![Tp-Link T1700G-28TQ V2 — aCL Configuration Guide: Securing Network Access Control [563/772]](/img/pdf.png)
Tp-Link T1700G-28TQ V2 — aCL Configuration Guide: Securing Network Access Control [563/772]
Превью страниц
Страница 563 /
772
![Tp-Link T1700G-28TQ V2 [563/772] As is shown below computers in the marketing department are connected to the switch via port 1 0 1 and the internal server group is connected to the switch via port 1 0 2](/views2/1472751/page563/bg233.png)
Configuration Guide 538
Configuring ACL Configuration Example for ACL
3
Configuration Example for ACL
3.1 Network Requirements
A company’s internal server group can provide different types of services. It is required
that:
the Marketing department can only access internal server group from intranet.
the Marketing department can only visit http and https websites on the internet.
3.2 Network Topology
As is shown below, computers in the Marketing department are connected to the switch
via port 1/0/1 , and the internal server group is connected to the switch via port 1/0/2.
Figure 3-1 Network Topology
Internet
Gi1/0/1
Marketing
IP: 10.10.70.0/24
Server Group
IP: 10.10.80.0/24
Gi1/0/2
3.3 Configuration Scheme
To meet the requirements above, you can set up packet filtering by creating an Extend-IP
ACL and configuring rules for it.
Содержание
3073- Configuration guide
- Fcc statement
- Ce mark warning
- Bsmi notice
- Industry canada statement
- Safety information
- Explanation of the symbols on the product label
- Web interface access
- System info configurations 24
- System 22
- Overview
- More information
- Managing system
- Intended readers
- Conventions
- Contents
- Command line interface access 11
- Accessing the switch
- About this guide
- Access security configurations 54
- User management configurations 37
- System tools configurations 45
- Stack configuration 79
- Sdm template configuration 69
- Physical interface 00
- Overview 76
- Managing physical interfaces
- Configuring stack
- Configuration example 89
- Appendix default parameters 98
- Appendix default parameters 72
- Lag 31
- Configuring lag
- Configuration examples 20
- Basic parameters configurations 01
- Appendix default parameters 28
- Port security configuration 09
- Port mirror configuration 05
- Port isolation configurations 13
- Loopback detection configuration 16
- Traffic monitor 47
- Monitoring traffic
- Managing mac address table
- Mac address table 54
- Lag configuration 32
- Configuration example 41
- Appendix default parameters 52
- Appendix default parameters 45
- Address configurations 56
- Configuration example 83
- Appendix default parameters 88
- Appendix default parameters 74
- Security configurations 65
- Q vlan configuration 77
- Overview 90
- Overview 76
- Mac vlan configuration 91
- Example for security configurations 71
- Configuring mac vlan
- Configuring 802 q vlan
- Protocol vlan configuration 07
- Overview 06
- Configuring spanning tree
- Configuring protocol vlan
- Configuration example 96
- Configuration example 13
- Appendix default parameters 23
- Appendix default parameters 04
- Spanning tree 25
- Stp security configurations 63
- Stp rstp configurations 33
- Mstp configurations 43
- Configuration example for mstp 69
- Appendix default parameters 88
- Layer 2 multicast 91
- Igmp snooping configurations 93
- Configuring layer 2 multicast
- Configuring mld snooping 27
- Viewing multicast snooping configurations 58
- Configuration examples 62
- Configuring static routing
- Configuring logical interfaces
- Appendix default parameters 90
- Appendix default parameters 10
- Viewing routing table 18
- Overview 98
- Overview 12
- Logical interfaces configurations 99
- Ipv6 static routing configuration 15
- Ipv4 static routing configuration 13
- Overview 39
- Overview 27
- Example for static routing 21
- Dhcp relay configuration 28
- Configuring dhcp relay
- Configuring arp
- Configuration example 34
- Arp configurations 40
- Appendix default parameters 37
- Appendix default parameter 25
- Voice vlan configuration 87
- Qos 46
- Overview 85
- Diffserv configuration 47
- Configuring voice vlan
- Configuring qos
- Configuration examples 65
- Bandwidth control configuration 59
- Appendix default parameters 82
- Configuring network security
- Configuring acl
- Configuration example for acl 38
- Configuration example 94
- Appendix default parameters 46
- Appendix default parameters 08
- Acl configuration 11
- Overview 10
- Network security 48
- X configuration 78
- Ip mac binding configurations 52
- Dos defend configuration 74
- Dhcp snooping configuration 59
- Arp inspection configurations 67
- Configuration examples 09
- Appendix default parameters 28
- Aaa configuration 92
- Viewing lldp med settings 53
- Lldp med configurations 41
- Lldp configurations 34
- Lldp 33
- Configuring lldp
- Configuration example 56
- Viewing lldp settings 48
- System log configurations 81
- Monitoring the system 78
- Maintenance 77
- Diagnosing the network 90
- Diagnosing the device 88
- Configuring maintenance
- Configuration example for remote log 94
- Appendix default parameters 75
- Snmp configurations 99
- Rmon overview 20
- Rmon configurations 21
- Notification configurations 13
- Configuring snmp rmon
- Configuration example 32
- Appendix default parameters 96
- Snmp overview 98
- Appendix default parameters 44
- Intended readers
- Conventions
- About this guide
- More information
- Part 1
- Chapters
- Accessing the switch
- Overview
- Web interface access
- Save config function
- You can shut down the http server or https server to block any access to the web interface
- Http config disable the http server and click apply
- Disable the web server
- Configure the switch s ip address and default gateway
- Click save config to save the settings
- Check the routing table to verify the default gateway you configured the entry marked in red box displays the valid default gateway
- Console login only for switch with console port
- Command line interface access
- Enter enable to enter the user exec mode to further configure the switch
- Telnet login
- Ssh login
- Password authentication mode
- Key authentication mode
- After the keys are successfully generated click save public key to save the public key to a tftp server click save private key to save the private key to the host pc
- You can shut down the telnet function to block any telnet access to the cli interface
- Using the gui
- Telnet config disable the telnet function and click apply
- Disable telnet login
- After negotiation is completed enter the username to log in if you can log in without entering the password the key authentication completed successfully
- Copy running config startup config
- Disable ssh login
- Change the switch s ip address and default gateway
- Part 2
- Managing system
- Chapters
- User management
- System tools
- System info
- System
- Supported features
- Overview
- Access security
- Sdm template
- Viewing the system summary
- Using the gui
- System info configurations
- Move the cursor to the port to view the detailed information of the port
- Specifying the device description
- Device description to load the following page
- Click a port to view the bandwidth utilization on this port
- System time to load the following page
- Setting the system time
- In the time info section view the current time information of the switch
- In the time config section follow these steps to configure the system time
- In the device description section specify the following information
- Click apply
- Choose one method to set the system time and specify the information
- In the dst config section select enable to enable the daylight saving time function
- Follow these steps to configure daylight saving time
- Daylight saving time to load the following page
- Click apply
- Choose one method to set the daylight saving time of the switch and specify the information
- Setting the daylight saving time
- Viewing the system summary
- Using the cli
- On privileged exec mode or any other configuration mode you can use the following command to view the system information of the switch
- Click apply
- The following example shows how to set the device name as switch_a set the location as beijing and set the contact information as http www tp link com
- System name switch_a
- System location beijing
- System description jetstream 24 port gigabit stackable smart switch with 4 10ge sfp slots
- Switch configure
- Switch config show system info
- Switch config location beijing
- Switch config hostname switch_a
- Switch config contact info http www tp link com
- Specifying the device description
- Follow these steps to specify the device description
- Switch copy running config startup config
- Switch config end
- Setting the system time
- Follow these steps and choose one method to set the system time
- Contact information http www tp link com
- The following example shows how to set the system time by get time from ntp server and set the time zone as utc 08 00 set the ntp server as 133 00 set the backup ntp server as 139 8 00 63 and set the update rate as 11
- Switch copy running config startup config
- Switch configure
- Switch config system time ntp utc 08 00 133 00 139 8 00 63 11
- Switch config show system time ntp
- Switch config end
- Setting the daylight saving time
- Prefered ntp server 133 00
- Last successful ntp server 133 00
- Follow these steps and choose one method to set the daylight saving time
- Backup ntp server 139 8 00 63
- Update rate 11 hour s
- Time zone utc 08 00
- The following example shows how to set the daylight saving time by date mode set the start time as 01 00 august 1st 2016 set the end time as 01 00 september 1st 2016 and set the offset as 50
- Switch copy running config startup config
- Switch configure
- Switch config system time dst date aug 1 01 00 2016 sep 1 01 00 2016 50
- Switch config show system time dst
- Switch config end
- Dst starts at 01 00 00 on aug 1 2016
- Dst offset is 50 minutes
- Dst ends at 01 00 00 on sep 1 2016
- Dst configuration is one off
- Using the gui
- User management configurations
- Creating admin accounts
- Click create
- You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin
- User config to load the following page
- In the user info section select the access level from the drop down list and specify the user name and password
- Follow these steps to create an account of other types
- Creating an account
- Creating accounts of other types
- Using the cli
- Follow these steps to create an admin account
- Creating admin accounts
- You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin
- Follow these steps to create an account of other type
- Creating accounts of other types
- The logged in users can enter the enable password on this page to get the administrative privileges
- The aaa function applies another method to manage the access users name and password for details refer to aaa configuration in configuring network security
- System tools configurations
- Configuring the boot file
- Using the gui
- Restoring the configuration of the switch
- In the config restore section select one unit and one configuration file
- Follow these steps to restore the configuration of the switch
- Config restore to load the following page
- Config backup to load the following page
- Click import to import the configuration file
- Click apply
- Backing up the configuration file
- Upgrading the firmware
- Rebooting the switch
- Configuring the reboot schedule
- Reseting the switch
- In the system reset section select the desired unit and click reset
- Follow these steps to configure the boot file
- Configuring the boot file
- Using the cli
- System reset to load the following page
- Restoring the configuration of the switch
- Upgrading the firmware
- The following example shows how to upgrade the firmware using the configuration file named file3 bin the tftp server is 190 68 00
- The following example shows how to backup the configuration file named file2 from tftp server with ip address 192 68 00
- Switch firmware upgrade ip address 192 68 00 filename file3 bin
- Switch copy startup config tftp ip address 192 68 00 filename file2
- Start to backup user config file
- Operation ok
- It will only upgrade the backup image continue y n y
- Follow these steps to upgrade the firmware
- Follow these steps to back up the current configuration of the switch in a file
- Enable
- Backup user config file ok
- Backing up the configuration file
- The following example shows how to set the switch to reboot at 12 00 on 15 01 2016
- Rebooting the switch
- Reboot with the backup image y n y
- Follow these steps to reboot the switch
- Follow these steps and choose one type to configure the reboot schedule
- Configuring the reboot schedule
- Reseting the switch
- Using the gui
- Configuring the access control feature
- Access security configurations
- When the port based mode is selected the following section will display
- When the ip based mode is selected the following section will display
- Click apply
- Configuring the http function
- Configuring the https function
- In the access user number section select enable and specify the parameters click apply
- In the session config section specify the session timeout and click apply
- In the ciphersuite config section select the algorithm to be enabled and click apply
- In the certificate download and key download section download the certificate and key
- Ssh config to load the following page
- In the global config section select enable to enable ssh function and specify other parameters
- Configuring the ssh feature
- Using the cli
- Enabling the telnet function
- Configuring the access control
- The following example shows how to set the type of access control as ip based set the ip address as 192 68 00 set the subnet mask as 255 55 55 and make the switch support snmp telnet http and https
- Switch configure
- Switch config user access control ip based 192 68 00 255 55 55 snmp telnet http https
- Switch config show user configuration
- Follow these steps to configure the http function
- Configuring the http function
- 68 24 snmp telnet http https
- User authentication mode ip based
- The following example shows how to set the session timeout as 9 set the maximum admin number as 6 and set the maximum guest number as 5
- Switch copy running config startup config
- Switch configure
- Switch config ip http server
- Switch config end
- Index ip address access interface
- Switch config ip http max user 6 5
- Switch config end
- Http user limitation enabled
- Http status enabled
- Http session timeout 9
- Http max guest users 5
- Http max admin users 6
- Follow these steps to configure the https function
- Configuring the https function
- Switch copy running config startup config
- Switch config show ip http configuration
- Switch config ip http session timeout 9
- The following example shows how to configure the https function enable ssl3 and tls1 protocol enable the ciphersuite of 3des ede cbc sha set the session timeout time as 15 the admin number as 1 and the guest number as 2 download the certificate named ca crt and the key named ca key from the tftp server with the ip address 192 68 00
- Switch configure
- Switch config ip http secure server
- Switch config ip http secure protocol ssl3 tls1
- Switch config ip http secure ciphersuite 3des ede cbc sha
- Configuring the ssh feature
- The following example shows how to configure the ssh function set the version as ssh v1 and ssh v2 enable the aes128 cbc and cast128 cbc encryption algorithm enable the hmac md5 data integrity algorithm choose the key type as ssh 2 rsa dsa
- Switch config ip ssh version v1
- Switch config ip ssh server
- Switch copy running config startup config
- Switch config end
- Follow these steps enable the telnet function
- Enabling the telnet function
- Using the gui
- The template table displays the resources allocation of each template
- Sdm template to load the following page
- Sdm template function is used to configure system resources in the switch to optimize support for specific features the switch provides three templates and the hardware resources allocation is different users can choose one according to how the switch is used in the network
- Sdm template configuration
- In select options section select one template and click apply the setting will be effective after the reboot
- Using the cli
- The following example shows how to set the sdm template as enterprisev4
- Switch config show sdm prefer enterprisev4
- Switch config
- Follow these steps to configure the sdm template function
- Default settings of user management are listed in the following table
- Default settings of system tools are listed in the following table
- Default settings of system info are listed in the following tables
- Appendix default parameters
- Default settings of access security are listed in the following tables
- Default settings of sdm template are listed in the following table
- Part 3
- Configuring stack
- Chapters
- Stack topology
- Stack membership
- Overview
- Unit id
- Stack master election and re election
- The stack master contains the saved and running configuration files for the stack the configuration files include the global settings for the stack and the interface settings for each switches in the stack
- The provisioned configuration retains in the stack when the stack member leaves the stack one application of this feature is shown below if a stack member fails and you replace it with an identical model and pre configure the new switch s unit id the same as the fail one s the stack applies the provisioned configuration to the new member that is the new one and the old one have exactly the same global settings and interface settings
- The provisioned configuration can be manually created or is automatically created when a switch is added to the stack and no provisioned configuration exists
- The following table lists the events that occur when the stack compares the provisioned configuration with the provisioned switch what configuration will be applied to the new member and what will happen to the provisioned configuration file
- Provisioned configuration
- For back up purposes all the stack members receive synchronized copies of the configuration files from the stack master if the stack master becomes unavailable all the other switches in the stack have the latest stack configuration files and the switch with the highest priority value becomes the new stack master
- Configuration synchronization
- You can use the provision feature to pre configure a new switch before it joins the stack you can configure in advance the stack unit id the switch type and the interfaces associated with the switch which is not currently part of the stack this configuration that you create on the stack is called the provisioned configuration the switch that is added to the stack and that receives this configuration is called the provisioned switch
- Using the gui
- Stack configuration
- Configuring the stack
- You can use the provision feature to pre configure a new switch before it joins the stack
- Provisioning a new member for a stack
- In the provision info section configure the provisioned switch s information
- Follow these steps to create the provisioned switch
- Click create
- In the stack port config section configure the sfp port s stacking feature
- In the stack member config section configure the stack member s information
- Follow these steps to enable the stack port
- Follow these steps to configure the stack member s information
- Enabling the stack port for a switch
- Configuring the unit id and priority for the stack member
- Click apply
- The stack ports in the switch work in ethernet mode by default configure the ethernet ports as stack ports before connecting them to build up a stack
- Viewing the stack information
- Stack port info
- Stack member info
- Stack info
- In the stack port info section view the stack port s detailed information
- In the stack member info section view the stack member s detailed information
- In the stack info section view the stack s general information
- Switch configure
- Switch config switch 1 priority 15
- Switch config show switch 1
- Switch config end
- Stack topo solo
- Follow these steps to configure the priority of the specified stack member
- Configuring the stack member s priority
- 1 4 master 50 c7 bf 07 5f 0e 15 2 t1700g 28tqrev2 ready
- Using the cli
- The following example shows how to configure stack unit1 s priority as 15
- Switch stack mac address 50 c7 bf 07 5f 0e
- Switch new id role mac address priority version switch type state
- Switch copy running config startup config
- Switch copy running config startup config
- Switch configure
- Switch config switch 1 renumber 4
- Switch config show switch 1
- Switch config end
- Stack topo solo
- Renumbering the stack member
- Follow these steps to renumber of the specified stack member
- Follow these steps to enable the specified port as stack port
- Configuring the stack port
- 1 4 master 50 c7 bf 07 5f 0e 15 2 t1700g 28tqrev2 ready
- The following example shows how to renumber stack unit1 as unit4
- Switch stack mac address 50 c7 bf 07 5f 0e
- Switch new id role mac address priority version switch type state
- The following example shows how to configure port 1 0 25 and 4 0 25 as stack ports
- Switch configure
- Switch config switch stack port interface ten gigabitethernet 4 0 25
- Switch config switch stack port interface ten gigabitethernet 1 0 25
- Switch config show switch stack ports
- Stack port group status
- Enabling disabling a stack port may cause undesired stack changes continue yes no y
- 0 28 1 ethernet
- 0 27 1 ethernet
- 0 26 0 ethernet
- 0 25 0 ok
- 1 auto master 00 0a eb 13 12 3e 5 2 t1700g 28tqrev2 ready
- 0 28 1 ethernet
- The following example shows how to create a provisioned stack member as unit 2 and t1700g 28tqrev2
- T1700g 28tqrev2 provisioned
- Switch stack mac address 50 c7 bf 07 5f 0e
- Switch new id role mac address priority version switch type state
- Switch copy running config startup config
- Switch configure
- Switch config switch 2 provision t1700g 28tqrev2
- Switch config show switch
- Switch config end
- Stack topo solo
- Follow these steps to create a provisioned stack member
- Configuring the provisioned stack member
- 4 member 50 c7 bf 07 5f 0e 15 2 t1700g 28tqrev2 ready
- Switch copy running config startup config
- Switch config end
- Configuration example
- Using the gui
- Ring stack application
- Network requirements
- Configuration scheme
- Using the cli
- Using the gui
- Replacing a stack member with a new unit
- Network requirements
- Configuration scheme
- Using the cli
- Default settings of stack are listed in the following table
- Appendix default parameters
- Part 5
- Managing physical interfaces
- Chapters
- Basic parameters
- Supported features
- Port security
- Port mirror
- Port isolation
- Physical interface
- Overview
- Loopback detection
- Using the gui
- Select and configure your desired ports or lags then click apply
- Port config to load the following page
- Follow these steps to set basic parameters for ports
- Basic parameters configurations
- Using the cli
- Follow these steps to set basic parameters for the ports
- The following example shows how to implement the basic configurations of port1 0 1 including setting a description for the port making the port autonegotiate speed and duplex with the neighboring port and enabling the flow control and jumbo feature
- Switch configure
- Using the gui
- Port mirror configuration
- In the source port section select one or multiple monitored ports for configuration then set the parameters and click apply
- In the destination port section specify a monitoring port for the mirror session and click apply
- Follow these steps to configure port mirror
- Using the cli
- The following example shows how to copy the received and transmitted packets on port 1 0 1 2 3 to port 1 0 10
- Switch configure
- Switch config show monitor session
- Switch config monitor session 1 source interface gigabitethernet 1 0 1 3 both
- Switch config monitor session 1 destination interface gigabitethernet 1 0 10
- Monitor session 1
- Follow these steps to configure port mirror
- Port security to load the following page
- Port security configuration
- Follow these steps to configure port security
- Using the gui
- Specify the maximum number of the mac addresses that can be learned on the port and then select the learn mode of the mac addresses
- Select one or multiple ports for security configuration
- Using the cli
- Select the status of the port security feature
- Follow these steps to configure port security
- Click apply
- The following example shows how to set the maximum number of mac addresses that can be learned on port 1 0 1 as 30 and configure the mode as permanent and the status as drop
- Switch configure
- Switch config interface gigabitethernet 1 0 1
- Switch config if show mac address table max mac count interface gigabitethernet 1 0 1
- Switch config if mac address table max mac count max number 30 mode permanent status drop
- Port max learn current learn mode status
- Gi1 0 1 30 0 permanent drop
- Switch copy running config startup config
- Switch config if end
- Using the gui
- Port isolation configurations
- Using the cli
- In the port section select one or multiple ports to be isolated
- In the forward portlist section select the forward ports or lags which the isolated ports can only communicate with it is multi optional
- Follow these steps to configure port isolation
- Click apply
- The following example shows how to add ports 1 0 1 3 and lag 4 to the forward list of port 1 0 5
- Switch copy running config startup config
- Switch configure
- Switch config interface gigabitethernet 1 0 5
- Switch config if show port isolation interface gigabitethernet 1 0 5
- Switch config if port isolation gi forward list 1 0 1 3 po forward list 4
- Switch config if end
- Port lag forward list
- Gi1 0 5 n a gi1 0 1 3 po4
- Using the gui
- Loopback detection configuration
- View the loopback detection information on this page
- Using the cli
- In the port config section select one or multiple ports for configuration then set the parameters and click apply
- Follow these steps to configure loopback detection
- The following example shows how to enable loopback detection globally keeping the default parameters
- Using the gui
- Network requirements
- Example for port mirror
- Configuration scheme
- Configuration examples
- Monitor session 1
- Example for port isolation
- Destination port gi1 0 1
- As shown below three hosts and a server are connected to the switch and all belong to vlan 10 with the vlan configuration unchanged host a is not allowed to communicate with the other hosts except the server even if the mac address or ip address of host a is changed
- Verify the configuration
- Using the cli
- Switch show monitor session 1
- Switch copy running config startup config
- Switch configure
- Switch config monitor session 1 source interface gigabitethernet 1 0 2 5 both
- Switch config monitor session 1 destination interface gigabitethernet 1 0 1
- Switch config end
- Source ports ingress gi1 0 2 5
- Source ports egress gi1 0 2 5
- Network requirements
- Using the gui
- Configuration scheme
- Verify the configuration
- Using the cli
- Configuration scheme
- Using the gui
- Network requirements
- Example for loopback detection
- Using the cli
- Verify the configuration
- Default settings of switching are listed in th following tables
- Appendix default parameters
- Part 6
- Configuring lag
- Chapters
- Supported features
- Static lag
- Overview
- Lag configuration
- Configuration guidelines
- Configuring load balancing algorithm
- Using the gui
- Please properly choose the load balancing algorithm to avoid data stream transferring only on one physical link for example switch a receives packets from several hosts and forwards them to the server with the fixed mac address and ip address you can set the algorithm as src mac src ip to allow switch a to determine the forwarding port based on the source mac addresses and source ip addresses of the received packets
- Load balancing algorithm is effective only for outgoing traffic if the data stream is not well shared by each link you can change the algorithm of the outgoing interface
- Lag table to load the following page
- In the global config section select the load balancing algorithm click apply
- Configuring static lag or lacp
- Specify the system priority for the switch and click apply
- Select member ports for the lag and configure the related parameters click apply
- Lacp to load the following page
- Follow these steps to configure lacp
- Configuring lacp
- Using the cli
- Follow these steps to configure the load balancing algorithm
- Configuring load balancing algorithm
- Configuring static lag or lacp
- Configuring static lag
- You can choose only one lag mode for a port static lag or lacp and make sure both ends of a link use the same lag mode
- The following example shows how to set the global load balancing mode as src dst mac
- Switch copy running config startup config
- Switch configure
- Switch config show etherchannel load balance
- Switch config port channel load balance src dst mac
- Switch config if end
- Non ip source xor destination mac address
- Ipv6 source xor destination mac address
- Ipv4 source xor destination mac address
- Follow these steps to configure static lag
- Etherchannel load balancing configuration src dst mac
- Etherchannel load balancing addresses used per protocol
- Follow these steps to configure lacp
- Flags d down p bundled in port channel u in use
- Configuring lacp
- U unsuitable for bundling w waiting to be aggregated d default port
- The following example shows how to add ports1 0 5 8 to lag 2 and set the mode as static lag
- Switch copy running config startup config
- Switch configure
- Switch config interface range gigabitethernet 1 0 5 8
- Switch config if range show etherchannel 2 summary
- Switch config if range end
- Switch config if range channel group 2 mode on
- R layer3 s layer2 f failed to allocate aggregator
- Po2 s gi1 0 5 d gi1 0 6 d gi1 0 7 d gi1 0 8 d
- I stand alone h hot standby lacp only s suspended
- Group port channel protocol ports
- Switch config interface range gigabitethernet 1 0 1 4
- Switch config if range channel group 6 mode active
- Switch config end
- 000a eb13 397
- The following example shows how to specify the system priority of the switch as 2
- The following example shows how to add ports 1 0 1 4 to lag 6 set the mode as lacp and select the lacpdu sending mode as active
- Switch copy running config startup config
- Switch configure
- Switch config show lacp sys id
- Switch config lacp system priority 2
- Network requirements
- Configuration scheme
- Configuration example
- Using the gui
- Verify the configuration
- Using the cli
- Default settings of switching are listed in the following tables
- Appendix default parameters
- Monitoring traffic
- Traffic monitor
- Viewing the traffic summary
- Using the gui
- Viewing the traffic statistics in detail
- In the statistics section view the detailed information of the selected port or lag
- In port select select a port or lag and click select
- Using the cli
- On privileged exec mode or any other configuration mode you can use the following command to view the traffic information of each port or lag
- Appendix default parameters
- Part 8
- Managing mac address table
- Chapters
- Supported features
- Overview
- Mac address table
- Address configurations
- Security configurations
- Using the gui
- Address configurations
- Adding static mac address entries
- Follow these steps to add a static mac address entry
- Enter the mac address vlan id and select a port to bind them together
- Dynamic address to load the following page
- Click create
- Binding dynamic address entries
- Modifying the aging time of dynamic address entries
- In the aging config section enable auto aging and enter your desired length of time
- Follow these steps to modify the aging time of dynamic address entries
- Dynamic address to load the following page
- Click apply
- Viewing address table entries
- Adding mac filtering address entries
- Adding static mac address entries
- Using the cli
- Follow these steps to add static mac address entries
- Address table to load the following page
- Total mac addresses for this criterion 1
- The following example shows how to add a static mac address entry with mac address 00 02 58 4f 6c 23 vlan 10 and port 1 when a packet is received in vlan 10 with this address as its destination the packet will be forwarded only to port 1
- Switch configure
- Switch config show mac address table static
- Switch config mac address table static 00 02 58 4f 6c 23 vid 10 interface gigabitethernet
- Switch config end
- Mac vlan port type aging
- Mac address table
- 02 58 4f 6c 23 10 gi1 0 1 config static no aging
- Follow these steps to modify the aging time of dynamic address entries
- Follow these steps to add mac filtering address entries
- Aging time is 500 sec
- Adding mac filtering address entries
- The following example shows how to modify the aging time to 500 seconds a dynamic entry remains in the mac address table for 500 seconds after the entry is used or updated
- Switch copy running config startup config
- Switch configure
- Switch config show mac address table aging time
- Switch config mac address table aging time 500
- Switch config end
- Modifying the aging time of dynamic address entries
- The following example shows how to add the mac filtering address 00 1e 4b 04 01 5d to vlan 10 then the switch will drop the packet that is received in vlan 10 with this address as its source or destination
- Switch copy running config startup config
- Switch configure
- Switch config show mac address table filtering
- Switch config mac address table filtering 00 1e 4b 04 01 5d vid 10
- Switch config end
- Mac vlan port type aging
- Mac address table
- 1e 4b 04 01 5d 10 filter no aging
- Total mac addresses for this criterion 1
- Using the gui
- Security configurations
- Configuring mac notification traps
- Mac vlan security to load the following page
- Limiting the number of mac addresses in vlans
- In the mac notification port config section select your desired port and enable its notification traps you can enable these three types learned mode change exceed max learned and new mac learned click apply
- In the mac notification global config section enable this feature configure the relevant options and click apply
- Configure snmp and set a management host for detailed snmp configurations please refer to configuring snmp rmon
- Follow these steps to limit the number of mac addresses in vlans
- Follow these steps to configure mac notification traps
- Enter your desired value in max learned mac to set a threshold
- Enter the vlan id to limit the number of mac addresses that can be learned in the specified vlan
- Configuring mac notification traps
- Click create
- Choose the mode that the switch adopts when the maximum number of mac addresses in the specified vlan is exceeded
- Using the cli
- The following example shows how to enable new mac learned trap on port 1 and set the interval time as 10 seconds after you have further configured snmp the switch will bundle notifications of new addresses in every 10 seconds and send to the management host
- Switch configure
- Switch config mac address table notification interval 10
- Switch config mac address table notification global status enable
- Switch config interface gigabitethernet 1 0 1
- Now you have configured mac notification traps to receive notifications you need to further enable snmp and set a management host for detailed snmp configurations please refer to configuring snmp rmon
- Switch config if mac address table notification new mac learned enable
- Switch config if end
- Port lrnmode change exceed max limit new mac learned
- Notification interval 10
- Notification global status enable
- Mac notification global config
- Limiting the number of mac addresses in vlans
- Gi1 0 1 disable disable enable
- Follow these steps to limit the number of mac addresses in vlans
- Table full notification status disable
- Switch copy running config startup config
- Switch config if show mac address table notification interface gigabitethernet 1 0 1
- Network requirements
- Example for security configurations
- Configuration scheme
- Using the gui
- Verify the configurations
- Using the cli
- Default settings of the mac address table are listed in the following tables
- Appendix default parameters
- Part 9
- Configuring 802 q vlan
- Chapters
- Overview
- Configuring the pvid of the port
- Using the gui
- Q vlan configuration
- Vlan config and click create to load the following page
- Follow these steps to configure vlan
- Enter a vlan id and a description for identification to create a vlan
- Configuring the vlan
- Will forward untagged packets in the target vlan
- Using the cli
- The following example shows how to create vlan 2 and name it as rd
- Switch configure
- Switch config vlan name rd
- Switch config vlan 2
- Select the untagged port s and the tagged port s respectively to add to the created vlan based on the network topology
- Follow these steps to create a vlan
- Creating a vlan
- Click apply
- The following example shows how to configure the pvid of port 1 0 5 as vlan 2
- Switch copy running config startup config
- Switch configure
- Switch config vlan show vlan id 2
- Switch config vlan end
- Switch config interface gigabitethernet 1 0 5
- Switch config if switchport pvid 2
- Switch config if show interface switchport gigabitethernet 1 0 5
- Rd active
- Pvid 2
- Port gi1 0 5
- Member in vlan
- Member in lag n a
- Link type general
- Follow these steps to configure the port
- Vlan name status ports
- Configuring the pvid of the port
- Vlan name egress rule
- The following example shows how to add the port 1 0 5 to vlan 2 and specify its egress rule as tagged
- System vlan untagged
- Switch copy running config startup config
- Switch configure
- Switch config interface gigabitethernet 1 0 5
- Switch config if switchport general allowed vlan 2 tagged
- Switch config if show interface switchport gigabitethernet 1 0 5
- Switch config if end
- Pvid 2
- Port gi1 0 5
- Follow these steps to add the port to the specified vlan
- Adding the port to the specified vlan
- Configuration scheme
- Configuration example
- Network requirements
- Using the gui
- Network topology
- Using the cli
- Verify the configurations
- Default settings of 802 q vlan are listed in the following table
- Appendix default parameters
- Part 10
- Configuring mac vlan
- Chapters
- Vlan is generally divided by ports this way of division is simple but isn t suitable for those networks that require frequent topology changes with the popularity of mobile office a terminal device may access the switch via different ports for example a terminal device that accessed the switch via port 1 last time may change to port 2 this time if port 1 and port 2 belong to different vlans the user has to re configure the switch to access the original vlan using mac vlan can free the user from such a problem it divides vlans based on the mac addresses of terminal devices in this way terminal devices always belong to their original vlans even when their access ports change
- Two departments share all the meeting rooms in the company but use different servers and l
- The figure below shows a common application scenario of mac vlan
- Ptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in to meet this requirement simply bind the mac addresses of the laptops to the corresponding vlans respectively in this way the mac address rather than the access port determines the vlan each laptop joins each laptop can access only the server in the vlan it joins
- Overview
- Configuring 802 q vlan
- Using the gui
- Mac vlan configuration
- Mac vlan to load the following page
- Follow these steps to bind the mac address to the vlan
- Enter the mac address of the device give it a description and enter the vlan id to bind it to the vlan
- Enabling mac vlan for the port
- Click create to create the mac vlan
- By default mac vlan is disabled on all ports you need to enable mac vlan for your desired ports manually
- Binding the mac address to the vlan
- Select your desired ports to enable mac vlan and click apply
- Port enable to load the following page
- Follow these steps to enable mac vlan for the port
- Follow these steps to bind the mac address to the vlan
- Configuring 802 q vlan
- Binding the mac address to the vlan
- Before configuring mac vlan create an 802 q vlan and set the port type according to network requirements for details refer to configuring 802 q vlan
- Using the cli
- The following example shows how to bind the mac address 00 19 56 8a 4c 71 to vlan 10 with the address description as dept a
- Switch copy running config startup config
- Switch configure
- Switch config show mac vlan vlan 10
- Switch config mac vlan mac address 00 19 56 8a 4c 71 vlan 10 description dept a
- Switch config end
- Mac addr name vlan id
- Follow these steps to enable mac vlan for the port
- Enabling mac vlan for the port
- 19 56 8a 4c 71 dept a 10
- Two departments share all the meeting rooms in the company but use different servers and laptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in the figure below shows the network topology
- Network requirements
- Create vlan 10 and vlan 20 on each of the three switches set different port types and add the ports to the vlans based on the network topology note for the ports
- Configuration scheme
- Configuration example
- You can configure mac vlan to meet this requirement on switch 1 and switch 2 bind the mac addresses of the laptops to the corresponding vlans respectively in this way each laptop can access only the server in the vlan it joins no matter which meeting room the laptops are being used in the overview of the configuration is as follows
- Using the gui
- Using the cli
- Verify the configurations
- Deptb active gi1 0 2 gi1 0 3 gi1 0 5
- Depta active gi1 0 2 gi1 0 3 gi1 0 4
- Default settings of mac vlan are listed in the following table
- Appendix default parameters
- Part 11
- Configuring protocol vlan
- Chapters
- The figure below shows a common application scenario of protocol vlan with protocol vlan configured switch 2 can forward ipv4 and ipv6 packets from different vlans to the ipv4 and ipv6 networks respectively
- Protocol vlan is a technology that divides vlans based on the network layer protocol with the protocol vlan rule configured on the basis of the existing 802 q vlan the switch can analyze special fields of received packets encapsulate the packets in specific formats and forward the packets of different protocols to the corresponding vlans since different applications and services use different protocols network administrators can use protocol vlan to manage the network based on specific applications and services of network users
- Overview
- Protocol vlan configuration
- Configuring 802 q vlan
- Using the gui
- Creating protocol template
- Configuring protocol vlan
- Using the cli
- Configuring 802 q vlan
- Switch config protocol template name ipv6 frame ether_2 ether type 86dd
- Switch config end
- Rarp ethernetii ether type 8035
- Ipx snap ether type 8137
- Ipv6 ethernetii ether type 86dd
- Ip ethernetii ether type 0800
- Index protocol name protocol type
- Follow these steps to create a protocol template
- Creating a protocol template
- At snap ether type 809b
- Arp ethernetii ether type 0806
- The following example shows how to create an ipv6 protocol template
- Switch configure
- Switch config show protocol vlan template
- The following example shows how to bind the ipv6 protocol template to vlan 10
- Switch copy running config startup config
- Switch configure
- Switch config show protocol vlan template
- Rarp ethernetii ether type 8035
- Ip ethernetii ether type 0800
- Index protocol name protocol type
- Follow these steps to configure protocol vlan
- Configuring protocol vlan
- Arp ethernetii ether type 0806
- Configuration scheme
- Configuration example
- A company uses both ipv4 and ipv6 hosts and these hosts access the ipv4 network and ipv6 network respectively via different routers it is required that ipv4 packets are forwarded to the ipv4 network ipv6 packets are forwarded to the ipv6 network and other packets are dropped
- You can configure protocol vlan on port 1 0 1 of switch 2 to meet this requirement when this port receives packets switch 2 will forward them to the corresponding vlans according to their protocol types the overview of the configuration on switch 2 is as follows
- The figure below shows the network topology the ipv4 host belongs to vlan 10 the ipv6 host belongs to vlan 20 and these hosts access the network via switch 1 switch 2 is connected to two routers to access the ipv4 network and ipv6 network respectively the routers belong to vlan 10 and vlan 20 respectively
- Network requirements
- Using the gui
- Using the cli
- Verify the configurations
- Default settings of protocol vlan are listed in the following table
- Appendix default parameters
- Part 12
- Configuring spanning tree
- Chapters
- Stp rstp concepts
- Spanning tree
- Overview
- Basic concepts
- Bridge id
- Root bridge
- Port role
- Port status
- Root path cost
- Path cost
- Mstp concepts
- Mst region
- Mst instance
- Vlan instance mapping
- Stp security
- Using the gui
- Stp rstp configurations
- Configuring stp rstp parameters on ports
- Stp config to load the following page
- Configuring stp rstp globally
- Click apply
- In the parameters config section configure the global parameters of stp rstp and click apply
- In the global config section enable spanning tree function choose the stp mode as stp rstp and click apply
- Follow these steps to configure stp rstp globally
- Verifying the stp rstp configurations
- Verify the stp rstp information of your switch after all the configurations are finished
- The stp summary section shows the summary information of spanning tree
- Stp summary to load the following page
- Using the cli
- Follow these steps to configure stp rstp parameters on ports
- Configuring stp rstp parameters on ports
- The following example shows how to enable spanning tree function on port 1 0 3 and configure the port priority as 32
- Switch configure
- Switch config interface gigabitethernet 1 0 3
- Switch config if spanning tree common config port priority 32
- Switch config if spanning tree
- Switch config if show spanning tree interface gigabitethernet 1 0 3
- Switch copy running config startup config
- Switch config if end
- Interface state prio ext cost int cost edge p2p mode role status
- Gi1 0 3 enable 32 auto auto no no auto n a n a lnkdwn
- Follow these steps to configure global stp rstp parameters of the switch
- Configuring global stp rstp parameters
- Switch copy running config startup config
- Switch configure
- Switch config spanning tree timer forward time 12
- Switch config spanning tree priority 36864
- Switch config show spanning tree bridge
- Switch config end
- State mode priority hello time fwd time max age hold count max hops
- Follow these steps to configure the spanning tree mode as stp rstp and enable spanning tree function globally
- Enabling stp rstp globally
- Enable rstp 36864 2 12 20 5 20
- This example shows how to configure the priority of the switch as 36864 the forward delay as 12 seconds
- Using the gui
- Mstp configurations
- Configuring parameters on ports in cist
- Region config to load the following page
- Configuring the region name and revision level
- Configuring the mstp region
- Configure the region name revision level vlan instance mapping of the switch the switches with the same region name the same revision level and the same vlan instance mapping are considered as in the same region
- Click apply
- Besides configure the priority of the switch the priority and path cost of ports in the desired instance
- Stp config to load the following page
- In the parameters config section configure the global parameters of mstp and click apply
- Follow these steps to configure mstp globally
- Configuring mstp globally
- In the global config section enable spanning tree function and choose the stp mode as mstp and click apply
- Stp summary to load the following page
- Verifying the mstp configurations
- The stp summary section shows the summary information of cist
- Using the cli
- The mstp summary section shows the information in mst instances
- Follow these steps to configure the parameters of the port in cist
- Configuring parameters on ports in cist
- This example shows how to enable spanning tree function for port 1 0 3 and configure the port priority as 32
- Switch configure
- Mst instance 0 cist
- Interface state prio ext cost int cost edge p2p mode role status
- Interface prio cost role status
- Gi1 0 3 enable 32 auto auto no no auto n a n a lnkdwn
- Gi1 0 3 144 200 n a lnkdwn
- Follow these steps to configure the mst region and the priority of the switch in the instance
- Configuring the mstp region
- Configuring the mst region
- Switch copy running config startup config
- Switch config interface gigabitethernet 1 0 3
- Switch config if spanning tree common config port priority 32
- Switch config if spanning tree
- Switch config if show spanning tree interface gigabitethernet 1 0 3
- Switch config if end
- Mst instance 5
- This example shows how to create an mst region of which the region name is r1 the revision level is 100 and vlan 2 vlan 6 are mapped to instance 5
- Switch configure
- Switch config spanning tree mst configuration
- Switch config mst show spanning tree mst configuration
- Switch config mst revision 100
- Switch config mst name r1
- Switch config mst instance 5 vlan 2 6
- Revision 100
- Region name r1
- Switch copy running config startup config
- Switch config mst end
- Mst instance vlans mapped
- Follow these steps to configure the priority and path cost of ports in the specified instance
- Configuring the parameters on ports in instance
- 7 4094
- Configuring global mstp parameters
- This example shows how to configure the cist priority as 36864 the forward delay as 12 seconds the hold count as 8 and the max hop as 25
- Switch configure
- Switch config spanning tree priority 36864
- Switch config if show spanning tree bridge
- Switch config if end
- State mode priority hello time fwd time max age hold count max hops
- Follow these steps to configure the spanning tree mode as mstp and enable spanning tree function globally
- Enabling spanning tree globally
- Enable mstp 36864 2 12 20 8 25
- This example shows how to configure the spanning tree mode as mstp and enable spanning tree function globally
- Switch copy running config startup config
- Switch configure
- Switch config spanning tree mode mstp
- Switch config spanning tree
- Switch config show spanning tree active
- Switch config if spanning tree timer forward time 12
- Switch config if spanning tree max hops 25
- Switch config if spanning tree hold count 8
- Using the gui
- Stp security configurations
- Configuring the stp security
- When you enable tc protect function on ports set the tc threshold and tc protect cycle here if the number of the received tc bpdus exceeds the maximum number you set in the tc threshold field the switch will not remove mac address entries in the tc protect cycle
- Optional configuring the threshold and cycle of tc protect
- Configure the port protect features for the selected ports and click apply
- Configure the parameters of tc protect feature and click apply
- Using the cli
- Tc protect to load the following page
- Follow these steps to configure the root protect feature bpdu protect feature and bpdu filter feature for ports
- Featur
- Configuring the stp security
- This example shows how to enable loop protect root protect bpdu filter and bpdu protect functions on port 1 0 3
- Switch configure
- Switch config interface gigabitethernet 1 0 3
- Switch config if spanning tree guard root
- Switch config if spanning tree guard loop
- Switch config if spanning tree bpduguard
- Switch config if spanning tree bpdufilter
- Switch config if show spanning tree interface security gigabitethernet 1 0 3
- Gi1 0 3 enable enable enable enable disable
- Follow these steps to configure tc protect feature for ports
- Configuring the tc protect
- This example shows how to enable the tc protect function on port 1 0 3 with the tc threshold is 25 and the tc protect cycle is 8
- Switch copy running config startup config
- Switch config if end
- Interface bpdu filter bpdu guard loop protect root protect tc protect
- To meet this requirement you are suggested to configure mstp function on the switches map the vlans to different instances to ensure traffic can be transmitted along the respective instance
- Network requirements
- Mstp backwards compatible with stp and rstp can map vlans to instances to enable load balancing thus providing a more flexible method in network management here we take the mstp configuration as an example
- It is required that traffic in vlan 101 vlan 103 and traffic in vlan 104 vlan 106 should be transmitted along different paths
- Here we configure two instances to meet the requirement as is shown below
- Configuration scheme
- Configuration example for mstp
- As shown in figure 5 1 the network consists of three switches traffic in vlan 101 vlan 106 is transmitted in this network the link speed between the switches is 100mb s the default path cost of the port is 200000
- Using the gui
- Instance port config to load the following page set the path cost of port 1 0 1 in instance 1 as 400000
- Instance port config to load the following page set the path cost of port 1 0 2 in instance 2 as 400000
- Using the cli
- Verify the configurations
- Default settings of the spanning tree feature are listed in the following table
- Appendix default parameters
- Part 13
- Configuring layer 2 multicast
- Chapters
- Overview
- Layer 2 multicast
- On the layer 2 device mld snooping multicast listener discovery snooping transmits data on demand on data link layer by analyzing igmp packets between layer 3 devices and users to build and maintain layer 2 multicast forwarding table
- On the layer 2 device igmp snooping transmits data on demand on data link layer by analyzing igmp packets between layer 3 devices and users to build and maintain layer 2 multicast forwarding table
- Layer 2 multicast protocol for ipv6 mld snooping
- Layer 2 multicast protocol for ipv4 igmp snooping
- Figure 1 1 igmp snooping
- Demonstrated as below
- Configuring layer 2 multicast layer 2 multicast
- Configuration guide 292
- Supported layer 2 multicast protocols
- Using the gui
- Igmp snooping configurations
- Configuring igmp snooping globally
- Specify the aging time of the router ports
- Specify the aging time of the member ports
- Snooping config page at the same time
- Optional configuring report message suppression
- Follow these steps to configure unknown multicast
- Follow these steps to configure the aging time of the router ports and the member ports
- Follow these steps to configure report message suppression
- Enabling report message suppression can reduce the number of packets in the network
- Enable or disable report message suppression globally
- Configuring router port time and member port time
- Configure unknown multicast as forward or discard
- Click apply
- Verifying igmp snooping status
- Specify the number of masqs to be sent
- Specify the interval between masqs
- Igmp snooping status table displays vlans and ports with igmp snooping enabled
- Follow these steps to configure last listener query interval and last listener query count in the global config section
- Configuring igmp snooping last listener query
- Configure the last listener query interval and last listener query count when the switch receives an igmp leave message if specified count of multicast address specific queries masqs are sent and no report message is received the switch will delete the multicast address from the multicast forwarding table
- Click apply
- Optional configuring fast leave
- Enabling igmp snooping on the port
- Configuring the port s basic igmp snooping features
- In the vlan config section follow these steps to configure relevant parameters for the designate vlan
- Enable igmp snooping in the designate vlan and configure the aging time of the router ports and the member ports
- Configuring igmp snooping in the vlan
- Configuring igmp snooping globally in the vlan
- Click apply
- Vlan config to load the following page
- Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan
- Optional configuring the static router ports in the vlan
- Configuring the multicast vlan
- Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan
- In the multicast vlan section follow these steps to enable multicast vlan and to finish the basic settings
- Enable multicast vlan configure the specific vlan to be the multicast vlan and configure the router port time and member port time
- Creating multicast vlan and configuring basic settings
- Click apply
- Optional configuring the static router ports
- Optional configuring the querier
- Follow these steps to configure the querier
- Follow these steps to configure static router ports in the multicast vlan
- Configuring the querier
- Configure the router ports in the multicast vlan
- Click apply
- Viewing dynamic router ports in the multicast vlan
- This table displays all the dynamic router ports in the multicast vlan
- Specify a vlan and configure the querier on this vlan
- Querier config to load the following page
- You can edit the settings in the igmp snooping querier table
- Viewing settings of igmp querier
- The igmp snooping querier table displays all the related settings of the igmp querier
- Profile config to load the following page
- Follow these steps to create a profile and configure its filtering mode
- Creating profile
- Create a profile and configure its filtering mode
- Configuring igmp profile
- Click add
- Editing ip range of the profile
- Click edit in the igmp profile info table edit its ip range and click add to save the settings
- Click create
- Searching profile
- Follow these steps to edit profile mode and its ip range
- Enter the search condition in the search option field to search the profile in the igmp profile info table
- Binding profile and member ports
- Viewing igmp statistics on each port
- Select a port to configure its max group and overflow action
- Packet statistic to load the following page
- Follow these steps to configure the maximum groups a port can join and overflow action
- Configuring max groups a port can join
- Click apply
- Igmp authentication to load the following
- Follow these steps to configure auto refresh
- Enabling igmp accounting and authentication
- Enable or disable auto refresh
- Configuring auto refresh
- Click apply
- Viewing igmp statistics
- The igmp statistics table displays all kinds of igmp statistics of all the ports
- Configuring igmp authentication on the port
- Configuring igmp accounting globally
- This function allows you to specify a port as a static member port in the multicast group
- Static ipv4 multicast table to load the following page
- Follow these steps to configure static member port
- Enter the multicast ip and vlan id specify the static member port
- Configuring static member port
- Click apply
- Viewing igmp static multicast groups
- Using the cli
- Static multicast ip table displays details of all igmp static multicast groups
- Enabling igmp snooping on the port
- Enabling igmp snooping globally
- Click create
- You can search igmp static multicast entries by using multicast ip vlan id or forward port as the search option
- Configuring report message suppression
- Configuring igmp snooping parameters globally
- Switch config ip igmp snooping report suppression
- Switch config ip igmp snooping
- Switch config if end
- Last query times 2
- Last query interval 1
- Igmp snooping enable
- Global router age time 300
- Global report suppression enable
- Global member age time 260
- Global authentication accounting disable
- Enable vlan
- Enable port
- Unknown multicast pass
- Configuring unknown multicast
- The following example shows how to enable report message suppression
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping
- Last query times 2
- Last query interval 1
- Igmp snooping enable
- Global router age time 200
- Global report suppression disable
- Global member age time 200
- Global authentication accounting disable
- Enable vlan
- Enable port
- Unknown multicast pass
- Configuring router port time and member port time
- The following example shows how to configure the global router port time and member port time as 200 seconds
- Configuring igmp snooping parameters on the port
- Switch configure
- Switch config show ip igmp snooping
- Switch config ip igmp snooping rtime 200
- Switch config ip igmp snooping mtime 200
- Switch config ip igmp snooping
- Switch config ip igmp snooping
- Switch config interface gigabiteternet 1 0 3
- Switch config if show ip igmp snooping interface gigabitethernet 1 0 3 basic config
- Switch config if ip igmp snooping immediate leave
- Switch config if ip igmp snooping
- Switch config if end
- Port igmp snooping fast leave
- Gi1 0 3 enable enable
- Configuring fast leave
- The following example shows how to enable fast leave on port 1 0 3
- Switch copy running config startup config
- Switch configure
- The following example shows how to configure the max group as 500 and the overflow action as drop on port 1 0 3
- Switch configure
- Switch config ip igmp snooping
- Switch config interface gigabiteternet 1 0 3
- Switch config if show ip igmp snooping interface gigabitethernet 1 0 3 max groups
- Switch config if ip igmp snooping max groups action drop
- Switch config if ip igmp snooping max groups 500
- Switch config if ip igmp snooping
- Port max groups overflow action
- Configuring max group and overflow action on the port
- Global member age time 260
- Gi1 0 3 500 drop
- Unknown multicast pass
- Configuring igmp snooping last listener query
- The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping
- Switch config ip igmp snooping last listener query interval 5
- Switch config ip igmp snooping last listener query count 5
- Switch config ip igmp snooping
- Switch config if end
- Last query times 5
- Last query interval 5
- Igmp snooping enable
- Global router age time 300
- Global report suppression disable
- Configuring router port time and member port time
- Vlan id 2
- Configuring igmp snooping parameters in the vlan
- The following example shows how to enable igmp snooping in vlan 2 and vlan 3 configure the router port time as 500 seconds and the member port time as 400 seconds
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping vlan 2
- Switch config ip igmp snooping vlan config 2 3 rtime 500
- Switch config ip igmp snooping vlan config 2 3 mtime 400
- Switch config ip igmp snooping
- Switch config end
- Static router port none
- Router time 500
- Member time 400
- Global authentication accounting disable
- Enable vlan
- Enable port
- Vlan id 2
- Configuring static router port
- The following example shows how to enable igmp snooping in vlan 2 and configure port 1 0 2 as the static router port
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping vlan 3
- Switch config show ip igmp snooping vlan 2
- Switch config ip igmp snooping vlan config 2 rport interface gigabitethernet 1 0 2
- Switch config ip igmp snooping
- Switch config end
- Static router port none
- Static router port gi1 0 2
- Router time 500
- Router time 0
- Member time 400
- Member time 0
- Vlan id 3
- Dynamic router port none
- The following example shows how to configure 226 as the static multicast ip and specify port 1 0 9 10 as the forward ports
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping groups static
- Switch config ip igmp snooping vlan config 2 static 226 interface gigabitethernet 1 0 9 10
- Switch config ip igmp snooping
- Switch config end
- Multicast ip vlan id addr type switch port
- Dynamic router port none
- Configuring static multicast multicast ip and forward port
- 2 2 static gi1 0 9 10
- Member time 400
- Dynamic router port none
- Configuring router port time and member port time
- Configuring igmp snooping parameters in the multicast vlan
- Vlan id 5
- The following example shows how to configure vlan 5 as the multicast vlan set the router port time as 500 seconds and the member port time as 400 seconds
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping multi vlan
- Switch config ip igmp snooping multi vlan config 5 rtime 500
- Switch config ip igmp snooping multi vlan config 5 mtime 400
- Switch config ip igmp snooping
- Switch config end
- Static router port none
- Router time 500
- Multicast vlan enable
- Multicast vlan enable
- Member time 260
- Dynamic router port none
- Configuring static router port
- Vlan id 5
- The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 5 as the static router port
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping multi vlan
- Switch config ip igmp snooping multi vlan config 5 rport interface gigabitethernet 1 0 5
- Switch config ip igmp snooping
- Switch config end
- Static router port gi1 0 5
- Router time 300
- Query interval 60
- Maximum response time 10
- General query source ip 192 68
- Enabling igmp querier
- Configuring the querier
- Configuring query interval max response time and general query source ip
- Vlan 4
- The following example shows how to enable igmp snooping and igmp querier in vlan 4
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping querier
- Switch config ip igmp snooping querier vlan 4
- Switch config ip igmp snooping
- Switch config end
- Switch config ip igmp snooping querier vlan 4 query interval 100
- Switch config ip igmp snooping querier vlan 4 max response time 20
- Switch config ip igmp snooping querier vlan 4 general query source ip 192 68
- Switch config ip igmp snooping
- Switch config end
- Query interval 100
- Maximum response time 20
- General query source ip 192 68
- Vlan 4
- The following example shows how to enable igmp snooping and igmp querier in vlan 4 set the query interval as 100 seconds the max response time as 20 seconds and the general query source ip as 192 68
- Switch copy running config startup config
- Switch configure
- Switch config show ip igmp snooping querier
- The following example shows how to configure profile 1 so that the switch filters multicast data sent to 226 226 0
- Switch configure
- Switch config ip igmp snooping
- Switch config ip igmp profile 1
- Switch config igmp profile show ip igmp profile
- Switch config igmp profile range 226 226 0
- Switch config igmp profile deny
- Igmp profile 1
- Creating profile
- Configuring multicast filtering
- Binding profile to the port
- The following example shows how to bind profile 1 to port 1 0 2 so that port 1 0 2 filters multicast data sent to 226 226 0
- Switch copy running config startup config
- Switch configure
- Switch config ip igmp snooping
- Switch config ip igmp profile 1
- Switch config interface gigabitethernet 1 0 2
- Switch config igmp profile range 226 226 0
- Switch config igmp profile exit
- Switch config igmp profile deny
- Switch config if show ip igmp profile
- Switch config if ip igmp snooping
- Switch config if ip igmp filter 1
- Switch config end
- Range 226 226 0
- Igmp profile 1
- Binding port s
- The following example shows how to enable igmp authentication on port 1 0 2
- Switch copy running config startup config
- Switch configure
- Switch config ip igmp snooping
- Switch config interface gigabitethernet 1 0 2
- Switch config if show ip igmp snooping interface gigabitethernet 1 0 2 authentication
- Switch config if ip igmp snooping authentication
- Switch config if ip igmp snooping
- Switch config end
- Range 226 226 0
- Port igmp authentication
- Gi1 0 2 enable
- Gi1 0 2
- Enabling igmp authentication on the port
- Enabling igmp accounting and authentication
- Enabling igmp accounting globally
- Switch copy running config startup config
- Switch config end
- Using the gui
- Configuring mld snooping globally
- Configuring mld snooping
- Specify the aging time of the member ports
- Snooping config page at the same time
- Optional configuring report message suppression
- Follow these steps to configure unknown multicast
- Follow these steps to configure the aging time of the router ports and the member ports
- Follow these steps to configure report message suppression
- Enabling report message suppression can reduce the number of packets in the network
- Enable or disable report message suppression globally
- Configuring router port time and member port time
- Configure unknown multicast as forward or discard
- Click apply
- Specify the aging time of the router ports
- Verifying mld snooping status
- Specify the number of masqs to be sent
- Specify the interval between masqs
- Mld snooping status table displays vlans and ports with mld snooping enabled
- Follow these steps to configure last listener query interval and last listener query count in the global config section
- Configuring mld snooping last listener query
- Configure the last listener query interval and last listener query count when the switch receives an mld leave message if specified count of multicast address specific queries masqs are sent and no report message is received the switch will delete the multicast address from the multicast forwarding table
- Click apply
- Optional configuring fast leave
- Enabling mld snooping on the port
- Configuring the port s basic mld snooping features
- Enable mld snooping in the designate vlan and configure the aging time of the router ports and the member ports
- Configuring mld snooping in the vlan
- Configuring mld snooping globally in the vlan
- Click apply
- Vlan config to load the following page
- Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan
- In the vlan config section follow these steps to configure relevant parameters for the designate vlan
- Optional configuring the static router ports in the vlan
- Configuring the multicast vlan
- Set up the vlan that the router ports and the member ports are in for details please refer to configuring 802 q vlan
- In the multicast vlan section follow these steps to enable multicast vlan and to finish the basic settings
- Enable multicast vlan configure the specific vlan to be the multicast vlan and configure the router port time and member port time
- Creating multicast vlan and configuring basic settings
- Click apply
- Optional configuring the querier
- Follow these steps to configure the querier
- Follow these steps to configure static router ports in the multicast vlan
- Configuring the querier
- Configure the router ports in the multicast vlan
- Click apply
- Viewing dynamic router ports in the multicast vlan
- This table displays all the dynamic router ports in the multicast vlan
- Specify a vlan and configure the querier on this vlan
- Querier config to load the following page
- Optional configuring the static router ports
- You can edit the settings in the mld snooping querier table
- Viewing settings of mld querier
- The mld snooping querier table displays all the related settings of the mld querier
- Profile config to load the following page
- Follow these steps to create a profile and configure its filtering mode
- Creating profile
- Create a profile and configure its filtering mode
- Configuring mld profile
- Click add
- Editing ip range of the profile
- Binding profile and member ports
- Searching profile
- Select the port to be bound and enter the profile id in the profile id column
- Select a port to configure its max group and overflow action
- Follow these steps to configure the maximum groups a port can join and overflow action
- Follow these steps to bind the profile to the port
- Configuring max groups a port can join
- Click apply
- Binding profile and member ports
- Viewing mld statistics on each port
- Packet statistic to load the following page
- Follow these steps to configure auto refresh
- Configuring auto refresh
- Click apply
- Viewing mld statistics
- Configuring static member port
- Click create
- You can search mld static multicast entries by using multicast ip vlan id or forward port as the search option
- Viewing mld static multicast groups
- Using the cli
- Static multicast ip table displays details of all mld static multicast groups
- Enabling mld snooping on the port
- Enabling mld snooping globally
- Mld snooping enable
- Last query times 2
- Last query interval 1
- Global router age time 300
- Global report suppression disable
- Global member age time 260
- Enable vlan
- Enable port gi1 0 3
- Unknown multicast pass
- Configuring report message suppression
- The following example shows how to enable mld snooping globally and enable mld snooping switch configure
- Configuring mld snooping parameters globally
- Switch copy running config startup config
- Switch config ipv6 mld snooping
- Switch config interface gigabitethernet 1 0 3
- Switch config if show ipv6 mld snooping
- Switch config if ipv6 mld snooping
- Switch config if end
- Last query times 2
- Last query interval 1
- Global router age time 300
- Global report suppression enable
- Global member age time 260
- Enable vlan
- Enable port
- Configuring unknown multicast
- Unknown multicast pass
- The following example shows how to enable report message suppression
- Switch copy running config startup config
- Switch configure
- Switch config show ipv6 mld snooping
- Switch config ipv6 mld snooping report suppression
- Switch config ipv6 mld snooping
- Switch config end
- Mld snooping enable
- Global router age time 200
- Global report suppression disable
- Global member age time 200
- Enable vlan
- Enable port
- Configuring router port time and member port time
- Unknown multicast pass
- The following example shows how to configure the global router port time and member port time as 200 seconds
- Configuring mld snooping parameters on the port
- Switch configure
- Switch config show ipv6 mld snooping
- Switch config ipv6 mld snooping rtime 200
- Switch config ipv6 mld snooping mtime 200
- Switch config ipv6 mld snooping
- Switch config end
- Mld snooping enable
- Last query times 2
- Last query interval 1
- Switch config if ipv6 mld snooping
- Switch config if end
- Port mld snooping fast leave
- Gi1 0 3 enable enable
- Configuring fast leave
- The following example shows how to enable fast leave on port 1 0 3
- Switch copy running config startup config
- Switch configure
- Switch config ipv6 mld snooping
- Switch config interface gigabiteternet 1 0 3
- Switch config if show ipv6 mld snooping interface gigabitethernet 1 0 3 basic config
- Switch config if ipv6 mld snooping immediate leave
- Switch configure
- Switch config ipv6 mld snooping
- Switch config interface gigabiteternet 1 0 3
- Switch config if show ipv6 mld snooping interface gigabitethernet 1 0 3 max groups
- Switch config if ipv6 mld snooping max groups action drop
- Switch config if ipv6 mld snooping max groups 500
- Switch config if ipv6 mld snooping
- Port max groups overflow action
- Configuring max group and overflow action on the port
- The following example shows how to configure the max group as 500 and the overflow action as drop on port 1 0 3
- Switch copy running config startup config
- Switch configure
- Switch config show ipv6 mld snooping
- Switch config ipv6 mld snooping last listener query interval 5
- Switch config ipv6 mld snooping last listener query count 5
- Switch config ipv6 mld snooping
- Switch config if end
- Mld snooping enable
- Last query times 5
- Last query interval 5
- Global router age time 300
- Global report suppression disable
- Global member age time 260
- Gi1 0 3 500 drop
- Unknown multicast pass
- Configuring mld snooping last listener query
- The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds
- Switch configure
- Switch config show ipv6 mld snooping vlan 2
- Switch config ipv6 mld snooping vlan config 2 3 rtime 500
- Switch config ipv6 mld snooping vlan config 2 3 mtime 400
- Switch config ipv6 mld snooping
- Switch config end
- Static router port none
- Router time 500
- Member time 400
- Enable vlan
- Enable port
- Dynamic router port none
- Configuring router port time and member port time
- Vlan id 2
- Configuring mld snooping parameters in the vlan
- The following example shows how to enable mld snooping in vlan 2 and vlan 3 configure the router port time as 500 seconds and the member port time as 400 seconds
- Switch copy running config startup config
- Switch config show ipv6 mld snooping vlan 3
- Switch config show ipv6 mld snooping vlan 2
- Switch config ipv6 mld snooping vlan config 2 rport interface gigabitethernet 1 0 2
- Switch config ipv6 mld snooping
- Switch config end
- Static router port none
- Static router port gi1 0 2
- Router time 500
- Router time 0
- Member time 400
- Member time 0
- Vlan id 3
- Dynamic router port none
- Vlan id 2
- Configuring static router port
- The following example shows how to enable mld snooping in vlan 2 and configure port 1 0 2 as the static router port
- Switch copy running config startup config
- Switch configure
- The following example shows how to configure ff01 1234 02 as the static multicast ip and specify port 1 0 9 10 as the forward ports
- Switch copy running config startup config
- Switch configure
- Switch config show ipv6 mld snooping groups static
- Switch config ipv6 mld snooping vlan config 2 static ff01 1234 02 interface gigabitethernet 1 0 9 10
- Switch config ipv6 mld snooping
- Switch config end
- Multicast ip vlan id addr type switch port
- Ff01 1234 02 2 static gi1 0 9 10
- Configuring static multicast multicast ip and forward port
- Configuring mld snooping parameters in the multicast vlan
- Vlan id 5
- The following example shows how to configure vlan 5 as the multicast vlan set the router port time as 500 seconds and the member port time as 400 seconds
- Switch copy running config startup config
- Switch configure
- Switch config show ipv6 mld snooping multi vlan
- Switch config ipv6 mld snooping multi vlan config 5 rtime 500
- Switch config ipv6 mld snooping multi vlan config 5 mtime 400
- Switch config ipv6 mld snooping
- Switch config end
- Static router port none
- Router time 500
- Multicast vlan enable
- Member time 400
- Dynamic router port none
- Configuring router port time and member port time
- Configuring static router port
- Vlan id 5
- The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 5 as the static router port
- Switch copy running config startup config
- Switch configure
- Switch config show ipv6 mld snooping multi vlan
- Switch config ipv6 mld snooping multi vlan config 5 rport interface gigabitethernet 1 0 5
- Switch config ipv6 mld snooping
- Switch config end
- Static router port gi1 0 5
- Router time 300
- Multicast vlan enable
- Member time 260
- Dynamic router port none
- Enabling mld querier
- Configuring the querier
- Configuring query interval max response time and general query source ip
- Vlan 4
- The following example shows how to enable mld snooping and mld querier in vlan 4
- Switch copy running config startup config
- Switch configure
- Switch config show ipv6 mld snooping querier
- Switch config ipv6 mld snooping querier vlan 4
- Switch config ipv6 mld snooping
- Switch config end
- Query interval 60
- Maximum response time 10
- General query source ip fe80 2ff ffff fe00 1
- Switch config ipv6 mld snooping
- Switch config end
- Query interval 100
- Maximum response time 20
- General query source ip fe80 2ff ffff fe00 1
- Vlan 4
- The following example shows how to enable mld snooping and mld querier in vlan 4 set the query interval as 100 seconds the max response time as 20 seconds and the general query source ip as fe80 2ff ffff fe00 1
- Switch copy running config startup config
- Switch configure
- Switch config show ipv6 mld snooping querier
- Switch config ipv6 mld snooping querier vlan 4 query interval 100
- Switch config ipv6 mld snooping querier vlan 4 max response time 20
- Switch config ipv6 mld snooping querier vlan 4 general query source ip fe80 2ff ffff fe00 1
- Switch config mld profile show ipv6 mld profile
- Switch config mld profile range ff01 1234 5 ff01 1234 8
- Switch config mld profile deny
- Switch config ipv6 mld snooping
- Switch config ipv6 mld profile 1
- Mld profile 1
- Creating profile
- Configuring multicast filtering
- The following example shows how to configure profile 1 so that the switch filters multicast data sent to ff01 1234 5 ff01 1234 8
- Switch configure
- Switch configure
- Switch config mld profile range ff01 1234 5 ff01 1234 8
- Switch config mld profile exit
- Switch config mld profile deny
- Switch config ipv6 mld snooping
- Switch config ipv6 mld profile 1
- Switch config interface gigabitethernet 1 0 2
- Switch config if show ipv6 mld profile
- Switch config if ipv6 mld snooping
- Switch config if ipv6 mld filter 1
- Switch config end
- Range ff01 1234 5 ff01 1234 8
- Mld profile 1
- Binding profile to the port
- The following example shows how to bind profile 1 to port 1 0 2 so that port 1 0 2 filters multicast data sent to ff01 1234 5 ff01 1234 8
- Switch copy running config startup config
- Viewing multicast snooping configurations
- Viewing ipv6 multicast snooping configurations
- Viewing ipv4 multicast snooping configurations
- Using the gui
- Viewing ipv4 multicast snooping configurations
- Using the cli
- Viewing ipv6 multicast snooping configurations
- Network requirements
- Example for configuring basic igmp snooping
- Configuration scheme
- Configuration examples
- Using the gui
- Vlan config to load the following page create vlan 10 and add untagged port 1 0 1 3 and tagged port 1 0 4 to vlan 10
- Using the cli
- Verify the configurations
- Network topology
- Network requirements
- Example for configuring multicast vlan
- Configuration scheme
- Using the gui
- Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields
- Internet
- Demonstrated with t1700g 28tq this section provides configuration procedures in two ways using the gui and using the cli
- Snooping config to load the following page enable igmp snooping on port 1 0 1 4
- Using the cli
- Verify the configurations
- Network requirement
- Example for configuring unknown multicast and fast leave
- Using the gui
- Configuration scheme
- Port config to load the following page enable igmp snooping on port 1 0 2 and port 1 0 4 and enable fast leave on port 1 0 2
- Verify the configurations
- Using the cli
- Network topology
- Network requirements
- Example for configuring multicast filtering
- Configuration scheme
- Using the gui
- Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields
- Internet
- Demonstrated with t1700g 28tq this section provides configuration procedures in two ways using the gui and using the cli
- Snooping config to load the following page
- Vlan config to load the following page enable igmp snooping in vlan 10 keep 0 as the router port time and member port time which means the global settings will be used
- Using the cli
- Verify the configurations
- Appendix default parameters
- Default parameters for igmp snooping
- Default parameters for mld snooping
- Part 14
- Configuring logical interfaces
- Chapters
- This chapter introduces the configurations for logical interfaces the supported types of logical interfaces are shown as below
- Physical interfaces are the ports on the front panel or rear panel of the switch
- Overview
- Logical interfaces are manually configured and do not physically exist such as loopback interfaces and routing interfaces
- Interfaces of a device are used to exchange data and interact with interfaces of other network devices interfaces are classified into physical interfaces and logical interfaces
- Using the gui
- Logical interfaces configurations
- Creating a layer 3 interface
- In the interface list section you can view the corresponding interface entry you create
- Figure 2
- Configuring ipv4 parameters of the interface
- You can view the corresponding interface entry you create in the interface
- List section on the corresponding interface entry click edit to load the following page and configure the ipv4 parameters of the interface
- In the modify interface section specify an interface id and configure relevant parameters for the interface according to your actual needs then click apply
- You can view the corresponding interface entry you create in the interface
- List section on the corresponding interface entry click edit ipv6 to load the following page and configure the ipv6 parameters of the interface
- In the secondary ip list section you can view the corresponding secondary ip entry you create
- In the secondary ip create section configure the secondary ip for the specified interface which allows you to have two logical subnets using one physical subnet then click create
- Figure 2
- Configuring ipv6 parameters of the interface
- Enable ipv6 function on the interface of switch in the general config section then click apply
- Configure the ipv6 link local address of the interface manually or automatically in the link local address config section then click apply
- View the global address entry in the global address table
- Via ra message
- Via dhcpv6 server
- Manually
- Configure one or more ipv6 global addresses of the interface via following three ways
- You can view the corresponding interface entry you create in the interface
- Viewing detail information of the interface
- Using the cli
- List section on the corresponding interface entry click detail to load the following page and view the detail information of the interface
- Follow these steps to create a layer 3 interface you can create a vlan interface a loopback interface a routed port or a port channel interface according to your needs
- Figure 2
- Creating a layer 3 interface
- The following example shows how to create a vlan interface with a description of vlan 2
- Switch copy running config startup config
- Switch configure
- Switch config interface vlan 2
- Switch config if end
- Switch config if description vlan 2
- Switch config if ip address 192 68 00 255 55 55
- Follow these steps to configure the ipv4 parameters of the interface
- Configuring ipv4 parameters of the interface
- The following example shows how to configure the ipv4 parameters of a routed port including setting a static ip address for the port and enabling the layer 3 capabilities
- Switch configure
- Switch config interface gigabitethernet 1 0 1
- Switch config if show ip interface brief
- Switch config if no switchport
- Switch copy running config startup config
- Switch config if end
- Interface ip address method status protocol shutdown gi1 0 1 192 68 00 24 static up up no
- Follow these steps to configure the ipv6 parameters of the interface
- Configuring ipv6 parameters of the interface
- Switch config if ipv6 address autoconfig
- Joined group address es ff02 1
- Ipv6 is enable link local address fe80 20a ebff fe13 237bnor
- Global unicast address es ff02 1 ff13 237b
- Global address ra disable
- Global address dhcpv6 enable
- Vlan2 is up line protocol is up
- The following example shows how to enable the ipv6 function and configure the ipv6 parameters of a vlan interface
- Switch configure
- Switch config interface vlan 2
- Switch config if show ipv6 interface
- Switch config if ipv6 enable
- Switch config if ipv6 address dhcp
- Default settings of interface are listed in the following tables
- Appendix default parameters
- Part 15
- Configuring static routing
- Chapters
- Overview
- Ipv4 static routing config to load the following page
- In the ipv4 static routing config section configure the corresponding parameters to add an ipv4 static route then click create
- In the ipv4 static route table section you can view and modify the ipv4 static routing entries
- Using the gui
- Ipv4 static routing configuration
- Using the cli
- The following example shows how to create an ipv4 static route with the destination ip address as 192 68 the subnet mask as 255 55 55 and the next hop address as 192 68
- Switch copy running config startup config
- Switch configure
- Switch config show ip route
- Switch config ip route 192 68 255 55 55 192 68
- Switch config end
- S 192 68 24 1 0 via 192 68 vlan1
- Follow these steps to create an ipv4 static route
- Codes c connected s static
- Candidate default
- C 192 68 24 is directly connected vlan1
- Using the gui
- Ipv6 static routing configuration
- Using the cli
- The following example shows how to create an ipv6 static route with the destination ip address as 3200 64 and the next hop address as 3100 1234
- Switch configure
- Switch config show ipv6 route static
- Switch config ipv6 route 3200 64 3100 1234
- Follow these steps to enable ipv6 routing function and create an ipv6 static route
- Codes c connected s static
- Candidate default
- Viewing routing table
- Viewing ipv6 routing table
- Viewing ipv4 routing table
- Using the gui
- Viewing ipv4 routing table
- View the ipv6 routes in the ipv6 routing information summary section
- Using the cli
- On privileged exec mode or any other configuration mode you can use the following command to view ipv4 routing table
- Viewing ipv6 routing table
- On privileged exec mode or any other configuration mode you can use the following command to view ipv6 routing table
- Using the gui
- Network requirements
- Example for static routing
- Configuration scheme
- Using the cli
- Verify the configurations
- Default setting of static routing is listed in the following table
- Appendix default parameter
- Part 16
- Configuring dhcp relay
- Chapters
- Overview
- Dhcp relay solves this problem as the following figure shows the dhcp relay device acts as a relay agent and forwards dhcp packets between dhcp clients and dhcp servers on different subnets so that dhcp clients on different subnets can share one dhcp server
- Dhcp relay is used to process and forward dhcp packets between different subnets
- Since the client requests a dynamic ip address via broadcast the basic network model of dhcp requires that the client and the server should be on the same lan therefore each lan should be equipped with a dhcp server thus increasing the costs of network construction
- Using the gui
- Enabling dhcp relay and configuring option 82
- Dhcp relay configuration
- Specifying dhcp server for the interface
- In the add dhcp server address section select the interface type and enter the interface id and then enter the server address of the interface
- Follow these steps to specify dhcp server for the interface
- Dhcp server to load the following page
- Click create to specify the dhcp server for the interface
- Click apply
- Switch config end
- Follow these steps to enable dhcp relay
- Follow these steps to configure option 82
- Enabling dhcp relay
- Dhcp relay is enabled
- Configuring option 82
- Using the cli
- The following example shows how to enable dhcp relay
- Switch copy running config startup config
- Switch configure
- Switch config show ip dhcp relay
- Switch config service dhcp relay
- The following example shows how to enable option 82 and configure the process of option 82 information as keep
- Switch configure
- Switch config show ip dhcp relay
- Switch config ip dhcp relay information policy keep
- Switch config ip dhcp relay information
- Switch config end
- Existed option 82 field operation keep
- Dhcp relay option 82 is enabled
- Specifying dhcp server for the interface
- Follow these steps to specify dhcp server for the interface
- The following example shows how to configure the dhcp server address as 192 68 on vlan 66
- Switch copy running config startup config
- Switch configure
- Switch config interface vlan 66
- Switch config if ip helper address 192 68
- Network requirements
- Configuration scheme
- Configuration example
- Using the gui
- Verify the configurations
- Using the cli
- Default settings of dhcp relay are listed in the following table
- Appendix default parameters
- Overview
- Arp address resolution protocol is used to map ip addresses to mac addresses taking an ip address as input arp learns the associated mac address and stores the ip mac address association in an arp entry for rapid retrieval
- Arp configurations
- Viewing the arp entries
- Using the gui
- You can add desired static arp entries by mannually specifying the ip addresses and mac addresses
- Using the cli
- Static arp to load the following page
- In the arp config section enter the ip address and mac address and click create
- Follow these steps to add static arp entries
- Follow these steps to add arp entries
- Configuring arp function
- Adding static arp entries manually
- Adding static arp entries
- Switch config end
- Switch config arp 192 68 00 11 22 33 44 55 arpa
- Interface address hardware addr type
- Follow these steps to configure the aging time of dynamic arp entries
- Configuring the aging time of dynamic arp entries
- Vlan1 192 68 00 11 22 33 44 55 static
- This example shows how to create a static arp entry with the ip as 192 68 and the mac as 00 11 22 33 44 55
- Switch copy running config startup config
- Switch configure
- Switch config show arp 192 68
- Viewing arp entries
- This example shows how to configure the aging time of dynamic arp entries as 1000 seconds for vlan interface 2
- Switch copy running config startup config
- Switch configure
- Switch config interface vlan 2
- Switch config if end
- Switch config if arp timeout 1000
- On privileged exec mode or any other configuration mode you can use the following command to view arp entries
- Clearing dynamic entries
- Configuring qos
- Chapters
- Part 18
- Supported features
- Overview
- Diffserv
- Bandwidth control
- Port priority
- Dscp priority
- Diffserv configuration
- Configuration guidelines
- 802 p priority
- P priority to load the following page
- Follow these steps to configure the 802 p priority
- Configuring priority mode
- Configuring 802 p priority
- Configure the tag id cos id tc mapping relations
- Click apply
- Using the gui
- The instructions of the three priority modes are described respectively in this section
- Follow these steps to configure the dscp priority
- Enable dscp priority and click apply dscp priority is disabled by default
- Dscp priority to load the following page
- Configuring dscp priority
- Configure the dscp tc mapping relations
- Click apply
- 2p priorit
- Select the desired port or lag to set its priority
- Port priority to load the following page
- Follow these steps to configure the port priority
- Configuring port priority
- Click apply
- 2p priority
- Configure the schedule mode to control the forwarding sequence of different tc queues when congestion occurs
- Select a schedule mode
- Schedule mode to load the following page
- Optional configure the weight value of the each tc queue if the schedule mode is wrr of sp wrr
- Follow these steps to configure the schedule mode
- Configuring schedule mode
- Using cli
- The instructions of the three priority modes are described respectively in this section
- Configuring priority mode
- Configuring 802 priority
- Click apply
- Switch config show qos cos map
- Switch config qos queue cos map 2 0
- Switch config end
- P priority is enabled
- Dscp priority is disabled
- Configuring dscp priority
- The following example shows how to map cos2 to tc0 and keep other cos id tc as default
- Tc tc1 tc0 tc0 tc3 tc4 tc5 tc6 tc7
- Tag 0 1 2 3 4 5 6 7
- Switch copy running config startup config
- Switch configure
- Switch config show qos status
- The following example shows how to map port 1 3 to tc1 and keep other mapping relations as default
- Switch configure
- Select the desired port to set the priority packets from this ingress port are mapped to the tc queue based on port priority
- Configuring port priority
- Configuring schedule mode
- Using the gui
- Configuring rate limit
- Bandwidth control configuration
- Configuring storm control
- Click apply
- Storm control to load the following page
- Select the port s and configure the upper rate limit for forwarding broadcast packets multicast packets and ul frames
- Follow these steps to configure the storm control function
- Using the cli
- Configuring rate limit on port
- Configure the upper rate limit for the port to receive and send packets
- Click apply
- Switch configure
- Switch config interface gigabitethernet 1 0 5
- Switch config if show bandwidth interface gigabitethernet 1 0 5
- Switch config if end
- Switch config if bandwidth ingress 5120 egress 1024
- Port ingressrate kbps egressrate kbps lag
- Gi1 0 5 5120 1024 n a
- Configuring storm control
- Configure the upper rate limit on the port for forwarding broadcast packets multicast packets and unknown unicast frames
- The following example shows how to configure the ingress rate as 5120 kbps and egress rate as 1024 kbps for port 1 0 5
- Switch copy running config startup config
- Network requirements
- Example for configuring sp mode
- Configuration scheme
- Configuration examples
- Using the gui
- Using the cli
- Verify the configuration
- Network requirements
- Example for configuring wrr mode
- This chapter provides configuration procedures in two ways using the gui and using the cli
- Configure switch b to classify the incoming packets from the two departments according to the vlan tags and to map them into different tc queues configure the schedule mode as wrr mode to implement the qos feature
- Configure switch a to add different vlan tags to the packets from the two departments respectively
- Configurations for switch a demonstrated with t1700g 28tq
- Configuration scheme
- Vlan config and click create to load the following page create vlan 10 with the description of rd add port 1 0 1 as an untagged port and port 1 0 3 as a tagged port to vlan 10 then click apply
- Using the gui
- Using the cli
- Verify the configuration
- Enabled see table 5 3 for tag id cos id tc mapping relations
- Disabled see table 5 4 for dscp cos id mapping relations
- Diffserv
- Appendix default parameters
- Bandwidth control
- Part 19
- Configuring voice vlan
- Chapters
- Overview
- Configuration guidelines
- Before configuring voice vlan you need to create a vlan for voice traffic for details about vlan configuration please refer to configuring 802 q vlan
- Because the voice vlan in automatic mode supports only tagged voice traffic you need to make sure traffic from the voice device is tagged to do so there are mainly two ways
- You can configure the voice device to forward traffic with a voice vlan tag
- Voice vlan configuration
- Vlan 1 is a default vlan and cannot be configured as the voice vlan
- To complete the voice vlan configuration follow these steps
- To apply the voice vlan configuration you may need to further configure pvid port vlan id and the link type of the port which is connected to voice devices we recommend that you choose the mode according to your needs and configure the port as the following table shows
- Optional configure oui addresses
- Only one vlan can be set as the voice vlan on the switch
- If your switch provides the lldp med feature you can also configure it to instruct the voice device to send tagged voice traffic for details about lldp med please refer to
- Create a vlan
- Configuring lld
- Configure voice vlan mode on ports
- Configure voice vlan globally
- If the oui address of your voice device is not in the oui table you need to add the oui address to the table
- Follow these steps to add oui addresses
- Enter an oui address and the corresponding mask and give a description about the oui address
- Click create to add an oui address to the table
- Using the gui
- Oui config to load the following page
- Optional configuring oui addresses
- Specify a priority for the voice vlan
- Set the aging time for the voice vlan
- Global config to load the following page
- Follow these steps to configure the voice vlan globally
- Enable the voice vlan feature and enter a vlan id
- Configuring voice vlan globally
- Click apply
- Set the security mode for selected ports
- Select your desired ports and choose the port mode
- Port config to load the following page
- Follow these steps to configure voice vlan mode on ports
- Configuring voice vlan mode on ports
- Click apply
- Using the cli
- Follow these steps to configure the voice vlan
- Transmit voice traffic in an exclusive path with high quality
- Network topology
- Network requirements
- Ip phones share switch ports used by computers because no more ports are available for ip phones
- Configuration scheme
- Configuration example
- Avoid attacks from malicious data flows
- Voice traffics from switch a and switch b are forwarded to voice gateway and internet through switch c
- Vlan config and click create to load the following page create vlan 10
- Using the gui
- Internet
- In the meeting room computers and ip phones are connected to different ports of switch b ports connected to ip phones use the voice vlan for voice traffic and ports connected to computers use the default vlan for data traffic
- Demonstrated with t1700g 28tq this chapter provides configuration procedures in two ways using the gui and using the cli
- Configurations for switch a
- Using the cli
- Verify the configurations
- Voicevlan active gi1 0 1 gi1 0 2 gi1 0 3
- Vlan name status ports
- Default settings of voice vlan are listed in the following tables
- Appendix default parameters
- Part 20
- Configuring acl
- Chapters
- Supported features
- Overview
- Introduction
- Using the gui
- Configuring time range
- Acl configuration
- Click apply to make the settings effective
- Section configure the start and end time then click create
- Section assign a name to the time range and then select a mode
- Optional configuring holiday
- In the
- In holiday mode you need to configure specific dates for the holidays
- Holiday create to load the following page
- Follow these steps to create the time range
- Create time slic
- Create time rang
- Creating an acl
- Configuring the mac acl rule
- Configuring acl rules
- Follow these steps to create the mac acl
- Define the rule s packet matching criteria
- Configuring the standard ip acl rule
- Click apply to make the settings effective
- Standard ip acl to load the following page
- Select an mac acl id from the drop down list enter a rule id then specify the operation for the matched packets
- Optional select a time range from the drop down list
- Follow these steps to create the standard ip acl
- Standard i
- Select a standard ip acl id from the drop down list enter a rule id then specify the operation for the matched packets
- Optional select a time range from the drop down list
- Follow these steps to create the extend ip acl
- Extend ip acl to load the following page
- Define the rule s packet matching criteria
- Configuring the extend ip acl rule
- Select an extend ip acl id from the drop down list enter a rule id then specify the operation for the matched packets
- Optional select a time range from the drop down list
- Extend ip ac
- Define the rule s packet matching criteria
- Configuring the ipv6 acl rule
- Select an ipv6 acl id from the drop down list enter a rule id then specify the operation for the rule
- Ipv6 acl to load the following page
- Follow these steps to create the ipv6 acl
- Define the rule s packet matching criteria
- You can also delete an acl or an acl rule or change the matching order if needed
- View the rule table
- The switch matches a received packet with the rules in order when a packet matches a rule the device stops the match process and performs the action defined in the rule
- The rules in an acl are listed in ascending order of configuration time regardless of their rule ids
- Optional select a time range from the drop down list
- In the acl rule table you can view all the acls and their rules
- By default a rule configured earlier is listed before a rule configured later
- Acl summary to load the following page
- Creating a policy
- Configuring the action of the policy
- Configuring policy
- Configure the actions to be taken for the matched packets
- Select your preferred policy and acl
- Follow these steps to configure the action of the policy
- You can select acl binding or policy binding according to your needs
- You can bind the acl to a port or a vlan the received packets will then be matched and processed according to the acl rules
- Select the acl and the port and click apply
- Port binding to load the following page
- Follow these steps to bind the acl to a port
- Configuring the acl binding and policy binding
- Configuring the acl binding
- Click apply to make the settings effective
- Binding the acl to a port
- An acl or policy takes effect only after it is bound to a port or vlan
- Follow these steps to bind the acl to a vlan
- Configuring the policy binding
- Binding the policy to a port
- Binding the acl to a vlan
- You can bind the policy to a port or a vlan the received packets will then be matched and processed according to this policy
- Vlan binding to load the following page
- Select the acl and enter the vlan id and click apply
- You can view both port binding and vlan binding entries in the table you can also delete existing entries if needed
- Vlan binding to load the following page
- Verifying the binding configuration
- Verifying the acl binding
- Select the policy and the port to be bound and click apply
- Select the acl and enter the vlan id and click apply
- Follow these steps to bind the policy to a vlan
- Follow these steps to bind the policy to a port
- Binding the policy to a vlan
- Binding table to load the following page
- You can view both port binding and vlan binding entries in the table you can also delete existing entries if needed
- Verifying the policy binding
- Binding table to load the following page
- Using the cli
- Some services or features that use acl need to be limited to a specified time period in this case you can configure time range for the acl
- Configuring time range
- The following example shows how to configure time range
- Switch copy running config startup config
- Switch config time range work_time
- Switch config time range periodic week date 1 5 time slice1 08 30 18 00
- Switch config time range exit
- Switch config show time range
- Switch config end
- Switch config
- Periodic week day 1 2 3 4 5
- Periodic time slice 08 30 18 00
- Mac acl
- Follow the steps to create different types of acl and configure the acl rules
- Configuring acl
- You can define the rules based on source or destination ip address source or destination mac address protocol type port number and others
- Time range entry work_time inactive
- The following example shows how to create mac acl 50 and configure rule 1 to permit packets with source mac address 00 34 a2 d4 34 b5
- Switch configure
- Switch config mac access list 50
- Switch copy running config startup config
- Switch config show access list 50
- Switch config mac acl rule 5 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff
- Switch config mac acl exit
- Switch config end
- Standard ip acl
- Rule 5 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff
- Mac access list 50
- Switch config access list extended 1700 rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23
- Switch config access list create 1700
- Switch config
- The following example shows how to create extend ip acl 1700 and configure rule7 to deny telnet packets with source ip192 68 00
- Switch config show access list 1700
- Switch copy running config startup config
- Switch config end
- Rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23
- Ipv6 acl
- Extended ip access list 1700
- Switch config end
- Switch config access list ipv6 3600 rule 1 deny s ip cdcd 910a 2222 5498 8475 1111 3900 2020 sip mask ffff ffff ffff ffff
- Switch config access list create 3600
- Rule 1 deny sip cdcd 910a 2222 5498 8475 1111 3900 2020 sip mask ffff ff
- Policy allows you to further process the matched packets through operations such as mirroring rate limiting redirecting or changing priority
- Ipv6 access list 3600
- Follow the steps below to create a policy and configure the policy actions
- Ff ffff ffff
- Configuring policy
- The following example shows how to create ipv6 acl 3600 and configure rule 1 to deny packets with source ipv6 address cdcd 910a 2222 5498 8475 1111 3900 2020
- Switch copy running config startup config
- Switch configure
- Switch config show access list 3600
- Switch config show access list
- Switch configure
- Switch config show access list policy rd
- Switch config action redirect interface gigabitethernet 1 0 4
- Switch config action exit
- Switch config access list policy name rd
- Switch config access list policy action rd 600
- Create policy rd apply acl 600 to policy rd and redirect the matched packets to port 4
- Policy name rd
- Policy binding
- Acl binding and policy binding
- Access list 600 redirect port gi1 0 4
- You can select acl binding or policy binding according to your needs an acl rule and policy takes effect only after they are bound to a port or vlan
- You can bind the policy to a port or a vlan then the received packets will be matched and operated based on the policy
- The following example shows how to bind policy 1 to port 2 and policy 2 to vlan 2
- Switch copy running config startup config
- Switch config interface gigabitethernet 1 0 2
- Switch config if access list bind rd
- Switch config end
- Switch config
- The marketing department can only visit http and https websites on the internet
- The marketing department can only access internal server group from intranet
- Network topology
- Network requirements
- Configuration scheme
- Configuration example for acl
- As is shown below computers in the marketing department are connected to the switch via port 1 0 1 and the internal server group is connected to the switch via port 1 0 2
- A company s internal server group can provide different types of services it is required that
- To meet the requirements above you can set up packet filtering by creating an extend ip acl and configuring rules for it
- Using the gui
- Extend acl to load the the following page configure rule 2 and rule 3 to permit packets with source ip 10 0 0 and destination port tcp 80 http service port and udp 443 https service port
- Policy create to load the following page configure rule 4 and rule 5 to permit packets with source ip 10 0 0 and with destination port tcp 53 or udp 53 dns service port
- Policy createto load the the following page then create policy market
- Policy create to load the following page configure rule 6 to deny packets with source ip 10 0 0
- Port binding to load the the following page bind policy market to port 1 0 1 to make it take effect
- Action create to load the the following page then apply acl 1600 to policy market
- Using the cli
- Verify the configurations
- For standard ip acl
- For mac acl
- For ipv6 acl
- For extend ip acl
- Appendix default parameters
- Chapters
- Part 21
- Configuring network security
- Supported features
- Overview
- Network security
- Ip mac binding
- Dhcp snooping
- Arp inspection
- Dos defend
- Using the gui
- Ip mac binding configurations
- Binding entries manually
- Select protect type for the entry
- Click bind
- Binding entries dynamically
- Arp scanning
- With arp scanning the switch sends the arp request packets of the specified ip field to the hosts upon receiving the arp reply packet the switch can get the ip address mac address vlan id and the connected port number of the host you can bind these entries conveniently
- The binding entries can be dynamically learned from arp scanning and dhcp snooping
- Select the port that is connected to this host
- In the scanning result section select one or more entries and configure the relevant parameters then click apply
- In the scanning option section specify an ip address range and a vlan id then click scan to scan the entries in the specified ip address range and vlan
- Follow these steps to configure ip mac binding via arp scanning
- Arp scanning to load the following page
- With the binding table you can view and search the specified binding entries
- With dhcp snooping enabled the switch can monitor the ip address obtaining process of the host and record the ip address mac address vlan id and the connected port number of the host
- Viewing the binding entries
- In the search section specify the search criteria to search your desired entries
- For instructions on how to configure dhcp snooping refer to dhcp snooping configurations
- Dhcp snooping
- Binding table to load the following page
- Binding entries via arp scanning is not supported by the cli binding entries via dhcp snooping is introduced in dhcp snooping configurations the following sections introduce how to bind entries manually and view the binding entries
- Binding entries manually
- You can manually bind the ip address mac address vlan id and the port number together on the condition that you have got the related information of the hosts
- Using the cli
- In the binding table section you can view the searched entries additionally you can configure the host name and protect type for one or more entries and click apply
- Follow these steps to manually bind entries
- U no host ip addr mac addr vid port acl col
- The following example shows how to bind an entry with the hostname host1 ip address 192 68 5 mac address aa bb cc dd ee ff vlan id 10 port number 1 0 5 and enable this entry for the arp detection feature
- Switch copy running config startup config
- Switch configure
- Switch config show ip source binding
- Switch config ip source binding host1 192 68 5 aa bb cc dd ee ff vlan 10 interface gigabitethernet 1 0 5 arp detection
- Switch config end
- Host1 192 68 5 aa bb cc dd ee ff 10 gi1 0 5 arp d
- Viewing binding entries
- On privileged exec mode or any other configuration mode you can use the following command to view binding entries
- Enabling dhcp snooping on vlan
- Dhcp snooping configuration
- Using the gui
- Select one or more ports and configure the parameters
- Port config to load the following page
- Follow these steps to configure dhcp snooping on the specified port
- Configuring dhcp snooping on ports
- Click apply
- Select one or more ports and configure the parameters
- Optional configuring option 82
- Option 82 records the location of the dhcp client the switch can add option 82 to the dhcp request packet and then transmit the packet to the dhcp server administrators can check the location of the dhcp client via option 82 the dhcp server supporting option 82 can also set the distribution policy of ip addresses and other parameters providing a more flexible address distribution way
- Option 82 config to load the following page
- Follow these steps to configure option 82
- Click apply
- Using the cli
- Globally configuring dhcp snooping
- Follow these steps to globally configure dhcp snooping
- Click apply
- Vlan id 5
- The following example shows how to enable dhcp snooping globally and on vlan 5
- Switch copy running config startup config
- Switch configure
- Switch config show ip dhcp snooping
- Switch config ip dhcp snooping vlan 5
- Switch config ip dhcp snooping
- Switch config if end
- Global status enable
- Follow these steps to configure dhcp snooping on the specified ports
- Configuring dhcp snooping on ports
- Switch config if ip dhcp snooping limit rate 10
- Switch config if ip dhcp snooping decline rate 20
- Switch config if end
- Interface trusted mac verify limit rate dec rate lag
- Gi1 0 1 enable enable 10 20 n a
- The following example shows how to configure port 1 0 1 as a trusted port enable the mac verify feature and set the limit rate as 10 pps and decline rate as 20 pps on this port
- Switch copy running config startup config
- Switch configure
- Switch config interface gigabitethernet 1 0 1
- Switch config if show ip dhcp snooping interface gigabitethernet 1 0 1
- Switch config if ip dhcp snooping trust
- Switch config if ip dhcp snooping mac verify
- Optional configuring option 82
- Option 82 records the location of the dhcp client the switch can add the option 82 to the dhcp request packet and then transmit the packet to the dhcp server administrators can check the location of the dhcp client via option 82 the dhcp server supporting option 82 can also set the distribution policy of ip addresses and other parameters providing more flexible address distribution way
- Follow these steps to configure option 82
- Using the gui
- Configuring arp detection
- Arp inspection configurations
- Configuring arp defend
- Click apply
- Arp defend to load the following page
- With arp defend enabled the switch can terminate receiving the arp packets for 300 seconds when the transmission speed of the legal arp packet on the port exceeds the defined value so as to avoid arp attack flood
- Select one or more ports and configure the parameters
- Follow these steps to configure arp defend
- Viewing arp statistics
- Using the cli
- The following example shows how to globally enable arp detection and configure port 1 0 1 as a trusted port
- The arp detection feature allows the switch to detect the arp packets basing on the binding entries in the ip mac binding table and filter the illegal arp packets before arp detection configuration complete ip mac binding configuration for details refer to ip mac binding configurations
- Switch configure
- Switch config ip arp inspection
- Follow these steps to configure arp detection
- Configuring arp detection
- Gi1 0 2 no
- Gi1 0 1 yes
- Follow these steps to configure arp defend
- Configuring arp defend
- Arp detection global status enabled
- With arp defend enabled the switch can terminate receiving the arp packets for 300 seconds when the transmission speed of the legal arp packet on the port exceeds the defined value so as to avoid arp attack flood
- Switch copy running config startup config
- Switch config interface gigabitethernet 1 0 1
- Switch config if show ip arp inspection
- Switch config if ip arp inspection trust
- Switch config if end
- Port trusted
- Viewing arp statistics
- Switch copy running config startup config
- On privileged exec mode or any other configuration mode you can use the following command to view arp statistics
- Using the gui
- In the defend table section select one or more defend types according to your needs the following table introduces each type of dos attack
- In the configure section enable dos protection
- Follow these steps to configure dos defend
- Dos defend to load the following page
- Dos defend configuration
- Using the cli
- Follow these steps to configure dos defend
- Click apply
- The following example shows how to enable the dos defend type named land
- Switch configure
- X configuration
- Using the gui
- Configuring the radius server
- You can configure the radius servers for authentication and accounting if multiple radius servers are available you are suggested to add them to different server groups respectively for authentication and accounting
- In the server config section configure the parameters of radius server
- Follow these steps to create a protocol template
- Configuring the radius server group
- Click apply
- Global config to load the following page
- Follow these steps to configure 802 x global parameters
- Configuring 802 x globally
- In the global config section enable 802 x globally and click apply
- In the authentication config section enable quiet configure the quiet timer and click apply
- Port config to load the following page
- Configuring 802 x on ports
- Configure 802 x authentication on the desired port and click apply
- Using the cli
- Follow these steps to configure radius
- Configuring the radius server
- The following example shows how to enable aaa add a radius server to the server group named radius1 and apply this server group to the 802 x authentication the ip address of the radius server is 192 68 00 the shared key is 123456 the authentication port is 1812 the accounting port is 1813
- Configuring 802 x globally
- Handshake state enabled
- Guest vlan state disable
- Guest vlan id n a
- Follow these steps to configure the port
- X state enabled
- Configuring 802 x on ports
- X accounting state disable
- Authentication method pap
- The following example shows how to enable 802 x authentication configure pap as the authentication method and keep other parameters as default
- Switch copy running config startup config
- Switch configure
- Switch config show dot1x global
- Switch config end
- Switch config dot1x system auth control
- Switch config dot1x auth method pap
- Supplicant timeout 3 sec
- Quiet period timer 10 sec
- Quiet period state disable
- Max retry times for radius packet 3
- Switch config if dot1x port method port based
- Switch config if dot1x port control auto
- Switch config if dot1x
- The following example shows how to enable 802 x authentication on port 1 0 2 configure the control type as port based and configure the control mode as auto
- Switch configure
- Switch config interface gigabitethernet 1 0 2
- Configuration guidelines
- Aaa configuration
- Using the gui
- Globally enabling aaa
- Adding servers
- Tacacs conifg to load the following page
- In the server config section configure the following parameters
- Follow these steps to add a tacacs server
- Click add to add the radius server on the switch
- Adding tacacs server
- Configuring server groups
- Configuring the method list
- Click add to add the new method
- In the add method list section configure the parameters for the method to be added
- In the aaa application list section select an access application and configure the login list and enable list
- Global config to load the following page
- Follow these steps to configure the aaa application list
- Configuring the aaa application list
- Click apply
- Configuring login account and enable password
- Switch config show aaa global
- Switch config end
- Switch config aaa enable
- Globally enabling aaa
- Follow these steps to globally enable aaa
- Follow these steps to add radius server on the switch
- Adding servers
- Adding radius server
- Aaa global status enable
- You can add one or more radius tacacs servers on the switch for authentication if multiple servers are added the server with the highest priority authenticates the users trying to access the switch and the others act as backup servers in case the first one breaks down
- Using the cli
- The following example shows how to globally enable aaa
- Switch copy running config startup config
- Switch configure
- The following example shows how to add a radius server on the switch set the ip address of the server as 192 68 0 the authentication port as 1812 the shared key as 123456 the timeout as 8 seconds and the retransmit number as 3
- Switch configure
- Switch config show radius server
- Switch config radius server host 192 68 0 auth port 1812 timeout 8 retransmit 3 key 123456
- Switch config end
- Server ip auth port acct port timeout retransmit shared key
- 68 0 1812 1813 8 3 123456
- Server ip port timeout shared key
- Follow these steps to add tacacs server on the switch
- Adding tacacs server
- 68 0 49 8 123456
- The following example shows how to add a tacacs server on the switch set the ip address of the server as 192 68 0 the authentication port as 49 the shared key as 123456 and the timeout as 8 seconds
- Switch copy running config startup config
- Switch configure
- Switch config tacacs server host 192 68 0 auth port 49 timeout 8 key 123456
- Switch config show tacacs server
- Switch config end
- The two default server groups cannot be deleted or edited follow these steps to add a server group
- The switch has two built in server groups one for radius and the other for tacacs the servers running the same protocol are automatically added to the default server group you can add new server groups as needed
- The following example shows how to create a radius server group named radius1 and add the existing two radius servers whose ip address is 192 68 0 and 192 68 0 to the group
- Switch copy running config startup config
- Switch configure
- Switch config aaa group radius radius1
- Switch aaa group show aaa group radius1
- Switch aaa group server 192 68 0
- Configuring server groups
- A method list describes the authentication methods and their sequence to authenticate the users the switch supports login method list for users of all types to gain access to the switch and enable method list for guests to get administrative privileges
- The following example shows how to create a login method list named login1 and configure the method 1 as the default radius server group and the method 2 as local
- Switch copy running config startup config
- Switch configure
- Switch config show aaa authentication login
- Switch config aaa authentication login login1 radius local
- Switch aaa group end
- Follow these steps to configure the method list
- Configuring the method list
- Configuring the aaa application list
- Switch config line login authentication login1
- Switch config line end
- Switch config line enable authentication enable1
- Ssh default default
- Module login list enable list
- Http default default
- Follow these steps to apply the login and enable method lists for the application ssh
- The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application telnet
- Telnet login1 enable1
- Switch copy running config startup config
- Switch configure
- Switch config line telnet
- Switch config line show aaa global
- Switch configure
- Switch config line ssh
- Switch config line show aaa global
- Switch config line login authentication login1
- Switch config line end
- Switch config line enable authentication enable1
- Ssh login1 enable1
- Module login list enable list
- Http default default
- Follow these steps to apply the login and enable method lists for the application http
- The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application ssh
- Telnet default default
- Switch copy running config startup config
- The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application http
- Telnet default default
- Switch copy running config startup config
- Switch configure
- Switch config show aaa global
- Switch config ip http login authentication login1
- Switch config ip http enable authentication enable1
- Switch config end
- Ssh default default
- On the switch
- Module login list enable list
- Http login1 enable1
- Configuring login account and enable password
- The login account and enable password can be configured locally on the switch or centrally on the radius tacacs server s
- The local username and password for login can be configured in the user management feature for details refer to managing system
- To configure the local enable password for getting administrative privileges follow these steps
- Tips the logged in guests can get administrative privileges by using the command enable admin and providing the enable password
- The accounts created by the radius tacacs server can only view the configurations and some network information without the enable password
- Some configuration principles on the server are as follows
- On the server
- On tacacs server the enable password is set with the login account and each account has its own enable password
- On radius server the user name should be set as enable and the enable password is customizable all the users trying to get administrative privileges share this enable password
- For login authentication configuration more than one login account can be created on the server besides both the user name and password can be customized
- For enable password configuration
- Network requirements
- Example for dhcp snooping and arp detection
- Configuration scheme
- Configuration examples
- Using the gui
- Using the cli
- Verify the configuration
- Network requirements
- Example for 802 x
- Configuration scheme
- Using the gui
- Radius config to load the following page configure the parameters of the radius server
- Network topology
- Internet
- Global config to load the following page enable aaa function globally on the switch
- Demonstrated with t1700g 28tq acting as the authenticator the following sections provide configuration procedure in two ways using the gui and using the cli
- As shown in the following figure switch a acts as the authenticator port 1 0 1 is connected to the client port 1 0 2 is connected to the radius server and port 1 0 3 is connected to the internet
- Using the cli
- Verify the configurations
- Network requirements
- Example for aaa
- Using the gui
- Configuration scheme
- Using the cli
- Verify the configuration
- Default settings of network security are listed in the following tables
- Appendix default parameters
- Part 22
- Configuring lldp
- Chapters
- Supported features
- Overview
- Using the gui
- Lldp configurations
- Global config
- In the global config section enable lldp click apply
- Follow these steps to enable lldp and configure the lldp feature globally
- In the parameters config section configure the lldp parameters click apply
- Select the tlvs type length value included in the lldp packets according to your needs
- Select the desired port and set its admin status and notification mode
- Port config
- Policy config to load the following page
- Follow these steps to configure the lldp feature for the interface
- Using the cli
- Global config
- Enable the lldp feature on the switch and configure the lldp parameters
- The following example shows how to configure the following parameters lldp timer 4 tx interval 30 seconds tx delay 2 seconds reinit delay 3 seconds notify iinterval 5 seconds fast count 3
- Switch configure
- Switch config show lldp
- Switch config lldp timer tx interval 30 tx delay 2 reinit delay 3 notify interval 5 fast count 3
- Switch config lldp hold multiplier 4
- Switch config lldp
- Lldp status enabled
- Tx interval 30 seconds
- Tx delay 2 seconds
- Ttl multiplier 4
- Trap notification interval 5 seconds
- Switch copy running config startup config
- Switch config end
- Select the desired port and set its admin status notification mode and the tlvs included in the lldp packets
- Port config
- Lldp med fast start repeat count 4
- Initialization delay 2 seconds
- Fast packet count 3
- Using the gui
- Lldp med configurations
- Global config
- Port config
- Global config
- Using the cli
- Tx interval 30 seconds
- The following example shows how to configure lldp med fast count as 4
- Switch configure
- Switch config show lldp
- Switch config lldp med fast count 4
- Switch config lldp
- Lldp status enabled
- Trap notification interval 5 seconds
- Switch copy running config startup config
- Switch config end
- Select the desired port enable lldp med and select the tlvs type length value included in the outgoing lldp packets according to your needs
- Port config
- Lldp med fast start repeat count 4
- Initialization delay 2 seconds
- Fast packet count 3
- Tx delay 2 seconds
- Ttl multiplier 4
- Viewing lldp settings
- Viewing lldp device info
- Using gui
- In the local info section select the desired port and view its associated local device information
- In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply
- Follow these steps to view the local information
- Viewing lldp statistics
- Viewing the neighbor info
- Viewing the local info
- Viewing lldp statistics
- Using cli
- Viewing lldp med settings
- Using gui
- Follow these steps to view lldp med neighgbor information
- Viewing the neighbor info
- In the lldp med neighbor info section select the desired port and view the lldp med settings
- In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply
- Viewing the neighbor info
- Viewing the local info
- Viewing lldp statistics
- Using cli
- Using the gui
- Network topology
- Network requirements
- Example for configuring lldp
- Configuration scheme
- Configuration example
- Using cli
- Verify the configurations
- Configuration scheme
- Network topology
- Network requirements
- Example for configuring lldp med
- Using the gui
- Using the cli
- Verify the configurations
- Default settings of lldp are listed in the following tables
- Default lldp settings
- Default lldp med settings
- Appendix default parameters
- Part 23
- Configuring maintenance
- Chapters
- Network diagnose
- Maintenance
- Device diagnose
- System monitor
- Supported features
- Overview
- Using the gui
- Monitoring the system
- Monitoring the cpu
- Using the cli
- Monitoring the memory
- Monitoring the cpu
- Monitoring the memory
- System log configurations
- Logs are classified into the following eight levels messages of levels 0 to 4 mean the functionality of the switch is affected please take actions according to the log message
- Configuring the remote log
- Configuring the local log
- Configuration guidelines
- Backing up log files
- Viewing the log table
- System log configurations include
- Using the gui
- Select your desired channel and configure the corresponding severity and status
- Remote log enables the switch to send system logs to a host to display the logs the host should run a log server that complies with the syslog standard
- Local log to load the following page
- Follow these steps to configure the local log
- Configuring the remote log
- Configuring the local log
- Click apply
- Viewing the log table
- Backing up the log file
- Using the cli
- Select a module and a severity to view the corresponding log information
- Follow these steps to configure the local log
- Configuring the local log
- The following example shows how to configure the local log on the switch save logs of levels 0 to 5 to the log buffer and synchronize logs of levels 0 to 2 to the flash every 10 hours
- Switch configure
- Switch config show logging local config
- Switch config logging file flash level 2
- Switch config logging file flash frequency periodic 10
- Switch config logging file flash
- Switch config logging buffer level 5
- Switch config logging buffer
- Switch config end
- Remote log enables the switch to send system logs to a host to display the logs the host should run a log server that complies with the syslog standard
- Monitor 5 enable immediately
- Follow these steps to set the remote log
- Flash 2 enable 10 hour s
- Configuring the remote log
- Channel level status sync periodic
- Buffer 5 enable immediately
- The following example shows how to set the remote log on the switch enable log host 2 set its ip address as 192 68 48 and allow logs of levels 0 to 5 to be sent to the host
- Switch copy running config startup config
- Switch configure
- Switch config logging host index 2 192 68 48 5
- Using the gui
- Diagnosing the device
- Using the cli
- The following example shows how to check the cable diagnostics of port 1 0 2
- Switch show cable diagnostics interface gigabitehternet 1 0 2
- Port pair status length error
- Pair d normal 2 10m
- Pair c normal 0 10m
- Pair b normal 2 10m
- On privileged exec mode or any other configuration mode you can use the following command to check the connection status of the cable that is connected to the switch
- Gi1 0 2 pair a normal 2 10m
- Configuring the ping test
- Using the gui
- Diagnosing the network
- Using the cli
- Tracert to load the following page
- On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and one node of the network
- In the tracert result section check the test results
- In the tracert config section enter the ip address of the destination set the max hop and then click tracert to start the test
- In the ping result section check the test results
- Follow these steps to test connectivity between the switch and routers along the path from the source to the destination
- Configuring the tracert test
- Configuring the ping test
- Packets sent 3 received 3 lost 0 0 loss
- On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination
- Minimum 0ms maximum 0ms average 0ms
- Configuring the tracert test
- Approximate round trip times in milli seconds
- The following example shows how to test the connectivity between the switch and the destination device with the ip address 192 68 0 specify the ping times as 3 the data size as 1000 bytes and the interval as 500 milliseconds
- Switch ping ip 192 68 0 n 3 l 1000 i 500
- Reply from 192 68 0 bytes 1000 time 16ms ttl 64
- Pinging 192 68 0 with 1000 bytes of data
- Ping statistics for 192 68 0
- Tracing route to 192 68 00 over a maximum of 2 hops
- Trace complete
- The following example shows how to test the connectivity between the switch and the network device with the ip address 192 68 00 set the maxhops as 2
- Switch tracert 192 68 00 2
- Ms 2 ms 2 ms 192 68 00
- Ms 1 ms 2 ms 192 68
- Using the gui
- Network requirements
- Configuration scheme
- Configuration example for remote log
- Using the cli
- Verify the configurations
- Default settings of maintenance are listed in the following tables
- Appendix default parameters
- Part 24
- Configuring snmp rmon
- Chapters
- The device supports three snmp versions snmpv1 snmpv2c and snmpv3 table 1 1 lists features supported by different snmp versions and table 1 2 shows corresponding application scenarios
- Snmp simple network management protocol is a standard network management protocol widely used on tcp ip networks it facilitates device management using nms network management system software with snmp network managers can view or modify network device information and troubleshoot according to notifications sent by those devices in a timely manner
- Snmp overview
- Snmp configurations
- Using the gui
- Enabling snmp
- Creating an snmp view
- Set the view name and one mib variable that is related to the view choose the view type and click create to add the view entry
- Creating an snmp group
- Create an snmp group and configure related parameters
- Snmp group to load the following page
- Set the read write and notify view of the snmp group click create
- Set the group name and security model if you choose snmpv3 as the security model you need to further configure security level
- Follow these steps to create an snmp group
- Specify the user name user type and the group which the user belongs to set the security model according to the related parameters of the specified group if you choose snmpv3 you need to configure the security level
- Snmp user to load the following page
- Follow these steps to create an snmp user
- Creating snmp users
- If you want to use snmpv1 or snmpv2c as the security model you can create snmp communities directly
- If you have chosen authnopriv or authpriv as the security level you need to set corresponding auth mode or privacy mode if not skip the step
- Creating snmp communities
- Click create
- Using the cli
- Snmp community to load the following page
- Set the community name access rights and the related view click create
- Enabling snmp
- Unknown community name
- The following example shows how to enable snmp and set 123456789a as the remote engine id
- Switch configure
- Switch config snmp server engineid remote 123456789a
- Switch config snmp server
- Switch config show snmp server
- Snmp packets input
- Snmp agent is enabled
- Number of requested variables
- Number of altered variables
- Illegal operation for community name supplied
- Get request pdus
- Encoding errors
- Bad snmp version errors
- Creating an snmp view
- Bad value errors
- Trap pdus
- Too big errors maximum packet size 1500
- Switch copy running config startup config
- Switch config show snmp server engineid
- Switch config end
- Specify the oid object identifier of the view to determine objects to be managed
- Snmp packets output
- Set request pdus
- Response pdus
- Remote engine id 123456789a
- No such name errors
- Local engine id 80002e5703000aeb132397
- Get next pdus
- General errors
- Creating an snmp group
- No name sec mode sec lev read view write view notify view 1 nms monitor v3 authpriv view view
- The following example shows how to create an snmpv3 group name the group as nms monitor enable auth mode and privacy mode and set the view as read view and notify view
- Switch copy running config startup config
- Switch configure
- Switch config snmp server group nms monitor smode v3 slev authpriv read view notify view
- Switch config show snmp server group
- Switch config end
- The following example shows how to create an snmp user on the switch name the user as admin and set the user as a remote user snmpv3 as the security mode authpriv as the
- Creating snmp users
- Configure users of the snmp group users belong to the group and use the same security level and access rights as the group
- Switch config show snmp server user
- Switch config end
- Security level sha as the authentication algorithm 1234 as the authentication password des as the privacy algorithm and 1234 as the privacy password
- No u name u type g name s mode s lev a mode p mode
- For snmpv1 and snmpv2c the community name is used for authentication functioning as the password
- Creating snmp communities
- Admin remote nms monitor v3 authpriv sha des
- The following example shows how to set an snmp community name the community as the nms monitor and allow the nms to view and modify parameters of view
- Switch copy running config startup config
- Switch configure
- Switch config snmp server user admin remote nms monitor smode v3 slev authpriv cmode sha cpwd 1234 emode des epwd 1234
- Using the gui
- Notification configurations
- Configuration guidelines
- Specify the user name or community name used by the nms and configure the security model and security level based on the settings of the user or community
- Click create
- Choose a notification type based on the snmp version if you choose the inform type you need to set retry times and timeout interval
- Using the cli
- Configuring the host
- Configure parameters of the nms host and packet handling mechanism
- Enabling the snmp standard trap
- Enabling snmp notification
- 68 22 162 admin v3 authpriv inform 3 100
- The following example shows how to set the nms host ip address as 172 68 22 udp port as port 162 name used by the nms as admin security model as snmpv3 security level as authpriv notification type as inform retry times as 3 and the timeout interval as 100 seconds
- Switch copy running config startup config
- Switch configure
- Switch config snmp server host 172 68 22 162 admin smode v3 slev authpriv type inform retries 3 timeout 100
- Switch config show snmp server host
- Switch config end
- No des ip udp name secmode seclev type retry timeout
- The following example shows how to configure the switch to send linkup traps
- Switch copy running config startup config
- Switch configure
- Switch config snmp server traps snmp linkup
- Switch config end
- Optional enabling the snmp extend trap
- Switch config end
- Optional enabling the vlan trap
- Optional enabling the link status trap
- The following example shows how to configure the switch to enable bandwidth control traps
- The following example shows how to configure the switch to enable
- Switch copy running config startup config
- Switch configure
- Switch config snmp server traps vlan create
- Switch config snmp server traps bandwidth control
- The following example shows how to configure the switch to enable link status trap
- Switch copy running config startup config
- Switch configure
- Switch config interface gigabitethernet 1 0 1
- Switch config if snmp server traps link status
- Switch config if end
- Rmon overview
- Using the gui
- Rmon configurations
- Configuring statistics
- Specify the entry id the port to be monitored and the owner name of the entry set the entry as valid or undercreation and click create
- Set the sample interval and the maximum buckets of history entries
- Select a history entry and specify a port to be monitored
- History to load the following page
- Follow these steps to configure history
- Configuring history
- Set the description and type of the event
- Follow these steps to configure event
- Event to load the following page
- Enter the owner name and set the status of the entry click apply
- Configuring event
- Choose an event entry and set the snmp user of the entry
- Enter the owner name and set the status of the entry click apply
- Configuring alarm
- Before you begin please complete configurations of statistics entries and event entries because the alarm entries must be associated with statistics and event entries
- Alarm to load the following page
- Select an alarm entry choose a variable to be monitored and associate the entry with a statistics entry
- Follow these steps to configure alarm
- Set the sample type the rising and falling threshold the corresponding event action and the alarm type of the entry
- Using the cli
- Enter the owner name and set the status of the entry click apply
- Configuring statistics
- Switch copy running config startup config
- Switch configure
- Switch config show rmon statistics
- Switch config rmon statistics 2 interface gigabitethernet 1 0 2 owner monitor status valid
- Switch config rmon statistics 1 interface gigabitethernet 1 0 1 owner monitor status valid
- Switch config end
- Index port owner state
- Gi1 0 2 monitor valid
- Gi1 0 1 monitor valid
- Configuring history
- The following example shows how to create two statistics entries on the switch to monitor port 1 0 1 and 1 0 2 respectively the owner of the entry is monitor and the entry is valid
- The following example shows how to create a history entry on the switch to monitor port 1 0 1 set the sample interval as 100 seconds max buckets as 50 and the owner as monitor
- Switch copy running config startup config
- Switch configure
- Switch config show rmon history
- Switch config rmon history 1 interface gigabitethernet 1 0 1 interval 100 owner monitor buckets 50
- Switch config end
- Index port interval buckets owner state
- Gi1 0 1 100 50 monitor enable
- Configuring event
- Switch configure
- Switch config show rmon event
- Switch config rmon event 1 user admin description rising notify type notify owner monitor
- Switch config end
- Index user description type owner state
- Admin rising notify notify monitor enable
- The following example shows how to create an event entry on the switch set the user name as admin the event type as notify set the switch to initiate notifications to the nms and the owner as monitor
- Switch copy running config startup config
- Configuring alarm
- Network requirements
- Configuration scheme
- Configuration example
- Using the gui
- Network topology
- Using the cli
- Verify the configurations
- Default settings of snmp are listed in the following table
- Appendix default parameters
- Default settings of notification are listed in the following table
Похожие устройства
-
Tp-Link TL-SM321B-2Инструкция по инсталляции -
Tp-Link TL-SM321A-2Руководство по установке
-
Tp-Link tl-sg5428Руководство по установке -
Tp-Link tl-sg108eИнструкция по эксплуатации -
Tp-Link LS1005GИнструкция по эксплуатации
-
Tp-Link LS1005GИнструкция по эксплуатации -
Tp-Link LS105GИнструкция по эксплуатации
-
Tp-Link LS108GИнструкция по эксплуатации
-
Tp-Link TL-SF1008P V1Rackmount Switch_EU2_12Languages__ Installation Guide -
Tp-Link TL-SF1008P V1Руководство пользователя -
Tp-Link TL-SF1008P V3Rackmount Switch_EU2_12Languages__ Installation Guide
-
Tp-Link TL-SF1008P V3Руководство пользователя
Learn how to configure ACL rules for secure network access, restricting Marketing department to specific internet protocols and internal server access only.