Tp-Link T1500-28TC V1 [503/619] Chapters

Содержание

• Configuration guide 1
• T1500 28tc tl sl2428 t1500 28pct tl sl2428p 1
• Canadian compliance statement 2
• Ce mark warning 2
• Fcc statement 2
• Bsmi notice 3
• Industry canada statement 3
• Ncc notice 3
• Explanation of the symbols on the product label 4
• Safety information 4
• About this guide 5
• Accessing the switch 5
• Command line interface access 5
• Contents 5
• Conventions 5
• Intended readers 5
• Managing system 5
• More information 5
• Overview 5
• System 20 5
• System info configurations 22 5
• Web interface access 5
• Access security configurations 54 6
• System tools configurations 46 6
• User management configurations 38 6
• Appendix default parameters 69 7
• Basic parameters configurations 74 7
• Configuration examples 92 7
• Loopback detection configuration 88 7
• Managing physical interfaces 7
• Physical interface 73 7
• Port isolation configurations 85 7
• Port mirror configuration 78 7
• Port security configuration 82 7
• Address configurations 26 8
• Appendix default parameters 00 8
• Appendix default parameters 17 8
• Appendix default parameters 23 8
• Configuration example 13 8
• Configuring lag 8
• Lag 03 8
• Lag configuration 04 8
• Mac address table 25 8
• Managing mac address table 8
• Monitoring traffic 8
• Traffic monitor 19 8
• Appendix default parameters 34 9
• Appendix default parameters 48 9
• Configuration example 43 9
• Configuring 802 q vlan 9
• Configuring spanning tree 9
• Overview 36 9
• Q vlan configuration 37 9
• Spanning tree 50 9
• Stp rstp configurations 58 9
• Appendix default parameters 11 10
• Configuration example for mstp 92 10
• Configuring layer 2 multicast 10
• Igmp snooping configurations 18 10
• Layer 2 multicast 16 10
• Mstp configurations 68 10
• Stp security configurations 88 10
• Configuration examples 55 12
• Viewing multicast snooping configurations 53 12
• Appendix default parameters 83 13
• Bandwidth control configuration 96 13
• Configuration examples 01 13
• Configuring qos 13
• Diffserv configuration 86 13
• Qos 85 13
• Appendix default parameters 17 14
• Appendix default parameters 41 14
• Configuration example 28 14
• Configuring poe 14
• Configuring voice vlan 14
• Overview 19 14
• Poe 43 14
• Poe power management configurations 44 14
• Time range function configurations 52 14
• Voice vlan configuration 21 14
• Acl 65 15
• Acl configurations 66 15
• Appendix default parameters 63 15
• Appendix default parameters 91 15
• Configuration example for acl 84 15
• Configuring acl 15
• Example for poe configurations 59 15
• Arp inspection configurations 12 16
• Configuring network security 16
• Dhcp snooping configuration 04 16
• Dos defend configuration 19 16
• Ip mac binding configurations 97 16
• Network security 93 16
• X configuration 23 16
• Aaa configuration 37 17
• Appendix default parameters 75 17
• Configuration examples 56 17
• Configuration example 17 18
• Configuring snmp rmon 18
• Notification configurations 98 18
• Rmon configurations 06 18
• Rmon overview 05 18
• Snmp configurations 84 18
• Snmp overview 83 18
• Appendix default parameters 29 19
• Configuration example 58 19
• Configuring lldp 19
• Lldp 34 19
• Lldp configurations 35 19
• Lldp med configurations 42 19
• Viewing lldp med settings 54 19
• Viewing lldp settings 49 19
• Appendix default parameters 77 20
• Configuring maintenance 20
• Diagnosing the device 90 20
• Diagnosing the network 92 20
• Maintenance 79 20
• Monitoring the system 80 20
• System log configurations 83 20
• Appendix default parameters 98 21
• Configuration example for remote log 96 21
• About this guide 22
• Conventions 22
• Intended readers 22
• More information 23
• Accessing the switch 24
• Chapters 24
• Part 1 24
• Overview 25
• Web interface access 26
• Save config function 27
• Configure the switch s ip address and default gateway 28
• Disable the web server 28
• The default ip address of the switch is 192 68 and the default gateway is 0 you can change the ip address and default gateway of the switch according to your needs 28
• To load the following page 28
• You can shut down the http server or https server to block any access to the web interface 28
• Command line interface access 30
• Console login only for switch with console port 30
• Enter enable to enter the user exec mode to further configure the switch 31
• Telnet login 32
• Password authentication mode 33
• Ssh login 33
• Key authentication mode 34
• After the keys are successfully generated click save public key to save the public key to a tftp server click save private key to save the private key to the host pc 35
• After negotiation is completed enter the username to log in if you can log in without entering the password the key authentication completed successfully 37
• Disable telnet login 37
• Telnet config disable the telnet function and click apply 37
• Using the gui 37
• You can shut down the telnet function to block any telnet access to the cli interface 37
• Copy running config startup config 38
• Disable ssh login 38
• Change the switch s ip address and default gateway 39
• Chapters 40
• Managing system 40
• Part 2 40
• Access security 41
• Overview 41
• Supported features 41
• System 41
• System info 41
• System tools 41
• User management 41
• System info configurations 43
• Using the gui 43
• Viewing the system summary 43
• Click a port to view the bandwidth utilization on this port 44
• Move the cursor to the port to view the detailed information of the port 44
• Click apply 45
• Device description to load the following page 45
• In the device description section specify the following information 45
• Specifying the device description 45
• Choose one method to set the system time and specify the information 46
• In the time config section follow these steps to configure the system time 46
• In the time info section view the current time information of the switch 46
• Setting the system time 46
• System time to load the following page 46
• Choose one method to set the daylight saving time of the switch and specify the information 47
• Click apply 47
• Daylight saving time to load the following page 47
• Follow these steps to configure daylight saving time 47
• In the dst config section select enable to enable the daylight saving time function 47
• Setting the daylight saving time 47
• Click apply 48
• Specifying the system ip 48
• System ip to load the following page 48
• Click apply 49
• In the ip config section specify the following information 49
• On privileged exec mode or any other configuration mode you can use the following command to view the system information of the switch 49
• Using the cli 49
• Viewing the system summary 49
• Specifying the device description 50
• Contact information http www tp link com 51
• Follow these steps and choose one method to set the system time 51
• Setting the system time 51
• Switch config contact info http www tp link com 51
• Switch config end 51
• Switch config hostname switch_a 51
• Switch config location beijing 51
• Switch config show system info 51
• Switch configure 51
• Switch copy running config startup config 51
• System description jetstream 48 port gigabit smart switch with 4 sfp slots 51
• System location beijing 51
• System name switch_a 51
• The following example shows how to set the device name as switch_a set the location as beijing and set the contact information as http www tp link com 51
• Backup ntp server 139 8 00 63 54
• Follow these steps and choose one method to set the daylight saving time 54
• Last successful ntp server 133 00 54
• Prefered ntp server 133 00 54
• Setting the daylight saving time 54
• Switch config end 54
• Switch config show system time ntp 54
• Switch config system time ntp utc 08 00 133 00 139 8 00 63 11 54
• Switch configure 54
• Switch copy running config startup config 54
• The following example shows how to set the system time by get time from ntp server and set the time zone as utc 08 00 set the ntp server as 133 00 set the backup ntp server as 139 8 00 63 and set the update rate as 11 54
• Time zone utc 08 00 54
• Update rate 11 hour s 54
• Dst configuration is one off 56
• Dst ends at 01 00 00 on sep 1 2016 56
• Dst offset is 50 minutes 56
• Dst starts at 01 00 00 on aug 1 2016 56
• Specifying the system ip 56
• Switch config end 56
• Switch config show system time dst 56
• Switch config system time dst date aug 1 01 00 2016 sep 1 01 00 2016 50 56
• Switch configure 56
• Switch copy running config startup config 56
• The following example shows how to set the daylight saving time by date mode set the start time as 01 00 august 1st 2016 set the end time as 01 00 september 1st 2016 and set the offset as 50 56
• 2006 01 01 08 08 44 netif 5 line protocol on interface vlan1 changed state to down by admin on vty0 192 68 00 57
• 2006 01 01 08 09 19 netif 5 line protocol on interface vlan2 changed state to up 57
• Follow these steps and choose one method to specify the system ip 57
• Switch config ip management vlan 2 57
• Switch configure 57
• The following example shows how to set the management vlan as vlan 2 set the ip address as 192 68 2 and set the subnet mask as 255 55 55 57
• Creating admin accounts 59
• User management configurations 59
• Using the gui 59
• Click create 60
• Creating accounts of other types 60
• Creating an account 60
• Follow these steps to create an account of other types 60
• In the user info section select the access level from the drop down list and specify the user name and password 60
• User config to load the following page 60
• You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin 60
• Creating admin accounts 62
• Follow these steps to create an admin account 62
• Using the cli 62
• Creating accounts of other types 63
• Follow these steps to create an account of other type 63
• You can create accounts with the access level of operator power user and user here you also need to go to the aaa section to create an enable password for these accounts the enable password is used to change the users access level to admin 63
• The aaa function applies another method to manage the access users name and password for details refer to aaa configuration in configuring network security 65
• The logged in users can enter the enable password on this page to get the administrative privileges 65
• Configuring the boot file 67
• System tools configurations 67
• Using the gui 67
• Click apply 68
• Click import to import the configuration file 68
• Config restore to load the following page 68
• Follow these steps to restore the configuration of the switch 68
• In the config restore section select one unit and one configuration file 68
• Restoring the configuration of the switch 68
• Backing up the configuration file 69
• Upgrading the firmware 69
• Rebooting the switch 70
• Reseting the switch 70
• Backup image image2 bin 71
• Boot config 71
• Configuring the boot file 71
• Current startup image image1 bin 71
• Follow these steps to configure the boot file 71
• Follow these steps to restore the configuration of the switch 71
• Next startup image image1 bin 71
• Restoring the configuration of the switch 71
• Switch config boot application filename image1 startup 71
• Switch config boot application filename image2 backup 71
• Switch config end 71
• Switch config show boot 71
• Switch configure 71
• Switch copy running config startup config 71
• The following example shows how to set the next startup image as image 1 and set the backup image as image 2 71
• Using the cli 71
• Backing up the configuration file 72
• Backup user config file ok 72
• Enable 72
• Follow these steps to back up the current configuration of the switch in a file 72
• Operation ok now rebooting system 72
• Start to backup user config file 72
• Start to load user config file 72
• Switch copy startup config tftp ip address 192 68 00 filename file2 72
• Switch copy tftp startup config ip address 192 68 00 filename file1 72
• The following example shows how to backup the configuration file named file2 from tftp server with ip address 192 68 00 72
• The following example shows how to restore the configuration file named file1 from the tftp server with ip address 192 68 00 72
• Enable 73
• Follow these steps to reboot the switch 73
• Follow these steps to reset the switch 73
• Follow these steps to upgrade the firmware 73
• It will only upgrade the backup image continue y n y 73
• Operation ok 73
• Reboot with the backup image y n y 73
• Rebooting the switch 73
• Reseting the switch 73
• Switch firmware upgrade ip address 192 68 00 filename file3 bin 73
• The following example shows how to upgrade the firmware using the configuration file named file3 bin the tftp server is 190 68 00 73
• Upgrading the firmware 73
• Access security configurations 75
• Configuring the access control feature 75
• Using the gui 75
• Click apply 76
• When the ip based mode is selected the following section will display 76
• When the port based mode is selected the following section will display 76
• Configuring the http function 77
• Configuring the https function 78
• In the access user number section select enable and specify the parameters click apply 79
• In the certificate download and key download section download the certificate and key 79
• In the ciphersuite config section select the algorithm to be enabled and click apply 79
• In the session config section specify the session timeout and click apply 79
• Configuring the ssh feature 80
• In the global config section select enable to enable ssh function and specify other parameters 80
• Ssh config to load the following page 80
• Configuring the access control 81
• Enabling the telnet function 81
• Using the cli 81
• Switch config show user configuration 82
• Switch config user access control ip based 192 68 00 255 55 55 snmp telnet http https 82
• Switch configure 82
• The following example shows how to set the type of access control as ip based set the ip address as 192 68 00 set the subnet mask as 255 55 55 and make the switch support snmp telnet http and https 82
• 68 24 snmp telnet http https 83
• Configuring the http function 83
• Follow these steps to configure the http function 83
• Index ip address access interface 83
• Switch config end 83
• Switch copy running config startup config 83
• User authentication mode ip based 83
• Configuring the https function 84
• Follow these steps to configure the https function 84
• Http max admin users 6 84
• Http max guest users 5 84
• Http session timeout 9 84
• Http status enabled 84
• Http user limitation enabled 84
• Switch config end 84
• Switch config ip http max user 6 5 84
• Switch config ip http server 84
• Switch config ip http session timeout 9 84
• Switch config show ip http configuration 84
• Switch configure 84
• Switch copy running config startup config 84
• The following example shows how to set the session timeout as 9 set the maximum admin number as 6 and set the maximum guest number as 5 84
• Configuring the ssh feature 87
• Follow these steps to configure the ssh function 87
• Begin ssh2 public key 89
• Blowfish cbc disabled 89
• Cast128 cbc enabled 89
• Comment dsa key 20160711 89
• Data integrity algorithm 89
• Des cbc disabled 89
• Enabling the telnet function 89
• Follow these steps enable the telnet function 89
• Hmac md5 enabled 89
• Hmac sha1 disabled 89
• Key file 89
• Key type ssh 2 rsa dsa 89
• Switch config end 89
• Switch copy running config startup config 89
• Appendix default parameters 90
• Default settings of system info are listed in the following tables 90
• Default settings of system tools are listed in the following table 90
• Default settings of user management are listed in the following table 90
• Default settings of access security are listed in the following tables 91
• Chapters 93
• Managing physical interfaces 93
• Part 3 93
• Basic parameters 94
• Loopback detection 94
• Overview 94
• Physical interface 94
• Port isolation 94
• Port mirror 94
• Port security 94
• Supported features 94
• Basic parameters configurations 95
• Follow these steps to set basic parameters for ports 95
• Port config to load the following page 95
• Select and configure your desired ports or lags then click apply 95
• Set the jumbo frame value and click apply the default mtu maximum transmission unit size for frames received and sent on all ports is 1518 bytes a higher value means allowing the port to send jumbo frames the valid values are from 1518 to 9216 bytes 95
• Using the gui 95
• Follow these steps to set basic parameters for the ports 96
• Using the cli 96
• Switch configure 97
• The following example shows how to implement the basic configurations of port1 0 1 including setting a description for the port making the port autonegotiate speed and duplex with the neighboring port and enabling the flow control feature 97
• Port mirror configuration 99
• Using the gui 99
• Follow these steps to configure port mirror 100
• In the destination port section specify a monitoring port for the mirror session and click apply 100
• In the source port section select one or multiple monitored ports for configuration then set the parameters and click apply 100
• Follow these steps to configure port mirror 101
• Monitor session 1 101
• Switch config monitor session 1 destination interface fastethernet 1 0 10 101
• Switch config monitor session 1 source interface fastethernet 1 0 1 3 both 101
• Switch config show monitor session 101
• Switch configure 101
• The following example shows how to copy the received and transmitted packets on port 1 0 1 2 3 to port 1 0 10 101
• Using the cli 101
• Follow these steps to configure port security 103
• Port security configuration 103
• Port security to load the following page 103
• Select one or multiple ports for security configuration 103
• Specify the maximum number of the mac addresses that can be learned on the port and then select the learn mode of the mac addresses 103
• Using the gui 103
• Click apply 104
• Follow these steps to configure port security 104
• Select the status of the port security feature 104
• Using the cli 104
• Fa1 0 1 30 0 permanent drop 105
• Port max learn current learn mode status 105
• Switch config if end 105
• Switch config if mac address table max mac count max number 30 mode permanent status drop 105
• Switch config if show mac address table max mac count interface fastethernet 1 0 1 105
• Switch config interface fastethernet 1 0 1 105
• Switch configure 105
• Switch copy running config startup config 105
• The following example shows how to set the maximum number of mac addresses that can be learned on port 1 0 1 as 30 and configure the mode as permanent and the status as drop 105
• Port isolation configurations 106
• Using the gui 106
• Click apply 107
• Follow these steps to configure port isolation 107
• In the forward portlist section select the forward ports or lags which the isolated ports can only communicate with it is multi optional 107
• In the port section select one or multiple ports to be isolated 107
• Using the cli 107
• Loopback detection configuration 109
• Using the gui 109
• Follow these steps to configure loopback detection 110
• In the port config section select one or multiple ports for configuration then set the parameters and click apply 110
• Using the cli 110
• View the loopback detection information on this page 110
• The following example shows how to enable loopback detection globally keeping the default parameters 111
• Configuration examples 113
• Configuration scheme 113
• Example for port mirror 113
• Network requirements 113
• Using the gui 113
• Example for port isolation 115
• Network requirements 115
• Using the cli 115
• Verify the configuration 115
• Configuration scheme 116
• Using the gui 116
• Using the cli 117
• Verify the configuration 117
• Configuration scheme 118
• Example for loopback detection 118
• Network requirements 118
• Using the gui 118
• Using the cli 119
• Verify the configuration 120
• Appendix default parameters 121
• Default settings of switching are listed in th following tables 121
• Chapters 123
• Configuring lag 123
• Part 4 123
• Overview 124
• Static lag 124
• Supported features 124
• Configuration guidelines 125
• Lag configuration 125
• Configuring load balancing algorithm 126
• In the global config section select the load balancing algorithm click apply 126
• Lag table to load the following page 126
• Load balancing algorithm is effective only for outgoing traffic if the data stream is not well shared by each link you can change the algorithm of the outgoing interface 126
• Please properly choose the load balancing algorithm to avoid data stream transferring only on one physical link for example switch a receives packets from several hosts and forwards them to the server with the fixed mac address and ip address you can set the algorithm as src mac or src ip to allow switch a to determine the forwarding port based on the source mac addresses or source ip addresses of the received packets 126
• Using the gui 126
• Configuring static lag or lacp 127
• Configuring lacp 128
• Follow these steps to configure lacp 128
• Lacp to load the following page 128
• Select member ports for the lag and configure the related parameters click apply 128
• Specify the system priority for the switch and click apply 128
• Configuring load balancing algorithm 129
• Follow these steps to configure the load balancing algorithm 129
• Using the cli 129
• Configuring static lag 130
• Configuring static lag or lacp 130
• Etherchannel load balancing addresses used per protocol 130
• Etherchannel load balancing configuration src dst mac 130
• Follow these steps to configure static lag 130
• Ipv4 source xor destination mac address 130
• Ipv6 source xor destination mac address 130
• Non ip source xor destination mac address 130
• Switch config end 130
• Switch config port channel load balance src dst mac 130
• Switch config show etherchannel load balance 130
• Switch configure 130
• Switch copy running config startup config 130
• The following example shows how to set the global load balancing mode as src dst mac 130
• You can choose only one lag mode for a port static lag or lacp and make sure both ends of a link use the same lag mode 130
• Configuration example 134
• Configuration scheme 134
• Network requirements 134
• Using the gui 135
• Using the cli 136
• Verify the configuration 136
• Appendix default parameters 138
• Default settings of switching are listed in the following tables 138
• Monitoring traffic 139
• Traffic monitor 140
• Using the gui 140
• Viewing the traffic summary 140
• Follow these steps to view the traffic statistics in detail 141
• To get the real time traffic statistics enable auto refresh in the auto refresh section or click refresh at the bottom of the page 141
• Traffic statistics to load the following page 141
• Viewing the traffic statistics in detail 141
• In port select select a port or lag and click select 142
• In the statistics section view the detailed information of the selected port or lag 142
• On privileged exec mode or any other configuration mode you can use the following command to view the traffic information of each port or lag 143
• Using the cli 143
• Appendix default parameters 144
• Chapters 145
• Managing mac address table 145
• Part 6 145
• Mac address table 146
• Overview 146
• Supported features 146
• Adding static mac address entries 147
• Address configurations 147
• Using the gui 147
• Click apply 149
• Dynamic address to load the following page 149
• Follow these steps to modify the aging time of dynamic address entries 149
• In the aging config section enable auto aging and enter your desired length of time 149
• Modifying the aging time of dynamic address entries 149
• Adding mac filtering address entries 150
• Viewing address table entries 150
• Adding static mac address entries 151
• Address table to load the following page 151
• Follow these steps to add static mac address entries 151
• Using the cli 151
• Modifying the aging time of dynamic address entries 152
• Adding mac filtering address entries 153
• Aging time is 500 sec 153
• Follow these steps to add mac filtering address entries 153
• Switch config end 153
• Switch config mac address table aging time 500 153
• Switch config show mac address table aging time 153
• Switch configure 153
• Switch copy running config startup config 153
• The following example shows how to modify the aging time to 500 seconds a dynamic entry remains in the mac address table for 500 seconds after the entry is used or updated 153
• Appendix default parameters 155
• Default settings of the mac address table are listed in the following tables 155
• Chapters 156
• Configuring 802 q vlan 156
• Part 7 156
• Overview 157
• Configuring the pvid of the port 158
• Q vlan configuration 158
• Using the gui 158
• Configuring the vlan 159
• Enter a vlan id and a description for identification to create a vlan 159
• Follow these steps to configure vlan 159
• Select the untagged port s and the tagged port s respectively to add to the created vlan based on the network topology 159
• Vlan config and click create to load the following page 159
• Click apply 160
• Creating a vlan 160
• Follow these steps to create a vlan 160
• Switch config vlan 2 160
• Switch config vlan name rd 160
• Switch config vlan show vlan id 2 160
• Switch configure 160
• The following example shows how to create vlan 2 and name it as rd 160
• Using the cli 160
• 1 system vlan untagged 161
• Configuring the pvid of the port 161
• Follow these steps to configure the port 161
• Link type general 161
• Member in lag n a 161
• Member in vlan 161
• Port fa1 0 5 pvid 2 161
• Rd active 161
• Switch config if show interface switchport fastethernet 1 0 5 161
• Switch config if switchport pvid 2 161
• Switch config interface fastethernet 1 0 5 161
• Switch config vlan end 161
• Switch configure 161
• Switch copy running config startup config 161
• The following example shows how to configure the pvid of port 1 0 5 as vlan 2 161
• Vlan name egress rule 161
• Vlan name status ports 161
• Adding the port to the specified vlan 162
• Follow these steps to add the port to the specified vlan 162
• Link type general 162
• Member in lag n a 162
• Member in vlan 162
• Port fa1 0 5 162
• Pvid 2 162
• Switch config if end 162
• Switch config if show interface switchport fastethernet 1 0 5 162
• Switch config if switchport general allowed vlan 2 tagged 162
• Switch config interface fastethernet 1 0 5 162
• Switch configure 162
• Switch copy running config startup config 162
• The following example shows how to add the port 1 0 5 to vlan 2 and specify its egress rule as tagged 162
• Configuration example 164
• Configuration scheme 164
• Network requirements 164
• Network topology 165
• Using the gui 165
• Using the cli 167
• Verify the configurations 167
• Appendix default parameters 169
• Default settings of 802 q vlan are listed in the following table 169
• Chapters 170
• Configuring spanning tree 170
• Part 8 170
• Basic concepts 171
• Overview 171
• Spanning tree 171
• Stp rstp concepts 171
• Bridge id 172
• Port role 172
• Root bridge 172
• Port status 173
• Path cost 174
• Root path cost 174
• Mst instance 175
• Mst region 175
• Mstp concepts 175
• Stp security 176
• Vlan instance mapping 176
• Configuring stp rstp parameters on ports 179
• Stp rstp configurations 179
• Using the gui 179
• Click apply 181
• Configuring stp rstp globally 181
• Stp config to load the following page 181
• Follow these steps to configure stp rstp globally 182
• In the global config section enable spanning tree function choose the stp mode as stp rstp and click apply 182
• In the parameters config section configure the global parameters of stp rstp and click apply 182
• Stp summary to load the following page 183
• The stp summary section shows the summary information of spanning tree 183
• Verify the stp rstp information of your switch after all the configurations are finished 183
• Verifying the stp rstp configurations 183
• Configuring stp rstp parameters on ports 184
• Follow these steps to configure stp rstp parameters on ports 184
• Using the cli 184
• Switch config if show spanning tree interface fastethernet 1 0 3 185
• Switch config if spanning tree 185
• Switch config if spanning tree common config port priority 32 185
• Switch config interface fastethernet 1 0 3 185
• Switch configure 185
• The following example shows how to enable spanning tree function on port 1 0 3 and configure the port priority as 32 185
• Configuring global stp rstp parameters 186
• Fa1 0 3 enable 32 auto auto no no auto n a n a lnkdwn 186
• Follow these steps to configure global stp rstp parameters of the switch 186
• Interface state prio ext cost int cost edge p2p mode role status 186
• Switch config if end 186
• Switch copy running config startup config 186
• Enable rstp 36864 2 12 20 5 20 187
• Enabling stp rstp globally 187
• Follow these steps to configure the spanning tree mode as stp rstp and enable spanning tree function globally 187
• State mode priority hello time fwd time max age hold count max hops 187
• Switch config end 187
• Switch config show spanning tree bridge 187
• Switch config spanning tree priority 36864 187
• Switch config spanning tree timer forward time 12 187
• Switch configure 187
• Switch copy running config startup config 187
• This example shows how to configure the priority of the switch as 36864 the forward delay as 12 seconds 187
• Configuring parameters on ports in cist 189
• Mstp configurations 189
• Using the gui 189
• Besides configure the priority of the switch the priority and path cost of ports in the desired instance 191
• Click apply 191
• Configure the region name revision level vlan instance mapping of the switch the switches with the same region name the same revision level and the same vlan instance mapping are considered as in the same region 191
• Configuring the mstp region 191
• Configuring the region name and revision level 191
• Region config to load the following page 191
• Configuring mstp globally 196
• Follow these steps to configure mstp globally 196
• In the parameters config section configure the global parameters of mstp and click apply 196
• Stp config to load the following page 196
• In the global config section enable spanning tree function and choose the stp mode as mstp and click apply 197
• Stp summary to load the following page 198
• The stp summary section shows the summary information of cist 198
• Verifying the mstp configurations 198
• Configuring parameters on ports in cist 199
• Follow these steps to configure the parameters of the port in cist 199
• The mstp summary section shows the information in mst instances 199
• Using the cli 199
• Switch configure 200
• This example shows how to enable spanning tree function for port 1 0 3 and configure the port priority as 32 200
• Configuring the mst region 201
• Configuring the mstp region 201
• Fa1 0 3 144 200 n a lnkdwn 201
• Fa1 0 3 enable 32 auto auto no no auto n a n a lnkdwn 201
• Follow these steps to configure the mst region and the priority of the switch in the instance 201
• Interface prio cost role status 201
• Interface state prio ext cost int cost edge p2p mode role status 201
• Mst instance 0 cist 201
• Mst instance 5 201
• Switch config if end 201
• Switch config if show spanning tree interface fastethernet 1 0 3 201
• Switch config if spanning tree 201
• Switch config if spanning tree common config port priority 32 201
• Switch config interface fastethernet 1 0 3 201
• Switch copy running config startup config 201
• Region name r1 202
• Revision 100 202
• Switch config mst instance 5 vlan 2 6 202
• Switch config mst name r1 202
• Switch config mst revision 100 202
• Switch config mst show spanning tree mst configuration 202
• Switch config spanning tree mst configuration 202
• Switch configure 202
• This example shows how to create an mst region of which the region name is r1 the revision level is 100 and vlan 2 vlan 6 are mapped to instance 5 202
• 7 4094 203
• Configuring the parameters on ports in instance 203
• Follow these steps to configure the priority and path cost of ports in the specified instance 203
• Mst instance vlans mapped 203
• Switch config mst end 203
• Switch copy running config startup config 203
• Configuring global mstp parameters 204
• Switch config spanning tree priority 36864 205
• Switch configure 205
• This example shows how to configure the cist priority as 36864 the forward delay as 12 seconds the hold count as 8 and the max hop as 25 205
• Enable mstp 36864 2 12 20 8 25 206
• Enabling spanning tree globally 206
• Follow these steps to configure the spanning tree mode as mstp and enable spanning tree function globally 206
• State mode priority hello time fwd time max age hold count max hops 206
• Switch config if end 206
• Switch config if show spanning tree bridge 206
• Switch config if spanning tree hold count 8 206
• Switch config if spanning tree max hops 25 206
• Switch config if spanning tree timer forward time 12 206
• Switch config show spanning tree active 206
• Switch config spanning tree 206
• Switch config spanning tree mode mstp 206
• Switch configure 206
• Switch copy running config startup config 206
• This example shows how to configure the spanning tree mode as mstp and enable spanning tree function globally 206
• Configuring the stp security 209
• Stp security configurations 209
• Using the gui 209
• Configure the port protect features for the selected ports and click apply 210
• Configuring the stp security 210
• Follow these steps to configure the root protect feature bpdu protect feature and bpdu filter feature for ports 210
• Using the cli 210
• Featur 211
• As shown in figure 5 1 the network consists of three switches traffic in vlan 101 vlan 106 is transmitted in this network the link speed between the switches is 100mb s the default path cost of the port is 200000 213
• Configuration example for mstp 213
• Configuration scheme 213
• Here we configure two instances to meet the requirement as is shown below 213
• It is required that traffic in vlan 101 vlan 103 and traffic in vlan 104 vlan 106 should be transmitted along different paths 213
• Mstp backwards compatible with stp and rstp can map vlans to instances to enable load balancing thus providing a more flexible method in network management here we take the mstp configuration as an example 213
• Network requirements 213
• To meet this requirement you are suggested to configure mstp function on the switches map the vlans to different instances to ensure traffic can be transmitted along the respective instance 213
• Using the gui 214
• Instance port config to load the following page set the path cost of port 1 0 1 in instance 1 as 400000 216
• Instance port config to load the following page set the path cost of port 1 0 2 in instance 2 as 400000 220
• Using the cli 225
• Verify the configurations 227
• Appendix default parameters 232
• Default settings of the spanning tree feature are listed in the following table 232
• Chapters 236
• Configuring layer 2 multicast 236
• Part 9 236
• Layer 2 multicast 237
• Overview 237
• Configuration guide 217 238
• Configuring layer 2 multicast layer 2 multicast 238
• Demonstrated as below 238
• Figure 1 1 igmp snooping 238
• Layer 2 multicast protocol for ipv4 igmp snooping 238
• On the layer 2 device igmp snooping transmits data on demand on data link layer by analyzing igmp packets between layer 3 devices and users to build and maintain layer 2 multicast forwarding table 238
• Supported layer 2 multicast protocols 238
• Configuring igmp snooping globally 239
• Igmp snooping configurations 239
• Using the gui 239
• Click apply 240
• Configure the last listener query interval and last listener query count when the switch receives an igmp leave message if specified count of multicast address specific queries masqs are sent and no report message is received the switch will delete the multicast address from the multicast forwarding table 240
• Configure unknown multicast as forward or discard 240
• Configuring igmp snooping last listener query 240
• Configuring router port time and member port time 240
• Enable or disable report message suppression globally 240
• Enabling report message suppression can reduce the number of packets in the network 240
• Follow these steps to configure report message suppression 240
• Follow these steps to configure the aging time of the router ports and the member ports 240
• Optional configuring report message suppression 240
• Specify the aging time of the member ports 240
• Specify the aging time of the router ports 240
• Click apply 241
• Follow these steps to configure last listener query interval and last listener query count in the global config section 241
• Igmp snooping status table displays vlans and ports with igmp snooping enabled 241
• Specify the interval between masqs 241
• Specify the number of masqs to be sent 241
• Verifying igmp snooping status 241
• Configuring the port s basic igmp snooping features 242
• Enabling igmp snooping on the port 242
• Optional configuring fast leave 242
• Configuring igmp snooping globally in the vlan 243
• Configuring igmp snooping in the vlan 243
• Click create 244
• Configure the forbidden router ports in the designate vlan 244
• Configure the router ports in the designate vlan 244
• Configuring the multicast vlan 244
• Follow these steps to configure static router ports in the designate vlan 244
• Follow these steps to forbid the selected ports to be the router ports in the designate vlan 244
• In old multicast transmission mode when users in different vlans apply for data from the same multicast group the layer 3 device will duplicate this multicast data and deliver copies to the layer 2 devices 244
• Optional configuring the forbidden router ports in the vlan 244
• Optional configuring the static router ports in the vlan 244
• With multicast vlan configured all multicast group members will be added to a vlan layer 3 device only need to send one piece of multicast data to a layer 2 device and the layer 2 device will send the data to all member ports of the vlan in this way multicast vlan saves bandwidth and reduces network load of layer 3 devices 244
• Creating multicast vlan and configuring basic settings 245
• Click apply 246
• Configure the new multicast source ip 246
• Configure the router ports in the designate vlan 246
• Configure the router ports in the multicast vlan 246
• Follow these steps to configure static router ports in the multicast vlan 246
• Follow these steps to forbid the selected ports to be the router ports in the multicast vlan 246
• Optional configuring the forbidden router ports 246
• Optional configuring the static router ports 246
• Optional creating replace source ip 246
• This function allows you to use a new ip instead of the source ip to send data to multicast group members in the multicast vlan section follow these steps to configure replace source ip 246
• This table displays all the dynamic router ports in the multicast vlan 246
• Viewing dynamic router ports in the multicast vlan 246
• Click add 247
• Click apply 247
• Configuring the querier 247
• Follow these steps to configure the querier 247
• Optional configuring the querier 247
• Querier config to load the following page 247
• Specify a vlan and configure the querier on this vlan 247
• You can edit the settings in the igmp snooping querier table 247
• Click create 248
• Configuring igmp profile 248
• Create a profile and configure its filtering mode 248
• Creating profile 248
• Enter the search condition in the search option field to search the profile in the igmp profile info table 248
• Follow these steps to create a profile and configure its filtering mode 248
• Profile config to load the following page 248
• Searching profile 248
• The igmp snooping querier table displays all the related settings of the igmp querier 248
• Viewing settings of igmp querier 248
• Binding profile and member ports 249
• Click edit in the igmp profile info table edit its ip range and click add to save the settings 249
• Click submit to save the settings click back to go back to the previous page 249
• Editing ip range of the profile 249
• Follow these steps to edit profile mode and its ip range 249
• In the ip range table you can select an ip range and click delete to delete an ip range 249
• Profile binding to load the following page 249
• Binding profile and member ports 250
• Click apply 250
• Configuring max groups a port can join 250
• Follow these steps to bind the profile to the port 250
• Follow these steps to configure the maximum groups a port can join and overflow action 250
• Select a port to configure its max group and overflow action 250
• Select the port to be bound and enter the profile id in the profile id column 250
• Click apply 251
• Configuring auto refresh 251
• Enable or disable auto refresh 251
• Follow these steps to configure auto refresh 251
• Packet statistic to load the following page 251
• Viewing igmp statistics on each port 251
• Configuring static member port 252
• Viewing igmp statistics 252
• Click create 253
• Enabling igmp snooping globally 253
• Enabling igmp snooping on the port 253
• Static multicast ip table displays details of all igmp static multicast groups 253
• Using the cli 253
• Viewing igmp static multicast groups 253
• You can search igmp static multicast entries by using multicast ip vlan id or forward port as the search option 253
• Configuring igmp snooping parameters globally 255
• Configuring report message suppression 255
• Enable port 255
• Enable vlan 255
• Global authentication accounting disable 255
• Global member age time 260 255
• Global report suppression enable 255
• Global router age time 300 255
• Igmp snooping enable 255
• Last query interval 1 255
• Last query times 2 255
• Switch config if end 255
• Switch config ip igmp snooping 255
• Switch config ip igmp snooping report suppression 255
• Switch config show ip igmp snooping 255
• Switch configure 255
• The following example shows how to enable report message suppression 255
• Unknown multicast pass 255
• Configuring unknown multicast 256
• Enable port 256
• Enable vlan 256
• Global authentication accounting disable 256
• Global member age time 260 256
• Global report suppression disable 256
• Global router age time 300 256
• Igmp snooping enable 256
• Last query interval 1 256
• Last query times 2 256
• Switch config if end 256
• Switch config ip igmp snooping 256
• Switch config ip igmp snooping drop unknown 256
• Switch config show ip igmp snooping 256
• Switch configure 256
• Switch copy running config startup config 256
• The following example shows how to configure the switch to discard unknown multicast data 256
• Unknown multicast discard 256
• Configuring igmp snooping parameters on the port 257
• Configuring router port time and member port time 257
• Enable port 257
• Enable vlan 257
• Global authentication accounting disable 257
• Global member age time 200 257
• Global report suppression disable 257
• Global router age time 200 257
• Igmp snooping enable 257
• Last query interval 1 257
• Last query times 2 257
• Switch config ip igmp snooping 257
• Switch config ip igmp snooping mtime 200 257
• Switch config ip igmp snooping rtime 200 257
• Switch config show ip igmp snooping 257
• Switch configure 257
• The following example shows how to configure the global router port time and member port time as 200 seconds 257
• Unknown multicast pass 257
• Configuring fast leave 258
• Fa1 0 3 enable enable 258
• Port igmp snooping fast leave 258
• Switch config if end 258
• Switch config if ip igmp snooping 258
• Switch config if ip igmp snooping immediate leave 258
• Switch config if show ip igmp snooping interface fastethernet 1 0 3 basic config 258
• Switch config interface fasteternet 1 0 3 258
• Switch config ip igmp snooping 258
• Switch configure 258
• Switch copy running config startup config 258
• The following example shows how to enable fast leave on port 1 0 3 258
• Configuring max group and overflow action on the port 259
• Fa1 0 3 500 drop 259
• Port max groups overflow action 259
• Switch config if ip igmp snooping 259
• Switch config if ip igmp snooping max groups 500 259
• Switch config if ip igmp snooping max groups action drop 259
• Switch config if show ip igmp snooping interface fastethernet 1 0 3 max groups 259
• Switch config interface fasteternet 1 0 3 259
• Switch config ip igmp snooping 259
• Switch configure 259
• The following example shows how to configure the max group as 500 and the overflow action as drop on port 1 0 3 259
• Configuring igmp snooping last listener query 260
• Global authentication accounting disable 260
• Global member age time 260 260
• Global report suppression disable 260
• Global router age time 300 260
• Igmp snooping enable 260
• Last query interval 5 260
• Last query times 5 260
• Switch config if end 260
• Switch config ip igmp snooping 260
• Switch config ip igmp snooping last listener query count 5 260
• Switch config ip igmp snooping last listener query interval 5 260
• Switch config show ip igmp snooping 260
• Switch configure 260
• Switch copy running config startup config 260
• The following example shows how to configure the last listener query count as 5 and the last listener query interval as 5 seconds 260
• Unknown multicast pass 260
• Configuring igmp snooping parameters in the vlan 261
• Configuring router port time and member port time 261
• Dynamic router port none 261
• Enable port 261
• Enable vlan 261
• Member time 400 261
• Router time 500 261
• Static router port none 261
• Switch config end 261
• Switch config ip igmp snooping 261
• Switch config ip igmp snooping vlan config 2 3 mtime 400 261
• Switch config ip igmp snooping vlan config 2 3 rtime 500 261
• Switch config show ip igmp snooping vlan 2 261
• Switch configure 261
• Switch copy running config startup config 261
• The following example shows how to enable igmp snooping in vlan 2 and vlan 3 configure the router port time as 500 seconds and the member port time as 400 seconds 261
• Vlan id 2 261
• Configuring static router port 262
• Dynamic router port none 262
• Forbidden router port none 262
• Member time 0 262
• Member time 400 262
• Router time 0 262
• Router time 500 262
• Static router port none 262
• Switch config end 262
• Switch config ip igmp snooping 262
• Switch config ip igmp snooping vlan config 2 rport interface fastethernet 1 0 2 262
• Switch config show ip igmp snooping vlan 2 262
• Switch config show ip igmp snooping vlan 3 262
• Switch configure 262
• Switch copy running config startup config 262
• The following example shows how to enable igmp snooping in vlan 2 and configure port 1 0 2 as the static router port 262
• Vlan id 2 262
• Vlan id 3 262
• Configuring forbidden router port 263
• Dynamic router port none 263
• Forbidden router port fa1 0 4 6 263
• Forbidden router port none 263
• Member time 0 263
• Router time 0 263
• Static router port fa1 0 2 263
• Static router port none 263
• Switch config end 263
• Switch config ip igmp snooping 263
• Switch config ip igmp snooping vlan config 2 router ports forbidden interface fastethernet 1 0 4 6 263
• Switch config show ip igmp snooping vlan 2 263
• Switch configure 263
• Switch copy running config startup config 263
• The following example shows how to enable igmp snooping in vlan 2 and forbid port 1 0 4 6 from becoming router ports port 1 0 4 6 will drop all multicast data from layer 3 devices 263
• Vlan id 2 263
• 2 static fa1 0 9 10 264
• Configuring static multicast multicast ip and forward port 264
• Multicast ip vlan id addr type switch port 264
• Switch config end 264
• Switch config ip igmp snooping 264
• Switch config ip igmp snooping vlan config 2 static 226 interface fastethernet 1 0 9 10 264
• Switch config show ip igmp snooping groups static 264
• Switch configure 264
• Switch copy running config startup config 264
• The following example shows how to configure 226 as the static multicast ip and specify port 1 0 9 10 as the forward ports 264
• Configuring igmp snooping parameters in the multicast vlan 265
• Configuring router port time and member port time 265
• Dynamic router port none 265
• Forbidden router port none 265
• Member time 400 265
• Multicast vlan enable 265
• Replace source ip 0 265
• Router time 500 265
• Static router port none 265
• Switch config end 265
• Switch config ip igmp snooping 265
• Switch config ip igmp snooping multi vlan config 5 mtime 400 265
• Switch config ip igmp snooping multi vlan config 5 rtime 500 265
• Switch config show ip igmp snooping multi vlan 265
• Switch configure 265
• The following example shows how to configure vlan 5 as the multicast vlan set the router port time as 500 seconds and the member port time as 400 seconds 265
• Vlan id 5 265
• Configuring static router port 266
• Dynamic router port none 266
• Forbidden router port none 266
• Member time 260 266
• Multicast vlan enable 266
• Replace source ip 0 266
• Router time 300 266
• Static router port fa1 0 5 266
• Switch config end 266
• Switch config ip igmp snooping 266
• Switch config ip igmp snooping multi vlan config 5 rport interface fastethernet 1 0 5 266
• Switch config show ip igmp snooping multi vlan 266
• Switch configure 266
• Switch copy running config startup config 266
• The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 5 as the static router port 266
• Vlan id 5 266
• Configuring forbidden router port 267
• Dynamic router port none 267
• Forbidden router port fa1 0 6 267
• Member time 260 267
• Multicast vlan enable 267
• Replace source ip 0 267
• Router time 300 267
• Static router port none 267
• Switch config end 267
• Switch config ip igmp snooping 267
• Switch config ip igmp snooping multi vlan config 5 router ports forbidden interface fastethernet 1 0 6 267
• Switch config show ip igmp snooping multi vlan 267
• Switch configure 267
• Switch copy running config startup config 267
• The following example shows how to configure vlan 5 as the multicast vlan and set port 1 0 6 as the forbidden router port 267
• Vlan id 5 267
• Configuring replace source ip 268
• Dynamic router port none 268
• Forbidden router port none 268
• Member time 260 268
• Multicast vlan enable 268
• Replace source ip 192 68 268
• Router time 300 268
• Static router port none 268
• Switch config end 268
• Switch config ip igmp snooping 268
• Switch config ip igmp snooping multi vlan config 5 replace sourceip 192 68 268
• Switch config show ip igmp snooping multi vlan 268
• Switch configure 268
• Switch copy running config startup config 268
• The following example shows how to configure vlan 5 as the multicast vlan and replace the source ip in the igmp packets sent by the switch with 192 68 268
• Vlan id 5 268
• Configuring query interval max response time and general query source ip 269
• Configuring the querier 269
• Enabling igmp querier 269
• General query source ip 192 68 269
• Maximum response time 10 269
• Query interval 60 269
• Switch config end 269
• Switch config ip igmp snooping 269
• Switch config ip igmp snooping querier vlan 4 269
• Switch config show ip igmp snooping querier 269
• Switch configure 269
• Switch copy running config startup config 269
• The following example shows how to enable igmp snooping and igmp querier in vlan 4 269
• Vlan 4 269
• General query source ip 192 68 270
• Maximum response time 20 270
• Query interval 100 270
• Switch config end 270
• Switch config ip igmp snooping 270
• Switch config ip igmp snooping querier vlan 4 general query source ip 192 68 270
• Switch config ip igmp snooping querier vlan 4 max response time 20 270
• Switch config ip igmp snooping querier vlan 4 query interval 100 270
• Switch config show ip igmp snooping querier 270
• Switch configure 270
• Switch copy running config startup config 270
• The following example shows how to enable igmp snooping and igmp querier in vlan 4 set the query interval as 100 seconds the max response time as 20 seconds and the general query source ip as 192 68 270
• Vlan 4 270
• Configuring multicast filtering 271
• Creating profile 271
• Igmp profile 1 271
• Switch config igmp profile deny 271
• Switch config igmp profile range 226 226 0 271
• Switch config igmp profile show ip igmp profile 271
• Switch config ip igmp profile 1 271
• Switch config ip igmp snooping 271
• Switch configure 271
• The following example shows how to configure profile 1 so that the switch filters multicast data sent to 226 226 0 271
• Binding profile to the port 272
• Igmp profile 1 272
• Range 226 226 0 272
• Switch config end 272
• Switch config if ip igmp filter 1 272
• Switch config if ip igmp snooping 272
• Switch config if show ip igmp profile 272
• Switch config igmp profile deny 272
• Switch config igmp profile exit 272
• Switch config igmp profile range 226 226 0 272
• Switch config interface fastethernet 1 0 2 272
• Switch config ip igmp profile 1 272
• Switch config ip igmp snooping 272
• Switch configure 272
• Switch copy running config startup config 272
• The following example shows how to bind profile 1 to port 1 0 2 so that port 1 0 2 filters multicast data sent to 226 226 0 272
• Using the cli 274
• Using the gui 274
• Viewing ipv4 multicast snooping configurations 274
• Viewing multicast snooping configurations 274
• Configuration examples 276
• Configuration scheme 276
• Example for configuring basic igmp snooping 276
• Network requirements 276
• Using the gui 277
• Vlan config to load the following page create vlan 10 and add untagged port 1 0 1 3 and tagged port 1 0 4 to vlan 10 278
• Using the cli 280
• Verify the configurations 281
• Configuration scheme 282
• Example for configuring multicast vlan 282
• Network requirements 282
• Network topology 282
• Demonstrated with t1500 28pct this section provides configuration procedures in two ways using the gui and using the cli 283
• Internet 283
• Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields 283
• Using the gui 283
• Snooping config to load the following page enable igmp snooping on port 1 0 1 4 284
• Using the cli 286
• Verify the configurations 287
• Example for configuring unknown multicast and fast leave 288
• Network requirement 288
• Configuration scheme 289
• Using the gui 289
• Vlan config to load the following page enable igmp snooping in vlan 10 291
• Using the cli 292
• Verify the configurations 292
• Configuration scheme 293
• Example for configuring multicast filtering 293
• Network requirements 293
• Network topology 293
• Demonstrated with t1500 28pct this section provides configuration procedures in two ways using the gui and using the cli 294
• Internet 294
• Snooping config to load the following page enable igmp snooping globally and keep the default values in the router port time and member port time fields 294
• Using the gui 294
• Snooping config to load the following page 295
• Using the cli 301
• Verify the configurations 303
• Appendix default parameters 304
• Default parameters for igmp snooping 304
• Chapters 305
• Configuring qos 305
• Part 10 305
• Bandwidth control 306
• Diffserv 306
• Overview 306
• Supported features 306
• Configuration guidelines 307
• Diffserv configuration 307
• Click apply 308
• Configuring 802 p priority 308
• Configuring priority mode 308
• Enable 802 p priority and click apply 308
• Enable 802 p priority and configure the tag id cos id tc mapping relations 308
• Follow these steps to configure the 802 p priority 308
• P priority to load the following page 308
• The instructions of the three priority modes are described respectively in this section 308
• Using the gui 308
• Configuring schedule mode 310
• Click apply 311
• Configuring 802 priority 311
• Configuring priority mode 311
• Follow these steps to configure the schedule mode 311
• Select a schedule mode 311
• The instructions of the three priority modes are described respectively in this section 311
• Using cli 311
• Dscp priority is disabled 312
• P priority is enabled 312
• Switch config end 312
• Switch config qos queue cos map 2 0 312
• Switch config show qos cos map 312
• Switch config show qos status 312
• Switch configure 312
• Switch copy running config startup config 312
• Tag 0 1 2 3 4 5 6 7 312
• Tc tc1 tc0 tc0 tc1 tc2 tc2 tc3 tc3 312
• The following example shows how to map cos2 to tc0 and keep other cos id tc as default 312
• Configuring dscp priority 313
• Switch config qos queue dscp map 10 14 0 313
• Switch config show qos cos map 313
• Switch configure 313
• Tag 0 1 2 3 4 5 6 7 313
• Tc tc1 tc0 tc0 tc1 tc2 tc2 tc3 tc3 313
• The following example shows how to map dscp values 10 14 to tc0 and keep other mapping relations as default 313
• Configuring port priority 314
• Cos tc 0 tc 0 tc 0 tc 0 tc 0 tc 0 tc 0 tc 0 314
• Dscp 8 9 10 11 12 13 14 15 314
• Dscp priority is enabled 314
• P priority is disabled 314
• Select the desired port to set the priority packets from this ingress port are mapped to the tc queue based on port priority 314
• Switch config end 314
• Switch config show qos dscp map 314
• Switch config show qos status 314
• Switch copy running config startup config 314
• Configuring schedule mode 315
• Fa1 0 1 tc 0 n a 315
• Fa1 0 2 tc 0 n a 315
• Fa1 0 3 tc 0 n a 315
• Follow these steps to configure the schedule mode to control the forwarding sequence of different tc queues when congestion occurs 315
• Port tc value lag 315
• Switch config if range end 315
• Switch config if range qos 0 315
• Switch config if range show qos interface fastethernet 1 0 1 3 315
• Switch config interface range fastethernet 1 0 1 3 315
• Switch configure 315
• Switch copy running config startup config 315
• The following example shows how to map port 1 3 to tc1 and keep other mapping relations as default 315
• Schedule mode wrr weight tc0 1 tc1 2 tc2 4 tc3 8 316
• Switch config end 316
• Switch config qos queue mode wrr 316
• Switch config show qos queue mode 316
• Switch configure 316
• Switch copy running config startup config 316
• The following example shows how to configure the schedule mode as wrr 316
• Bandwidth control configuration 317
• Configuring rate limit 317
• Using the gui 317
• Click apply 318
• Configuring storm control 318
• Follow these steps to configure the storm control function 318
• Select the port s and configure the upper rate limit for forwarding broadcast packets multicast packets and ul frames 318
• Storm control to load the following page 318
• Click apply 319
• Configure the upper rate limit for the port to receive and send packets 319
• Configuring rate limit on port 319
• Using the cli 319
• Configure the upper rate limit on the port for forwarding broadcast packets multicast packets and unknown unicast frames 320
• Configuring storm control 320
• Fa1 0 5 5120 1024 n a 320
• Port ingressrate kbps egressrate kbps lag 320
• Switch config if bandwidth ingress 5120 egress 1024 320
• Switch config if end 320
• Switch config if show bandwidth interface fastethernet 1 0 5 320
• Switch config interface fastethernet 1 0 5 320
• Switch configure 320
• Switch copy running config startup config 320
• The following example shows how to configure the ingress rate as 5120 kbps and egress rate as 1024 kbps for port 1 0 5 320
• Fa1 0 5 kbps 10240 kbps 0 kbps 0 n a 321
• Port bcrate mcate ulrate lag 321
• Switch config if end 321
• Switch config if show storm control interface fastethernet 1 0 5 321
• Switch config if storm control broadcast kbps 10240 321
• Switch config interface fastethernet 1 0 5 321
• Switch configure 321
• Switch copy running config startup config 321
• The following example shows how to configure the upper rate limit of broadcast packets as 10240 kbps on port 1 0 5 321
• Configuration examples 322
• Configuration scheme 322
• Example for configuring sp mode 322
• Network requirements 322
• Using the cli 323
• Using the gui 323
• Example for configuring wrr mode 324
• Network requirements 324
• Verify the configuration 324
• Configuration scheme 325
• Configure switch a to add different vlan tags to the packets from the two departments respectively 325
• Configure switch b to classify the incoming packets from the two departments according to the vlan tags and to map them into different tc queues configure the schedule mode as wrr mode to implement the qos feature 325
• Server is connected to port 1 0 2 of switch b and port 1 0 3 of switch a is connected to port 1 0 1 of switch b 325
• This chapter provides configuration procedures in two ways using the gui and using the cli 325
• Using the gui 325
• Vlan binding bind policy rd and policy marketing to vlan10 and vlan 20 respectively 333
• Using the cli 334
• Verify the configuration 336
• Appendix default parameters 338
• Bandwidth control 338
• Diffserv 338
• Disabled see table 5 2 for tag id cos id tc mapping relations 338
• Disabled see table 5 3 for dscp tc mapping relations 338
• Chapters 339
• Configuring voice vlan 339
• Part 11 339
• Overview 340
• Configuration guidelines 342
• Voice vlan configuration 342
• Click create to add an oui address to the table 343
• Enter an oui address and the corresponding mask and give a description about the oui address 343
• Follow these steps to add oui addresses 343
• If the oui address of your voice device is not in the oui table you need to add the oui address to the table 343
• Optional configuring oui addresses 343
• Oui config to load the following page 343
• Using the gui 343
• Click apply 344
• Configuring voice vlan globally 344
• Enable the voice vlan feature and enter a vlan id 344
• Follow these steps to configure the voice vlan globally 344
• Global config to load the following page 344
• Set the aging time for the voice vlan 344
• Specify a priority for the voice vlan 344
• Configuring voice vlan mode on ports 345
• Follow these steps to configure voice vlan mode on ports 345
• Port config to load the following page 345
• Select your desired ports and choose the port mode 345
• Set the security mode for selected ports 345
• Click apply 346
• Follow these steps to configure the voice vlan 346
• Using the cli 346
• Configuration example 349
• Configuration scheme 349
• Network requirements 349
• Network topology 349
• Configurations for switch a 350
• Demonstrated with t1500 28pct this chapter provides configuration procedures in two ways using the gui and using the cli 350
• In the meeting room computers and ip phones are connected to different ports of switch b ports connected to ip phones use the voice vlan for voice traffic and ports connected to computers use the default vlan for data traffic 350
• Internet 350
• Using the gui 350
• Vlan config and click create to load the following page create vlan 10 350
• Voice traffics from switch a and switch b are forwarded to voice gateway and internet through switch c 350
• Using the cli 358
• Verify the configurations 360
• Appendix default parameters 362
• Default settings of voice vlan are listed in the following tables 362
• Chapters 363
• Configuring poe 363
• Part 12 363
• Overview 364
• Poe power management 364
• Supported features 364
• Time range function 364
• Configuring the poe parameters manually 365
• Poe power management configurations 365
• Using the gui 365
• In the port config section select the port you want to configure and specify the parameters click apply 366
• Click apply 367
• Configuring the poe parameters using the profile 367
• Creating a poe profile 367
• Follow these steps to create a poe profile 367
• In the create poe profile section specify the desired configurations of the profile 367
• Poe profile to load the following page 367
• Binding the profile to the corresponding ports 368
• Follow these steps to bind the profile to the corresponding ports 368
• In the global config section specify the system power limit and click apply 368
• In the port config section select a profile and bind it to the corresponding ports click apply 368
• Configuring the poe parameters manually 369
• Follow these steps to configure the basic poe parameters 369
• Using the cli 369
• Fa1 0 5 enable middle class3 no limit none 370
• Interface poe status poe prio power limit w time range poe profile 370
• Switch config if power inline consumption class3 370
• Switch config if power inline priority middle 370
• Switch config if power inline supply enable 370
• Switch config if show power inline 370
• Switch config if show power inline configuration interface fastethernet 1 0 5 370
• Switch config interface fastethernet 1 0 5 370
• Switch config power inline consumption 160 370
• Switch configure 370
• System power consumption 0 w 370
• System power limit 160 w 370
• System power remain 160 w 370
• The following example shows how to set the system power limit as 160w set the priority as middle and set the power limit as class3 in the port 1 0 5 370
• Configuring the poe parameters using the profile 371
• Fa1 0 5 1 26 53 class 2 on 371
• Follow these steps to configure the poe profile 371
• Interface power w current ma voltage v pd class power status 371
• Switch config end 371
• Switch config if show power inline information interface fastethernet 1 0 5 371
• Switch copy running config startup config 371
• Creating a time range 373
• Time range function configurations 373
• Using the gui 373
• Click apply 374
• In the add absolute or periodic section specify the parameters and click add 374
• When the absolute mode is selected the following section will be shown 374
• When the periodic mode is selected the following section will be shown 374
• Configuring the holiday parameters 375
• Viewing the time range table 375
• Configuring a time range 376
• Follow these steps to create a time range 376
• Using the cli 376
• 01 00 to 23 00 on 5 377
• 09 08 2016 00 00 to 09 10 2016 24 00 377
• Holiday include 377
• Number of absolute time 1 377
• Number of periodic time 1 377
• Switch config power time range time range1 377
• Switch config show power time range time range1 377
• Switch config time range absolute from 09 08 2016 00 00 to 09 10 2016 24 00 377
• Switch config time range exit 377
• Switch config time range holiday include 377
• Switch config time range periodic start 01 00 end 23 00 day of the week 5 377
• Switch configure 377
• The following example shows how to create a time range named time range1 select include to make the settings take affected on holiday set absolute mode from 2016 09 08 00 00 to 2016 09 10 24 00 set the periodic mode from 01 00 to 23 00 in friday bind the time range to the port 1 0 7 377
• Time range entry time range1 active 377
• Configuring the holiday parameters 378
• Follow these steps to configure the holiday parameters 378
• Holiday1 08 6 08 0 378
• Index holiday name start end 378
• Switch config end 378
• Switch config if end 378
• Switch config if power inline time range time range1 378
• Switch config interface fastethernet 1 0 7 378
• Switch config power holiday holiday1 start date 08 16 end date 08 20 378
• Switch config show power holiday 378
• Switch configure 378
• Switch copy running config startup config 378
• The following example shows how to create a holiday named holiday1 set the starting date as 08 16 set the ending date as 08 20 378
• 01 01 2000 00 00 to 12 31 2099 24 00 by default 379
• 08 30 to 18 00 on 1 2 3 4 5 379
• Holiday include 379
• Number of absolute time 0 379
• Number of periodic time 1 379
• On privileged exec mode or any other configuration mode you can use the following command to view the time range table 379
• Switch copy running config startup config 379
• Switch end 379
• Switch show power time range 379
• The following example shows how to view the time range table 379
• Time range entry office time active 379
• Viewing the time range table 379
• Configuring scheme 380
• Example for poe configurations 380
• Network requirements 380
• Using the gui 380
• Using the cli 382
• Verify the configuration 383
• Appendix default parameters 384
• Chapters 385
• Configuring acl 385
• Part 13 385
• Acl binding 386
• Overview 386
• Policy binding 386
• Supported features 386
• Acl configurations 387
• Creating an acl 387
• Using the gui 387
• Configuring acl rules 388
• Click apply 389
• Configure the rule s packet matching criteria 389
• Configuring the standard ip acl rule 389
• Follow these steps to create the standard ip acl rule 389
• Select a standard ip acl from the drop down list enter a rule id and specify the operation for the matched packets 389
• Standard i 389
• Standard ip acl to load the following page 389
• Tandard i 389
• Click apply 390
• Configure the rule s packet matching criteri 390
• Configure the rule s packet matching criteria 390
• Configuring the extend ip acl rule 390
• Extend ip ac 390
• Extend ip acl to load the following page 390
• Follow these steps to create the extend ip acl rule 390
• Select an extend ip acl from the drop down list enter a rule id and specify the operation for the matched packets 390
• Configuring policy 391
• Configuring the acl binding 392
• Configuring the acl binding and policy binding 392
• Verifying the binding configuration 395
• Configuring acl 397
• Configuring the mac acl 397
• Follow the steps to create different types of acl and configure the acl rules 397
• Using the cli 397
• You can define the rules based on source or destination ip addresses source or destination mac addresses protocol type and so on 397
• Configuring the standard ip acl 398
• Mac access list 50 398
• Rule 1 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff 398
• Switch config mac access list 50 398
• Switch config mac acl end 398
• Switch config mac acl rule 1 permit smac 00 34 a2 d4 34 b5 smask ff ff ff ff ff ff 398
• Switch config mac acl show access list 50 398
• Switch configure 398
• Switch copy running config startup config 398
• The following example shows how to create mac acl 50 and configure rule 1 to permit packets with source mac address 00 34 a2 d4 34 b5 398
• Configuring the extend ip acl 399
• Rule 1 permit sip 192 68 00 smask 255 55 55 55 399
• Standard ip access list 600 399
• Switch config access list create 600 399
• Switch config end 399
• Switch config rule 1 permit sip 192 68 00 smask 255 55 55 55 399
• Switch config show access list 600 399
• Switch configure 399
• Switch copy running config startup config 399
• The following example shows how to create standard ip acl 600 and configure rule 1 to permit packets with source ip address 192 68 00 399
• Extended ip access list 1700 400
• Rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23 400
• Switch config access list create 1700 400
• Switch config access list extended 1700 rule 7 deny sip 192 68 00 smask 255 55 55 55 protocol 6 d port 23 400
• Switch config end 400
• Switch config show access list 1700 400
• Switch configure 400
• Switch copy running config startup config 400
• The following example shows how to create extend ip acl 1700 and configure rule7 to deny telnet packets with source ip192 68 00 400
• Access list 600 401
• Configuring policy 401
• Follow the steps below to create a policy and configure the policy actions 401
• Policy name rd 401
• Switch config access list policy action rd 600 401
• Switch config access list policy name rd 401
• Switch config action exit 401
• Switch config end 401
• Switch config show access list policy rd 401
• Switch configure 401
• Switch copy running config startup config 401
• The following example shows how to create policy rd and apply acl 600 to policy rd 401
• Acl binding 402
• Acl binding and policy binding 402
• Switch config if access list bind acl 1 402
• Switch config if access list bind acl 2 402
• Switch config if exit 402
• Switch config if show access list bind 402
• Switch config interface fastethernet 1 0 3 402
• Switch config interface vlan 4 402
• Switch configure 402
• The following example shows how to bind acl 1 to port 3 and acl 2 to vlan 4 402
• You can bind the acl to a port or a vlan the received packets will then be matched and processed according to the acl rules 402
• You can select acl binding or policy binding according to your needs an acl rule and policy takes effect only after they are bound to a port or vlan 402
• Configuration example for acl 405
• Configuration scheme 405
• Network requirements 405
• Network topology 405
• Using the gui 406
• Extend acl to load the the following page configure rule 2 and rule 3 to permit packets with source ip 10 0 0 and destination port tcp 80 http service port and udp 443 https service port 407
• Using the cli 410
• Verify the configurations 411
• Appendix default parameters 412
• For extend ip acl 412
• For mac acl 412
• For standard ip acl 412
• Chapters 413
• Configuring network security 413
• Part 14 413
• Dhcp snooping 414
• Ip mac binding 414
• Network security 414
• Overview 414
• Supported features 414
• Arp inspection 415
• Dos defend 416
• Binding entries manually 418
• Ip mac binding configurations 418
• Using the gui 418
• Arp scanning 419
• Binding entries dynamically 419
• Click bind 419
• Select protect type for the entry 419
• Select the port that is connected to this host 419
• The binding entries can be dynamically learned from arp scanning and dhcp snooping 419
• With arp scanning the switch sends the arp request packets of the specified ip field to the hosts upon receiving the arp reply packet the switch can get the ip address mac address vlan id and the connected port number of the host you can bind these entries conveniently 419
• Arp scanning to load the following page 420
• Follow these steps to configure ip mac binding via arp scanning 420
• In the scanning option section specify an ip address range and a vlan id then click scan to scan the entries in the specified ip address range and vlan 420
• In the scanning result section select one or more entries and configure the relevant parameters then click apply 420
• Binding table to load the following page 421
• Dhcp snooping 421
• For instructions on how to configure dhcp snooping refer to dhcp snooping configurations 421
• In the search section specify the search criteria to search your desired entries 421
• Viewing the binding entries 421
• With dhcp snooping enabled the switch can monitor the ip address obtaining process of the host and record the ip address mac address vlan id and the connected port number of the host 421
• With the binding table you can view and search the specified binding entries 421
• Binding entries manually 422
• Binding entries via arp scanning is not supported by the cli binding entries via dhcp snooping is introduced in dhcp snooping configurations the following sections introduce how to bind entries manually and view the binding entries 422
• Follow these steps to manually bind entries 422
• In the binding table section you can view the searched entries additionally you can configure the host name and protect type for one or more entries and click apply 422
• Using the cli 422
• You can manually bind the ip address mac address vlan id and the port number together on the condition that you have got the related information of the hosts 422
• Host1 192 68 5 aa bb cc dd ee ff 10 fa1 0 5 arp d 423
• Switch config end 423
• Switch config ip source binding host1 192 68 5 aa bb cc dd ee ff vlan 10 interface fastethernet 1 0 5 arp detection 423
• Switch config show ip source binding 423
• Switch configure 423
• Switch copy running config startup config 423
• The following example shows how to bind an entry with the hostname host1 ip address 192 68 5 mac address aa bb cc dd ee ff vlan id 10 port number 1 0 5 and enable this entry for the arp detection feature 423
• U no host ip addr mac addr vid port acl col 423
• On privileged exec mode or any other configuration mode you can use the following command to view binding entries 424
• Viewing binding entries 424
• Dhcp snooping configuration 425
• Enabling dhcp snooping on vlan 425
• Using the gui 425
• Click apply 426
• Configuring dhcp snooping on ports 426
• Follow these steps to configure dhcp snooping on the specified port 426
• Port config to load the following page 426
• Select one or more ports and configure the parameters 426
• Click apply 427
• Follow these steps to configure option 82 427
• Option 82 config to load the following page 427
• Option 82 records the location of the dhcp client the switch can add option 82 to the dhcp request packet and then transmit the packet to the dhcp server administrators can check the location of the dhcp client via option 82 the dhcp server supporting option 82 can also set the distribution policy of ip addresses and other parameters providing a more flexible address distribution way 427
• Optional configuring option 82 427
• Select one or more ports and configure the parameters 427
• Click apply 428
• Enabling dhcp snooping on vlan 428
• Follow these steps to globally configure dhcp snooping 428
• Using the cli 428
• Configuring dhcp snooping on ports 429
• Follow these steps to configure dhcp snooping on the specified ports 429
• Global status enable 429
• Switch config end 429
• Switch config ip dhcp snooping 429
• Switch config ip dhcp snooping vlan 5 429
• Switch config show ip dhcp snooping 429
• Switch configure 429
• Switch copy running config startup config 429
• The following example shows how to enable dhcp snooping globally and on vlan 5 429
• Vlan id 5 429
• Fa1 0 1 enable enable 10 20 n a 430
• Interface trusted mac verify limit rate dec rate lag 430
• Switch config if end 430
• Switch config if ip dhcp snooping decline rate 20 430
• Switch config if ip dhcp snooping limit rate 10 430
• Switch config if ip dhcp snooping mac verify 430
• Switch config if ip dhcp snooping trust 430
• Switch config if show ip dhcp snooping interface fastethernet 1 0 1 430
• Switch config interface fastethernet 1 0 1 430
• Switch configure 430
• Switch copy running config startup config 430
• The following example shows how to configure port 1 0 1 as a trusted port enable the mac verify feature and set the limit rate as 10 pps and decline rate as 20 pps on this port 430
• Follow these steps to configure option 82 431
• Option 82 records the location of the dhcp client the switch can add the option 82 to the dhcp request packet and then transmit the packet to the dhcp server administrators can check the location of the dhcp client via option 82 the dhcp server supporting option 82 can also set the distribution policy of ip addresses and other parameters providing more flexible address distribution way 431
• Optional configuring option 82 431
• Arp inspection configurations 433
• Configuring arp detection 433
• Using the gui 433
• Arp defend to load the following page 434
• Click apply 434
• Configuring arp defend 434
• Follow these steps to configure arp defend 434
• Select one or more ports and configure the parameters 434
• With arp defend enabled the switch can terminate receiving the arp packets for 300 seconds when the transmission speed of the legal arp packet on the port exceeds the defined value so as to avoid arp attack flood 434
• Click apply 435
• Viewing arp statistics 435
• You can view the number of the illegal arp packets received on each port which facilitates you to locate the network malfunction and take the related protection measures 435
• Arp detection global status enabled 437
• Configuring arp detection 437
• Follow these steps to configure arp detection 437
• Switch config if ip arp inspection trust 437
• Switch config if show ip arp inspection 437
• Switch config interface fastethernet 1 0 1 437
• Switch config ip arp inspection 437
• Switch configure 437
• The arp detection feature allows the switch to detect the arp packets basing on the binding entries in the ip mac binding table and filter the illegal arp packets before configuring arp detection complete ip mac binding configuration for details refer to ip mac binding configurations 437
• The following example shows how to globally enable arp detection and configure port 1 0 1 as a trusted port 437
• Using the cli 437
• Configuring arp defend 438
• Fa1 0 1 yes 438
• Fa1 0 2 no 438
• Follow these steps to configure arp defend 438
• Port trusted 438
• Switch config if end 438
• Switch copy running config startup config 438
• The following example shows how to enable arp defend and configure the arp inspection limit rate as 20 pps on port 1 0 2 438
• With arp defend enabled the switch can terminate receiving the arp packets for 300 seconds when the transmission speed of the legal arp packet on the port exceeds the defined value so as to avoid arp attack flood 438
• Viewing arp statistics 439
• Dos defend configuration 440
• Dos defend to load the following page 440
• Follow these steps to configure dos defend 440
• In the configure section enable dos protection 440
• In the defend table section select one or more defend types according to your needs the following table introduces each type of dos attack 440
• Using the gui 440
• Click apply 441
• Follow these steps to configure dos defend 441
• Using the cli 441
• Configuring the radius server 444
• Using the gui 444
• X configuration 444
• Adding the radius server 445
• Click apply 445
• Configuring the radius server group 445
• Follow these steps to create a protocol template 445
• In the server config section configure the parameters of radius server 445
• Radius config to load the following page 445
• You can configure the radius servers for authentication and accounting if multiple radius servers are available you are suggested to add them to different server groups respectively for authentication and accounting 445
• Configuring 802 x globally 448
• Follow these steps to configure 802 x global parameters 448
• Global config to load the following page 448
• In the global config section enable 802 x globally and click apply 448
• In the authentication config section enable quiet configure the quiet timer and click apply 449
• Configure 802 x authentication on the desired port and click apply 450
• Configuring 802 x on ports 450
• Port config to load the following page 450
• Configuring the radius server 451
• Follow these steps to configure radius 451
• Using the cli 451
• The following example shows how to enable aaa add a radius server to the server group named radius1 and apply this server group to the 802 x authentication the ip address of the radius server is 192 68 00 the shared key is 123456 the authentication port is 1812 the accounting port is 1813 452
• Configuring 802 x globally 453
• Authentication method pap 455
• Configuring 802 x on ports 455
• Follow these steps to configure the port 455
• Guest vlan id n a 455
• Guest vlan state disable 455
• Handshake state enabled 455
• Max retry times for radius packet 3 455
• Quiet period state disable 455
• Quiet period timer 10 sec 455
• Supplicant timeout 3 sec 455
• Switch config dot1x auth method pap 455
• Switch config dot1x system auth control 455
• Switch config end 455
• Switch config show dot1x global 455
• Switch configure 455
• Switch copy running config startup config 455
• The following example shows how to enable 802 x authentication configure pap as the authentication method and keep other parameters as default 455
• X accounting state disable 455
• X state enabled 455
• Switch config if dot1x 456
• Switch config if dot1x port control auto 456
• Switch config if dot1x port method port based 456
• Switch config if show dot1x interface fastethernet 1 0 2 456
• Switch config interface fastethernet 1 0 2 456
• Switch configure 456
• The following example shows how to enable 802 x authentication on port 1 0 2 configure the control type as port based and configure the control mode as auto 456
• Aaa configuration 458
• Configuration guidelines 458
• Adding servers 459
• Globally enabling aaa 459
• Using the gui 459
• Adding tacacs server 460
• Click add to add the radius server on the switch 460
• Follow these steps to add a tacacs server 460
• In the server config section configure the following parameters 460
• Tacacs conifg to load the following page 460
• Configuring server groups 461
• Configuring the method list 462
• Click add to add the new method 463
• Click apply 463
• Configuring the aaa application list 463
• Follow these steps to configure the aaa application list 463
• Global config to load the following page 463
• In the aaa application list section select an access application and configure the login list and enable list 463
• In the add method list section configure the parameters for the method to be added 463
• Configuring login account and enable password 464
• Aaa global status enable 465
• Adding radius server 465
• Adding servers 465
• Follow these steps to add radius server on the switch 465
• Follow these steps to globally enable aaa 465
• Globally enabling aaa 465
• Switch config aaa enable 465
• Switch config end 465
• Switch config show aaa global 465
• Switch configure 465
• Switch copy running config startup config 465
• The following example shows how to globally enable aaa 465
• Using the cli 465
• You can add one or more radius tacacs servers on the switch for authentication if multiple servers are added the server with the highest priority authenticates the users trying to access the switch and the others act as backup servers in case the first one breaks down 465
• 68 0 1812 1813 8 3 123456 466
• Server ip auth port acct port timeout retransmit shared key 466
• Switch config end 466
• Switch config radius server host 192 68 0 auth port 1812 timeout 8 retransmit 3 key 123456 466
• Switch config show radius server 466
• Switch configure 466
• The following example shows how to add a radius server on the switch set the ip address of the server as 192 68 0 the authentication port as 1812 the shared key as 123456 the timeout as 8 seconds and the retransmit number as 3 466
• 68 0 49 8 123456 467
• Adding tacacs server 467
• Follow these steps to add tacacs server on the switch 467
• Server ip port timeout shared key 467
• Switch config end 467
• Switch config show tacacs server 467
• Switch config tacacs server host 192 68 0 auth port 49 timeout 8 key 123456 467
• Switch configure 467
• Switch copy running config startup config 467
• The following example shows how to add a tacacs server on the switch set the ip address of the server as 192 68 0 the authentication port as 49 the shared key as 123456 and the timeout as 8 seconds 467
• Configuring server groups 468
• Switch aaa group server 192 68 0 468
• Switch aaa group show aaa group radius1 468
• Switch config aaa group radius radius1 468
• Switch configure 468
• Switch copy running config startup config 468
• The following example shows how to create a radius server group named radius1 and add the existing two radius servers whose ip address is 192 68 0 and 192 68 0 to the group 468
• The switch has two built in server groups one for radius and the other for tacacs the servers running the same protocol are automatically added to the default server group you can add new server groups as needed 468
• The two default server groups cannot be deleted or edited follow these steps to add a server group 468
• A method list describes the authentication methods and their sequence to authenticate the users the switch supports login method list for users of all types to gain access to the switch and enable method list for guests to get administrative privileges 469
• Configuring the method list 469
• Follow these steps to configure the method list 469
• Switch aaa group end 469
• Switch config aaa authentication login login1 radius local 469
• Switch config show aaa authentication login 469
• Switch configure 469
• Switch copy running config startup config 469
• The following example shows how to create a login method list named login1 and configure the method 1 as the default radius server group and the method 2 as local 469
• Configuring the aaa application list 470
• Console 470
• Default local 470
• Enable1 radius local 470
• Follow these steps to apply the login and enable method lists for the application console 470
• Login1 radius local 470
• Methodlist pri1 pri2 pri3 pri4 470
• Switch config aaa authentication enable enable1 radius local 470
• Switch config end 470
• Switch config show aaa authentication enable 470
• Switch configure 470
• Switch copy running config startup config 470
• The following example shows how to create an enable method list named enable1 and configure the method 1 as the default radius server group and the method 2 as local 470
• You can configure authentication method lists on the following access applications console telnet ssh and http 470
• Console login1 enable1 471
• Follow these steps to apply the login and enable method lists for the application telnet 471
• Http default default 471
• Module login list enable list 471
• Ssh default default 471
• Switch config line console 0 471
• Switch config line enable authentication enable1 471
• Switch config line end 471
• Switch config line login authentication login1 471
• Switch config line show aaa global 471
• Switch configure 471
• Switch copy running config startup config 471
• Telnet 471
• Telnet default default 471
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application console 471
• Console default default 472
• Follow these steps to apply the login and enable method lists for the application ssh 472
• Http default default 472
• Module login list enable list 472
• Ssh default default 472
• Switch config line enable authentication enable1 472
• Switch config line end 472
• Switch config line login authentication login1 472
• Switch config line show aaa global 472
• Switch config line telnet 472
• Switch configure 472
• Switch copy running config startup config 472
• Telnet login1 enable1 472
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application telnet 472
• Console default default 473
• Http default default 473
• Module login list enable list 473
• Ssh login1 enable1 473
• Switch config line enable authentication enable1 473
• Switch config line end 473
• Switch config line login authentication login1 473
• Switch config line show aaa global 473
• Switch config line ssh 473
• Switch configure 473
• Switch copy running config startup config 473
• Telnet default default 473
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application ssh 473
• Console default default 474
• Follow these steps to apply the login and enable method lists for the application http 474
• Http login1 enable1 474
• Module login list enable list 474
• Ssh default default 474
• Switch config end 474
• Switch config ip http enable authentication enable1 474
• Switch config ip http login authentication login1 474
• Switch config show aaa global 474
• Switch configure 474
• Switch copy running config startup config 474
• Telnet default default 474
• The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application http 474
• Configuring login account and enable password 475
• For enable password configuration 475
• For login authentication configuration more than one login account can be created on the server besides both the user name and password can be customized 475
• On the server 475
• On the switch 475
• Some configuration principles on the server are as follows 475
• The accounts created by the radius tacacs server can only view the configurations and some network information without the enable password 475
• The local username and password for login can be configured in the user management feature for details refer to managing system 475
• The login account and enable password can be configured locally on the switch or centrally on the radius tacacs server s 475
• To configure the local enable password for getting administrative privileges follow these steps 475
• Configuration examples 477
• Configuration scheme 477
• Example for dhcp snooping and arp detection 477
• Network requirements 477
• Using the gui 478
• Using the cli 481
• Verify the configuration 482
• Configuration scheme 483
• Example for 802 x 483
• Network requirements 483
• As shown in the following figure switch a acts as the authenticator port 1 0 1 is connected to the client port 1 0 2 is connected to the radius server and port 1 0 3 is connected to the internet 484
• Demonstrated with t1500 28pct acting as the authenticator the following sections provide configuration procedure in two ways using the gui and using the cli 484
• Global config to load the following page enable aaa function globally on the switch 484
• Internet 484
• Network topology 484
• Radius config to load the following page configure the parameters of the radius server 484
• Using the gui 484
• Using the cli 487
• Verify the configurations 488
• Example for aaa 489
• Network requirements 489
• Configuration scheme 490
• Using the gui 490
• Using the cli 493
• Verify the configuration 494
• Appendix default parameters 496
• Default settings of network security are listed in the following tables 496
• Chapters 503
• Configuring snmp rmon 503
• Part 15 503
• Snmp overview 504
• Snmp simple network management protocol is a standard network management protocol widely used on tcp ip networks it facilitates device management using nms network management system software with snmp network managers can view or modify network device information and troubleshoot according to notifications sent by those devices in a timely manner 504
• The device supports three snmp versions snmpv1 snmpv2c and snmpv3 table 1 1 lists features supported by different snmp versions and table 1 2 shows corresponding application scenarios 504
• Snmp configurations 505
• Creating an snmp view 506
• Enabling snmp 506
• Using the gui 506
• Create an snmp group and configure related parameters 507
• Creating an snmp group 507
• Set the view name and one mib variable that is related to the view choose the view type and click create to add the view entry 507
• Follow these steps to create an snmp group 508
• Set the group name and security model if you choose snmpv3 as the security model you need to further configure security level 508
• Set the read write and notify view of the snmp group click create 508
• Snmp group to load the following page 508
• Creating snmp users 509
• Follow these steps to create an snmp user 509
• Snmp user to load the following page 509
• Specify the user name user type and the group which the user belongs to set the security model according to the related parameters of the specified group if you choose snmpv3 you need to configure the security level 509
• Click create 510
• Creating snmp communities 510
• If you have chosen authnopriv or authpriv as the security level you need to set corresponding auth mode or privacy mode if not skip the step 510
• If you want to use snmpv1 or snmpv2c as the security model you can create snmp communities directly 510
• Enabling snmp 511
• Set the community name access rights and the related view click create 511
• Snmp community to load the following page 511
• Using the cli 511
• Bad snmp version errors 512
• Encoding errors 512
• Get request pdus 512
• Illegal operation for community name supplied 512
• Number of altered variables 512
• Number of requested variables 512
• Snmp agent is enabled 512
• Snmp packets input 512
• Switch config show snmp server 512
• Switch config snmp server 512
• Switch config snmp server engineid remote 123456789a 512
• Switch configure 512
• The following example shows how to enable snmp and set 123456789a as the remote engine id 512
• Unknown community name 512
• Bad value errors 513
• Creating an snmp view 513
• General errors 513
• Get next pdus 513
• Local engine id 80002e5703000aeb132397 513
• No such name errors 513
• Remote engine id 123456789a 513
• Response pdus 513
• Set request pdus 513
• Snmp packets output 513
• Specify the oid object identifier of the view to determine objects to be managed 513
• Switch config end 513
• Switch config show snmp server engineid 513
• Switch copy running config startup config 513
• Too big errors maximum packet size 1500 513
• Trap pdus 513
• Creating an snmp group 514
• No name sec mode sec lev read view write view notify view 1 nms monitor v3 authpriv view view 515
• Switch config end 515
• Switch config show snmp server group 515
• Switch config snmp server group nms monitor smode v3 slev authpriv read view notify view 515
• Switch configure 515
• Switch copy running config startup config 515
• The following example shows how to create an snmpv3 group name the group as nms monitor enable auth mode and privacy mode and set the view as read view and notify view 515
• Configure users of the snmp group users belong to the group and use the same security level and access rights as the group 516
• Creating snmp users 516
• The following example shows how to create an snmp user on the switch name the user as admin and set the user as a remote user snmpv3 as the security mode authpriv as the 516
• Admin remote nms monitor v3 authpriv sha des 517
• Creating snmp communities 517
• For snmpv1 and snmpv2c the community name is used for authentication functioning as the password 517
• No u name u type g name s mode s lev a mode p mode 517
• Security level sha as the authentication algorithm 1234 as the authentication password des as the privacy algorithm and 1234 as the privacy password 517
• Switch config end 517
• Switch config show snmp server user 517
• Switch config snmp server user admin remote nms monitor smode v3 slev authpriv cmode sha cpwd 1234 emode des epwd 1234 517
• Switch configure 517
• Switch copy running config startup config 517
• The following example shows how to set an snmp community name the community as the nms monitor and allow the nms to view and modify parameters of view 517
• Configuration guidelines 519
• Notification configurations 519
• Using the gui 519
• Choose a notification type based on the snmp version if you choose the inform type you need to set retry times and timeout interval 520
• Click create 520
• Specify the user name or community name used by the nms and configure the security model and security level based on the settings of the user or community 520
• Configure parameters of the nms host and packet handling mechanism 521
• Configuring the host 521
• Using the cli 521
• 68 22 162 admin v3 authpriv inform 3 100 522
• Enabling snmp notification 522
• Enabling the snmp standard trap 522
• No des ip udp name secmode seclev type retry timeout 522
• Switch config end 522
• Switch config show snmp server host 522
• Switch config snmp server host 172 68 22 162 admin smode v3 slev authpriv type inform retries 3 timeout 100 522
• Switch configure 522
• Switch copy running config startup config 522
• The following example shows how to set the nms host ip address as 172 68 22 udp port as port 162 name used by the nms as admin security model as snmpv3 security level as authpriv notification type as inform retry times as 3 and the timeout interval as 100 seconds 522
• Optional enabling the snmp extend trap 523
• Switch config end 523
• Switch config snmp server traps snmp linkup 523
• Switch configure 523
• Switch copy running config startup config 523
• The following example shows how to configure the switch to send linkup traps 523
• Switch config end 524
• Switch config snmp server traps bandwidth control 524
• Switch configure 524
• The following example shows how to configure the switch to enable bandwidth control traps 524
• Optional enabling the link status trap 525
• Switch config if end 525
• Switch config if snmp server traps link status 525
• Switch config interface fastethernet 1 0 1 525
• Switch configure 525
• Switch copy running config startup config 525
• The following example shows how to configure the switch to enable link status trap 525
• Rmon overview 526
• Configuring statistics 527
• Rmon configurations 527
• Using the gui 527
• Configuring history 528
• Follow these steps to configure history 528
• History to load the following page 528
• Select a history entry and specify a port to be monitored 528
• Set the sample interval and the maximum buckets of history entries 528
• Specify the entry id the port to be monitored and the owner name of the entry set the entry as valid or undercreation and click create 528
• Choose an event entry and set the snmp user of the entry 529
• Configuring event 529
• Enter the owner name and set the status of the entry click apply 529
• Event to load the following page 529
• Follow these steps to configure event 529
• Set the description and type of the event 529
• Alarm to load the following page 530
• Before you begin please complete configurations of statistics entries and event entries because the alarm entries must be associated with statistics and event entries 530
• Configuring alarm 530
• Enter the owner name and set the status of the entry click apply 530
• Follow these steps to configure alarm 530
• Select an alarm entry choose a variable to be monitored and associate the entry with a statistics entry 530
• Set the sample type the rising and falling threshold the corresponding event action and the alarm type of the entry 531
• Configuring statistics 532
• Enter the owner name and set the status of the entry click apply 532
• Using the cli 532
• Configuring history 533
• Fa1 0 1 monitor valid 533
• Fa1 0 2 monitor valid 533
• Index port owner state 533
• Switch config end 533
• Switch config rmon statistics 1 interface fastethernet 1 0 1 owner monitor status valid 533
• Switch config rmon statistics 2 interface fastethernet 1 0 2 owner monitor status valid 533
• Switch config show rmon statistics 533
• Switch configure 533
• Switch copy running config startup config 533
• The following example shows how to create two statistics entries on the switch to monitor port 1 0 1 and 1 0 2 respectively the owner of the entry is monitor and the entry is valid 533
• Configuring event 534
• Fa1 0 1 100 50 monitor enable 534
• Index port interval buckets owner state 534
• Switch config end 534
• Switch config rmon history 1 interface fastethernet 1 0 1 interval 100 owner monitor buckets 50 534
• Switch config show rmon history 534
• Switch configure 534
• Switch copy running config startup config 534
• The following example shows how to create a history entry on the switch to monitor port 1 0 1 set the sample interval as 100 seconds max buckets as 50 and the owner as monitor 534
• Admin rising notify notify monitor enable 535
• Index user description type owner state 535
• Switch config end 535
• Switch config rmon event 1 user admin description rising notify type notify owner monitor 535
• Switch config show rmon event 535
• Switch configure 535
• Switch copy running config startup config 535
• The following example shows how to create an event entry on the switch set the user name as admin the event type as notify set the switch to initiate notifications to the nms and the owner as monitor 535
• Configuring alarm 536
• Configuration example 538
• Configuration scheme 538
• Network requirements 538
• Network topology 539
• Using the gui 539
• Using the cli 544
• Verify the configurations 546
• Appendix default parameters 550
• Default settings of snmp are listed in the following table 550
• Default settings of notification are listed in the following table 551
• Chapters 554
• Configuring lldp 554
• Part 16 554
• Overview 555
• Supported features 555
• Global config 556
• Lldp configurations 556
• Using the gui 556
• Follow these steps to enable lldp and configure the lldp feature globally 557
• In the global config section enable lldp click apply 557
• In the parameters config section configure the lldp parameters click apply 557
• Follow these steps to configure the lldp feature for the interface 558
• Policy config to load the following page 558
• Port config 558
• Select the desired port and set its admin status and notification mode 558
• Select the tlvs type length value included in the lldp packets according to your needs 558
• Enable the lldp feature on the switch and configure the lldp parameters 559
• Global config 559
• Using the cli 559
• Lldp status enabled 560
• Switch config lldp 560
• Switch config lldp hold multiplier 4 560
• Switch config lldp timer tx interval 30 tx delay 2 reinit delay 3 notify interval 5 fast count 3 560
• Switch config show lldp 560
• Switch configure 560
• The following example shows how to configure the following parameters lldp timer 4 tx interval 30 seconds tx delay 2 seconds reinit delay 3 seconds notify iinterval 5 seconds fast count 3 560
• Tx interval 30 seconds 560
• Fast packet count 3 561
• Initialization delay 2 seconds 561
• Lldp med fast start repeat count 4 561
• Port config 561
• Select the desired port and set its admin status notification mode and the tlvs included in the lldp packets 561
• Switch config end 561
• Switch copy running config startup config 561
• Trap notification interval 5 seconds 561
• Ttl multiplier 4 561
• Tx delay 2 seconds 561
• Global config 563
• Lldp med configurations 563
• Using the gui 563
• Port config 564
• Global config 566
• Lldp status enabled 566
• Switch config lldp 566
• Switch config lldp med fast count 4 566
• Switch config show lldp 566
• Switch configure 566
• The following example shows how to configure lldp med fast count as 4 566
• Tx interval 30 seconds 566
• Using the cli 566
• Fast packet count 3 567
• Initialization delay 2 seconds 567
• Lldp med fast start repeat count 4 567
• Port config 567
• Select the desired port enable lldp med and select the tlvs type length value included in the outgoing lldp packets according to your needs 567
• Switch config end 567
• Switch copy running config startup config 567
• Trap notification interval 5 seconds 567
• Ttl multiplier 4 567
• Tx delay 2 seconds 567
• Using gui 570
• Viewing lldp device info 570
• Viewing lldp settings 570
• Follow these steps to view the local information 571
• In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 571
• In the local info section select the desired port and view its associated local device information 571
• Viewing lldp statistics 573
• Using cli 574
• Viewing lldp statistics 574
• Viewing the local info 574
• Viewing the neighbor info 574
• Using gui 575
• Viewing lldp med settings 575
• Follow these steps to view lldp med neighgbor information 577
• In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 577
• In the lldp med neighbor info section select the desired port and view the lldp med settings 577
• Using cli 577
• Viewing the local info 577
• Viewing the neighbor info 577
• Viewing lldp statistics 578
• Viewing the neighbor info 578
• Configuration example 579
• Configuration scheme 579
• Example for configuring lldp 579
• Network requirements 579
• Network topology 579
• Using the gui 579
• Using cli 580
• Verify the configurations 581
• Configuration scheme 586
• Example for configuring lldp med 586
• Network requirements 586
• Network topology 586
• Using the gui 587
• Using the cli 591
• Verify the configurations 592
• Appendix default parameters 598
• Default lldp med settings 598
• Default lldp settings 598
• Default settings of lldp are listed in the following tables 598
• Chapters 599
• Configuring maintenance 599
• Part 17 599
• Device diagnose 600
• Maintenance 600
• Network diagnose 600
• Overview 600
• Supported features 600
• System monitor 600
• Monitoring the cpu 601
• Monitoring the system 601
• Using the gui 601
• Monitoring the memory 602
• Monitoring the cpu 603
• Monitoring the memory 603
• Using the cli 603
• Backing up log files 604
• Configuration guidelines 604
• Configuring the local log 604
• Configuring the remote log 604
• Logs are classified into the following eight levels messages of levels 0 to 4 mean the functionality of the switch is affected please take actions according to the log message 604
• System log configurations 604
• System log configurations include 604
• Viewing the log table 604
• Click apply 605
• Configuring the local log 605
• Configuring the remote log 605
• Follow these steps to configure the local log 605
• Local log to load the following page 605
• Remote log enables the switch to send system logs to a host to display the logs the host should run a log server that complies with the syslog standard 605
• Select your desired channel and configure the corresponding severity and status 605
• Using the gui 605
• Backing up the log file 606
• Backup log to load the following page 606
• Click apply 606
• Click backup log to save the system log as a file on your computer if the switch system breaks down you can check the file for troubleshooting 606
• Follow these steps to configure remote log 606
• Remote log to load the following page 606
• Select an entry to enable the status and then set the host ip address and severity 606
• Configuring the local log 607
• Follow these steps to configure the local log 607
• Log table to load the following page 607
• Select a module and a severity to view the corresponding log information 607
• Using the cli 607
• Viewing the log table 607
• Switch config logging buffer 608
• Switch config logging buffer level 5 608
• Switch config logging file flash 608
• Switch config logging file flash frequency periodic 10 608
• Switch configure 608
• The following example shows how to configure the local log on the switch save logs of levels 0 to 5 to the log buffer and synchronize logs of levels 0 to 2 to the flash every 10 hours 608
• Buffer 5 enable immediately 609
• Channel level status sync periodic 609
• Configuring the remote log 609
• Flash 2 enable 10 hour s 609
• Follow these steps to set the remote log 609
• Monitor 5 enable immediately 609
• Remote log enables the switch to send system logs to a host to display the logs the host should run a log server that complies with the syslog standard 609
• Switch config end 609
• Switch config logging file flash level 2 609
• Switch config show logging local config 609
• Switch copy running config startup config 609
• Diagnosing the device 611
• Using the gui 611
• Fa1 0 2 pair a normal 2 10m 612
• On privileged exec mode or any other configuration mode you can use the following command to check the connection status of the cable that is connected to the switch 612
• Pair b normal 2 10m 612
• Pair c normal 0 10m 612
• Pair d normal 2 10m 612
• Port pair status length error 612
• Switch show cable diagnostics interface fastethernet 1 0 2 612
• The following example shows how to check the cable diagnostics of port 1 0 2 612
• Using the cli 612
• Configuring the ping test 613
• Diagnosing the network 613
• Using the gui 613
• Configuring the ping test 614
• Configuring the tracert test 614
• Follow these steps to test connectivity between the switch and routers along the path from the source to the destination 614
• In the ping result section check the test results 614
• In the tracert config section enter the ip address of the destination set the max hop and then click tracert to start the test 614
• In the tracert result section check the test results 614
• On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and one node of the network 614
• Tracert to load the following page 614
• Using the cli 614
• Approximate round trip times in milli seconds 615
• Configuring the tracert test 615
• Minimum 0ms maximum 0ms average 0ms 615
• On privileged exec mode or any other configuration mode you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination 615
• Packets sent 3 received 3 lost 0 0 loss 615
• Ping statistics for 192 68 0 615
• Pinging 192 68 0 with 1000 bytes of data 615
• Reply from 192 68 0 bytes 1000 time 16ms ttl 64 615
• Switch ping ip 192 68 0 n 3 l 1000 i 500 615
• The following example shows how to test the connectivity between the switch and the destination device with the ip address 192 68 0 specify the ping times as 3 the data size as 1000 bytes and the interval as 500 milliseconds 615
• Ms 1 ms 2 ms 192 68 616
• Ms 2 ms 2 ms 192 68 00 616
• Switch tracert 192 68 00 2 616
• The following example shows how to test the connectivity between the switch and the network device with the ip address 192 68 00 set the maxhops as 2 616
• Trace complete 616
• Tracing route to 192 68 00 over a maximum of 2 hops 616
• Configuration example for remote log 617
• Configuration scheme 617
• Network requirements 617
• Using the gui 617
• Using the cli 618
• Verify the configurations 618
• Appendix default parameters 619
• Default settings of maintenance are listed in the following tables 619