Tp-Link T1500G-10PS V2 Руководство пользователя онлайн

After the keys are successfully generated click save public key to save the public key to a tftp server click save private key to save the private key to the host pc 36

Disable telnet login 38

Change the switch s ip address and default gateway 39

Copy running config startup config 39

Disable ssh login 39

Chapters 41

Managing system 41

Part 2 41

Overview 42

Supported features 42

System 42

System info 42

System tools 42

User management 42

Sdm template 43

Time range 43

System info configurations 44

Using the gui 44

Viewing the system summary 44

You can click a port to view the bandwidth utilization on this port 45

You can move your cursor to a port to view the detailed information of the port 45

In the system info section you can view the system information of the switch 46

Viewing the system information 46

Configuring the device description 48

Device description to load the following page 48

In the device description section configure the following parameters 48

Choose one method to set the system time and specify the related parameters 49

Click apply 49

Configuring the system time 49

In the time config section follow these steps to configure the system time 49

In the time info section you can view the current time information of the switch 49

System time to load the following page 49

Choose one method to set the daylight saving time and specify the related parameters 50

Click apply 50

Configuring the daylight saving time 50

Daylight saving time to load the following page 50

Follow these steps to configure daylight saving time 50

In the dst config section enable the daylight saving time function 50

Click apply 51

Configure the corresponding parameters for the system ip 51

Configuring the system ip 51

Follow these steps to configure the system ip 51

System ip to load the following page 51

Click apply 52

Configuring the system ipv6 52

In the system ipv6 config section enable ipv6 feature for the interface and configure the corresponding parameters then click apply 52

System ipv6 to load the following page 52

Configure ipv6 global address of the interface via following three ways 53

In the global address config section click 53

Manually 53

To manually assign an ipv6 global address to the interface 53

Via dhcpv6 server 53

Via ra message 53

View the global address entry in the global address config section 54

Gi1 0 1 linkdown n a n a n a disable copper 55

Gi1 0 2 linkdown n a n a n a disable copper 55

Gi1 0 3 linkup 1000m full disable disable copper 55

On privileged exec mode or any other configuration mode you can use the following commands to view the system information of the switch 55

Port status speed duplex flowctrl jumbo active medium 55

Switch show interface status 55

Switch show system info 55

System description jetstream 48 port gigabit smart switch with 4 sfp slots 55

System name t1500 28pct 55

The following example shows how to view the interface status and the system information of the switch 55

Using the cli 55

Viewing the system summary 55

Bootloader version tp link bootutil v1 56

Configuring the device description 56

Contact information www tp link com 56

Follow these steps to configure the device description 56

Hardware version t1500 28pct 3 56

Mac address 00 0a eb 13 23 a0 56

Running time 1 day 2 hour 33 min 42 sec 56

Serial number 56

Software version 3 build 20171129 rel 8400 s 56

System location shenzhen 56

System time 2017 12 12 11 23 32 56

Configuring the system time 57

Backup ntp server 139 8 00 63 59

Last successful ntp server 133 00 59

Prefered ntp server 133 00 59

Switch config show system time ntp 59

Switch config system time ntp utc 08 00 133 00 139 8 00 63 11 59

Switch configure 59

The following example shows how to set the system time by get time from ntp server and set the time zone as utc 08 00 set the ntp server as 133 00 set the backup ntp server as 139 8 00 63 and set the update rate as 11 59

Time zone utc 08 00 59

Configuring the daylight saving time 60

Follow these steps to configure the daylight saving time 60

Switch config end 60

Switch copy running config startup config 60

Update rate 11 hour s 60

Dst configuration is one off 61

Dst ends at 01 00 00 on sep 1 2017 61

Dst offset is 50 minutes 61

Dst starts at 01 00 00 on aug 1 2017 61

Switch config end 61

Switch config show system time dst 61

Switch config system time dst date aug 1 01 00 2017 sep 1 01 00 2017 50 61

Switch configure 61

Switch copy running config startup config 61

The following example shows how to set the daylight saving time by date mode set the start time as 01 00 august 1st 2017 set the end time as 01 00 september 1st 2017 and set the offset as 50 61

Configuring the system ip 62

Follow these steps to configure the system ip parameters 62

Switch config if ip address 192 68 0 255 55 55 gateway 192 68 00 62

Switch config interface vlan 1 62

Switch configure 62

The following example shows how to configure the switch s ip address as 192 68 0 24 and configure the default gateway as 192 68 00 62

Configuring system ipv6 parameters 63

Enable 63

Follow these steps to configure the system ipv6 parameters 63

Password admin 63

Switch copy running config startup config 63

Switch show interface vlan 1 63

Telnet 192 68 0 63

The connection will be interrupted and you should telnet to the switch s new ip address 192 68 0 63

User admin 63

Global address dhcpv6 enable 64

Global address ra disable 64

Global unicast address es ff02 1 ff13 237b 64

Ipv6 is enable link local address fe80 20a ebff fe13 237bnor 64

Joined group address es ff02 1 64

Switch config if ipv6 address autoconfig 64

Switch config if ipv6 address dhcp 64

Switch config if ipv6 enable 64

Switch config if show ipv6 interface 64

Switch config interface vlan 1 64

Switch configure 64

The following example shows how to enable the ipv6 function and configure the ipv6 parameters of the management interface 64

Vlan2 is up line protocol is up 64

Creating accounts 66

User management configurations 66

Using the gui 66

Click create 67

Configure the following parameters 67

Configuring enable password 67

Follow these steps to create a new user account 67

Global config to load the following page 67

Creating accounts 68

Using the cli 68

Configuring enable password 70

Follow these steps to create an account of other type 70

The logged in users can enter the enable password on this page to get the administrative privileges 71

Configuring the boot file 73

System tools configurations 73

Using the gui 73

Click apply 74

Follow these steps to configure the boot file 74

In the boot table section select one or more units and configure the relevant parameters 74

In the image table you can view the information of the current startup image next startup image and backup image the displayed information is as follows 74

Restore config to load the following page 74

Restoring the configuration of the switch 74

Backing up the configuration file 75

Upgrading the firmware 76

Configuring reboot schedule 77

Manually rebooting the switch 77

Rebooting the switch 77

Choose whether to save the current configuration before the reboot 78

Click apply 78

Configuring the boot file 78

Follow these steps to configure the boot file 78

In the system reset section select the desired unit and click reset after reset all configurations of the switch will be reset to the factory defaults 78

Reseting the switch 78

System reset to load the following page 78

Using the cli 78

Backup config config2 cfg 79

Backup image image2 bin 79

Boot config 79

Current startup config config2 cfg 79

Current startup image image2 bin 79

Follow these steps to restore the configuration of the switch 79

Next startup config config1 cfg 79

Next startup image image1 bin 79

Restoring the configuration of the switch 79

Switch config boot application filename image1 startup 79

Switch config boot application filename image2 backup 79

Switch config boot config filename config1 startup 79

Switch config boot config filename config2 backup 79

Switch config end 79

Switch config show boot 79

Switch configure 79

Switch copy running config startup config 79

The following example shows how to set the next startup image as image1 the backup image as image2 the next startup configuration file as config1 and the backup configuration file as config2 79

Backing up the configuration file 80

Backup user config file ok 80

Enable 80

Follow these steps to back up the current configuration of the switch in a file 80

Follow these steps to upgrade the firmware 80

Operation ok now rebooting system 80

Start to backup user config file 80

Start to load user config file 80

Switch copy startup config tftp ip address 192 68 00 filename file2 80

Switch copy tftp startup config ip address 192 68 00 filename file1 80

The following example shows how to backup the configuration file named file2 to tftp server with ip address 192 68 00 80

The following example shows how to restore the configuration file named file1 from the tftp server with ip address 192 68 00 80

Upgrading the firmware 80

Configuring reboot schedule 81

Enable 81

Follow these steps to configure the reboot schedule 81

Follow these steps to reboot the switch 81

It will only upgrade the backup image continue y n y 81

Manually rebooting the switch 81

Operation ok 81

Reboot with the backup image y n y 81

Rebooting the switch 81

Switch firmware upgrade ip address 192 68 00 filename file3 bin 81

The following example shows how to upgrade the firmware using the configuration file named file3 bin the tftp server is 190 68 00 81

Reboot schedule at 2017 08 15 12 00 in 25582 minutes 82

Reboot schedule settings 82

Reboot system at 15 08 2017 12 00 continue y n y 82

Save before reboot yes 82

Switch config end 82

Switch config reboot schedule at 12 00 15 08 2017 save_before_reboot 82

Switch configure 82

Switch copy running config startup config 82

The following example shows how to set the switch to reboot at 12 00 on 15 08 2017 82

Follow these steps to reset the switch 83

Reseting the switch 83

Click apply 84

Eee configuration 84

Eee to load the following page 84

Enable or disable eee on the selected port s 84

Follow these steps to configure eee 84

In the eee config section select one or more ports to be configured 84

Using the cli 84

Poe configurations 86

And configure the system power limit click apply 87

Configuring the poe parameters manually 87

Follow these steps to configure the basic poe parameters 87

In addition you can click 87

In the poe config section you can view the current poe parameters 87

Poe config to load the following page 87

Using the gui 87

In the port config section select the port you want to configure and specify the parameters click apply 88

Click create 90

Configuring the poe parameters using the profile 90

Creating a poe profile 90

Follow these steps to create a poe profile 90

In the create poe profile section specify the desired configurations of the profile 90

Poe profile and click 90

To load the following page 90

In the port config section select one or more ports and configure the following two parameters time range and poe profile click apply and the poe parameters of the selected poe profile such as poe status and poe priority will be displayed in the table 92

Configuring the poe parameters manually 93

Follow these steps to configure the basic poe parameters 93

Using the cli 93

Gi1 0 5 enable middle class3 no limit none 94

Interface poe status poe prio power limit w time range poe profile 94

Switch config if power inline consumption class3 94

Switch config if power inline priority middle 94

Switch config if power inline supply enable 94

Switch config if show power inline 94

Switch config if show power inline configuration interface gigabitethernet 1 0 5 94

Switch config if show power inline information interface gigabitethernet 1 0 5 94

Switch config interface gigabitethernet 1 0 5 94

Switch config power inline consumption 160 94

Switch configure 94

System power consumption 0 w 94

System power limit 160 w 94

System power remain 160 w 94

The following example shows how to set the system power limit as 160w set the priority as middle and set the power limit as class3 for the port 1 0 5 94

Configuring the poe parameters using the profile 95

Follow these steps to configure the poe profile 95

Gi1 0 5 1 26 53 class 2 on 95

Interface power w current ma voltage v pd class power status 95

Switch config if end 95

Switch copy running config startup config 95

Index name status priority power limit w 96

Profile1 enable middle class2 96

Switch config interface gigabitethernet 1 0 6 96

Switch config power profile profile1 supply enable priority middle consumption class2 96

Switch config show power profile 96

Switch configure 96

The following example shows how to create a profile named profile1and bind the profile to the port 1 0 6 96

In sdm template config section select one template and click apply the setting will be effective after the switch is rebooted 98

Sdm template configuration 98

Sdm template to load the following page 98

The template table displays the resources allocation of each template 98

Using the gui 98

Follow these steps to configure the sdm template 99

Switch config 99

The following example shows how to set the sdm template as enterprisev4 99

Using the cli 99

Adding time range entries 101

Time range configuration 101

Using the gui 101

Configure the following parameters and click create 102

Similarly you can add more entries of period time according to your needs the final period time is the sum of all the periods in the table click create 102

Configuring holiday 103

Adding time range entries 104

Follow these steps to add time range entries 104

Using the cli 104

08 00 to 20 00 on 1 2 105

10 01 2017 to 10 31 2017 105

Configuring holiday 105

Follow these steps to configure holiday time range 105

Holiday exclude 105

Number of time slice 1 105

Switch config 105

Switch config time range absolute from 10 01 2017 to 10 31 2017 105

Switch config time range end 105

Switch config time range holiday exclude 105

Switch config time range periodic start 08 00 end 20 00 day of the week 1 2 105

Switch config time range show time range 105

Switch config time range time1 105

Switch copy running config startup config 105

The following example shows how to create a time range entry and set the name as time1 holiday mode as exclude absolute time as 10 01 2017 to 10 31 2017 and periodic time as 8 00 to 20 00 on every monday and tuesday 105

Time range entry 12 inactive 105

Time range entry time1 inactive 105

Configuring scheme 107

Example for poe configurations 107

Network requirements 107

Using the gui 107

Using the cli 110

Verify the configuration 110

Gi1 0 3 enable low class4 office time none 111

Interface poe status poe prio power limit w time range poe profile 111

Appendix default parameters 112

Default settings of system info are listed in the following tables 112

Default settings of system tools are listed in the following table 112

Default settings of user management are listed in the following table 112

Default setting of eee is listed in the following table 113

Default settings of poe is listed in the following table 113

Default settings of sdm template are listed in the following table 113

Default settings of time range are listed in the following table 114

Chapters 115

Managing physical interfaces 115

Part 3 115

Basic parameters 116

Loopback detection 116

Overview 116

Physical interface 116

Port isolation 116

Supported features 116

Basic parameters configurations 117

Configure the mtu size of jumbo frames for all ports then click apply 117

Follow these steps to configure basic parameters for the ports 117

Port config to load the following page 117

Select one or more ports to configure the basic parameters then click apply 117

Using the gui 117

Follow these steps to set basic parameters for the ports 118

Using the cli 118

Switch config if no shutdown 119

Switch config interface gigabitethernet 1 0 1 119

Switch configure 119

Switch jumbo size 9216 119

The following example shows how to implement the basic configurations of port1 0 1 including setting a description for the port configuring the jumbo frame making the port automatically negotiate speed and duplex with the neighboring port and enabling the flow control 119

Port isolation configurations 121

Using the gui 121

Click apply 122

Follow these steps to configure port isolation 122

In the forwarding port list section select the forwarding ports or lags which the isolated ports can only communicate with it is multi optional 122

In the port section select one or multiple ports to be isolated 122

Using the cli 122

Gi1 0 5 n a gi1 0 1 3 po4 123

Port lag forward list 123

Switch config if end 123

Switch config if port isolation gi forward list 1 0 1 3 po forward list 4 123

Switch config if show port isolation interface gigabitethernet 1 0 5 123

Switch config interface gigabitethernet 1 0 5 123

Switch configure 123

Switch copy running config startup config 123

The following example shows how to add ports 1 0 1 3 and lag 4 to the forwarding list of port 1 0 5 123

Loopback detection configuration 124

Using the gui 124

In the port config section select one or more ports to configure the loopback detection parameters then click apply 125

Optional view the loopback detection information 125

Follow these steps to configure loopback detection 126

Using the cli 126

Configuration examples 128

Configuration scheme 128

Example for port isolation 128

Network requirements 128

Using the gui 128

Using the cli 130

Verify the configuration 130

Configuration scheme 131

Example for loopback detection 131

Network requirements 131

Using the gui 132

Using the cli 133

Verify the configuration 133

Appendix default parameters 134

Default settings of switching are listed in th following tables 134

Chapters 135

Configuring lag 135

Part 4 135

Overview 136

Static lag 136

Supported features 136

Configuration guidelines 137

Lag configuration 137

Configuring load balancing algorithm 138

In the global config section select the load balancing algorithm hash algorithm then click apply 138

Lag table to load the following page 138

Load balancing algorithm is effective only for outgoing traffic if the data stream is not well shared by each link you can change the algorithm of the outgoing interface 138

Please properly choose the load balancing algorithm to avoid data stream transferring only on one physical link for example switch a receives packets from several hosts and forwards them to the server with the fixed mac address you can set the algorithm 138

Using the gui 138

Configuring static lag or lacp 139

Configuring lacp 140

Follow these steps to configure lacp 140

Lacp to load the following page 140

Select member ports for the lag and configure the related parameters click apply 140

Specify the system priority for the switch and click apply 140

Configuring load balancing algorithm 141

Follow these steps to configure the load balancing algorithm 141

Using the cli 141

Configuring static lag or lacp 142

Etherchannel load balancing addresses used per protocol 142

Etherchannel load balancing configuration src dst mac 142

Ipv4 source xor destination mac address 142

Ipv6 source xor destination mac address 142

Non ip source xor destination mac address 142

Switch config end 142

Switch config port channel load balance src dst mac 142

Switch config show etherchannel load balance 142

Switch configure 142

Switch copy running config startup config 142

The following example shows how to set the global load balancing mode as src dst mac 142

You can choose only one lag mode for a port static lag or lacp and make sure both ends of a link use the same lag mode 142

Configuring static lag 143

Flags d down p bundled in port channel u in use 143

Follow these steps to configure static lag 143

Group port channel protocol ports 143

I stand alone h hot standby lacp only s suspended 143

Po2 s gi1 0 5 d gi1 0 6 d gi1 0 7 d gi1 0 8 d 143

R layer3 s layer2 f failed to allocate aggregator 143

Switch config if range channel group 2 mode on 143

Switch config if range end 143

Switch config if range show etherchannel 2 summary 143

Switch config interface range gigabitethernet 1 0 5 8 143

Switch configure 143

Switch copy running config startup config 143

The following example shows how to add ports1 0 5 8 to lag 2 and set the mode as static lag 143

U unsuitable for bundling w waiting to be aggregated d default port 143

Configuring lacp 144

Follow these steps to configure lacp 144

Configuration example 146

Configuration scheme 146

Network requirements 146

Using the gui 147

Using the cli 148

Verify the configuration 148

Appendix default parameters 150

Default settings of switching are listed in the following tables 150

Chapters 151

Managing mac address table 151

Part 5 151

Address configurations 152

Mac address table 152

Overview 152

Supported features 152

Adding static mac address entries 153

Mac address configurations 153

Using the gui 153

Click apply 155

Dynamic address to load the following page 155

Follow these steps to modify the aging time of dynamic address entries 155

In the aging config section enable auto aging and enter your desired length of time 155

Modifying the aging time of dynamic address entries 155

Adding mac filtering address entries 156

Viewing address table entries 156

Adding static mac address entries 157

Address table and click 157

Follow these steps to add static mac address entries 157

To load the following page 157

Using the cli 157

Modifying the aging time of dynamic address entries 158

Adding mac filtering address entries 159

Aging time is 500 sec 159

Follow these steps to add mac filtering address entries 159

Switch config end 159

Switch config mac address table aging time 500 159

Switch config show mac address table aging time 159

Switch configure 159

Switch copy running config startup config 159

The following example shows how to modify the aging time to 500 seconds a dynamic entry remains in the mac address table for 500 seconds after the entry is used or updated 159

Appendix default parameters 161

Default settings of the mac address table are listed in the following tables 161

Chapters 162

Configuring 802 q vlan 162

Part 6 162

Overview 163

Configuring the pvid of the port 164

Q vlan configuration 164

Using the gui 164

Configuring the vlan 166

Enter a vlan id and a description for identification to create a vlan 166

Follow these steps to configure vlan 166

Select the untagged port s and the tagged port s respectively to add to the created vlan based on the network topology 166

To load the following page to load the following page 166

Vlan config and click 166

Click apply 167

Creating a vlan 167

Follow these steps to create a vlan 167

Switch config vlan 2 167

Switch config vlan name rd 167

Switch config vlan show vlan id 2 167

Switch configure 167

The following example shows how to create vlan 2 and name it as rd 167

Using the cli 167

Configuring the port 168

Follow these steps to configure the port 168

Rd active 168

Switch config if switchport pvid 2 168

Switch config interface gigabitethernet 1 0 5 168

Switch config vlan end 168

Switch configure 168

Switch copy running config startup config 168

The following example shows how to configure the pvid of port 1 0 5 as 2 enable the ingress checking and set the acceptable frame type as all 168

Vlan name status ports 168

Acceptable frame type all 169

Adding the port to the specified vlan 169

Follow these steps to add the port to the specified vlan 169

Ingress checking enable 169

Link type general 169

Member in lag n a 169

Member in vlan 169

Port gi1 0 5 169

Pvid 2 169

Switch config if end 169

Switch config if show interface switchport gigabitethernet 1 0 5 169

Switch config if switchport acceptable frame all 169

Switch config if switchport check ingress 169

Switch copy running config startup config 169

System vlan untagged 169

Vlan name egress rule 169

Configuration example 171

Configuration scheme 171

Network requirements 171

Demonstrated with t1500 28pct the following sections provide configuration procedure in two ways using the gui and using the cli 172

Network topology 172

The configurations of switch 1 and switch 2 are similar the following introductions take switch 1 as an example 172

The figure below shows the network topology host a1 and host a2 are in department a while host b1 and host b2 are in department b switch 1 and switch 2 are located in two different places host a1 and host b1 are connected to port 1 0 2 and port 1 0 3 on switch 1 respectively while host a2 and host b2 are connected to port 1 0 6 and port 1 0 7 on switch 2 respectively port 1 0 4 on switch 1 is connected to port 1 0 8 on switch 2 172

To load the following page create vlan 10 with the description of department_a add port 1 0 2 as an untagged port and port 1 0 4 as a tagged port to vlan 10 click create 172

Using the gui 172

Vlan config and 172

Using the cli 175

Verify the configurations 176

Appendix default parameters 178

Default settings of 802 q vlan are listed in the following table 178

Chapters 179

Configuring mac vlan 179

Part 7 179

Overview 180

Ptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in to meet this requirement simply bind the mac addresses of the laptops to the corresponding vlans respectively in this way the mac address determines the vlan each laptop joins each laptop can access only the server in the vlan it joins 180

The figure below shows a common application scenario of mac vlan 180

Two departments share all the meeting rooms in the company but use different servers and l 180

Vlan is generally divided by ports it is a common way of division but isn t suitable for those networks that require frequent topology changes with the popularity of mobile office at different times a terminal device may access the network via different ports for example a terminal device that accessed the switch via port 1 last time may change to port 2 this time if port 1 and port 2 belong to different vlans the user has to re configure the switch to access the original vlan using mac vlan can free the user from such a problem it divides vlans based on the mac addresses of terminal devices in this way terminal devices always belong to their mac vlans even when their access ports change 180

Binding the mac address to the vlan 181

Configuring 802 q vlan 181

Mac vlan configuration 181

Using the gui 181

Enabling mac vlan for the port 182

19 56 8a 4c 71 dept a 10 183

Before configuring mac vlan create an 802 q vlan and set the port type according to network requirements for details refer to configuring 802 q vlan 183

Binding the mac address to the vlan 183

Configuring 802 q vlan 183

Follow these steps to bind the mac address to the vlan 183

Mac addr name vlan id 183

Switch config end 183

Switch config mac vlan mac address 00 19 56 8a 4c 71 vlan 10 description dept a 183

Switch config show mac vlan vlan 10 183

Switch configure 183

The following example shows how to bind the mac address 00 19 56 8a 4c 71 to vlan 10 with the address description as dept a 183

Using the cli 183

Enabling mac vlan for the port 184

Follow these steps to enable mac vlan for the port 184

Gi1 0 1 enable 184

Gi1 0 2 disable 184

Port status 184

Switch config if end 184

Switch config if mac vlan 184

Switch config if show mac vlan interface 184

Switch config interface gigabitethernet 1 0 1 184

Switch configure 184

Switch copy running config startup config 184

The following example shows how to enable mac vlan for port 1 0 1 184

Configuration example 185

Configuration scheme 185

Create vlan 10 and vlan 20 on each of the three switches and add the ports to the vlans based on the network topology for the ports connecting the laptops set the 185

Network requirements 185

Two departments share all the meeting rooms in the company but use different servers and laptops department a uses server a and laptop a while department b uses server b and laptop b server a is in vlan 10 while server b is in vlan 20 it is required that laptop a can only access server a and laptop b can only access server b no matter which meeting room the laptops are being used in the figure below shows the network topology 185

You can configure mac vlan to meet this requirement on switch 1 and switch 2 bind the mac addresses of the laptops to the corresponding vlans respectively in this way each laptop can access only the server in the vlan it joins no matter which meeting room the laptops are being used in the overview of the configuration is as follows 185

Using the gui 186

Using the cli 191

Verify the configurations 193

Appendix default parameters 195

Default settings of mac vlan are listed in the following table 195

Chapters 196

Configuring protocol vlan 196

Part 8 196

Overview 197

Protocol vlan is a technology that divides vlans based on the network layer protocol with the protocol vlan rule configured on the basis of the existing 802 q vlan the switch can analyze specific fields of received packets encapsulate the packets in specific formats and forward the packets with different protocols to the corresponding vlans since different applications and services use different protocols network administrators can use protocol vlan to manage the network based on specific applications and services 197

The figure below shows a common application scenario of protocol vlan with protocol vlan configured switch 2 can forward ipv4 and ipv6 packets from different vlans to the ipv4 and ipv6 networks respectively 197

Configuring 802 q vlan 198

Protocol vlan configuration 198

Using the gui 198

Check whether your desired template already exists in the protocol template config 199

Creating protocol template 199

Follow these steps to create a protocol template 199

Protocol template to load the following page 199

Section if not click 199

To create a new template 199

Click create 200

Configuring protocol vlan 200

Follow these steps to configure the protocol group 200

In the protocol group config section specify the following parameters 200

Protocol vlan group and 200

To load the following page 200

Before configuring protocol vlan create an 802 q vlan and set the port type according to network requirements for details refer to configuring 802 q vlan 201

Configuring 802 q vlan 201

Creating a protocol template 201

Follow these steps to create a protocol template 201

Select the desired ports click create 201

Using the cli 201

Arp ethernetii ether type 0806 202

At snap ether type 809b 202

Configuring protocol vlan 202

Follow these steps to configure protocol vlan 202

Index protocol name protocol type 202

Ip ethernetii ether type 0800 202

Ipv6 ethernetii ether type 86dd 202

Ipx snap ether type 8137 202

Rarp ethernetii ether type 8035 202

Switch config end 202

Switch config protocol vlan template name ipv6 frame ether_2 ether type 86dd 202

Switch config show protocol vlan template 202

Switch configure 202

Switch copy running config startup config 202

The following example shows how to create an ipv6 protocol template 202

Arp ethernetii ether type 0806 203

At snap ether type 809b 203

Index protocol name protocol type 203

Index protocol name vid priority member 203

Ip ethernetii ether type 0800 203

Ipv6 10 0 203

Ipv6 ethernetii ether type 86dd 203

Ipx snap ether type 8137 203

Rarp ethernetii ether type 8035 203

Switch config if protocol vlan group 1 203

Switch config if show protocol vlan vlan 203

Switch config interface gigabitethernet 1 0 2 203

Switch config protocol vlan vlan 10 priority 5 template 6 203

Switch config show protocol vlan template 203

Switch config show protocol vlan vlan 203

Switch configure 203

The following example shows how to bind the ipv6 protocol template to vlan 10 and add port 1 0 2 to protocol vlan 203

A company uses both ipv4 and ipv6 hosts and these hosts access the ipv4 network and ipv6 network respectively via different routers it is required that ipv4 packets are forwarded to the ipv4 network ipv6 packets are forwarded to the ipv6 network and other packets are dropped 205

Configuration example 205

Configuration scheme 205

Network requirements 205

The figure below shows the network topology the ipv4 host belongs to vlan 10 the ipv6 host belongs to vlan 20 and these hosts access the network via switch 1 switch 2 is connected to two routers to access the ipv4 network and ipv6 network respectively the routers belong to vlan 10 and vlan 20 respectively 205

You can configure protocol vlan on port 1 0 1 of switch 2 to meet this requirement when this port receives packets switch 2 will forward them to the corresponding vlans according to their protocol types the overview of the configuration on switch 2 is as follows 205

Using the gui 207

Configurations for switch 1 212

Create vlan 10 and vlan 20 212

To save the settings 212

Using the cli 212

Verify the configurations 215

Appendix default parameters 217

Default settings of protocol vlan are listed in the following table 217

Chapters 218

Configuring gvrp 218

Part 9 218

Gvrp garp vlan registration protocol is a garp generic attribute registration protocol application that allows registration and deregistration of vlan attribute values and dynamic vlan creation 219

Overview 219

The configuration may seem easy in this situation however for a larger or more complex network such manual configuration would be time costing and fallible gvrp can be used to implement dynamic vlan configuration with gvrp the switch can exchange vlan configuration information with the adjacent gvrp switches and dynamically create and manage the vlans this reduces vlan configuration workload and ensures correct vlan configuration 219

Without gvrp operating configuring the same vlan on a network would require manual configuration on each device as shown in figure 1 1 switch a b and c are connected through trunk ports vlan 10 is configured on switch a and vlan 1 is configured on switch b and switch c switch c can receive messages sent from switch a in vlan 10 only when the network administrator has manually created vlan 10 on switch b and switch c 219

Configuration guidelines 220

Gvrp configuration 220

Follow these steps to configure gvrp 221

Gvrp config to load the following page 221

In the gvrp section enable gvrp globally then click apply 221

In the port config section select one or more ports set the status as enable and configure the related parameters according to your needs 221

Using the gui 221

Click apply 222

Using the cli 222

Configuration example 225

Configuration scheme 225

Demonstrated with t1600g 28ts the following sections provide configuration procedure in two ways using the gui and using the cli 225

Department a and department b of a company are connected using switches offices of one department are distributed on different floors as shown in figure 3 1 the network topology is complicated configuration of the same vlan on different switches is required so that computers in the same department can communicate with each other 225

Network requirements 225

The two departments are in separate vlans to make sure the switches only dynamically create vlan of their own department you need to set the registration mode for ports on switch 1 to switch 4 as fixed to prevents dynamic registration and deregistration of vlans and allow the port to transmit only the static vlan registration information 225

To configure dynamic vlan creation on other switches set the registration mode of the corresponding ports as normal to allow dynamic registration and deregistration of vlans 225

To reduce manual configuration and maintenance workload gvrp can be enabled to implement dynamic vlan registration and update on the switches 225

When configuring gvrp please note the following 225

Using the gui 226

Using the cli 230

Verify the configuration 232

Appendix default parameters 234

Default settings of gvrp are listed in the following tables 234

Chapters 235

Configuring layer 2 multicast 235

Part 10 235

Layer 2 multicast 236

Overview 236

A member port is a port on snooping switch that is connecting to the host 237

A router port is a port on snooping switch that is connecting to the igmp querier 237

A snooping switch indicates a switch with igmp snooping enabled the switch maintains a multicast forwarding table by snooping on the igmp transmissions between the host and the querier with the multicast forwarding table the switch can forward multicast data only to the ports that are in the corresponding multicast group so as to constrain the flooding of multicast data in the layer 2 network 237

An igmp querier is a multicast router a router or a layer 3 switch that sends query messages to maintain a list of multicast group memberships for each attached network and a timer for each membership 237

Demonstrated as below 237

Igmp querier 237

Member port 237

Normally only one device acts as querier per physical network if there are more than one multicast router in the network a querier election process will be implemented to determine which one acts as the querier 237

Router port 237

Snooping switch 237

The following basic concepts of igmp snooping will be introduced igmp querier snooping switch router port and member port 237

Layer 2 multicast protocol for ipv4 igmp snooping 238

Layer 2 multicast protocol for ipv6 mld snooping 238

Multicast filtering 238

Multicast vlan registration mvr 238

Supported features 238

Configuring igmp snooping globally 239

Igmp snooping configuration 239

Using the gui 239

And click 240

Before configuring igmp snooping for vlans set up the vlans that the router ports and the member ports are in for details please refer to configuring 802 q vlan 240

Choose the menu 240

Click apply 240

Configuring igmp snooping for vlans 240

Global config 240

Igmp vlan confi 240

In your desired vlan entry in the 240

Section to load the following page 240

The switch supports configuring igmp snooping on a per vlan basis after igmp snooping is enabled globally you also need to enable igmp snooping and configure the corresponding parameters for the vlans that the router ports and the member ports are in 240

Enable igmp snooping for the vlan and configure the corresponding parameters 241

Follow these steps to configure igmp snooping for a specific vlan 241

Click save 243

Click apply 244

Configuring hosts to statically join a group 244

Configuring igmp snooping for ports 244

Enable igmp snooping for the port and enable fast leave if there is only one receiver connected to the port 244

Follow these steps to configure igmp snooping for ports 244

Following page 244

Hosts or layer 2 ports normally join multicast groups dynamically but you can also configure hosts to statically join a group 244

Port confi 244

To load the 244

Choose the menu 245

Click create 245

Configuring igmp snooping globally 245

Follow these steps to configure hosts to statically join a group 245

Follow these steps to configure igmp snooping globally 245

Specify the multicast ip address vlan id select the ports to be the static member ports of the multicast group 245

Static group config 245

To load the following page 245

Using the cli 245

Switch config ip igmp snooping 246

Switch config ip igmp snooping drop unknown 246

Switch config ip igmp snooping version v3 246

Switch config ipv6 mld snooping 246

Switch configure 246

The following example shows how to enable igmp snooping and header validation globally and specify the igmp snooping version as igmpv3 the way how the switch processes multicast streams that are sent to unknown multicast groups as discard 246

Before configuring igmp snooping for vlans set up the vlans that the router ports and the member ports are in for details please refer to configuring 802 q vlan 247

Configuring igmp snooping for vlans 247

Follow these steps to configure igmp snooping for vlans 247

Header validation enable 247

Igmp snooping enable 247

Igmp version v3 247

Switch config end 247

Switch config ip igmp snooping header validation 247

Switch config show ip igmp snooping 247

Switch copy running config startup config 247

The switch supports configuring igmp snooping on a per vlan basis after igmp snooping is enabled globally you also need to enable igmp snooping and configure the corresponding parameters for the vlans that the router ports and the member ports are in 247

Unknown multicast discard 247

Switch configure 250

The following example shows how to enable igmp snooping for vlan 1 and configure the member port aging time as 300 seconds the router port aging time as 320 seconds and then enable fast leave and report suppression for the vlan 250

Configuring igmp snooping for ports 252

Follow these steps to configure igmp snooping for ports 252

General query source ip 192 68 252

Last member query count 3 252

Last member query interval 2 252

Query interval 100 252

Switch config end 252

Switch configure 252

Switch copy running config startup config 252

The following example shows how to enable igmp snooping and fast leave for port 1 0 1 3 252

Configuring hosts to statically join a group 253

Follow these steps to configure hosts to statically join a group 253

Gi1 0 1 enable enable 253

Gi1 0 2 enable enable 253

Gi1 0 3 enable enable 253

Hosts or layer 2 ports normally join multicast groups dynamically but you can also configure hosts to statically join a group 253

Port igmp snooping fast leave 253

Switch config if range end 253

Switch config if range ip igmp snooping 253

Switch config if range ip igmp snooping immediate leave 253

Switch config if range show ip igmp snooping interface gigabitethernet 1 0 1 3 253

Switch config interface range fastehternet 1 0 1 3 253

Switch configure 253

Switch copy running config startup config 253

The following example shows how to configure port 1 0 1 3 in vlan 2 to statically join the multicast group 239 253

Configuring mld snooping globally 255

Mld snooping configuration 255

Using the gui 255

Configuring mld snooping for vlans 256

Click apply 259

Click save 259

Configuring mld snooping for ports 259

Enable mld snooping for the port and enable fast leave if there is only one receiver connected to the port 259

Follow these steps to configure mld snooping for ports 259

Following page 259

Port config to load the 259

Choose the menu 260

Click create 260

Configuring hosts to statically join a group 260

Configuring mld snooping globally 260

Follow these steps to configure hosts to statically join a group 260

Follow these steps to configure mld snooping globally 260

Hosts or layer 2 ports normally join multicast groups dynamically but you can also configure hosts to statically join a group 260

Specify the multicast ip address vlan id select the ports to be the static member ports of the multicast group 260

Static group config 260

To load the following page 260

Using the cli 260

Before configuring mld snooping for vlans set up the vlans that the router ports and the member ports are in for details please refer to configuring 802 q vlan 261

Configuring mld snooping for vlans 261

Mld snooping enable 261

Switch config end 261

Switch config ipv6 mld snooping 261

Switch config ipv6 mld snooping drop unknown 261

Switch config show ipv6 mld snooping 261

Switch configure 261

Switch copy running config startup config 261

The following example shows how to enable mld snooping globally and the way how the switch processes multicast streams that are sent to unknown multicast groups as discard 261

The switch supports configuring mld snooping on a per vlan basis after mld snooping is enabled globally you also need to enable mld snooping and configure the corresponding parameters for the vlans that the router ports and the member ports are in 261

Unknown multicast discard 261

Follow these steps to configure mld snooping for vlans 262

Switch config ipv6 mld snooping vlan config 1 mtime 300 264

Switch configure 264

The following example shows how to enable mld snooping for vlan 1 and configure the member port aging time as 300 seconds the router port aging time as 320 seconds and then enable fast leave and report suppression for the vlan 264

Configuring mld snooping for ports 266

Follow these steps to configure mld snooping for ports 266

General query source ip fe80 1 266

Last member query count 3 266

Last member query interval 2 266

Switch config end 266

Switch config if range ipv6 mld snooping 266

Switch config interface range fastehternet 1 0 1 3 266

Switch configure 266

Switch copy running config startup config 266

The following example shows how to enable mld snooping and fast leave for port 1 0 1 3 266

Configuring hosts to statically join a group 267

Follow these steps to configure hosts to statically join a group 267

Gi1 0 1 enable enable 267

Gi1 0 2 enable enable 267

Gi1 0 3 enable enable 267

Hosts or layer 2 ports normally join multicast groups dynamically but you can also configure hosts to statically join a group 267

Port mld snooping fast leave 267

Switch config if range end 267

Switch config if range ipv6 mld snooping immediate leave 267

Switch config if range show ipv6 mld snooping interface gigabitethernet 1 0 1 3 267

Switch config ipv6 mld snooping vlan config 2 static ff80 1234 01 interface gigabitethernet 1 0 1 3 267

Switch config show ipv6 mld snooping groups static 267

Switch configure 267

Switch copy running config startup config 267

The following example shows how to configure port 1 0 1 3 in vlan 2 to statically join the multicast group ff80 1234 01 267

Configuring 802 q vlans 269

Mvr configuration 269

Using the gui 269

Choose the menu 270

Click apply 270

Configuring mvr globally 270

Enable mvr globally and configure the global parameters 270

Follow these steps to configure mvr globally 270

Mvr config 270

To load the following page 270

Adding multicast groups to mvr 271

And click 271

Click create 271

Follow these steps to add multicast groups to mvr 271

Mvr group config 271

Specify the ip address of the multicast groups 271

Then the added multicast groups will appear in the mvr group table as the following figure shows 271

To load the following page 271

You need to manually add multicast groups to the mvr choose the menu 271

Choose the menu 272

Configuring mvr for the port 272

Enable mvr and configure the port type and fast leave feature for the port 272

Follow these steps to add multicast groups to mvr 272

Port config 272

Select one or more ports to configure 272

To load the following page 272

And click 273

Choose the menu 273

Click apply 273

Follow these steps to statically add ports to an mvr group 273

Optional adding ports to mvr groups statically 273

Select the ports to add them to the mvr group 273

Static group members 273

You can add only receiver ports to mvr groups statically the switch adds or removes receiver ports to the corresponding multicast groups by snooping the report and leave messages from the hosts you can also statically add a receiver port to an mvr group 273

Your desired mvr group entry to load the following page 273

Before configuring mvr create an 802 q vlan as the multicast vlan add the all source ports to the multicast vlan as tagged ports configure 802 q vlans for the receiver ports according to network requirements note that receiver ports can only belong to one vlan and cannot be added to the multicast vlan for details refer to configuring 802 q vlan 274

Click save 274

Configuring 802 q vlans 274

Configuring mvr globally 274

Follow these steps to configure mvr globally 274

Using the cli 274

Mvr current multicast groups 3 275

Mvr enable 275

Mvr global query response time 5 tenths of sec 275

Mvr max multicast groups 256 275

Mvr mode type compatible 275

Mvr multicast vlan 2 275

Switch config mvr group 239 3 275

Switch config mvr mode compatible 275

Switch config mvr querytime 5 275

Switch config mvr vlan 2 275

Switch config show mvr 275

Switch config show mvr members 275

Switch configure 275

The following example shows how to enable mvr globally and configure the mvr mode as compatible the multicast vlan as vlan 2 and the query response time as 5 tenths of a second then add 239 239 to mvr group 275

Active 276

Configuring mvr for the ports 276

Follow these steps to configure mvr for the ports 276

Mvr group ip status members 276

Switch config end 276

Switch copy running config startup config 276

Creating the multicast profile 279

Multicast filtering configuration 279

Using the gui 279

Follow these steps to create a profile 280

In the general config section specify the profile id and mode 280

In the ip range section click 280

To load the following page configure the start ip address and end ip address of the multicast groups to be filtered and click create 280

Configure multicast filtering for ports 281

Click apply 282

Creating igmp profile multicast profile for ipv4 282

Creating the multicast profile 282

Follow these steps to bind the profile to ports and configure the corresponding parameters for the ports 282

Select one or more ports to configure 282

Specify the profile to be bound and configure the maximum groups the port can join and the overflow action 282

Using the cli 282

You can create multicast profiles for both ipv4 and ipv6 network with multicast profile the switch can define a blacklist or whitelist of multicast groups so as to filter multicast sources 282

Creating mld profile multicast profile for ipv6 283

Igmp profile 1 283

Range 226 226 0 283

Switch config end 283

Switch config igmp profile deny 283

Switch config igmp profile range 226 226 0 283

Switch config igmp profile show ip igmp profile 283

Switch config ip igmp profile 1 283

Switch config ip igmp snooping 283

Switch configure 283

Switch copy running config startup config 283

The following example shows how to configure profile 1 so that the switch filters multicast streams sent to 226 226 0 283

Mld profile 1 284

Range ff01 1234 5 ff01 1234 8 284

Switch config end 284

Switch config ipv6 mld profile 1 284

Switch config ipv6 mld snooping 284

Switch config mld profile deny 284

Switch config mld profile range ff01 1234 5 ff01 1234 8 284

Switch config mld profile show ipv6 mld profile 284

Switch configure 284

Switch copy running config startup config 284

The following example shows how to configure profile 1 so that the switch filters multicast streams sent to ff01 1234 5 ff01 1234 8 284

Binding the igmp profile to ports 285

Binding the profile to ports 285

You can bind the created igmp profile or mld profile to ports and configure the number of multicast groups a port can join and the overflow action 285

Binding port s 286

Binding the mld profile to ports 286

Gi1 0 2 286

Gi1 0 2 50 drops 286

Igmp profile 1 286

Port max groups overflow action 286

Switch config end 286

Switch config if ip igmp filter 1 286

Switch config if ip igmp snooping 286

Switch config if ip igmp snooping max groups 50 286

Switch config if ip igmp snooping max groups action drop 286

Switch config if show ip igmp profile 286

Switch config if show ip igmp snooping interface gigabitethernet 1 0 2 max groups 286

Switch config interface gigabitethernet 1 0 2 286

Switch configure 286

Switch copy running config startup config 286

The following example shows how to bind the existing profile 1 to port 1 0 2 and specify the maximum number of multicast groups that port 1 0 2 can join as 50 and the overflow action as drop 286

Binding port s 287

Mld profile 1 287

Switch config if ipv6 mld filter 1 287

Switch config if ipv6 mld snooping 287

Switch config if ipv6 mld snooping max groups 50 287

Switch config if ipv6 mld snooping max groups action drop 287

Switch config if show ipv6 mld profile 287

Switch config interface gigabitethernet 1 0 2 287

Switch configure 287

The following example shows how to bind the existing profile 1 to port 1 0 2 and specify the maximum number of multicast groups that port 1 0 2 can join as 50 and the overflow action as drop 287

Using the gui 289

Viewing ipv4 multicast table 289

Viewing multicast snooping information 289

Follow these steps to view ipv4 multicast statistics on each port 290

In the port statistics section view ipv4 multicast statistics on each port 290

Ipv4 multicast statistics to load the following page 290

To get the real time multicast statistics enable auto refresh or click refresh 290

Viewing ipv4 multicast statistics on each port 290

Ipv6 multicast table to load the following pag 291

The multicast ip address table shows all valid multicast ip vlan port entries 291

Viewing ipv6 multicast table 291

Follow these steps to view ipv6 multicast statistics on each port 292

In the port statistics section view ipv6 multicast statistics on each port 292

Ipv6 multicast statistics to load the following page 292

To get the real time ipv6 multicast statistics enable auto refresh or click refresh 292

Viewing ipv6 multicast statistics on each port 292

Using the cli 293

Viewing ipv4 multicast snooping information 293

Viewing ipv6 multicast snooping configurations 293

Configuration examples 294

Configuration scheme 294

Example for configuring basic igmp snooping 294

Network requirements 294

Using the gui 295

Using the cli 297

Verify the configurations 298

Example for configuring mvr 299

Network requirements 299

Network topology 299

Add port 1 0 1 3 to vlan 10 vlan 20 and vlan 30 as untagged ports respectively and configure the pvid of port 1 0 1 as 10 port 1 0 2 as 20 port 1 0 3 as 30 make sure port1 0 1 3 only belong to vlan 10 vlan 20 and vlan 30 respectively for details refer to configuring 802 q vlan 300

As the hosts are in different vlans in igmp snooping the querier need to duplicate multicast streams for hosts in each vlan to avoid duplication of multicast streams being sent between querier and the switch you can configure mvr on the switch 300

Configuration scheme 300

Demonstrated with t1500 28pct this section provides configuration procedures in two ways using the gui and using the cli 300

Internet 300

The switch can work in either mvr compatible mode or mvr dynamic mode when in compatible mode remember to statically configure the querier to transmit the streams of multicast group 225 to the switch via the multicast vlan here we take the mvr dynamic mode as an example 300

Using the gui 300

To load the following page create vlan 40 and add port 1 0 4 to the vlan as tagged port 301

Vlan config and click 301

Using the cli 303

Verify the configurations 305

Example for configuring unknown multicast and fast leave 306

Network requirement 306

Configuration scheme 307

Using the gui 307

Using the cli 309

Configuration scheme 310

Example for configuring multicast filtering 310

Network requirements 310

Verify the configurations 310

As shown in the following network topology host b is connected to port 1 0 1 host c is connected to port 1 0 2 and host d is connected to port 1 0 3 they are all in vlan 10 311

Create vlan 10 add port 1 0 1 3 to the vlan as untagged port and port 1 0 4 as tagged port configure the pvid of the four ports as 10 for details refer to configuring 802 q vlan 311

Demonstrated with t1500 28pct this section provides configuration procedures in two ways using the gui and using the cli 311

Global config to load the following page in the global config section enable igmp snooping globally 311

Internet 311

Network topology 311

Using the gui 311

In the igmp vlan config section click 312

In vlan 10 to load the following page enable igmp snooping for vlan 10 312

Using the cli 315

Verify the configurations 317

Appendix default parameters 318

Default parameters for igmp snooping 318

Default parameters for mld snooping 319

Default parameters for multicast filtering 320

Default parameters for mvr 320

Chapters 321

Configuring spanning tree 321

Part 11 321

Basic concepts 322

Overview 322

Spanning tree 322

Stp rstp concepts 322

Bridge id 323

Port role 323

Root bridge 323

Port status 324

Path cost 325

Root path cost 325

Mst region 326

Mstp concepts 326

Mst instance 327

Stp security 327

Vlan instance mapping 327

Configuring stp rstp parameters on ports 330

Stp rstp configurations 330

Using the gui 330

In the port config section configure stp rstp parameters on ports 331

Click apply 332

Configuring stp rstp globally 332

Stp config to load the following page 332

Follow these steps to configure stp rstp globally 333

In the parameters config section configure the global parameters of stp rstp and click apply 333

In the global config section enable spanning tree function choose the stp mode as stp rstp and click apply 334

Stp summary to load the following page 334

Verify the stp rstp information of your switch after all the configurations are finished 334

Verifying the stp rstp configurations 334

The stp summary section shows the summary information of spanning tree 335

Configuring stp rstp parameters on ports 336

Follow these steps to configure stp rstp parameters on ports 336

Using the cli 336

Configuring global stp rstp parameters 338

This example shows how to configure the priority of the switch as 36864 the forward delay as 12 seconds 339

Enable rstp 36864 2 12 20 5 20 340

Enabling stp rstp globally 340

Follow these steps to configure the spanning tree mode as stp rstp and enable spanning tree function globally 340

State mode priority hello time fwd time max age hold count max hops 340

Switch config end 340

Switch config show spanning tree bridge 340

Switch config spanning tree 340

Switch config spanning tree mode rstp 340

Switch config spanning tree priority 36864 340

Switch config spanning tree timer forward time 12 340

Switch configure 340

Switch copy running config startup config 340

This example shows how to enable spanning tree function configure the spanning tree mode as rstp and verify the configurations 340

Configuring parameters on ports in cist 342

Mstp configurations 342

Using the gui 342

Follow these steps to configure parameters on ports in cist 343

In the port config section configure the parameters on ports 343

Besides configure the priority of the switch the priority and path cost of ports in the desired instance 345

Click apply 345

Configure the region name revision level vlan instance mapping of the switch the switches with the same region name the same revision level and the same vlan instance mapping are considered as in the same region 345

Configuring the mstp region 345

Configuring the region name and revision level 345

Follow these steps to create an mst region 345

In the region config section set the name and revision level to specify an mstp region 345

Region config to load the following page 345

Configure port parameters in the desired instance 347

Configuring parameters on ports in the instance 347

Follow these steps to configure port parameters in the instance 347

In the instance port config section select the desired instance id 347

Instance port config to load the following page 347

Configuring mstp globally 349

Follow these steps to configure mstp globally 349

In the parameters config section configure the global parameters of mstp and click apply 349

Stp config to load the following page 349

In the global config section enable spanning tree function and choose the stp mode as mstp and click apply 350

Stp summary to load the following page 351

The stp summary section shows the summary information of cist 351

Verifying the mstp configurations 351

Configuring parameters on ports in cist 352

Follow these steps to configure the parameters of the port in cist 352

The mstp instance summary section shows the information in mst instances 352

Using the cli 352

Configuring the mstp region 354

Switch configure 355

This example shows how to create an mst region of which the region name is r1 the revision level is 100 and vlan 2 vlan 6 are mapped to instance 5 355

7 4094 356

Configuring the parameters on ports in instance 356

Follow these steps to configure the priority and path cost of ports in the specified instance 356

Mst instance vlans mapped 356

Region name r1 356

Revision 100 356

Switch config mst end 356

Switch config mst instance 5 vlan 2 6 356

Switch config mst name r1 356

Switch config mst revision 100 356

Switch config mst show spanning tree mst configuration 356

Switch config spanning tree mst configuration 356

Switch copy running config startup config 356

Configuring global mstp parameters 357

Follow these steps to configure the global mstp parameters of the switch 357

Gi1 0 3 144 200 n a lnkdwn n a 357

Gi1 0 3 enable 32 auto auto no no auto n a n a lnkdwn n a 357

Interface prio cost role status lag 357

Interface state prio ext cost int cost edge p2p mode role status lag 357

Mst instance 0 cist 357

Mst instance 5 357

Switch config if end 357

Switch config if show spanning tree interface gigabitethernet 1 0 3 357

Switch config if spanning tree mst instance 5 port priority 144 cost 200 357

Switch config interface gigabitethernet 1 0 3 357

Switch configure 357

Switch copy running config startup config 357

This example shows how to configure the priority as 144 the path cost as 200 of port 1 0 3 in instance 5 357

Enable mstp 36864 2 12 20 8 25 359

Enabling spanning tree globally 359

Follow these steps to configure the spanning tree mode as mstp and enable spanning tree function globally 359

State mode priority hello time fwd time max age hold count max hops 359

Switch config if end 359

Switch config if show spanning tree bridge 359

Switch config if spanning tree hold count 8 359

Switch config if spanning tree max hops 25 359

Switch config if spanning tree timer forward time 12 359

Switch config spanning tree priority 36864 359

Switch configure 359

Switch copy running config startup config 359

This example shows how to configure the cist priority as 36864 the forward delay as 12 seconds the hold count as 8 and the max hop as 25 359

Configure the port protect features for the selected ports and click apply 362

Stp security configurations 362

Stp security to load the following page 362

Using the gui 362

Configuring the stp security 363

Follow these steps to configure the root protect feature bpdu protect feature and bpdu filter feature for ports 363

Using the cli 363

Gi1 0 3 enable enable enable enable disable enable 365

Interface bpdu filter bpdu guard loop protect root protect tc protect bpdu flood 365

Switch config if end 365

Switch config if show spanning tree interface security gigabitethernet 1 0 3 365

Switch config if spanning tree bpdufilter 365

Switch config if spanning tree bpduguard 365

Switch config if spanning tree guard loop 365

Switch config if spanning tree guard root 365

Switch config interface gigabitethernet 1 0 3 365

Switch configure 365

Switch copy running config startup config 365

This example shows how to enable loop protect root protect bpdu filter and bpdu protect functions on port 1 0 3 365

As shown in figure 5 1 the network consists of three switches traffic in vlan 101 vlan 106 is transmitted in this network the link speed between the switches is 100mb s the default path cost of the port is 200000 366

Configuration example for mstp 366

Configuration scheme 366

Here we configure two instances to meet the requirement as is shown below 366

It is required that traffic in vlan 101 vlan 103 and traffic in vlan 104 vlan 106 should be transmitted along different paths 366

Mstp backwards compatible with stp and rstp can map vlans to instances to implement load balancing thus providing a more flexible method in network management here we take the mstp configuration as an example 366

Network requirements 366

To meet this requirement you are suggested to configure mstp function on the switches map the vlans to different instances to ensure traffic can be transmitted along the respective instance 366

Using the gui 367

Using the cli 373

Verify the configurations 375

Appendix default parameters 380

Default settings of the spanning tree feature are listed in the following table 380

Chapters 382

Configuring lldp 382

Part 12 382

Overview 383

Supported features 383

Configuring lldp globally 384

Lldp configurations 384

Using the gui 384

Follow these steps to configure the lldp feature globally 385

In the global config section enable lldp you can also enable the switch to forward lldp messages when lldp function is disabled click apply 385

In the parameter config section configure the lldp parameters click apply 385

Configure the admin status and notification mode for the port 386

Configuring lldp for the port 386

Follow these steps to configure the lldp feature for the interface 386

Port config to load the following page 386

Select one or more ports to configure 386

Select the tlvs type length value included in the lldp packets according to your needs 386

Click apply 387

Enable the lldp feature on the switch and configure the lldp parameters 387

Global config 387

Using the cli 387

Switch config lldp 388

Switch config lldp hold multiplier 4 388

Switch config lldp timer tx interval 30 388

Switch configure 388

The following example shows how to configure the following parameters lldp timer 4 tx interval 30 seconds tx delay 2 seconds reinit delay 3 seconds notify iinterval 5 seconds fast count 3 388

Fast packet count 3 389

Initialization delay 2 seconds 389

Lldp forward message disabled 389

Lldp med fast start repeat count 4 389

Lldp status enabled 389

Port config 389

Select the desired port and set its admin status notification mode and the tlvs included in the lldp packets 389

Switch config end 389

Switch config lldp timer fast count 3 389

Switch config lldp timer notify interval 5 389

Switch config lldp timer reinit delay 3 389

Switch config lldp timer tx delay 2 389

Switch config show lldp 389

Switch copy running config startup config 389

Trap notification interval 5 seconds 389

Ttl multiplier 4 389

Tx delay 2 seconds 389

Tx interval 30 seconds 389

Configuring lldp globally 392

Configuring lldp med globally 392

Lldp med configurations 392

Using the gui 392

Configuring lldp med for ports 393

Global config 395

Lldp status enabled 395

Switch config lldp 395

Switch config lldp med fast count 4 395

Switch config show lldp 395

Switch configure 395

The following example shows how to configure lldp med fast count as 4 395

Tx interval 30 seconds 395

Using the cli 395

Fast packet count 3 396

Initialization delay 2 seconds 396

Lldp med fast start repeat count 4 396

Port config 396

Select the desired port enable lldp med and select the tlvs type length value included in the outgoing lldp packets according to your needs 396

Switch config end 396

Switch copy running config startup config 396

Trap notification interval 5 seconds 396

Ttl multiplier 4 396

Tx delay 2 seconds 396

Using gui 399

Viewing lldp device info 399

Viewing lldp settings 399

Follow these steps to view the local information 400

In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 400

In the local info section select the desired port and view its associated local device information 400

Viewing lldp statistics 403

In the neighbors statistics section view the statistics of the corresponding port 404

Using cli 404

Viewing lldp statistics 404

Viewing the local info 404

Viewing the neighbor info 404

Using gui 405

Viewing lldp med settings 405

Follow these steps to view lldp med local information 406

In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 406

In the lldp med local info section select the desired port and view the lldp med settings 406

Follow these steps to view lldp med neighgbor information 407

In the auto refresh section enable the auto refresh feature and set the refresh rate according to your needs click apply 407

In the neighbor info section select the desired port and view the lldp med settings 407

Neighbor info to load the following page 407

Viewing the neighbor info 407

Using cli 408

Viewing lldp statistics 408

Viewing the local info 408

Viewing the neighbor info 408

Configuration example 409

Configuration scheme 409

Network requirements 409

Network topology 409

Using the gui 409

Using cli 410

Verify the configurations 411

Appendix default parameters 417

Default lldp med settings 417

Default lldp settings 417

Default settings of lldp are listed in the following tables 417

Chapters 418

Configuring dhcp service 418

Part 13 418

Dhcp relay 419

Overview 419

Supported features 419

As the following figure shows no ip addresses are assigned to vlan 10 and vlan 20 the switch uses ip address of the default agent interface 192 68 24 to apply for ip addresses for clients in both vlan 10 and vlan 20 as a result the dhcp server will assign ip addresses on 192 68 24 the same subnet with the ip address of the default agent interface to clients in both vlan 10 and vlan 20 420

Dhcp l2 relay 420

Unlike dhcp relay dhcp l2 relay is used in the situation that the dhcp server and client are in the same vlan in dhcp l2 relay in addition to normally assigning ip addresses to clients from the dhcp server the switch can record the location information of the dhcp client using option 82 the switch can add option 82 to the dhcp request packet and then transmit the packet to the dhcp server the dhcp server which supports option 82 can set the distribution policy of ip addresses and the other parameters providing a more flexible address distribution way 420

Dhcp relay configuration 421

Enabling dhcp relay and configuring option 82 421

Using the gui 421

Optional in the option 82 config section configure option 82 422

Configuring dhcp vlan relay 423

Enabling dhcp relay 424

Follow these steps to enable dhcp relay and configure the corresponding parameters 424

Specify the vlan that the clients belong to and the ip address of the dhcp server click create 424

Switch config service dhcp relay 424

Switch configure 424

The following example shows how to enable dhcp relay configure the relay hops as 5 and configure the relay time as 10 seconds 424

Using the cli 424

Dhcp relay state enabled 425

Follow these steps to configure option 82 425

Optional configuring option 82 425

Switch config end 425

Switch config show ip dhcp relay 425

Switch copy running config startup config 425

Configuring dhcp vlan relay 426

Follow these steps to configure dhcp vlan relay 426

Gi1 0 7 enable replace normal vlan20 host1 n a 426

Interface option 82 status operation strategy format circuit id remote id lag 426

Switch config if end 426

Switch config if ip dhcp relay information circut id vlan20 426

Switch config if ip dhcp relay information format normal 426

Switch config if ip dhcp relay information option 426

Switch config if ip dhcp relay information remote id host1 426

Switch config if ip dhcp relay information strategy replace 426

Switch config if show ip dhcp relay information interface gigabitethernet 1 0 7 426

Switch config interface gigabitethernet 1 0 7 426

Switch configure 426

Switch copy running config startup config 426

The following example shows how to enable option 82 on port 1 0 7 and configure the strategy as replace the format as normal the circuit id as vlan 20 and the remote id as host1 426

Dhcp vlan relay helper address is configured on the following vlan 427

Switch config end 427

Switch config if exit 427

Switch config if ip dhcp relay default interface 427

Switch config interface vlan 1 427

Switch config ip dhcp relay vlan 10 helper address 192 68 427

Switch config show ip dhcp relay 427

Switch configure 427

Switch copy running config startup config 427

The following example shows how to set vlan interface 1 the management vlan as the default relay agent interface and specify the dhcp server by entering the server address as 192 68 on vlan 10 427

Vlan 10 192 68 427

Vlan helper address 427

Dhcp l2 relay configuration 428

Enabling dhcp l2 relay 428

Using the gui 428

Configuring option 82 for ports 429

Follow these steps to enable dhcp relay and configure option 82 429

Port config to load the following page 429

Select one or more ports to configure option 82 429

Click apply 430

Enabling dhcp relay 430

Follow these steps to enable dhcp l2 relay 430

Switch config ip dhcp l2relay 430

Switch configure 430

The following example shows how to enable dhcp l2 relay globally and for vlan 2 430

Using the cli 430

Configuring option 82 for ports 431

Follow these steps to configure option 82 431

Global status enable 431

Switch config end 431

Switch config ip dhcp l2relay vlan 2 431

Switch config show ip dhcp l2relay 431

Switch copy running config startup config 431

Vlan id 2 431

Gi1 0 7 enable replace normal vlan20 host1 n a 432

Interface option 82 status operation strategy format circuit id remote id lag 432

Switch config if end 432

Switch config if ip dhcp l2relay information circut id vlan20 432

Switch config if ip dhcp l2relay information format normal 432

Switch config if ip dhcp l2relay information option 432

Switch config if ip dhcp l2relay information remote id host1 432

Switch config if ip dhcp l2relay information strategy replace 432

Switch config if show ip dhcp l2relay information interface gigabitethernet 1 0 7 432

Switch config interface gigabitethernet 1 0 7 432

Switch configure 432

Switch copy running config startup config 432

The following example shows how to enable option 82 on port 1 0 7 and configure the strategy as replace the format as normal the circuit id as vlan20 and the remote id as host1 432

Configuration scheme 433

Example for dhcp vlan relay 433

Network requirements 433

Using the gui 434

Department and r d department respectively add port 1 0 1 to vlan 10 and port 1 0 2 to vlan 20 435

Using the cli 437

Verify the configurations of the dhcp relay agent 439

Appendix default parameters 440

Default settings of dhcp l2 relay are listed in the following table 440

Default settings of dhcp relay are listed in the following table 440

Chapters 442

Configuring qos 442

Part 14 442

Bandwidth control 443

Class of service 443

Overview 443

Supported features 443

Voice vlan and auto voip 443

802 p priority 445

Class of service configuration 445

Configuration guidelines 445

Dscp priority 445

Port priority 445

Click apply 446

Configuring port priority 446

Configuring the trust mode and port to 802 p mapping 446

Follow these steps to configure the parameters of the port priority 446

Port priority to load the following page 446

Select the desired ports specify the 802 p priority and set the trust mode as untrusted 446

Using the gui 446

Configuring the 802 p to queue mapping 447

In the 802 p to queue mapping section configure the mappings and click apply 447

P priority to load the following page 447

Configuring 802 p priority 448

Configuring the 802 p to queue mapping and 802 p remap 449

Follow these steps to configure the parameters of the 802 p priority 449

In the 802 p to queue mapping section configure the mappings and click apply 449

Optional in the 802 p remap section configure the 802 p to 802 p mappings and click apply 449

P priority to load the following page 449

Click apply 450

Configuring dscp priority 450

Configuring the trust mode 450

Follow these steps to configure the trust mode 450

Port priority to load the following page 450

Select the desired ports and set the trust mode as trust dscp 450

Configuring the 802 p to queue mapping 451

In the 802 p to queue mapping section configure the mappings and click apply 451

P priority to load the following page 451

Click apply 452

Configuring the dscp to 802 p mapping and the dscp remap 452

Dscp priority to load the following page 452

Follow these steps to configure the dscp priority 452

In the dscp priority config section configure the dscp to 802 p mapping and the dscp remap 452

Specifying the scheduler settings 453

Click apply 454

Configuring port priority 454

Configuring the trust mode and the port to 802 p mapping 454

Follow these steps to configure the trust mode and the port to 802 p mapping 454

Using cli 454

Configuring the 802 p to queue mapping 455

Follow these steps to configure the 802 p to queue mapping 455

Configuring 802 p priority 456

Configuring the 802 p to queue mapping and 802 p remap 457

Follow these steps to configure the 802 p to queue mapping and 802 p remap 457

Configuring dscp priority 459

Configuring the 802 p to queue mapping 459

Configuring the trust mode 459

Dot1p remap 0 3 2 3 4 5 6 7 n a 459

Follow these steps to configure the 802 p to queue mapping 459

Follow these steps to configure the trust mode 459

Switch config end 459

Switch copy running config startup config 459

Configuring the dscp to 802 p mapping and dscp remp 460

Follow these steps to configure the dscp to 802 p mapping and dscp remap 460

Dscp 16 17 18 19 20 21 22 23 463

Dscp 24 25 26 27 28 29 30 31 463

Dscp 32 33 34 35 36 37 38 39 463

Dscp 40 41 42 43 44 45 46 47 463

Dscp 48 49 50 51 52 53 54 55 463

Dscp 56 57 58 59 60 61 62 63 463

Dscp remap value 16 17 18 19 20 21 22 23 463

Dscp remap value 24 25 26 27 28 29 30 31 463

Dscp remap value 32 33 34 35 36 37 38 39 463

Dscp remap value 40 41 42 43 44 45 46 47 463

Dscp remap value 48 49 50 51 52 53 54 55 463

Dscp remap value 56 57 58 59 60 61 62 63 463

Follow these steps to specify the scheduler settings to control the forwarding sequence of different tc queues when congestion occurs 463

Specifying the scheduler settings 463

Switch config if end 463

Switch copy running config startup config 463

Gi1 0 1 lag n a 464

Queue schedule mode weight 464

Switch config if qos queue 1 mode sp 464

Switch config if qos queue 4 mode wrr weight 5 464

Switch config if show qos queue interface gigabitethernet 1 0 1 464

Switch config interface gigabitethernet 1 0 1 464

Switch configure 464

Tc0 wrr 1 464

The following example shows how to specify the scheduler settings for port 1 0 1 set the scheduler mode of tc1 as sp mode set the scheduler mode of tc4 as wrr mode and set the queue weight as 5 464

Bandwidth control configuration 466

Configuring rate limit 466

Using the gui 466

Configuring storm control 467

Follow these steps to configure the storm control function 467

Select the desired port and configure the upper rate limit for forwarding broadcast packets multicast packets and ul frames unknown unicast frames 467

Storm control to load the following page 467

Click apply 468

Configuring rate limit 468

Follow these steps to configure the upper rate limit for the port to receive and send packets 468

Using the cli 468

Configuring storm control 469

Follow these steps to configure the upper rate limit on the port for forwarding broadcast packets multicast packets and unknown unicast frames 469

Gi1 0 5 5120 1024 n a 469

Port ingressrate kbps egressrate kbps lag 469

Switch config if bandwidth ingress 5120 egress 1024 469

Switch config if end 469

Switch config if show bandwidth interface gigabitethernet 1 0 5 469

Switch config interface gigabitethernet 1 0 5 469

Switch configure 469

Switch copy running config startup config 469

The following example shows how to configure the ingress rate as 5120 kbps and egress rate as 1024 kbps for port 1 0 5 469

Gi1 0 5 kbps 1024 0 0 shutdown 10 n a 471

Port rate mode bcrate mcrate ulrate exceed recover time lag 471

Switch config if end 471

Switch config interface gigabitethernet 1 0 5 471

Switch configure 471

Switch copy running config startup config 471

T2600g 28ts config if show storm control interface gigabitethernet 1 0 5 471

T2600g 28ts config if storm control broadcast 1024 471

T2600g 28ts config if storm control exceed shutdown recover time 10 471

T2600g 28ts config if storm control rate mode kbps 471

The following example shows how to configure the upper rate limit of broadcast packets as 1024 kbps specify the action as shutdown and set the recover time as 10 for port 1 0 5 471

Configuring oui addresses 472

Using the gui 472

Voice vlan configuration 472

Click create 473

Configuring voice vlan globally 473

Follow these steps to configure the oui addresses 473

Global config to load the following page 473

Specify the oui and the description 473

To load the following page 473

Adding ports to voice vlan 474

Click apply 474

Enable the voice vlan feature and specify the parameters 474

Follow these steps to configure voice vlan globally 474

Port config to load the following page 474

Select the desired ports and choose enable in voice vlan filed 474

Click apply 475

Follow these steps to configure voice vlan 475

Using the cli 475

Auto voip configuration 478

Configuration guidelines 478

Using the gui 478

Click apply 479

Follow these steps to configure auto voip 479

Using the cli 479

Configuration examples 483

Configuration scheme 483

Example for class of service 483

Network requirements 483

Using the gui 484

Using the cli 486

Verify the configurations 487

Example for voice vlan 488

Network requirements 488

Configuration scheme 489

Configure 802 q vlan for port 1 0 1 port 1 0 2 port 1 0 3 and port 1 0 4 489

Configure voice vlan feature on port 1 0 1 and port 1 0 2 489

Demonstrated with t2600g 28ts the following sections provide configuration procedure in two ways using the gui and using the cli 489

Internet 489

To implement this requirement you can configure voice vlan to ensure that the voice traffic can be transmitted in the same vlan and the data traffic is transmitted in another vlan in addition specify the priority to make the voice traffic can take precedence when the congestion occurs 489

To load the following page create vlan 2 and add untagged port 1 0 1 port 1 0 2 and port 1 0 4 to vlan 2 click create 489

Using the gui 489

Vlan config and click 489

Using the cli 493

Verify the configurations 495

Example for auto voip 496

Network requirements 496

Configuration scheme 497

Using the gui 497

Select port 1 0 2 set the scheduler mode as weighted and specify the queue weight as 10 for tc 7 click apply 500

Using the cli 502

Verify the configurations 503

Appendix default parameters 507

Default settings of class of service are listed in the following tables 507

Default settings of class of service are listed in the following tables 509

Default settings of voice vlan are listed in the following tables 509

Default settings of auto voip are listed in the following tables 510

Chapters 511

Configuring access security 511

Part 15 511

Access control 512

Access security 512

Overview 512

Supported features 512

Telnet 512

Access security configurations 513

Configuring the access control feature 513

Using the gui 513

In the entry table section click 514

To add an access control entry 514

When the ip based mode is selected the following window will pop up 514

When the mac based mode is selected the following window will pop up 514

Click create then you can view the created entries in the entry table 515

When the port based mode is selected the following window will pop up 515

Configuring the http function 516

Configuring the https function 518

In the ciphersuite config section select the algorithm to be enabled and click apply 519

In the number of access users section enable number control function specify the following parameters and click apply 519

In the session config section specify the session timeout and click apply 519

In the load certificate and load key section download the certificate and key 520

Configuring the ssh feature 521

Configuring the telnet function 522

Enable telnet and click apply 522

In data integrity algorithm section enable the integrity algorithm you want the switch to support and click apply 522

In import key file section select key type from the drop down list and click browse to download the desired key file 522

In the encryption algorithm section enable the encryption algorithm you want the switch to support and click apply 522

Telnet config to load the following page 522

Configuring the access control 523

Follow these steps to configure the access control 523

Using the cli 523

68 00 32 snmp telnet http https 524

Configuring the http function 524

Follow these steps to configure the http function 524

Index ip address access interface 524

Switch config end 524

Switch config show user configuration 524

Switch config user access control ip based 192 68 00 255 55 55 55 snmp telnet http https 524

Switch config user access control ip based enable 524

Switch configure 524

Switch copy running config startup config 524

The following example shows how to set the type of access control as ip based set the ip address as 192 68 00 set the subnet mask as 255 55 55 55 and make the switch support snmp telnet http and https 524

User authentication mode ip based 524

Http max users as admin 6 525

Http max users as operator 2 525

Http max users as power user 2 525

Http max users as user 2 525

Http port 80 525

Http session timeout 9 525

Http status enabled 525

Http user limitation enabled 525

Switch config end 525

Switch config ip http max user 6 2 2 2 525

Switch config ip http server 525

Switch config ip http session timeout 9 525

Switch config show ip http configuration 525

Switch configure 525

The following example shows how to set the session timeout as 9 set the maximum admin number as 6 and set the maximum operator number as 2 the maximum power user number as 2 the maximum user number as 2 525

Configuring the https function 526

Follow these steps to configure the https function 526

Switch copy running config startup config 526

Switch config ip http secure protocol ssl3 tls1 527

Switch config ip http secure server 527

Switch configure 527

The following example shows how to configure the https function enable ssl3 and tls1 protocol enable the ciphersuite of 3des ede cbc sha set the session timeout time as 15 the maximum admin number as 2 the maximum operator number as 2 the maximum power user number as 2 the maximum user number as 2 download the certificate named ca crt and the key named ca key from the tftp server with the ip address 192 68 00 527

Configuring the ssh feature 528

Begin ssh2 public key 531

Comment dsa key 20160711 531

Configuring the telnet function 531

Follow these steps enable the telnet function 531

Hmac md5 enabled 531

Key file 531

Key type ssh 2 rsa dsa 531

Switch config end 531

Switch copy running config startup config 531

Appendix default parameters 532

Default settings of access security are listed in the following tables 532

Chapters 534

Configuring aaa 534

Part 16 534

Overview 535

Aaa configuration 536

Configuration guidelines 536

Aaa application list 537

Adding radius server 537

Adding servers 537

Configure the following parameters 537

Follow these steps to add a radius server 537

Radius config and click 537

The switch supports the following access applications telnet ssh and http you can select the configured authentication method lists for each application 537

To load the following page 537

Using the gui 537

You can add one or more radius tacacs servers on the switch for authentication if multiple servers are added the server that is first added to the group has the highest priority and authenticates the users trying to access the switch the others act as backup servers in case the first one breaks down 537

Adding tacacs server 538

Click create to add the radius server on the switch 538

Click create to add the tacacs server on the switch 538

Configure the following parameters 538

Follow these steps to add a tacacs server 538

Tacacs config and click 538

To load the following page 538

And the following window will pop up 539

Click create 539

Configure the following parameters 539

Configuring server groups 539

Server group to load the following page 539

The switch has two built in server groups one for radius servers and the other for tacacs servers the servers running the same protocol are automatically added to the default server group you can add new server groups as needed 539

There are two default server groups in the list you can edit the default server groups or follow these steps to configure a new server group 539

Configuring the method list 540

Click apply 541

Click create to add the new method 541

Configuring the aaa application list 541

Follow these steps to configure the aaa application list 541

Global config to load the following page 541

In the aaa application list section select an access application and configure the login list and enable list 541

Configuring login account and enable password 542

Adding radius server 543

Adding servers 543

Follow these steps to add radius server on the switch 543

Using the cli 543

You can add one or more radius tacacs servers on the switch for authentication if multiple servers are added the server with the highest priority authenticates the users trying to access the switch and the others act as backup servers in case the first one breaks down 543

68 0 1812 1813 5 2 000aeb132397 123456 544

Adding tacacs server 544

Follow these steps to add tacacs server on the switch 544

Server ip auth port acct port timeout retransmit nas identifier shared key 544

Switch config end 544

Switch config radius server host 192 68 0 auth port 1812 timeout 8 retransmit 3 key 123456 544

Switch config show radius server 544

Switch configure 544

Switch copy running config startup config 544

The following example shows how to add a radius server on the switch set the ip address of the server as 192 68 0 the authentication port as 1812 the shared key as 123456 the timeout as 8 seconds and the retransmit number as 3 544

68 0 49 8 123456 545

Configuring server groups 545

Server ip port timeout shared key 545

Switch config end 545

Switch config show tacacs server 545

Switch config tacacs server host 192 68 0 auth port 49 timeout 8 key 123456 545

Switch configure 545

Switch copy running config startup config 545

The following example shows how to add a tacacs server on the switch set the ip address of the server as 192 68 0 the authentication port as 49 the shared key as 123456 and the timeout as 8 seconds 545

The switch has two built in server groups one for radius and the other for tacacs the servers running the same protocol are automatically added to the default server group you can add new server groups as needed 545

The two default server groups cannot be deleted or edited follow these steps to add a server group 545

Configuring the method list 546

Default local 547

Login1 radius local 547

Methodlist pri1 pri2 pri3 pri4 547

Switch config aaa authentication login login1 radius local 547

Switch config end 547

Switch config show aaa authentication login 547

Switch configure 547

Switch copy running config startup config 547

The following example shows how to create a login method list named login1 and configure the method 1 as the default radius server group and the method 2 as local 547

The following example shows how to create an enable method list named enable1 and configure the method 1 as the default radius server group and the method 2 as local 547

Configuring the aaa application list 548

Default local 548

Enable1 radius local 548

Follow these steps to apply the login and enable method lists for the application telnet 548

Methodlist pri1 pri2 pri3 pri4 548

Switch config aaa authentication enable enable1 radius local 548

Switch config end 548

Switch config show aaa authentication enable 548

Switch copy running config startup config 548

Telnet 548

You can configure authentication method lists on the following access applications telnet ssh and http 548

Follow these steps to apply the login and enable method lists for the application ssh 549

Http default default 549

Module login list enable list 549

Ssh default default 549

Switch config line enable authentication enable1 549

Switch config line end 549

Switch config line login authentication login1 549

Switch config line show aaa global 549

Switch config line telnet 549

Switch configure 549

Switch copy running config startup config 549

Telnet login1 enable1 549

The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application telnet 549

Follow these steps to apply the login and enable method lists for the application http 550

Http default default 550

Module login list enable list 550

Ssh login1 enable1 550

Switch config line enable authentication enable1 550

Switch config line end 550

Switch config line login authentication login1 550

Switch config line show aaa global 550

Switch config line ssh 550

Switch configure 550

Switch copy running config startup config 550

Telnet default default 550

The following example shows how to apply the existing login method list named login1 and enable method list named enable1 for the application ssh 550

Configuring login account and enable password 551

For enable password configuration 552

For login authentication configuration more than one login account can be created on the server besides both the user name and password can be customized 552

On radius server the user name should be set as enable and the enable password is customizable all the users trying to get administrative privileges share this enable password 552

On tacacs server configure the value of enable 15 as the enable password in the configuration file all the users trying to get administrative privileges share this enable password 552

On the server 552

Some configuration principles on the server are as follows 552

The accounts created by the radius tacacs server can only view the configurations and some network information without the enable password 552

Tips the logged in guests can get administrative privileges by using the command enable admin and providing the enable password 552

Configuration example 553

Configuration scheme 553

Network requirements 553

Using the gui 554

Using the cli 556

Verify the configuration 557

Appendix default parameters 559

Default settings of aaa are listed in the following tables 559

Chapters 561

Configuring 802 x 561

Part 17 561

Overview 562

Authentication server 563

The authentication server is usually the host running the radius server program it stores information of clients confirms whether a client is legal and informs the authenticator whether a client is authenticated 563

Configuring the radius server 564

Using the gui 564

X configuration 564

Click apply 565

Configure the parameters of the radius server 565

Configuring the radius server group 565

Follow these steps to add a radius server 565

Follow these steps to add the radius server to a server group 565

If you click 565

Server group to load the following page 565

The following window will pop up select a radius server and click save 565

To add a new server group 565

To edit the default radius server group or click 565

Configuring 802 x globally 567

Follow these steps to configure 802 x global parameters 567

Global config to load the following page 567

In the accounting dot1x method section select an existing radius server group for accounting from the pri1 drop down list and click apply 567

In the authentication dot1x method section select an existing radius server group for authentication from the pri1 drop down list and click apply 567

In the global config section configure the following parameters 567

Click apply 568

Configuring 802 x on ports 568

Follow these steps to configure 802 x authentication on the desired port 568

Port config to load the following page 568

Select one or more ports and configure the following parameters 568

Click apply 569

Authenticator state to load the following page 570

On this page you can view the authentication status of each port 570

View the authenticator state 570

Configuring the radius server 571

Follow these steps to configure radius 571

Using the cli 571

The following example shows how to enable aaa add a radius server to the server group named radius1 and apply this server group to the 802 x authentication the ip address of the radius server is 192 68 00 the shared key is 123456 the authentication port is 1812 the accounting port is 1813 572

Configuring 802 x globally 573

The following example shows how to enable 802 x authentication configure pap as the authentication method and keep other parameters as default 574

Authentication protocol pap 575

Configuring 802 x on ports 575

Follow these steps to configure the port 575

Handshake state enabled 575

Switch config dot1x auth protocol pap 575

Switch config dot1x system auth control 575

Switch config end 575

Switch config show dot1x global 575

Switch configure 575

Switch copy running config startup config 575

X accounting state disabled 575

X state enabled 575

X vlan assignment state disabled 575

Viewing authenticator state 577

Configuration example 579

Configuration scheme 579

Network requirements 579

Network topology 579

Demonstrated with t1500 28pct acting as the authenticator the following sections provide configuration procedure in two ways using the gui and using the cli 580

Internet 580

Radius config and click 580

To load the following page configure the parameters of the radius server and click create 580

Using the gui 580

Using the cli 582

Verify the configurations 583

Appendix default parameters 585

Default settings of 802 x are listed in the following table 585

Chapters 586

Configuring port security 586

Part 18 586

Overview 587

Follow these steps to configure port security 588

Port security configuration 588

Select one or more ports and configure the following parameters 588

Using the gui 588

Click apply 589

Follow these steps to configure port security 589

Using the cli 589

Switch configure 590

The following example shows how to set the maximum number of mac addresses that can be learned on port 1 0 1 as 30 enable exceed max leaned feature and configure the mode as permanent and the status as drop 590

Appendix default parameters 592

Default settings of port security are listed in the following table 592

Chapters 593

Configuring acl 593

Part 19 593

Configuration guidelines 594

Overview 594

Acl configuration 595

Configuring time range 595

Creating an acl 595

Using the gui 595

Configuring acl rules 596

Configuring mac acl rule 596

Follow these steps to configure the mac acl rule 597

In the mac acl rule section configure the following parameters 597

In the policy section enable or disable the mirroring feature for the matched packets with this option enabled choose a destination port to which the packets will be mirrored 598

In the policy section enable or disable the redirect feature for the matched packets with this option enabled choose a destination port to which the packets will be redirected 598

Click apply 599

In the policy section enable or disable the qos remark feature for the matched packets with this option enabled configure the related parameters and the remarked values will take effect in the qos processing on the switch 599

In the policy section enable or disable the rate limit feature for the matched packets with this option enabled configure the related parameters 599

Configuring ip acl rule 600

Follow these steps to configure the ip acl rule 601

In the ip acl rule section configure the following parameters 601

In the policy section enable or disable the mirroring feature for the matched packets with this option enabled choose a destination port to which the packets will be mirrored 602

In the policy section enable or disable the rate limit feature for the matched packets with this option enabled configure the related parameters 603

In the policy section enable or disable the redirect feature for the matched packets with this option enabled choose a destination port to which the packets will be redirected 603

And the following page will appear 604

Click apply 604

Click edit acl for a combined acl entry to load the following page 604

Configuring combined acl rule 604

In acl rules table section click 604

In the policy section enable or disable the qos remark feature for the matched packets with this option enabled configure the related parameters and the remarked values will take effect in the qos processing on the switch 604

Follow these steps to configure the combined acl rule 605

In the combined acl rule section configure the following parameters 605

In the policy section enable or disable the mirroring feature for the matched packets with this option enabled choose a destination port to which the packets will be mirrored 607

In the policy section enable or disable the rate limit feature for the matched packets with this option enabled configure the related parameters 607

In the policy section enable or disable the redirect feature for the matched packets with this option enabled choose a destination port to which the packets will be redirected 607

Click apply 608

In the policy section enable or disable the qos remark feature for the matched packets with this option enabled configure the related parameters and the remarked values will take effect in the qos processing on the switch 608

Configuring the ipv6 acl rule 609

Follow these steps to configure the ipv6 acl rule 610

In the ipv6 acl rule section configure the following parameters 610

Click apply 612

Click edit acl for an entry you have created and you can view the rule table we take ip acl rules table for example 612

In the policy section enable or disable the qos remark feature for the matched packets with this option enabled configure the related parameters and the remarked values will take effect in the qos processing on the switch 612

The rules in an acl are listed in ascending order of their rule ids the switch matches a received packet with the rules in order when a packet matches a rule the switch stops the match process and performs the action defined in the rule 612

Viewing the acl rules 612

Configuring acl binding 613

Configuring acl 614

Configuring time range 614

Using the cli 614

Combined access list 2600 name acl_2600 620

Ipv6 acl 620

Rule 1 permit logging disable vid 2 sip 192 68 00 sip mask 255 55 55 55 620

Switch config access list combined 1100 logging disable rule 1 permit vid 2 sip 192 68 00 sip mask 255 55 55 55 620

Switch config access list create 1100 620

Switch config end 620

Switch config show access list 2600 620

Switch configure 620

Switch copy running config startup config 620

The following example shows how to create combined acl 1100 and configure rule 1 to deny packets with source ip address 192 68 00 in vlan 2 620

Resequencing rules 622

Configuring policy 623

Follow the steps below to configure the policy actions for an acl rule 623

Policy allows you to further process the matched packets through operations such as mirroring rate limiting redirecting or changing priority 623

Rule 11 permit logging disable vid 18 623

Rule 21 permit logging disable dmac aa cc ee ff dd 33 dmask ff ff ff ff ff ff 623

Switch config end 623

Switch copy running config startup config 623

Redirect the matched packets to port 1 0 4 for rule 1 of mac acl 10 624

Switch config access list action 10 rule 1 624

Switch config action exit 624

Switch config action redirect interface gigabitethernet 1 0 4 624

Switch config show access list 10 624

Switch configure 624

Configuring acl binding 625

Follow the steps below to bind acl to a port or a vlan 625

Mac access list 10 name acl_10 625

Rule 5 permit logging disable action redirect gi1 0 4 625

Sswitch config show access list bind 625

Switch config access list bind 1 interface vlan 4 gigabitethernet 1 0 3 625

Switch config end 625

Switch configure 625

Switch copy running config startup config 625

The following example shows how to bind acl 1 to port 3 and vlan 4 625

You can bind the acl to a port or a vlan the received packets on the port or in the vlan will then be matched and processed according to the acl rules an acl takes effect only after it is bound to a port or vlan 625

Acl id acl name interface vid direction type 626

Acl_1 4 ingress vlan 626

Acl_1 gi1 0 3 ingress port 626

Switch config end 626

Switch copy running config startup config 626

Viewing acl counting 626

You can use the following command to view the number of matched packets of each acl in the privileged exec mode and any other configuration mode 626

Configuration example for acl 627

Configuration scheme 627

Network requirements 627

Using the gui 628

Configure rule 1 to permit packets with the source ip address 10 0 0 24 and destination ip address 10 0 0 24 629

In the same way configure rule 2 and rule 3 to permit packets with source ip 10 0 0 and destination port tcp 80 http service port and tcp 443 https service port 629

In the same way configure rule 4 and rule 5 to permit packets with source ip 10 0 0 and with destination port tcp 53 or udp 53 dns service port 632

In the same way configure rule 6 to deny packets with source ip 10 0 0 633

Using the cli 634

Verify the configurations 635

Appendix default parameters 636

The default settings of acl are listed in the following tables 636

Chapters 638

Configuring ipv4 impb 638

Part 20 638

Arp detection 639

Ip mac binding 639

Ipv4 impb 639

Ipv4 source guard 639

Overview 639

Supported features 639

Binding entries manually 640

Ip mac binding configuration 640

Using the gui 640

Binding entries via arp scanning 641

Click apply 641

Enter or select the port that is connected to this host 641

Enter the following information to specify a host 641

Select protect type for the entry 641

With arp scanning the switch sends the arp request packets of the specified ip field to the hosts upon receiving the arp reply packet the switch can get the ip address mac address vlan id and the connected port number of the host you can bind these entries conveniently 641

Arp scanning to load the following page 642

Follow these steps to configure ip mac binding via arp scanning 642

In the scanning option section specify an ip address range and a vlan id then click scan to scan the entries in the specified ip address range and vlan 642

In the scanning result section select one or more entries and configure the relevant parameters then click bind 642

Binding entries via dhcp snooping 643

With dhcp snooping enabled the switch can monitor the ip address obtaining process of the host and record the ip address mac address vlan id and the connected port number of the host 643

Additionally you select one or more entries to edit the host name and protect type and click apply 645

Binding table to load the following page 645

Binding table to view or edit the entries 645

In the binding table you can view search and edit the specified binding entries 645

Viewing the binding entries 645

You can specify the search criteria to search your desired entries 645

Binding entries manually 646

Binding entries via arp scanning is not supported by the cli the following sections introduce how to bind entries manually and via dhcp snooping and view the binding entries 646

Follow these steps to manually bind entries 646

Using the cli 646

You can manually bind the ip address mac address vlan id and the port number together on the condition that you have got the detailed information of the hosts 646

Here arp d for arp detection and ip v s for ip verify source 647

Host1 192 68 5 74 d4 35 76 a4 d8 10 gi1 0 5 arp d manual 647

Notice 647

Switch config end 647

Switch config ip source binding host1 192 68 5 74 d4 35 76 a4 d8 vlan 10 interface gigabitethernet 1 0 5 arp detection 647

Switch config show ip source binding 647

Switch configure 647

Switch copy running config startup config 647

The following example shows how to bind an entry with the hostname host1 ip address 192 68 5 mac address 74 d4 35 76 a4 d8 vlan id 10 port number 1 0 5 and enable this entry for the arp detection feature 647

U host ip addr mac addr vid port acl source 647

Binding entries via dhcp snooping 648

Follow these steps to bind entries via dhcp snooping 648

Global status enable 648

Switch config if ip dhcp snooping max entries 100 648

Switch config if show ip dhcp snooping 648

Switch config interface gigabitethernet 1 0 1 648

Switch config ip dhcp snooping 648

Switch config ip dhcp snooping vlan 5 648

Switch configure 648

The following example shows how to enable dhcp snooping globally and on vlan 5 and set the maximum number of binding entries port 1 0 1 can learn via dhcp snooping as 100 648

Viewing binding entries 649

Adding ip mac binding entries 650

Arp detection configuration 650

Enabling arp detection 650

Using the gui 650

Configuring arp detection on ports 651

In the vlan config section enable arp detection on the selected vlans click apply 651

Port config to load the following page 651

Arp statistics to load the following page 652

Click apply 652

Follow these steps to configure arp detection on ports 652

Select one or more ports and configure the parameters 652

Viewing arp statistics 652

You can view the number of the illegal arp packets received on each port which facilitates you to locate the network malfunction and take the related protection measures 652

Adding ip mac binding entries 653

Enabling arp detection 653

Follow these steps to enable arp detection 653

In arp detection the switch detects the arp packets based on the binding entries in the ip mac binding table so before configuring arp detection you need to complete ip mac binding configuration for details refer to ip mac binding configuration 653

In the auto refresh section you can enable the auto refresh feature and specify the refresh interval and thus the web page will be automatically refreshed 653

In the illegal arp packet section you can view the number of illegal arp packets in each vlan 653

Using the cli 653

Configuring arp detection on ports 654

Switch config if ip arp inspection limit rate 20 655

Switch config if ip arp inspection trust 655

Switch config interface gigabitethernet 1 0 2 655

Switch configure 655

The following example shows how to set port 1 02 as a trusted port and set limit rate as 20 pps and burst interval as 2 seconds on port 1 0 2 655

Viewing arp statistics 656

Adding ip mac binding entries 657

Configuring ipv4 source guard 657

Ipv4 source guard configuration 657

Using the gui 657

Adding ip mac binding entries 658

Configuring ipv4 source guard 658

Follow these steps to configure ipv4 source guard 658

In ipv4 source guard the switch filters the packets that do not match the rules of ipv4 mac binding table so before configuring arp detection you need to complete ip mac binding configuration for details refer to ip mac binding configuration 658

In the global config section choose whether to enable the log feature click apply 658

In the port config section configure the protect type for ports and click apply 658

Using the cli 658

Gi1 0 1 sip mac n a 659

Port security type lag 659

Switch config if end 659

Switch config if ip verify source sip mac 659

Switch config if show ip verify source interface gigabitethernet 1 0 1 659

Switch config interface gigabitethernet 1 0 1 659

Switch configure 659

Switch copy running config startup config 659

The following example shows how to enable ipv4 source guard on port 1 0 1 659

Configuration examples 660

Configuration scheme 660

Example for arp detection 660

Network requirements 660

Using the gui 661

Using the cli 663

Verify the configuration 664

Configuration scheme 665

Example for ip source guard 665

Network requirements 665

Using the gui 665

Using the cli 667

Verify the configuration 667

Appendix default parameters 668

Default settings of arp detection are listed in the following table 668

Default settings of dhcp snooping are listed in the following table 668

Default settings of ipv4 source guard are listed in the following table 669

Chapters 670

Configuring ipv6 impb 670

Part 21 670

Ipv6 impb 671

Ipv6 mac binding 671

Nd detection 671

Overview 671

Supported features 671

Internet 672

Ipv6 source guard 672

Ipv6 source guard is used to filter the ipv6 packets based on the ipv6 mac binding table only the packets that match the binding rules are forwarded 672

Binding entries manually 673

Ipv6 mac binding configuration 673

Using the gui 673

Binding entries via nd snooping 674

Click apply 674

Enter or select the port that is connected to this host 674

Enter the following information to specify a host 674

Select protect type for the entry 674

With nd snooping the switch monitors the nd packets and records the ipv6 addresses mac addresses vlan ids and the connected port numbers of the ipv6 hosts you can bind these entries conveniently 674

Binding entries via dhcpv6 snooping 676

Binding table to view or edit the entries 676

With dhcpv6 snooping enabled the switch can monitor the ip address obtaining process of the host and record the ipv6 address mac address vlan id and the connected port number of the host 676

Additionally you select one or more entries to edit the host name and protect type and click apply 678

Binding table to load the following page 678

Binding table to view or edit the entries 678

In the binding table you can view search and edit the specified binding entries 678

Viewing the binding entries 678

You can specify the search criteria to search your desired entries 678

Binding entries manually 679

Follow these steps to manually bind entries 679

The following sections introduce how to bind entries manually and via nd snooping and dhcp snooping and how to view the binding entries 679

Using the cli 679

You can manually bind the ipv6 address mac address vlan id and the port number together on the condition that you have got the detailed information of the hosts 679

Host1 2001 0 9d38 90d5 34 aa bb cc dd ee ff 10 gi1 0 5 nd d manual 680

Switch config end 680

Switch config ipv6 source binding host1 2001 0 9d38 90d5 34 aa bb cc dd ee ff vlan 10 interface gigabitethernet 1 0 5 nd detection 680

Switch config show ipv6 source binding 680

Switch configure 680

Switch copy running config startup config 680

The following example shows how to bind an entry with the hostname host1 ipv6 address 2001 0 9d38 90d5 34 mac address aa bb cc dd ee ff vlan id 10 port number 1 0 5 and enable this entry for nd detection 680

U host ip addr mac addr vid port acl source 680

Binding entries via nd snooping 681

Follow these steps to bind entries via nd snooping 681

Global status enable 681

Switch config ipv6 nd snooping 681

Switch config ipv6 nd snooping vlan 1 681

Switch config show ipv6 nd snooping 681

Switch configure 681

The following example shows how to enable nd snooping globally and on vlan 1 681

Vlan id 1 681

Binding entries via dhcpv6 snooping 682

Follow these steps to bind entries via dhcp snooping 682

Gi1 0 1 1000 n a 682

Interface max entries lag 682

Switch config end 682

Switch config if end 682

Switch config if ipv6 nd snooping max entries 1000 682

Switch config if show ipv6 nd snooping interface gigabitethernet 1 0 1 682

Switch config interface gigabitethernet 1 0 1 682

Switch configure 682

Switch copy running config startup config 682

The following example shows how to configure the maximum number of entries that can be learned on port 1 0 1 682

Viewing binding entries 683

Adding ipv6 mac binding entries 684

Enabling nd detection 684

Nd detection configuration 684

Using the gui 684

Click apply 685

Configuring nd detection on ports 685

Follow these steps to configure nd detection on ports 685

In the vlan config section enable nd detection on the selected vlans click apply 685

Port config to load the following page 685

Select one or more ports and configure the parameters 685

Adding ipv6 mac binding entries 686

Enabling nd detection 686

Using the cli 686

Viewing nd statistics 686

Enable disable 687

Global status enable 687

Switch config end 687

Switch config ipv6 nd detection 687

Switch config ipv6 nd detection vlan 1 687

Switch config show ipv6 nd detection 687

Switch config show ipv6 nd detection vlan 687

Switch configure 687

Switch copy running config startup config 687

The following example shows how to enable nd detection globally and on vlan 1 687

Vid enable status log status 687

Configuring nd detection on ports 688

Follow these steps to configure nd detection on ports 688

Gi1 0 1 enable n a 688

Interface trusted lag 688

On privileged exec mode or any other configuration mode you can use the following command to view nd statistics 688

Switch config if end 688

Switch config if ipv6 nd detection trust 688

Switch config if show ipv6 nd detection interface gigabitethernet 1 0 1 688

Switch config interface gigabitethernet 1 0 1 688

Switch configure 688

Switch copy running config startup config 688

The following example shows how to configure port 1 0 1 as trusted port 688

Viewing nd statistics 688

Adding ipv6 mac binding entries 690

Configuring ipv6 source guard 690

Ipv6 source guard configuration 690

Using the gui 690

Adding ipv6 mac binding entries 691

Before configuring ipv6 source guard you need to configure the sdm template as enterprisev6 691

Click apply 691

Configuring ipv6 source guard 691

Follow these steps to configure ipv6 source guard 691

Select one or more ports and configure the protect type for ports 691

The nd detection feature allows the switch to detect the nd packets based on the binding entries in the ipv6 mac binding table and filter out the illegal nd packets before configuring nd detection complete ipv6 mac binding configuration for details refer to ipv6 mac binding configuration 691

Using the cli 691

Gi1 0 1 sipv6 mac n a 692

Port security type lag 692

Switch config if end 692

Switch config if ipv6 verify source sipv6 mac 692

Switch config if show ipv6 verify source interface gigabitethernet 1 0 1 692

Switch config interface gigabitethernet 1 0 1 692

Switch configure 692

Switch copy running config startup config 692

The following example shows how to enable ipv6 source guard on port 1 0 1 692

Configuration examples 693

Configuration scheme 693

Example for nd detection 693

Network requirements 693

Using the gui 694

Using the cli 696

Verify the configuration 696

Configuration scheme 698

Example for ipv6 source guard 698

Network requirements 698

Using the gui 698

Using the cli 700

Verify the configuration 700

Appendix default parameters 701

Default settings of dhcp snooping are listed in the following table 701

Default settings of nd detection are listed in the following table 701

Default settings of ipv6 source guard are listed in the following table 702

Chapters 703

Configuring dhcp filter 703

Part 22 703

Dhcp filter 704

Overview 704

Supported features 704

Dhcpv4 filter 705

Dhcpv4 filter is used for dhcpv4 servers and ipv4 clients 705

Dhcpv6 filter 705

Dhcpv6 filter is used for dhcpv6 servers and ipv6 clients 705

Configuring the basic dhcpv4 filter parameters 706

Dhcpv4 filter configuration 706

Using the gui 706

Click apply 707

Click create 708

Configure the following parameters 708

Configuring legal dhcpv4 servers 708

Configuring the basic dhcpv4 filter parameters 708

Follow these steps to add a legal dhcpv4 server 708

Follow these steps to complete the basic settings of dhcpv4 filter 708

Legal dhcpv4 servers and 708

To load the following page 708

Using the cli 708

The following example shows how to enable dhcpv4 filter globally and how to enable dhcpv4 filter enable the mac verify feature set the limit rate as 10 pps and set the decline rate as 20 pps on port 1 0 1 709

Configuring legal dhcpv4 servers 710

Follow these steps configure legal dhcpv4 servers 710

Gi1 0 1 enable enable 10 20 n a 710

Global status enable 710

Interface state mac verify limit rate dec rate lag 710

Switch config if end 710

Switch config if ip dhcp filter 710

Switch config if ip dhcp filter decline rate 20 710

Switch config if ip dhcp filter limit rate 10 710

Switch config if ip dhcp filter mac verify 710

Switch config if show ip dhcp filter 710

Switch config if show ip dhcp filter interface gigabitethernet 1 0 1 710

Switch config interface gigabitethernet 1 0 1 710

Switch config ip dhcp filter 710

Switch configure 710

Switch copy running config startup config 710

Configuring the basic dhcpv6 filter parameters 712

Dhcpv6 filter configuration 712

Using the gui 712

Click apply 713

Configure the following parameters 713

Configuring legal dhcpv6 servers 713

Follow these steps to add a legal dhcpv6 server 713

Legal dhcpv6 servers and 713

To load the following page 713

Click create 714

Configuring the basic dhcpv6 filter parameters 714

Follow these steps to complete the basic settings of dhcpv6 filter 714

Using the cli 714

Configuring legal dhcpv6 servers 715

54 gi1 0 1 716

Server ip interface 716

Switch config end 716

Switch config ipv6 dhcp filter server permit entry server ip 2001 54 interface gigabitethernet 1 0 1 716

Switch config show ipv6 dhcp filter server permit entry 716

Switch configure 716

Switch copy running config startup config 716

The following example shows how to create an entry for the legal dhcpv6 server whose ipv6 address is 2001 54 and connected port number is 1 0 1 716

Configuration examples 717

Configuration scheme 717

Example for dhcpv4 filter 717

Network requirements 717

Using the gui 718

Using the cli 719

Example for dhcpv6 filter 720

Network requirements 720

Verify the configuration 720

Configuration scheme 721

Using the gui 721

Using the cli 723

Verify the configuration 723

Appendix default parameters 725

Default settings of dhcpv4 filter are listed in the following table 725

Chapters 726

Configuring dos defend 726

Part 23 726

Overview 727

Dos defend configuration 728

Follow these steps to configure dos defend 728

In the dos defend config section select one or more defend types according to your needs and click apply the following table introduces each type of dos attack 728

In the dos defend section enable dos protection and click apply 728

Using the gui 728

Click apply 729

Follow these steps to configure dos defend 729

Using the cli 729

Appendix default parameters 732

Default settings of network security are listed in the following tables 732

Chapters 733

Monitoring the system 733

Part 24 733

Overview 734

Monitoring the cpu 735

Using the cli 735

Using the gui 735

Monitoring the memory 737

Using the cli 737

Using the gui 737

Unit current memory utilization 738

Traffic monitor 740

Using the gui 740

To view a port s traffic statistics in detail click statistics on the right side of the entry 741

On privileged exec mode or any other configuration mode you can use the following command to view the traffic information of each port or lag 744

Using the cli 744

Appendix default parameters 745

Chapters 746

Mirroring traffic 746

Part 26 746

Mirroring 747

Using the gui 747

Follow these steps to configure the mirroring session 748

In the destination port config section specify a destination port for the mirroring session and click apply 748

In the source interfaces config section specify the source interfaces and click apply traffic passing through the source interfaces will be mirrored to the destination port there are three source interface types port lag and cpu choose one or more types according to your need 748

Follow these steps to configure mirroring 749

Switch config monitor session 1 destination interface gigabitethernet 1 0 10 749

Switch configure 749

The following example shows how to copy the received and transmitted packets on port 1 0 1 2 3 and the cpu to port 1 0 10 749

Using the cli 749

Configuration examples 751

Configuration scheme 751

Network requirements 751

Using the gui 751

Using the cli 752

Verify the configuration 753

Appendix default parameters 754

Default settings of switching are listed in th following tables 754

Chapters 755

Configuring dldp 755

Part 27 755

Overview 756

Configuration guidelines 757

Dldp configuration 757

Using the gui 757

In the port config section select one or more ports enable dldp and click apply then you can view the relevant dldp information in the table 758

Follow these steps to configure dldp 759

Switch configure 759

The following example shows how to enable dldp globally configure the dldp interval as 10 seconds and specify the shutdown mode as auto 759

Using the cli 759

Appendix default parameters 761

Default settings of dldp are listed in the following table 761

Chapters 762

Configuring snmp rmon 762

Part 28 762

Basic concepts 763

Overview 763

Snmp agent 763

Snmp manager 763

A mib is a collection of managed objects that is organized hierarchically the objects define the attributes of the managed device including the names status access rights and data types each object can be addressed through an object identifier oid 764

Also tp link switches support the following public mibs 764

As the following figure shows the mib hierarchy can be depicted as a tree with a nameless root the levels of which are assigned by different organizations the top level mib object ids belong to different standards organizations while lower level object ids are allocated by associated organizations vendors can define private branches that include managed objects for their own products 764

Lldp ext dot1 mib 764

Lldp ext med mib 764

Lldp mib 764

Rfc1213 mib 764

Rfc1493 bridge mib 764

Rfc1757 rmon mib 764

Rfc2618 radius auth client mib 764

Tp link switches provide private mibs that can be identified by the oid 1 1863 the mib file can be found on the provided cd or the download center of our official website http www tp link com en download center html 764

An snmp engine can be uniquely identified by an engine id within an administrative domain since there is a one to one association between snmp engines and snmp entities we can also use the engine id to uniquely and unambiguously identify the snmp entity within that administrative domain 765

An snmp engine is a part of the snmp entity every snmp entity has one and only one engine an snmp engine provides services for ending and receiving messages authenticating and encrypting messages and controlling access to managed objects 765

An snmp entity is a device running the snmp protocol both the snmp manager and snmp agent are snmp entities 765

For detail information about the supported public mibs see supported public mibs for tp link switches which can be found on the training center of our website 765

Http www tp link com en configuration guides html 765

Rfc2620 radius acc client mib 765

Rfc2674 pbridge mib 765

Rfc2674 qbridge mib 765

Rfc2863 pbridge mib 765

Rfc2925 disman ping mib 765

Rfc2925 disman traceroute mib 765

Snmp engine 765

Snmp entity 765

Snmp version 765

The device supports three snmp versions snmpv1 snmpv2c and snmpv3 table 1 2 lists features supported by different snmp versions and table 1 3 shows corresponding application scenarios 765

Enabling snmp 767

Snmp configurations 767

Using the gui 767

Click apply 768

Creating an snmp view 768

Follow these steps to create an snmp view 768

Global config to load the following page 768

Nms manages mib objects based on the snmp view an snmp view is a subset of a mib the system provides a default view named viewdefault and you can create other snmp views according to your needs 768

To load the following page enter a view name and specify the view type and a mib object that is related to the view 768

Click create 769

Creating snmp communities for snmp v1 v2c 769

Set the community name access rights and the related view 769

Snmp v1 v2c and click 769

To load the following page 769

Assign a name to the group then set the security level and the read view write view and notify view 770

Click create 770

Create an snmp group and configure related parameters 770

Creating an snmp group for snmp v3 770

Follow these steps to create an snmp group 770

Snmp group and click 770

To load the following page 770

Click create 771

Creating snmp users for snmp v3 771

Follow these steps to create an snmp user 771

Snmp user and click 771

Specify the user name user type and the group which the user belongs to then configure the security level 771

To load the following page 771

Click create 772

Enabling snmp 772

If you have chosen authnopriv or authpriv as the security level you need to set corresponding authentication mode or privacy mode if not skip the step 772

Using the cli 772

Bad snmp version errors 773

Snmp agent is enabled 773

Snmp packets input 773

Switch config show snmp server 773

Switch config snmp server 773

Switch config snmp server engineid remote 123456789a 773

Switch configure 773

The following example shows how to enable snmp and set 123456789a as the remote engine id 773

Unknown community name 773

Bad value errors 774

Creating an snmp view 774

Encoding errors 774

General errors 774

Get next pdus 774

Get request pdus 774

Illegal operation for community name supplied 774

Local engine id 80002e5703000aeb13a23d 774

No such name errors 774

Number of altered variables 774

Number of requested variables 774

Remote engine id 123456789a 774

Response pdus 774

Set request pdus 774

Snmp packets output 774

Specify the oid object identifier of the view to determine objects to be managed 774

Switch config end 774

Switch config show snmp server engineid 774

Switch copy running config startup config 774

Too big errors maximum packet size 1500 774

Trap pdus 774

Creating snmp communities for snmp v1 v2c 775

Create an snmp group and set user access control with read write and notify views meanwhile set the authentication and privacy modes to secure the communication between the nms and managed devices 776

Creating an snmp group for snmpv3 776

Index name type mib view 776

Nms monitor read write view 776

Switch config end 776

Switch config show snmp server community 776

Switch config snmp server community nms monitor read write view 776

Switch configure 776

Switch copy running config startup config 776

The following example shows how to set an snmp community name the community as the nms monitor and allow the nms to view and modify parameters of view 776

1 nms1 v3 authpriv view1 view1 777

No name sec mode sec lev read view write view notify view 777

Switch config end 777

Switch config show snmp server group 777

Switch config snmp server group nms1 smode v3 slev authpriv read view1 notify view1 777

Switch configure 777

Switch copy running config startup config 777

The following example shows how to create an snmpv3 group with the group name as nms1 the security level as authpriv and the read and notify view are both view1 777

Configure users of the snmp group users belong to the group and use the same security level and access rights as the group 778

Creating snmp users for snmpv3 778

Configuring the information of nms hosts 780

Notification configurations 780

Using the gui 780

Choose a notification type based on the snmp version if you choose the inform type you need to set retry times and timeout interval 781

Click create 781

Specify the user name or community name used by the nms host and configure the security model and security level based on the settings of the user or community 781

Enabling snmp traps 782

Select the traps to enable according to your needs 782

The supported traps are listed on the page follow these steps to enable any or all of these traps 782

Trap config to load the following page 782

Click apply 783

Configure parameters of the nms host and packet handling mechanism 784

Configuring the nms host 784

Using the cli 784

Enabling snmp traps 785

Enabling the snmp extended traps globally 786

Switch config end 786

Switch config snmp server traps snmp linkup 786

Switch configure 786

Switch copy running config startup config 786

The following example shows how to configure the switch to send linkup traps 786

Switch config end 787

Switch config snmp server traps bandwidth control 787

Switch configure 787

Switch copy running config startup config 787

The following example shows how to configure the switch to enable bandwidth control traps 787

Enabling the snmp security traps globally 788

Enabling the vlan traps globally 788

Switch config end 788

Switch config snmp server traps vlan 788

Switch configure 788

Switch copy running config startup config 788

The following example shows how to configure the switch to enable all the snmp vlan traps 788

Enabling the acl trap globally 789

Enabling the ip traps globally 789

Switch config end 789

Switch config snmp server traps acl 789

Switch config snmp server traps security dhcp filter 789

Switch configure 789

Switch copy running config startup config 789

The following example shows how to configure the switch to enable acl trap 789

The following example shows how to configure the switch to enable dhcp filter trap 789

Enabling the snmp poe traps globally 790

Switch config end 790

Switch config snmp server traps ip change 790

Switch configure 790

Switch copy running config startup config 790

The following example shows how to configure the switch to enable ip change trap 790

Enabling the link status trap for ports 791

Switch config end 791

Switch config if end 791

Switch config if snmp server traps link status 791

Switch config interface gigabitethernet 1 0 1 791

Switch config snmp server traps power 791

Switch configure 791

Switch copy running config startup config 791

The following example shows how to configure the switch to enable all poe traps 791

The following example shows how to configure the switch to enable link status trap 791

Configuring statistics group 793

Rmon configurations 793

Using the gui 793

Click create 794

Configuring history group 794

Follow these steps to configure the history group 794

History to load the following page 794

Select a history entry and specify a port to be monitored 794

Set the sample interval and the maximum buckets of history entries 794

Choose an event entry and set the snmp user of the entry 795

Configuring event group 795

Enter the owner name and set the status of the entry click apply 795

Event to load the following page 795

Follow these steps to configure the event group 795

Set the description and action to be taken when the event is triggered 795

Alarm to load the following page 796

Before you begin please complete configurations of statistics entries and event entries because the alarm entries must be associated with statistics and event entries 796

Configuring alarm group 796

Enter the owner name and set the status of the entry click apply 796

Follow these steps to configure the alarm group 797

Select an alarm entry choose a variable to be monitored and associate the entry with a statistics entry 797

Set the sample type the rising and falling threshold the corresponding event action mode and the alarm type of the entry 797

Configuring statistics 798

Enter the owner name and set the status of the entry click apply 798

Using the cli 798

Gi1 0 1 monitor valid 799

Gi1 0 2 monitor valid 799

Index port owner state 799

Switch config end 799

Switch config rmon statistics 1 interface gigabitethernet 1 0 1 owner monitor status valid 799

Switch config rmon statistics 2 interface gigabitethernet 1 0 2 owner monitor status valid 799

Switch config show rmon statistics 799

Switch configure 799

Switch copy running config startup config 799

The following example shows how to create two statistics entries on the switch to monitor port 1 0 1 and 1 0 2 respectively the owner of the entries are both monitor and the status are both valid 799

Configuring history 800

Gi1 0 1 100 50 monitor enable 800

Index port interval buckets owner state 800

Switch config end 800

Switch config rmon history 1 interface gigabitethernet 1 0 1 interval 100 owner monitor buckets 50 800

Switch config show rmon history 800

Switch configure 800

The following example shows how to create a history entry on the switch to monitor port 1 0 1 set the sample interval as 100 seconds maximum buckets as 50 and the owner as monitor 800

Configuring event 801

Switch config rmon event 1 user admin description rising notify type notify owner monitor 801

Switch configure 801

Switch copy running config startup config 801

The following example shows how to create an event entry on the switch set the user name as admin the event type as notify set the switch to initiate notifications to the nms and the owner as monitor 801

Admin rising notify notify monitor enable 802

Configuring alarm 802

Index user description type owner state 802

Switch config end 802

Switch config show rmon event 802

Switch copy running config startup config 802

Configuration example 805

Network requirements 805

Configuration scheme 806

Using the gui 806

Using the cli 811

Verify the configurations 813

Appendix default parameters 817

Default settings of snmp are listed in the following tables 817

Default settings of notification are listed in the following table 818

Default settings of rmon are listed in the following tables 819

Chapters 821

Diagnosing the device network 821

Part 29 821

Diagnosing the device 822

Using the gui 822

Gi1 0 2 pair a normal 2 10m 823

On privileged exec mode or any other configuration mode you can use the following command to check the connection status of the cable that is connected to the switch 823

Pair b normal 2 10m 823

Pair c normal 0 10m 823

Pair d normal 2 10m 823

Port pair status length error 823

Switch show cable diagnostics interface gigabitehternet 1 0 2 823

The following example shows how to check the cable diagnostics of port 1 0 2 823

Using the cli 823

Diagnosing the network 824

Troubleshooting with ping testing 824

Using the gui 824

Troubleshooting with tracert testing 825

Approximate round trip times in milli seconds 826

Configuring the ping test 826

In the tracert result section check the test results 826

Minimum 0ms maximum 0ms average 0ms 826

On privileged exec mode you can use the following command to test the connectivity between the switch and one node of the network 826

Packets sent 3 received 3 lost 0 0 loss 826

Ping statistics for 192 68 0 826

Pinging 192 68 0 with 1000 bytes of data 826

Reply from 192 68 0 bytes 1000 time 16ms ttl 64 826

Switch ping ip 192 68 0 n 3 l 1000 i 500 826

The following example shows how to test the connectivity between the switch and the destination device with the ip address 192 68 0 specify the ping times as 3 the data size as 1000 bytes and the interval as 500 milliseconds 826

Using the cli 826

Configuring the tracert test 827

Ms 1 ms 2 ms 192 68 827

Ms 2 ms 2 ms 192 68 00 827

On privileged exec mode you can use the following command to test the connectivity between the switch and routers along the path from the source to the destination 827

Switch tracert 192 68 00 2 827

The following example shows how to test the connectivity between the switch and the network device with the ip address 192 68 00 set the maxhops as 2 827

Trace complete 827

Tracing route to 192 68 00 over a maximum of 2 hops 827

Appendix default parameters 828

Default settings of network diagnostics are listed in the following tables 828

Chapters 829

Configuring system logs 829

Part 30 829

Overview 830

Backing up the logs 831

Configuration guidelines 831

Configure the local logs 831

Configure the remote logs 831

Logs are classified into the following eight levels messages of levels 0 to 4 mean the functionality of the switch is affected please take actions according to the log message 831

System logs configurations 831

System logs configurations include 831

Viewing the log table 831

Click apply 832

Configuring the local logs 832

Configuring the remote logs 832

Follow these steps to configure the local logs 832

Local logs to load the following page 832

Select your desired channel and configure the corresponding severity and status 832

Using the gui 832

You can configure up to four hosts to receive the switch s system logs these hosts are called log servers the switch will forward the log message to the servers once a log 832

Backing up the logs 833

Log table to load the following page 834

Select a module and a severity to view the corresponding log information 834

Viewing the log table 834

Configuring the local logs 835

Follow these steps to configure the local logs 835

Using the cli 835

Configuring the remote logs 836

6 disable 837

68 48 5 enable 837

Index host ip severity status 837

Switch config end 837

Switch config logging host index 2 192 68 48 5 837

Switch config show logging loghost 837

Switch configure 837

Switch copy running config startup config 837

The following example shows how to set the remote log on the switch enable log server 2 set its ip address as 192 68 48 and allow logs of levels 0 to 5 to be sent to the server 837

Configuration example 838

Configuration scheme 838

Network requirements 838

Using the gui 838

Using the cli 839

Verify the configurations 839

Appendix default parameters 840

Default settings of maintenance are listed in the following tables 840

Ce mark warning 841

Eu declaration of conformity 841

Fcc statement 841

Industry canada statement 841

Bsmi notice 842

Korea warning statements 842

限用物質含有情況標示聲明書 842

Do not attempt to disassemble repair or modify the device 843

Do not use damaged charger or usb cable to charge the device 843

Explanation of the symbols on the product label 843

Keep the device away from water fire humidity or hot environments 843

Please read and follow the above safety information when operating the device we cannot guarantee that no accidents or damage will occur due to improper use of the device please use this product with care and operate at your own risk 843

Safety information 843

Copyright trademarks 844

Tp-Link T1500G-10PS V2 Руководство пользователя онлайн

Содержание

Похожие устройства