Tp-Link T2600G-28MPS V2 [8/1027] Monitoring traffic

Содержание

• T2600g series switches 1
• User guide 1
• Ce mark warning 2
• Copyright trademarks 2
• Fcc statement 2
• Industry canada statement 2
• Bsmi notice 3
• Avoid water and wet locations 4
• Don t disassemble the product or make repairs yourself you run the risk of electric shock and voiding the limited warranty if you need service please contact us 4
• Explanation of the symbols on the product label 4
• Please read and follow the above safety information when operating the device we cannot guarantee that no accidents or damage will occur due to improper use of the device please use this product with care and operate at your own risk 4
• Safety information 4
• When product has power button the power button is one of the way to shut off the product when there is no power button the only way to completely shut off power is to disconnect the product or the power adapter from the power source 4
• About this guide 5
• Accessing the switch 5
• Command line interface access 11 5
• Contents 5
• Conventions 5
• Intended readers 5
• Managing system 5
• More information 5
• Overview 5
• System 22 5
• System info configurations 24 5
• Web interface access 5
• Access security configurations 58 6
• System tools configurations 46 6
• User management configurations 38 6
• Appendix default parameters 76 7
• Basic parameters configurations 81 7
• Configuration examples 00 7
• Loopback detection configuration 96 7
• Managing physical interfaces 7
• Physical interface 80 7
• Port isolation configurations 93 7
• Port mirror configuration 85 7
• Port security configuration 89 7
• Sdm template configuration 73 7
• Appendix default parameters 08 8
• Appendix default parameters 25 8
• Appendix default parameters 31 8
• Configuration example 21 8
• Configuring lag 8
• Lag 11 8
• Lag configuration 12 8
• Monitoring traffic 8
• Traffic monitor 27 8
• Address configurations 35 9
• Appendix default parameters 52 9
• Configuring ddm 9
• Ddm configuration 55 9
• Example for security configurations 49 9
• Mac address table 33 9
• Managing mac address table 9
• Overview 54 9
• Security configurations 43 9
• Appendix default parameters 70 10
• Appendix default parameters 81 10
• Configuration example 78 10
• Configuration example 91 10
• Configuring 802 q vlan 10
• Configuring l2pt 10
• L2pt configuration 74 10
• Overview 72 10
• Overview 83 10
• Q vlan configuration 84 10
• Appendix default parameters 13 11
• Appendix default parameters 97 11
• Configuration example 05 11
• Configuration example 22 11
• Configuring mac vlan 11
• Configuring protocol vlan 11
• Mac vlan configuration 00 11
• Overview 15 11
• Overview 99 11
• Protocol vlan configuration 16 11
• Appendix default parameters 34 12
• Appendix default parameters 54 12
• Basic vlan vpn configuration 38 12
• Configuration example 46 12
• Configuration example 62 12
• Configuring gvrp 12
• Configuring vlan vpn 12
• Flexible vlan vpn configuration 43 12
• Gvrp configuration 57 12
• Overview 56 12
• Vlan vpn 36 12
• Appendix default parameters 70 13
• Appendix default parameters 88 13
• Configuration example 82 13
• Configuring private vlan 13
• Configuring spanning tree 13
• Overview 72 13
• Private vlan configurations 74 13
• Spanning tree 90 13
• Stp rstp configurations 98 13
• Appendix default parameters 51 14
• Configuration example for mstp 32 14
• Configuring oam 14
• Ethernet oam 54 14
• Ethernet oam configurations 58 14
• Mstp configurations 08 14
• Stp security configurations 28 14
• Appendix default parameters 94 15
• Configuration example 84 15
• Configuring layer 2 multicast 15
• Igmp snooping configurations 98 15
• Layer 2 multicast 96 15
• Viewing oam statistics 77 15
• Configuring mld snooping 36 17
• Appendix default parameters 03 19
• Configuration examples 75 19
• Viewing multicast snooping configurations 71 19
• Appendix default parameter 33 20
• Appendix default parameters 19 20
• Configuring logical interfaces 20
• Configuring static routing 20
• Example for static routing 29 20
• Ipv4 static routing configuration 22 20
• Ipv6 static routing configuration 24 20
• Logical interfaces configurations 08 20
• Overview 07 20
• Overview 21 20
• Viewing routing table 26 20
• Configuration examples 71 21
• Configuring dhcp 21
• Dhcp 35 21
• Dhcp client configuration 51 21
• Dhcp l2 relay configuration 66 21
• Dhcp relay configuration 54 21
• Dhcp server configuration 39 21
• Appendix default parameters 79 22
• Arp configurations 84 22
• Bandwidth control configuration 13 22
• Configuring arp 22
• Configuring qos 22
• Diffserv configuration 91 22
• Overview 83 22
• Qos 90 22
• Appendix default parameters 37 23
• Appendix default parameters 66 23
• Configuration example 49 23
• Configuration examples 20 23
• Configuring poe 23
• Configuring voice vlan 23
• Overview 40 23
• Poe 68 23
• Poe power management configurations 69 23
• Voice vlan configuration 42 23
• Acl configuration 91 24
• Appendix default parameters 88 24
• Configuring acl 24
• Example for poe configurations 84 24
• Overview 90 24
• Time range function configurations 77 24
• Appendix default parameters 35 25
• Configuration example for acl 27 25
• Configuring network security 25
• Dhcp snooping configuration 60 25
• Ip mac binding configurations 45 25
• Ipv6 mac binding configurations 51 25
• Network security 38 25
• Aaa configuration 00 26
• Arp inspection configurations 68 26
• Dhcpv6 snooping configuration 65 26
• Dos defend configuration 80 26
• Ip source guard configuration 77 26
• Nd detection configuration 75 26
• Pppoe id insertion configuration 97 26
• X configuration 83 26
• Configuration examples 27 27
• Dhcp server filter configuration 20 27
• Netbios filtering configuration 25 27
• Appendix default parameters 54 28
• Configuring lldp 28
• Lldp 66 28
• Lldp configurations 67 28
• Lldp med configurations 75 28
• Viewing lldp settings 82 28
• Appendix default parameters 09 29
• Configuration example 90 29
• Configuring maintenance 29
• Maintenance 11 29
• Monitoring the system 12 29
• Sflow configuration 15 29
• System log configurations 20 29
• Viewing lldp med settings 87 29
• Appendix default parameters 42 30
• Configuration examples 37 30
• Configuring snmp rmon 30
• Diagnosing the device 27 30
• Diagnosing the network 29 30
• Dldp configuration 33 30
• Snmp configurations 46 30
• Snmp overview 45 30
• Appendix default parameters 93 31
• Configuration example 81 31
• Notification configurations 60 31
• Rmon configurations 70 31
• Rmon overview 69 31
• About this guide 32
• Conventions 32
• Intended readers 32
• More information 33
• Accessing the switch 34
• Chapters 34
• Part 1 34
• Overview 35
• Web interface access 36
• Save config function 37
• Disable the web server 38
• Http config disable the http server and click apply 38
• You can shut down the http server or https server to block any access to the web interface 38
• Configure the switch s ip address and default gateway 39
• Check the routing table to verify the default gateway you configured the entry marked in red box displays the valid default gateway 41
• Click save config to save the settings 41
• Command line interface access 42
• Console login only for switch with console port 42
• Enter enable to enter the user exec mode to further configure the switch 43
• Telnet login 44
• Password authentication mode 45
• Ssh login 45
• Key authentication mode 46
• After the keys are successfully generated click save public key to save the public key to a tftp server click save private key to save the private key to the host pc 47
• After negotiation is completed enter the username to log in if you can log in without entering the password the key authentication completed successfully 49
• Disable telnet login 49
• Telnet config disable the telnet function and click apply 49
• Using the gui 49
• You can shut down the telnet function to block any telnet access to the cli interface 49
• Copy running config startup config 50
• Disable ssh login 50
• Change the switch s ip address and default gateway 51
• Chapters 52
• Managing system 52
• Part 2 52
• Access security 53
• Overview 53
• Supported features 53
• System 53
• System info 53
• System tools 53
• User management 53
• Sdm template 54
• System info configurations 55
• Using the gui 55
• Viewing the system summary 55
• Click a port to view the bandwidth utilization on this port 56
• Move the cursor to the port to view the detailed information of the port 56
• Setting the system time 57
• Specifying the device description 57
• Choose one method to set the system time and specify the information 58
• In the time config section follow these steps to configure the system time 58
• In the time info section view the current time information of the switch 58
• Choose one method to set the daylight saving time of the switch and specify the information 59
• Click apply 59
• Daylight saving time to load the following page 59
• Follow these steps to configure daylight saving time 59
• In the dst config section select enable to enable the daylight saving time function 59
• Setting the daylight saving time 59
• Click apply 60
• In the serial port settings section specify the baud rate and click apply 60
• Serial port setting to load the following page 60
• Specifying the serial port parameter 60
• Using the cli 61
• Viewing the system summary 61
• Follow these steps to specify the device description 62
• Running time 2 day 4 hour 55 min 36 sec 62
• Serial number 62
• Specifying the device description 62
• Switch config contact info https www tp link com 62
• Switch config hostname switch_a 62
• Switch config location beijing 62
• Switch config show system info 62
• Switch configure 62
• System description jetstream 48 port gigabit smart switch with 4 sfp slots 62
• The following example shows how to set the device name as switch_a set the location as beijing and set the contact information as https www tp link com 62
• Contact information https www tp link com 63
• Follow these steps and choose one method to set the system time 63
• Setting the system time 63
• Switch config end 63
• Switch copy running config startup config 63
• System location beijing 63
• System name switch_a 63
• Backup ntp server 139 8 00 63 65
• Follow these steps and choose one method to set the daylight saving time 65
• Last successful ntp server 133 00 65
• Prefered ntp server 133 00 65
• Setting the daylight saving time 65
• Switch config end 65
• Switch config show system time ntp 65
• Switch config system time ntp utc 08 00 133 00 139 8 00 63 11 65
• Switch configure 65
• Switch copy running config startup config 65
• The following example shows how to set the system time by get time from ntp server and set the time zone as utc 08 00 set the ntp server as 133 00 set the backup ntp server as 139 8 00 63 and set the update rate as 11 65
• Time zone utc 08 00 65
• Update rate 11 hour s 65
• Dst configuration is one off 67
• Dst ends at 01 00 00 on sep 1 2016 67
• Dst offset is 50 minutes 67
• Dst starts at 01 00 00 on aug 1 2016 67
• Follow these steps to specify the serial port parameter 67
• Specifying the serial port parameter 67
• Switch config end 67
• Switch config show system time dst 67
• Switch config system time dst date aug 1 01 00 2016 sep 1 01 00 2016 50 67
• Switch configure 67
• Switch copy running config startup config 67
• The following example shows how to set the daylight saving time by date mode set the start time as 01 00 august 1st 2016 set the end time as 01 00 september 1st 2016 and set the offset as 50 67
• Baud rate 9600 68
• Data bits 8 68
• Parity bits none 68
• Serial port settings 68
• Stop bits 1 68
• Switch config 68
• Switch config end 68
• Switch config serial_port baud_rate 9600 68
• Switch config show serial_port 68
• Switch copy running config startup config 68
• The following example shows how to set the baud rate as 9600 and view the serial port parameters 68
• Creating admin accounts 69
• User management configurations 69
• Using the gui 69
• Click create 70
• Creating accounts of other types 70
• Creating an account 70
• Follow these steps to create an account of other types 70
• In the user info section select the access level from the drop down list and specify the user name and password 70
• User config to load the following page 70
• You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin 70
• Creating admin accounts 72
• Follow these steps to create an admin account 72
• Using the cli 72
• Creating accounts of other types 73
• Follow these steps to create an account of other type 73
• You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin 73
• The aaa function applies another method to manage the access users name and password for details refer to aaa configuration in configuring network security 75
• The logged in users can enter the enable password on this page to get the administrative privileges 75
• Configuring the boot file 77
• System tools configurations 77
• Using the gui 77
• Click apply 78
• Click import to import the configuration file 78
• Config restore to load the following page 78
• Follow these steps to restore the configuration of the switch 78
• In the config restore section select one unit and one configuration file 78
• Restoring the configuration of the switch 78
• Backing up the configuration file 79
• Upgrading the firmware 79
• Auto install to load the following page 80
• Configuring auto install function 80
• In the auto install configuration section specify the parameters and click apply 80
• Configuring the reboot schedule 81
• Rebooting the switch 81
• Configuring the boot file 82
• Follow these steps to configure the boot file 82
• In the system reset section select the desired unit and click reset 82
• Reseting the switch 82
• System reset to load the following page 82
• Using the cli 82
• Backup image image2 bin 83
• Boot config 83
• Current startup image image1 bin 83
• Follow these steps to restore the configuration of the switch 83
• Next startup image image1 bin 83
• Restoring the configuration of the switch 83
• Switch config boot application filename image1 startup 83
• Switch config boot application filename image2 backup 83
• Switch config end 83
• Switch config show boot 83
• Switch configure 83
• Switch copy running config startup config 83
• The following example shows how to set the next startup image as image 1 and set the backup image as image 2 83
• Backing up the configuration file 84
• Backup user config file ok 84
• Enable 84
• Follow these steps to back up the current configuration of the switch in a file 84
• Follow these steps to upgrade the firmware 84
• Operation ok now rebooting system 84
• Start to backup user config file 84
• Start to load user config file 84
• Switch copy startup config tftp ip address 192 68 00 filename file2 84
• Switch copy tftp startup config ip address 192 68 00 filename file1 84
• The following example shows how to backup the configuration file named file2 from tftp server with ip address 192 68 00 84
• The following example shows how to restore the configuration file named file1 from the tftp server with ip address 192 68 00 84
• Upgrading the firmware 84
• Configuring auto install function 85
• Enable 85
• Follow these steps to configure the auto install function 85
• It will only upgrade the backup image continue y n y 85
• Operation ok 85
• Reboot with the backup image y n y 85
• Switch firmware upgrade ip address 192 68 00 filename file3 bin 85
• The following example shows how to upgrade the firmware using the configuration file named file3 bin the tftp server is 190 68 00 85
• Auto insatll mode stop 86
• Auto insatll persistent mode enabled 86
• Auto insatll retry count 86
• Auto insatll sate stopped 86
• Auto reboot mode enabled 86
• Auto save mode enabled 86
• Follow these steps to reboot the switch 86
• Rebooting the switch 86
• Switch config boot autoinstall auto reboot 86
• Switch config boot autoinstall auto save 86
• Switch config boot autoinstall persistent mode 86
• Switch config boot autoinstall retry count 2 86
• Switch config show boot autoinstall 86
• Switch configure 86
• The following example shows how to configure the auto install function 86
• Configuring the reboot schedule 87
• Follow these steps and choose one type to configure the reboot schedule 87
• Reboot schedule at 2016 01 15 12 00 in 17007 minutes 87
• Reboot schedule settings 87
• Reboot system at 15 01 2016 12 00 continue y n y 87
• Switch config reboot schedule at 12 00 15 01 2016 save_before_reboot 87
• Switch configure 87
• The following example shows how to set the switch to reboot at 12 00 on 15 01 2016 87
• Follow these steps to reset the switch 88
• Reseting the switch 88
• Save before reboot yes 88
• Switch config end 88
• Switch copy running config startup config 88
• Access security configurations 89
• Configuring the access control feature 89
• Using the gui 89
• Click apply 90
• When the ip based mode is selected the following section will display 90
• When the port based mode is selected the following section will display 90
• Configuring the http function 91
• Configuring the https function 92
• In the access user number section select enable and specify the parameters click apply 93
• In the certificate download and key download section download the certificate and key 93
• In the ciphersuite config section select the algorithm to be enabled and click apply 93
• In the session config section specify the session timeout and click apply 93
• Configuring the ssh feature 94
• In the global config section select enable to enable ssh function and specify other parameters 94
• Ssh config to load the following page 94
• Configuring the access control 95
• Enabling the telnet function 95
• Using the cli 95
• Switch config show user configuration 96
• Switch config user access control ip based 192 68 00 255 55 55 snmp telnet http https 96
• Switch configure 96
• The following example shows how to set the type of access control as ip based set the ip address as 192 68 00 set the subnet mask as 255 55 55 and make the switch support snmp telnet http and https 96
• 68 24 snmp telnet http https 97
• Configuring the http function 97
• Follow these steps to configure the http function 97
• Index ip address access interface 97
• Switch config end 97
• Switch config ip http server 97
• Switch configure 97
• Switch copy running config startup config 97
• The following example shows how to set the session timeout as 9 set the maximum admin number as 6 and set the maximum guest number as 5 97
• User authentication mode ip based 97
• Configuring the https function 98
• Follow these steps to configure the https function 98
• Http max admin users 6 98
• Http max guest users 5 98
• Http session timeout 9 98
• Http status enabled 98
• Http user limitation enabled 98
• Switch config end 98
• Switch config ip http max user 6 5 98
• Switch config ip http session timeout 9 98
• Switch config show ip http configuration 98
• Switch copy running config startup config 98
• Switch config ip http secure ciphersuite 3des ede cbc sha 99
• Switch config ip http secure protocol ssl3 tls1 99
• Switch config ip http secure server 99
• Switch configure 99
• The following example shows how to configure the https function enable ssl3 and tls1 protocol enable the ciphersuite of 3des ede cbc sha set the session timeout time as 15 the admin number as 1 and the guest number as 2 download the certificate named ca crt and the key named ca key from the tftp server with the ip address 192 68 00 99
• Configuring the ssh feature 100
• Switch config ip ssh server 101
• Switch config ip ssh version v1 101
• The following example shows how to configure the ssh function set the version as ssh v1 and ssh v2 enable the aes128 cbc and cast128 cbc encryption algorithm enable the hmac md5 data integrity algorithm choose the key type as ssh 2 rsa dsa 101
• Enabling the telnet function 103
• Follow these steps enable the telnet function 103
• Switch config end 103
• Switch copy running config startup config 103
• In select options section select one template and click apply the setting will be effective after the reboot 104
• Sdm template configuration 104
• Sdm template function is used to configure system resources in the switch to optimize support for specific features the switch provides three templates and the hardware resources allocation is different users can choose one according to how the switch is used in the network 104
• Sdm template to load the following page 104
• Using the gui 104
• Follow these steps to configure the sdm template function 105
• The template table displays the resources allocation of each template 105
• Using the cli 105
• Appendix default parameters 107
• Default settings of system info are listed in the following tables 107
• Default settings of system tools are listed in the following table 107
• Default settings of user management are listed in the following table 107
• Default settings of access security are listed in the following tables 108
• Default settings of sdm template are listed in the following table 109
• Chapters 110
• Managing physical interfaces 110
• Part 3 110
• Basic parameters 111
• Loopback detection 111
• Overview 111
• Physical interface 111
• Port isolation 111
• Port mirror 111
• Port security 111
• Supported features 111
• Basic parameters configurations 112
• Follow these steps to set basic parameters for ports 112
• Port config to load the following page 112
• Select and configure your desired ports or lags then click apply 112
• Using the gui 112
• Follow these steps to set basic parameters for the ports 113
• Using the cli 113
• Switch configure 114
• The following example shows how to implement the basic configurations of port1 0 1 including setting a description for the port making the port autonegotiate speed and duplex with the neighboring port and enabling the flow control and jumbo feature 114
• Port mirror configuration 116
• Using the gui 116
• Follow these steps to configure port mirror 117
• In the destination port section specify a monitoring port for the mirror session and click apply 117
• In the source port section select one or multiple monitored ports for configuration then set the parameters and click apply 117
• Follow these steps to configure port mirror 118
• Monitor session 1 118
• Switch config monitor session 1 destination interface gigabitethernet 1 0 10 118
• Switch config monitor session 1 source interface gigabitethernet 1 0 1 3 both 118
• Switch config show monitor session 118
• Switch configure 118
• The following example shows how to copy the received and transmitted packets on port 1 0 1 2 3 to port 1 0 10 118
• Using the cli 118
• Follow these steps to configure port security 120
• Port security configuration 120
• Port security to load the following page 120
• Select one or multiple ports for security configuration 120
• Specify the maximum number of the mac addresses that can be learned on the port and then select the learn mode of the mac addresses 120
• Using the gui 120
• Click apply 121
• Follow these steps to configure port security 121
• Select the status of the port security feature 121
• Using the cli 121
• Gi1 0 1 30 0 permanent drop 122
• Port max learn current learn mode status 122
• Switch config if mac address table max mac count max number 30 mode permanent status drop 122
• Switch config if show mac address table max mac count interface gigabitethernet 1 0 1 122
• Switch config interface gigabitethernet 1 0 1 122
• Switch configure 122
• The following example shows how to set the maximum number of mac addresses that can be learned on port 1 0 1 as 30 and configure the mode as permanent and the status as drop 122
• Switch config if end 123
• Switch copy running config startup config 123
• Port isolation configurations 124
• Using the gui 124
• Click apply 125
• Follow these steps to configure port isolation 125
• In the forward portlist section select the forward ports or lags which the isolated ports can only communicate with it is multi optional 125
• In the port section select one or multiple ports to be isolated 125
• Using the cli 125
• Loopback detection configuration 127
• Using the gui 127
• In the port config section select one or multiple ports for configuration then set the parameters and click apply 128
• View the loopback detection information on this page 128
• Follow these steps to configure loopback detection 129
• Using the cli 129
• Configuration examples 131
• Configuration scheme 131
• Example for port mirror 131
• Network requirements 131
• Using the gui 131
• As shown below three hosts and a server are connected to the switch and all belong to vlan 10 with the vlan configuration unchanged host a is not allowed to communicate with the other hosts except the server even if the mac address or ip address of host a is changed 133
• Destination port gi1 0 1 133
• Example for port isolation 133
• Monitor session 1 133
• Network requirements 133
• Source ports egress gi1 0 2 5 133
• Source ports ingress gi1 0 2 5 133
• Switch config end 133
• Switch config monitor session 1 destination interface gigabitethernet 1 0 1 133
• Switch config monitor session 1 source interface gigabitethernet 1 0 2 5 both 133
• Switch configure 133
• Switch copy running config startup config 133
• Switch show monitor session 1 133
• Using the cli 133
• Verify the configuration 133
• Configuration scheme 134
• Using the gui 134
• Using the cli 135
• Verify the configuration 135
• Configuration scheme 136
• Example for loopback detection 136
• Network requirements 136
• Using the gui 136
• Using the cli 137
• Verify the configuration 138
• Appendix default parameters 139
• Default settings of switching are listed in th following tables 139
• Chapters 141
• Configuring lag 141
• Part 4 141
• Overview 142
• Static lag 142
• Supported features 142
• Configuration guidelines 143
• Lag configuration 143
• Configuring load balancing algorithm 144
• In the global config section select the load balancing algorithm click apply 144
• Lag table to load the following page 144
• Load balancing algorithm is effective only for outgoing traffic if the data stream is not well shared by each link you can change the algorithm of the outgoing interface 144
• Please properly choose the load balancing algorithm to avoid data stream transferring only on one physical link for example switch a receives packets from several hosts and forwards them to the server with the fixed mac address and ip address you can set the algorithm as src mac src ip to allow switch a to determine the forwarding port based on the source mac addresses and source ip addresses of the received packets 144
• Using the gui 144
• Configuring static lag or lacp 145
• Configuring lacp 146
• Follow these steps to configure lacp 146
• Lacp to load the following page 146
• Select member ports for the lag and configure the related parameters click apply 146
• Specify the system priority for the switch and click apply 146
• Configuring load balancing algorithm 147
• Follow these steps to configure the load balancing algorithm 147
• Using the cli 147
• Configuring static lag 148
• Configuring static lag or lacp 148
• Etherchannel load balancing addresses used per protocol 148
• Etherchannel load balancing configuration src dst mac 148
• Follow these steps to configure static lag 148
• Ipv4 source xor destination mac address 148
• Ipv6 source xor destination mac address 148
• Non ip source xor destination mac address 148
• Switch config end 148
• Switch config port channel load balance src dst mac 148
• Switch config show etherchannel load balance 148
• Switch configure 148
• Switch copy running config startup config 148
• The following example shows how to set the global load balancing mode as src dst mac 148
• You can choose only one lag mode for a port static lag or lacp and make sure both ends of a link use the same lag mode 148
• Configuration example 152
• Configuration scheme 152
• Network requirements 152
• Using the gui 153
• Using the cli 154
• Verify the configuration 154
• Appendix default parameters 156
• Default settings of switching are listed in the following tables 156
• Monitoring traffic 157
• Traffic monitor 158
• Using the gui 158
• Viewing the traffic summary 158
• Follow these steps to view the traffic statistics in detail 159
• To get the real time traffic statistics enable auto refresh in the auto refresh section or click refresh at the bottom of the page 159
• Traffic statistics to load the following page 159
• Viewing the traffic statistics in detail 159
• In port select select a port or lag and click select 160
• In the statistics section view the detailed information of the selected port or lag 160
• On privileged exec mode or any other configuration mode you can use the following command to view the traffic information of each port or lag 161
• Using the cli 161
• Appendix default parameters 162
• Chapters 163
• Managing mac address table 163
• Part 6 163
• Address configurations 164
• Mac address table 164
• Overview 164
• Supported features 164
• Security configurations 165
• Adding static mac address entries 166
• Address configurations 166
• Using the gui 166
• Click apply 168
• Dynamic address to load the following page 168
• Follow these steps to modify the aging time of dynamic address entries 168
• In the aging config section enable auto aging and enter your desired length of time 168
• Modifying the aging time of dynamic address entries 168
• Adding mac filtering address entries 169
• Viewing address table entries 169
• Adding static mac address entries 170
• Address table to load the following page 170
• Follow these steps to add static mac address entries 170
• Using the cli 170
• Modifying the aging time of dynamic address entries 171
• Adding mac filtering address entries 172
• Aging time is 500 sec 172
• Follow these steps to add mac filtering address entries 172
• Switch config end 172
• Switch config mac address table aging time 500 172
• Switch config show mac address table aging time 172
• Switch configure 172
• Switch copy running config startup config 172
• The following example shows how to modify the aging time to 500 seconds a dynamic entry remains in the mac address table for 500 seconds after the entry is used or updated 172
• Configuring mac notification traps 174
• Security configurations 174
• Using the gui 174
• Configure snmp and set a management host for detailed snmp configurations please refer to configuring snmp rmon 175
• Follow these steps to configure mac notification traps 175
• In the mac notification global config section enable this feature configure the relevant options and click apply 175
• In the mac notification port config section select your desired port and enable its notification traps you can enable these three types learned mode change exceed max learned and new mac learned click apply 175
• Choose the mode that the switch adopts when the maximum number of mac addresses in the specified vlan is exceeded 176
• Click create 176
• Enter the vlan id to limit the number of mac addresses that can be learned in the specified vlan 176
• Enter your desired value in max learned mac to set a threshold 176
• Follow these steps to limit the number of mac addresses in vlans 176
• Limiting the number of mac addresses in vlans 176
• Mac vlan security to load the following page 176
• Configuring mac notification traps 177
• Follow these steps to configure mac notification traps 177
• Using the cli 177
• Limiting the number of mac addresses in vlans 178
• 100 0 drop 179
• Switch config end 179
• Switch config mac address table security vid 10 max learn 100 drop 179
• Switch config show mac address table security vid 10 179
• Switch configure 179
• Switch copy running config startup config 179
• The following example shows how to limit the number of mac addresses to 100 in vlan 10 and configure the switch to drop packets of new source mac addresses when the limit is exceeded 179
• Vlanid max learn current learn status 179
• Configuration scheme 180
• Example for security configurations 180
• Network requirements 180
• Using the gui 181
• Using the cli 182
• Verify the configurations 182
• Appendix default parameters 183
• Default settings of the mac address table are listed in the following tables 183
• Chapters 184
• Configuring ddm 184
• Part 7 184
• Overview 185
• Configuring ddm globally 186
• Ddm configuration 186
• Using the gui 186
• Click apply 187
• Configuring the temperature threshold 187
• Configuring the voltage threshold 187
• Follow these steps to configure ddm s temperature threshold 187
• In the port config table configure temperature threshold of the sfp ports 187
• Temperature threshold to load the following page 187
• Voltage threshold to load the following page 187
• Bias current threshold to load the following page 188
• Click apply 188
• Configuring the bias current threshold 188
• Follow these steps to configure ddm s bias current threshold 188
• Follow these steps to configure ddm s voltage threshold 188
• In the port config table configure bias current threshold on the sfp ports 188
• In the port config table configure voltage threshold on the sfp ports 188
• Click apply 189
• Configuring the tx power threshold 189
• Follow these steps to configure ddm s tx power threshold 189
• In the port config table configure tx power threshold on the sfp ports 189
• Tx power threshold to load the following page 189
• Click apply 190
• Configuring the rx power threshold 190
• Ddm status to load the following page 190
• Follow these steps to configure ddm s rx power threshold 190
• In the port config table configure rx power threshold on the sfp ports 190
• Rx power threshold to load the following page 190
• Viewing ddm status 190
• Configure the shutdown condition 191
• Configure the specified threshold for warning or alarm 191
• Configuring ddm globally 191
• Enable ddm on the sfp port 191
• Follow these steps to enable ddm on specified sfp ports 191
• In the port config table view the current operating parameters for the sfp modules inserted into the sfp ports 191
• To complete ddm configuration follow these steps 191
• Using the cli 191
• Configuring ddm shutdown 192
• Ddm status ddm status shutdown 192
• Follow these steps to configure settings for shutting down sfp ports when the alarm threshold or warning threshold is exceeded 192
• Gi1 0 17 enable none 192
• Gi1 0 18 enable none 192
• Switch config if ddm state enable 192
• Switch config if end 192
• Switch config if show ddm configuration state 192
• Switch config interface gigabitethernet 1 0 17 192
• Switch configure 192
• Switch copy running config startup config 192
• The following example shows how to enable ddm on sfp port 1 0 17 192
• Configuring temperature threshold 193
• Ddm status ddm status shutdown 193
• Follow these steps to configure the threshold of the ddm temperature on the specified sfp port 193
• Gi1 0 17 enable warning 193
• Gi1 0 18 enable none 193
• Switch config if ddm shutdown warning 193
• Switch config if end 193
• Switch config if show ddm configuration state 193
• Switch config interface gigabitethernet 1 0 17 193
• Switch configure 193
• Switch copy running config startup config 193
• The following example shows how to set sfp port 1 0 17 to shut down when the warning threshold is exceeded 193
• Configuring voltage threshold 194
• Follow these steps to configure the threshold of the ddm voltage on the specified sfp port 194
• Gi1 0 17 110 00000 194
• Gi1 0 18 194
• High alarm high alarm low alarm high warning low warning 194
• Switch config if ddm temperature_threshold high_alarm 110 194
• Switch config if end 194
• Switch config if show ddm configuration temperature 194
• Switch config interface gigabitethernet 1 0 17 194
• Switch configure 194
• Switch copy running config startup config 194
• Temperature threshold celsius 194
• The following example shows how to set sfp port 1 0 17 s high alarm temperature threshold as 110 celsius 194
• Configuring bias current threshold 195
• Gi1 0 17 120 00000 196
• Gi1 0 18 196
• High alarm high alarm low alarm high warning low warning 196
• Switch config if ddm vlotage_threshold high_alarm 120 196
• Switch config if end 196
• Switch config if show ddm configuration bias_current 196
• Switch config interface gigabitethernet 1 0 17 196
• Switch configure 196
• Switch copy running config startup config 196
• The following example shows how to set sfp port 1 0 17 s high alarm threshold bias current as 120 ma 196
• Voltage threshold v 196
• Configuring tx power threshold 197
• Follow these steps to configure the threshold of the ddm tx power on the specified sfp port 197
• Gi1 0 17 6 00000 197
• Gi1 0 18 197
• High alarm high alarm low alarm high warning low warning 197
• Switch config if ddm tx_power_threshold high_alarm 6 197
• Switch config if show ddm configuration tx_power 197
• Switch config interface gigabitethernet 1 0 17 197
• Switch configure 197
• The following example shows how to set sfp port 1 0 17 s high alarm threshold tx power as 6 mw 197
• Tx power threshold mw 197
• Configuring rx power threshold 198
• Follow these steps to configure the threshold of the ddm rx power on the specified sfp port 198
• Switch config if ddm rx_power_threshold high_alarm 6 198
• Switch config if end 198
• Switch config if show ddm configuration rx_power 198
• Switch config interface gigabitethernet 1 0 17 198
• Switch configure 198
• Switch copy running config startup config 198
• The following example shows how to set sfp port 1 0 17 s high alarm threshold rx power as 6 mw 198
• Viewing ddm configuration 199
• Viewing ddm status 200
• Appendix default parameters 201
• Default settings of ddm are listed in the following table 201
• Chapters 202
• Configuring l2pt 202
• Part 8 202
• Overview 203
• Follow these steps to configure l2pt 205
• In the global config section enable l2pt globally and click apply 205
• In the port config section configure the port that is connected to the customer network as a uni port and specify your desired protocols on the port in addition you can also set the threshold for packets per second to be processed on the uni port 205
• L2pt config to load the following page 205
• L2pt configuration 205
• Using the gui 205
• Click apply 206
• Follow these steps to configure l2pt feature 206
• In the port config section configure the port that is connected to the isp network as an nni port note that the protocols and threshold cannot be configured on the nni port 206
• Using the cli 206
• Configuration example 209
• Configuration scheme 209
• Network requirements 209
• Using the gui 209
• Using the cli 210
• Verify the configuration 211
• Appendix default parameters 212
• Default settings of l2pt are listed in the following table 212
• Chapters 213
• Configuring 802 q vlan 213
• Part 9 213
• Overview 214
• Configuring the pvid of the port 215
• Q vlan configuration 215
• Using the gui 215
• Click apply 217
• Configuring the vlan 217
• Enter a vlan id and a description for identification to create a vlan 217
• Follow these steps to configure vlan 217
• Select the untagged port s and the tagged port s respectively to add to the created vlan based on the network topology 217
• Vlan config and click create to load the following page 217
• Creating a vlan 218
• Follow these steps to create a vlan 218
• Rd active 218
• Switch config vlan 2 218
• Switch config vlan end 218
• Switch config vlan name rd 218
• Switch config vlan show vlan id 2 218
• Switch configure 218
• The following example shows how to create vlan 2 and name it as rd 218
• Using the cli 218
• Vlan name status ports 218
• Configuring the port 219
• Follow these steps to configure the port 219
• Link type trunk 219
• Member in lag n a 219
• Member in vlan 219
• Port gi1 0 5 219
• Pvid 2 219
• Switch config if show interface switchport gigabitethernet 1 0 5 219
• Switch config if switchport mode trunk 219
• Switch config if switchport pvid 2 219
• Switch config interface gigabitethernet 1 0 5 219
• Switch configure 219
• Switch copy running config startup config 219
• The following example shows how to configure the link type of port 1 0 5 as trunk the pvid of port 1 0 5 as vlan 2 219
• Adding the port to the specified vlan 220
• Follow these steps to add the port to the specified vlan 220
• Switch config if end 220
• Switch config interface gigabitethernet 1 0 5 220
• Switch configure 220
• Switch copy running config startup config 220
• System vlan tagged 220
• The following example shows how to add the general port 1 0 5 to vlan 2 and specify its egress rule as tagged 220
• Vlan name egress rule 220
• Configuration example 222
• Configuration scheme 222
• Network requirements 222
• Network topology 223
• Using the gui 223
• Using the cli 226
• Verify the configurations 226
• Appendix default parameters 228
• Default settings of 802 q vlan are listed in the following table 228
• Chapters 229
• Configuring mac vlan 229
• Part 10 229
• Overview 230
• Ptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in to meet this requirement simply bind the mac addresses of the laptops to the corresponding vlans respectively in this way the mac address rather than the access port determines the vlan each laptop joins each laptop can access only the server in the vlan it joins 230
• The figure below shows a common application scenario of mac vlan 230
• Two departments share all the meeting rooms in the company but use different servers and l 230
• Vlan is generally divided by ports this way of division is simple but isn t suitable for those networks that require frequent topology changes with the popularity of mobile office a terminal device may access the switch via different ports for example a terminal device that accessed the switch via port 1 last time may change to port 2 this time if port 1 and port 2 belong to different vlans the user has to re configure the switch to access the original vlan using mac vlan can free the user from such a problem it divides vlans based on the mac addresses of terminal devices in this way terminal devices always belong to their original vlans even when their access ports change 230
• Configuring 802 q vlan 231
• Mac vlan configuration 231
• Using the gui 231
• Binding the mac address to the vlan 232
• By default mac vlan is disabled on all ports you need to enable mac vlan for your desired ports manually 232
• Click create to create the mac vlan 232
• Enabling mac vlan for the port 232
• Enter the mac address of the device give it a description and enter the vlan id to bind it to the vlan 232
• Follow these steps to bind the mac address to the vlan 232
• Mac vlan to load the following page 232
• Before configuring mac vlan create an 802 q vlan and set the port type according to network requirements for details refer to configuring 802 q vlan 233
• Binding the mac address to the vlan 233
• Configuring 802 q vlan 233
• Follow these steps to bind the mac address to the vlan 233
• Follow these steps to enable mac vlan for the port 233
• Port enable to load the following page 233
• Select your desired ports to enable mac vlan and click apply 233
• Using the cli 233
• 19 56 8a 4c 71 dept a 10 234
• Enabling mac vlan for the port 234
• Follow these steps to enable mac vlan for the port 234
• Mac addr name vlan id 234
• Switch config end 234
• Switch config mac vlan mac address 00 19 56 8a 4c 71 vlan 10 description dept a 234
• Switch config show mac vlan vlan 10 234
• Switch configure 234
• Switch copy running config startup config 234
• The following example shows how to bind the mac address 00 19 56 8a 4c 71 to vlan 10 with the address description as dept a 234
• Configuration example 236
• Configuration scheme 236
• Create vlan 10 and vlan 20 on each of the three switches set different port types and add the ports to the vlans based on the network topology note for the ports connecting the laptops set the link type as general and set the egress rule as 236
• Network requirements 236
• Two departments share all the meeting rooms in the company but use different servers and laptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in the figure below shows the network topology 236
• You can configure mac vlan to meet this requirement on switch 1 and switch 2 bind the mac addresses of the laptops to the corresponding vlans respectively in this way each laptop can access only the server in the vlan it joins no matter which meeting room the laptops are being used in the overview of the configuration is as follows 236
• Using the gui 237
• Using the cli 241
• Verify the configurations 243
• Appendix default parameters 244
• Default settings of mac vlan are listed in the following table 244
• Chapters 245
• Configuring protocol vlan 245
• Part 11 245
• Overview 246
• Protocol vlan is a technology that divides vlans based on the network layer protocol with the protocol vlan rule configured on the basis of the existing 802 q vlan the switch can analyze special fields of received packets encapsulate the packets in specific formats and forward the packets of different protocols to the corresponding vlans since different applications and services use different protocols network administrators can use protocol vlan to manage the network based on specific applications and services of network users 246
• The figure below shows a common application scenario of protocol vlan with protocol vlan configured switch 2 can forward ipv4 and ipv6 packets from different vlans to the ipv4 and ipv6 networks respectively 246
• Configuring 802 q vlan 247
• Protocol vlan configuration 247
• Using the gui 247
• Creating protocol template 248
• Configuring 802 q vlan 249
• Configuring protocol vlan 249
• Using the cli 249
• Arp ethernetii ether type 0806 250
• At snap ether type 809b 250
• Creating a protocol template 250
• Follow these steps to create a protocol template 250
• Index protocol name protocol type 250
• Ip ethernetii ether type 0800 250
• Ipv6 ethernetii ether type 86dd 250
• Ipx snap ether type 8137 250
• Rarp ethernetii ether type 8035 250
• Switch config end 250
• Switch config protocol vlan template name ipv6 frame ether_2 ether type 86dd 250
• Switch config show protocol vlan template 250
• Switch configure 250
• The following example shows how to create an ipv6 protocol template 250
• Configuring protocol vlan 251
• Follow these steps to configure protocol vlan 251
• Index protocol name protocol type 251
• Ip ethernetii ether type 0800 251
• Switch config show protocol vlan template 251
• Switch configure 251
• Switch copy running config startup config 251
• The following example shows how to bind the ipv6 protocol template to vlan 10 251
• A company uses both ipv4 and ipv6 hosts and these hosts access the ipv4 network and ipv6 network respectively via different routers it is required that ipv4 packets are forwarded to the ipv4 network ipv6 packets are forwarded to the ipv6 network and other packets are dropped 253
• Configuration example 253
• Configuration scheme 253
• Network requirements 253
• The figure below shows the network topology the ipv4 host belongs to vlan 10 the ipv6 host belongs to vlan 20 and these hosts access the network via switch 1 switch 2 is connected to two routers to access the ipv4 network and ipv6 network respectively the routers belong to vlan 10 and vlan 20 respectively 253
• You can configure protocol vlan on port 1 0 1 of switch 2 to meet this requirement when this port receives packets switch 2 will forward them to the corresponding vlans according to their protocol types the overview of the configuration on switch 2 is as follows 253
• Using the gui 254
• Using the cli 260
• Verify the configurations 263
• Appendix default parameters 265
• Default settings of protocol vlan are listed in the following table 265
• Chapters 266
• Configuring vlan vpn 266
• Part 12 266
• Overview 267
• Vlan vpn 267
• Basic vlan vpn 268
• Flexible vlan vpn 268
• Supported features 268
• Basic vlan vpn configuration 269
• Configuring 802 q vlan 269
• Using the gui 269
• Configuring global vlan vpn and up link ports 270
• Configuring 802 q vlan 271
• Configuring vpn ports 271
• Using the cli 271
• Configuring basic vlan vpn 272
• Follow these steps to configure basic vlan vpn 272
• Configuration guidelines 274
• Flexible vlan vpn configuration 274
• Using the gui 274
• Follow these steps to configure flexible vlan vpn 275
• In the vlan mapping config section choose a vpn port to enable vlan mapping enter customer network vlan id in the c vlan field enter isp network vlan id in the sp vlan field and enter a name to identify the entry then click create to add a mapping entry 275
• Using the cli 275
• Configuration example 277
• Configuration scheme 277
• Configure 802 q vlan before vlan vpn configuration create isp network vlan 1050 on the switch and add port1 0 1 tagged and port 1 0 2 untagged to the vlan create client network vlan 100 and vlan 200 and add port 1 0 2 tagged to both the vlans set the pvid of port 1 0 1 and port 1 0 2 as 1050 277
• Demonstrated with t2600g 28ts this chapter provides configuration procedures in two ways using the gui and using the cli 277
• Enable the vpn feature globally and set global tpid as 0x9100 277
• Figure 4 1 shows the network topology switches of the two divisions are connected to customer networks vlan 100 and vlan 200 respectively and they communicate across isp network vlan 1050 devices in the isp network adopt tpid value 0x9100 277
• Network requirements 277
• Set port 1 0 1 as the vpn up link port and port 1 0 2 as the vpn port 277
• Two divisions of the company are located in different areas and have to communicate across an isp network a normal communication is required 277
• Users can configure vlan vpn on switch 1 and switch 2 to allow packets sent with double vlan tags and thus ensure the communication between them the general configuration procedure is as follows 277
• Using the gui 278
• Using the cli 282
• Verify the configurations 283
• Appendix default parameters 285
• Default settings of vlan vpn are listed in the following table 285
• Chapters 286
• Configuring gvrp 286
• Part 13 286
• Gvrp garp vlan registration protocol is a garp generic attribute registration protocol application that allows registration and deregistration of vlan attribute values and dynamic vlan creation 287
• Overview 287
• The configuration may seem easy in this situation however for a larger or more complex network such manual configuration would be time costing and fallible gvrp can be applied to implement dynamic vlan configuration with gvrp the switch can exchange vlan configuration information with the adjacent gvrp switches and dynamically create and manage the vlans this reduces vlan configuration workload and ensures correct vlan configuration 287
• Without gvrp operating configuring the same vlan on a network would require manual configuration on each device as shown in figure 1 1 switch a b and c are connected through trunk ports vlan 10 is configured on switch a and vlan 1 is configured on switch b and switch c switch c can receive messages sent from switch a in vlan 10 only when the network administrator has manually created vlan 10 on switch b and switch c 287
• Configuration guidelines 288
• Gvrp configuration 288
• Using the gui 288
• Click apply 290
• Gvrp requires vlan creation first and you need to set the link type of the ports as trunk for gvrp can be enabled only on trunk interfaces for details refer to configuring 802 q vlan 290
• Using the cli 290
• Enabled 292
• Gi1 0 1 enabled fixed 1000 20 60 n a 292
• Gvrp global status 292
• Port status reg mode leaveall joinin leave lag 292
• Switch config gvrp 292
• Switch config if end 292
• Switch config if gvrp 292
• Switch config if gvrp registration fixed 292
• Switch config if show gvrp global 292
• Switch config if show gvrp interface gigabitethernet 1 0 1 292
• Switch config interface gigabitethernet 1 0 1 292
• Switch configure 292
• Switch copy running config startup config 292
• The following example shows how to enable gvrp globally and on trunk port 1 0 1 configure the gvrp registration mode as fixed and keep the values of timers as default 292
• Before enabling gvrp set the link type for all ports in the link as trunk 293
• Configuration example 293
• Configuration scheme 293
• Demonstrated with t2600g 28ts the following sections provide configuration procedure in two ways using the gui and using the cli 293
• Department a and department b of a company are connected using switches offices of one department are distributed on different floors as shown in figure 3 1 the network topology is complicated configuration of the same vlan on different switches is required so that computers in the same department can communicate with each other 293
• Network requirements 293
• The two departments are in separate vlans to make sure the switches only dynamically create vlan of their own department you need to set the registration mode for ports on switch 1 to switch 4 as fixed to prevents dynamic registration and deregistration of vlans and allow the port to transmit only the static vlan registration information 293
• To configure dynamic vlan creation on other switches set the registration mode of the corresponding ports as normal to allow dynamic registration and de registration of vlans 293
• To reduce manual configuration and maintenance workload gvrp can be enabled to implement dynamic vlan registration and update on the switches 293
• When configuring gvrp please note the following 293
• Using the gui 294
• Using the cli 297
• Verify the configuration 299
• Appendix default parameters 301
• Default settings of gvrp are listed in the following tables 301
• Chapters 302
• Configuring private vlan 302
• Part 14 302
• Overview 303
• If private vlan is configured on switch b switch a only needs to recognize primary vlan vlan5 and end users can be isolated by secondary vlans vlan2 vlan3 and vlan4 saving vlan resources for switch a 304
• Creating private vlan 305
• Private vlan configurations 305
• Using the gui 305
• Click create 306
• Configuring the up link port 306
• In the port config section select the port to be configured set the port type as promiscuous and enter the ids of primary vlan and secondary vlan 306
• Port config to load the following page 306
• The switch requires that only access port can be added to a private vlan 306
• Click apply 307
• Configuring the down link port 307
• In the port config section select the port to be configured set the port type as host and enter the ids of primary vlan and secondary vlan 307
• Port config to load the following page 307
• The switch requires that only access port can be added to a private vlan 307
• Click apply 308
• Creating private vlan 308
• Using the cli 308
• Community 309
• Primary secondary type ports 309
• Switch config end 309
• Switch config show vlan private vlan 309
• Switch config vlan 5 309
• Switch config vlan 6 309
• Switch config vlan exit 309
• Switch config vlan private vlan association 5 309
• Switch config vlan private vlan community 309
• Switch config vlan private vlan primary 309
• Switch configure 309
• Switch copy running config startup config 309
• The following example shows how to create primary vlan 6 and secondary vlan 5 set the secondary vlan type as community and pair primary vlan 6 with secondary vlan 5 as a private vlan 309
• Configuring the up link port 310
• Switch config interface gigabitethernet 1 0 2 310
• Switch configure 310
• The following example shows how to configure the port type of port 1 0 2 as promiscuous and add it to the private vlan composed of primary vlan 6 and secondary vlan 5 310
• The switch requires that only access port can be added to a private vlan 310
• Community gi1 0 2 311
• Configuring the down link port 311
• Gi1 0 2 promiscuous 311
• Port type 311
• Primary secondary type ports 311
• Switch config end 311
• Switch config if exit 311
• Switch config if switchport private vlan promiscuous 311
• Switch config show vlan private vlan 311
• Switch config show vlan private vlan interface gigabitethernet 1 0 2 311
• Switch copy running config startup config 311
• Swtich config if switchport private vlan mapping 6 5 311
• The switch requires that only access port can be added to a private vlan 311
• Community gi1 0 3 312
• Gi1 0 3 host 312
• Port type 312
• Primary secondary type ports 312
• Switch config end 312
• Switch config if exit 312
• Switch config if switchport private vlan host 312
• Switch config interface gigabitethernet 1 0 3 312
• Switch config show vlan private vlan 312
• Switch config show vlan private vlan interface gigabitethernet 1 0 3 312
• Switch configure 312
• Switch copy running config startup config 312
• Swtich config if switchport private vlan host association 6 5 community 312
• The following example shows how to configure the port type of port 1 0 3 as host and add it to the private vlan composed of primary vlan 6 and secondary vlan 5 312
• Configuration example 313
• Configuration scheme 313
• Network requirements 313
• Network topology 313
• Configurations for switch a 314
• Creating private vlan 314
• Pvlan config to load the following page create primary vlan 6 and secondary vlan 5 select community as the secondary vlan type click create and primary vlan 6 is paired with secondary vlan 5 similarly create primary vlan 6 and secondary vlan 7 select community as the secondary vlan type click create and primary vlan 6 is paired with secondary vlan 7 314
• Using the gui 314
• Using the cli 316
• Verify the configurations 318
• Appendix default parameters 319
• Default settings of private vlan are listed in the following tables 319
• Chapters 320
• Configuring spanning tree 320
• Part 15 320
• Basic concepts 321
• Overview 321
• Spanning tree 321
• Stp rstp concepts 321
• Bridge id 322
• Port role 322
• Root bridge 322
• Port status 323
• Path cost 324
• Root path cost 324
• Mst instance 325
• Mst region 325
• Mstp concepts 325
• Stp security 326
• Vlan instance mapping 326
• Configuring stp rstp parameters on ports 329
• Stp rstp configurations 329
• Using the gui 329
• Click apply 331
• Configuring stp rstp globally 331
• Stp config to load the following page 331
• Follow these steps to configure stp rstp globally 332
• In the global config section enable spanning tree function choose the stp mode as stp rstp and click apply 332
• In the parameters config section configure the global parameters of stp rstp and click apply 332
• Stp summary to load the following page 333
• The stp summary section shows the summary information of spanning tree 333
• Verify the stp rstp information of your switch after all the configurations are finished 333
• Verifying the stp rstp configurations 333
• Configuring stp rstp parameters on ports 334
• Follow these steps to configure stp rstp parameters on ports 334
• Using the cli 334
• Switch config if show spanning tree interface gigabitethernet 1 0 3 335
• Switch config if spanning tree 335
• Switch config if spanning tree common config port priority 32 335
• Switch config interface gigabitethernet 1 0 3 335
• Switch configure 335
• The following example shows how to enable spanning tree function on port 1 0 3 and configure the port priority as 32 335
• Configuring global stp rstp parameters 336
• Follow these steps to configure global stp rstp parameters of the switch 336
• Gi1 0 3 enable 32 auto auto no no auto n a n a lnkdwn 336
• Interface state prio ext cost int cost edge p2p mode role status 336
• Switch config if end 336
• Switch copy running config startup config 336
• Enable rstp 36864 2 12 20 5 20 337
• Enabling stp rstp globally 337
• Follow these steps to configure the spanning tree mode as stp rstp and enable spanning tree function globally 337
• State mode priority hello time fwd time max age hold count max hops 337
• Switch config end 337
• Switch config show spanning tree bridge 337
• Switch config spanning tree priority 36864 337
• Switch config spanning tree timer forward time 12 337
• Switch configure 337
• Switch copy running config startup config 337
• This example shows how to configure the priority of the switch as 36864 the forward delay as 12 seconds 337
• Configuring parameters on ports in cist 339
• Mstp configurations 339
• Using the gui 339
• Besides configure the priority of the switch the priority and path cost of ports in the desired instance 341
• Click apply 341
• Configure the region name revision level vlan instance mapping of the switch the switches with the same region name the same revision level and the same vlan instance mapping are considered as in the same region 341
• Configuring the mstp region 341
• Configuring the region name and revision level 341
• Region config to load the following page 341
• Configuring mstp globally 346
• Follow these steps to configure mstp globally 346
• In the parameters config section configure the global parameters of mstp and click apply 346
• Stp config to load the following page 346
• In the global config section enable spanning tree function and choose the stp mode as mstp and click apply 347
• Stp summary to load the following page 348
• The stp summary section shows the summary information of cist 348
• Verifying the mstp configurations 348
• Configuring parameters on ports in cist 349
• Follow these steps to configure the parameters of the port in cist 349
• The mstp summary section shows the information in mst instances 349
• Using the cli 349
• Switch configure 350
• This example shows how to enable spanning tree function for port 1 0 3 and configure the port priority as 32 350
• Configuring the mst region 351
• Configuring the mstp region 351
• Follow these steps to configure the mst region and the priority of the switch in the instance 351
• Gi1 0 3 144 200 n a lnkdwn 351
• Gi1 0 3 enable 32 auto auto no no auto n a n a lnkdwn 351
• Interface prio cost role status 351
• Interface state prio ext cost int cost edge p2p mode role status 351
• Mst instance 0 cist 351
• Mst instance 5 351
• Switch config if end 351
• Switch config if show spanning tree interface gigabitethernet 1 0 3 351
• Switch config if spanning tree 351
• Switch config if spanning tree common config port priority 32 351
• Switch config interface gigabitethernet 1 0 3 351
• Switch copy running config startup config 351
• Region name r1 352
• Revision 100 352
• Switch config mst instance 5 vlan 2 6 352
• Switch config mst name r1 352
• Switch config mst revision 100 352
• Switch config mst show spanning tree mst configuration 352
• Switch config spanning tree mst configuration 352
• Switch configure 352
• This example shows how to create an mst region of which the region name is r1 the revision level is 100 and vlan 2 vlan 6 are mapped to instance 5 352
• 7 4094 353
• Configuring the parameters on ports in instance 353
• Follow these steps to configure the priority and path cost of ports in the specified instance 353
• Mst instance vlans mapped 353
• Switch config mst end 353
• Switch copy running config startup config 353
• Configuring global mstp parameters 354
• Switch config if spanning tree timer forward time 12 355
• Switch config spanning tree priority 36864 355
• Switch configure 355
• This example shows how to configure the cist priority as 36864 the forward delay as 12 seconds the hold count as 8 and the max hop as 25 355
• Enable mstp 36864 2 12 20 8 25 356
• Enabling spanning tree globally 356
• Follow these steps to configure the spanning tree mode as mstp and enable spanning tree function globally 356
• Spanning tree is enabled 356
• State mode priority hello time fwd time max age hold count max hops 356
• Switch config if end 356
• Switch config if show spanning tree bridge 356
• Switch config if spanning tree hold count 8 356
• Switch config if spanning tree max hops 25 356
• Switch config show spanning tree active 356
• Switch config spanning tree 356
• Switch config spanning tree mode mstp 356
• Switch configure 356
• Switch copy running config startup config 356
• This example shows how to configure the spanning tree mode as mstp and enable spanning tree function globally 356
• Stp security configurations 359
• Using the gui 359
• Follow these steps to configure the root protect feature bpdu protect feature and bpdu filter feature for ports 360
• Using the cli 360
• Featur 361
• Switch config interface gigabitethernet 1 0 3 361
• Switch configure 361
• This example shows how to enable loop protect root protect bpdu filter and bpdu protect functions on port 1 0 3 361
• As shown in figure 5 1 the network consists of three switches traffic in vlan 101 vlan 106 is transmitted in this network the link speed between the switches is 100mb s the default path cost of the port is 200000 363
• Configuration example for mstp 363
• Configuration scheme 363
• Here we configure two instances to meet the requirement as is shown below 363
• It is required that traffic in vlan 101 vlan 103 and traffic in vlan 104 vlan 106 should be transmitted along different paths 363
• Mstp backwards compatible with stp and rstp can map vlans to instances to enable load balancing thus providing a more flexible method in network management here we take the mstp configuration as an example 363
• Network requirements 363
• To meet this requirement you are suggested to configure mstp function on the switches map the vlans to different instances to ensure traffic can be transmitted along the respective instance 363
• Using the gui 364
• Instance port config to load the following page set the path cost of port 1 0 1 in instance 1 as 400000 366
• Instance port config to load the following page set the path cost of port 1 0 2 in instance 2 as 400000 370
• Using the cli 375
• Verify the configurations 377
• Appendix default parameters 382
• Default settings of the spanning tree feature are listed in the following table 382
• Chapters 384
• Configuring oam 384
• Part 16 384
• Ethernet oam 385
• Oam connection 385
• Oam entity 385
• Oampdus 385
• Overview 385
• As the above figure shows the oam entity on switch a is in active mode and that on switch b is in passive mode switch a initiates an oam connection by sending an information oampdu switch b compares the oam information in the received oampdu with its own and sends back an information oampdu to switch a if the oam information of the two entities matches an oam connection will be established after that the two oam entities will exchange information oampdus periodically to keep the oam connection valid 386
• Link monitoring 386
• Link monitoring is for monitoring link performance under various circumstances when problems are detected on the link the oam entity will send its remote peer the event notification oampdus to report link events 386
• Supported features 386
• The link events are described as follows 386
• The switch supports the following oam features link monitoring remote failure indication rfi and remote loopback 386
• As the above figure shows the oam connection has been established between the two entities the oam entity on switch a is in active mode and that on switch b is in passive mode 387
• Critical event unspecified critical event occurs 387
• Dying gasp an unrecoverable fault such as power failure occurs 387
• Remote failure indication 387
• Remote loopback 387
• With remote failure indication an oam entity can send the failure conditions of the link such as disruption in traffic because of the device failure to its peer through information oampdus so the network administrator can get informed of the link faults and take action in time the switch supports two kinds of failure conditions 387
• With remote loopback administrators can test the link performance like delay jitter and frame loss rate during installation or for troubleshooting 387
• Enabling oam and configuring oam mode 389
• Ethernet oam configurations 389
• Using the gui 389
• Click apply 390
• Configuring link monitoring 390
• Follow these steps to complete the basic oam configuration 390
• Link monitoring to load the following page 390
• Select one or more ports configure the oam mode and enable oam 390
• Click apply 391
• Follow these steps to configure link monitoring 391
• In the current link event section select a link event type to be configured 391
• In the link monitoring config section select one or more ports and configure the threshold and period for the selected link event 391
• Click apply 392
• Configuring rfi 392
• Follow these steps to configure remote failure indication 392
• Remote failure indication config to load the following page 392
• Select one or more ports and configure the dying gasp notify and critical event notify features 392
• Click apply 393
• Configuring remote loopback 393
• Follow these steps to configure remote loopback 393
• Remote loopback to load the following page 393
• Select one or more ports and configure the relevant options 393
• Discovery info to load the following page 394
• Select a port to view whether the oam connection is established with the peer additionally you can view the oam information of the local and the remote entities 394
• The oam information of the local entity is as follows 394
• Viewing oam status 394
• The oam information of the remote entity is as follows 395
• Enabling oam and configuring oam mode 396
• Follow these steps to enable oam and configure oam mode on the port 396
• Using the cli 396
• Configuring link monitoring 397
• Gi1 0 1 398
• Notify state enabled 398
• Switch config if end 398
• Switch config if ethernet oam link monitor symbol period threshold 1 window 10 notify enable 398
• Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 398
• Switch config interface gigabitethernet 1 0 1 398
• Switch configure 398
• Symbol period error 398
• The following example shows how to enable frame error notifying and configure the threshold as 1 and the window as 1000 ms 10 100 ms on port 1 0 1 398
• Threshold 1 error symbol 398
• Window 1000 milliseconds 398
• Configuring frame error 399
• Follow these steps to configure frame error 399
• Switch config if ethernet oam link monitor frame threshold 1 window 20 notify enable 399
• Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 399
• Switch config interface gigabitethernet 1 0 1 399
• Switch configure 399
• Switch copy running config startup config 399
• The following example shows how to enable frame error notifying and configure the threshold as 1 and the window as 2000 ms 20 100 ms on port 1 0 1 399
• With frame error enabled a frame error event occurs if the number of frame errors exceeds the defined threshold within a specific period of time 399
• Configuring frame period error 400
• Follow these steps to configure frame period error 400
• Frame error 400
• Gi1 0 1 400
• Notify state enabled 400
• Switch config if end 400
• Switch copy running config startup config 400
• Threshold 1 error frame 400
• Window 2000 milliseconds 400
• With frame period error enabled a frame period error event occurs if the number of frame errors in specific number of received frames exceeds the defined threshold 400
• Frame seconds error 402
• Gi1 0 1 402
• Notify state enabled 402
• Switch config if end 402
• Switch config if ethernet oam link monitor frame seconds threshold 1 window 800 notify enable 402
• Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 402
• Switch config interface gigabitethernet 1 0 1 402
• Switch configure 402
• The following example shows how to enable frame seconds error notifying and configure the threshold as 1 and the window as 80000 ms 800 100 ms on port 1 0 1 402
• Threshold 1 error seconds 402
• Window 80000 milliseconds 402
• Configuring remote failure indication 403
• Follow these steps to configure remote failure indication 403
• Switch config if ethernet oam dying gasp notify enable 403
• Switch config if ethernet oam remote failure notify enable 403
• Switch config if show ethernet oam configuration interface gigabitethernet 1 0 1 403
• Switch config interface gigabitethernet 1 0 1 403
• Switch configure 403
• Switch copy running config startup config 403
• The following example shows how to enable dying gasp and critical event on port 1 0 1 403
• Configuring remote loopback 404
• Critical event enabled 404
• Dying gasp enabled 404
• Follow these steps to configure remote loopback 404
• Gi1 0 1 404
• Switch config if end 404
• Switch config interface gigabitethernet 1 0 1 404
• Switch configure 404
• Switch copy running config startup config 404
• The following example shows how to start the oam remote loopback mode of the peer on port 1 0 1 404
• On privileged exec mode or any other configuration mode you can use the following command to view whether the oam connection is established with the peer additionally you can view the oam information of the local entity and the remote entity 405
• Switch config if ethernet oam remote loopback start 405
• Verifying oam connection 405
• Gi1 0 1 406
• Local client 406
• Max oampdu 1518 bytes 406
• Mode active 406
• Oam enabled 406
• Remote loopback supported 406
• Switch config show ethernet oam status interface gigabitethernet 1 0 1 406
• The following example shows how to view the oam status of port 1 0 1 406
• Unidirection not supported 406
• Using the gui 408
• Viewing oam statistics 408
• Viewing oampdus 408
• Event log to load the following page 410
• Select a port and view the local and remote event logs on this port in the event log statistics section 410
• Viewing event logs 410
• Additionally you can view the detailed information of the event logs in the event log table section 411
• Gi1 0 1 411
• Information oampdu rx 28 411
• Information oampdu tx 28 411
• On privileged exec mode or any other configuration mode you can use the following command to view the number of oampdus received and sent on the specified port 411
• Switch show ethernet oam statistics interface gigabitethernet 1 0 1 411
• The following example shows how to view the transmitted and received oamdpus on port 1 0 1 411
• Unique event notification oampdu rx 0 411
• Unique event notification oampdu tx 0 411
• Using the cli 411
• Viewing oampdus 411
• Critical event remote 2016 01 01 08 08 00 413
• Event listing 413
• Gi1 0 1 413
• Local event statistics 413
• On privileged exec mode or any other configuration mode you can use the following command to view the local and remote event logs on the specified port 413
• Switch show ethernet oam event log interface gigabitethernet 1 0 1 413
• The following example shows how to view the event logs on port 1 0 1 413
• Type location time stamp 413
• Viewing event logs 413
• Configuration example 415
• Configuration scheme 415
• Network requirements 415
• Using the gui 415
• Using the cli 420
• Verify the configuration 421
• Critical event 1 424
• Appendix default parameters 425
• Default settings of ethernet oam are listed in the following tables 425
• Chapters 426
• Configuring layer 2 multicast 426
• Part 17 426
• Layer 2 multicast 427
• Overview 427
• Configuration guide 397 428
• Configuring layer 2 multicast layer 2 multicast 428
• Demonstrated as below 428
• Figure 1 1 igmp snooping 428
• Layer 2 multicast protocol for ipv4 igmp snooping 428
• Layer 2 multicast protocol for ipv6 mld snooping 428
• On the layer 2 device igmp snooping transmits data on demand on data link layer by analyzing igmp packets between layer 3 devices and users to build and maintain layer 2 multicast forwarding table 428
• On the layer 2 device mld snooping multicast listener discovery snooping transmits data on demand on data link layer by analyzing igmp packets between layer 3 devices and users to build and maintain layer 2 multicast forwarding table 428
• Supported layer 2 multicast protocols 428
• Configuring igmp snooping globally 429
• Igmp snooping configurations 429
• Using the gui 429
• Click apply 430
• Configure unknown multicast as forward or discard 430
• Configuring router port time and member port time 430
• Enable or disable report message suppression globally 430
• Enabling report message suppression can reduce the number of packets in the network 430
• Follow these steps to configure report message suppression 430
• Follow these steps to configure the aging time of the router ports and the member ports 430
• Follow these steps to configure unknown multicast 430
• Optional configuring report message suppression 430
• Snooping config page at the same time 430
• Specify the aging time of the member ports 430
• Specify the aging time of the router ports 430
• Click apply 431
• Configure the last listener query interval and last listener query count when the switch receives an igmp leave message if specified count of multicast address specific queries masqs are sent and no report message is received the switch will delete the multicast address from the multicast forwarding table 431
• Configuring igmp snooping last listener query 431
• Follow these steps to configure last listener query interval and last listener query count in the global config section 431
• Igmp snooping status table displays vlans and ports with igmp snooping enabled 431
• Specify the interval between masqs 431
• Specify the number of masqs to be sent 431
• Verifying igmp snooping status 431
• Configuring the port s basic igmp snooping features 432
• Enabling igmp snooping on the port 432
• Optional configuring fast leave 432
• Configuring igmp snooping globally in the vlan 433
• Configuring igmp snooping in the vlan 433
• Click create 434
• Configure the forbidden router ports in the designate vlan 434
• Configure the router ports in the designate vlan 434
• Configuring the multicast vlan 434
• Follow these steps to configure static router ports in the designate vlan 434
• Follow these steps to forbid the selected ports to be the router ports in the designate vlan 434
• In old multicast transmission mode when users in different vlans apply for data from the same multicast group the layer 3 device will duplicate this multicast data and deliver copies to the layer 2 devices 434
• Optional configuring the forbidden router ports in the vlan 434
• Optional configuring the static router ports in the vlan 434
• With multicast vlan configured all multicast group members will be added to a vlan layer 3 device only need to send one piece of multicast data to a layer 2 device and the layer 2 device will send the data to all member ports of the vlan in this way multicast vlan saves bandwidth and reduces network load of layer 3 devices 434
• Creating multicast vlan and configuring basic settings 435
• Enable multicast vlan configure the specific vlan to be the multicast vlan and configure the router port time and member port time 435
• In the multicast vlan section follow these steps to enable multicast vlan and to finish the basic settings 435
• Multicast vlan to load the following page 435
• Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan 435
• Click apply 436
• Configure the new multicast source ip 436
• Configure the router ports in the designate vlan 436
• Configure the router ports in the multicast vlan 436
• Follow these steps to configure static router ports in the multicast vlan 436
• Follow these steps to forbid the selected ports to be the router ports in the multicast vlan 436
• Optional configuring the forbidden router ports 436
• Optional configuring the static router ports 436
• Optional creating replace source ip 436
• This function allows you to use a new ip instead of the source ip to send data to multicast group members in the multicast vlan section follow these steps to configure replace source ip 436
• This table displays all the dynamic router ports in the multicast vlan 436
• Viewing dynamic router ports in the multicast vlan 436
• Click add 437
• Configuring the querier 437
• Follow these steps to configure the querier 437
• Optional configuring the querier 437
• Querier config to load the following page 437
• Specify a vlan and configure the querier on this vlan 437
• The igmp snooping querier table displays all the related settings of the igmp querier 437
• Viewing settings of igmp querier 437
• You can edit the settings in the igmp snooping querier table 437
• Click create 438
• Configuring igmp profile 438
• Create a profile and configure its filtering mode 438
• Creating profile 438
• Enter the search condition in the search option field to search the profile in the igmp profile info table 438
• Follow these steps to create a profile and configure its filtering mode 438
• Profile config to load the following page 438
• Searching profile 438
• Binding profile and member ports 439
• Click edit in the igmp profile info table edit its ip range and click add to save the settings 439
• Click submit to save the settings click back to go back to the previous page 439
• Editing ip range of the profile 439
• Follow these steps to edit profile mode and its ip range 439
• In the ip range table you can select an ip range and click delete to delete an ip range 439
• Profile binding to load the following page 439
• Binding profile and member ports 440
• Click apply 440
• Configuring max groups a port can join 440
• Follow these steps to bind the profile to the port 440
• Follow these steps to configure the maximum groups a port can join and overflow action 440
• Select a port to configure its max group and overflow action 440
• Select the port to be bound and enter the profile id in the profile id column 440
• Click apply 441
• Configuring auto refresh 441
• Enable or disable auto refresh 441
• Follow these steps to configure auto refresh 441
• Packet statistic to load the following page 441
• Viewing igmp statistics on each port 441
• Click apply 442
• Enabling igmp accounting and authentication 442
• Igmp authentication to load the following 442
• The igmp statistics table displays all kinds of igmp statistics of all the ports 442
• Viewing igmp statistics 442
• Configuring igmp accounting globally 443
• Configuring igmp authentication on the port 443
• Configuring static member port 443
• Click create 444
• Configuring static member port 444
• Enter the multicast ip and vlan id specify the static member port 444
• Follow these steps to configure static member port 444
• Static multicast ip table displays details of all igmp static multicast groups 444
• Viewing igmp static multicast groups 444
• You can search igmp static multicast entries by using multicast ip vlan id or forward port as the search option 444
• Enabling igmp snooping globally 445
• Enabling igmp snooping on the port 445
• Switch config ip igmp snooping 445
• Switch configure 445
• The following example shows how to enable igmp snooping globally and enable igmp snooping on port 1 0 3 445
• Using the cli 445
• Configuring igmp snooping parameters globally 446
• Configuring report message suppression 446
• Enable port gi1 0 3 446
• Enable vlan 446
• Global authentication accounting disable 446
• Global member age time 260 446
• Global report suppression disable 446
• Global router age time 300 446
• Igmp snooping enable 446
• Last query interval 1 446
• Last query times 2 446
• Switch config if end 446
• Switch config if ip igmp snooping 446
• Switch config if show ip igmp snooping 446
• Switch config interface gigabitethernet 1 0 3 446
• Switch copy running config startup config 446
• Unknown multicast pass 446
• Configuring unknown multicast 447
• Enable port 447
• Enable vlan 447
• Global authentication accounting disable 447
• Global member age time 260 447
• Global report suppression enable 447
• Global router age time 300 447
• Igmp snooping enable 447
• Last query interval 1 447
• Last query times 2 447
• Switch config if end 447
• Switch config ip igmp snooping 447
• Switch config ip igmp snooping report suppression 447
• Switch config show ip igmp snooping 447
• Switch configure 447
• Switch copy running config startup config 447
• The following example shows how to enable report message suppression 447
• Unknown multicast pass 447
• Configuring igmp snooping parameters on the port 448
• Configuring router port time and member port time 448
• Configuring fast leave 449
• Enable port 449
• Enable vlan 449
• Global authentication accounting disable 449
• Global member age time 200 449
• Global report suppression disable 449
• Global router age time 200 449
• Igmp snooping enable 449
• Last query interval 1 449
• Last query times 2 449
• Switch config if end 449
• Switch config ip igmp snooping 449
• Switch config ip igmp snooping mtime 200 449
• Switch config ip igmp snooping rtime 200 449
• Switch config show ip igmp snooping 449
• Switch configure 449
• Switch copy running config startup config 449
• The following example shows how to configure the global router port time and member port time as 200 seconds 449
• Unknown multicast pass 449
• Configuring max group and overflow action on the port 450
• Gi1 0 3 enable enable 450
• Port igmp snooping fast leave 450
• Switch config if end 450
• Switch config if ip igmp snooping 450
• Switch config if ip igmp snooping immediate leave 450
• Switch config if show ip igmp snooping interface gigabitethernet 1 0 3 basic config 450
• Switch config interface gigabiteternet 1 0 3 450
• Switch config ip igmp snooping 450
• Switch configure 450
• Switch copy running config startup config 450
• The following example shows how to enable fast leave on port 1 0 3 450
• Configuring igmp snooping last listener query 451
• Gi1 0 3 500 drop 451
• Port max groups overflow action 451
• Switch config if end 451
• Switch config if ip igmp snooping 451
• Switch config if ip igmp snooping max groups 500 451
• Switch config if ip igmp snooping max groups action drop 451
• Switch config if show ip igmp snooping interface gigabitethernet 1 0 3 max groups 451
• Switch config interface gigabiteternet 1 0 3 451
• Switch config ip igmp snooping 451
• Switch configure 451
• Switch copy running config startup config 451
• The following example shows how to configure the max group as 500 and the overflow action as drop on port 1 0 3 451
• Enable port 452
• Enable vlan 452
• Global authentication accounting disable 452
• Global member age time 260 452
• Global report suppression disable 452
• Global router age time 300 452
• Igmp snooping enable 452
• Last query interval 5 452
• Last query times 5 452
• Switch config end 452
• Switch config ip igmp snooping 452
• Switch config ip igmp snooping last listener query count 5 452
• Switch config ip igmp snooping last listener query interval 5 452
• Switch config show ip igmp snooping 452
• Switch configure 452
• Switch copy running config startup config 452
• The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds 452
• Unknown multicast pass 452
• Configuring igmp snooping parameters in the vlan 453
• Configuring router port time and member port time 453
• Dynamic router port none 453
• Forbidden router port none 453
• Member time 400 453
• Router time 500 453
• Static router port none 453
• Switch config ip igmp snooping 453
• Switch config ip igmp snooping vlan config 2 3 mtime 400 453
• Switch config ip igmp snooping vlan config 2 3 rtime 500 453
• Switch config show ip igmp snooping vlan 2 453
• Switch config show ip igmp snooping vlan 3 453
• Switch configure 453
• The following example shows how to enable igmp snooping in vlan 2 and vlan 3 configure the router port time as 500 seconds and the member port time as 400 seconds 453
• Vlan id 2 453
• Vlan id 3 453
• Configuring static router port 454
• Dynamic router port none 454
• Forbidden router port none 454
• Member time 0 454
• Member time 400 454
• Router time 0 454
• Static router port gi1 0 2 454
• Static router port none 454
• Switch config end 454
• Switch config ip igmp snooping 454
• Switch config ip igmp snooping vlan config 2 rport interface gigabitethernet 1 0 2 454
• Switch config show ip igmp snooping vlan 2 454
• Switch configure 454
• Switch copy running config startup config 454
• The following example shows how to enable igmp snooping in vlan 2 and configure port 1 0 2 as the static router port 454
• Vlan id 2 454
• Configuring forbidden router port 455
• Dynamic router port none 455
• Forbidden router port gi1 0 4 6 455
• Member time 0 455
• Router time 0 455
• Static router port none 455
• Switch config end 455
• Switch config ip igmp snooping 455
• Switch config ip igmp snooping vlan config 2 router ports forbidden interface gigabitethernet 1 0 4 6 455
• Switch config show ip igmp snooping vlan 2 455
• Switch configure 455
• Switch copy running config startup config 455
• The following example shows how to enable igmp snooping in vlan 2 and forbid port 1 0 4 6 from becoming router ports port 1 0 4 6 will drop all multicast data from layer 3 devices 455
• Vlan id 2 455
• 2 static gi1 0 9 10 456
• Configuring igmp snooping parameters in the multicast vlan 456
• Configuring router port time and member port time 456
• Configuring static multicast multicast ip and forward port 456
• Multicast ip vlan id addr type switch port 456
• Switch config end 456
• Switch config ip igmp snooping 456
• Switch config ip igmp snooping vlan config 2 static 226 interface gigabitethernet 1 0 9 10 456
• Switch config show ip igmp snooping groups static 456
• Switch configure 456
• Switch copy running config startup config 456
• The following example shows how to configure 226 as the static multicast ip and specify port 1 0 9 10 as the forward ports 456
• Configuring static router port 457
• Dynamic router port none 457
• Forbidden router port none 457
• Member time 400 457
• Multicast vlan enable 457
• Replace source ip 0 457
• Router time 500 457
• Static router port none 457
• Switch config end 457
• Switch config ip igmp snooping 457
• Switch config ip igmp snooping multi vlan config 5 mtime 400 457
• Switch config ip igmp snooping multi vlan config 5 rtime 500 457
• Switch config show ip igmp snooping multi vlan 457
• Switch configure 457
• Switch copy running config startup config 457
• The following example shows how to configure vlan 5 as the multicast vlan set the router port time as 500 seconds and the member port time as 400 seconds 457
• Vlan id 5 457
• Configuring forbidden router port 458
• Dynamic router port none 458
• Forbidden router port none 458
• Member time 260 458
• Multicast vlan enable 458
• Replace source ip 0 458
• Router time 300 458
• Static router port gi1 0 5 458
• Switch config end 458
• Switch config ip igmp snooping 458
• Switch config ip igmp snooping multi vlan config 5 rport interface gigabitethernet 1 0 5 458
• Switch config show ip igmp snooping multi vlan 458
• Switch configure 458
• Switch copy running config startup config 458
• The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 5 as the static router port 458
• Vlan id 5 458
• Configuring replace source ip 459
• Dynamic router port none 459
• Forbidden router port gi1 0 6 459
• Member time 260 459
• Multicast vlan enable 459
• Replace source ip 0 459
• Router time 300 459
• Static router port none 459
• Switch config end 459
• Switch config ip igmp snooping 459
• Switch config ip igmp snooping multi vlan config 5 router ports forbidden interface gigabitethernet 1 0 6 459
• Switch config show ip igmp snooping multi vlan 459
• Switch configure 459
• Switch copy running config startup config 459
• The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 6 as the forbidden router port 459
• Vlan id 5 459
• Configuring the querier 460
• Dynamic router port none 460
• Enabling igmp querier 460
• Forbidden router port none 460
• Member time 260 460
• Multicast vlan enable 460
• Replace source ip 192 68 460
• Router time 300 460
• Static router port none 460
• Switch config end 460
• Switch config ip igmp snooping 460
• Switch config ip igmp snooping multi vlan config 5 replace sourceip 192 68 460
• Switch config show ip igmp snooping multi vlan 460
• Switch configure 460
• Switch copy running config startup config 460
• The following example shows how to configure vlan 5 as the multicast vlan and replace the source ip in the igmp packets sent by the switch with 192 68 460
• Vlan id 5 460
• Configuring query interval max response time and general query source ip 461
• General query source ip 192 68 461
• Maximum response time 10 461
• Query interval 60 461
• Switch config end 461
• Switch config ip igmp snooping 461
• Switch config ip igmp snooping querier vlan 4 461
• Switch config show ip igmp snooping querier 461
• Switch configure 461
• Switch copy running config startup config 461
• The following example shows how to enable igmp snooping and igmp querier in vlan 4 461
• Vlan 4 461
• Configuring multicast filtering 462
• Creating profile 462
• Binding profile to the port 463
• Igmp profile 1 463
• Range 226 226 0 463
• Switch config end 463
• Switch config igmp profile deny 463
• Switch config igmp profile range 226 226 0 463
• Switch config igmp profile show ip igmp profile 463
• Switch config ip igmp profile 1 463
• Switch config ip igmp snooping 463
• Switch configure 463
• Switch copy running config startup config 463
• The following example shows how to configure profile 1 so that the switch filters multicast data sent to 226 226 0 463
• Binding port s 464
• Gi1 0 2 464
• Igmp profile 1 464
• Range 226 226 0 464
• Switch config end 464
• Switch config if ip igmp filter 1 464
• Switch config if ip igmp snooping 464
• Switch config if show ip igmp profile 464
• Switch config igmp profile deny 464
• Switch config igmp profile exit 464
• Switch config igmp profile range 226 226 0 464
• Switch config interface gigabitethernet 1 0 2 464
• Switch config ip igmp profile 1 464
• Switch config ip igmp snooping 464
• Switch configure 464
• Switch copy running config startup config 464
• The following example shows how to bind profile 1 to port 1 0 2 so that port 1 0 2 filters multicast data sent to 226 226 0 464
• Enabling igmp accounting and authentication 465
• Enabling igmp authentication on the port 465
• Gi1 0 2 enable 465
• Port igmp authentication 465
• Switch config end 465
• Switch config if ip igmp snooping 465
• Switch config if ip igmp snooping authentication 465
• Switch config if show ip igmp snooping interface gigabitethernet 1 0 2 authentication 465
• Switch config interface gigabitethernet 1 0 2 465
• Switch config ip igmp snooping 465
• Switch configure 465
• Switch copy running config startup config 465
• The following example shows how to enable igmp authentication on port 1 0 2 465
• Enabling igmp accounting globally 466
• Configuring mld snooping 467
• Configuring mld snooping globally 467
• Using the gui 467
• Click apply 468
• Configure unknown multicast as forward or discard 468
• Configuring router port time and member port time 468
• Enable or disable report message suppression globally 468
• Enabling report message suppression can reduce the number of packets in the network 468
• Follow these steps to configure report message suppression 468
• Follow these steps to configure the aging time of the router ports and the member ports 468
• Follow these steps to configure unknown multicast 468
• Optional configuring report message suppression 468
• Snooping config page at the same time 468
• Specify the aging time of the member ports 468
• Specify the aging time of the router ports 468
• Click apply 469
• Configure the last listener query interval and last listener query count when the switch receives an mld leave message if specified count of multicast address specific queries masqs are sent and no report message is received the switch will delete the multicast address from the multicast forwarding table 469
• Configuring mld snooping last listener query 469
• Follow these steps to configure last listener query interval and last listener query count in the global config section 469
• Mld snooping status table displays vlans and ports with mld snooping enabled 469
• Specify the interval between masqs 469
• Specify the number of masqs to be sent 469
• Verifying mld snooping status 469
• Configuring the port s basic mld snooping features 470
• Enabling mld snooping on the port 470
• Optional configuring fast leave 470
• Configuring mld snooping globally in the vlan 471
• Configuring mld snooping in the vlan 471
• Click create 472
• Configure the forbidden router ports in the designate vlan 472
• Configure the router ports in the designate vlan 472
• Configuring the multicast vlan 472
• Follow these steps to configure static router ports in the designate vlan 472
• Follow these steps to forbid the selected ports to be the router ports in the designate vlan 472
• In old multicast transmission mode when users in different vlans apply for data from the same multicast group the layer 3 device will duplicate this multicast data and deliver copies to the layer 2 devices 472
• Optional configuring the forbidden router ports in the vlan 472
• Optional configuring the static router ports in the vlan 472
• With multicast vlan configured all multicast group members will be added to a vlan layer 3 device only need to send one piece of multicast data to a layer 2 device and the layer 2 device will send the data to all member ports of the vlan in this way multicast vlan saves bandwidth and reduces network load of layer 3 devices 472
• Creating multicast vlan and configuring basic settings 473
• Enable multicast vlan configure the specific vlan to be the multicast vlan and configure the router port time and member port time 473
• In the multicast vlan section follow these steps to enable multicast vlan and to finish the basic settings 473
• Multicast vlan to load the following page 473
• Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan 473
• Click apply 474
• Configure the new multicast source ip 474
• Configure the router ports in the designate vlan 474
• Configure the router ports in the multicast vlan 474
• Follow these steps to configure static router ports in the multicast vlan 474
• Follow these steps to forbid the selected ports to be the router ports in the multicast vlan 474
• Optional configuring the forbidden router ports 474
• Optional configuring the static router ports 474
• Optional creating replace source ip 474
• This function allows you to use a new ip instead of the source ip to send data to multicast group members in the multicast vlan section follow these steps to configure replace source ip 474
• This table displays all the dynamic router ports in the multicast vlan 474
• Viewing dynamic router ports in the multicast vlan 474
• Click add 475
• Configuring the querier 475
• Follow these steps to configure the querier 475
• Optional configuring the querier 475
• Querier config to load the following page 475
• Specify a vlan and configure the querier on this vlan 475
• The mld snooping querier table displays all the related settings of the mld querier 475
• Viewing settings of mld querier 475
• You can edit the settings in the mld snooping querier table 475
• Click create 476
• Configuring mld profile 476
• Create a profile and configure its filtering mode 476
• Creating profile 476
• Enter the search condition in the search option field to search the profile in the mld profile info table 476
• Follow these steps to create a profile and configure its filtering mode 476
• Profile config to load the following page 476
• Searching profile 476
• Editing ip range of the profile 477
• Binding profile and member ports 478
• Click apply 478
• Follow these steps to bind the profile to the port 478
• Profile binding to load the following page 478
• Select the port to be bound and enter the profile id in the profile id column 478
• Click apply 479
• Configuring max groups a port can join 479
• Follow these steps to configure the maximum groups a port can join and overflow action 479
• Select a port to configure its max group and overflow action 479
• Click apply 480
• Configuring auto refresh 480
• Enable or disable auto refresh 480
• Follow these steps to configure auto refresh 480
• Packet statistic to load the following page 480
• The mld statistics table displays all kinds of mld statistics of all the ports 480
• Viewing mld statistics 480
• Viewing mld statistics on each port 480
• Configuring static member port 481
• Viewing mld static multicast groups 481
• Enabling mld snooping globally 482
• Enabling mld snooping on the port 482
• Switch config interface gigabitethernet 1 0 3 482
• Switch config ipv6 mld snooping 482
• The following example shows how to enable mld snooping globally and enable mld snooping switch configure 482
• Using the cli 482
• Configuring mld snooping parameters globally 483
• Configuring report message suppression 483
• Enable port gi1 0 3 483
• Enable vlan 483
• Global member age time 260 483
• Global report suppression disable 483
• Global router age time 300 483
• Last query interval 1 483
• Last query times 2 483
• Mld snooping enable 483
• Switch config if end 483
• Switch config if ipv6 mld snooping 483
• Switch config if show ipv6 mld snooping 483
• Switch config ipv6 mld snooping 483
• Switch configure 483
• Switch copy running config startup config 483
• The following example shows how to enable report message suppression 483
• Unknown multicast pass 483
• Configuring unknown multicast 484
• Enable port 484
• Enable vlan 484
• Global member age time 260 484
• Global report suppression enable 484
• Global router age time 300 484
• Igmp snooping and mld snooping share the setting of unknown multicast so you have to enable igmp snooping globally at the same time 484
• Last query interval 1 484
• Last query times 2 484
• Mld snooping enable 484
• Switch config end 484
• Switch config ipv6 mld snooping 484
• Switch config ipv6 mld snooping report suppression 484
• Switch config show ipv6 mld snooping 484
• Switch configure 484
• Switch copy running config startup config 484
• The following example shows how to configure the switch to discard unknown multicast data 484
• Unknown multicast pass 484
• Configuring mld snooping parameters on the port 485
• Configuring router port time and member port time 485
• Enable port 485
• Enable vlan 485
• Global member age time 260 485
• Global report suppression disable 485
• Global router age time 300 485
• Last query interval 1 485
• Last query times 2 485
• Mld snooping enable 485
• Switch config end 485
• Switch config ip igmp snooping 485
• Switch config ipv6 mld snooping drop unknown 485
• Switch config show ipv6 mld snooping 485
• Switch configure 485
• Switch copy running config startup config 485
• The following example shows how to configure the global router port time and member port time as 200 seconds 485
• Unknown multicast discard 485
• Configuring fast leave 486
• Enable port 486
• Enable vlan 486
• Global member age time 200 486
• Global report suppression disable 486
• Global router age time 200 486
• Last query interval 1 486
• Last query times 2 486
• Mld snooping enable 486
• Switch config end 486
• Switch config ipv6 mld snooping 486
• Switch config ipv6 mld snooping mtime 200 486
• Switch config ipv6 mld snooping rtime 200 486
• Switch config show ipv6 mld snooping 486
• Switch copy running config startup config 486
• Unknown multicast pass 486
• Configuring max group and overflow action on the port 487
• Gi1 0 3 enable enable 487
• Port mld snooping fast leave 487
• Switch config if end 487
• Switch config if ipv6 mld snooping 487
• Switch config if ipv6 mld snooping immediate leave 487
• Switch config if show ipv6 mld snooping interface gigabitethernet 1 0 3 basic config 487
• Switch config interface gigabiteternet 1 0 3 487
• Switch config ipv6 mld snooping 487
• Switch configure 487
• Switch copy running config startup config 487
• The following example shows how to enable fast leave on port 1 0 3 487
• Configuring mld snooping last listener query 488
• Gi1 0 3 500 drop 488
• Port max groups overflow action 488
• Switch config if end 488
• Switch config if ipv6 mld snooping 488
• Switch config if ipv6 mld snooping max groups 500 488
• Switch config if ipv6 mld snooping max groups action drop 488
• Switch config if show ipv6 mld snooping interface gigabitethernet 1 0 3 max groups 488
• Switch config interface gigabiteternet 1 0 3 488
• Switch config ipv6 mld snooping 488
• Switch configure 488
• Switch copy running config startup config 488
• The following example shows how to configure the max group as 500 and the overflow action as drop on port 1 0 3 488
• Configuring mld snooping parameters in the vlan 489
• Configuring router port time and member port time 489
• Enable port 489
• Enable vlan 489
• Global member age time 260 489
• Global report suppression disable 489
• Global router age time 300 489
• Last query interval 5 489
• Last query times 5 489
• Mld snooping enable 489
• Switch config end 489
• Switch config ipv6 mld snooping 489
• Switch config ipv6 mld snooping last listener query count 5 489
• Switch config ipv6 mld snooping last listener query interval 5 489
• Switch config show ipv6 mld snooping 489
• Switch configure 489
• Switch copy running config startup config 489
• The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds 489
• Unknown multicast pass 489
• Configuring static router port 490
• Configuring forbidden router port 491
• Dynamic router port none 491
• Forbidden router port none 491
• Member time 0 491
• Router time 0 491
• Static router port gi1 0 2 491
• Switch config end 491
• Switch config ipv6 mld snooping 491
• Switch config ipv6 mld snooping vlan config 2 rport interface gigabitethernet 1 0 2 491
• Switch config show ipv6 mld snooping vlan 2 491
• Switch configure 491
• Switch copy running config startup config 491
• The following example shows how to enable mld snooping in vlan 2 and configure port 1 0 2 as the static router port 491
• Vlan id 2 491
• Configuring static multicast multicast ip and forward port 492
• Dynamic router port none 492
• Forbidden router port gi1 0 4 6 492
• Member time 0 492
• Router time 0 492
• Static router port none 492
• Switch config 492
• Switch config end 492
• Switch config ipv6 mld snooping 492
• Switch config ipv6 mld snooping vlan config 2 router ports forbidden interface gigabitethernet 1 0 4 6 492
• Switch config show ipv6 mld snooping vlan 2 492
• Switch copy running config startup config 492
• The following example shows how to enable mld snooping in vlan 2 and forbid port 1 0 4 6 from becoming router ports port 1 0 4 6 will drop all multicast data from layer 3 devices 492
• Vlan id 2 492
• Configuring mld snooping parameters in the multicast vlan 493
• Configuring router port time and member port time 493
• Ff01 1234 02 2 static gi1 0 9 10 493
• Multicast ip vlan id addr type switch port 493
• Switch config end 493
• Switch config ipv6 mld snooping 493
• Switch config ipv6 mld snooping vlan config 2 static ff01 1234 02 interface gigabitethernet 1 0 9 10 493
• Switch config show ipv6 mld snooping groups static 493
• Switch configure 493
• Switch copy running config startup config 493
• The following example shows how to configure ff01 1234 02 as the static multicast ip and specify port 1 0 9 10 as the forward ports 493
• Configuring static router port 494
• Dynamic router port none 494
• Forbidden router port none 494
• Member time 400 494
• Multicast vlan enable 494
• Replace source ip 494
• Router time 500 494
• Static router port none 494
• Switch config end 494
• Switch config ipv6 mld snooping 494
• Switch config ipv6 mld snooping multi vlan config 5 mtime 400 494
• Switch config ipv6 mld snooping multi vlan config 5 rtime 500 494
• Switch config show ipv6 mld snooping multi vlan 494
• Switch configure 494
• Switch copy running config startup config 494
• The following example shows how to configure vlan 5 as the multicast vlan set the router port time as 500 seconds and the member port time as 400 seconds 494
• Vlan id 5 494
• Configuring forbidden router port 495
• Dynamic router port none 495
• Forbidden router port none 495
• Member time 260 495
• Multicast vlan enable 495
• Replace source ip 495
• Router time 300 495
• Static router port gi1 0 5 495
• Switch config end 495
• Switch config ipv6 mld snooping 495
• Switch config ipv6 mld snooping multi vlan config 5 rport interface gigabitethernet 1 0 5 495
• Switch config show ipv6 mld snooping multi vlan 495
• Switch configure 495
• Switch copy running config startup config 495
• The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 5 as the static router port 495
• Vlan id 5 495
• Configuring replace source ip 496
• Dynamic router port none 496
• Forbidden router port gi1 0 6 496
• Member time 260 496
• Multicast vlan enable 496
• Replace source ip 496
• Router time 300 496
• Static router port none 496
• Switch config end 496
• Switch config ipv6 mld snooping 496
• Switch config ipv6 mld snooping multi vlan config 5 router ports forbidden interface gigabitethernet 1 0 6 496
• Switch config show ipv6 mld snooping multi vlan 496
• Switch configure 496
• Switch copy running config startup config 496
• The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 6 as the forbidden router port 496
• Vlan id 5 496
• Configuring the querier 497
• Dynamic router port none 497
• Enabling mld querier 497
• Forbidden router port none 497
• Member time 260 497
• Multicast vlan enable 497
• Replace source ip fe80 2ff ffff fe00 1 497
• Router time 300 497
• Static router port none 497
• Switch config end 497
• Switch config ipv6 mld snooping 497
• Switch config ipv6 mld snooping multi vlan config 5 replace sourceip fe80 02ff ffff fe00 0001 497
• Switch config show ipv6 mld snooping multi vlan 497
• Switch configure 497
• Switch copy running config startup config 497
• The following example shows how to configure vlan 5 as the multicast vlan and replace the source ip in the mld packets sent by the switch with fe80 02ff ffff fe00 0001 497
• Vlan id 5 497
• Configuring query interval max response time and general query source ip 498
• General query source ip fe80 2ff ffff fe00 1 498
• Maximum response time 10 498
• Query interval 60 498
• Switch config end 498
• Switch config ipv6 mld snooping 498
• Switch config ipv6 mld snooping querier vlan 4 498
• Switch config show ipv6 mld snooping querier 498
• Switch configure 498
• Switch copy running config startup config 498
• The following example shows how to enable mld snooping and mld querier in vlan 4 498
• The following example shows how to enable mld snooping and mld querier in vlan 4 set the query interval as 100 seconds the max response time as 20 seconds and the general query source ip as fe80 2ff ffff fe00 1 498
• Vlan 4 498
• Configuring multicast filtering 499
• Creating profile 499
• General query source ip fe80 2ff ffff fe00 1 499
• Maximum response time 20 499
• Query interval 100 499
• Switch config end 499
• Switch config ipv6 mld snooping 499
• Switch config ipv6 mld snooping querier vlan 4 general query source ip fe80 2ff ffff fe00 1 499
• Switch config ipv6 mld snooping querier vlan 4 max response time 20 499
• Switch config ipv6 mld snooping querier vlan 4 query interval 100 499
• Switch config show ipv6 mld snooping querier 499
• Switch copy running config startup config 499
• Vlan 4 499
• Binding profile to the port 500
• Mld profile 1 500
• Range ff01 1234 5 ff01 1234 8 500
• Switch config end 500
• Switch config ipv6 mld profile 1 500
• Switch config ipv6 mld snooping 500
• Switch config mld profile deny 500
• Switch config mld profile range ff01 1234 5 ff01 1234 8 500
• Switch config mld profile show ipv6 mld profile 500
• Switch configure 500
• Switch copy running config startup config 500
• The following example shows how to configure profile 1 so that the switch filters multicast data sent to ff01 1234 5 ff01 1234 8 500
• Using the gui 502
• Viewing ipv4 multicast snooping configurations 502
• Viewing multicast snooping configurations 502
• Ipv6 multicast table to view all valid multicast ip vlan port entries 503
• Using the cli 503
• Viewing ipv4 multicast snooping configurations 503
• Viewing ipv6 multicast snooping configurations 503
• Viewing ipv6 multicast snooping configurations 504
• Configuration examples 506
• Configuration scheme 506
• Example for configuring basic igmp snooping 506
• Network requirements 506
• Using the gui 507
• Vlan config to load the following page create vlan 10 and add untagged port 1 0 1 3 and tagged port 1 0 4 to vlan 10 508
• Using the cli 510
• Verify the configurations 511
• Configuration scheme 512
• Example for configuring multicast vlan 512
• Network requirements 512
• Network topology 512
• Demonstrated with t2600g 28ts this section provides configuration procedures in two ways using the gui and using the cli 513
• Internet 513
• Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields 513
• Using the gui 513
• Snooping config to load the following page enable igmp snooping on port 1 0 1 4 514
• Using the cli 516
• Verify the configurations 517
• Example for configuring unknown multicast and fast leave 518
• Network requirement 518
• Configuration scheme 519
• Using the gui 519
• Port config to load the following page enable igmp snooping on port 1 0 2 and port 1 0 4 and enable fast leave on port 1 0 2 520
• Vlan config to load the following page enable igmp snooping in vlan 10 521
• Using the cli 522
• Verify the configurations 522
• Configuration scheme 523
• Example for configuring multicast filtering 523
• Network requirements 523
• Network topology 523
• Demonstrated with t2600g 28ts this section provides configuration procedures in two ways using the gui and using the cli 524
• Internet 524
• Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields 524
• Using the gui 524
• Snooping config to load the following page 525
• Using the cli 531
• Verify the configurations 533
• Appendix default parameters 534
• Default parameters for igmp snooping 534
• Default parameters for mld snooping 535
• Chapters 537
• Configuring logical interfaces 537
• Part 18 537
• Interfaces of a device are used to exchange data and interact with interfaces of other network devices interfaces are classified into physical interfaces and logical interfaces 538
• Logical interfaces are manually configured and do not physically exist such as loopback interfaces and routing interfaces 538
• Overview 538
• Physical interfaces are the ports on the front panel or rear panel of the switch 538
• This chapter introduces the configurations for logical interfaces the supported types of logical interfaces are shown as below 538
• Creating a layer 3 interface 539
• Logical interfaces configurations 539
• Using the gui 539
• Configuring ipv4 parameters of the interface 540
• Figure 2 540
• In the interface list section you can view the corresponding interface entry you create 540
• In the modify interface section specify an interface id and configure relevant parameters for the interface according to your actual needs then click apply 540
• List section on the corresponding interface entry click edit to load the following page and configure the ipv4 parameters of the interface 540
• You can view the corresponding interface entry you create in the interface 540
• Configuring ipv6 parameters of the interface 541
• Figure 2 541
• In the secondary ip create section configure the secondary ip for the specified interface which allows you to have two logical subnets using one physical subnet then click create 541
• In the secondary ip list section you can view the corresponding secondary ip entry you create 541
• List section on the corresponding interface entry click edit ipv6 to load the following page and configure the ipv6 parameters of the interface 541
• You can view the corresponding interface entry you create in the interface 541
• Configure the ipv6 link local address of the interface manually or automatically in the link local address config section then click apply 542
• Enable ipv6 function on the interface of switch in the general config section then click apply 542
• Configure one or more ipv6 global addresses of the interface via following three ways 543
• Manually 543
• Via dhcpv6 server 543
• Via ra message 543
• View the global address entry in the global address table 543
• Creating a layer 3 interface 544
• Figure 2 544
• Follow these steps to create a layer 3 interface you can create a vlan interface a loopback interface a routed port or a port channel interface according to your needs 544
• List section on the corresponding interface entry click detail to load the following page and view the detail information of the interface 544
• Using the cli 544
• Viewing detail information of the interface 544
• You can view the corresponding interface entry you create in the interface 544
• Switch config if description vlan 2 545
• Switch config if end 545
• Switch config interface vlan 2 545
• Switch configure 545
• Switch copy running config startup config 545
• The following example shows how to create a vlan interface with a description of vlan 2 545
• Configuring ipv4 parameters of the interface 546
• Follow these steps to configure the ipv4 parameters of the interface 546
• Switch config if ip address 192 68 00 255 55 55 546
• Switch config if no switchport 546
• Switch config if show ip interface brief 546
• Switch config interface gigabitethernet 1 0 1 546
• Switch configure 546
• The following example shows how to configure the ipv4 parameters of a routed port including setting a static ip address for the port and enabling the layer 3 capabilities 546
• Configuring ipv6 parameters of the interface 547
• Follow these steps to configure the ipv6 parameters of the interface 547
• Interface ip address method status protocol shutdown gi1 0 1 192 68 00 24 static up up no 547
• Switch config if end 547
• Switch copy running config startup config 547
• Global address dhcpv6 enable 548
• Global address ra disable 548
• Global unicast address es ff02 1 ff13 237b 548
• Ipv6 is enable link local address fe80 20a ebff fe13 237bnor 548
• Joined group address es ff02 1 548
• Switch config if ipv6 address autoconfig 548
• Switch config if ipv6 address dhcp 548
• Switch config if ipv6 enable 548
• Switch config if show ipv6 interface 548
• Switch config interface vlan 2 548
• Switch configure 548
• The following example shows how to enable the ipv6 function and configure the ipv6 parameters of a vlan interface 548
• Vlan2 is up line protocol is up 548
• Appendix default parameters 550
• Default settings of interface are listed in the following tables 550
• Chapters 551
• Configuring static routing 551
• Part 19 551
• Overview 552
• In the ipv4 static route table section you can view and modify the ipv4 static routing entries 553
• In the ipv4 static routing config section configure the corresponding parameters to add an ipv4 static route then click create 553
• Ipv4 static routing config to load the following page 553
• Ipv4 static routing configuration 553
• Using the gui 553
• C 192 68 24 is directly connected vlan1 554
• Candidate default 554
• Codes c connected s static 554
• Follow these steps to create an ipv4 static route 554
• S 192 68 24 1 0 via 192 68 vlan1 554
• Switch config end 554
• Switch config ip route 192 68 255 55 55 192 68 554
• Switch config show ip route 554
• Switch configure 554
• Switch copy running config startup config 554
• The following example shows how to create an ipv4 static route with the destination ip address as 192 68 the subnet mask as 255 55 55 and the next hop address as 192 68 554
• Using the cli 554
• Ipv6 static routing configuration 555
• Using the gui 555
• C 3000 64 is directly connected vlan1 556
• Candidate default 556
• Codes c connected s static 556
• Follow these steps to enable ipv6 routing function and create an ipv6 static route 556
• S 3200 64 1 0 via 3100 1234 vlan2 556
• Switch config end 556
• Switch config ipv6 route 3200 64 3100 1234 556
• Switch config show ipv6 route static 556
• Switch configure 556
• Switch copy running config startup config 556
• The following example shows how to create an ipv6 static route with the destination ip address as 3200 64 and the next hop address as 3100 1234 556
• Using the cli 556
• Using the gui 557
• Viewing ipv4 routing table 557
• Viewing routing table 557
• Ipv6 routing table to load the following page 558
• On privileged exec mode or any other configuration mode you can use the following command to view ipv4 routing table 558
• Using the cli 558
• View the ipv6 routes in the ipv6 routing information summary section 558
• Viewing ipv4 routing table 558
• Viewing ipv6 routing table 558
• On privileged exec mode or any other configuration mode you can use the following command to view ipv6 routing table 559
• Viewing ipv6 routing table 559
• Configuration scheme 560
• Example for static routing 560
• Network requirements 560
• Using the gui 560
• Using the cli 561
• Verify the configurations 562
• Appendix default parameter 564
• Default setting of static routing is listed in the following table 564
• Chapters 565
• Configuring dhcp 565
• Part 20 565
• Dhcp client 566
• Dhcp server 566
• Overview 566
• Supported features 566
• Dhcp relay 567
• As the following figure shows no ip addresses are assigned to vlan 10 and vlan 20 but a default relay agent interface is configured with the ip address 192 68 24 the switch uses ip address of the default agent interface 192 68 24 to apply for ip addresses for clients in both vlan 10 and vlan 20 as a result the dhcp server will assign ip addresses on 192 68 24 the same subnet with the ip address of the default agent interface to clients in both vlan 10 and vlan 20 568
• Dhcp vlan relay 568
• Dhcp vlan relay allows clients in different vlans to obtain ip addresses from the dhcp server using a single agent interface ip address 568
• In dhcp interface relay to assign ip addresses to clients in different vlans you need to create a layer 3 interface for each vlan to ensure the reachability 568
• In dhcp vlan relay you can simply specify a layer 3 interface as default agent interface for all vlans the swith will fill this default agent interface s ip address in the relay agent ip address field of the dhcp packets from all vlans 568
• Dhcp l2 relay 569
• Unlike dhcp relay dhcp l2 relay is used in the situation that the dhcp server and client are in the same vlan in dhcp l2 relay in addition to normally assigning ip addresses to clients from the dhcp server the switch can record the location information of the dhcp client using option 82 the switch can add option 82 to the dhcp request packet and then transmit the packet to the dhcp server the dhcp server which supports option 82 can set the distribution policy of ip addresses and the other parameters providing a more flexible address distribution way 569
• Dhcp server configuration 570
• Enabling dhcp server 570
• Using the gui 570
• In the excluded ip address section enter the start ip address and end ip address to specify the range of reserved ip addresses click create 571
• In the ping time config section configure ping packets and ping timeout for ping tests click apply 571
• Configuring dhcp server pool 572
• Follow these steps to configure dhcp server pool 572
• In the dhcp server pool section configure the relevant parameters 572
• Pool setting to load the following page 572
• Click create 573
• Configuring manual binding 573
• Some hosts www server for example requires a static ip address to satisfy this requirement you can manually bind the mac address or client id of the host to an ip address and the dhcp server will reserve the bound ip address to this host at all times 573
• Click create 574
• Follow these steps to configure manual binding 574
• In the manual binding section select a pool name and enter the ip address to be bound select a binding mode and finish the configuration accordingly 574
• Manual binding to load the following page 574
• Enabling dhcp server 575
• Follow these steps to enable dhcp server and to configure ping packets and ping timeout 575
• Using the cli 575
• Dhcp server is enable 576
• Ping packet number 2 576
• Ping packet timeout 200 milliseconds 576
• Switch config end 576
• Switch config ip dhcp server ping packets 2 576
• Switch config ip dhcp server ping timeout 200 576
• Switch config service dhcp server 576
• Switch config show ip dhcp server status 576
• Switch configure 576
• Switch copy running config startup config 576
• The following example shows how to enable dhcp server globally on switch configure the number of ping packets as 2 and configure the ping timeout period as 200 ms 576
• Configuring dhcp server pool 577
• Switch config ip dhcp server pool pool1 579
• Switch configure 579
• Switch dhcp config bootfile bootfile 579
• Switch dhcp config default gateway 192 68 579
• Switch dhcp config dns server 192 68 579
• Switch dhcp config domain name com 579
• Switch dhcp config lease 180 579
• Switch dhcp config netbios name server 192 68 9 579
• Switch dhcp config netbios node type b node 579
• Switch dhcp config network 192 68 255 55 55 579
• Switch dhcp config next server 192 68 0 579
• The following example shows how to create a dhcp server pool and name it as pool1 and configure its network address as 192 68 subnet mask as 255 55 55 lease time as 180 minute default gateway as 192 68 dns server as 192 68 netbios server as 192 68 9 netbios type as broadcast tftp server as 192 68 0 domain name as com and bootfile name as bootfile 579
• Configuring manual binding 580
• Pool name client id hardware address ip address hardware type bind mode 581
• Pool1 74 d4 68 22 3f 34 192 68 3 ethernet mac address 581
• Switch config 581
• Switch config ip dhcp server pool pool1 581
• Switch copy running config startup config 581
• Switch dhcp config address 192 68 3 hardware address 74 d4 68 22 3f 34 hardware type ethernet 581
• Switch dhcp config end 581
• Switch dhcp config show ip dhcp server manual binding 581
• The following example shows how to bind the ip address 192 68 3 in pool1 on the subnet of 192 68 to the host with the mac address 74 d4 68 22 3f 34 581
• Click create 582
• Dhcp client configuration 582
• Follow these steps to configure dhcp client 582
• In the creating interface section select interface vlan or routed port as the interface type and enter the interface id select dhcp or bootp as the ip address mode set the admin status as enable and enter the interface name optional 582
• Interface config to load the following page 582
• Using the gui 582
• Follow these steps to configure dhcp client 583
• Switch configure 583
• The following example shows how to configure port 1 0 5 as an layer 3 interface and to configure its ip address mode as dhcp 583
• Using the cli 583
• Dhcp relay configuration 585
• Enabling dhcp relay globally and configuring option 82 585
• Using the gui 585
• Click apply 586
• Click apply 587
• Enabling dhcp relay for ports 587
• Follow these steps to enable dhcp relay for ports 587
• Port config to load the following page 587
• Select and configure your desired ports 587
• Specifying dhcp server for the interface or vlan 588
• Follow these steps to specify dhcp server for the specific vlan 589
• In the add dhcp server address section specify the vlan in which the clients needs ip addresses and the server address click add 589
• In the default relay agent interface section specify the type and id of the interface that needs to be configured as the default relay agent interface then click apply 589
• Dhcp relay is enabled 590
• Enabling dhcp relay globally 590
• Follow these steps to configure option 82 590
• Follow these steps to enable dhcp relay globally 590
• Optional configuring option 82 590
• Switch config end 590
• Switch config service dhcp relay 590
• Switch config show ip dhcp relay 590
• Switch configure 590
• Switch copy running config startup config 590
• The following example shows how to enable dhcp relay 590
• Using the cli 590
• Switch config ip dhcp relay information 591
• Switch config ip dhcp relay information policy keep 591
• Switch configure 591
• The following example shows how to enable option 82 and configure the process of option 82 information as keep 591
• After enabling dhcp relay globally you need to enable dhcp relay for the ports connected to dhcp clients 592
• Dhcp relay option 82 is enabled 592
• Enabling dhcp relay for ports 592
• Existed option 82 field operation keep 592
• Follow these steps to enable dhcp relay for ports 592
• Switch config end 592
• Switch config if ip dhcp relay enable 592
• Switch config interface gigabitethernet 1 0 2 592
• Switch config show ip dhcp relay 592
• Switch configure 592
• Switch copy running config startup config 592
• The following example shows how to enable dhcp relay for port 1 0 2 592
• Dhcp interface relay 593
• Follow these steps to dhcp interface relay 593
• Gi1 0 2 enable n a 593
• Interface state lag 593
• Specifying dhcp server for interface or vlan 593
• Switch config if end 593
• Switch config if show ip dhcp relay interface gigabitethernet 1 0 2 593
• Switch copy running config startup config 593
• You can specify dhcp server for an layer 3 interface or for a vlan the following respectively introduces how to configure dhcp interface relay and dhcp vlan relay 593
• Dhcp l2 relay configuration 597
• Enabling dhcp l2 relay 597
• Using the gui 597
• Configuring option 82 for ports 598
• Follow these steps to enable dhcp relay and configure option 82 598
• Option 82 config to load the following page 598
• Select one or more ports to configure option 82 598
• Click apply 599
• Enabling dhcp l2 relay 599
• Follow these steps to enable dhcp l2 relay 599
• Switch config ip dhcp l2relay 599
• Switch configure 599
• The following example shows how to enable dhcp l2 relay globally and for vlan 2 599
• Using the cli 599
• Configuring option 82 for ports 600
• Follow these steps to configure option 82 for ports 600
• Global status enable 600
• Switch config end 600
• Switch config ip dhcp l2relay vlan 2 600
• Switch config show ip dhcp l2relay 600
• Switch copy running config startup config 600
• Vlan id 2 600
• Gi1 0 7 enable replace normal vlan20 host1 n a 601
• Interface option 82 status operation strategy format circuit id remote id lag 601
• Switch config if end 601
• Switch config if ip dhcp l2relay information circuit id vlan20 601
• Switch config if ip dhcp l2relay information format normal 601
• Switch config if ip dhcp l2relay information option 601
• Switch config if ip dhcp l2relay information remote id host1 601
• Switch config if ip dhcp l2relay information strategy replace 601
• Switch config if show ip dhcp l2relay interface gigabitethernet 1 0 7 601
• Switch config interface gigabitethernet 1 0 7 601
• Switch configure 601
• Switch copy running config startup config 601
• The following example shows how to enable option 82 on port 1 0 7 and configure the strategy as replace the format as normal the circuit id as vlan20 and the remote id as host1 601
• Configuration examples 602
• Configuration scheme 602
• Example for dhcp server 602
• Network requirements 602
• Using the gui 602
• Using the cli 605
• Verify the configuration 605
• Configuration scheme 606
• Example for dhcp interface relay 606
• Network requirements 606
• Using the gui 607
• Using the cli 608
• Appendix default parameters 610
• Default settings of dhcp server are listed in the following table 610
• Default settings of dhcp relay are listed in the following table 611
• Default setting of dhcp client is listed in the following table 612
• Default settings of dhcp l2 relay are listed in the following table 612
• Arp address resolution protocol is used to map ip addresses to mac addresses taking an ip address as input arp learns the associated mac address and stores the ip mac address association in an arp entry for rapid retrieval 614
• Overview 614
• Arp configurations 615
• Using the gui 615
• Viewing the arp entries 615
• Adding static arp entries 616
• Adding static arp entries manually 616
• Configuring arp function 616
• Follow these steps to add arp entries 616
• Follow these steps to add static arp entries 616
• In the arp config section enter the ip address and mac address and click create 616
• Static arp to load the following page 616
• Using the cli 616
• You can add desired static arp entries by mannually specifying the ip addresses and mac addresses 616
• Configuring the aging time of dynamic arp entries 617
• Follow these steps to configure the aging time of dynamic arp entries 617
• Interface address hardware addr type 617
• Switch config arp 192 68 00 11 22 33 44 55 arpa 617
• Switch config end 617
• Switch config show arp 192 68 617
• Switch configure 617
• Switch copy running config startup config 617
• This example shows how to create a static arp entry with the ip as 192 68 and the mac as 00 11 22 33 44 55 617
• Vlan1 192 68 00 11 22 33 44 55 static 617
• Clearing dynamic entries 618
• On privileged exec mode or any other configuration mode you can use the following command to view arp entries 618
• Switch config if arp timeout 1000 618
• Switch config if end 618
• Switch config interface vlan 2 618
• Switch configure 618
• Switch copy running config startup config 618
• This example shows how to configure the aging time of dynamic arp entries as 1000 seconds for vlan interface 2 618
• Viewing arp entries 618
• Chapters 620
• Configuring qos 620
• Part 22 620
• Bandwidth control 621
• Diffserv 621
• Overview 621
• Supported features 621
• 802 p priority 622
• Configuration guidelines 622
• Diffserv configuration 622
• Dscp priority 622
• Port priority 622
• Click apply 623
• Configuring port priority 623
• Configuring the trust mode and port to 802 p mapping 623
• Follow these steps to configure the parameters of the port priority 623
• Port priority to load the following page 623
• Select the desired ports specify the 802 p priority and set the trust mode as untrust 623
• Using the gui 623
• Configuring 802 p priority 625
• Configuring dscp priority 628
• Click apply 630
• Configuring the dscp to 802 p mapping and the dscp remap 630
• Dscp priority to load the following page 630
• Follow these steps to configure the dscp priority 630
• Select the desired port configure the dscp to 802 p mapping and the dscp remap 630
• Configure the schedule mode to control the forwarding sequence of different tc queues when congestion occurs 631
• Configuring schedule mode 631
• Follow these steps to configure the schedule mode 631
• Schedule mode to load the following page 631
• Select a schedule mode 631
• Click apply 632
• Configuring port priority 632
• Configuring the trust mode and the port to 802 p mapping 632
• Follow these steps to configure the trust mode and the port to 802 p mapping 632
• Optional configure the weight value of the each tc queue if the schedule mode is wrr of sp wrr 632
• Using cli 632
• Configuring the 802 p to queue mapping 633
• Follow these steps to configure the 802 p to queue mapping 633
• Configuring 802 p priority 634
• Configuring the 802 p to queue mapping and 802 p remap 635
• Follow these steps to configure the 802 p to queue mapping and 802 p remap 635
• Configuring dscp priority 637
• Configuring the 802 p to queue mapping 637
• Configuring the trust mode 637
• Follow these steps to configure the 802 p to queue mapping 637
• Follow these steps to configure the trust mode 637
• Gi1 0 1 0 3 2 3 4 5 6 7 n a 637
• Switch config if end 637
• Switch copy running config startup config 637
• Configuring the dscp to 802 p mapping and dscp remap 638
• Follow these steps to configure the dscp to 802 p mapping and dscp remap 638
• Configuring schedule mode 641
• Bandwidth control configuration 644
• Configuring rate limit 644
• Using the gui 644
• Click apply 645
• Configuring storm control 645
• Follow these steps to configure the storm control function 645
• Select the port s and configure the upper rate limit for forwarding broadcast packets multicast packets and ul frames 645
• Storm control to load the following page 645
• Click apply 646
• Configure the upper rate limit for the port to receive and send packets 647
• Configuring rate limit on port 647
• Gi1 0 5 5120 1024 n a 647
• Port ingressrate kbps egressrate kbps lag 647
• Switch config if bandwidth ingress 5120 egress 1024 647
• Switch config if show bandwidth interface gigabitethernet 1 0 5 647
• Switch config interface gigabitethernet 1 0 5 647
• Switch configure 647
• The following example shows how to configure the ingress rate as 5120 kbps and egress rate as 1024 kbps for port 1 0 5 647
• Using the cli 647
• Configure the upper rate limit on the port for forwarding broadcast packets multicast packets and unknown unicast frames 648
• Configuring storm control 648
• Switch config if end 648
• Switch copy running config startup config 648
• Configuration examples 651
• Configuration scheme 651
• Example for configuring sp mode 651
• Network requirements 651
• Using the gui 652
• Using the cli 653
• Verify the configuration 654
• Both rd department and marketing department can access the local network server configure the switches to ensure the traffic from the two departments are forwarded based on the weight value ratio of 2 1 when congestion occurs 655
• Configuration scheme 655
• Configure switch a to add different vlan tags to the packets from the two departments respectively 655
• Configure switch b to classify the incoming packets from the two departments according to the vlan tags and to map them into different tc queues configure the schedule mode as wrr mode to implement the qos feature 655
• Example for configuring wrr mode 655
• Network requirements 655
• The network topology is shown as the following figure switch a is an access layer switch and switch b is a layer 3 switch with acl redirect feature rd department is connected to port 1 0 1 of switch a marketing department is connected to port 1 0 2 of switch a the server is connected to port 1 0 2 of switch b and port 1 0 3 of switch a is connected to port 1 0 1 of switch b 655
• Using the gui 656
• Using the cli 663
• Verify the configuration 666
• Appendix default parameters 668
• Diffserv 668
• Bandwidth control 669
• Chapters 670
• Configuring voice vlan 670
• Part 23 670
• Overview 671
• Because the voice vlan in automatic mode supports only tagged voice traffic you need to make sure traffic from the voice device is tagged to do so there are mainly two ways 673
• Before configuring voice vlan you need to create a vlan for voice traffic for details about vlan configuration please refer to configuring 802 q vlan 673
• Configuration guidelines 673
• Configure oui addresses 673
• Configure voice vlan globally 673
• Configure voice vlan mode on ports 673
• Configuring lld 673
• Create a vlan 673
• If your switch provides the lldp med feature you can also configure it to instruct the voice device to send tagged voice traffic for details about lldp med please refer to 673
• Only one vlan can be set as the voice vlan on the switch 673
• To apply the voice vlan configuration you may need to further configure pvid port vlan id and the link type of the port which is connected to voice devices we recommend that you choose the mode according to your needs and configure the port as the following table shows 673
• To complete the voice vlan configuration follow these steps 673
• Vlan 1 is a default vlan and cannot be configured as the voice vlan 673
• Voice vlan configuration 673
• You can configure the voice device to forward traffic with a voice vlan tag 673
• Click create to add an oui address to the table 674
• Configuring oui addresses 674
• Enter an oui address and the corresponding mask and give a description about the oui address 674
• Follow these steps to add oui addresses 674
• If the oui address of your voice device is not in the oui table you need to add the oui address to the table 674
• Oui config to load the following page 674
• Using the gui 674
• Click apply 675
• Configuring voice vlan globally 675
• Enable the voice vlan feature and enter a vlan id 675
• Follow these steps to configure the voice vlan globally 675
• Global config to load the following page 675
• Set the aging time for the voice vlan 675
• Specify a priority for the voice vlan 675
• Configuring voice vlan mode on ports 676
• Follow these steps to configure voice vlan mode on ports 676
• Port config to load the following page 676
• Select your desired ports and choose the port mode 676
• Set the security mode for selected ports 676
• Click apply 677
• Follow these steps to configure the voice vlan 677
• Using the cli 677
• Avoid attacks from malicious data flows 680
• Configuration example 680
• Configuration scheme 680
• Ip phones share switch ports used by computers because no more ports are available for ip phones 680
• Network requirements 680
• Network topology 680
• Transmit voice traffic in an exclusive path with high quality 680
• Demonstrated with t2600g 28ts this chapter provides configuration procedures in two ways using the gui and using the cli 681
• In the meeting room computers and ip phones are connected to different ports of switch b ports connected to ip phones use the voice vlan for voice traffic and ports connected to computers use the default vlan for data traffic 681
• Internet 681
• Voice traffics from switch a and switch b are forwarded to voice gateway and internet through switch c 681
• Using the gui 682
• Vlan config and edit vlan 10 to load the following page add port 1 0 2 to the voice vlan 684
• Using the cli 692
• Verify the configurations 695
• Appendix default parameters 697
• Default settings of voice vlan are listed in the following tables 697
• Chapters 698
• Configuring poe 698
• Part 24 698
• Overview 699
• Poe power management 699
• Supported features 699
• Time range function 699
• Configuring the poe parameters manually 700
• Poe power management configurations 700
• Using the gui 700
• In the port config section select the port you want to configure and specify the parameters click apply 701
• Click apply 702
• Configuring the poe parameters using the profile 702
• Creating a poe profile 702
• Follow these steps to create a poe profile 702
• In the create poe profile section specify the desired configurations of the profile 702
• Poe profile to load the following page 702
• Binding the profile to the corresponding ports 703
• Follow these steps to bind the profile to the corresponding ports 703
• In the global config section specify the system power limit and click apply 703
• In the port config section select a profile and bind it to the corresponding ports click apply 703
• Configuring the poe parameters manually 704
• Follow these steps to configure the basic poe parameters 704
• Using the cli 704
• Gi1 0 5 enable middle class3 no limit none 705
• Interface poe status poe prio power limit w time range poe profile 705
• Switch config if power inline consumption class3 705
• Switch config if power inline priority middle 705
• Switch config if power inline supply enable 705
• Switch config if show power inline 705
• Switch config if show power inline configuration interface gigabitethernet 1 0 5 705
• Switch config interface gigabitethernet 1 0 5 705
• Switch config power inline consumption 160 705
• Switch configure 705
• System power consumption 0 w 705
• System power limit 160 w 705
• System power remain 160 w 705
• The following example shows how to set the system power limit as 160w set the priority as middle and set the power limit as class3 in the port 1 0 5 705
• Configuring the poe parameters using the profile 706
• Follow these steps to configure the poe profile 706
• Gi1 0 5 1 26 53 class 2 on 706
• Interface power w current ma voltage v pd class power status 706
• Switch config end 706
• Switch config if show power inline information interface gigabitethernet 1 0 5 706
• Switch copy running config startup config 706
• Creating a time range 708
• Time range function configurations 708
• Using the gui 708
• Click apply 709
• In the add absolute or periodic section specify the parameters and click add 709
• When the absolute mode is selected the following section will be shown 709
• When the periodic mode is selected the following section will be shown 709
• Configuring the holiday parameters 710
• Viewing the time range table 710
• Configuring a time range 711
• Follow these steps to create a time range 711
• Using the cli 711
• 01 00 to 23 00 on 5 712
• 09 08 2016 00 00 to 09 10 2016 24 00 712
• Holiday include 712
• Number of absolute time 1 712
• Number of periodic time 1 712
• Switch config power time range time range1 712
• Switch config show power time range time range1 712
• Switch config time range absolute from 09 08 2016 00 00 to 09 10 2016 24 00 712
• Switch config time range exit 712
• Switch config time range holiday include 712
• Switch config time range periodic start 01 00 end 23 00 day of the week 5 712
• Switch configure 712
• The following example shows how to create a time range named time range1 select include to make the settings take affected on holiday set absolute mode from 2016 09 08 00 00 to 2016 09 10 24 00 set the periodic mode from 01 00 to 23 00 in friday bind the time range to the port 1 0 7 712
• Time range entry time range1 active 712
• Configuring the holiday parameters 713
• Follow these steps to configure the holiday parameters 713
• Holiday1 08 6 08 0 713
• Index holiday name start end 713
• Switch config end 713
• Switch config if end 713
• Switch config if power inline time range time range1 713
• Switch config interface gigabitethernet 1 0 7 713
• Switch config power holiday holiday1 start date 08 16 end date 08 20 713
• Switch config show power holiday 713
• Switch configure 713
• Switch copy running config startup config 713
• The following example shows how to create a holiday named holiday1 set the starting date as 08 16 set the ending date as 08 20 713
• 01 01 2000 00 00 to 12 31 2099 24 00 by default 714
• 08 30 to 18 00 on 1 2 3 4 5 714
• Holiday include 714
• Number of absolute time 0 714
• Number of periodic time 1 714
• On privileged exec mode or any other configuration mode you can use the following command to view the time range table 714
• Switch copy running config startup config 714
• Switch end 714
• Switch show power time range 714
• The following example shows how to view the time range table 714
• Time range entry office time active 714
• Viewing the time range table 714
• Configuring scheme 715
• Example for poe configurations 715
• Network requirements 715
• Using the gui 715
• Using the cli 717
• Verify the configuration 718
• Appendix default parameters 719
• Chapters 720
• Configuring acl 720
• Part 25 720
• Introduction 721
• Overview 721
• Supported features 721
• Acl configuration 722
• Configuration guidelines 722
• Click apply to make the settings effective 723
• Configuring time range 723
• Create time rang 723
• Create time slic 723
• Follow these steps to create the time range 723
• Some acl based services or features may need to be limited to take effect only during a specified time period in this case you can configure time range for the acl 723
• Time range create to load the following page 723
• Using the gui 723
• Creating an acl 724
• Optional configuring holiday 724
• Add rules to the acl for details refer to mac acl rule standard ip acl rule extend ip acl rule combined acl rule ipv6 acl rule and packet content acl rule 726
• Configuring acl rules 726
• Configuring the mac acl rule 726
• Define the rule s packet matching criteria 726
• Follow these steps to create the mac acl 726
• Mac acl to load the following page 726
• Select an mac acl id from the drop down list enter a rule id then specify the operation for the matched packets 726
• Click apply to make the settings effective 727
• Configuring the standard ip acl rule 727
• Define the rule s packet matching criteria 727
• Follow these steps to create the standard ip acl 727
• Optional select a time range from the drop down list 727
• Select a standard ip acl id from the drop down list enter a rule id then specify the operation for the matched packets 727
• Standard i 727
• Standard ip acl to load the following page 727
• Configuring the extend ip acl rule 728
• Define the rule s packet matching criteria 728
• Extend ip acl to load the following page 728
• Follow these steps to create the extend ip acl 728
• Select an extend ip acl id from the drop down list enter a rule id then specify the operation for the matched packets 728
• Optional select a time range from the drop down list 729
• Combined acl to load the following page 730
• Configuring the combined acl rule 730
• Define the rule s packet matching criteria 730
• Follow these steps to create the combined acl 730
• Select a combined acl id from the drop down list enter a rule id then specify the operation for the matched packets 730
• Configuring the ipv6 acl rule 731
• Follow these steps to create the ipv6 acl 731
• Ipv6 acl to load the following page 731
• Optional select a time range from the drop down list 731
• Select an ipv6 acl id from the drop down list enter a rule id then specify the operation for the rule 731
• Define the rule s packet matching criteria 732
• Optional select a time range from the drop down list 732
• Configuring the packet content acl rule 733
• Create packet conten 733
• Follow these steps to create the packet content acl 733
• Packet content acl to load the following page 733
• Packet content offset profil 733
• Rule id specify the operation for the rule and define the rule s packet matching criteria 733
• Section 733
• Section enter the offset of a chunk all the 4 chunks must be set at the same time 733
• Select a packet content acl from the drop down list enter a 733
• Acl summary to load the following page 734
• Configure the action of the policy 734
• Configuring policy 734
• Create a policy 734
• In the acl rule table you can view all the acls and their rules 734
• Optional select a time range from the drop down list 734
• Policy allows you to further process the matched packets through operations such as mirroring rate limiting redirecting or changing priority 734
• The rules in an acl are listed in ascending order of configuration time regardless of their rule ids by default a rule configured earlier is listed before a rule configured later 734
• The switch matches a received packet with the rules in order when a packet matches a rule the device stops the match process and performs the action defined in the rule 734
• To configure the policy follow these steps 734
• View the rule table 734
• You can also delete an acl or an acl rule or change the matching order if needed 734
• Creating a policy 735
• Enter a policy name then click apply 735
• Follow these steps to create a policy 735
• Policy create to load the following page 735
• Action create to load the following page 736
• Apply an acl to the policy and specify the action to be taken for the matched packets 736
• Configure the actions to be taken for the matched packets 736
• Configuring the action of the policy 736
• Follow these steps to configure the action of the policy 736
• Select your preferred policy and acl 736
• An acl or policy takes effect only after it is bound to a port or vlan 737
• Click apply to make the settings effective 737
• Configuring the acl binding and policy binding 737
• You can select acl binding or policy binding according to your needs 737
• Configuring the acl binding 738
• Binding the acl to a vlan 739
• Follow these steps to bind the acl to a vlan 739
• Select the acl and enter the vlan id and click apply 739
• Vlan binding to load the following page 739
• Configuring the policy binding 740
• Verifying the binding configuration 741
• Binding table to load the following page 742
• Configuring time range 742
• Some services or features that use acl need to be limited to a specified time period in this case you can configure time range for the acl 742
• Using the cli 742
• Configuring acl 744
• Switch config mac access list 50 745
• Switch config mac acl exit 745
• Switch config mac acl rule 5 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff 745
• Switch config show access list 50 745
• Switch configure 745
• The following example shows how to create mac acl 50 and configure rule 5 to permit packets with source mac address 00 34 a2 d4 34 b5 745
• Mac access list 50 746
• Rule 5 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff 746
• Standard ip acl 746
• Switch config end 746
• Switch configure 746
• Switch copy running config startup config 746
• The following example shows how to create standard ip acl 600 and configure rule 1 to permit packets with source ip address 192 68 00 746
• Switch config access list create 1700 748
• Switch config access list extended 1700 rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23 748
• Switch config show access list 1700 748
• Switch configure 748
• The following example shows how to create extend ip acl 1700 and configure rule 7 to deny telnet packets with source ip192 68 00 748
• Combined acl 749
• Extended ip access list 1700 749
• Rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23 749
• Switch config end 749
• Switch copy running config startup config 749
• Switch config access list create 3600 751
• Switch config access list ipv6 3600 rule 1 deny sip cdcd 910a 2222 5498 8475 1111 3900 2020 sip mask ffff ffff ffff ffff 751
• Switch config show access list 3600 751
• Switch configure 751
• The following example shows how to create ipv6 acl 3600 and configure rule 1 to deny packets with source ipv6 address cdcd 910a 2222 5498 8475 1111 3900 2020 751
• Ff ffff ffff 752
• Ipv6 access list 3600 752
• Packet content acl 752
• Rule 1 deny sip cdcd 910a 2222 5498 8475 1111 3900 2020 sip mask ffff ff 752
• Switch config end 752
• Switch copy running config startup config 752
• Configuring policy 753
• Access list 600 redirect port gi1 0 4 754
• Create policy rd apply acl 600 to policy rd and redirect the matched packets to port 1 0 4 754
• Policy name rd 754
• Switch config access list policy action rd 600 754
• Switch config access list policy name rd 754
• Switch config action exit 754
• Switch config action redirect interface gigabitethernet 1 0 4 754
• Switch config show access list policy rd 754
• Switch configure 754
• Acl binding and policy binding 755
• Policy binding 755
• Switch config end 755
• Switch config if access list bind 1 755
• Switch config if exit 755
• Switch config interface gigabitethernet 1 0 2 755
• Switch configure 755
• Switch copy running config startup config 755
• The following example shows how to bind policy 1 to port 2 and policy 2 to vlan 2 755
• You can bind the policy to a port or a vlan then the received packets will be matched and operated based on the policy 755
• You can select acl binding or policy binding according to your needs an acl rule and policy takes effect only after they are bound to a port or vlan 755
• 2 ingress vlan 756
• Acl binding 756
• Gi1 0 2 ingress port 756
• Index acl id interface vid direction type 756
• Index policy name interface vid direction type 756
• Switch config end 756
• Switch config if access list bind 2 756
• Switch config if exit 756
• Switch config interface vlan 2 756
• Switch config show access list bind 756
• Switch copy running config startup config 756
• You can bind the acl to a port or a vlan the received packets will then be matched and processed according to the acl rules 756
• A company s internal server group can provide different types of services it is required that 758
• As is shown below computers in the marketing department are connected to the switch via port 1 0 1 and the internal server group is connected to the switch via port 1 0 2 758
• Configuration example for acl 758
• Configuration scheme 758
• Network requirements 758
• Network topology 758
• The marketing department can only access internal server group in the intranet 758
• The marketing department can only visit http and https websites on the internet 758
• To meet the requirements above you can set up packet filtering by creating an extend ip acl and configuring rules for it 758
• Using the gui 759
• Extend ip acl to load the the following page configure rule 2 and rule 3 to permit packets with source ip 10 0 0 and destination port tcp 80 http service port and udp 443 https service port 760
• Extend ip acl to load the following page configure rule 4 and rule 5 to permit packets with source ip 10 0 0 and with destination port tcp 53 or udp 53 dns service port 761
• Using the cli 764
• Verify the configurations 765
• Appendix default parameters 766
• For extend ip acl 766
• For ipv6 acl 766
• For mac acl 766
• For standard ip acl 766
• For combined acl 767
• For packet content acl 767
• Chapters 768
• Configuring network security 768
• Part 26 768
• Dhcp snooping 769
• Ip mac binding 769
• Ipv6 mac binding 769
• Network security 769
• Overview 769
• Supported features 769
• Arp inspection 770
• Dhcpv6 snooping 770
• Nd detection 771
• Dos defend 772
• Ip source guard 772
• Pppoe id insertion 773
• Dhcp server filter 775
• Netbios filtering 775
• Binding entries manually 776
• Ip mac binding configurations 776
• Using the gui 776
• Arp scanning 777
• Binding entries dynamically 777
• Click bind 777
• Select protect type for the entry 777
• Select the port that is connected to this host 777
• The binding entries can be dynamically learned from arp scanning and dhcp snooping 777
• With arp scanning the switch sends the arp request packets of the specified ip field to the hosts upon receiving the arp reply packet the switch can get the ip address mac address vlan id and the connected port number of the host you can bind these entries conveniently 777
• Arp scanning to load the following page 778
• Follow these steps to configure ip mac binding via arp scanning 778
• In the scanning option section specify an ip address range and a vlan id then click scan to scan the entries in the specified ip address range and vlan 778
• In the scanning result section select one or more entries and configure the relevant parameters then click apply 778
• Binding table to load the following page 779
• Dhcp snooping 779
• For instructions on how to configure dhcp snooping refer to dhcp snooping configurations 779
• In the search section specify the search criteria to search your desired entries 779
• Viewing the binding entries 779
• With dhcp snooping enabled the switch can monitor the ip address obtaining process of the host and record the ip address mac address vlan id and the connected port number of the host 779
• With the binding table you can view and search the specified binding entries 779
• Binding entries via arp scanning is not supported by the cli binding entries via dhcp snooping is introduced in dhcp snooping configurations the following sections introduce how to bind entries manually and view the binding entries 780
• In the binding table section you can view the searched entries additionally you can configure the host name and protect type for one or more entries and click apply 780
• Using the cli 780
• Binding entries manually 781
• Follow these steps to manually bind entries 781
• Switch config ip source binding host1 192 68 5 aa bb cc dd ee ff vlan 10 interface gigabitethernet 1 0 5 arp detection 781
• Switch configure 781
• The following example shows how to bind an entry with the hostname host1 ip address 192 68 5 mac address aa bb cc dd ee ff vlan id 10 port number 1 0 5 and enable this entry for the arp detection feature 781
• You can manually bind the ip address mac address vlan id and the port number together on the condition that you have got the related information of the hosts 781
• Additionally you can search the specified entries in the binding table 782
• Dynamical binding including nd snooping and dhcpv6 snooping 782
• Host1 192 68 5 aa bb cc dd ee ff 10 gi1 0 5 arp d 782
• Ipv6 mac binding configurations 782
• Manual binding 782
• On privileged exec mode or any other configuration mode you can use the following command to view binding entries 782
• Switch config end 782
• Switch config show ip source binding 782
• Switch copy running config startup config 782
• U no host ip addr mac addr vid port acl col 782
• Viewing binding entries 782
• You can complete ipv6 mac binding in two ways 782
• Binding entries manually 783
• Enter the following information to specify a host 783
• In the manual binding option section follow these steps to configure ipv6 mac binding 783
• Manual binding to load the following page 783
• Select protect type for the entry 783
• Using the gui 783
• You can manually bind the ipv6 address mac address vlan id and the port number together on the condition that you have got the related information of the hosts on the network 783
• Binding entries dynamically 784
• Click bind 784
• Nd snooping 784
• Select the port that is connected to this host 784
• The binding entries can be dynamically learned from nd snooping and dhcpv6 snooping 784
• With nd snooping the switch monitors the nd packets and records the ipv6 addresses mac addresses vlan ids and the connected port numbers of the ipv6 hosts you can bind these entries conveniently 784
• Binding table to load the following page 786
• Configuratio 786
• Dhcpv6 snooping 786
• For instructions on how to configure dhcpv6 snooping refer to 786
• In the port configure section select one or more ports and configure the maximum number of entries that can be learned on this port via nd snooping then click apply 786
• In the search section specify the search criteria to search your desired entries 786
• Viewing the binding entries 786
• With dhcpv6 snooping enabled the switch can monitor the ipv6 address obtaining process of the host and record the ipv6 address mac address vlan id and the connected port number of the host 786
• With the binding table you can view and search the specified binding entries 786
• In the binding table section you can view the search results additionally you can configure the host name and protect type for one or more entries and click apply 787
• Binding entries manually 788
• Binding entries via dhcpv6 snooping is introduced in 788
• Dhcpv6 snooping configuratio 788
• Follow these steps to manually bind entries 788
• The following example shows how to bind an entry with the hostname host1 ipv6 address 2001 0 9d38 90d5 34 mac address aa bb cc dd ee ff vlan id 10 port number 1 0 5 and enable this entry for nd detection 788
• The following sections introduce how to bind entries manually and via nd snooping and how to view the binding entries 788
• Using the cli 788
• You can manually bind the ipv6 address mac address vlan id and the port number together on the condition that you have got the related information of the hosts 788
• Binding entries via nd snooping 789
• Follow these steps to bind entries via nd snooping 789
• Host1 2001 0 9d38 90d5 34 aa bb cc dd ee ff 10 gi1 0 5 nd d nd d manual 789
• Switch config end 789
• Switch config ipv6 source binding host1 2001 0 9d38 90d5 34 aa bb cc dd ee ff vlan 10 interface gigabitethernet 1 0 5 nd detection 789
• Switch config show ipv6 source binding 789
• Switch configure 789
• Switch copy running config startup config 789
• U no host ip addr mac addr vid port acl active source col 789
• Viewing binding entries 790
• Dhcp snooping configuration 791
• Enabling dhcp snooping on vlan 791
• Using the gui 791
• Click apply 792
• Configure the illegal dhcp server trap feature 792
• Enable dhcp snooping on a vlan or range of vlans 792
• Follow these steps to enable dhcp snooping 792
• Globally enable dhcp snooping 792
• Configuring dhcp snooping on ports 793
• Follow these steps to configure dhcp snooping on the specified port 793
• Port config to load the following page 793
• Select one or more ports and configure the parameters 793
• Click apply 794
• Enabling dhcp snooping on vlan 794
• Follow these steps to globally configure dhcp snooping 794
• Switch config ip dhcp snooping 794
• Switch config ip dhcp snooping vlan 5 794
• Switch configure 794
• The following example shows how to enable dhcp snooping globally and on vlan 5 794
• Using the cli 794
• Configuring dhcp snooping on ports 795
• Follow these steps to configure dhcp snooping on the specified ports 795
• Global status enable 795
• Switch config if end 795
• Switch config show ip dhcp snooping 795
• Switch copy running config startup config 795
• Vlan id 5 795
• Dhcpv6 snooping configuration 796
• Gi1 0 1 enable enable 10 20 n a 796
• Interface trusted mac verify limit rate dec rate lag 796
• Switch config if end 796
• Switch config if ip dhcp snooping decline rate 20 796
• Switch config if ip dhcp snooping limit rate 10 796
• Switch config if ip dhcp snooping mac verify 796
• Switch config if ip dhcp snooping trust 796
• Switch config if show ip dhcp snooping interface gigabitethernet 1 0 1 796
• Switch config interface gigabitethernet 1 0 1 796
• Switch configure 796
• Switch copy running config startup config 796
• The following example shows how to configure port 1 0 1 as a trusted port enable the mac verify feature and set the limit rate as 10 pps and decline rate as 20 pps on this port 796
• Tips the switch can dynamically bind the entries via dhcpv6 snooping after dhcpv6 snooping is configured by default the binding entries are applied to both ip source guard and nd detection 796
• Click apply 797
• Dhcpv6 snooping to load the following page 797
• Follow these steps to configure dhcpv6 snooping 797
• In the dhcpv6 snooping section enable dhcpv6 snooping globally and specify one or more vlan ids to enable dhcpv6 snooping on the vlan s 797
• In the trusted port section select 797
• Using the cli 797
• Using the gui 797
• Global status enable 798
• Switch config if ipv6 dhcp snooping trust 798
• Switch config if show ipv6 dhcp snooping 798
• Switch config interface gigabitethernet 1 0 1 798
• Switch config ipv6 dhcp snooping 798
• Switch config ipv6 dhcp snooping vlan 5 798
• Switch configure 798
• The following example shows how to enable dhcp snooping globally and on vlan 5 and configure port 1 0 1 as a trusted port 798
• Vlan id 5 798
• Arp inspection configurations 799
• Configuring arp detection 799
• Using the gui 799
• Configuring arp defend 800
• Arp defend to load the following page 801
• Click apply 801
• Follow these steps to configure arp defend 801
• Select one or more ports and configure the parameters 801
• Viewing arp statistics 802
• Arp detection global status enabled 803
• Configuring arp detection 803
• Follow these steps to configure arp detection 803
• Switch config if ip arp inspection trust 803
• Switch config if show ip arp inspection 803
• Switch config interface gigabitethernet 1 0 1 803
• Switch config ip arp inspection 803
• Switch configure 803
• The arp detection feature allows the switch to detect the arp packets basing on the binding entries in the ip mac binding table and filter the illegal arp packets before configuring arp detection complete ip mac binding configuration for details refer to ip mac binding configurations 803
• The following example shows how to globally enable arp detection and configure port 1 0 1 as a trusted port 803
• Using the cli 803
• Configuring arp defend 804
• Follow these steps to configure arp defend 804
• Gi1 0 1 yes 804
• Gi1 0 2 no 804
• Port trusted 804
• Switch config if end 804
• Switch copy running config startup config 804
• With arp defend enabled the switch can terminate receiving the arp packets for 300 seconds when the transmission speed of the legal arp packet on the port exceeds the defined value so as to avoid arp attack flood 804
• Nd detection configuration 806
• Using the gui 806
• Viewing arp statistics 806
• Click apply 807
• Follow these steps to configure nd detection 807
• In the trusted port section select one or more ports to be configured as the trusted port s on which the nd packets will not be checked the specific ports such as up link ports and routing ports are suggested to be set as trusted 807
• Ipv6 mac binding configurations 807
• The nd detection feature allows the switch to detect the nd packets based on the binding entries in the ipv6 mac binding table and filter out the illegal nd packets before configuring nd detection complete ipv6 mac binding configuration for details refer to 807
• Using the cli 807
• Vlan ids to enable dhcpv6 snooping on the vlan s 807
• Ip source guard configuration 808
• Using the gui 808
• Click apply 809
• Follow these steps to configure ip source guard 809
• Ip source guard to load the following page 809
• Select one or more ports and configure ip source guard on the port s 809
• Follow these steps to configure ip source guard 810
• Ipv6 mac binding configurations 810
• Switch configure 810
• The following example shows how to enable ip source guard on port 1 0 1 for ipv6 packets 810
• The ip source guard feature allows the switch to filter the packets that do not match the rules of ip mac binding table or ipv6 mac binding table before configuring ip source guard complete ip mac binding or ipv6 mac binding configurations for details refer to ip mac binding configurations an 810
• Using the cli 810
• Dos defend configuration 811
• Using the gui 811
• Click apply 812
• Follow these steps to configure dos defend 812
• Using the cli 812
• Switch configure 813
• The following example shows how to enable the dos defend type named land 813
• Configuring the radius server 814
• Using the gui 814
• X configuration 814
• Adding the radius server 815
• Click apply 815
• Follow these steps to create a protocol template 815
• In the global config section enable aaa function on the switch and click apply 815
• In the server config section configure the parameters of radius server 815
• Radius config to load the following page 815
• Configuring 802 x globally 818
• Follow these steps to configure 802 x global parameters 818
• Global config to load the following page 818
• In the global config section enable 802 x globally and click apply 818
• In the authentication config section enable quiet configure the quiet timer and click apply 819
• Configure 802 x authentication on the desired port and click apply 820
• Configuring 802 x on ports 820
• Port config to load the following page 820
• Configuring the radius server 821
• Follow these steps to configure radius 821
• Using the cli 821
• The following example shows how to enable aaa add a radius server to the server group named radius1 and apply this server group to the 802 x authentication the ip address of 822
• Configuring 802 x globally 823
• Authentication method pap 825
• Guest vlan id n a 825
• Guest vlan state disabled 825
• Handshake state enabled 825
• Quiet period state disable 825
• Quiet period timer 10 sec 825
• Switch config dot1x auth method pap 825
• Switch config dot1x system auth control 825
• Switch config show dot1x global 825
• Switch configure 825
• The following example shows how to enable 802 x authentication configure pap as the authentication method and keep other parameters as default 825
• X accounting state disabled 825
• X state enabled 825
• X vlan assignment state disabled 825
• Configuring 802 x on ports 826
• Follow these steps to configure the port 826
• Max retry times for radius packet 3 826
• Supplicant timeout 3 sec 826
• Switch config end 826
• Switch copy running config startup config 826
• Gi1 0 2 enabled disabled disabled auto port based unauthorized n a 827
• Port state mab state guestvlan portcontrol portmethod authorized lag 827
• Switch config if dot1x 827
• Switch config if dot1x port control auto 827
• Switch config if dot1x port method port based 827
• Switch config if end 827
• Switch config if show dot1x interface gigabitethernet 1 0 2 827
• Switch config interface gigabitethernet 1 0 2 827
• Switch configure 827
• Switch copy running config startup config 827
• The following example shows how to enable 802 x authentication on port 1 0 2 configure the control type as port based and configure the control mode as auto 827
• Pppoe id insertion configuration 828
• Using the gui 828
• Follow these steps to configure pppoe id insertion 829
• Using the cli 829
• Pppoe id insertion state enabled 830
• Switch config if interface gigabitethernet 1 0 1 830
• Switch config if pppoe circuit id 830
• Switch config if pppoe circuit id type udf only 123 830
• Switch config if pppoe remote id host1 830
• Switch config if show pppoe id insertion global 830
• Switch config pppoe id insertion 830
• Switch configure 830
• The following example shows how to enable pppoe id insertion globally and on port 1 0 1 and configure the circuit id as 123 without other information and remote id as host1 830
• Aaa configuration 831
• Configuration guidelines 831
• Adding servers 832
• Globally enabling aaa 832
• Using the gui 832
• Adding radius server 833
• Click add to add the radius server on the switch 833
• Follow these steps to add a radius server 833
• In the server config section configure the following parameters 833
• Radius conifg to load the following page 833
• Adding tacacs server 834
• Click add to add the tacacs server on the switch 834
• Configuring server groups 834
• Follow these steps to add a tacacs server 834
• In the server config section configure the following parameters 834
• Tacacs conifg to load the following page 834
• The switch has two built in server groups one for radius servers and the other for tacacs servers the servers running the same protocol are automatically added to the default server group you can add new server groups as needed 834
• Configuring the method list 836
• Click add to add the new method 837
• Click apply 837
• Configuring the aaa application list 837
• Follow these steps to configure the aaa application list 837
• Global config to load the following page 837
• In the aaa application list section select an access application and configure the login list and enable list 837
• In the add method list section configure the parameters for the method to be added 837
• Configuring login account and enable password 838
• Aaa global status enable 839
• Adding radius server 839
• Adding servers 839
• Follow these steps to add radius server on the switch 839
• Follow these steps to globally enable aaa 839
• Globally enabling aaa 839
• Switch config aaa enable 839
• Switch config end 839
• Switch config show aaa global 839
• Switch configure 839
• Switch copy running config startup config 839
• The following example shows how to globally enable aaa 839
• Using the cli 839
• You can add one or more radius tacacs servers on the switch for authentication if multiple servers are added the server with the highest priority authenticates the users trying to access the switch and the others act as backup servers in case the first one breaks down 839
• Server ip auth port acct port timeout retransmit nas identifier shared key 840
• Switch config radius server host 192 68 0 auth port 1812 timeout 8 retransmit 3 key 123456 840
• Switch config show radius server 840
• Switch configure 840
• The following example shows how to add a radius server on the switch set the ip address of the server as 192 68 0 the authentication port as 1812 the shared key as 123456 the timeout as 8 seconds and the retransmit number as 3 840
• 68 0 1812 1813 5 2 000aeb132397 123456 841
• Adding tacacs server 841
• Follow these steps to add tacacs server on the switch 841
• Switch config end 841
• Switch config show tacacs server 841
• Switch config tacacs server host 192 68 0 auth port 49 timeout 8 key 123456 841
• Switch configure 841
• Switch copy running config startup config 841
• The following example shows how to add a tacacs server on the switch set the ip address of the server as 192 68 0 the authentication port as 49 the shared key as 123456 and the timeout as 8 seconds 841
• 68 0 49 8 123456 842
• Configuring server groups 842
• Server ip port timeout shared key 842
• Switch aaa group server 192 68 0 842
• Switch config aaa group radius radius1 842
• Switch config end 842
• Switch configure 842
• Switch copy running config startup config 842
• The following example shows how to create a radius server group named radius1 and add the existing two radius servers whose ip address is 192 68 0 and 192 68 0 to the group 842
• The switch has two built in server groups one for radius and the other for tacacs the servers running the same protocol are automatically added to the default server group you can add new server groups as needed 842
• The two default server groups cannot be deleted or edited follow these steps to add a server group 842
• A method list describes the authentication methods and their sequence to authenticate the users the switch supports login method list for users of all types to gain access to the switch and enable method list for guests to get administrative privileges 843
• Configuring the method list 843
• Follow these steps to configure the method list 843
• Switch aaa group end 843
• Switch aaa group server 192 68 0 843
• Switch aaa group show aaa group radius1 843
• Switch copy running config startup config 843
• Configuring the aaa application list 844
• Console login1 enable1 845
• Http default default 845
• Module login list enable list 845
• Ssh default default 845
• Switch config line console 0 845
• Switch config line enable authentication enable1 845
• Switch config line end 845
• Switch config line login authentication login1 845
• Switch config line show aaa global 845
• Switch configure 845
• Switch copy running config startup config 845
• Telnet default default 845
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application console 845
• Console default default 846
• Follow these steps to apply the login and enable method lists for the application telnet 846
• Module login list enable list 846
• Ssh default default 846
• Switch config line enable authentication enable1 846
• Switch config line login authentication login1 846
• Switch config line show aaa global 846
• Switch config line telnet 846
• Switch configure 846
• Telnet 846
• Telnet login1 enable1 846
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application telnet 846
• Follow these steps to apply the login and enable method lists for the application ssh 847
• Http default default 847
• Module login list enable list 847
• Switch config line enable authentication enable1 847
• Switch config line end 847
• Switch config line login authentication login1 847
• Switch config line show aaa global 847
• Switch config line ssh 847
• Switch configure 847
• Switch copy running config startup config 847
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application ssh 847
• Console default default 848
• Follow these steps to apply the login and enable method lists for the application http 848
• Http default default 848
• Module login list enable list 848
• Ssh login1 enable1 848
• Switch config ip http enable authentication enable1 848
• Switch config ip http login authentication login1 848
• Switch config line end 848
• Switch config show aaa global 848
• Switch configure 848
• Switch copy running config startup config 848
• Telnet default default 848
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application http 848
• Configuring login account and enable password 849
• Console default default 849
• Http login1 enable1 849
• On the switch 849
• Ssh default default 849
• Switch config end 849
• Switch copy running config startup config 849
• Telnet default default 849
• The local username and password for login can be configured in the user management feature for details refer to managing system 849
• The login account and enable password can be configured locally on the switch or centrally on the radius tacacs server s 849
• To configure the local enable password for getting administrative privileges follow these steps 849
• Dhcp server filter configuration 851
• Enabling dhcp server filter 851
• Using the gui 851
• Configuring the dhcp server permit entry 852
• Dhcp server permit entry to load the following page 852
• Follow these steps to configure the dhcp server permit entry 852
• Follow these steps to enable dhcp server filter 852
• In the global config section enable dhcp server filter enable dhcp server filter trap if needed click apply 852
• In the manual binding option section bind server ip address client mac address and port manually 852
• In the port config section enable dhcp server filter for the desired ports click apply 852
• Click bind 853
• Enabling dhcp server filter globally 853
• Follow these steps to enable dhcp relay globally 853
• Global status enable 853
• Switch config end 853
• Switch config ip dhcp filter 853
• Switch config show ip dhcp filter 853
• Switch configure 853
• Switch copy running config startup config 853
• The following example shows how to enable dhcp relay 853
• Using the cli 853
• Enabling dhcp server filter for ports 854
• Follow these steps to enable dhcp server filter for ports 854
• Gi1 0 2 enable n a 854
• Interface state lag 854
• Switch config end 854
• Switch config if ip dhcp filter 854
• Switch config if show ip dhcp filter interface gigabitethernet 1 0 2 854
• Switch config interface gigabitethernet 1 0 2 854
• Switch configure 854
• Switch copy running config startup config 854
• The following example shows how to enable dhcp server filter for port 1 0 2 854
• 68 0 aa aa aa aa aa aa gi1 0 2 855
• Configuring the dhcp server permit entry 855
• Follow these steps to configure dhcp server permit entry 855
• Server ip client mac interface 855
• Switch config end 855
• Switch config ip dhcp filter server permit entry server ip 192 68 0 client mac aa aa aa aa aa aa interface gigabitethernet 1 0 2 855
• Switch config show ip dhcp filter server permit entry 855
• Switch configure 855
• Switch copy running config startup config 855
• The following example shows how to configure the dhcp server permit entry by binding dhcp server ip 192 68 0 mac address aa aa aa aa aa aa and port 1 0 2 manually 855
• Follow these steps to configure netbios filtering 856
• Netbios filtering configuration 856
• Select the ports and enable netbios filtering over tcp ip for ports 856
• Using the gui 856
• Click apply 857
• Follow these steps to configure netbios filtering 857
• Gi1 0 2 enable n a 857
• Interface netbios filtering over tcp ip lag 857
• Switch config end 857
• Switch config if netbios filter 857
• Switch config if show netbios filter interface gigabitethernet 1 0 2 857
• Switch config interface gigabitethernet 1 0 2 857
• Switch configure 857
• Switch copy running config startup config 857
• The following example shows how to enable netbios filtering on port 1 0 2 857
• Using the cli 857
• Configuration examples 858
• Configuration scheme 858
• Example for dhcp snooping and arp detection 858
• Network requirements 858
• Using the gui 859
• Using the cli 862
• Example for dhcpv6 snooping and nd detection 864
• Network requirements 864
• Configuration scheme 865
• Configure dhcpv6 snooping on switch a set port 1 0 4 that is connected to the illegal dhcpv6 server as the trusted port and other ports as untrusted ports so that the illegal dhcpv6 server on any other port cannot assign ipv6 addresses for the clients 865
• Configure ipv6 mac binding on switch a the binding entries for user 1 and user 2 will be automatically learned via dhcpv6 snooping and you need to manually bind the entry for user 3 865
• Demonstrated with t2600g 28ts the following sections provide configuration procedure in two ways using the gui and using the cli 865
• Enable nd detection on switch a to prevent nd attacks 865
• Global config to load the following page because all users are in the default vlan 1 enable dhcpv6 snooping on vlan 1 set port 1 0 4 as a trusted port click apply after that the ipv6 mac binding entries of the dhcpv6 clients will be automatically learned via dhcpv6 snooping 865
• To meet these requirements you can configure dhcpv6 snooping to filter the untrusted dhcpv6 packets from the illegal dhcpv6 server and configure nd detection to prevent the network from nd attacks the overview of configuration is as follows 865
• Using the gui 865
• Using the cli 867
• Verify the configuration 868
• Configuration scheme 869
• Example for ip source guard 869
• Network requirements 869
• Using the gui 870
• Using the cli 871
• Configuration scheme 872
• Example for 802 x 872
• Network requirements 872
• Verify the configuration 872
• Network topology 873
• Using the gui 873
• Using the cli 876
• Verify the configurations 877
• Example for aaa 878
• Network requirements 878
• Configuration scheme 879
• Using the gui 879
• Using the cli 882
• Verify the configuration 883
• Appendix default parameters 885
• Default settings of network security are listed in the following tables 885
• Chapters 896
• Configuring lldp 896
• Part 27 896
• Overview 897
• Supported features 897
• Global config 898
• Lldp configurations 898
• Using the gui 898
• Follow these steps to enable lldp and configure the lldp feature globally 899
• In the global config section enable lldp you can also enable the switch to forward lldp messages when lldp function is disabled click apply 899
• In the parameters config section configure the lldp parameters click apply 899
• Follow these steps to configure the lldp feature for the interface 900
• Policy config to load the following page 900
• Port config 900
• Select the desired port and set its admin status and notification mode 900
• Select the tlvs type length value included in the lldp packets according to your needs 900
• Enable the lldp feature on the switch and configure the lldp parameters 901
• Global config 901
• Optional configure the port s management address for identifying the devices 901
• Using the cli 901
• Lldp status enabled 902
• Switch config lldp 902
• Switch config lldp hold multiplier 4 902
• Switch config lldp timer tx interval 30 tx delay 2 reinit delay 3 notify interval 5 fast count 3 902
• Switch config show lldp 902
• Switch configure 902
• The following example shows how to configure the following parameters lldp timer 4 tx interval 30 seconds tx delay 2 seconds reinit delay 3 seconds notify iinterval 5 seconds fast count 3 902
• Fast packet count 3 903
• Initialization delay 2 seconds 903
• Lldp forward message disabled 903
• Lldp med fast start repeat count 4 903
• Port config 903
• Select the desired port and set its admin status notification mode and the tlvs included in the lldp packets 903
• Switch config end 903
• Switch copy running config startup config 903
• Trap notification interval 5 seconds 903
• Ttl multiplier 4 903
• Tx delay 2 seconds 903
• Tx interval 30 seconds 903
• Global config 906
• Lldp med configurations 906
• Using the gui 906
• Port config 907
• Global config 909
• Lldp status enabled 909
• Switch config lldp 909
• Switch config lldp med fast count 4 909
• Switch config show lldp 909
• Switch configure 909
• The following example shows how to configure lldp med fast count as 4 909
• Tx interval 30 seconds 909
• Using the cli 909
• Fast packet count 3 910
• Initialization delay 2 seconds 910
• Lldp med fast start repeat count 4 910
• Port config 910
• Select the desired port enable lldp med and select the tlvs type length value included in the outgoing lldp packets according to your needs 910
• Switch config end 910
• Switch copy running config startup config 910
• Trap notification interval 5 seconds 910
• Ttl multiplier 4 910
• Tx delay 2 seconds 910
• Using gui 913
• Viewing lldp device info 913
• Viewing lldp settings 913
• Follow these steps to view the local information 914
• In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 914
• In the local info section select the desired port and view its associated local device information 914
• Viewing lldp statistics 916
• Using cli 917
• Viewing lldp statistics 917
• Viewing the local info 917
• Viewing the neighbor info 917
• Using gui 918
• Viewing lldp med settings 918
• Follow these steps to view lldp med neighgbor information 919
• In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 919
• In the lldp med neighbor info section select the desired port and view the lldp med settings 919
• Viewing the neighbor info 919
• Using cli 920
• Viewing lldp statistics 920
• Viewing the local info 920
• Viewing the neighbor info 920
• Configuration example 921
• Configuration scheme 921
• Example for configuring lldp 921
• Network requirements 921
• Network topology 921
• Using the gui 921
• Using cli 922
• Verify the configurations 923
• Configuration scheme 928
• Example for configuring lldp med 928
• Network requirements 928
• Network topology 928
• Using the gui 929
• Using the cli 933
• Verify the configurations 934
• Appendix default parameters 940
• Default lldp med settings 940
• Default lldp settings 940
• Default settings of lldp are listed in the following tables 940
• Chapters 941
• Configuring maintenance 941
• Part 28 941
• Device diagnose 942
• Maintenance 942
• Network diagnose 942
• Overview 942
• Supported features 942
• System monitor 942
• Monitoring the cpu 943
• Monitoring the system 943
• Using the gui 943
• Monitoring the memory 944
• Monitoring the cpu 945
• Monitoring the memory 945
• Using the cli 945
• Configuring the sflow collector 946
• Sflow configuration 946
• Using the gui 946
• Configuring the sflow sampler 947
• In the collector config section select a collector to configure relevant parameters and click apply 947
• Sflow sampler to load the following page 947
• Click apply 948
• Follow these steps to configure the sflow 948
• Follow these steps to configure the sflow sampler 948
• In the sampler config section set one or more ports to be a sampler and configure relevant parameters one port can be bound to only one collector 948
• Using the cli 948
• Switch config if sflow sampler collector id 1 949
• Switch config interface gigabitethernet 1 0 1 949
• Switch config sflow address 192 68 949
• Switch config sflow collector collector id 1 ip 192 68 00 949
• Switch config sflow collector collector id 1 port 6343 949
• Switch config sflow enable 949
• Switch configure 949
• The following example shows how to configure the switch whose ip address is 192 68 to send sflow packets to the host whose ip address is 192 68 00 set the sflow agent ip address as 192 68 the sflow collector ip address 1 as 192 68 00 configure gigabit ethernet port 1 as the sflow sampler the collector id as 1 and the ingress rate as 1024 949
• Backing up log files 951
• Configuration guidelines 951
• Configuring the local log 951
• Configuring the remote log 951
• Logs are classified into the following eight levels messages of levels 0 to 4 mean the functionality of the switch is affected please take actions according to the log message 951
• System log configurations 951
• System log configurations include 951
• Viewing the log table 951
• Click apply 952
• Configuring the local log 952
• Follow these steps to configure the local log 952
• Local log to load the following page 952
• Select your desired channel and configure the corresponding severity and status 952
• Using the gui 952
• Backing up the log file 953
• Configuring the remote log 953
• Configuring the local log 954
• Follow these steps to configure the local log 954
• Log table to load the following page 954
• Select a module and a severity to view the corresponding log information 954
• Using the cli 954
• Viewing the log table 954
• Switch config logging buffer 955
• Switch config logging buffer level 5 955
• Switch config logging file flash 955
• Switch config logging file flash frequency periodic 10 955
• Switch config logging file flash level 2 955
• Switch config show logging local config 955
• Switch configure 955
• The following example shows how to configure the local log on the switch save logs of levels 0 to 5 to the log buffer and synchronize logs of levels 0 to 2 to the flash every 10 hours 955
• Buffer 5 enable immediately 956
• Channel level status sync periodic 956
• Configuring the remote log 956
• Flash 2 enable 10 hour s 956
• Follow these steps to set the remote log 956
• Monitor 5 enable immediately 956
• Remote log enables the switch to send system logs to a host to display the logs the host should run a log server that complies with the syslog standard 956
• Switch config end 956
• Switch config logging host index 2 192 68 48 5 956
• Switch configure 956
• Switch copy running config startup config 956
• The following example shows how to set the remote log on the switch enable log host 2 set its ip address as 192 68 48 and allow logs of levels 0 to 5 to be sent to the host 956
• Cable test to load the following page 958
• Diagnosing the device 958
• In the port section select your desired port for the test 958
• In the result section click apply and check the test results 958
• Using the gui 958
• Gi1 0 2 pair a normal 2 10m 959
• On privileged exec mode or any other configuration mode you can use the following command to check the connection status of the cable that is connected to the switch 959
• Pair b normal 2 10m 959
• Pair c normal 0 10m 959
• Pair d normal 2 10m 959
• Port pair status length error 959
• Switch show cable diagnostics interface gigabitehternet 1 0 2 959
• The following example shows how to check the cable diagnostics of port 1 0 2 959
• Using the cli 959
• Configuring the ping test 960
• Diagnosing the network 960
• Using the gui 960
• Configuring the tracert test 961
• Follow these steps to test connectivity between the switch and routers along the path from the source to the destination 961
• In the ping result section check the test results 961
• In the tracert config section enter the ip address of the destination set the max hop and then click tracert to start the test 961
• In the tracert result section check the test results 961
• Tracert to load the following page 961
• Approximate round trip times in milli seconds 962
• Configuring the ping test 962
• Minimum 0ms maximum 0ms average 0ms 962
• On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and one node of the network 962
• Packets sent 3 received 3 lost 0 0 loss 962
• Ping statistics for 192 68 0 962
• Pinging 192 68 0 with 1000 bytes of data 962
• Reply from 192 68 0 bytes 1000 time 16ms ttl 64 962
• Switch ping ip 192 68 0 n 3 l 1000 i 500 962
• The following example shows how to test the connectivity between the switch and the destination device with the ip address 192 68 0 specify the ping times as 3 the data size as 1000 bytes and the interval as 500 milliseconds 962
• Using the cli 962
• Configuring the tracert test 963
• Ms 1 ms 2 ms 192 68 963
• Ms 2 ms 2 ms 192 68 00 963
• On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination 963
• Switch tracert 192 68 00 2 963
• The following example shows how to test the connectivity between the switch and the network device with the ip address 192 68 00 set the maxhops as 2 963
• Trace complete 963
• Tracing route to 192 68 00 over a maximum of 2 hops 963
• Dldp configuration 964
• Using the gui 964
• In the port config section select one or more ports enable dldp and click apply then you can view the relevant dldp information in the table 965
• Follow these steps to configure dldp 966
• Using the cli 966
• Configuration examples 968
• Configuration scheme 968
• Example for configuring sflow 968
• Network requirements 968
• Using the gui 968
• Using the cli 969
• Verify the configurations 970
• Configuration scheme 971
• Example for configuring remote log 971
• Network requirements 971
• Using the cli 971
• Using the gui 971
• Verify the configurations 972
• Appendix default parameters 973
• Default settings of maintenance are listed in the following tables 973
• Chapters 975
• Configuring snmp rmon 975
• Part 29 975
• Snmp overview 976
• Snmp simple network management protocol is a standard network management protocol widely used on tcp ip networks it facilitates device management using nms network management system software with snmp network managers can view or modify network device information and troubleshoot according to notifications sent by those devices in a timely manner 976
• The device supports three snmp versions snmpv1 snmpv2c and snmpv3 table 1 1 lists features supported by different snmp versions and table 1 2 shows corresponding application scenarios 976
• Snmp configurations 977
• Creating an snmp view 978
• Enabling snmp 978
• Using the gui 978
• Create an snmp group and configure related parameters 979
• Creating an snmp group 979
• Set the view name and one mib variable that is related to the view choose the view type and click create to add the view entry 979
• Follow these steps to create an snmp group 980
• Set the group name and security model if you choose snmpv3 as the security model you need to further configure security level 980
• Set the read write and notify view of the snmp group click create 980
• Snmp group to load the following page 980
• Creating snmp users 981
• Follow these steps to create an snmp user 981
• Snmp user to load the following page 981
• Specify the user name user type and the group which the user belongs to set the security model according to the related parameters of the specified group if you choose snmpv3 you need to configure the security level 981
• Click create 982
• Creating snmp communities 982
• If you have chosen authnopriv or authpriv as the security level you need to set corresponding auth mode or privacy mode if not skip the step 982
• If you want to use snmpv1 or snmpv2c as the security model you can create snmp communities directly 982
• Enabling snmp 983
• Set the community name access rights and the related view click create 983
• Snmp community to load the following page 983
• Using the cli 983
• Bad snmp version errors 984
• Encoding errors 984
• Get request pdus 984
• Illegal operation for community name supplied 984
• Number of altered variables 984
• Number of requested variables 984
• Snmp agent is enabled 984
• Snmp packets input 984
• Switch config show snmp server 984
• Switch config snmp server 984
• Switch config snmp server engineid remote 123456789a 984
• Switch configure 984
• The following example shows how to enable snmp and set 123456789a as the remote engine id 984
• Unknown community name 984
• Bad value errors 985
• Creating an snmp view 985
• General errors 985
• Get next pdus 985
• Local engine id 80002e5703000aeb132397 985
• No such name errors 985
• Remote engine id 123456789a 985
• Response pdus 985
• Set request pdus 985
• Snmp packets output 985
• Specify the oid object identifier of the view to determine objects to be managed 985
• Switch config end 985
• Switch config show snmp server engineid 985
• Switch copy running config startup config 985
• Too big errors maximum packet size 1500 985
• Trap pdus 985
• Creating an snmp group 986
• No name sec mode sec lev read view write view notify view 1 nms monitor v3 authpriv view view 987
• Switch config end 987
• Switch config show snmp server group 987
• Switch config snmp server group nms monitor smode v3 slev authpriv read view notify view 987
• Switch configure 987
• Switch copy running config startup config 987
• The following example shows how to create an snmpv3 group name the group as nms monitor enable auth mode and privacy mode and set the view as read view and notify view 987
• Configure users of the snmp group users belong to the group and use the same security level and access rights as the group 988
• Creating snmp users 988
• The following example shows how to create an snmp user on the switch name the user as admin and set the user as a remote user snmpv3 as the security mode authpriv as the 988
• Admin remote nms monitor v3 authpriv sha des 989
• Creating snmp communities 989
• For snmpv1 and snmpv2c the community name is used for authentication functioning as the password 989
• No u name u type g name s mode s lev a mode p mode 989
• Security level sha as the authentication algorithm 1234 as the authentication password des as the privacy algorithm and 1234 as the privacy password 989
• Switch config end 989
• Switch config show snmp server user 989
• Switch config snmp server user admin remote nms monitor smode v3 slev authpriv cmode sha cpwd 1234 emode des epwd 1234 989
• Switch configure 989
• Switch copy running config startup config 989
• The following example shows how to set an snmp community name the community as the nms monitor and allow the nms to view and modify parameters of view 989
• Configuration guidelines 991
• Notification configurations 991
• Using the gui 991
• Choose a notification type based on the snmp version if you choose the inform type you need to set retry times and timeout interval 992
• Click create 992
• Specify the user name or community name used by the nms and configure the security model and security level based on the settings of the user or community 992
• Configure parameters of the nms host and packet handling mechanism 993
• Configuring the host 993
• Using the cli 993
• 68 22 162 admin v3 authpriv inform 3 100 994
• Enabling snmp notification 994
• Enabling the snmp standard trap 994
• No des ip udp name secmode seclev type retry timeout 994
• Switch config end 994
• Switch config show snmp server host 994
• Switch config snmp server host 172 68 22 162 admin smode v3 slev authpriv type inform retries 3 timeout 100 994
• Switch configure 994
• Switch copy running config startup config 994
• The following example shows how to set the nms host ip address as 172 68 22 udp port as port 162 name used by the nms as admin security model as snmpv3 security level as authpriv notification type as inform retry times as 3 and the timeout interval as 100 seconds 994
• Optional enabling the snmp extended trap 995
• Switch config end 995
• Switch config snmp server traps snmp linkup 995
• Switch configure 995
• Switch copy running config startup config 995
• The following example shows how to configure the switch to send linkup traps 995
• Switch config end 996
• Switch config snmp server traps bandwidth control 996
• Switch configure 996
• Switch copy running config startup config 996
• The following example shows how to configure the switch to enable bandwidth control traps 996
• Optional enabling the ddm trap 997
• Switch config end 997
• Switch config snmp server traps ddm create 997
• Switch configure 997
• Switch copy running config startup config 997
• The following example shows how to configure the switch to enable ddm created trap 997
• Optional enabling the illegal dhcp server trap 998
• Optional enabling the link status trap 998
• Switch config end 998
• Switch config snmp server traps ddm 998
• Switch config snmp server traps security dhcp snoop 998
• Switch configure 998
• Switch copy running config startup config 998
• The following example shows how to configure the switch to enable all the snmp ddm trap 998
• The following example shows how to configure the switch to enable illegal dhcp server trap 998
• Switch config if end 999
• Switch config if snmp server traps link status 999
• Switch config interface gigabitethernet 1 0 1 999
• Switch configure 999
• Switch copy running config startup config 999
• The following example shows how to configure the switch to enable link status trap 999
• Rmon overview 1000
• Configuring statistics 1001
• Rmon configurations 1001
• Using the gui 1001
• Configuring history 1002
• Follow these steps to configure history 1002
• History to load the following page 1002
• Select a history entry and specify a port to be monitored 1002
• Set the sample interval and the maximum buckets of history entries 1002
• Specify the entry id the port to be monitored and the owner name of the entry set the entry as valid or undercreation and click create 1002
• Choose an event entry and set the snmp user of the entry 1003
• Configuring event 1003
• Enter the owner name and set the status of the entry click apply 1003
• Event to load the following page 1003
• Follow these steps to configure event 1003
• Set the description and type of the event 1003
• Alarm to load the following page 1004
• Before you begin please complete configurations of statistics entries and event entries because the alarm entries must be associated with statistics and event entries 1004
• Configuring alarm 1004
• Enter the owner name and set the status of the entry click apply 1004
• Follow these steps to configure alarm 1004
• Select an alarm entry choose a variable to be monitored and associate the entry with a statistics entry 1004
• Set the sample type the rising and falling threshold the corresponding event action and the alarm type of the entry 1005
• Configuring statistics 1006
• Enter the owner name and set the status of the entry click apply 1006
• Using the cli 1006
• Configuring history 1007
• Gi1 0 1 monitor valid 1007
• Gi1 0 2 monitor valid 1007
• Index port owner state 1007
• Switch config end 1007
• Switch config rmon statistics 1 interface gigabitethernet 1 0 1 owner monitor status valid 1007
• Switch config rmon statistics 2 interface gigabitethernet 1 0 2 owner monitor status valid 1007
• Switch config show rmon statistics 1007
• Switch configure 1007
• Switch copy running config startup config 1007
• The following example shows how to create two statistics entries on the switch to monitor port 1 0 1 and 1 0 2 respectively the owner of the entry is monitor and the entry is valid 1007
• Configuring event 1008
• Gi1 0 1 100 50 monitor enable 1008
• Index port interval buckets owner state 1008
• Switch config end 1008
• Switch config rmon history 1 interface gigabitethernet 1 0 1 interval 100 owner monitor buckets 50 1008
• Switch config show rmon history 1008
• Switch configure 1008
• Switch copy running config startup config 1008
• The following example shows how to create a history entry on the switch to monitor port 1 0 1 set the sample interval as 100 seconds max buckets as 50 and the owner as monitor 1008
• Admin rising notify notify monitor enable 1009
• Index user description type owner state 1009
• Switch config end 1009
• Switch config rmon event 1 user admin description rising notify type notify owner monitor 1009
• Switch config show rmon event 1009
• Switch configure 1009
• Switch copy running config startup config 1009
• The following example shows how to create an event entry on the switch set the user name as admin the event type as notify set the switch to initiate notifications to the nms and the owner as monitor 1009
• Configuring alarm 1010
• Configuration example 1012
• Configuration scheme 1012
• Network requirements 1012
• Network topology 1013
• Using the gui 1013
• Using the cli 1018
• Verify the configurations 1020
• Appendix default parameters 1024
• Default settings of snmp are listed in the following table 1024
• Default settings of notification are listed in the following table 1025