Configuration Guide JetStream 12-Port 10GBase-T Smart Switch with 4 10G SFP+ Slots T1700X-16TS 1910011973 REV2.0.
FCC STATEMENT This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.
• Do not place this product near a heat source. Do not put it in an enclosed space unless there is normal ventilation.
• Do not open the casing or attempt to repair this product yourself; have this work done by an authorized professional.
This is Class A information technology equipment. When used in a residential environment it may cause radio frequency interference, in which case the user may be required to take appropriate measures.
The product is certified under the rules of the UkrSEPRO system for compliance with the requirements of the normative documents and the requirements laid down by the current legislative acts of Ukraine.
CONTENTS
About This Guide
  Intended Readers ... 1
  Conventions ... 1
  More Information
  Setting the System Time ... 31
  Setting the Daylight Saving Time ... 33
  User Management Configurations
  Enabling the Telnet Function ... 67
  SDM Template Configuration ... 68
  Using the GUI
  Network Requirements ... 100
  Configuration Scheme ... 101
  Using the GUI
  Using the GUI ... 132
  Adding Static MAC Address Entries ... 132
  Modifying the Aging Time of Dynamic Address Entries
  Using the GUI ... 160
  Using the CLI ... 162
  Appendix: Default Parameters
  Using the CLI ... 195
  Appendix: Default Parameters ... 199
Configuring Private VLAN
  Overview
  Enabling STP/RSTP Globally ... 235
  MSTP Configurations ... 237
  Using the GUI
  Configuring IGMP Snooping Last Listener Query ... 289
  Verifying IGMP Snooping Status ... 289
  Configuring the Port's Basic IGMP Snooping Features ... 290
  Enabling IGMP Snooping on the Port
  Configuring Report Message Suppression ... 304
  Configuring Unknown Multicast ... 305
  Configuring IGMP Snooping Parameters on the Port ... 306
  Configuring Router Port Time and Member Port Time
  Configuring MLD Snooping in the VLAN ... 329
  Configuring MLD Snooping Globally in the VLAN ... 329
  (Optional) Configuring the Static Router Ports in the VLAN ... 330
  (Optional) Configuring the Forbidden Router Ports in the VLAN
  Configuring Router Port Time and Member Port Time ... 347
  Configuring Static Router Port ... 348
  Configuring Forbidden Router Port ... 349
  Configuring Static Multicast (Multicast IP and Forward Port)
  Using the CLI ... 381
  Example for Configuring Multicast Filtering ... 382
  Network Requirements
  Using the CLI ... 418
  Viewing IPv4 Routing Table ... 418
  Viewing IPv6 Routing Table
Configuring QoS
  QoS ... 445
  Overview ... 445
  Supported Features
  Configuring Voice VLAN Mode on Ports ... 489
  Using the CLI ... 490
  Configuration Example
  Using the GUI ... 544
  Binding Entries Manually ... 544
  Binding Entries Dynamically
  Using the GUI ... 585
  Globally Enabling AAA ... 585
  Adding Servers
  LLDP Configurations ... 626
  Using the GUI ... 626
  Global Config
Configuring Maintenance
  Maintenance ... 669
  Overview ... 669
  Supported Features
Configuring SNMP & RMON
  SNMP Overview ... 690
  SNMP Configurations ... 691
  Using the GUI
  Using the CLI ... 730
  Appendix: Default Parameters
About This Guide

This Configuration Guide provides information for managing T1700X Series Switches. Please read this guide carefully before operation.

Intended Readers
This Guide is intended for network managers familiar with IT concepts and network terminology.

Conventions
When using this guide, please note that features of the switch may vary slightly depending on the model and software version you have.

[ ]  Items in square brackets [ ] are optional.
{ | }  Alternative items are grouped in braces and separated by vertical bars |. For example: speed {10 | 100 | 1000 | 10000}
Italic font  A variable (an actual value must be assigned). For example: bridge aging-time aging-time
{[ ][ ][ ]}  Common combination: at least one item in the square brackets must be selected.

More Information
Part 1 Accessing the Switch
CHAPTERS
1. Overview
2. Web Interface Access
3.
1 Overview
You can access and manage the switch using the GUI (Graphical User Interface, also called the web interface in this text) or the CLI (Command Line Interface). The web interface and the command line interface offer equivalent functions, while web configuration is easier and more visual than CLI configuration. You can choose the method according to your available applications and preference.

2 Web Interface Access
You can access the switch's web interface through web-based authentication. The switch uses two built-in web servers, an HTTP server and an HTTPS server, for user authentication. The following example shows how to log in via the HTTP server.

2.1 Login
To manage your switch through a web browser on the host PC:
1) Make sure that the route between the host PC and the switch is available.
2) Launch a web browser.

Figure 2-3 Web interface

2.2 Save Config Function
The switch's configuration files fall into two types: the running configuration file and the start-up configuration file. After you perform configurations on the sub-interfaces and click Apply, the modifications are saved in the running configuration file. These configurations are lost when the switch reboots.

Figure 2-4 Save Config

2.3 Disable the Web Server
You can shut down the HTTP server or the HTTPS server to block any access to the web interface. Go to System > Access Security > HTTP Config, disable the HTTP server and click Apply.

Go to System > Access Security > HTTPS Config, disable the HTTPS server and click Apply.

Figure 2-6 Disable the HTTPS Server

2.4 Configure the Switch's IP Address and Default Gateway
If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN to which the access port belongs.

2) Choose the IP Address Mode as Static. Enter the new access address in the IP Address field and click Apply. Make sure that the route between the host PC and the switch's new IP address is available.

Figure 2-8 Specify the IP address

3) Enter the new IP address in the web browser to access the switch.
4) Click Save Config to save the settings.

Configure the Default Gateway
The following example shows how to configure the switch's gateway.

Subnet Mask: Specify the subnet mask as 255.255.255.0.
Next Hop: Configure your desired default gateway as the next hop's IP address.
Distance: Specify the distance as 1.
2) Click Save Config to save the settings.
3) Check the routing table to verify the default gateway you configured. The entry marked with a red box displays the valid default gateway.
3 Command Line Interface Access
Users can access the switch's command line interface through the console (only for switches with a console port), a Telnet connection or an SSH connection, and manage the switch with command lines. A console connection requires the host PC to connect directly to the switch's console port, while Telnet and SSH connections support both local and remote access. The following table shows the typical applications used for CLI access.

Figure 3-1 CLI Main Window

4) Enter enable to enter the User EXEC Mode to further configure the switch.

Figure 3-2 User EXEC Mode

Note: In Windows XP, go to Start > All Programs > Accessories > Communications > Hyper Terminal to open the Hyper Terminal and configure the above settings to log in to the switch.

3.2 Telnet Login
The switch supports Login Local Mode for authentication by default.
Login Local Mode: Username and password are required, which are both admin by default.
The following steps show how to manage the switch via the Login Local Mode:
1) Make sure the switch and the PC are in the same LAN (Local Area Network). Click Start, type cmd in the Search bar and press Enter.

Figure 3-3 Open the cmd Window

2) Type in telnet 192.168.0.

Figure 3-6 Enter Privileged EXEC Mode

Now you can manage your switch with CLI commands through the Telnet connection.

3.3 SSH Login
SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs:
Password Authentication Mode: Username and password are required, which are both admin by default.

Figure 3-8 Configurations in PuTTY

2) Enter the login username and password to log in to the switch, and you can continue to configure the switch.

Figure 3-9 Log In to the Switch

Key Authentication Mode
1) Open the PuTTY Key Generator. In the Parameters section, select the key type and enter the key length. In the Actions section, click Generate to generate a public/private key pair.

Figure 3-10 Generate a Public/Private Key Pair

Note:
• The key length should be between 512 and 3072 bits.
• You can accelerate the key generation process by moving the mouse quickly and randomly in the Key section.

2) After the keys are successfully generated, click Save public key to save the public key to a TFTP server; click Save private key to save the private key to the host PC.

3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure:

Figure 3-12 Download the Public Key to the Switch

Note:
• The key type should match the type of the key file. In the above CLI, v1 corresponds to SSH-1 (RSA), and v2 corresponds to SSH-2 RSA and SSH-2 DSA.
• The key downloading process cannot be interrupted.
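Before the public key file is placed on the TFTP server and downloaded to the switch, it is worth confirming that the key length actually falls inside the 512 to 3072 bit range given in the note above, since that is the range the switch accepts. The following Python script is an added example written for this guide, not TP-Link code: it parses the SSH2 public key block that PuTTYgen's Save public key writes (and the one-line OpenSSH form), reports the key type and modulus length, and checks it against the limit. The sample key it builds is a constructed number of the right size, not a real key pair, and exists only to exercise the parser.

```python
import base64
import struct

# Key-length limits stated in the guide for keys generated with PuTTYgen.
KEY_MIN_BITS = 512
KEY_MAX_BITS = 3072


def _read_string(blob, offset):
    """Read one SSH wire-format string (4-byte big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_ssh_public_key(text):
    """Return (key_type, bit_length) for a public key file.

    Accepts the RFC 4716 block that PuTTYgen writes
    ("---- BEGIN SSH2 PUBLIC KEY ----") and the one-line OpenSSH form.
    """
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        # Header lines such as "Comment: ..." contain a colon; base64 never does.
        b64 = "".join(line for line in lines[1:-1] if ":" not in line)
    else:
        b64 = lines[0].split()[1]
    blob = base64.b64decode(b64)
    key_type, offset = _read_string(blob, 0)
    key_type = key_type.decode("ascii")
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)   # e
        modulus, _ = _read_string(blob, offset)          # n
        return key_type, int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-dss":
        prime, _ = _read_string(blob, offset)            # p
        return key_type, int.from_bytes(prime, "big").bit_length()
    raise ValueError("unsupported key type: " + key_type)


def key_length_ok(bits):
    """True when the key size is inside the range the switch accepts."""
    return KEY_MIN_BITS <= bits <= KEY_MAX_BITS


# --- constructed sample data (not a real key pair) -------------------------

def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # keep the number positive in two's complement
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _string(data):
    return struct.pack(">I", len(data)) + data


def make_sample_rsa_key(bits, rfc4716=True):
    """Build a syntactically valid ssh-rsa public key whose modulus has
    exactly `bits` bits. The modulus is a constructed number, not a
    product of two primes, so it only serves to exercise the parser."""
    modulus = (1 << (bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    b64 = base64.b64encode(blob).decode("ascii")
    if not rfc4716:
        return "ssh-rsa " + b64 + " sample@host\n"
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            "Comment: \"rsa-key-sample\"\n" + body + "\n"
            "---- END SSH2 PUBLIC KEY ----\n")


if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        key_type, bits = parse_ssh_public_key(make_sample_rsa_key(size))
        verdict = "accepted" if key_length_ok(bits) else "outside 512-3072 limit"
        print(key_type, bits, verdict)
```

To check a real file, pass the contents of the saved public key to parse_ssh_public_key; a key whose reported length is outside the range should be regenerated in PuTTYgen before it is transferred to the switch.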
Figure 3-14 Download the Private Key to PuTTY

6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication has completed successfully.

Figure 3-15 Log In to the Switch

3.4 Disable Telnet Login
You can shut down the Telnet function to block any Telnet access to the CLI.
Using the CLI:
Switch#configure
Switch(config)#telnet disable

3.5 Disable SSH Login
You can shut down the SSH server to block any SSH access to the CLI.
Using the GUI: Go to System > Access Security > SSH Config, disable the SSH server and click Apply.

Figure 3-17 Shut down SSH server

Using the CLI:
Switch#configure
Switch(config)#no ip ssh server

3.

3.7 Change the Switch's IP Address and Default Gateway
If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN to which the access port belongs.

Change the IP Address
By default, all the ports belong to VLAN 1 with the VLAN interface IP 192.168.0.1/24.
Part 2 Managing System
CHAPTERS
1. System
2. System Info Configurations
3. User Management Configurations
4. System Tools Configurations
5. Access Security Configurations
6. SDM Template Configuration
7.
1 System
1.1 Overview
The System module is mainly used to configure and view the system information of the switch. It provides controls over the types of access users and over access security.

1.2 Supported Features
System Info
System Info is mainly used for basic property configuration. You can view the switch's port status and system information, and configure the device description, system time and daylight saving time.

SSH Config
The SSH Config function is based on the SSH protocol, a security protocol established on the application and transport layers. Its function is similar to a Telnet connection, but SSH can provide information security and strong authentication.

SDM Template
The switch's SDM (Switch Database Management) templates prioritize system resources to optimize support for certain features.

2 System Info Configurations
With system information configurations, you can:
• View the system summary
• Specify the device description
• Set the system time
• Set the daylight saving time

2.1 Using the GUI
2.1.1 Viewing the System Summary
Choose the menu System > System Info > System Summary to load the following page.

Figure 2-1 Viewing the System Summary

Port Status Indication (one port icon per line)
• Indicates that the corresponding 10Gbps port is not connected to a device.
• Indicates that the corresponding 10Gbps port is at the speed of 100Mbps or 1000Mbps.
• Indicates that the corresponding SFP+ port is not connected to a device.
• Indicates that the SFP+ port is at the speed of 10Gbps.
• Indicates that the SFP+ port is at the speed of 1000Mbps.
Move the cursor to the port to view the detailed information of the port.

Figure 2-2 Port Information

Port Information Indication
Port: Displays the port number of the switch.

2.1.2 Specifying the Device Description
Choose the menu System > System Info > Device Description to load the following page.

Figure 2-4 Specifying the Device Description

1) In the Device Description section, specify the following information.
Device Name: Enter the name of the switch.
Device Location: Enter the location of the switch.
System Contact: Enter the contact information.
2) Click Apply.

2.1.

Current System Time: Displays the current date and time of the switch.
Current Time Source: Displays the current time source of the switch.
In the Time Config section, follow these steps to configure the system time:
1) Choose one method to set the system time and specify the information.
Manual: Set the system time manually.
Date: Specify the date of the system.
Time: Specify the time of the system.

Figure 2-6 Setting the Daylight Saving Time

Follow these steps to configure Daylight Saving Time:
1) In the DST Config section, select Enable to enable the Daylight Saving Time function.
2) Choose one method to set the Daylight Saving Time of the switch and specify the information.
Predefined Mode: If you select Predefined Mode, choose a predefined DST schedule for the switch.
USA: Select the Daylight Saving Time of the USA. It is from 2:00 a.m.

Date Mode: If you select Date Mode, specify an absolute time range for the Daylight Saving Time of the switch. This configuration is used only once.
Offset: Specify the time to set the clock forward by.
Start Time: Specify the start time of Daylight Saving Time. The interval between start time and end time should be more than 1 day and less than 1 year (365 days).
End Time: Specify the end time of Daylight Saving Time.
System Description - JetStream 12-Port 10GBase-T Smart Switch with 4 10G SFP+ Slots
System Name - T1700X-16TS
System Location - SHENZHEN
Contact Information - www.tp-link.com
Hardware Version - T1700X-16TS 2.0
Software Version - 2.0.0 Build 20160909 Rel.52515(s)
System Time - 2016-01-04 10:07:38
Running Time - 3 day - 2 hour - 8 min - 26 sec

2.2.

The following example shows how to set the device name as Switch_A, the location as BEIJING and the contact information as http://www.tp-link.com.
Switch#configure
Switch(config)#hostname Switch_A
Switch(config)#location BEIJING
Switch(config)#contact-info http://www.tp-link.

The detailed information of each time zone is displayed as follows:
UTC-12:00 —— TimeZone for International Date Line West.
UTC-11:00 —— TimeZone for Coordinated Universal Time-11.
UTC-10:00 —— TimeZone for Hawaii.
UTC-09:00 —— TimeZone for Alaska.
UTC-08:00 —— TimeZone for Pacific Time (US Canada).
UTC-07:00 —— TimeZone for Mountain Time (US Canada).
UTC-06:00 —— TimeZone for Central Time (US Canada).
UTC-05:00 —— TimeZone for Eastern Time (US Canada).

Step 3
Use the following commands to verify the system time information.
show system-time
Verify the system time information.
show system-time ntp
Verify the system time information of NTP mode.
Step 4
end
Return to privileged EXEC mode.
Step 5
copy running-config startup-config
Save the settings in the configuration file.

Step 2
Use the following command to select a predefined Daylight Saving Time configuration:
system-time dst predefined [ USA | Australia | Europe | New-Zealand ]
Specify the Daylight Saving Time using a predefined schedule.
USA | Australia | Europe | New-Zealand: Select one mode of Daylight Saving Time.
USA: 02:00 a.m. on the Second Sunday in March ~ 02:00 a.m. on the First Sunday in November.
Australia: 02:00 a.m. on the First Sunday in October ~ 03:00 a.m.

smonth: Enter the start month of Daylight Saving Time. There are 12 values: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
sday: Enter the start day of Daylight Saving Time, which ranges from 1 to 31.
stime: Enter the start time of Daylight Saving Time, in the format HH:MM.
syear: Enter the start year of Daylight Saving Time.
emonth: Enter the end month of Daylight Saving Time.
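The predefined USA schedule above is given as calendar rules (the second Sunday in March, the first Sunday in November), and Date Mode, described in the GUI section, only accepts a range of more than 1 day and less than 1 year (365 days). The following Python script is an added example, not part of the TP-Link guide: it computes the USA switchover dates for a given year from those rules and checks a proposed Date Mode range against the interval limit, so the dates can be verified before they are entered with the date-mode parameters. The "YYYY-MM-DD HH:MM" text form it accepts is an assumption made for the example, not the switch's own input format.

```python
import calendar
from datetime import date, datetime, time, timedelta


def nth_weekday(year, month, weekday, n):
    """Date of the n-th `weekday` (calendar.MONDAY .. calendar.SUNDAY) in a month.
    nth_weekday(2016, 3, calendar.SUNDAY, 2) is the second Sunday of March 2016."""
    first = date(year, month, 1)
    days_ahead = (weekday - first.weekday()) % 7
    return first + timedelta(days=days_ahead + 7 * (n - 1))


def usa_dst_range(year):
    """Predefined USA schedule from the guide: 02:00 on the second Sunday in
    March until 02:00 on the first Sunday in November (local time)."""
    start = datetime.combine(nth_weekday(year, 3, calendar.SUNDAY, 2), time(2, 0))
    end = datetime.combine(nth_weekday(year, 11, calendar.SUNDAY, 1), time(2, 0))
    return start, end


def date_mode_interval_ok(start, end):
    """Date Mode constraint from the guide: the interval between start and
    end must be more than 1 day and less than 1 year (365 days)."""
    span = end - start
    return timedelta(days=1) < span < timedelta(days=365)


def check_date_mode(start_text, end_text, fmt="%Y-%m-%d %H:%M"):
    """Validate a Date Mode range given as text; the text format is an
    assumption for this example, not the switch's own syntax."""
    start = datetime.strptime(start_text, fmt)
    end = datetime.strptime(end_text, fmt)
    return date_mode_interval_ok(start, end)


if __name__ == "__main__":
    for year in (2016, 2017):
        start, end = usa_dst_range(year)
        print(year, start, "->", end, "interval ok:", date_mode_interval_ok(start, end))
```

A range that fails date_mode_interval_ok will be rejected by the switch for the reason stated under Start Time, so it is cheaper to catch it here than after the settings have been applied and saved.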
3 User Management Configurations
With user management configurations, you can:
• Create Admin accounts
• Create accounts of other types

3.1 Using the GUI
3.1.1 Creating Admin Accounts
Choose the menu System > User Management > User Config to load the following page.

Figure 3-1 Create Admin Accounts

Follow these steps to create an Admin account:
1) In the User Info section, select Admin from the drop-down list and specify the user name and password.

Access Level: Select the access level as Admin.
Admin: Admin can edit, modify and view all the settings of different functions.
Operator: Operator can edit, modify and view most of the settings of different functions.
Power User: Power User can edit, modify and view some of the settings of different functions.
User: User can only view the settings without the right to edit or modify.
Password: Type a password for the user's login.

User Name: Create a user name for the user's login. It contains 16 characters at most, composed of digits, English letters and underscores only.
Access Level: Select the access level as Operator, Power User or User.
Admin: Admin can edit, modify and view all the settings of different functions.
Operator: Operator can edit, modify and view most of the settings of different functions.

3.2 Using the CLI
3.2.1 Creating Admin Accounts
Follow these steps to create an Admin account:
Step 1
configure
Enter global configuration mode.
Step 2
Use the following command to create an account, unencrypted or symmetrically encrypted:
user name name { privilege admin } password { [ 0 ] password | 7 encrypted-password }
Create an account whose access level is Admin.
name: Enter a user name for the user's login.
Step 3
show user account-list
Verify the information of the current users.
Step 4
end
Return to privileged EXEC mode.
Step 5
copy running-config startup-config
Save the settings in the configuration file.

3.2.2 Creating Accounts of Other Types
You can create accounts with the access level of Operator, Power User and User here. You also need to go to the AAA section to create an Enable Password for these accounts.

Step 2
Use the following command to create an account, unencrypted or symmetrically encrypted:
user name name { privilege operator | power_user | user } password { [ 0 ] password | 7 encrypted-password }
Create an account whose access level is Operator, Power User or User.
name: Enter a user name for the user's login. It contains 16 characters at most, composed of digits, English letters and underscores only.

Step 4
Use the following command to create an enable password, unencrypted or symmetrically encrypted:
enable admin password { [ 0 ] password | 7 encrypted-password }
Create an Enable Password. It can change the user's access level to Admin. By default, it is empty.
0: Specify the encryption type. 0 indicates that the password you entered is unencrypted, and the password is saved to the configuration file unencrypted. By default, the encryption type is 0.

The following example shows how to create a user with the access level of Operator, set the user name as user1 and set the password as 123, then enable the AAA function and set the enable password as abc123.
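Because encryption type 0 saves the password to the configuration file unencrypted, and because Telnet and the admin/admin defaults are active when the switch is first set up, it is worth reviewing an exported configuration for these settings. The following Python script is an added example, not TP-Link code: it scans a running-config dump for type-0 user and enable passwords, for the factory default admin/admin credentials stored in the clear, and for Telnet left enabled (no telnet disable line). It assumes the dump echoes commands in the syntax shown in this guide (user name ..., enable admin password ..., telnet disable); the sample configuration embedded in it is constructed, and its type-7 value is a placeholder rather than real output.

```python
import re

# Factory default Telnet/SSH credentials named in the guide.
DEFAULT_CREDENTIALS = {("admin", "admin")}

# Patterns assume the running-config echoes the command syntax shown in this
# guide; adjust them if your firmware prints the lines differently.
USER_RE = re.compile(
    r"^user name (?P<name>\S+) privilege (?P<priv>admin|operator|power_user|user) "
    r"password (?P<enc>0|7) (?P<pwd>\S+)$")
ENABLE_RE = re.compile(r"^enable admin password (?P<enc>0|7) (?P<pwd>\S+)$")


def audit_running_config(config_text):
    """Return a list of (severity, message) findings for a config dump."""
    findings = []
    telnet_disabled = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "telnet disable":
            telnet_disabled = True
            continue
        m = USER_RE.match(line)
        if m:
            name, enc, pwd = m.group("name"), m.group("enc"), m.group("pwd")
            if enc == "0":
                # Type 0: the password sits in the config file in clear text.
                findings.append(("high", "account '%s': password saved unencrypted (type 0)" % name))
                if (name, pwd) in DEFAULT_CREDENTIALS:
                    findings.append(("critical", "account '%s': factory default credentials still set" % name))
            continue
        m = ENABLE_RE.match(line)
        if m and m.group("enc") == "0":
            findings.append(("high", "enable password saved unencrypted (type 0)"))
    if not telnet_disabled:
        findings.append(("medium", "Telnet is enabled; add 'telnet disable' if CLI access should be SSH-only"))
    return findings


# Constructed sample; TYPE7_PLACEHOLDER stands in for a real type-7 value.
SAMPLE_RUNNING_CONFIG = """\
hostname Switch_A
user name admin privilege admin password 0 admin
user name user1 privilege operator password 7 TYPE7_PLACEHOLDER
enable admin password 0 abc123
no ip ssh server
"""


def demo():
    return audit_running_config(SAMPLE_RUNNING_CONFIG)


if __name__ == "__main__":
    for severity, message in demo():
        print("[%s] %s" % (severity.upper(), message))
```

Run it against the file produced by the Config Backup export (or a captured show running-config); a clean result is an empty list. Re-entering the password with encryption type 7 and the telnet disable command from chapter 3 clears the findings the sample produces.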
Managing System 4 System Tools Configurations System Tools Configurations With system tools configurations, you can: Configure the boot file Restore the configuration of the switch Back up the configuration file Upgrade the firmware Reboot the switch Configure the reboot schedule Reset the switch 4.1 Using the GUI 4.1.1 Configuring the Boot File Choose the menu System > System Tools > Boot Config to load the following page.
Managing System System Tools Configurations Select Select one or more units to be configured. Unit Displays the number of the unit. Current Startup Image Displays the current startup image. Next Startup Image Select the next startup image. When the switch is powered on, it will try to start up with the next startup image. The next startup and backup image should not be the same. Backup Image Select the backup image.
Managing System System Tools Configurations 4.1.3 Backing up the Configuration File Choose the menu System > System Tools > Config Backup to load the following page. Figure 4-3 Backing up the Configuration File In the Config Backup section, select one unit and click Export to export the configuration file. 4.1.4 Upgrading the Firmware Choose the menu System > System Tools > Firmware Upgrade to load the following page.
Managing System System Tools Configurations After upgrading, the device will reboot automatically with the backup image Select this option to reboot automatically with the backup image after upgrading. 4.1.5 Rebooting the switch Choose the menu System > System Tools > System Reboot to load the following page. Figure 4-5 Rebooting the switch In the System Reboot section, select the desired unit and click Reboot. Target Unit Select the desired unit to reboot. By default, it is ALL Unit.
Time (HH:MM)/Date (DD/MM/YY): Specify the date and time for the switch to reboot.
Time (HH:MM): Specify the time for the switch to reboot, in the format HH:MM.
Date (DD/MM/YY): Specify the date for the switch to reboot, in the format DD/MM/YYYY. The date should be within 30 days.
Save Before Reboot: Select to save the switch's configurations before it reboots.
4.1.
Step 4 end: Return to privileged EXEC mode.
Step 5 copy running-config startup-config: Save the settings in the configuration file.
The following example shows how to set the next startup image as image 1 and set the backup image as image 2.
Switch#configure
Switch(config)#boot application filename image1 startup
Switch(config)#boot application filename image2 backup
Switch(config)#show boot
Boot config:
Current Startup Image - image1.
Switch>enable
Switch#copy tftp startup-config ip-address 192.168.0.100 filename file1
Start to load user config file......
Operation OK! Now rebooting system......
4.2.3 Backing up the Configuration File
Follow these steps to back up the current configuration of the switch in a file:
Step 1 enable: Enter privileged mode.
Step 2 copy startup-config tftp ip-address ip-addr filename name: Back up the configuration file to the TFTP server.
Switch>enable
Switch#firmware upgrade ip-address 192.168.0.100 filename file3.bin
It will only upgrade the backup image. Continue? (Y/N):Y
Operation OK!
Reboot with the backup image? (Y/N): Y
4.2.5 Rebooting the switch
Follow these steps to reboot the switch:
Step 1 enable: Enter privileged mode.
Step 2 reboot: Reboot the switch.
4.2.
Step 3 end: Return to privileged EXEC mode.
Step 4 copy running-config startup-config: Save the settings in the configuration file.
The following example shows how to set the switch to reboot at 12:00 on 15/01/2016.
Switch#configure
Switch(config)#reboot-schedule at 12:00 15/01/2016 save_before_reboot
Reboot system at 15/01/2016 12:00.
5 Access Security Configurations
With access security configurations, you can:
Configure the Access Control feature
Configure the HTTP feature
Configure the HTTPS feature
Configure the SSH feature
Enable the Telnet function
5.1 Using the GUI
5.1.1 Configuring the Access Control Feature
Choose the menu System > Access Security > Access Control to load the following page.
Access Interface: Select the interfaces through which the users are allowed to access the switch. The selected access interfaces only affect the users you set before.
SNMP: A function to manage network devices via an NMS.
Telnet: A connection type for users to log in remotely.
SSH: A connection type based on the SSH protocol.
HTTP: A connection type based on the HTTP protocol.
HTTPS: A connection type based on the SSL protocol.
5.1.2 Configuring the HTTP Function
Choose the menu System > Access Security > HTTP Config to load the following page.
Figure 5-2 Configuring the HTTP Function
1) In the Global Control section, select Enable and click Apply to enable the HTTP function.
HTTP: The HTTP function is based on the HTTP protocol. It allows users to manage the switch through a web browser.
2) In the Session Config section, specify the Session Timeout and click Apply.
5.1.3 Configuring the HTTPS Function
Choose the menu System > Access Security > HTTPS Config to load the following page.
Table 5-1 Configuring the HTTPS Function
1) In the Global Config section, select Enable to enable the HTTPS function and select the protocol the switch supports. Click Apply.
HTTPS: Select Enable to enable the HTTPS function. The HTTPS function is based on the SSL or TLS protocol. It provides a secure connection between the client and the switch.
SSL Version 3: Select Enable to make the switch support the SSL Version 3 protocol. SSL is a transport protocol. It can provide server authentication, encryption and message integrity to allow a secure HTTP connection. Note: SSL 3.0 has been deprecated by the IETF (RFC 7568); leave it disabled and rely on TLS unless a legacy client cannot connect otherwise.
TLS Version 1: Select Enable to make the switch support the TLS Version 1 protocol. TLS is a transport protocol upgraded from SSL. It supports a different encryption algorithm from SSL, so TLS and SSL are not compatible.
5.1.4 Configuring the SSH Feature
Choose the menu System > Access Security > SSH Config to load the following page.
Figure 5-3 Configuring the SSH Feature
1) In the Global Config section, select Enable to enable the SSH function and specify the other parameters.
SSH: Select Enable to enable the SSH function. SSH is a protocol working in the application layer and transport layer. It can provide a secure, remote connection to a device.
2) In the Encryption Algorithm section, select the encryption algorithms you want the switch to support and click Apply.
3) In the Data Integrity Algorithm section, select the integrity algorithms you want the switch to support and click Apply.
4) In the Key Download section, select the key type from the drop-down list and select the desired key file to download.
Key Type: Select the key type.
Step 2: Use the following command to control the users' access by limiting the IP address:
user access-control ip-based { ip-addr ip-mask } [ snmp ] [ telnet ] [ ssh ] [ http ] [ https ] [ ping ] [ all ]
Only the users within the IP range you set here are allowed to access the switch.
ip-addr: Specify the IP address of the user.
ip-mask: Specify the subnet mask of the user.
User authentication mode: IP based
Index IP Address Access Interface
----- ----------------- -------------------------------
1 192.168.0.0/24 SNMP Telnet HTTP HTTPS
Switch(config)#end
Switch#copy running-config startup-config
5.2.2 Configuring the HTTP Function
Follow these steps to configure the HTTP function:
Step 1 configure: Enter global configuration mode.
Step 2 ip http server
Step 3 ip http session timeout minutes
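The following Python model of the IP-based access control rule is an added example, not TP-Link code or output. It rebuilds the rule from the command arguments used above (192.168.0.0 255.255.255.0 with snmp, telnet, http and https) or from a saved copy of the show table, and answers which management sessions that rule admits. The function names, the decision to treat an empty keyword list as all, and the sample client addresses are assumptions made for this example.

```python
"""Model of the switch's IP-based user access control (added example, not TP-Link code)."""
import ipaddress
from typing import FrozenSet, List, NamedTuple

INTERFACES = ("snmp", "telnet", "ssh", "http", "https", "ping")


class Rule(NamedTuple):
    network: ipaddress.IPv4Network   # ip-addr plus ip-mask from the command
    interfaces: FrozenSet[str]       # access interfaces this rule permits


def rule_from_command(ip_addr: str, ip_mask: str, *interfaces: str) -> Rule:
    """Build a Rule the way the CLI command would.

    `all` expands to every interface; an empty keyword list is treated the same
    way (an assumption: the page does not say what the command does without keywords).
    """
    network = ipaddress.IPv4Network(f"{ip_addr}/{ip_mask}", strict=False)
    names = {i.lower() for i in interfaces}
    if not names or "all" in names:
        return Rule(network, frozenset(INTERFACES))
    unknown = names - set(INTERFACES)
    if unknown:
        raise ValueError(f"unknown access interface(s): {sorted(unknown)}")
    return Rule(network, frozenset(names))


def is_allowed(rules: List[Rule], client_ip: str, interface: str) -> bool:
    """True when some rule covers both the client's address and the interface.

    With no matching rule the session is denied, which is what the text
    describes: only users within the configured IP range may access the switch,
    and only through the listed interfaces.
    """
    addr = ipaddress.IPv4Address(client_ip)
    want = interface.lower()
    return any(addr in rule.network and want in rule.interfaces for rule in rules)


def parse_show_output(text: str) -> List[Rule]:
    """Parse the table the switch prints (Index, IP Address, Access Interface)
    back into Rule objects so a saved capture can be audited offline."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and "/" in parts[1]:
            rules.append(Rule(ipaddress.IPv4Network(parts[1], strict=False),
                              frozenset(p.lower() for p in parts[2:])))
    return rules


# Constructed copy of the output shown in the text.
SHOW_OUTPUT = """\
User authentication mode: IP based
Index IP Address        Access Interface
----- ----------------- -------------------------------
1     192.168.0.0/24    SNMP Telnet HTTP HTTPS
"""

if __name__ == "__main__":
    rules = parse_show_output(SHOW_OUTPUT)
    for ip, iface in [("192.168.0.77", "https"), ("192.168.0.77", "ssh"), ("10.0.0.5", "https")]:
        print(ip, iface, "allowed" if is_allowed(rules, ip, iface) else "denied")
```

Running it shows the point worth checking after such a rule is applied: the example rule lists SNMP, Telnet, HTTP and HTTPS but not SSH, so an SSH session from 192.168.0.77 is denied even though the address is in range, while any address outside 192.168.0.0/24 is denied on every interface.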
Switch(config)#ip http session timeout 9
Switch(config)#ip http max-user 6 5
Switch(config)#show ip http configuration
HTTP Status: Enabled
HTTP Session Timeout: 9
HTTP User Limitation: Enabled
HTTP Max Admin Users: 6
HTTP Max Guest Users: 5
Switch(config)#end
Switch#copy running-config startup-config
5.2.
Step 5 ip http secure-session timeout minutes: Specify the Session Timeout time. The system will log out automatically if users do nothing within the Session Timeout time.
minutes: Specify the timeout time, which ranges from 5 to 30 minutes. The default value is 10.
Step 6 ip http secure-max-users admin-num guest-num: Specify the maximum number of users that are allowed to connect to the HTTPS server. The total number of users should be no more than 16.
Switch(config)#ip http secure-session timeout 15
Switch(config)#ip http secure-max-users 1 2
Switch(config)#ip http secure-server download certificate ca.crt ip-address 192.168.0.100
Start to download SSL certificate......
Download SSL certificate OK.
Switch(config)#ip http secure-server download key ca.key ip-address 192.168.0.100
Start to download SSL key......
Download SSL key OK.
Step 4 ip ssh timeout value: Specify the idle timeout time. The system will automatically release the connection when the time is up.
value: Enter the value of the timeout time, which ranges from 1 to 120 seconds. The default value is 120 seconds.
Step 5 ip ssh max-client num: Specify the maximum number of connections to the SSH server. A new connection will not be established when the number of connections reaches the maximum number you set.
Switch(config)#ip ssh version v2
Switch(config)#ip ssh timeout 100
Switch(config)#ip ssh max-client 4
Switch(config)#ip ssh algorithm AES128-CBC
Switch(config)#ip ssh algorithm Cast128-CBC
Switch(config)#ip ssh algorithm HMAC-MD5
Switch(config)#ip ssh download v2 publickey ip-address 192.168.0.100
Start to download SSH key file......
Download SSH key file OK.
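The algorithm choices in the transcript above (AES128-CBC, Cast128-CBC, HMAC-MD5) are worth reviewing before they are saved. The following Python audit is an added example, not TP-Link code: it reads ip ssh lines exactly as typed at the CLI and flags algorithms that a current SSH deployment would no longer prefer, and it checks the timeout against the 1 to 120 second range given above. The policy table, the severities and the function names are this example's own; the sample transcript is a constructed copy of the one on this page.

```python
"""Offline audit of `ip ssh ...` CLI lines (added example, not TP-Link code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    algorithm: str
    severity: str   # "weak", "legacy" or "invalid"
    reason: str


# Ordered: the first matching rule wins, so Cast128-CBC is reported for its
# 64-bit block size rather than only for CBC mode. The reasons are general facts
# about these algorithms, not statements from the switch documentation.
POLICY = [
    ("CAST128", "weak", "CAST-128 is a 64-bit block cipher that OpenSSH no longer enables by default"),
    ("3DES", "weak", "3DES is a 64-bit block cipher; prefer AES"),
    ("MD5", "weak", "HMAC-MD5 is built on a broken hash; prefer an HMAC-SHA2 MAC"),
    ("CBC", "legacy", "CBC-mode ciphers were dropped from OpenSSH defaults; prefer CTR or GCM modes if offered"),
    ("SHA1", "legacy", "HMAC-SHA1 is still widely accepted but HMAC-SHA2 should be preferred"),
]

TIMEOUT_RANGE = (1, 120)   # seconds, the range the `ip ssh timeout` description gives


def classify(algorithm: str) -> Optional[Finding]:
    """Return a Finding for a configured algorithm name, or None if nothing is flagged."""
    upper = algorithm.upper()
    for needle, severity, reason in POLICY:
        if needle in upper:
            return Finding(algorithm, severity, reason)
    return None


def audit(config_lines: List[str]) -> List[Finding]:
    """Walk CLI lines (with or without the `Switch(config)#` prompt) and collect findings."""
    findings = []
    for raw in config_lines:
        line = raw.split("#", 1)[1] if "#" in raw else raw   # strip the prompt if present
        parts = line.split()
        if parts[:3] == ["ip", "ssh", "algorithm"] and len(parts) >= 4:
            finding = classify(parts[3])
            if finding:
                findings.append(finding)
        elif parts[:3] == ["ip", "ssh", "version"] and len(parts) >= 4 and parts[3].lower() != "v2":
            findings.append(Finding(parts[3], "weak", "only SSH protocol version 2 should be accepted"))
        elif parts[:3] == ["ip", "ssh", "timeout"] and len(parts) >= 4:
            value = int(parts[3])
            if not TIMEOUT_RANGE[0] <= value <= TIMEOUT_RANGE[1]:
                findings.append(Finding(parts[3], "invalid", "timeout must be 1 to 120 seconds"))
    return findings


# Constructed copy of the configuration example above.
SAMPLE_CONFIG = [
    "Switch(config)#ip ssh version v2",
    "Switch(config)#ip ssh timeout 100",
    "Switch(config)#ip ssh max-client 4",
    "Switch(config)#ip ssh algorithm AES128-CBC",
    "Switch(config)#ip ssh algorithm Cast128-CBC",
    "Switch(config)#ip ssh algorithm HMAC-MD5",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:8} {f.algorithm:12} {f.reason}")
```

On the sample transcript the audit reports AES128-CBC as legacy and Cast128-CBC and HMAC-MD5 as weak; a configuration that selects only AES counter or GCM modes and SHA-2 MACs produces no findings. Which stronger algorithms the switch actually offers is determined by the Encryption Algorithm and Data Integrity Algorithm lists in the GUI.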
Switch(config)#end
Switch#copy running-config startup-config
5.2.5 Enabling the Telnet Function
Follow these steps to enable the Telnet function:
Step 1 configure: Enter global configuration mode.
Step 2 telnet enable: Enable the Telnet function. By default, it is enabled. Note: Telnet carries the login credentials and the session in cleartext; once SSH is configured, disabling Telnet (or excluding it from the access-control interfaces) removes that exposure.
Step 3 end: Return to privileged EXEC mode.
Step 4 copy running-config startup-config: Save the settings in the configuration file.
6 SDM Template Configuration
The SDM Template function is used to configure system resources in the switch to optimize support for specific features. The switch provides three templates, each with a different allocation of hardware resources. Users can choose one according to how the switch is used in the network.
6.1 Using the GUI
Choose the menu System > SDM Template to load the following page.
SDM Template: Displays the name of the template.
IP ACL Rules: Displays the number of IP ACL rules, including Layer 3 ACL rules and Layer 4 ACL rules.
MAC ACL Rules: Displays the number of Layer 2 ACL rules.
COMBINED ACL Rules: Displays the number of combined ACL rules.
IPv6 ACL Rules: Displays the number of IPv6 ACL rules.
ARP Detection Entries: Displays the number of TCAM entries for ARP detection.
The following example shows how to set the SDM template as enterpriseV4.
Switch#config
Switch(config)#show sdm prefer enterpriseV4
"enterpriseV4" template:
number of IP ACL Rules : 360
number of MAC ACL Rules : 230
number of Combined ACL Rules : 0
number of IPV6 ACL Rules : 0
number of IPV6 Source Guard Entries : 0
number of ARP Detection Entries : 7
Switch(config)#sdm prefer enterpriseV4
Switch to "enterpriseV4" tempale.
7 Appendix: Default Parameters
Default settings of System Info are listed in the following tables.
Table 7-1 Default Settings of Device Description Configuration
Parameter: Default Setting
Device Name: The model name of the switch.
Device Location: SHENZHEN
System Contact: www.tp-link.
Default settings of Access Security are listed in the following tables.
Parameter: Default Setting
HMAC-SHA1: Enabled
HMAC-MD5: Enabled
Key Type: SSH-2 RSA/DSA
Table 7-10 Default Settings of Telnet Configuration
Parameter: Default Setting
Control Mode: Enabled
Default settings of SDM Template are listed in the following table.
Part 3 Managing Physical Interfaces
CHAPTERS
1. Physical Interface
2. Basic Parameters Configurations
3. Port Mirror Configuration
4. Port Security Configuration
5. Port Isolation Configurations
6. Loopback Detection Configuration
7.
Managing Physical Interfaces
1 Physical Interface
1.1 Overview
Interfaces of a device are used to exchange data and interact with other network devices. Interfaces are classified into physical interfaces and logical interfaces. Physical interfaces are the ports on the front panel or rear panel of the switch. Logical interfaces are manually configured and do not physically exist, such as loopback interfaces and routing interfaces.
2 Basic Parameters Configurations
2.1 Using the GUI
Choose the menu Switching > Port > Port Config to load the following page.
Figure 2-1 Configuring Basic Parameters
Follow these steps to set basic parameters for ports: select and configure your desired ports or LAGs, then click Apply.
UNIT:1/LAGS: Click 1 to configure physical ports. Click LAGS to configure LAGs.
Type: Displays the port type.
Flow Control: With this option enabled, the switch synchronizes the data transmission speed with the peer device, thus avoiding the packet loss caused by congestion. By default, it is disabled.
Jumbo: With this option enabled, the port can send jumbo frames. The default MTU (Maximum Transmission Unit) size for frames received and sent on all ports is 1518 bytes.
Step 3: Configure basic parameters for the port:
description string: Give the port a description for identification. string: Content of the port description, ranging from 1 to 16 characters.
shutdown / no shutdown: Use shutdown to disable the port, and use no shutdown to enable the port. When the port is enabled, it can forward packets normally; otherwise it discards the received packets. By default, all ports are enabled.
Switch(config)#interface ten-gigabitEthernet 1/0/1
Switch(config-if)#no shutdown
Switch(config-if)#description router connection
Switch(config-if)#speed auto
Switch(config-if)#duplex auto
Switch(config-if)#flow-control
Switch(config-if)#jumbo
Switch(config-if)#show interface configuration gigabitEthernet 1/0/1
Port State Speed Duplex FlowCtrl Jumbo Des
---- ----- ----- ------ -------- -----
Te1/0/1 Enable Auto Auto Enable Enable
3 Port Mirror Configuration
3.1 Using the GUI
Choose the menu Switching > Port > Port Mirror to load the following page.
Figure 3-1 Mirror Session List
The above page displays a mirror session, and no more sessions can be created. Click Edit to configure this mirror session on the following page.
Figure 3-2 Port Mirror Configuration
Follow these steps to configure Port Mirror:
1) In the Destination Port section, specify a monitoring port for the mirror session, and click Apply.
2) In the Source Port section, select one or multiple monitored ports for configuration. Then set the parameters and click Apply.
UNIT:1/LAGS: Click 1 to select physical ports. Click LAGS to select LAGs.
Note:
• The member port of a LAG cannot be set as a monitoring port or monitored port.
• A port cannot be set as the monitoring port and monitored port at the same time.
3.2 Using the CLI
Follow these steps to configure Port Mirror.
Step 1 configure: Enter global configuration mode.
Step 2 monitor session session_num destination interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }
Destination Port: Te1/0/10
Source Ports(Ingress): Te1/0/1-3
Source Ports(Egress): Te1/0/1-3
Switch(config-if)#end
Switch#copy running-config startup-config
4 Port Security Configuration
4.1 Using the GUI
Choose the menu Switching > Port > Port Security to load the following page.
Figure 4-1 Port Security
Follow these steps to configure Port Security:
1) Select one or multiple ports for security configuration.
2) Specify the maximum number of MAC addresses that can be learned on the port, and then select the learn mode of the MAC addresses.
Learn Mode: Select the learn mode of the MAC addresses on the port. Three modes are provided:
Dynamic: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting.
Static: The learned MAC addresses are not affected by the aging time and can only be deleted manually. The learned entries will be cleared after the switch is rebooted.
Step 3 mac address-table max-mac-count { [ max-number num ] [ mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ] }: Enable the port security feature of the port and configure the related parameters.
num: The maximum number of MAC addresses that can be learned on the port. The valid values are from 0 to 64. The default value is 64.
mode: Learn mode of the MAC address.
Switch(config-if)#end
Switch#copy running-config startup-config
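The following Python simulation of the port-security rules above is an added example, not TP-Link code. It applies the documented maximum count (0 to 64) and the two learn modes the GUI text describes: dynamic entries age out, static entries ignore aging but are cleared by a reboot. The permanent mode is assumed here to keep its entries across a reboot; the aging time is a constant chosen for this example (the page gives no value), and what the port does with a frame once the limit is reached is not modelled.

```python
"""Simulation of port-security MAC learning (added example, not TP-Link code)."""
from typing import Dict

MAX_COUNT_LIMIT = 64   # `max-number num` ranges from 0 to 64, default 64


class PortSecurity:
    def __init__(self, max_number: int = 64, mode: str = "dynamic", aging_time: int = 300):
        if not 0 <= max_number <= MAX_COUNT_LIMIT:
            raise ValueError("max-number must be 0 to 64")
        if mode not in ("dynamic", "static", "permanent"):
            raise ValueError("mode must be dynamic, static or permanent")
        self.max_number = max_number
        self.mode = mode
        self.aging_time = aging_time          # seconds; assumed value for this example
        self.table: Dict[str, int] = {}       # source MAC -> time last seen

    def learn(self, mac: str, now: int) -> bool:
        """Offer a source MAC seen at time `now`; True if it is (or becomes) a secure entry.

        A MAC beyond the configured maximum is not learned, which is what stops a
        single port from filling the table with forged source addresses.
        """
        if mac in self.table:
            self.table[mac] = now          # refresh the timestamp used for aging
            return True
        if len(self.table) >= self.max_number:
            return False
        self.table[mac] = now
        return True

    def age(self, now: int) -> int:
        """Expire idle entries (dynamic mode only) and return how many remain."""
        if self.mode == "dynamic":
            self.table = {m: t for m, t in self.table.items() if now - t < self.aging_time}
        return len(self.table)

    def reboot(self) -> int:
        """Clear learned entries as a reboot would; only permanent entries survive (assumed)."""
        if self.mode != "permanent":
            self.table.clear()
        return len(self.table)


if __name__ == "__main__":
    # Constructed scenario: a port limited to two addresses in dynamic mode.
    port = PortSecurity(max_number=2, mode="dynamic", aging_time=300)
    for t, mac in [(0, "00:11:22:33:44:01"), (10, "00:11:22:33:44:02"), (20, "00:11:22:33:44:03")]:
        print(t, mac, "learned" if port.learn(mac, t) else "rejected (limit reached)")
    print("entries after aging at t=305:", port.age(305))
```

The scenario shows why the maximum count matters on an access port: the third address is rejected until an earlier dynamic entry ages out, whereas a static or permanent entry never frees its slot on its own.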
5 Port Isolation Configurations
5.1 Using the GUI
Choose the menu Switching > Port > Port Isolation to load the following page.
Figure 5-1 Port Isolation List
The above page displays the port isolation list. Click Edit to configure Port Isolation on the following page.
Figure 5-2 Port Isolation Configurations
Follow these steps to configure Port Isolation:
1) In the Port section, select one or multiple ports to be isolated.
2) In the Forward Portlist section, select the forward ports or LAGs that the isolated ports are allowed to communicate with. Multiple selections are allowed.
3) Click Apply.
5.
Step 4 show port isolation interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }: Verify the Port Isolation configuration of the specified port.
Step 5 end: Return to privileged EXEC mode.
Step 6 copy running-config startup-config: Save the settings in the configuration file.
6 Loopback Detection Configuration
6.1 Using the GUI
To avoid a broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For a detailed introduction to storm control, refer to Configuring QoS.
Choose the menu Switching > Port > Loopback Detection to load the following page.
Loopback Detection Status: Enable loopback detection globally.
Detection Interval: Set the interval of sending loopback detection packets.
Automatic Recovery Time: Set the recovery time globally, after which a blocked port in Auto Recovery mode can automatically recover to normal status. The valid values are from 1 to 1000 seconds and the default value is 30 seconds. It should be an integral multiple of the detection interval.
Step 2 loopback-detection: Enable the loopback detection feature globally. By default, it is disabled.
Step 3 loopback-detection interval interval-time: Set the interval of sending loopback detection packets, which are used to detect loops in the network.
interval-time: The interval of sending loopback detection packets. The valid values are from 1 to 1000 seconds. By default, the value is 30 seconds.
Switch#configure
Switch(config)#loopback-detection
Switch(config)#show loopback-detection global
Loopback detection global status : enable
Loopback detection interval : 30 s
Loopback detection recovery time : 3 intervals
Switch(config-if)#end
Switch#copy running-config startup-config
The following example shows how to enable loopback detection of port 1/0/3 and set the process mode as alert and the recovery mode as auto:
Switch#configure
Switch(con
7 Configuration Examples
7.1 Example for Port Mirror
7.1.1 Network Requirements
As shown below, several hosts and a network analyzer are directly connected to the switch. For network security and troubleshooting, the network manager needs to use the network analyzer to monitor the data packets from the end hosts.
Figure 7-1 Network Topology (hosts on Te1/0/2-5, network analyzer on Te1/0/1)
7.1.
Figure 7-2 Mirror Session List
2) Click Edit on the above page to load the following page. In the Destination Port section, select port 1/0/1 as the monitoring port and click Apply.
Figure 7-3 Destination Port Configuration
3) In the Source Port section, select ports 1/0/2-5 as the monitored ports, and enable Ingress and Egress to allow the received and sent packets to be copied to the monitoring port. Then click Apply.
Figure 7-4 Source Port Configuration
4) Click Save Config to save the settings.
7.1.
7.2 Example for Port Isolation
7.2.1 Network Requirements
As shown below, three hosts and a server are connected to the switch and all belong to VLAN 10. With the VLAN configuration unchanged, Host A is not allowed to communicate with the other hosts except the server, even if the MAC address or IP address of Host A is changed.
Figure 7-5 Network Topology (Host A on Te1/0/1, Host B and Host C on Te1/0/2 and Te1/0/3, Server on Te1/0/4, all in VLAN 10)
7.2.
Figure 7-6 Port Isolation List
2) Click Edit on the above page to load the following page. Select port 1/0/1 as the isolated port, and select port 1/0/4 as the forwarding port. Click Apply.
Figure 7-7 Port Isolation Configuration
3) Click Save Config to save the settings.
7.2.4 Using the CLI
Switch#configure
Switch(config)#interface ten-gigabitEthernet 1/0/1
Switch(config-if)#port isolation gi-forward-list 1/0/4
Switch(config-if)#end
Switch#copy running-config startup-config
Verify the Configuration
Switch#show port isolation interface
Port LAG Forward-List
---- --- ------------
Te1/0/1 N/A Te1/0/4
Te1/0/2 N/A Te1/0/1-28,Po1-14
Te1/0/3 N/A Te1/0/1-28,Po1-14
......
7.3 Example for Loopback Detection
7.3.
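The verification table above can be checked offline against the requirement in 7.2.1. The following Python code is an added example, not TP-Link code: it parses the show port isolation interface output (copied here as a constructed sample), expands range syntax such as Te1/0/1-28,Po1-14, and reports whether two ports can exchange traffic. The function names and the assumption that a port absent from the table is unrestricted are this example's own.

```python
"""Offline check of a port-isolation forward list (added example, not TP-Link code)."""
import re
from typing import Dict, Set

_ITEM = re.compile(r"([A-Za-z]+)((?:\d+/\d+/)?)(\d+)(?:-(\d+))?")


def expand_list(spec: str) -> Set[str]:
    """Expand 'Te1/0/1-28,Po1-14' into the individual port and LAG names it covers."""
    ports: Set[str] = set()
    for item in spec.split(","):
        match = _ITEM.fullmatch(item.strip())
        if not match:
            raise ValueError(f"unrecognised port spec: {item!r}")
        prefix, stack, low, high = match.groups()
        last = int(high) if high else int(low)
        ports.update(f"{prefix}{stack}{n}" for n in range(int(low), last + 1))
    return ports


def parse_isolation_table(text: str) -> Dict[str, Set[str]]:
    """Map each listed port to the set of ports it may forward to."""
    forward: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] != "Port" and not parts[0].startswith("-"):
            forward[parts[0]] = expand_list(parts[2])
    return forward


def can_send(forward: Dict[str, Set[str]], src: str, dst: str) -> bool:
    """Whether a frame arriving on src may leave on dst (one direction only)."""
    if src not in forward:
        return True   # assumption: a port with no isolation entry is unrestricted
    return dst in forward[src]


def can_communicate(forward: Dict[str, Set[str]], a: str, b: str) -> bool:
    """Two-way reachability: both directions must be permitted for a usable session."""
    return can_send(forward, a, b) and can_send(forward, b, a)


# Constructed copy of the verification output shown above.
SHOW_OUTPUT = """\
Port     LAG  Forward-List
----     ---  ------------
Te1/0/1  N/A  Te1/0/4
Te1/0/2  N/A  Te1/0/1-28,Po1-14
Te1/0/3  N/A  Te1/0/1-28,Po1-14
......
"""

if __name__ == "__main__":
    table = parse_isolation_table(SHOW_OUTPUT)
    print("Host A <-> Server:", can_communicate(table, "Te1/0/1", "Te1/0/4"))
    print("Host A <-> Host B:", can_communicate(table, "Te1/0/1", "Te1/0/2"))
    print("Host B -> Host A one way:", can_send(table, "Te1/0/2", "Te1/0/1"))
```

The one-way check is the detail worth noticing: Te1/0/2 still lists Te1/0/1 in its forward list, so frames from Host B reach Host A's port, but Host A's replies are confined to Te1/0/4, which is what prevents a working session between the hosts.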
Figure 7-8 Network Topology (Switch A ports Te1/0/1-3 connect to access-layer switches that contain a loop; a management host is attached to Switch A)
7.3.2 Configuration Scheme
Enable loopback detection on ports 1/0/1-3 and configure SNMP to receive the notifications. For detailed instructions about SNMP, refer to Configuring SNMP & RMON. Here we introduce how to configure loopback detection and monitor the detection result on the management interface of the switch.
Figure 7-10 Port Configuration
4) Monitor the detection result on the above page. The Loop status and Block status are displayed on the right side of the ports.
7.3.4 Using the CLI
1) Enable loopback detection globally and configure the detection interval and recovery time.
Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto
Switch(config-if)#exit
Switch(config)#interface ten-gigabitEthernet 1/0/3
Switch(config-if)#loopback-detection
Switch(config-if)#loopback-detection config process-mode port-based recovery-mode auto
Switch(config-if)#end
Switch#copy running-config startup-config
Verify the Configuration
Verify the global configuration:
Switch#show loopback-detection global
Loopback de
8 Appendix: Default Parameters
Default settings of Switching are listed in the following tables.
Parameter: Default Setting
Port Status: Disable
Operation mode: Alert
Recovery mode: Auto
Part 4 Configuring LAG
CHAPTERS
1. LAG
2. LAG Configuration
3. Configuration Example
4.
Configuring LAG
1 LAG
1.1 Overview
With the LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface to increase link bandwidth and configure backup ports to enhance connection reliability.
1.2 Supported Features
You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).
Static LAG: The member ports are manually added to the LAG.
2 LAG Configuration
To complete the LAG configuration, follow these steps:
1) Configure the global load-balancing algorithm.
2) Configure Static LAG or LACP.
Configuration Guidelines
Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should be set to LACP mode.
2.1 Using the GUI
2.1.1 Configuring the Load-balancing Algorithm
Choose the menu Switching > LAG > LAG Table to load the following page.
Figure 2-1 Global Config
In the Global Config section, select the load-balancing algorithm. Click Apply.
Hash Algorithm: Select the hash algorithm, based on which the switch chooses the member port on which to send the received packets. In this way, different data flows are forwarded on different physical links to implement load balancing.
Figure 2-2 Hash Algorithm Configuration (Switch A, Switch B, hosts and server)
2.1.2 Configuring Static LAG or LACP
For one port, you can choose only one LAG mode: Static LAG or LACP. Make sure both ends of a link use the same LAG mode.
Configuring Static LAG
Choose the menu Switching > LAG > Static LAG to load the following page.
Figure 2-3 Static LAG
Follow these steps to configure the static LAG:
1) In the LAG Config section, select a LAG for configuration.
Configuring LACP
Choose the menu Switching > LAG > LACP to load the following page.
Figure 2-4 LACP Config
Follow these steps to configure LACP:
1) Specify the system priority for the switch and click Apply.
System Priority: Specify the system priority for the switch. A smaller value means a higher priority. To keep the active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device.
Port Priority (0-65535): Specify the port priority. A smaller value means a higher port priority. The port with the higher priority in a LAG will be selected as the active port to forward data. If two ports have the same priority value, the port with the smaller port number has the higher priority.
Mode: Select the LACP mode for the port. In LACP, the switch uses LACPDUs (Link Aggregation Control Protocol Data Units) to negotiate the parameters with the peer end.
The following example shows how to set the global load-balancing mode as src-dst-mac:
Switch#configure
Switch(config)#port-channel load-balance src-dst-mac
Switch(config)#show etherchannel load-balance
EtherChannel Load-Balancing Configuration: src-dst-mac
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination MAC address
IPv6: Source XOR Destination MAC address
Switch(config-if)#end
Switch#copy run
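The show output above states that with src-dst-mac the member link is chosen from "Source XOR Destination MAC address". The following Python code is an added example, not TP-Link code, that illustrates the consequence of such a scheme: every frame of a given source/destination pair lands on the same member link, in both directions, while different pairs spread across the LAG. How the switch ASIC reduces the 48-bit XOR to a link index is not on the page, so the byte-fold and modulo used here are this example's assumption; the MAC addresses and the member list (Te1/0/5-8, as in the static LAG example) are constructed samples.

```python
"""Illustration of src-dst-mac LAG load balancing (added example, not TP-Link code)."""
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple


def mac_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff' notation."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)


def select_member(src_mac: str, dst_mac: str, members: Sequence[str]) -> str:
    """Pick the LAG member that carries frames between src_mac and dst_mac.

    The XOR of the two addresses is folded byte by byte and reduced modulo the
    member count; the fold and modulo are this example's assumption about how
    the hash becomes a link index.
    """
    if not members:
        raise ValueError("LAG has no member ports")
    folded = 0
    for s, d in zip(mac_bytes(src_mac), mac_bytes(dst_mac)):
        folded ^= s ^ d        # XOR of source and destination MAC, byte by byte
    return members[folded % len(members)]


def distribution(pairs: Iterable[Tuple[str, str]], members: Sequence[str]) -> Dict[str, int]:
    """Count how many (src, dst) flows land on each member link."""
    return dict(Counter(select_member(s, d, members) for s, d in pairs))


# Constructed sample: LAG 2 with members Te1/0/5-8, one server and eight hosts.
MEMBERS = ["Te1/0/5", "Te1/0/6", "Te1/0/7", "Te1/0/8"]
SERVER = "00:1a:2b:3c:4d:5e"
HOSTS = [f"00:11:22:33:44:{n:02x}" for n in range(1, 9)]

if __name__ == "__main__":
    for host in HOSTS:
        print(host, "->", select_member(host, SERVER, MEMBERS))
    print(distribution([(h, SERVER) for h in HOSTS], MEMBERS))
```

Because XOR is symmetric, select_member gives the same link for (host, server) and (server, host); that is also why a single heavy flow between two MAC addresses can never use more than one member link, and why a topology with one server behind a router (a single destination MAC) may balance poorly under src-dst-mac.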
The following example shows how to add ports 1/0/5-8 to LAG 2 and set the mode as static LAG:
Switch#configure
Switch(config)#interface range ten-gigabitEthernet 1/0/5-8
Switch(config-if-range)#channel-group 2 mode on
Switch(config-if-range)#show etherchannel 2 summary
Flags: D - down P - bundled in port-channel
U - in use I - stand-alone
H - hot-standby(LACP only) s - suspended
R - layer3 S - layer2
u - unsuitable for bundling
f - failed to allocate aggregator
w
Step 4 channel-group num mode { on | active | passive }: Add the port to a LAG and set the mode as LACP.
num: The group number of the LAG.
mode: LAG mode. Here you need to select an LACP mode: active or passive. In LACP, the switch uses LACPDUs (Link Aggregation Control Protocol Data Units) to negotiate the parameters with the peer end. In this way, the two ends select active ports and form the aggregation link.
Switch(config-if-range)#show lacp internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in active mode
P - Device is in passive mode
Channel group 6
Port Flags State LACP Port Priority Admin Key Oper Key Port Number Port State
Te1/0/1 SA Up 32768 0x6 0x4b1 0x1 0x7d
Te1/0/2 SA Down 32768 0x6 0 0x2 0x45
Te1/0/3 SA Down 32768 0x6 0 0x3 0x45
Te1/0/4 SA Down 32768 0x6 0 0x4 0x45
Switch(config-i
3 Configuration Example
3.1 Network Requirements
As shown below, users and servers are connected to Switch A and Switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.
3.
3.3 Using the GUI
The configurations of Switch A and Switch B are similar. The following introduction takes Switch A as an example.
1) Choose the menu Switching > LAG > LAG Table to load the following page. Select the hash algorithm as 'SRC MAC+DST MAC'.
Figure 3-2 Global Configuration
2) Choose the menu Switching > LAG > LACP Config to load the following page. In the Global Config section, specify the system priority of Switch A as 0 and click Apply.
4) Click Save Config to save the settings.
3.4 Using the CLI
The configurations of Switch A and Switch B are similar. The following introduction takes Switch A as an example.
1) Configure the load-balancing algorithm as "src-dst-mac".
Switch#configure
Switch(config)#port-channel load-balance src-dst-mac
2) Specify the system priority of Switch A as 0. Remember to ensure that the system priority value of Switch B is bigger than 0.
Switch#show lacp sys-id
0, 000a.eb13.
4 Appendix: Default Parameters
Default settings of Switching are listed in the following tables.
Part 5 Monitoring Traffic
CHAPTERS
1. Traffic Monitor
2.
Monitoring Traffic
1 Traffic Monitor
With the Traffic Monitor function, you can monitor the traffic on the switch, including:
Traffic Summary
Traffic Statistics in Detail
1.1 Using the GUI
1.1.1 Viewing the Traffic Summary
Choose the menu Switching > Traffic Monitor > Traffic Summary to load the following page.
2) In the Traffic Summary section, click 1 to show the information of the physical ports, and click LAGS to show the information of the LAGs.
Packets Rx: Displays the number of packets received on the port. Error packets are not counted.
Packets Tx: Displays the number of packets transmitted on the port. Error packets are not counted.
Octets Rx: Displays the number of octets received on the port. Error octets are counted.
Auto Refresh: With this option enabled, the switch refreshes the web page periodically.
Refresh Rate: Specify the refresh interval in seconds.
2) In Port Select, select a port or LAG, and click Select.
3) In the Statistics section, view the detailed information of the selected port or LAG.
Received: Displays the detailed information of received packets.
Broadcast: Displays the number of valid broadcast packets received on the port. Error frames are not counted.
Sent: Displays the detailed information of sent packets.
Broadcast: Displays the number of valid broadcast packets transmitted on the port. Error frames are not counted.
Multicast: Displays the number of valid multicast packets transmitted on the port. Error frames are not counted.
Unicast: Displays the number of valid unicast packets transmitted on the port. Error frames are not counted.
1.2 Using the CLI
In privileged EXEC mode or any other configuration mode, you can use the following command to view the traffic information of each port or LAG:
show interface counters [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ]
port: The port number.
port-channel-id: The group number of the LAG. If you enter no port number or group number, the information of all ports and LAGs will be displayed.
2 Appendix: Default Parameters

Table 2-1 Traffic Statistics Monitoring

Parameter                           Default Setting
Traffic Summary: Auto Refresh       Disable
Traffic Summary: Refresh Rate       10 seconds
Traffic Statistics: Auto Refresh    Disable
Traffic Statistics: Refresh Rate    10 seconds
Part 6 Managing MAC Address Table

CHAPTERS
1. MAC Address Table
2. Address Configurations
3. Security Configurations
4. Example for Security Configurations
5. Appendix: Default Parameters
Managing MAC Address Table

1 MAC Address Table

1.1 Overview

The MAC address table contains the address information that the switch uses to forward traffic between ports. As shown below, the table lists mapping entries of MAC addresses, VLAN IDs and ports. These entries can be entered manually or learned automatically by the switch. Based on the MAC-address-to-port mapping in the table, the switch forwards a packet only to the port associated with its destination address.
Security Configurations

Configuring MAC Notification Traps

You can configure traps and SNMP (Simple Network Management Protocol) to monitor and receive notifications of the usage of the MAC address table and of MAC address change activity. For example, you can configure the switch to notify you when new users access the network.
2 Address Configurations

With the MAC address table, you can:
• Add static MAC address entries
• Change the address aging time
• Add filtering address entries
• View address table entries

2.1 Using the GUI

2.1.1 Adding Static MAC Address Entries

You can add static MAC address entries by manually specifying the desired MAC address or by binding dynamic MAC address entries.
Figure 2-1 Adding MAC Addresses Manually

Follow these steps to add a static MAC address entry:
1) Enter the MAC address and VLAN ID, and select a port to bind them together.
VLAN ID: Specify an existing VLAN in which packets with the specified MAC address are received.
Port: Specify the port to which packets with the specified MAC address are forwarded. The port must belong to the specified VLAN.
Figure 2-2 Binding Dynamic MAC Address Entries

Follow these steps to bind dynamic MAC address entries:
1) Select your desired MAC address entries. You can select the entries from the Dynamic Address Table, or quickly search for them by MAC address, VLAN ID or port in the Search Option section.
2) Click Bind. The selected entries become static and no longer age out.
2.1.2 Modifying the Aging Time of Dynamic Address Entries

Choose the menu Switching > MAC Address > Dynamic Address to load the following page.

Figure 2-3 Modifying the Aging Time of Dynamic Address Entries

Follow these steps to modify the aging time of dynamic address entries:
1) In the Aging Config section, enable Auto Aging, and enter your desired length of time.
2.1.3 Adding MAC Filtering Address Entries

Choose the menu Switching > MAC Address > Filtering Address to load the following page.

Figure 2-4 Adding MAC Filtering Address Entries

Follow these steps to add MAC filtering address entries:
1) In the Create Filtering Address section, enter the MAC Address and VLAN ID.
2.1.4 Viewing Address Table Entries

Choose the menu Switching > MAC Address > Address Table to load the following page.

Figure 2-5 Viewing Address Table Entries

2.2 Using the CLI

2.2.1 Adding Static MAC Address Entries

Follow these steps to add static MAC address entries:
Step 1  configure
        Enter global configuration mode.
Step 2  mac address-table static mac-addr vid vid interface { gigabitEthernet port | ten-gigabitEthernet port }
        Bind the MAC address, VLAN and port together to add a static address to the VLAN.
        mac-addr: Enter the MAC address. Packets with this destination address received in the specified VLAN are forwarded to the specified port. The format is xx:xx:xx:xx:xx:xx, for example, 00:00:00:00:00:01.
2.2.2 Modifying the Aging Time of Dynamic Address Entries

Follow these steps to modify the aging time of dynamic address entries:
Step 1  configure
        Enter global configuration mode.
Step 2  mac address-table aging-time aging-time
        Set the desired aging time for dynamic address entries.
        aging-time: The length of time that a dynamic entry remains in the MAC address table after it was last used or updated.
Step 3  end
        Return to privileged EXEC mode.
Step 4  copy running-config startup-config
        Save the settings in the configuration file.

Note:
• In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa.
• Multicast or broadcast addresses cannot be set as filtering addresses.

The following example shows how to add the MAC filtering address 00:1e:4b:04:01:5d to VLAN 10.
3 Security Configurations

With the security configurations of the MAC address table, you can:
• Configure MAC notification traps
• Limit the number of MAC addresses in VLANs

3.1 Using the GUI

3.1.1 Configuring MAC Notification Traps

Choose the menu Switching > MAC Address > MAC Notification to load the following page.
1) In the MAC Notification Global Config section, enable this feature, configure the relevant options, and click Apply.
Global Status: Enable the MAC notification feature globally.
Table Full Notification: Enable Table Full Notification; when the address table is full, a notification is generated and sent to the management host.
Notification Interval: Specify a time value in seconds between 1 and 1000 to bundle the notifications and reduce traffic.
Follow these steps to limit the number of MAC addresses in VLANs:
1) Enter the VLAN ID to limit the number of MAC addresses that can be learned in the specified VLAN.
VLAN ID: Specify an existing VLAN in which you want to limit the number of MAC addresses.
2) Enter your desired value in Max Learned MAC to set a threshold.
Max Learned MAC: Set the maximum number of MAC addresses in the specified VLAN. It ranges from 0 to 16383.
Step 4  mac address-table notification interval time
        Set the interval between each set of New MAC Learned notifications that are generated.
        time: Specify a time value in seconds between 1 and 1000 to bundle the notifications and reduce traffic. The default is 1 second.
    Switch(config-if)#mac address-table notification new-mac-learned enable
    Switch(config-if)#show mac address-table notification interface ten-gigabitEthernet 1/0/1
    Mac Notification Global Config
    Notification Global Status    : enable
    Table Full Notification Status: disable
    Notification Interval         : 10

    Port     LrnMode Change   Exceed Max Limit   New Mac Learned
    ----     --------------   ----------------   ---------------
    Te1/0/1  disable          disable            enable
    Switch(confi
The following example shows how to limit the number of MAC addresses in VLAN 10 to 100, and configure the switch to drop packets with new source MAC addresses once the limit is reached.
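The following is an added example, not code from the guide or from TP-Link: a small model of the MAC address table behaviour this part describes (learning, aging, static and bound entries, filtering addresses, and a per-VLAN max-learn limit in drop mode), so that the effect of each setting on a frame can be traced. The port names, the table capacity, the 300-second aging value, the rule that a filtering address is dropped as source or destination, the rule that the max-learn limit counts only dynamically learned entries, and all sample frames are assumptions made for the illustration.

```python
"""Model of a switch MAC address table with aging, static/bound entries,
filtering addresses and a per-VLAN learning limit in drop mode.
Added example; not the switch's own implementation."""
from dataclasses import dataclass, field

FLOOD = "flood"
DROP_FILTERED = "drop:filtering-address"
DROP_LIMIT = "drop:vlan-max-learn"


@dataclass
class Entry:
    port: str
    static: bool = False          # static and bound entries never age out
    last_seen: float = 0.0


@dataclass
class MacTable:
    aging_time: float = 300.0                      # assumed value, seconds
    capacity: int = 16384                          # assumed table size
    max_learn: dict = field(default_factory=dict)  # vid -> limit (drop mode)
    entries: dict = field(default_factory=dict)    # (vid, mac) -> Entry
    filtered: set = field(default_factory=set)     # (vid, mac) filtering addresses
    events: list = field(default_factory=list)     # what MAC notification would trap

    def add_static(self, mac, vid, port):
        # Guide: within one VLAN an address is either filtering or static.
        if (vid, mac) in self.filtered:
            raise ValueError("%s is a filtering address in VLAN %d" % (mac, vid))
        self.entries[(vid, mac)] = Entry(port, static=True)

    def bind(self, mac, vid):
        """Bind a learned entry so it no longer ages (the GUI's Bind button)."""
        self.entries[(vid, mac)].static = True

    def add_filter(self, mac, vid):
        if int(mac[:2], 16) & 1:               # I/G bit set: multicast/broadcast
            raise ValueError("multicast or broadcast addresses cannot be filtered")
        e = self.entries.get((vid, mac))
        if e and e.static:
            raise ValueError("%s is a static address in VLAN %d" % (mac, vid))
        self.filtered.add((vid, mac))

    def age(self, now):
        """Expire dynamic entries idle longer than aging_time; return the count."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def learned_in_vlan(self, vid):
        # Assumption: the max-learn limit counts dynamically learned entries only.
        return sum(1 for (v, _), e in self.entries.items() if v == vid and not e.static)

    def forward(self, src, dst, vid, in_port, now):
        """Learn from src, then return the egress port, FLOOD, or a drop reason."""
        # Assumption: a filtering address is dropped as source or as destination.
        if (vid, src) in self.filtered or (vid, dst) in self.filtered:
            return DROP_FILTERED
        key = (vid, src)
        if key in self.entries:
            self.entries[key].last_seen = now
        else:
            limit = self.max_learn.get(vid)
            if limit is not None and self.learned_in_vlan(vid) >= limit:
                self.events.append(("exceed-max-limit", vid, src, in_port))
                return DROP_LIMIT                # drop mode: the frame is discarded
            if len(self.entries) >= self.capacity:
                self.events.append(("table-full", vid, src, in_port))
            else:
                self.entries[key] = Entry(in_port, last_seen=now)
                self.events.append(("new-mac-learned", vid, src, in_port))
        hit = self.entries.get((vid, dst))
        return hit.port if hit else FLOOD


def demo():
    """VLAN 10 limited to two learned addresses in drop mode (the guide uses 100)."""
    t = MacTable()
    t.max_learn[10] = 2
    t.add_static("00:00:00:00:00:01", 10, "Te1/0/1")      # assumed server port
    t.add_filter("00:1e:4b:04:01:5d", 10)                 # the guide's filtering address
    r1 = t.forward("00:00:00:00:00:0a", "00:00:00:00:00:01", 10, "Te1/0/2", now=0)
    r2 = t.forward("00:00:00:00:00:0b", "00:00:00:00:00:0a", 10, "Te1/0/3", now=1)
    r3 = t.forward("00:00:00:00:00:0c", "00:00:00:00:00:01", 10, "Te1/0/4", now=2)  # third address: dropped
    r4 = t.forward("00:1e:4b:04:01:5d", "00:00:00:00:00:01", 10, "Te1/0/5", now=3)  # filtered source
    t.bind("00:00:00:00:00:0a", 10)                       # bound entries survive aging
    expired = t.age(now=400)                              # only ...0b ages out
    r5 = t.forward("00:00:00:00:00:0c", "00:00:00:00:00:01", 10, "Te1/0/4", now=401)
    return [r1, r2, r3, r4, expired, r5, [e[0] for e in t.events]]
```

The events list is the sequence a MAC notification configuration would bundle into traps at the configured interval; in drop mode the third new address in the VLAN is discarded without being learned, which is what keeps a flooding host from evicting legitimate entries.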
4 Example for Security Configurations

4.1 Network Requirements

Several departments are connected to the company network as shown in Figure 4-1. The Marketing Department, which is in VLAN 10, has the following requirements:
• Protect the network from unauthorized access and MAC address attacks such as MAC flooding by limiting the number of access users in this department to 100.
4.3 Using the GUI

1) Choose the menu Switching > MAC Address > MAC VLAN Security to load the following page. Set the maximum number of MAC addresses in VLAN 10 to 100, choose Drop mode and click Create.

Figure 4-2 Configuring VLAN Security

2) Choose the menu Switching > MAC Address > MAC Notification to load the following page. Enable Global Status, set the notification interval to 10 seconds, and click Apply.
3) Click Save Config to save the settings.
4) Enable SNMP and set a management host. For detailed SNMP configurations, refer to Configuring SNMP & RMON.

4.4 Using the CLI

1) Set the maximum number of MAC addresses in VLAN 10 to 100, and choose drop mode.
    Switch#configure
    Switch(config)#mac address-table security vid 10 max-learn 100 drop
2) Configure the new-MAC-learned trap on port 2 and set the notification interval to 10 seconds.
5 Appendix: Default Parameters

Default settings of the MAC Address Table are listed in the following tables.
Part 7 Configuring 802.1Q VLAN

CHAPTERS
1. Overview
2. 802.1Q VLAN Configuration
3. Configuration Example
4. Appendix: Default Parameters
Configuring 802.1Q VLAN

1 Overview

A VLAN (Virtual Local Area Network) is a network technique that solves broadcast problems in local area networks. It is usually applied for the following purposes:
• To restrict the broadcast domain: the VLAN technique divides a large local area network into several VLANs, and all traffic of a VLAN remains within that VLAN. This limits the impact of broadcast traffic on the Layer 2 network as a whole.
2 802.1Q VLAN Configuration

To complete the 802.1Q VLAN configuration, follow these steps:
1) Configure the PVID (Port VLAN ID) of the port.
2) Configure the VLAN, including creating a VLAN and adding the configured port to the VLAN.

2.1 Using the GUI

2.1.1 Configuring the PVID of the Port

Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page.

Figure 2-1 Configuring the Port

Select a port and configure its PVID. Click Apply.
PVID: The default VLAN ID of the port, with values between 1 and 4094. It is used mainly in the following two ways:
• When the port receives an untagged packet, the switch inserts a VLAN tag into the packet based on the PVID.
• When the port receives a UL packet or a broadcast packet, the switch broadcasts the packet within the default VLAN.
LAG: Displays the LAG (Link Aggregation Group) to which the port belongs.
2) Select the untagged port(s) and the tagged port(s) to add to the created VLAN based on the network topology.
Untagged port: The selected ports forward packets of the target VLAN without a VLAN tag.
Tagged port: The selected ports forward packets of the target VLAN with the VLAN tag.
3) Click Apply.

2.2 Using the CLI

2.2.
    Switch(config-vlan)#show vlan id 2
    VLAN  Name      Status   Ports
    ----  --------  -------  ---------
    2     RD        active
    Switch(config-vlan)#end
    Switch#copy running-config startup-config

2.2.
    Vlan  Name         Egress-rule
    ----  -----------  -----------
    1     System-VLAN  Untagged
    Switch(config-if)#end
    Switch#copy running-config startup-config

2.2.
3 Configuration Example

3.1 Network Requirements

Offices of Department A and Department B are located in different places, and computers in the different offices are connected to different switches. It is required that computers in the same department can communicate with each other, but not with computers in the other department.

3.
3.3 Network Topology

The figure below shows the network topology. Host A1 and Host A2 are used in Department A, while Host B1 and Host B2 are used in Department B. Switch 1 and Switch 2 are located in two different places. Host A1 and Host B1 are connected to port 1/0/2 and port 1/0/3 on Switch 1 respectively, while Host A2 and Host B2 are connected to port 1/0/6 and port 1/0/7 on Switch 2 respectively.
Figure 3-2 Create VLAN 10 for Department A

2) Click Create again to load the following page. Create VLAN 20 with the description Department-B. Add port 1/0/3 as an untagged port and port 1/0/4 as a tagged port to VLAN 20. Then click Apply.
Figure 3-3 Create VLAN 20 for Department B

3) Click Save Config to save the settings.

3.5 Using the CLI

The configurations of Switch 1 and Switch 2 are similar. The following takes Switch 1 as an example.
1) Create VLAN 10 for Department A, and configure the description as Department-A. Similarly, create VLAN 20 for Department B, and configure the description as Department-B.
    Switch_1(config)#interface ten-gigabitEthernet 1/0/2
    Switch_1(config-if)#switchport general allowed vlan 10 untagged
    Switch_1(config-if)#exit
    Switch_1(config)#interface ten-gigabitEthernet 1/0/3
    Switch_1(config-if)#switchport general allowed vlan 20 untagged
    Switch_1(config-if)#exit
3) Set the port mode of port 1/0/4 to Tagged, and then add it to both VLAN 10 and VLAN 20.
4 Appendix: Default Parameters

Default settings of 802.1Q VLAN are listed in the following table.

Table 4-1 Default Settings of 802.
Part 8 Configuring MAC VLAN

CHAPTERS
1. Overview
2. MAC VLAN Configuration
3. Configuration Example
4. Appendix: Default Parameters
Configuring MAC VLAN

1 Overview

VLANs are generally assigned by port. This kind of assignment is simple, but it is not suitable for networks that require frequent topology changes. With the popularity of mobile office, a terminal device may access the switch via different ports. For example, a terminal device that accessed the switch via port 1 last time may be connected to port 2 this time.
2 MAC VLAN Configuration

To complete the MAC VLAN configuration, follow these steps:
1) Configure 802.1Q VLAN.
2) Bind the MAC address to the VLAN.
3) Enable MAC VLAN for the port.

Configuration Guidelines

When a port with MAC VLAN enabled receives an untagged data packet, the switch first checks whether the source MAC address of the packet has been bound to a MAC VLAN.
2.1.2 Binding the MAC Address to the VLAN

Choose the menu VLAN > MAC VLAN > MAC VLAN to load the following page.

Figure 2-1 MAC VLAN Configuration

Follow these steps to bind the MAC address to the VLAN:
1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN.
MAC Address: Enter the MAC address of the device. The address should be in the format 00-00-00-00-00-01.
Choose the menu VLAN > MAC VLAN > Port Enable to load the following page.

Figure 2-2 Enable MAC VLAN for the Port

Follow these steps to enable MAC VLAN for the port: select your desired ports to enable MAC VLAN, and click Apply.

Note: A member port of a LAG (Link Aggregation Group) follows the configuration of the LAG, not its own. The configuration of the port takes effect only after it leaves the LAG.

2.2 Using the CLI

2.2.1 Configuring 802.1Q VLAN
Step 3  show mac-vlan vid
        Verify the configuration of MAC VLAN.
        vid: Specify the MAC VLAN to be displayed.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to bind the MAC address 00:19:56:8A:4C:71 to VLAN 10, with the address description Dept.A.
Step 6  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to enable MAC VLAN for port 1/0/1.
    Switch#configure
    Switch(config)#interface ten-gigabitEthernet 1/0/1
    Switch(config-if)#mac-vlan
    Switch(config-if)#show mac-vlan interface
    Port      STATUS
    -------   -----------
    Te1/0/1   Enable
    Te1/0/2   Disable
    ......
3 Configuration Example

3.1 Network Requirements

Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in.
connecting the laptops, set the port type as Untagged; for the ports connecting to the other switch, set the port type as Tagged.
2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports.

Demonstrated with the T1700X-16TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI.

3.
Figure 3-3 VLAN Configuration

3) Choose the menu VLAN > MAC VLAN > MAC VLAN to load the following page. Enter the MAC address, description and VLAN ID, and click Create to bind the MAC address of Laptop A to VLAN 10 and the MAC address of Laptop B to VLAN 20.

Figure 3-4 MAC VLAN Configuration

4) Choose the menu VLAN > MAC VLAN > Port Enable to load the following page. Select port 1/0/1 and click Apply to enable MAC VLAN for it.
Figure 3-5 Enable MAC VLAN for the Port

5) Click Save Config to save the settings.

Configurations for Switch 3
1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10, and add port 1/0/4 as an untagged port and ports 1/0/2-3 as tagged ports to VLAN 10. Click Apply.

Figure 3-6 VLAN Configuration

2) Click Create to load the following page.
Figure 3-7 802.1Q VLAN Configuration

3) Click Save Config to save the settings.

3.4 Using the CLI

Configurations for Switch 1 and Switch 2
The configurations of Switch 1 and Switch 2 are the same. The following takes Switch 1 as an example.
1) Create VLAN 10 for Department A and create VLAN 20 for Department B.
    Switch_1(config-if)#switchport general allowed vlan 10,20 tagged
    Switch_1(config-if)#exit
3) Set port 1/0/1 as an untagged port, and add it to both VLAN 10 and VLAN 20. Then enable MAC VLAN for port 1/0/1.
3) Set port 1/0/4 and port 1/0/5 as untagged ports, and add them to VLAN 10 and VLAN 20 respectively.
4 Appendix: Default Parameters

Default settings of MAC VLAN are listed in the following table.
Part 9 Configuring Protocol VLAN

CHAPTERS
1. Overview
2. Protocol VLAN Configuration
3. Configuration Example
4. Appendix: Default Parameters
Configuring Protocol VLAN

1 Overview

Protocol VLAN is a technique that divides VLANs based on the network layer protocol. With a protocol VLAN rule configured on top of the existing 802.1Q VLAN, the switch analyzes specific fields of received packets, encapsulates the packets in the corresponding formats, and forwards packets of different protocols to the corresponding VLANs.
2 Protocol VLAN Configuration

To complete the protocol VLAN configuration, follow these steps:
1) Configure 802.1Q VLAN, including creating a VLAN and setting the port type.
2) Create a protocol template.
3) Configure protocol VLAN.

Configuration Guidelines

You can use the IP, ARP, RARP and other protocol templates provided by TP-Link switches, or create new protocol templates.
2.1.2 Creating Protocol Template

Choose the menu VLAN > Protocol VLAN > Protocol Template to load the following page.

Figure 2-1 Create a Protocol Template

Follow these steps to create a protocol template:
1) Check whether your desired template already exists in the Protocol Template Table section. If not, create it in the Create Protocol Template section.
Protocol Name: Enter the name of the new protocol template.
Figure 2-2 Configure the Protocol Group

Follow these steps to configure the protocol group:
1) In the Protocol Group Config section, select the protocol name and enter the VLAN ID to bind the protocol type to the VLAN.
Protocol Name: Select the protocol type.
VLAN ID: Enter the ID of the 802.1Q VLAN to be bound to the protocol type.
2) In the Protocol Group Member section, select the port or LAG to add to the protocol group.
3) Click Apply.
2.2.2 Creating a Protocol Template

Follow these steps to create a protocol template:
Step 1  configure
        Enter global configuration mode.
Step 2  protocol-vlan template name protocol-name frame { ether_2 ether-type type | snap ether-type type | llc dsap dsap_type ssap ssap_type }
        Create a protocol template.
        protocol-name: Specify the protocol name with 1 to 8 characters.
        type: Specify the Ethernet protocol type with 4 hexadecimal digits.
    Switch#copy running-config startup-config

2.2.3 Configuring Protocol VLAN

Follow these steps to configure protocol VLAN:
Step 1  configure
        Enter global configuration mode.
Step 2  show protocol-vlan template
        Check the index of each protocol template.
Step 3  protocol-vlan vlan vid template index
        Bind the protocol template to the VLAN.
        vid: ID of the 802.1Q VLAN to which the port with protocol VLAN enabled belongs.
        index: Protocol template index.
    4   IPX    SNAP        ether-type 8137
    5   AT     SNAP        ether-type 809B
    6   IPv6   EthernetII  ether-type 86DD
    Switch(config)#protocol-vlan vlan 10 template 6
    Switch(config)#end
    Switch#copy running-config startup-config

The following example shows how to add port 1/0/2 to the IPv6 protocol group:
    Switch#configure
    Switch(config)#interface ten-gigabitEthernet 1/0/2
    Switch(config-if)#show protocol-vlan vlan
    Index   Protocol-Name   VID   Member
    -----   -------------   ---   ------
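The following is an added example, not code from the guide or from TP-Link. It ties together the three ingress rules described in this guide: the PVID behaviour of an untagged frame (Part 7, 2.1.1), the source-MAC check of MAC VLAN (Part 8, Configuration Guidelines), and the frame-type templates of the protocol-vlan template command above (Ethernet II, SNAP and LLC), plus the tagged/untagged egress rule of a member port. The order of precedence (802.1Q tag, then MAC VLAN binding, then protocol VLAN template, then PVID), the template table, the member list and all sample frames are assumptions made for the illustration; the switch's real classification pipeline is not documented here.

```python
"""Ingress VLAN classification: 802.1Q tag, MAC VLAN, protocol VLAN, PVID.
Added example; not the switch's own implementation."""
import struct

# Protocol templates keyed by the names the CLI lists. The frame kinds follow
# the protocol-vlan template command: ether_2 / snap / llc (assumed table).
TEMPLATES = {
    "IP":   ("ether_2", {"ether_type": 0x0800}),
    "IPX":  ("snap",    {"ether_type": 0x8137}),
    "AT":   ("snap",    {"ether_type": 0x809B}),
    "IPv6": ("ether_2", {"ether_type": 0x86DD}),
}


def parse_frame(frame: bytes) -> dict:
    """Decode addresses, an optional 802.1Q tag and the encapsulation kind."""
    dst, src, off, vid = frame[:6], frame[6:12], 12, None
    if struct.unpack("!H", frame[off:off + 2])[0] == 0x8100:   # tagged frame
        vid = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    type_or_len = struct.unpack("!H", frame[off:off + 2])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid}
    if type_or_len >= 0x0600:                  # Ethernet II: EtherType follows
        info.update(kind="ether_2", ether_type=type_or_len)
    else:                                      # 802.3 length, then LLC header
        dsap, ssap, ctrl = frame[off + 2:off + 5]
        if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):   # SNAP: OUI then EtherType
            info.update(kind="snap",
                        ether_type=struct.unpack("!H", frame[off + 8:off + 10])[0])
        else:
            info.update(kind="llc", dsap=dsap, ssap=ssap)
    return info


class SwitchPort:
    def __init__(self, pvid, members, mac_vlan=False,
                 mac_bindings=None, protocol_groups=None):
        self.pvid = pvid
        self.members = members                        # vid -> "tagged"/"untagged"
        self.mac_vlan = mac_vlan                      # VLAN > MAC VLAN > Port Enable
        self.mac_bindings = mac_bindings or {}        # source MAC -> vid
        self.protocol_groups = protocol_groups or {}  # template name -> vid

    def classify(self, frame: bytes):
        """Return (vid, reason) for a received frame."""
        f = parse_frame(frame)
        if f["vid"] is not None:
            return f["vid"], "tag"
        if self.mac_vlan and f["src"] in self.mac_bindings:
            return self.mac_bindings[f["src"]], "mac-vlan"
        for name, vid in self.protocol_groups.items():
            kind, fields = TEMPLATES[name]
            if f["kind"] == kind and all(f.get(k) == v for k, v in fields.items()):
                return vid, "protocol-vlan:" + name
        return self.pvid, "pvid"

    def egress(self, vid):
        """None if the port is not a member of vid, else how it sends the frame."""
        return self.members.get(vid)


def build(src, ether_type=None, vid=None, llc=None):
    """Construct a sample frame (made up for the example, not a capture)."""
    hdr = bytes(6 * [0xFF]) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", 0x8100, vid)
    if llc is not None:                           # 802.3 frame: length + LLC
        body = bytes(llc) + bytes(40)
        return hdr + struct.pack("!H", len(body)) + body
    return hdr + struct.pack("!H", ether_type) + bytes(46)


def demo():
    """Port 1/0/1 as in the guide's examples: PVID 1, MAC VLAN on, IP->10, IPv6->20."""
    port = SwitchPort(pvid=1, members={1: "untagged", 10: "untagged", 20: "untagged"},
                      mac_vlan=True, mac_bindings={"00:19:56:8a:4c:71": 10},
                      protocol_groups={"IP": 10, "IPv6": 20})
    frames = [
        build("00:19:56:8a:4c:71", ether_type=0x86DD),          # MAC binding beats protocol
        build("00:aa:bb:cc:dd:01", ether_type=0x0800),          # IPv4 -> VLAN 10
        build("00:aa:bb:cc:dd:02", ether_type=0x86DD),          # IPv6 -> VLAN 20
        build("00:aa:bb:cc:dd:03", ether_type=0x0800, vid=30),  # tag wins
        build("00:aa:bb:cc:dd:04", llc=[0xAA, 0xAA, 0x03, 0, 0, 0, 0x81, 0x37]),  # IPX/SNAP, no group: PVID
    ]
    return [port.classify(f) for f in frames]
```

The last sample frame shows why the requirement "other packets are dropped" in the configuration example below is not met by the classifier alone: an unmatched protocol falls back to the PVID, so the PVID's VLAN membership is what decides whether such traffic goes anywhere.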
3 Configuration Example

3.1 Network Requirements

A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and the IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped. The figure below shows the network topology.
1) Create VLAN 10 and VLAN 20, set the port type, and add each port to the corresponding VLAN.
2) Use the IPv4 protocol template provided by the switch, and create the IPv6 protocol template.
3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups.

For Switch 1, configure 802.1Q VLAN according to the network topology.
Figure 3-3 Create VLAN 20

3) Click Save Config to save the settings.

Configurations for Switch 2
1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10, and add port 1/0/1 as a tagged port and port 1/0/2 as an untagged port to VLAN 10. Click Apply.
Figure 3-4 Create VLAN 10

2) Click Create to load the following page. Create VLAN 20, and add port 1/0/1 as a tagged port and port 1/0/3 as an untagged port to VLAN 20. Click Apply.
Figure 3-5 Create VLAN 20

3) Choose the menu VLAN > Protocol VLAN > Protocol Template to load the following page. Enter IPv6 as the protocol name, select the Ethernet II frame type, enter 86DD in the Ether Type field, and click Create to create the IPv6 protocol template.

Tips: The IPv4 protocol template is already provided by the switch; you only need to create the IPv6 protocol template.
4) Choose the menu VLAN > Protocol VLAN > Protocol Group to load the following page. Select the protocol name IP (that is, the IP
v4 protocol template), enter VLAN ID 10, select port 1, and click Apply. Select the protocol name IPv6, enter VLAN ID 20, select port 1, and click Apply.
Figure 3-9 Protocol VLAN Configuration

6) Click Save Config to save the settings.

3.4 Using the CLI

Configurations for Switch 1
1) Create VLAN 10 and VLAN 20.
    Switch_1#configure
    Switch_1(config)#vlan 10
    Switch_1(config-vlan)#name IPv4
    Switch_1(config-vlan)#exit
    Switch_1(config)#vlan 20
    Switch_1(config-vlan)#name IPv6
    Switch_1(config-vlan)#exit
2) Set port 1/0/3 as an untagged port, and add it to both VLAN 10 and VLAN 20.
    Switch_1#copy running-config startup-config

Configurations for Switch 2
1) Create VLAN 10 and VLAN 20.
    Switch_2#configure
    Switch_2(config)#vlan 10
    Switch_2(config-vlan)#name IPv4
    Switch_2(config-vlan)#exit
    Switch_2(config)#vlan 20
    Switch_2(config-vlan)#name IPv6
    Switch_2(config-vlan)#exit
2) Set port 1/0/1 as a tagged port, and add it to both VLAN 10 and VLAN 20.
    5   AT     SNAP         ether-type 809b
    6   IPv6   Ethernet II  ether-type 86dd
5) Configure the protocol groups.
    Switch_2(config)#protocol-vlan vlan 10 template 1
    Switch_2(config)#protocol-vlan vlan 20 template 6
6) Add port 1/0/1 to the protocol groups.
    Switch_2#show vlan
    VLAN  Name         Status   Ports
    ----  -----------  -------  ----------------------------------------
    1     System-VLAN  active   Te1/0/1, Te1/0/4, Te1/0/5, Te1/0/6
                                Te1/0/7, Te1/0/8, Te1/0/9, Te1/0/10
    ......
4 Appendix: Default Parameters

Default settings of Protocol VLAN are listed in the following table.
Part 10 Configuring Private VLAN

CHAPTERS
1. Overview
2. Private VLAN Configurations
3. Configuration Example
4. Appendix: Default Parameters
Configuring Private VLAN

1 Overview

Large networks such as ISP networks generally isolate users by VLAN. However, as the number of users increases, upper-layer devices have to create a large number of VLANs to manage all the users. According to the IEEE 802.1Q standard, each upper-layer device can create no more than 4094 VLANs, which means upper-layer devices in backbone networks face a shortage of VLANs.
If private VLAN is configured on Switch B, Switch A only needs to recognize the primary VLAN, VLAN 5, and end users can be isolated by the secondary VLANs, VLAN 2, VLAN 3 and VLAN 4, saving VLAN resources on Switch A.
2 Private VLAN Configurations

With the private VLAN configuration, you can:
1) Create a private VLAN
2) Configure private VLAN on ports

2.1 Using the GUI

2.1.1 Creating Private VLAN

Choose the menu VLAN > Private VLAN > PVLAN Config to load the following page.

Figure 2-1 PVLAN Config

1) In the Create Private VLAN section, enter the IDs of the primary VLAN and the secondary VLAN, and select the Secondary VLAN Type as needed.
Secondary VLAN Type: Select the secondary VLAN type.
Isolated VLAN: Hosts in an isolated VLAN can communicate only with the promiscuous (up-link) port, not with each other and not with hosts in other secondary VLANs.
Community VLAN: Hosts in the same community VLAN can communicate with each other and with the promiscuous port, but not with hosts in other secondary VLANs.
2) Click Create.

2.1.2 Configuring the Up-link Port

The switch requires that only an access port can be added to a private VLAN.
Secondary VLAN: Specify the ID of the secondary VLAN to add the port to the secondary VLAN.
2) Click Apply.

Note: When configuring the up-link port, you only need to add the port to one private VLAN and set the port type to Promiscuous. The switch automatically adds the port to all private VLANs with the same primary VLAN.

2.1.3 Configuring the Down-link Port

The switch requires that only an access port can be added to a private VLAN.
Primary VLAN: Specify the ID of the primary VLAN to add the port to the primary VLAN.
Secondary VLAN: Specify the ID of the secondary VLAN to add the port to the secondary VLAN.
2) Click Apply.

2.2 Using the CLI

2.2.1 Creating Private VLAN

Note: If you need to create a private VLAN from existing VLANs, delete all member ports of the existing VLANs before creating the private VLAN.
Step 8  vlan vlan-id
        Specify the primary VLAN ID, and enter VLAN configuration mode.
Step 9  private-vlan association vlan-list
        Specify the ID or ID list of the secondary VLAN(s) to pair with this primary VLAN. To avoid a long response time of the switch, it is recommended to pair fewer than 10 secondary VLANs with the primary VLAN at a time.
        vlan-list: Specify the ID or the ID list of the secondary VLAN(s).
2.2.2 Configuring the Up-link Port

The switch requires that only an access port can be added to a private VLAN.
Step 1  configure
        Enter global configuration mode.
Step 2  interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }
        Enter interface configuration mode.
        port: Specify the port to be configured.
    Switch(config)#interface ten-gigabitEthernet 1/0/2
    Switch(config-if)#switchport private-vlan promiscuous
    Switch(config-if)#switchport private-vlan mapping 6 5
    Switch(config-if)#exit
    Switch(config)#show vlan private-vlan
    Primary   Secondary   Type        Ports
    -------   ---------   ---------   -------
    6         5           Community   Te1/0/2
    Switch(config)#show vlan private-vlan interface ten-gigabitEthernet 1/0/2
    Port      type
    -------   -----------
    Te1/0/2   Promiscuous
Step 5  show vlan private-vlan
        Verify the configurations of the private VLAN.
Step 6  show vlan private-vlan interface [ gigabitEthernet port | ten-gigabitEthernet port | portchannel port-channel-id ]
        Verify the private VLAN configurations of ports.
        port: Specify the port ID.
        port-channel-id: Specify the port-channel ID.
Step 7  end
        Return to privileged EXEC mode.
Step 8  copy running-config startup-config
        Save the settings in the configuration file.
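The following is an added example, not code from the guide or from TP-Link: the Layer 2 reachability rules of a private VLAN (isolated and community secondary VLANs, promiscuous and host port types, as described in 2.1.1 to 2.1.3) expressed as a function over port types, so that the isolation a configuration yields can be checked before it is deployed. Primary VLAN 6, community VLANs 5 and 7, up-link Te1/0/2 and down-links Te1/0/10 and Te1/0/11 follow the guide's configuration example; isolated VLAN 8 and the extra host ports Te1/0/12 to Te1/0/14 are assumptions added to show the isolated case next to the community case.

```python
"""Reachability between ports of one private VLAN.
Added example; not the switch's own implementation."""
PROMISCUOUS, HOST = "promiscuous", "host"
COMMUNITY, ISOLATED = "community", "isolated"


class PrivateVlan:
    def __init__(self, primary):
        self.primary = primary
        self.secondary = {}     # secondary vid -> COMMUNITY / ISOLATED
        self.ports = {}         # port -> (port type, secondary vid or None)

    def associate(self, vid, kind):
        if kind not in (COMMUNITY, ISOLATED):
            raise ValueError("secondary VLAN type must be community or isolated")
        self.secondary[vid] = kind

    def add_promiscuous(self, port):
        # Up-link: the guide's note says the switch maps it to every private
        # VLAN sharing this primary, so no secondary VID is recorded here.
        self.ports[port] = (PROMISCUOUS, None)

    def add_host(self, port, vid):
        if vid not in self.secondary:
            raise ValueError("secondary VLAN %d is not paired with primary %d"
                             % (vid, self.primary))
        self.ports[port] = (HOST, vid)

    def can_reach(self, src, dst):
        """Layer 2 reachability between two ports of this private VLAN."""
        if src == dst:
            return False
        stype, svid = self.ports[src]
        dtype, dvid = self.ports[dst]
        if PROMISCUOUS in (stype, dtype):
            return True                            # up-link talks to every host
        if svid != dvid:
            return False                           # different secondary VLANs
        return self.secondary[svid] == COMMUNITY   # isolated hosts never see each other

    def matrix(self):
        """{port: sorted list of ports it can reach} for every port."""
        return {p: sorted(q for q in self.ports if self.can_reach(p, q))
                for p in self.ports}


def demo():
    pv = PrivateVlan(6)
    pv.associate(5, COMMUNITY)
    pv.associate(7, COMMUNITY)
    pv.associate(8, ISOLATED)          # assumed, not in the guide's example
    pv.add_promiscuous("Te1/0/2")
    pv.add_host("Te1/0/10", 5)
    pv.add_host("Te1/0/11", 7)
    pv.add_host("Te1/0/12", 5)         # second member of community 5 (assumed)
    pv.add_host("Te1/0/13", 8)         # two hosts in the isolated VLAN (assumed)
    pv.add_host("Te1/0/14", 8)
    return pv.matrix()
```

Running demo() gives the matrix a show command cannot: the two members of community 5 reach each other and the up-link, the lone member of community 7 reaches only the up-link, and the two isolated hosts reach only the up-link even though they share a secondary VLAN.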
3 Configuration Example

3.1 Network Requirements

Usually, an ISP divides its network into subnets by VLAN to differentiate areas. Company A belongs to Area VI, which the ISP marks as VLAN 6. It is required that the departments in Company A are isolated from each other at Layer 2 by using VLANs, while users in the same department can communicate with each other.

3.
Figure 3-1 Network Topology (Switch C: Te1/0/3; Switch A: Te1/0/2 in VLAN 6; Company A down-links: Te1/0/10 in VLAN 5, Te1/0/11 in VLAN 7)

3.4 Using the GUI

Configurations for Switch A
1) Creating private VLAN
Choose the menu VLAN > Private VLAN > PVLAN Config to load the following page. Create primary VLAN 6 and secondary VLAN 5, select Community as the Secondary VLAN Type, and click Create; primary VLAN 6 is now paired with secondary VLAN 5.
Figure 3-2 Creating Private VLAN

2) Add the up-link port to the private VLAN and configure the port type
Choose the menu VLAN > Private VLAN > Port Config to load the following page. Add port 1/0/2 to primary VLAN 6 and secondary VLAN 5, and select Promiscuous as its port type.
3) Add the down-link ports to the private VLAN and configure the port type
Choose the menu VLAN > Private VLAN > Port Config to load the following page. Add port 1/0/10 to primary VLAN 6 and secondary VLAN 5, add port 1/0/11 to primary VLAN 6 and secondary VLAN 7, and select Host as their port type.

Figure 3-4

3.
Switch_A(config-vlan)#exit
Switch_A(config)#vlan 6
Switch_A(config-vlan)#private-vlan association 5
Switch_A(config-vlan)#exit
3) Create secondary VLAN 7, and pair it with primary VLAN 6 into a private VLAN
Switch_A(config)#vlan 7
Switch_A(config-vlan)#private-vlan community
Switch_A(config-vlan)#exit
Switch_A(config)#vlan 6
Switch_A(config-vlan)#private-vlan association 7
Switch_A(config-vlan)#exit
4) Add up-link port to the corresponding private VLAN and
Verify the Configurations
Switch A
Verify the configuration of private VLAN:
Switch_A(config)#show vlan private-vlan
Primary   Secondary   Type        Ports
--------- ----------- ----------- --------------
6         5           Community   Te1/0/2,1/0/10
6         7           Community   Te1/0/2,1/0/11
Verify the configuration of ports:
Switch_A(config)#show vlan private-vlan interface
Port      type
--------- ----------
Te1/0/1   Normal
Te1/0/2   Promiscuous
Te1/0/3   Normal
Te1/0/4   N
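The isolation that the Company A example is built around can be checked against a small model of the private VLAN forwarding rules. This is an added example, not TP-Link code; it uses the VLAN pairs and port types configured above, plus one constructed extra host port (Te1/0/12 in VLAN 5) to show that members of the same community can reach each other.

```python
"""Layer 2 reachability model for the Company A private VLAN example above.

Added example, not TP-Link code. The VLAN pairs and port types match the
example: primary VLAN 6 paired with community VLANs 5 and 7, Te1/0/2 as the
promiscuous up-link, Te1/0/10 (VLAN 5) and Te1/0/11 (VLAN 7) as host ports.
Te1/0/12 is a constructed extra host port in VLAN 5, not in the original
example, used to show that members of the same community can reach each other.
"""
from dataclasses import dataclass
from itertools import combinations

PROMISCUOUS = "promiscuous"
HOST = "host"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    port_type: str  # PROMISCUOUS or HOST
    primary: int    # primary VLAN the port belongs to
    secondary: int  # secondary VLAN paired with that primary


# Secondary VLAN type, "Community" as in the example. An "isolated" secondary
# (hosts cannot reach each other at all) is handled by is_forwarded() as well.
SECONDARY_TYPE = {5: "community", 7: "community"}

PORTS = {
    # The promiscuous up-link belongs to the whole primary VLAN; the show
    # output above lists it beside both secondary VLANs.
    "Te1/0/2": PvlanPort("Te1/0/2", PROMISCUOUS, 6, 5),
    "Te1/0/10": PvlanPort("Te1/0/10", HOST, 6, 5),
    "Te1/0/11": PvlanPort("Te1/0/11", HOST, 6, 7),
    "Te1/0/12": PvlanPort("Te1/0/12", HOST, 6, 5),  # constructed
}


def is_forwarded(src: PvlanPort, dst: PvlanPort) -> bool:
    """Return True if a frame entering on src may leave on dst."""
    if src.primary != dst.primary:
        return False  # different private VLANs never exchange traffic
    if PROMISCUOUS in (src.port_type, dst.port_type):
        return True   # a promiscuous port reaches every port of its primary VLAN
    if src.secondary != dst.secondary:
        return False  # host ports of different departments are isolated
    # Both are host ports in the same secondary VLAN: only a community allows it.
    return SECONDARY_TYPE.get(src.secondary) == "community"


def reachability(ports=PORTS):
    """Map every unordered port pair to whether Layer 2 traffic is allowed."""
    return {
        tuple(sorted((a, b))): is_forwarded(ports[a], ports[b])
        for a, b in combinations(ports, 2)
    }


def isolated_pairs(ports=PORTS):
    """Port pairs that cannot reach each other: the isolation the example requires."""
    return sorted(pair for pair, ok in reachability(ports).items() if not ok)


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a:>9} <-> {b:<9} {'forward' if ok else 'isolated'}")
```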
4 Appendix: Default Parameters
Default settings of Private VLAN are listed in the following tables.
Part 11 Configuring Spanning Tree
CHAPTERS
1. Spanning Tree
2. STP/RSTP Configurations
3. MSTP Configurations
4. STP Security Configurations
5. Configuration Example for MSTP
6.
1 Spanning Tree
1.1 Overview
STP
STP (Spanning Tree Protocol) is a Layer 2 protocol that prevents loops in the network. As shown in Figure 1-1, STP helps to:
Block specified ports of the switches to build a loop-free topology.
Detect topology changes and automatically generate a loop-free topology.
Figure 1-1 STP Function
RSTP
RSTP (Rapid Spanning Tree Protocol) provides the same features as STP.
Figure 1-2 STP/RSTP Topology (the root bridge; root ports, designated ports, an alternate port and a backup port on the other switches)
Root Bridge
The root bridge is the root of a spanning tree. There is only one root bridge in each spanning tree, and the root bridge has the lowest bridge ID.
Bridge ID
The combination of the priority and the MAC address of the switch. It is used to select the root bridge.
In RSTP/MSTP, the alternate port is the backup for the root port. It is blocked while the root port works normally. Once the root port fails, the alternate port becomes the new root port. In STP, the alternate port is always blocked.
Backup Port
If a port is not selected as the designated port because it receives better BPDUs from the switch it belongs to, it becomes a backup port. In RSTP/MSTP, the backup port is the backup for the designated port.
Learning and Forwarding status correspond exactly to the Learning and Forwarding status specified in STP. In TP-Link switches, the port status includes: Blocking, Learning, Forwarding and Disconnected.
Blocking
In this status, the port receives and sends BPDUs. All other packets are dropped.
Learning
In this status, the port receives and sends BPDUs. It also receives other user packets to update its MAC address table, but does not forward them.
BPDU
The packets used to build the spanning tree. BPDUs (Bridge Protocol Data Units) carry information such as the bridge ID, root path cost and port priority. Switches exchange this information to determine the tree topology.
1.2.2 MSTP Concepts
MSTP is compatible with STP and RSTP and uses the same basic elements. Based on the network topology, this section introduces the concepts that exist only in MSTP.
Figure 1-4 MST Region (switches A, B and C; Instance 1 maps VLAN 3 with root bridge A; Instance 2 maps VLAN 4-5 with root bridge B; the IST carries the other VLANs with root bridge C; blocked ports marked per instance)
VLAN-Instance Mapping
VLAN-Instance Mapping describes the mapping relationship between VLANs and instances. Multiple VLANs can be mapped to the same instance, but one VLAN can be mapped to only one instance.
If the switch cannot receive BPDUs because of link congestion or link failure, the root port becomes a designated port and the alternate port transits to the forwarding status, so a loop occurs. With the Loop Protect function enabled, the port temporarily transits to the blocking state when it does not receive BPDUs. After the link is restored, the port transits back to its normal state, so loops are prevented.
A switch removes MAC address entries upon receiving TC-BPDUs (the packets used to announce changes in the network topology). If a user maliciously sends a large number of TC-BPDUs to a switch in a short period, the switch will be busy removing MAC address entries, which may decrease the performance and stability of the network.
2 STP/RSTP Configurations
To complete the STP/RSTP configuration, follow these steps:
1) Configure STP/RSTP parameters on ports.
2) Configure STP/RSTP globally.
3) Verify the STP/RSTP configurations.
Configuration Guidelines
Before configuring the spanning tree, make clear the role that each switch plays in the spanning tree.
Status
Enable or disable the spanning tree function on the desired port.
Priority
Enter the port priority, a value from 0 to 240 that is divisible by 16; the default value is 128. The port with the lower value has the higher priority. Under otherwise equal conditions, the port with the highest priority is elected as the root port.
Ext-Path Cost
Enter the value of the external path cost.
Port Role
Displays the role that the port plays in the spanning tree.
Root Port: Indicates the port is a root port.
Designated Port: Indicates the port is a designated port.
Alternate Port: Indicates the port is a backup of a root port.
Backup Port: Indicates the port is a backup of a designated port.
Disabled: Indicates the port is not participating in the spanning tree.
Port Status
Displays the port status.
Follow these steps to configure STP/RSTP globally:
1) In the Parameters Config section, configure the global parameters of STP/RSTP and click Apply.
CIST Priority
Specify the CIST priority of the switch. The valid values are from 0 to 61440 and are divisible by 4096. By default, it is 32768. The switch with the lower value has the higher priority. CIST priority is usually a parameter configured in MSTP, where it means the priority of a switch in the CIST.
Mode
Select the desired spanning tree mode as STP/RSTP on the switch. By default, it is STP.
STP: Specify the spanning tree mode as STP.
RSTP: Specify the spanning tree mode as RSTP.
MSTP: Specify the spanning tree mode as MSTP.
2.1.3 Verifying the STP/RSTP Configurations
Verify the STP/RSTP information of your switch after all the configurations are finished. Choose the menu Spanning Tree > STP Config > STP Summary to load the following page.
Spanning-Tree Mode
Displays the spanning tree mode.
Local Bridge
Displays the bridge ID of the local bridge. The local bridge is the current switch.
Root Bridge
Displays the bridge ID of the root bridge.
External Path Cost
Displays the root path cost from the switch to the root bridge.
Regional Root Bridge
The root bridge of the IST. It is not displayed when the spanning tree mode is STP/RSTP.
Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ portfast { enable | disable } ] [ point-to-point { auto | open | close } ]
Configure STP/RSTP parameters on the desired port.
pri: Specify the value of port priority. The valid values are from 0 to 240 and are divisible by 16; the default value is 128. The port with the lower value has the higher priority.
Interface  State   Prio  Ext-Cost  Int-Cost  Edge  P2p       Mode  Role  Status
---------  ------  ----  --------  --------  ----  --------  ----  ----  ------
Te1/0/3    Enable  32    Auto      Auto      No    No(auto)  N/A   N/A   LnkDwn
Switch(config-if)#end
Switch#copy running-config startup-config
Note:
To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas:
• 2*(Hello Time + 1) <= Max Age
• 2*(Forward Delay - 1) >= Max Age
This example shows how to configure the priority of the switch as 36864 and the Forward Delay as 12 seconds:
Switch#configure
Switch(config)#spanning-tree priority 36864
Switch(config)#spanning-tree timer forward-time 12
Switch(config)#show spanning-tree br
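The two timer formulas in the note, together with the priority ranges given in this chapter, can be checked before a change is applied. The following is an added example, not TP-Link code; the Hello Time (1-10 s) and Max Age (6-40 s) ranges it enforces are assumptions, since this section does not list them.

```python
"""Checker for the STP timer and priority rules stated in this chapter.

Added example, not TP-Link code. The two timer formulas, the Forward Delay
range (4-30 s), the bridge priority range (0-61440 in steps of 4096) and the
port priority range (0-240 in steps of 16) are taken from the guide. The
Hello Time range (1-10 s) and Max Age range (6-40 s) are assumptions, since
this section does not list them.
"""
import math


def check_timers(hello: int, forward_delay: int, max_age: int) -> list:
    """Return the list of violated rules (empty when the timers are consistent)."""
    problems = []
    if not 1 <= hello <= 10:            # assumed range
        problems.append(f"hello-time {hello} is outside 1-10")
    if not 4 <= forward_delay <= 30:
        problems.append(f"forward-time {forward_delay} is outside 4-30")
    if not 6 <= max_age <= 40:          # assumed range
        problems.append(f"max-age {max_age} is outside 6-40")
    # 2*(Hello Time + 1) <= Max Age: BPDUs from the root must arrive often
    # enough that a bridge's stored root information does not expire.
    if 2 * (hello + 1) > max_age:
        problems.append(
            f"2*(hello-time+1) = {2 * (hello + 1)} exceeds max-age {max_age}")
    # 2*(Forward Delay - 1) >= Max Age: stale information must have aged out
    # before a port passes through Learning and starts to forward.
    if 2 * (forward_delay - 1) < max_age:
        problems.append(
            f"2*(forward-time-1) = {2 * (forward_delay - 1)} is below max-age {max_age}")
    return problems


def smallest_forward_delay(max_age: int) -> int:
    """Smallest Forward Delay satisfying 2*(Forward Delay - 1) >= Max Age."""
    return math.ceil(max_age / 2) + 1


def largest_hello_time(max_age: int) -> int:
    """Largest Hello Time satisfying 2*(Hello Time + 1) <= Max Age."""
    return max_age // 2 - 1


def valid_bridge_priority(priority: int) -> bool:
    """Bridge/CIST/instance priority: 0-61440, divisible by 4096."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def valid_port_priority(priority: int) -> bool:
    """Port priority: 0-240, divisible by 16."""
    return 0 <= priority <= 240 and priority % 16 == 0


if __name__ == "__main__":
    # The CLI example above: priority 36864 and forward-time 12, with Hello
    # Time 2 and Max Age 20 left at their defaults.
    print(valid_bridge_priority(36864), check_timers(2, 12, 20))
```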
Step 6 copy running-config startup-config
Save the settings in the configuration file.
This example shows how to enable the spanning tree function, configure the spanning tree mode as RSTP and verify the configurations:
Switch#configure
Switch(config)#spanning-tree mode rstp
Switch(config)#spanning-tree
Switch(config)#show spanning-tree active
Spanning tree is enabled
Spanning-tree's mode: RSTP (802.
3 MSTP Configurations
To complete the MSTP configuration, follow these steps:
1) Configure parameters on ports in the CIST.
2) Configure the MSTP region.
3) Configure MSTP globally.
4) Verify the MSTP configurations.
Configuration Guidelines
Before configuring the spanning tree, make clear the role that each switch plays in the spanning tree.
Status
Enable or disable the spanning tree function on the desired port.
Priority
Enter the port priority, a value from 0 to 240 that is divisible by 16; the default value is 128. The port with the lower value has the higher priority. Under otherwise equal conditions, the port with the highest priority is elected as the root port in the CIST.
Ext-Path Cost
Enter the value of the external path cost.
Port Role
Displays the role that the port plays in the CIST.
Root Port: Indicates the port is the root port in the CIST.
Designated Port: Indicates the port is the designated port in the CIST.
Master Port: Indicates the port provides the lowest root path cost from the region to the root bridge in the CIST. In the CIST, each region is regarded as a 'switch', and the master port is the root port of that 'switch'.
Follow these steps to create an MST region:
1) In the Region Config section, set the name and revision level to specify an MST region.
Region Name
Configure the name for the MST region using up to 32 characters. By default, it is the MAC address of the switch.
Revision
Enter the revision number from 0 to 65535. By default, it is 0.
2) Click Apply.
Instance ID
Displays the instance ID.
Status
Displays the status of the instance.
Priority
Enter a value from 0 to 61440, divisible by 4096, to specify the priority of the switch in the instance; the default value is 32768. The switch with the lower value has the higher priority, and the switch with the highest priority is elected as the root bridge in the desired instance.
VLAN ID
Enter the VLAN ID mapped to the corresponding instance ID.
Configuring Parameters on Ports in the Instance
Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page.
Figure 3-4 Configuring Port Parameters in the Instance
Follow these steps to configure port parameters in the instance:
1) In the Instance ID Select section, select the desired instance ID for its port configuration.
Instance ID
Select the desired instance.
Priority
Enter the port priority, a value from 0 to 240 that is divisible by 16; the default value is 128. The port with the lower value has the higher priority. Under otherwise equal conditions, the port with the highest priority is elected as the root port in the desired instance.
Path Cost
Enter the value of the path cost. The default setting is Auto, which means the port calculates the path cost automatically according to its link speed.
3.1.3 Configuring MSTP Globally
Choose the menu Spanning Tree > STP Config > STP Config to load the following page.
Figure 3-5 Configure MSTP Function Globally
Follow these steps to configure MSTP globally:
1) In the Parameters Config section, configure the global parameters of MSTP and click Apply.
CIST Priority
Enter a value from 0 to 61440, divisible by 4096, to specify the CIST priority of the switch; the default value is 32768.
Note:
To prevent frequent network flapping, make sure that Hello Time, Forward Delay, and Max Age conform to the following formulas:
• 2*(Hello Time + 1) <= Max Age
• 2*(Forward Delay - 1) >= Max Age
2) In the Global Config section, enable the Spanning-Tree function, choose the STP mode as MSTP and click Apply.
Spanning-Tree
Enable or disable the spanning tree function globally on the switch.
Mode
Select the desired STP mode as MSTP on the switch.
3.1.4 Verifying the MSTP Configurations
Choose the menu Spanning Tree > STP Config > STP Summary to load the following page.
Figure 3-6 Verifying the MSTP Configurations
The STP Summary section shows the summary information of the CIST:
Spanning Tree
Displays the status of the spanning tree function.
Spanning-Tree Mode
Displays the spanning tree mode.
Local Bridge
Displays the bridge ID of the local switch. The local bridge is the current switch.
Internal Path Cost
Displays the internal path cost. It is the root path cost from the current switch to the root bridge in the IST.
Designated Bridge
Displays the bridge ID of the designated bridge in the CIST.
Root Port
Displays the root port in the CIST.
Latest TC Time
Displays the latest time when the topology changed.
TC Count
Displays how many times the topology has changed.
The MSTP Summary section shows the information in MST instances:
Step 4 spanning-tree common-config [ port-priority pri ] [ ext-cost ext-cost ] [ int-cost int-cost ] [ portfast { enable | disable } ] [ point-to-point { auto | open | close } ]
Configure the parameters on ports in the CIST.
pri: Specify the value of port priority. The valid values are from 0 to 240 and are divisible by 16; the default value is 128. The port with the lower value has the higher priority.
Switch(config)#interface ten-gigabitEthernet 1/0/3
Switch(config-if)#spanning-tree
Switch(config-if)#spanning-tree common-config port-priority 32
Switch(config-if)#show spanning-tree interface ten-gigabitEthernet 1/0/3
MST-Instance 0 (CIST)
Interface  State   Prio  Ext-Cost  Int-Cost  Edge  P2p       Mode  Role  Status
---------  ------  ----  --------  --------  ----  --------  ----  ----  ------
Te1/0/3    Enable  32    Auto      Auto      No    No(auto)  N/A   N/A   LnkDwn
Step 4 name name
Configure the region name of the region.
name: Specify the region name, used to identify an MST region. The valid values are from 1 to 32 characters.
Step 5 revision revision
Configure the revision level of the region.
revision: Specify the revision level of the region. The valid values are from 0 to 65535.
Step 6 instance instance-id vlan vlan-id
Configure the VLAN-Instance mapping.
instance-id: Specify the Instance ID.
MST-Instance   Vlans-Mapped
-------------  ------------------------------------------------------------
0              1,7-4094
5              2-6,
---------------------------------------------------------------------------
Switch(config-mst)#end
Switch#copy running-config startup-config
Configuring the Parameters on Ports in Instance
Follow these steps to configure the priority and path cost of ports in the specified instance:
Step 1 configure
Step 2 interface { fastEthernet
Step 6 copy running-config startup-config
Save the settings in the configuration file.
Step 3 spanning-tree timer { [ forward-time forward-time ] [ hello-time hello-time ] [ max-age max-age ] }
(Optional) Configure the Forward Delay, Hello Time and Max Age.
forward-time: Specify the value of Forward Delay. The valid values are from 4 to 30 seconds, and the default value is 15. Forward Delay is the time for the port to transit its state after the network topology has changed.
hello-time: Specify the value of Hello Time.
Switch(config-if)#spanning-tree timer forward-time 12
Switch(config-if)#spanning-tree hold-count 8
Switch(config-if)#spanning-tree max-hops 25
Switch(config-if)#show spanning-tree bridge
State   Mode  Priority  Hello-Time  Fwd-Time  Max-Age  Hold-Count  Max-Hops
------  ----  --------  ----------  --------  -------  ----------  --------
Enable  Mstp  36864     2           12        20       8           25
Switch(config-if)#end
Switch#copy running-config startup-config
Spanning tree is enabled
Spanning-tree's mode: MSTP (802.
Local Bridge
Priority : 32768
Address  : 00-0a-eb-13-12-ba
Interface  Prio  Cost    Role  Status
---------  ----  ------  ----  ------
Gi/0/16    128   200000  Altn  Blk
Gi/0/20    128   200000  Mstr  Fwd
Switch(config)#end
Switch#copy running-config startup-config
Configuration Guide 256
4 STP Security Configurations
With STP security, you can:
Configure the Loop Protect function.
Configure the Root Protect function.
Configure the TC Protect function.
Configure the BPDU Protect function.
Configure the BPDU Filter function.
4.1 Using the GUI
4.1.1 Configuring the STP Security
Choose the menu Spanning Tree > STP Security > Port Protect to load the following page.
Configure the Port Protect features for the selected ports, and click Apply.
UNIT
Select the desired unit or LAGs for configuration.
Loop Protect
Enable or disable the Loop Protect function. It is recommended to enable this function on root ports and alternate ports. The Loop Protect function is used to prevent loops caused by link congestion or link failures.
Choose the menu Spanning Tree > STP Security > TC Protect to load the following page.
Figure 4-2 Configuring the TC Protect
Configure the parameters of the TC Protect feature, and click Apply.
TC Threshold
Enter a number from 1 to 100; the default value is 20. It is the maximum number of TC-BPDUs received by the switch in a TC Protect Cycle.
TC Protect Cycle
Enter a value from 1 to 10 to specify the TC Protect Cycle.
Step 4 spanning-tree guard root
(Optional) Enable the Root Protect function on the port. It is recommended to enable this function on the designated ports of the root bridge. The Root Protect function is used to ensure that the desired root bridge does not lose its position. With the Root Protect function enabled, the port temporarily transits to the blocking state when it receives higher-priority BPDUs.
Interface  BPDU-Filter  BPDU-Guard  Loop-Protect  Root-Protect  TC-Protect
---------  -----------  ----------  ------------  ------------  ----------
Te1/0/3    Enable       Enable      Enable        Enable        Disable
Switch(config-if)#end
Switch#copy running-config startup-config
Switch#configure
Switch(config)#spanning-tree tc-defend threshold 25 period 8
Switch(config)#interface ten-gigabitEthernet 1/0/3
Switch(config-if)#spanning-tree guard tc
Switch(config-if)#show spanning-tree interface-security ten-gigabitEthernet 1/0/3
Interface  BPDU-Filter  BPDU-Guard  Loop-Protect  Root-Protect  TC-Protect
---------  -----------  ----------  ------------  ------------  ----------
Te1/0/3    Enable       Enable      Enable        Enable        Enable
Switch(config-if)#en
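The threshold and cycle configured above (25 TC-BPDUs per 8-second cycle) can be walked through on a constructed burst of TC-BPDUs to see what TC Protect limits. This is an added example, not TP-Link code; the arrival times are constructed, and how the switch treats the excess after a cycle is not covered by this section and is only counted here.

```python
"""Model of the TC Protect threshold and cycle described in this chapter.

Added example, not TP-Link code. Threshold and cycle follow the CLI example
above (spanning-tree tc-defend threshold 25 period 8: at most 25 TC-BPDUs per
8-second cycle). The TC-BPDU arrival times are constructed: a few legitimate
topology changes followed by a burst of 60 TC-BPDUs within one cycle. The
model counts, per cycle, how many TC-BPDUs would still trigger a MAC address
table flush and how many exceed the threshold; how a real switch treats the
excess afterwards is not described in this section and is not modelled.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CycleReport:
    cycle: int       # cycle index: cycle n covers seconds [n*period, (n+1)*period)
    received: int    # TC-BPDUs received in the cycle
    processed: int   # TC-BPDUs that trigger a MAC address table flush
    excess: int      # TC-BPDUs above the threshold

    @property
    def over_threshold(self) -> bool:
        return self.excess > 0


def tc_protect(arrivals, threshold: int = 25, period: int = 8):
    """Group TC-BPDU arrival times (seconds) into cycles and apply the threshold."""
    if not 1 <= threshold <= 100:
        raise ValueError("TC Threshold must be 1-100")
    if not 1 <= period <= 10:
        raise ValueError("TC Protect Cycle must be 1-10")
    per_cycle = Counter(int(t // period) for t in arrivals)
    return [
        CycleReport(cycle, n, min(n, threshold), max(0, n - threshold))
        for cycle, n in sorted(per_cycle.items())
    ]


def flagged_cycles(reports):
    """Cycle indexes in which the TC Threshold was exceeded."""
    return [r.cycle for r in reports if r.over_threshold]


# Constructed arrival times: three ordinary topology changes, then a burst of
# 60 TC-BPDUs, one every 0.1 s, starting at t=16 s (all inside cycle 2).
SAMPLE_ARRIVALS = [1.0, 5.5, 12.0] + [16.0 + 0.1 * i for i in range(60)]

if __name__ == "__main__":
    for r in tc_protect(SAMPLE_ARRIVALS):
        print(r)
    print("cycles over threshold:", flagged_cycles(tc_protect(SAMPLE_ARRIVALS)))
```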
5 Configuration Example for MSTP
MSTP, backwards-compatible with STP and RSTP, can map VLANs to instances to enable load balancing, thus providing a more flexible method of network management. Here we take the MSTP configuration as an example.
5.1 Network Requirements
As shown in Figure 5-1, the network consists of three switches. Traffic in VLAN 101-VLAN 106 is transmitted in this network.
Figure 5-2 VLAN-Instance Mapping (Switch A, Switch B and Switch C interconnected through ports Te1/0/1 and Te1/0/2; Instance 1: VLAN 101-VLAN 103; Instance 2: VLAN 104-VLAN 106; blocked ports marked)
The overview of the configuration is as follows:
1) Enable the Spanning Tree function on the ports in each switch.
2) Configure Switch A, Switch B and Switch C in the same region. Configure the region name as 1, and the revision level as 100.
Figure 5-3 Enable Spanning Tree Function on Ports
2) Choose the menu Spanning Tree > MSTP Instance > Region Config to load the following page. Set the region name as 1 and the revision level as 100.
Figure 5-4 Configuring the MST Region
3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2.
Figure 5-5 Configuring the VLAN-Instance Mapping
4) Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/1 in instance 1 as 400000.
Figure 5-6 Configure the Path Cost of Port 1/0/1 in Instance 1
5) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable the MSTP function globally. Here we leave the values of the other global parameters at their default settings.
Figure 5-7 Configure the Global MSTP Parameters of the Switch
6) Click Save Config to save the settings.
Configurations for Switch B
1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters at their default settings.
Figure 5-9 Configuring the Region
3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2.
Figure 5-10 Configuring the VLAN-Instance Mapping
4) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Configure the priority of Switch B as 0 to set it as the root bridge in instance 1.
Figure 5-11 Configuring the Priority of Switch B in Instance 1
5) Choose the menu Spanning Tree > MSTP Instance > Instance Port Config to load the following page. Set the path cost of port 1/0/2 in instance 2 as 400000.
Figure 5-12 Configure the Path Cost of Port 1/0/2 in Instance 2
6) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable the MSTP function globally. Here we leave the values of the other global parameters at their default settings.
Figure 5-13 Configuring MSTP Globally
7) Click Save Config to save the settings.
Configurations for Switch C
1) Choose the menu Spanning Tree > STP Config > Port Config to load the following page. Enable the spanning tree function on port 1/0/1 and port 1/0/2. Here we leave the values of the other parameters at their default settings.
Figure 5-15 Configuring the Region
3) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2.
Figure 5-16 Configuring the VLAN-Instance Mapping
4) Choose the menu Spanning Tree > MSTP Instance > Instance Config to load the following page. Configure the priority of Switch C as 0 to set it as the root bridge in instance 2.
Figure 5-17 Configuring the Priority of Switch C in Instance 2
5) Choose the menu Spanning Tree > STP Config > STP Config to load the following page. Enable the MSTP function globally. Here we leave the values of the other global parameters at their default settings.
Figure 5-18 Configuring MSTP Globally
6) Click Save Config to save the settings.
5.4 Using the CLI
Configurations for Switch A
1) Enable the spanning tree function on port 1/0/1 and port 1/0/2, and specify the path cost of port 1/0/1 in instance 1 as 400000.
Switch(config-if)#spanning-tree
Switch(config-if)#spanning-tree mst instance 2 cost 400000
Switch(config-if)#exit
Switch(config)#interface ten-gigabitEthernet 1/0/1
Switch(config-if)#spanning-tree
Switch(config-if)#exit
2) Configure the region name as 1 and the revision number as 100; map VLAN101-VLAN103 to instance 1; map VLAN104-VLAN106 to instance 2; configure the priority of Switch B in instance 1 as 0 to set it as the root bridge in instance 1:
S
Switch(config-mst)#name 1
Switch(config-mst)#revision 100
Switch(config-mst)#instance 1 vlan 101-103
Switch(config-mst)#instance 2 vlan 104-106
Switch(config-mst)#exit
Switch(config)#spanning-tree mst instance 2 priority 0
3) Configure the spanning tree mode as MSTP, then enable the spanning tree function globally.
Te1/0/1    128   400000  Root  Fwd  N/A
Te1/0/2    128   200000  Altn  Blk  N/A
Verify the configurations of Switch A in instance 2:
Switch(config)#show spanning-tree mst instance 2
MST-Instance 2
Root Bridge
Priority : 0
Address  : 3c-46-d8-9d-88-f7
Internal Cost : 200000
Root Port : 2
Designated Bridge
Priority : 0
Address  : 3c-46-d8-9d-88-f7
Local Bridge
Priority : 32768
Address  : 00-0a-eb-13-23-97
Interface  Prio  Cost    Role  Status
---
Priority : 0
Address  : 00-0a-eb-13-12-ba
Local Bridge
Priority : 0
Address  : 00-0a-eb-13-12-ba
Interface  Prio  Cost    Role  Status
---------  ----  ------  ----  ------
Te1/0/1    128   200000  Desg  Fwd
Te1/0/2    128   200000  Desg  Fwd
Verify the configurations of Switch B in instance 2:
Switch(config)#show spanning-tree mst instance 2
MST-Instance 2
Root Bridge
Priority : 0
Address  : 3c-46-d8-9d-88-f7
Internal Cost : 400000
Root Port
Switch(config)#show spanning-tree mst instance 1
MST-Instance 1
Root Bridge
Priority : 0
Address  : 00-0a-eb-13-12-ba
Internal Cost : 200000
Root Port : 2
Designated Bridge
Priority : 0
Address  : 00-0a-eb-13-12-ba
Local Bridge
Priority : 32768
Address  : 3c-46-d8-9d-88-f7
Interface  Prio  Cost    Role  Status
---------  ----  ------  ----  ------
Te1/0/1    128   200000  Desg  Fwd
Te1/0/2    128   200000  Root  Fwd
Verify the conf
Address  : 3c-46-d8-9d-88-f7
Interface  Prio  Cost    Role  Status
---------  ----  ------  ----  ------
Te1/0/1    128   200000  Desg  Fwd
Te1/0/2    128   200000  Desg  Fwd
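The root bridges shown in the verification output above follow from comparing bridge IDs per instance. The following added example (not TP-Link code) reproduces that election with the priorities and MAC addresses from the output, and reduces the Root Protect rule from chapter 4 to the same comparison; the rogue bridge ID used in the demo is constructed.

```python
"""Per-instance root bridge election for the three-switch MSTP example above.

Added example, not TP-Link code. The MAC addresses and priorities are those
shown in the example output: Switch A 00-0a-eb-13-23-97 (default priority
32768 everywhere), Switch B 00-0a-eb-13-12-ba (priority 0 in instance 1) and
Switch C 3c-46-d8-9d-88-f7 (priority 0 in instance 2). A bridge ID is compared
as (priority, MAC) and the lowest wins, so the priority decides and the MAC
address only breaks ties. root_protect_would_block() reduces the Root Protect
rule in chapter 4 to this comparison: a BPDU announcing a better root than the
intended one is the trigger. The rogue bridge ID in the demo is constructed.
"""

DEFAULT_PRIORITY = 32768


def mac_to_int(mac: str) -> int:
    """Parse 'aa-bb-cc-dd-ee-ff' (or colon-separated) into an integer."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac}")
    return int("".join(parts), 16)


def bridge_id(priority: int, mac: str) -> tuple:
    """Comparable bridge ID; priority must be 0-61440 in steps of 4096."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0-61440")
    return (priority, mac_to_int(mac))


SWITCHES = {
    "Switch A": "00-0a-eb-13-23-97",
    "Switch B": "00-0a-eb-13-12-ba",
    "Switch C": "3c-46-d8-9d-88-f7",
}

# instance -> {switch: priority}; switches not listed use the default.
INSTANCE_PRIORITIES = {
    0: {},                  # CIST: nothing configured, so the lowest MAC wins
    1: {"Switch B": 0},
    2: {"Switch C": 0},
}


def bridge_ids(instance: int) -> dict:
    """Bridge ID of every switch in the given instance."""
    prios = INSTANCE_PRIORITIES[instance]
    return {name: bridge_id(prios.get(name, DEFAULT_PRIORITY), mac)
            for name, mac in SWITCHES.items()}


def elect_root(instance: int) -> str:
    """Name of the switch holding the lowest bridge ID in the instance."""
    ids = bridge_ids(instance)
    return min(ids, key=ids.get)


def root_protect_would_block(intended_root: tuple, advertised_root: tuple) -> bool:
    """True when a received BPDU claims a root better than the intended one."""
    return advertised_root < intended_root


if __name__ == "__main__":
    for inst in INSTANCE_PRIORITIES:
        print(f"instance {inst}: root bridge = {elect_root(inst)}")
    rogue = bridge_id(0, "00-00-5e-00-53-01")  # constructed, not on the page
    print("rogue would displace the instance 1 root:",
          root_protect_would_block(bridge_ids(1)["Switch B"], rogue))
```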
6 Appendix: Default Parameters
Default settings of the Spanning Tree feature are listed in the following table.
Parameter        Default Setting
Port Priority    128
Path Cost        Auto
Part 12 Configuring Layer 2 Multicast
CHAPTERS
1. Layer 2 Multicast
2. IGMP Snooping Configurations
3. Configuring MLD Snooping
4. Viewing Multicast Snooping Configurations
5. Configuration Examples
6.
1 Layer 2 Multicast
1.1 Overview
In a point-to-multipoint network, packets can be sent in three ways: unicast, broadcast and multicast. With unicast, many copies of the same information are sent to all the receivers, occupying a large amount of bandwidth. With broadcast, the information is sent to all users in the network whether they need it or not, wasting network resources and weakening information security.
As shown below:
Figure 1-1 IGMP Snooping (multicast packet transmission with and without IGMP Snooping: multicast router, source, Layer 2 switch, Host A and Host C as receivers, Host B not a receiver)
2 IGMP Snooping Configurations
2.1 Using the GUI
2.1.1 Configuring IGMP Snooping Globally
Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.
Figure 2-1 IGMP Snooping Global Config
Enabling IGMP Snooping Globally
Before configuring functions related to IGMP Snooping, enable IGMP Snooping globally first.
1) Select Enable to enable IGMP Snooping globally.
2) Click Apply.
For switches that support MLD Snooping, IGMP Snooping and MLD Snooping share the Unknown Multicast setting, so you also have to enable MLD Snooping globally on the Multicast > MLD Snooping > Snooping Config page.
Follow these steps to configure unknown multicast.
1) Configure Unknown Multicast as Forward or Discard.
Configuring IGMP Snooping Last Listener Query
Configure the Last Listener Query Interval and Last Listener Query Count that apply when the switch receives an IGMP leave message. If the specified count of Multicast-Address-Specific Queries (MASQs) has been sent and no report message is received, the switch deletes the multicast address from the multicast forwarding table.
2.1.2 Configuring the Port's Basic IGMP Snooping Features
Choose the menu Multicast > IGMP Snooping > Port Config to load the following page.
Figure 2-2 Enable IGMP Snooping on Port
Enabling IGMP Snooping on the Port
Follow these steps to enable or disable IGMP Snooping on the port.
1) Select the port to be configured and select Enable under the IGMP Snooping column.
2) Click Apply.
Fast Leave
With Fast Leave enabled on a port, the switch removes this port from the forwarding list of the corresponding multicast group as soon as the port receives a leave message. You should only use this function when there is a single receiver present on the port.
2) Click Apply.
2.1.3 Configuring IGMP Snooping in the VLAN
Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page.
Router Port Time
Specify the aging time of the router ports in the VLAN. If a router port does not receive any IGMP general query message within the router port time, the switch no longer considers this port a router port and deletes it from the router port list. The valid values are from 60 to 600 seconds. When the router port time is 0, the VLAN uses the global time.
Configuring Layer 2 Multicast IGMP Snooping Configurations Choose the menu Multicast > IGMP Snooping > Multicast VLAN to load the following page. Figure 2-4 Multicast VLAN Config Creating Multicast VLAN and Configuring Basic Settings In the Multicast VLAN section, follow these steps to enable Multicast VLAN and to finish the basic settings: 1) Set up the VLAN that the router ports and the member ports are in. For details, please refer to Configuring 802.1Q VLAN.
Configuring Layer 2 Multicast IGMP Snooping Configurations Router Port Time Specify the aging time of the router ports in the multicast VLAN. If the router port does not receive any IGMP general query message within the router port time, the switch will no longer consider this port as a router port and delete it from the router port table. The valid values are from 60 to 600 seconds. When the router port time is 0, the VLAN uses the global time.
Configuring Layer 2 Multicast Forbidden Router Ports IGMP Snooping Configurations Select the ports to forbid them from being router ports in the VLAN. 2) Click Apply. Note: When configuration is finished, all multicast data through the ports in the VLAN will be processed in this multicast VLAN. 2.1.5 (Optional) Configuring the Querier IGMP Snooping Querier sends general query packets regularly to maintain the multicast forwarding table.
Configuring Layer 2 Multicast IGMP Snooping Configurations Viewing Settings of IGMP Querier The IGMP Snooping Querier Table displays all the related settings of the IGMP querier. 2.1.6 Configuring IGMP Profile With IGMP Profile, the switch can define a blacklist or whitelist of multicast addresses so as to filter multicast sources, Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.
Configuring Layer 2 Multicast IGMP Snooping Configurations Editing IP Range of the Profile Follow these steps to edit profile mode and its IP range: 1) Click Edit in the IGMP Profile Info table. Edit its IP range and click Add to save the settings. Figure 2-7 Add IP-range Profile ID Displays the ID of the profile to be edited. Mode Select Permit or Deny as the filtering mode. Permit: similar to a whitelist, means that the switch only allows specified member ports to join specific multicast groups.
Configuring Layer 2 Multicast Figure 2-8 IGMP Snooping Configurations Profile Binding Binding Profile and Member Ports Follow these steps to bind the profile to the port. 1) Select the port to be bound, and enter the Profile ID in the Profile ID column. Select Select the port to be bound. Port Displays the port number. Profile ID Enter the profile ID you create to bind the profile to the port. One port can only be bound to one profile.
Configuring Layer 2 Multicast IGMP Snooping Configurations Max Group Enter the number of multicast groups the port can join. The valid values are from 0 to 1000. Overflow Action Select the action towards the new multicast group when the number of multicast groups the port joined exceeds max group. Drop: Drop all subsequent membership report messages, and the port will not join any new multicast groups.
Configuring Layer 2 Multicast IGMP Snooping Configurations Auto Refresh If Auto Refresh is enabled, statistics of IGMP packets on this page will refresh automatically. Refresh Period After Auto Refresh is enabled, enter the interval between each refresh. The valid values are from 3 to 300 seconds. 2) Click Apply. Viewing IGMP Statistics The IGMP Statistics table displays all kinds of IGMP statistics of all the ports. 2.1.
Configuring Layer 2 Multicast IGMP Snooping Configurations Configuring IGMP Accounting Globally To use this function, you should also enable Authentication, Authorization and Accounting (AAA) globally and configure RADIUS server on the switch. Follow these steps to enable IGMP Accounting globally. 1) Enable IGMP Accounting globally. Accounting Select Enable to enable IGMP Snooping accounting. 2) Click Apply.
Configuring Layer 2 Multicast Figure 2-11 IGMP Snooping Configurations Static Member Port Configuring Static Member Port Follow these steps to configure static member port. 1) Enter the Multicast IP and VLAN ID. Specify the Static Member Port. Multicast IP Specify the multicast group that the static member is in. VLAN ID Specify the VLAN that the static member is in. Forward Port Specify one or more ports to be the static member port in the multicast group.
2.2 Using the CLI

2.2.1 Enabling IGMP Snooping Globally
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping
  Enable IGMP Snooping globally.
Step 3: end
  Return to privileged EXEC mode.
Step 4: show ip igmp snooping
  Show the basic IGMP snooping configuration.
Step 5: copy running-config startup-config
  Save the settings in the configuration file.
2.2.

Switch(config)#interface ten-gigabitEthernet 1/0/3
Switch(config-if)#ip igmp snooping
Switch(config-if)#show ip igmp snooping
IGMP Snooping :Enable
Unknown Multicast :Pass
Last Query Times :2
Last Query Interval :1
Global Member Age Time :260
Global Router Age Time :300
Global Report Suppression :Disable
Global Authentication Accounting:Disable
Enable Port:Te1/0/3
Enable VLAN:
Switch(config-if)#end
Switch#copy running-config startup-conf

The following example shows how to enable Report Message Suppression:
Switch#configure
Switch(config)#ip igmp snooping
Switch(config)#ip igmp snooping report-suppression
Switch(config)#show ip igmp snooping
IGMP Snooping :Enable
Unknown Multicast :Pass
Last Query Times :2
Last Query Interval :1
Global Member Age Time :260
Global Router Age Time :300
Global Report Suppression :Enable
Global Authentication Accounting:Disable
Enable Port: E

For switches that support MLD Snooping, IGMP Snooping and MLD Snooping share the Unknown Multicast setting, so you have to enable MLD Snooping globally at the same time.

Step 3: end
  Return to privileged EXEC mode.
Step 4: show ip igmp snooping
  Show the basic IGMP snooping configuration.
Step 5: copy running-config startup-config
  Save the settings in the configuration file.

Step 2: interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list }
  Enter interface configuration mode.
Step 3: ip igmp snooping immediate-leave
Step 4: show ip igmp snooping interface [fastEthernet [ port | port-list ] | gigabitEthernet [ port | port-list ]

Step 2: interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list }
  Enter interface configuration mode.
Step 3: ip igmp snooping max-groups maxgroup
Step 4: ip igmp snooping max-groups action {drop | replace}
  Enter the number of multicast groups the port ca

Switch#copy running-config startup-config

2.2.5 Configuring IGMP Snooping Last Listener Query
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping last-listener query-inteval interval
  interval determines the interval between MASQs sent by the switch. The valid values are from 1 to 5 seconds.
Step 3: ip igmp snooping last-listener query-count num
  num determines the number of MASQs sent by the switch.

Enable VLAN:
Switch(config)#end
Switch#copy running-config startup-config

2.2.6 Configuring IGMP Snooping Parameters in the VLAN
Configuring Router Port Time and Member Port Time
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping vlan-config vlan-id-list [rtime router-time | mtime member-time ]
  router-time is the aging time of the router ports in the specified VLAN, ranging from 60 to 600 seconds.

Switch(config)#show ip igmp snooping vlan 3
Vlan Id: 3
Router Time:500
Member Time:400
Static Router Port:None
Dynamic Router Port:None
Forbidden Router Port:None
Switch(config)#end
Switch#copy running-config startup-config

Configuring Static Router Port
Step 1: configure
  Enter global config
Step 2: ip igmp snooping vlan-config vlan-id-list [rport interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }]

Static Router Port:Te1/0/2
Dynamic Router Port:None
Forbidden Router Port:None
Switch(config)#end
Switch#copy running-config startup-config

Configuring Forbidden Router Port
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping vlan-config vlan-id-list router-ports-forbidden interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }

Switch(config)#end
Switch#copy running-config startup-config

Configuring Static Multicast (Multicast IP and Forward Port)
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping vlan-config vlan-id-list static ip interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }
  vlan-id-list specifies the VLAN to be configured. ip specifies the static multicast IP address.

2.2.7 Configuring IGMP Snooping Parameters in the Multicast VLAN
Configuring Router Port Time and Member Port Time
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping multi-vlan-config [vlan-id ] [rtime router-time | mtime member-time ]
  vlan-id specifies the VLAN to be created or configured. router-time is the aging time of the router ports in the multicast VLAN, ranging from 60 to 600 seconds.

Switch#copy running-config startup-config

Configuring Static Router Port
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping multi-vlan-config [vlan-id ] [rport interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }]
  vlan-id specifies the VLAN to be created or configured. port-list and port-channel-id are the static router ports in the multicast VLAN.

Configuring Forbidden Router Port
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping multi-vlan-config [vlan-id ] router-ports-forbidden interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }
  vlan-id specifies the multicast VLAN to be configured. port-list and port-channel-id are the ports that cannot become router ports in the multicast VLAN.

Configuring Replace Source IP
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping multi-vlan-config [vlan-id ] replace-sourceip ip
  vlan-id specifies the multicast VLAN to be configured. ip specifies the new source IP. The switch replaces the source IP in the IGMP multicast data sent by the multicast VLAN with the IP address you enter.

2.2.8 Configuring the Querier
Enabling IGMP Querier
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping querier vlan vlan-id
  vlan-id specifies the VLAN in which to enable the IGMP Querier.
Step 3: show ip igmp snooping querier [vlan vlan-id ]
  Show the IGMP querier configuration.
Step 4: end
  Return to privileged EXEC mode.
Step 5: copy running-config startup-config
  Save the settings in the configuration file.

Step 2: ip igmp snooping querier vlan vlan-id {query-interval interval | max-response-time response-time | general-query source-ip ip-addr }
  vlan-id specifies the VLAN where the querier is. interval is the interval between general query messages sent by the querier. response-time is the host's maximum response time to general query messages, in a range of 1 to 25 seconds.

2.2.9 Configuring Multicast Filtering
Creating Profile
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp profile id
  Create a new profile and enter profile configuration mode.
Step 3: permit | deny
  Configure the profile's filtering mode. permit is similar to a whitelist, indicating that the switch only allows the specified member ports to join the specified multicast groups.

range 226.0.0.5 226.0.0.10
Switch(config)#end
Switch#copy running-config startup-config

Binding Profile to the Port
Step 1: configure
  Enter global configuration mode.
Step 2: interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }

range 226.0.0.5 226.0.0.10
Binding Port(s) Te1/0/2
Switch(config)#end
Switch#copy running-config startup-config
2.2.

Te1/0/2 enable
Switch(config)#end
Switch#copy running-config startup-config
Note: IGMP Authentication takes effect only after AAA is enabled and a RADIUS server is configured.

Enabling IGMP Accounting Globally
Step 1: configure
  Enter global configuration mode.
Step 2: ip igmp snooping accounting
  Enable IGMP Accounting globally.
Step 3: show ip igmp snooping
Step 4: end
Step 5: copy running-config startup-config
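The snooping behaviour described in the IGMP Snooping sections above (router port and member port aging, Fast Leave versus the Last Listener Query process, and the Unknown Multicast Forward/Discard setting), modelled as an added Python example that is not the guide's or TP-Link's code. The default timer values are those printed by the guide's show ip igmp snooping output; the port names, the sample group and the reading of Forward as "flood to every port of the VLAN" are assumptions.

```python
"""Added model of IGMP Snooping state (not the guide's or TP-Link's code): router and
member port aging, Fast Leave vs. the Last Listener Query (MASQ) process, Unknown Multicast."""
from dataclasses import dataclass, field

# Defaults as printed by the guide's 'show ip igmp snooping' output (seconds / count).
DEFAULT_MEMBER_TIME = 260     # Global Member Age Time
DEFAULT_ROUTER_TIME = 300     # Global Router Age Time
DEFAULT_LLQ_COUNT = 2         # Last Query Times
DEFAULT_LLQ_INTERVAL = 1      # Last Query Interval


@dataclass
class SnoopingVlan:
    ports: frozenset                              # every port in the VLAN
    router_time: int = DEFAULT_ROUTER_TIME
    member_time: int = DEFAULT_MEMBER_TIME
    llq_count: int = DEFAULT_LLQ_COUNT
    llq_interval: int = DEFAULT_LLQ_INTERVAL
    drop_unknown: bool = False                    # Unknown Multicast: Forward / Discard
    fast_leave_ports: frozenset = frozenset()
    static_router_ports: frozenset = frozenset()
    forbidden_router_ports: frozenset = frozenset()
    dynamic_router_ports: dict = field(default_factory=dict)  # port -> expiry
    members: dict = field(default_factory=dict)               # group -> {port: expiry}
    pending_masq: dict = field(default_factory=dict)          # (group, port) -> deadline

    def on_general_query(self, port, now):
        """A general query makes its ingress port a dynamic router port, unless the
        port is configured as a forbidden router port."""
        if port not in self.forbidden_router_ports:
            self.dynamic_router_ports[port] = now + self.router_time

    def on_report(self, group, port, now):
        """A membership report restarts the member-port timer and answers any MASQ
        that was waiting on this (group, port)."""
        self.members.setdefault(group, {})[port] = now + self.member_time
        self.pending_masq.pop((group, port), None)

    def on_leave(self, group, port, now):
        """Fast Leave prunes the port at once. Otherwise llq_count MASQs are sent
        llq_interval seconds apart and the port is pruned only if none is answered."""
        if port not in self.members.get(group, {}):
            return
        if port in self.fast_leave_ports:
            self._remove(group, port)
        else:
            self.pending_masq[(group, port)] = now + self.llq_count * self.llq_interval

    def tick(self, now):
        """Age out dynamic router ports, member ports and unanswered MASQ processes."""
        for port, expiry in list(self.dynamic_router_ports.items()):
            if now >= expiry:
                del self.dynamic_router_ports[port]
        for group, port_map in list(self.members.items()):
            for port, expiry in list(port_map.items()):
                if now >= expiry:
                    self._remove(group, port)
        for (group, port), deadline in list(self.pending_masq.items()):
            if now >= deadline:
                del self.pending_masq[(group, port)]
                self._remove(group, port)

    def _remove(self, group, port):
        port_map = self.members.get(group)
        if port_map is not None:
            port_map.pop(port, None)
            if not port_map:               # last member gone: drop the group entry
                del self.members[group]

    def router_ports(self):
        return self.static_router_ports | frozenset(self.dynamic_router_ports)

    def forward_ports(self, group):
        """Egress ports for data to 'group': members plus router ports when the group
        is in the forwarding table; otherwise flood the VLAN (assumed meaning of
        Forward) or return nothing (Discard)."""
        if group in self.members:
            return frozenset(self.members[group]) | self.router_ports()
        return frozenset() if self.drop_unknown else self.ports


def demo():
    """Constructed walk-through on the guide's example topology: hosts on Te1/0/1-3,
    querier on Te1/0/4, group 225.1.1.1, Fast Leave enabled on Te1/0/2 only."""
    v = SnoopingVlan(ports=frozenset({"Te1/0/1", "Te1/0/2", "Te1/0/3", "Te1/0/4"}),
                     fast_leave_ports=frozenset({"Te1/0/2"}))
    g = "225.1.1.1"
    v.on_general_query("Te1/0/4", now=0)          # Te1/0/4 learned as router port
    for p in ("Te1/0/1", "Te1/0/2", "Te1/0/3"):
        v.on_report(g, p, now=1)
    before = v.forward_ports(g)
    v.on_leave(g, "Te1/0/2", now=2)               # Fast Leave: pruned immediately
    v.on_leave(g, "Te1/0/1", now=2)               # normal leave: MASQs, deadline 4
    v.on_report(g, "Te1/0/1", now=3)              # another receiver answers in time
    v.tick(now=4)
    after = v.forward_ports(g)
    v.tick(now=400)                               # members (260 s) and router (300 s) aged out
    return before, after, v.forward_ports(g)
```

The third value demo() returns shows why Discard matters on an unattended VLAN: once every entry has aged out, Forward floods the group to all four ports again.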
3 Configuring MLD Snooping

3.1 Using the GUI

3.1.1 Configuring MLD Snooping Globally
Choose the menu Multicast > MLD Snooping > Snooping Config.
Figure 3-1 MLD Snooping Global Config
Enabling MLD Snooping Globally
Before configuring functions related to MLD Snooping, enable MLD Snooping globally first.
1) Select Enable to enable MLD Snooping globally.
2) Click Apply.

IGMP Snooping and MLD Snooping share the Unknown Multicast setting, so you also have to enable IGMP Snooping globally on the Multicast > IGMP Snooping > Snooping Config page.
Follow these steps to configure unknown multicast.
1) Configure Unknown Multicast as Forward or Discard.
Unknown Multicast: Configure how the switch processes multicast data sent to unknown multicast groups: Forward or Discard.

Configuring MLD Snooping Last Listener Query
Configure the Last Listener Query Interval and Last Listener Query Count, which the switch uses when it receives an MLD leave message. If the specified count of Multicast-Address-Specific Queries (MASQs) has been sent and no report message is received, the switch deletes the multicast address from the multicast forwarding table.

3.1.2 Configuring the Port's Basic MLD Snooping Features
Choose the menu Multicast > MLD Snooping > Port Config to load the following page.
Figure 3-2 Enable MLD Snooping on Port
Enabling MLD Snooping on the Port
Follow these steps to enable or disable MLD Snooping on the port.
1) Select the port to be configured and select Enable under the MLD Snooping column.
2) Click Apply.

Fast Leave: With Fast Leave enabled on a port, the switch removes this port from the forwarding list of the corresponding multicast group as soon as the port receives a leave message. Use this function only when a single receiver is present on the port.
2) Click Apply.

3.1.3 Configuring MLD Snooping in the VLAN
Choose the menu Multicast > MLD Snooping > VLAN Config to load the following page.
Router Port Time: Specify the aging time of the router ports in the VLAN. If a router port does not receive any MLD general query message within the router port time, the switch no longer considers it a router port and deletes it from the router port list. The valid values are from 60 to 600 seconds. When the router port time is 0, the VLAN uses the global time.
Member Port Time: Specify the aging time of the member ports in the VLAN.

Figure 3-4 Multicast VLAN Config
Creating Multicast VLAN and Configuring Basic Settings
In the Multicast VLAN section, follow these steps to enable Multicast VLAN and to finish the basic settings:
1) Set up the VLAN that the router ports and the member ports are in. For details, refer to Configuring 802.1Q VLAN.
Member Port Time: Specify the aging time of the member ports in the multicast VLAN. If a member port does not receive any MLD membership report message for the multicast group within the member port time, the switch no longer considers it a member port and deletes it from the multicast forwarding table. The valid values are from 60 to 600 seconds. When the member port time is 0, the VLAN uses the global time.
3) Click Apply.
Note: When the configuration is finished, all multicast data through the ports in the VLAN is processed in this multicast VLAN.

3.1.5 (Optional) Configuring the Querier
The MLD Snooping Querier sends general query packets regularly to maintain the multicast forwarding table. Choose the menu Multicast > MLD Snooping > Querier Config to load the following page.

3.1.6 Configuring MLD Profile
With an MLD Profile, the switch can define a blacklist or whitelist of multicast addresses so as to filter multicast sources. Choose the menu Multicast > MLD Snooping > Profile Config to load the following page.
Figure 3-6 Profile Create
Creating Profile
Follow these steps to create a profile and configure its filtering mode.
1) Create a profile and configure its filtering mode.

Editing IP Range of the Profile
Follow these steps to edit the profile mode and its IP range:
1) Click Edit in the MLD Profile Info table. Edit its IP range and click Add to save the settings.
Figure 3-7 Add IP-range
2) In the IP-range Table, you can select an IP range and click Delete to delete it.
3) Click Submit to save the settings; click Back to return to the previous page.
3.1.

Figure 3-8 Profile Binding
Binding Profile and Member Ports
Follow these steps to bind the profile to the port.
1) Select the port to be bound, and enter the Profile ID in the Profile ID column.
Select: Select the port to be bound.
Port: Displays the port number.
Profile ID: Enter the ID of the profile you created to bind it to the port. One port can only be bound to one profile.
Max Group: Enter the number of multicast groups the port can join. The valid values are from 0 to 1000.
Overflow Action: Select the action taken towards a new multicast group when the number of multicast groups the port has joined exceeds Max Group. Drop: Drop all subsequent membership report messages; the port will not join any new multicast groups.

Configuring Auto Refresh
Follow these steps to configure auto refresh.
1) Enable or disable Auto Refresh.
Auto Refresh: If Auto Refresh is enabled, the statistics of MLD packets on this page refresh automatically.
Refresh Period: After Auto Refresh is enabled, enter the interval between refreshes. The valid values are from 3 to 300 seconds.
2) Click Apply.

Configuring Static Member Port
Follow these steps to configure a static member port.
1) Enter the Multicast IP and VLAN ID, and specify the Static Member Port.
Multicast IP: Specify the multicast group that the static member is in.
VLAN ID: Specify the VLAN that the static member is in.
Forward Port: Specify one or more ports to be static member ports in the multicast group.
Step 2: interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }
  Enter interface configuration mode.
Step 3: ipv6 mld snooping
  Enable MLD Snooping on the specified port.
Step 4: show ipv6 mld snooping
Step 5: end
Step 6: copy running-config startup-config

3.2.3 Configuring MLD Snooping Parameters Globally
Configuring Report Message Suppression
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping report-suppression
  Enable Report Message Suppression globally.
Step 3: show ipv6 mld snooping
Step 4: end
Step 5: copy running-config startup-config

Configuring Unknown Multicast
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping drop-unknown
  Configure the switch to Discard multicast data sent to unknown multicast groups. Unknown multicast groups are multicast groups whose destination multicast address is not in the multicast forwarding table of the switch.
Step 3: show ipv6 mld snooping
Step 4: end
Step 5: copy running-config startup-config

Switch#copy running-config startup-config

3.2.4 Configuring MLD Snooping Parameters on the Port
Configuring Router Port Time and Member Port Time
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping rtime rtime
        ipv6 mld snooping mtime mtime
  rtime is the aging time of router ports, ranging from 60 to 600 seconds. mtime is the aging time of member ports, ranging from 60 to 600 seconds.

Switch(config)#end
Switch#copy running-config startup-config

Configuring Fast Leave
Step 1: configure
  Enter global configuration mode.
Step 2: interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }

Configuring Max Group and Overflow Action on the Port
Step 1: configure
  Enter global configuration mode.
Step 2: interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }
  Enter interface configuration mode.

Te1/0/3 500 Drop
Switch(config-if)#end
Switch#copy running-config startup-config

3.2.5 Configuring MLD Snooping Last Listener Query
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping last-listener query-inteval interval
  interval determines the interval between MASQs sent by the switch. The valid values are from 1 to 5 seconds.

Enable Port:
Enable VLAN:
Switch(config)#end
Switch#copy running-config startup-config

3.2.6 Configuring MLD Snooping Parameters in the VLAN
Configuring Router Port Time and Member Port Time
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping vlan-config vlan-id-list [rtime router-time | mtime member-time ]
  router-time is the aging time of the router ports in the specified VLAN, ranging from 60 to 600 seconds.

Forbidden Router Port:None
Switch(config)#show ipv6 mld snooping vlan 3
Vlan Id: 3
Router Time:500
Member Time:400
Static Router Port:None
Dynamic Router Port:None
Forbidden Router Port:None
Switch(config)#end
Switch#copy running-config startup-config

Configuring Static Router Port
Step 1: configure
Step 2: ipv6 mld snooping vlan-config vlan-id-list [rport interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channe

Member Time:0
Static Router Port:Te1/0/2
Dynamic Router Port:None
Forbidden Router Port:None
Switch(config)#end
Switch#copy running-config startup-config

Configuring Forbidden Router Port
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping vlan-config vlan-id-list router-ports-forbidden interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }

Forbidden Router Port:Te1/0/4-6
Switch(config)#end
Switch#copy running-config startup-config

Configuring Static Multicast (Multicast IP and Forward Port)
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping vlan-config vlan-id-list static ip interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }
  vlan-id-list specifies the VLAN to be configured.

3.2.7 Configuring MLD Snooping Parameters in the Multicast VLAN
Configuring Router Port Time and Member Port Time
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping multi-vlan-config [vlan-id ] [rtime router-time | mtime member-time ]
  vlan-id specifies the VLAN to be created or configured. router-time is the aging time of the router ports in the multicast VLAN, ranging from 60 to 600 seconds.

Switch#copy running-config startup-config

Configuring Static Router Port
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping multi-vlan-config [vlan-id ] [rport interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }]
  vlan-id specifies the VLAN to be created or configured. port-list and port-channel-id are the static router ports in the multicast VLAN.

Configuring Forbidden Router Port
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping multi-vlan-config [vlan-id ] router-ports-forbidden interface {gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }
  vlan-id specifies the multicast VLAN to be configured. port-list and port-channel-id are the ports that cannot become router ports in the multicast VLAN.

Configuring Replace Source IP
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping multi-vlan-config [vlan-id ] replace-sourceip ip
  vlan-id specifies the multicast VLAN to be configured. ip specifies the new source IP. The switch replaces the source IP in the MLD multicast data sent by the multicast VLAN with the IP address you enter.

3.2.8 Configuring the Querier
Enabling MLD Querier
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld snooping querier vlan vlan-id
  vlan-id specifies the VLAN in which to enable the MLD Querier.
Step 3: show ipv6 mld snooping querier [vlan vlan-id ]
  Show the MLD querier configuration.
Step 4: end
  Return to privileged EXEC mode.
Step 5: copy running-config startup-config
  Save the settings in the configuration file.

Step 2: ipv6 mld snooping querier vlan vlan-id {query-interval interval | max-response-time response-time | general-query source-ip ip-addr }
  vlan-id specifies the VLAN where the querier is. interval is the interval between general query messages sent by the querier. response-time is the host's maximum response time to general query messages, in a range of 1 to 25 seconds.

3.2.9 Configuring Multicast Filtering
Creating Profile
Step 1: configure
  Enter global configuration mode.
Step 2: ipv6 mld profile id
  Create a new profile and enter profile configuration mode.
Step 3: permit | deny
  Configure the profile's filtering mode. permit is similar to a whitelist, indicating that the switch only allows the specified member ports to join the specified multicast groups.

range ff01::1234:5 ff01::1234:8
Switch(config)#end
Switch#copy running-config startup-config

Binding Profile to the Port
Step 1: configure
  Enter global configuration mode.
Step 2: interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list }

range ff01::1234:5 ff01::1234:8
Binding Port(s) Te1/0/2
Switch(config)#end
Switch#copy running-config startup-config
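The Permit/Deny profile and Max Group / Overflow Action behaviour described in sections 2.1.6, 2.2.9, 3.1.6 and 3.2.9, modelled as an added Python example that is not the guide's or TP-Link's code. The address ranges are the ones from the guide's CLI examples; the mode of each sample profile, the eviction rule used for Replace and the port names are assumptions.

```python
"""Added model of the Multicast Filtering rules above (not the guide's or TP-Link's
code): Permit/Deny profiles of address ranges, one profile per port, Max Group with
Overflow Action Drop or Replace. ipaddress covers IGMP (IPv4) and MLD (IPv6) groups."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Profile:
    profile_id: int
    mode: str                                   # "permit" (whitelist) or "deny" (blacklist)
    ranges: list = field(default_factory=list)  # (low, high) pairs from 'range low high'

    def add_range(self, low, high):
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {low} {high}")
        self.ranges.append((lo, hi))

    def allows(self, group):
        """Permit: only listed groups may be joined. Deny: listed groups may not."""
        group = ipaddress.ip_address(group)
        listed = any(lo <= group <= hi
                     for lo, hi in self.ranges if lo.version == group.version)
        return listed if self.mode == "permit" else not listed


@dataclass
class PortFilter:
    port: str
    profile: Profile = None                     # a port binds at most one profile
    max_groups: int = 1000                      # guide range 0 to 1000, taken literally
    overflow_action: str = "drop"               # "drop" or "replace"
    joined: list = field(default_factory=list)  # join order, oldest first

    def on_report(self, group):
        """Decide what happens to a membership report for 'group' on this port."""
        group = ipaddress.ip_address(group)
        if not group.is_multicast:
            return "ignored: not a multicast address"
        if self.profile is not None and not self.profile.allows(group):
            return f"filtered by profile {self.profile.profile_id}"
        if group in self.joined:
            return "refreshed"                  # already a member, timer restarted
        if len(self.joined) >= self.max_groups:
            if self.overflow_action == "drop":
                return "dropped: max groups reached"
            # Replace: the guide's text for this action is cut off above; this model
            # assumes the oldest joined group is evicted in favour of the new one.
            evicted = self.joined.pop(0)
            self.joined.append(group)
            return f"replaced {evicted}"
        self.joined.append(group)
        return "joined"


def demo():
    """Constructed runs: the guide's range 226.0.0.5-226.0.0.10 in an assumed Deny
    profile on Te1/0/2 (max 2 groups, Drop) and the MLD range ff01::1234:5-ff01::1234:8
    in a Permit profile on Te1/0/3 (max 1 group, Replace)."""
    deny = Profile(1, "deny")
    deny.add_range("226.0.0.5", "226.0.0.10")
    te2 = PortFilter("Te1/0/2", profile=deny, max_groups=2, overflow_action="drop")
    v4 = [te2.on_report(g) for g in ("226.0.0.7", "225.1.1.1", "226.0.0.11", "239.0.0.1")]
    permit = Profile(2, "permit")
    permit.add_range("ff01::1234:5", "ff01::1234:8")
    te3 = PortFilter("Te1/0/3", profile=permit, max_groups=1, overflow_action="replace")
    v6 = [te3.on_report(g) for g in ("ff01::1234:6", "ff02::1", "ff01::1234:8")]
    return v4, v6
```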
4 Viewing Multicast Snooping Configurations

4.1 Using the GUI

4.1.1 Viewing IPv4 Multicast Snooping Configurations
Choose the menu Multicast > Multicast Table > IPv4 Multicast Table to view all valid Multicast IP-VLAN-Port entries.
Figure 4-1 IPv4 Multicast Table
Search Option: Search for specific multicast entries by Multicast IP, VLAN ID and Forward Port.

Figure 4-2 IPv6 Multicast Table

4.2 Using the CLI

4.2.1 Viewing IPv4 Multicast Snooping Configurations
show ip igmp snooping
  Displays the global settings of IGMP Snooping.
show ip igmp snooping interface [ fastEthernet [ port | port-list ] | gigabitEthernet [port | port-list] | ten-gigabitEthernet [port | port-list]] {basic-config | max-groups | packet-stat}
  Displays the settings of IGMP Snooping on the port(s).
show ip igmp snooping groups [ vlan vlan-id ] [count | dynamic | dynamic count | static | static count ]
  Displays information about specific multicast groups in all VLANs or in the specified VLAN. count: displays the number of multicast groups. dynamic: displays information about all dynamic multicast groups. dynamic count: displays the number of dynamic multicast groups. static: displays information about all static multicast groups.

show ipv6 mld snooping groups [vlan vlan-id ] [count | dynamic | dynamic count | static | static count ]
  Displays information about specific multicast groups in all VLANs or in the specified VLAN. count displays the number of multicast groups. dynamic displays information about all dynamic multicast groups. dynamic count displays the number of dynamic multicast groups. static displays information about all static multicast groups.
5 Configuration Examples

5.1 Example for Configuring Basic IGMP Snooping

5.1.1 Network Requirements

Host B, Host C and Host D are in the same VLAN of the switch. All of them want to receive multicast data sent to multicast group 225.1.1.1. As shown in the following topology, Host B, Host C and Host D are connected to port 1/0/1, port 1/0/2 and port 1/0/3 respectively. Port 1/0/4 is the router port connected to the multicast querier.

Enable IGMP Snooping in the VLAN.

Demonstrated with T1700X-16TS, this section provides configuration procedures in two ways: using the GUI and using the CLI.

5.1.3 Using the GUI

1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping globally, and keep the default values in the Router Port Time and Member Port Time fields.

Figure 5-3 Enable IGMP Snooping on the Ports

3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10 and add Untagged port 1/0/1-3 and Tagged port 1/0/4 to VLAN 10.

Figure 5-4 Configure Link Type

4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1-4 as 10.

Figure 5-5 Create VLAN and Add Member Ports

5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Keep 0 as the Router Port Time and Member Port Time, which means the global settings will be used.

Figure 5-6 Enable IGMP Snooping in the VLAN

6) Click Save Config to save the settings.

5.1.4 Using the CLI

1) Enable IGMP Snooping globally.
Switch#configure
Switch(config)#ip igmp snooping

2) Enable IGMP Snooping on port 1/0/1-4.
Switch(config)#interface range ten-gigabitEthernet 1/0/1-4
Switch(config-if-range)#ip igmp snooping
Switch(config-if-range)#exit

3) Create VLAN 10.

Switch(config-if-range)#exit
Switch(config)#interface ten-gigabitEthernet 1/0/4
Switch(config-if)#switchport general allowed vlan 10 tagged
Switch(config-if)#exit

5) Set the PVID of port 1/0/1-4 as 10.
Switch(config)#interface range ten-gigabitEthernet 1/0/1-4
Switch(config-if-range)#switchport pvid 10
Switch(config-if-range)#exit

6) Enable IGMP Snooping in VLAN 10.
Switch(config)#ip igmp snooping vlan-config 10

7) Save the settings.

Global Report Suppression       :Disable
Global Authentication Accounting:Disable
Enable Port:Te1/0/1-4
Enable VLAN:10

5.2 Example for Configuring Multicast VLAN

5.2.1 Network Requirements

Host B, Host C and Host D are in three different VLANs of the switch. All of them want to receive multicast data sent to multicast group 225.1.1.1.

5.2.
Figure 5-7 Network Topology for Multicast VLAN (Internet, Source and Querier reached through Te1/0/4 in VLAN 40; receivers Host B, Host C and Host D on Te1/0/1, Te1/0/2 and Te1/0/3)

Demonstrated with T1700X-16TS, this section provides configuration procedures in two ways: using the GUI and using the CLI.

5.2.4 Using the GUI

1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.

Figure 5-8 Configure IGMP Snooping Globally

2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page. Enable IGMP Snooping on port 1/0/1-4.

3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 40 and add Untagged port 1/0/1-4 to VLAN 40.

Figure 5-10 Configure Link Type

4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1 as 10, port 1/0/2 as 20, port 1/0/3 as 30 and port 1/0/4 as 40.

Figure 5-11 Create VLAN and Add Member Ports

5) Choose the menu Multicast > IGMP Snooping > Multicast VLAN to load the following page. Enable Multicast VLAN and configure VLAN 40 as the multicast VLAN. Keep Router Port Time and Member Port Time as 0.

Figure 5-12 Create Multicast VLAN

6) Click Save Config to save the settings.

5.2.5 Using the CLI

1) Enable IGMP Snooping globally.

Switch(config)#interface range ten-gigabitEthernet 1/0/1-4
Switch(config-if-range)#ip igmp snooping
Switch(config-if-range)#exit

3) Create VLAN 10.
Switch(config)#vlan 10
Switch(config-vlan)#name vlan10
Switch(config-vlan)#exit

4) Add port 1/0/1-3 to VLAN 10 and set the link type as untagged. Add port 1/0/4 to VLAN 10 and set the link type as tagged.

10      vlan10      active      Te1/0/1, Te1/0/2, Te1/0/3, Te1/0/4

Show the status of IGMP Snooping globally, on the ports and in the multicast VLAN:
Switch(config)#show ip igmp snooping
IGMP Snooping                   :Enable
Unknown Multicast               :Pass
Last Query Times                :2
Last Query Interval             :1
Global Member Age Time          :260
Global Router Age Time          :300
Global Report Suppression       :Disable
Global Authentication Accounting:Disable
Enable Port:Te1/0/1-4
Enable VLAN:Multicast VLAN 10

5
Figure 5-13 Network Topology for Unknown Multicast and Fast Leave (Internet, Source and Querier reached through Te1/0/4; VLAN 10; Host B receiver on Te1/0/2)

5.3.2 Configuration Scheme

After the channel is changed, the client (Host B) still receives irrelevant multicast data: the data from the previous channel and possibly other unknown multicast data. This increases the network load and results in network congestion.

Figure 5-14 Configure IGMP Snooping Globally

Note: IGMP Snooping and MLD Snooping share the setting of Unknown Multicast, so you have to enable MLD Snooping globally on the Multicast > MLD Snooping > Snooping Config page at the same time.

2) Choose the menu Multicast > IGMP Snooping > Port Config to load the following page. Enable IGMP Snooping on port 1/0/2 and port 1/0/4, and enable Fast Leave on port 1/0/2.

Figure 5-15 Configure IGMP Snooping Globally

3) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10.

4) Click Save Config to save the settings.

5.3.4 Using the CLI

1) Enable IGMP Snooping globally.
Switch#configure
Switch(config)#ip igmp snooping

2) Configure Unknown Multicast as Discard globally.
Switch(config)#ip igmp snooping drop unknown

3) Enable IGMP Snooping on port 1/0/2 and enable Fast Leave. On port 1/0/4, enable IGMP Snooping.

Global Report Suppression       :Disable
Global Authentication Accounting:Disable
Enable Port:Te1/0/2,1/0/4
Enable VLAN:10

Show the IGMP Snooping settings on port 1/0/2:
Switch(config)#show ip igmp snooping interface ten-gigabitEthernet 1/0/2 basic-config
Port      IGMP-Snooping   Fast-Leave
----      -------------   ----------
Te1/0/2   enable          enable

5.4 Example for Configuring Multicast Filtering

5.4.
Figure 5-17 Network Topology for Multicast Filtering (Internet, Source and Querier reached through Te1/0/4; VLAN 10; receivers Host B, Host C and Host D on Te1/0/1, Te1/0/2 and Te1/0/3)

Demonstrated with T1700X-16TS, this section provides configuration procedures in two ways: using the GUI and using the CLI.

5.4.4 Using the GUI

1) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.

Figure 5-18 Configure IGMP Snooping Globally

2) Choose the menu Multicast > IGMP Snooping > Snooping Config to load the following page.

3) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10 and add Untagged port 1/0/1-3 and Tagged port 1/0/4 to VLAN 10.

Figure 5-20 Configure Link Type

4) Choose the menu VLAN > 802.1Q VLAN > Port Config to load the following page. Configure the PVID of port 1/0/1-4 as 10.

Figure 5-21 Create VLAN and Add Member Ports

5) Choose the menu Multicast > IGMP Snooping > VLAN Config to load the following page. Enable IGMP Snooping in VLAN 10. Keep 0 as the Router Port Time and Member Port Time, which means the global settings will be used.

Figure 5-22 Enable IGMP Snooping in the VLAN

6) Specify the multicast data that Host C and Host D can receive.
a. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page. Create Profile 1, select Permit as the Mode and click Create.

Figure 5-23 Create Profile 1

b. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.

Figure 5-24 Edit Add IP-range in Profile 1

c. Choose the menu Multicast > IGMP Snooping > Profile Binding to load the following page. Select port 1/0/2 and port 1/0/3, enter 1 in the Profile ID field and click Apply to bind Profile 1 to these ports.

Figure 5-25 Bind Profile 1 to Port 1/0/2 and Port 1/0/3

7) Specify the multicast data that Host B can receive.
a. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page.

Figure 5-26 Profile 2

b. Choose the menu Multicast > IGMP Snooping > Profile Config to load the following page. In the IGMP Profile Info table, click Edit in the Profile 2 entry, enter 225.0.0.2 in both the Start IP and End IP fields, and click Add.

Figure 5-27 Edit Add IP-range in Profile 2

c. Choose the menu Multicast > IGMP Snooping > Profile Binding to load the following page.

Figure 5-28 Bind Profile 2 to Port 1/0/1

8) Click Save Config to save the settings.

5.4.5 Using the CLI

1) Enable IGMP Snooping globally.
Switch#configure
Switch(config)#ip igmp snooping

2) Enable IGMP Snooping on port 1/0/1-4.
Switch(config)#interface range ten-gigabitEthernet 1/0/1-4
Switch(config-if-range)#ip igmp snooping
Switch(config-if-range)#exit

3) Create VLAN 10.

Switch(config-if-range)#switchport general allowed vlan 10 untagged
Switch(config-if-range)#exit
Switch(config)#interface ten-gigabitEthernet 1/0/4
Switch(config-if)#switchport general allowed vlan 10 tagged
Switch(config-if)#exit

5) Set the PVID of port 1/0/1-4 as 10.
Switch(config)#interface range ten-gigabitEthernet 1/0/1-4
Switch(config-if-range)#switchport pvid 10
Switch(config-if-range)#exit

6) Enable IGMP Snooping in VLAN 10.

11) Save the settings.
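The three examples above (5.1 basic snooping, 5.3 unknown multicast and Fast Leave, 5.4 profile filtering) all describe the same forwarding decision from different angles. The following model, added here as an illustration and not code from TP-Link or from this guide, puts them together: IGMP reports build a per-VLAN group table, a profile bound to a port decides whether a report is accepted, Fast Leave prunes a port immediately, and the Unknown Multicast setting decides whether unmatched groups are flooded (Pass) or dropped (Discard). Class and method names are invented; Profile 1's IP range and Profile 2's mode are constructed because the page does not show them, while the ports, VLAN and the 225.0.0.2 range follow example 5.4.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Profile:
    """An IGMP profile as created on the Profile Config page: a mode and IP ranges."""
    mode: str                                   # "permit" or "deny"
    ranges: list = field(default_factory=list)  # list of (start_ip, end_ip) strings

    def allows(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        matched = any(
            int(ipaddress.IPv4Address(lo)) <= g <= int(ipaddress.IPv4Address(hi))
            for lo, hi in self.ranges
        )
        # Permit mode passes only listed groups; deny mode blocks only listed groups.
        return matched if self.mode == "permit" else not matched


class SnoopingSwitch:
    """Per-VLAN IGMP snooping state; the names are invented for this illustration."""

    def __init__(self, unknown_multicast: str = "pass"):
        self.unknown_multicast = unknown_multicast  # "pass" (the page's default) or "discard"
        self.vlans = {}          # vlan -> set of member ports
        self.router_ports = {}   # vlan -> set of ports towards the querier
        self.fast_leave = set()  # ports with Fast Leave enabled
        self.bindings = {}       # port -> Profile bound on the Profile Binding page
        self.groups = {}         # (vlan, group) -> set of receiver ports

    def report(self, vlan: int, port: int, group: str) -> bool:
        """IGMP membership report on `port`; accepted only if the bound profile allows it."""
        prof = self.bindings.get(port)
        if prof is not None and not prof.allows(group):
            return False
        self.groups.setdefault((vlan, group), set()).add(port)
        return True

    def leave(self, vlan: int, port: int, group: str) -> None:
        """IGMP leave on `port`. Fast Leave prunes the port at once; without it the
        entry stays until the member port timer expires (timers are not modelled)."""
        if port in self.fast_leave:
            members = self.groups.get((vlan, group), set())
            members.discard(port)
            if not members:
                self.groups.pop((vlan, group), None)

    def forward_ports(self, vlan: int, group: str, ingress: int) -> set:
        """Egress ports for multicast data to `group` that arrived on `ingress`."""
        members = self.groups.get((vlan, group))
        if members is None:
            # Unknown multicast: flood the VLAN (Pass) or drop it (Discard).
            if self.unknown_multicast == "discard":
                return set()
            return self.vlans.get(vlan, set()) - {ingress}
        # Known group: receivers plus the router port, never back out the ingress.
        return (members | self.router_ports.get(vlan, set())) - {ingress}


def build_example(unknown_multicast: str = "pass") -> SnoopingSwitch:
    """Topology of example 5.4: VLAN 10, hosts on ports 1-3, querier behind port 4.
    Profile 1 is Permit and bound to ports 2 and 3 as on the page; its IP range and
    Profile 2's mode are constructed here. Fast Leave on port 2 follows example 5.3."""
    sw = SnoopingSwitch(unknown_multicast)
    sw.vlans[10] = {1, 2, 3, 4}
    sw.router_ports[10] = {4}
    sw.fast_leave.add(2)
    sw.bindings[2] = sw.bindings[3] = Profile("permit", [("225.0.0.1", "225.0.0.1")])
    sw.bindings[1] = Profile("permit", [("225.0.0.2", "225.0.0.2")])
    sw.report(10, 2, "225.0.0.1")   # Host C joins a group its profile permits
    sw.report(10, 1, "225.0.0.2")   # Host B joins the group its profile permits
    return sw
```

With Unknown Multicast set to Discard, a stream to a group nobody has joined is dropped instead of flooded to every port in the VLAN, which is the congestion case example 5.3 describes; with Pass (the default) the same stream reaches all three host ports.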
6 Appendix: Default Parameters

6.

Function: IGMP Accounting and Authentication

6.

Function: IGMP Snooping Querier

Parameter                  Default Setting
Enable or Not              Disabled
Query Interval             60 seconds
Max Response Time          10 seconds
General Query Source IP    FE80::02FF:FFFF:FE00:0001

Configuration Guide 395
Part 13 Configuring Logical Interfaces

CHAPTERS
1. Overview
2. Logical Interfaces Configurations
3.

1 Overview

Interfaces of a device are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into physical interfaces and logical interfaces. Physical interfaces are the ports on the front panel or rear panel of the switch. Logical interfaces are manually configured and do not physically exist, such as loopback interfaces and routing interfaces. This chapter introduces the configurations for logical interfaces.

2 Logical Interfaces Configurations

To complete IPv4 interface configuration, follow these steps:
1) Create a Layer 3 interface.
2) Configure IPv4 parameters of the created interface.
3) View detailed information of the created interface.

To complete IPv6 interface configuration, follow these steps:
1) Create a Layer 3 interface.
2) Configure IPv6 parameters of the created interface.
3) View detailed information of the created interface.

2.
IP Address Mode: Specify the IP address assignment mode of the interface.
None: No IP address will be assigned.
Static: Assign an IP address manually.
DHCP: Assign an IP address through DHCP.
BOOTP: Assign an IP address through BOOTP.
IP Address: Specify the IP address of the interface if you choose "Static" as the IP address assignment mode.
Subnet Mask: Specify the subnet mask of the interface's IP address.
Figure 2-3 Configuring the IPv6 Parameters

1) Enable the IPv6 function on the interface of the switch in the General Config section. Then click Apply.
Interface ID: Displays the interface ID.
IPv6: Enable or disable the IPv6 function on the interface of the switch.

2) Configure the IPv6 link-local address of the interface manually or automatically in the Link-local Address Config section. Then click Apply.
Link-local Address: Enter a link-local address if you choose "Manual" as the link-local address configuration mode.
Status: Displays the status of the link-local address.
Normal: Indicates that the link-local address is normal.
Try: Indicates that the link-local address may be newly configured.
Repeat: Indicates that the link-local address is a duplicate.

Valid Lifetime: Displays the valid lifetime of the global address.
Status: Displays the status of the global address.
Normal: Indicates that the global address is normal.
Try: Indicates that the global address may be newly configured.
Repeat: Indicates that the global address is a duplicate. It is illegal to access the switch using this global address.

2.1.
Step 2 Create a VLAN interface:
interface vlan vlan-id
vlan-id: Specify an IEEE 802.1Q VLAN ID that already exists, ranging from 1 to 4094.
Create a loopback interface:
interface loopback { id }
id: Specify the ID of the loopback interface, ranging from 1 to 64.

2.2.2 Configuring IPv4 Parameters of the Interface

Follow these steps to configure the IPv4 parameters of the interface.
Step 1 configure
Enter global configuration mode.
Step 2 interface { interface-type } { interface-number }
Enter layer 3 interface configuration mode.
interface-type: Type of the layer 3 interface, including fastEthernet, gigabitEthernet, ten-gigabitEthernet, loopback and VLAN.

Interface   IP-Address         Method   Status   Protocol   Shutdown
---------   ----------------   ------   ------   --------   --------
Te1/0/1     192.168.0.100/24   Static   Up       Up         no
Switch(config-if)#end
Switch#copy running-config startup-config

2.2.3 Configuring IPv6 Parameters of the Interface

Follow these steps to configure the IPv6 parameters of the interface.
Step 1 configure
Enter global configuration mode.
Step 2 interface { interface-type } { interface-number }

Step 5 Configure the IPv6 global address for the specified interface:
Automatically configure the interface's global IPv6 address via RA message:
ipv6 address ra
Configure the interface's global IPv6 address according to the address prefix and other configuration parameters from its received RA (Router Advertisement) message.

ICMP error messages limited to one every 1000 milliseconds
ICMP redirects are enable
MTU is 1500 bytes
ND DAD is enable, number of DAD attempts: 1
ND retrans timer is 1000 milliseconds
ND reachable time is 30000 milliseconds
Switch(config-if)#end
Switch#copy running-config startup-config

3 Appendix: Default Parameters

The default settings of interfaces are listed in the following tables.

Table 3-1 Configuring the IPv4 Parameters of the Interface
Parameter          Default Setting
Interface ID       VLAN
IP Address Mode    None
Admin Status       Enable
Recovery mode      Auto

Table 3-2 Configuring the IPv6 Parameters of the Interface
Parameter   Default Setting
IPv6        Disable. On VLAN interface 1, it is enabled by default.
Part 14 Configuring Static Routing

CHAPTERS
1. Overview
2. IPv4 Static Routing Configuration
3. IPv6 Static Routing Configuration
4. Viewing Routing Table
5. Example for Static Routing
6.

1 Overview

Static routing is a form of routing that is configured manually by adding non-aging entries to a routing table. The manually configured routing information guides the router in forwarding data packets to the specified destination. On a simple network with a small number of devices, you only need to configure static routes to ensure that devices on different subnets can communicate with each other.

2 IPv4 Static Routing Configuration

2.1 Using the GUI

Choose the menu Routing > Static Routing > IPv4 Static Routing Config to load the following page.

Figure 2-1 Configuring the IPv4 Static Routing

1) In the IPv4 Static Routing Config section, configure the corresponding parameters to add an IPv4 static route. Then click Create.
Destination: Specify the destination IPv4 address of the packets.

2.2 Using the CLI

Follow these steps to create an IPv4 static route.
Step 1 configure
Enter global configuration mode.
Step 2 ip route { dest-address } { mask } { next-hop-address } [ distance ]
Add an IPv4 static route.
dest-address: Specify the destination IPv4 address of the packets.
mask: Specify the subnet mask of the destination IPv4 address.
next-hop-address: Specify the IPv4 gateway address to which the packet should be sent next.

3 IPv6 Static Routing Configuration

3.1 Using the GUI

Choose the menu Routing > Static Routing > IPv6 Static Routing Config to load the following page.

Figure 3-1 Configuring the IPv6 Static Routing

1) In the IPv6 Routing section, enable the IPv6 routing function and click Apply.
2) In the IPv6 Static Routing Config section, configure the corresponding parameters to add an IPv6 static route. Then click Create.

3.2 Using the CLI

Follow these steps to enable the IPv6 routing function and create an IPv6 static route.
Step 1 configure
Enter global configuration mode.
Step 2 interface { interface-type } { interface-number }
Enter layer 3 interface configuration mode.
interface-type: Type of the layer 3 interface, including fastEthernet, gigabitEthernet, ten-gigabitEthernet, loopback and VLAN.
interface-number: Number of the interface.

C    3000::/64 is directly connected, Vlan1
S    3200::/64 [1/0] via 3100::1234, Vlan2
Switch(config)#end
Switch#copy running-config startup-config
4 Viewing Routing Table

You can view the routing tables to learn about the network topology. The switch supports an IPv4 routing table and an IPv6 routing table.

4.1 Using the GUI

4.1.1 Viewing IPv4 Routing Table

Choose the menu Routing > Routing Table > IPv4 Routing Table to load the following page.

Figure 4-1 Viewing IPv4 Routing Table

View the IPv4 routes in the IPv4 Routing Information Summary section.
Protocol: Displays the type of the route entry.

4.1.2 Viewing IPv6 Routing Table

Choose the menu Routing > Routing Table > IPv6 Routing Table to load the following page.

Figure 4-2 Viewing IPv6 Routing Table

View the IPv6 routes in the IPv6 Routing Information Summary section.
Protocol: Displays the type of the route entry.
Destination Network: Displays the destination IP address and subnet mask.
Next Hop: Displays the IPv6 gateway address to which the packet should be sent next.

4.2 Using the CLI

4.2.2 Viewing IPv6 Routing Table

In privileged EXEC mode or any other configuration mode, you can use the following command to view the IPv6 routing table:
show ipv6 route [ static | connected ]
View the IPv6 route entries of the specified type. If not specified, all types of route entries will be displayed.
static: View the static IPv6 routes.
connected: View the connected IPv6 routes.
5 Example for Static Routing

5.1 Network Requirements

As shown below, Host A and Host B are on different network segments. To meet business needs, Host A and Host B need to establish a connection without using dynamic routing protocols, to ensure stable connectivity.

Figure 5-1 Network Topology (Host A 10.1.1.100/24; Switch A Te1/0/1 10.1.1.1/24 and Te1/0/2 10.1.10.1/24; Switch B Te1/0/1 and Te1/0/2 with 10.1.10.2/24 and 10.1.2.1/24; Host B 10.1.2.)

5.2

Figure 5-2 Create a Routed Port Te1/0/1 for Switch A

Figure 5-3 Create a Routed Port Te1/0/2 for Switch A

2) Choose the menu Routing > Static Routing > IPv4 Static Routing Config to load the following page. Add a static route entry with the destination as 10.1.2.0, the subnet mask as 255.255.255.0 and the next hop as 10.1.10.2. For Switch B, add a static route entry with the destination as 10.1.1.0, the subnet mask as 255.255.255.

with the mode as static, the IP address as 10.1.10.1, the mask as 255.255.255.0 and the admin status as Enable.
Switch_A#configure
Switch_A(config)#interface ten-gigabitEthernet 1/0/1
Switch_A(config-if)#no switchport
Switch_A(config-if)#ip address 10.1.1.1 255.255.255.0
Switch_A(config-if)#exit
Switch_A(config)#interface ten-gigabitEthernet 1/0/2
Switch_A(config-if)#no switchport
Switch_A(config-if)#ip address 10.1.10.1 255.255.255.

* - candidate default
C    10.1.2.0/24 is directly connected, Vlan30
C    10.1.10.0/24 is directly connected, Vlan20
S    10.1.1.0/24 [1/0] via 10.1.10.1, Vlan20

Connectivity Between Switch A and Switch B

Run the ping command on Switch A to verify the connectivity:
Switch_A#ping 10.1.2.1
Pinging 10.1.2.1 with 64 bytes of data :
Reply from 10.1.2.1 : bytes=64 time<16ms TTL=64
Reply from 10.1.2.1 : bytes=64 time<16ms TTL=64
Reply from 10.1.2.

6 Appendix: Default Parameter

The default setting of static routing is listed in the following table.
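The routing table printed above is consulted by longest-prefix match: the most specific prefix covering the destination wins, and a static route is only usable when its next hop itself falls inside a connected network. The following Python, added here as an illustration and not code from TP-Link or from this guide, parses the switch's `show ip route` / `show ipv6 route` line format, runs the lookup, and checks next-hop reachability. The route lines are copied from this page (Switch B's table and the IPv6 excerpt in section 3.2); the overlapping 10.1.0.0/16 route and all function names are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    proto: str                # "C" connected, "S" static
    prefix: Network
    next_hop: Optional[str]   # None for connected routes
    interface: str
    distance: int = 0         # administrative distance, the first number in [1/0]


def parse_route_line(line: str) -> Route:
    """Parse one line of the switch's show ip route / show ipv6 route output."""
    parts = line.split()
    proto = parts[0]
    prefix = ipaddress.ip_network(parts[1], strict=False)
    interface = parts[-1]
    if "via" in parts:
        next_hop = parts[parts.index("via") + 1].rstrip(",")
        distance = int(parts[2].strip("[]").split("/")[0])
        return Route(proto, prefix, next_hop, interface, distance)
    return Route(proto, prefix, None, interface, 0)


def lookup(table: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match: the most specific covering prefix wins; among equal
    prefix lengths the lower administrative distance wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table
                  if r.prefix.version == addr.version and addr in r.prefix]
    if not candidates:
        return None   # no default route in the page's table, so this means "unroutable"
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def next_hop_resolvable(table: List[Route], route: Route) -> bool:
    """A static route is usable only if its next hop lies on a connected network;
    otherwise the switch has no interface to send the packet out of."""
    if route.next_hop is None:
        return True
    connected = [r for r in table if r.proto == "C"]
    return lookup(connected, route.next_hop) is not None


# Routes copied from the example output on this page.
PAGE_ROUTES = [parse_route_line(line) for line in (
    "C 10.1.2.0/24 is directly connected, Vlan30",
    "C 10.1.10.0/24 is directly connected, Vlan20",
    "S 10.1.1.0/24 [1/0] via 10.1.10.1, Vlan20",
    "C 3000::/64 is directly connected, Vlan1",
    "S 3200::/64 [1/0] via 3100::1234, Vlan2",
)]

# Constructed, not on the page: a less specific static route overlapping 10.1.1.0/24,
# to show that the /24 still wins for 10.1.1.x while 10.1.5.x falls through to the /16.
WITH_SUMMARY = PAGE_ROUTES + [
    parse_route_line("S 10.1.0.0/16 [1/0] via 10.1.10.1, Vlan20"),
]
```

Because the IPv6 excerpt on this page is cut off before any connected 3100::/64 entry, `next_hop_resolvable` reports the 3200::/64 route as unresolvable against that excerpt alone; the same check against a complete table is how a practitioner spots a static route whose next hop is not actually reachable.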
Part 15 Configuring DHCP Relay

CHAPTERS
1. Overview
2. DHCP Relay Configuration
3. Configuration Example
4.

1 Overview

DHCP Relay is used to process and forward DHCP packets between different subnets. Since the client requests a dynamic IP address via broadcast, the basic network model of DHCP requires that the client and the server be on the same LAN. Each LAN would therefore have to be equipped with its own DHCP server, which increases the cost of building the network. DHCP Relay solves this problem.

2 DHCP Relay Configuration

To complete DHCP Relay configuration, follow these steps:
1) Enable DHCP Relay and configure Option 82.
2) Specify the DHCP server for the interface.

2.1 Using the GUI

2.1.1 Enabling DHCP Relay and Configuring Option 82

Choose the menu Routing > DHCP Relay > Global Config to load the following page.

Existed Option 82 field: Select the operation for the Option 82 field of the DHCP request packets.
Keep: Indicates keeping the Option 82 field of the packets.
Replace: Indicates replacing the Option 82 field of the packets with the switch-defined one. By default, the Circuit ID is defined to be the VLAN and the number of the port which receives the DHCP Request packets.

2.2 Using the CLI

2.2.1 Enabling DHCP Relay

Follow these steps to enable DHCP Relay:
Step 1 configure
Enter global configuration mode.
Step 2 service dhcp relay
Enable DHCP Relay.
Step 3 end
Return to privileged EXEC mode.
Step 4 copy running-config startup-config
Save the settings in the configuration file.

Step 3 ip dhcp relay information policy { keep | replace | drop }
Configure how to process Option 82 information.
keep: The switch will keep the Option 82 information in the packet.
replace: The switch will replace the Option 82 information with the customized configurations on the switch.

Switch#copy running-config startup-config

2.2.3 Specifying DHCP Server for the Interface

Follow these steps to specify the DHCP server for the interface:
Step 1 configure
Enter global configuration mode.
Step 2 Enter Layer 3 interface configuration mode:
interface vlan vid
Enter VLAN interface configuration mode.
vid: Specify the ID of the VLAN that will be configured as a DHCP relay agent. The valid values are from 1 to 4094.

Switch(config-if)#show ip dhcp relay
......
DHCP relay helper address is configured on the following interfaces:
Interface    Helper address
----------   --------------
VLAN 66      192.168.1.
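The keep / replace / drop choice in `ip dhcp relay information policy` decides what the relay does with an Option 82 that a client request already carries when it arrives, and whether the switch-defined circuit-id (VLAN and port, per the page) is what the server finally sees. The following Python, added here as an illustration and not TP-Link's implementation, encodes DHCP options and Option 82 sub-options as code/length/value triples in the RFC 3046 layout and applies each policy to two constructed requests, one plain and one already tagged. The 2-byte VLAN plus 1-byte port layout of the circuit-id, the treatment of `drop` as discarding the request (the page's description of that keyword is cut off), and all names are assumptions for the demonstration.

```python
OPTION_RELAY_AGENT = 82   # DHCP Relay Agent Information option (RFC 3046)
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPTION_PAD = 0
OPTION_END = 255


def parse_tlv(blob: bytes, stop_at_end: bool) -> list:
    """Decode code/length/value triples. The options field ends at 255 and may
    contain pads; Option 82 sub-options have neither, so callers pass False."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if stop_at_end and code == OPTION_END:
            break
        if stop_at_end and code == OPTION_PAD:
            i += 1
            continue
        length = blob[i + 1]
        out.append((code, bytes(blob[i + 2:i + 2 + length])))
        i += 2 + length
    return out


def encode_tlv(items: list, with_end: bool) -> bytes:
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + bytes([OPTION_END]) if with_end else body


def build_option82(vlan: int, port: int, remote_id: bytes) -> bytes:
    """Switch-defined Option 82 value. The circuit-id layout (2-byte VLAN, 1-byte
    port) is an assumption standing in for the page's 'VLAN and port number'."""
    circuit_id = vlan.to_bytes(2, "big") + bytes([port])
    return encode_tlv([(SUBOPT_CIRCUIT_ID, circuit_id),
                       (SUBOPT_REMOTE_ID, remote_id)], with_end=False)


def circuit_id_of(options: bytes):
    """Return (vlan, port) decoded from the Option 82 circuit-id, or None if absent."""
    for code, value in parse_tlv(options, stop_at_end=True):
        if code == OPTION_RELAY_AGENT:
            for sub, sval in parse_tlv(value, stop_at_end=False):
                if sub == SUBOPT_CIRCUIT_ID and len(sval) == 3:
                    return int.from_bytes(sval[:2], "big"), sval[2]
    return None


def relay_request(options: bytes, policy: str, vlan: int, port: int, remote_id: bytes):
    """Apply the Option 82 policy to a client request's options field and return the
    options the relay forwards to the server. keep: pass a client-supplied Option 82
    through; replace: substitute the switch-defined one; drop: discard the request
    (None). A request without Option 82 gets the switch-defined one under every policy."""
    items = parse_tlv(options, stop_at_end=True)
    client_sent_82 = any(code == OPTION_RELAY_AGENT for code, _ in items)
    if client_sent_82:
        if policy == "drop":
            return None
        if policy == "keep":
            return encode_tlv(items, with_end=True)
        # replace: strip whatever the client sent before inserting our own
        items = [(c, v) for c, v in items if c != OPTION_RELAY_AGENT]
    items.append((OPTION_RELAY_AGENT, build_option82(vlan, port, remote_id)))
    return encode_tlv(items, with_end=True)


# Constructed sample options: a DHCPDISCOVER (option 53 = 1) with a client-id (61),
# once plain and once already carrying an Option 82 that this relay did not write.
PLAIN_REQUEST = encode_tlv([(53, b"\x01"),
                            (61, b"\x01\x00\x11\x22\x33\x44\x55")], with_end=True)
TAGGED_REQUEST = encode_tlv([(53, b"\x01"),
                             (OPTION_RELAY_AGENT, build_option82(999, 9, b"untrusted"))],
                            with_end=True)
```

Under `keep`, a circuit-id supplied by an untrusted client (VLAN 999, port 9 in the sample) reaches the server unchanged and any server-side policy keyed on the circuit-id trusts it; `replace` is the setting that makes the circuit-id the switch's own observation of where the request entered, and `drop` refuses such requests outright.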
Configuring DHCP Relay Configuration Example 3 Configuration Example 3.1 Network Requirements A company wants to assign IP addresses to all computers in two departments, and there is only one DHCP server available. It is required that computers in the same department should be on the same subnet, while computers in different departments should be on different subnets. 3.
Configuring DHCP Relay Configuration Example 3) Configure the interface address of the VLANs. For details, refer to Configuring 802.1Q VLAN. 4) Configure DHCP Relay on the switch. Enable DHCP Relay, and add DHCP server address to each VLAN. When these configurations are finished, the DHCP server can assign IP addresses to computers in the two departments, with each department on one subnet.
Configuring DHCP Relay Figure 3-3 Configuration Example Specify DHCP Server for Interface VLAN 20 3) Click Save Config to save the settings. 3.4 Using the CLI Follow these steps to configure DHCP Relay: 1) Enable DHCP Relay. Switch#configure Switch(config)#service dhcp relay 2) Specify the DHCP server for the interface VLAN 10. Switch(config)#interface vlan 10 Switch(config-if)#ip helper-address 192.168.0.
Configuring DHCP Relay 4 Appendix: Default Parameters Appendix: Default Parameters Default settings of DHCP Relay are listed in the following table.
Part 16 Configuring ARP

CHAPTERS
1. Overview
2.

1 Overview

ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. Taking an IP address as input, ARP learns the associated MAC address and stores the IP-MAC address association in an ARP entry for rapid retrieval.

2 ARP Configurations

With ARP configurations, you can:
View dynamic and static ARP entries.
Add or delete static ARP entries.

2.1 Using the GUI

2.1.1 Viewing the ARP Entries

The ARP table consists of two kinds of ARP entries: dynamic and static.
Dynamic Entry: Automatically learned and deleted after the aging time expires.
Static Entry: Added manually and retained unless modified or deleted manually.

2.1.2 Adding Static ARP Entries Manually

You can add the desired static ARP entries by manually specifying the IP addresses and MAC addresses. Choose the menu Routing > ARP > Static ARP to load the following page.

Figure 2-2 Adding Static ARP Entries

Follow these steps to add static ARP entries: In the ARP Config section, enter the IP address and MAC address and click Create.
IP address: Specify the IP address.
MAC address: Specify the MAC address.

2.2 Using the CLI

Step 3 show arp [ ip ] [ mac ] or show ip arp [ ip ] [ mac ]
Verify the ARP entries.
ip: Specify the IP address of your desired ARP entry.
mac: Specify the MAC address of your desired ARP entry.
Step 4 end
Return to privileged EXEC mode.
Step 5 copy running-config startup-config
Save the settings in the configuration file.
This example shows how to create a static ARP entry with the IP as 192.168.0.

Step 3 arp timeout timeout
Configure the ARP aging time of the VLAN interface or routed port.
timeout: Specify the value of the aging time, which ranges from 1 to 3000 in seconds. The default value is 600 seconds.
Step 4 end
Return to privileged EXEC mode.
Step 5 copy running-config startup-config
Save the settings in the configuration file.

show ip arp { gigabitEthernet port | port-channel lagid | vlan id }
Verify the active ARP entries associated with a Layer 3 interface.
port: Specify the number of the routed port.
lagid: Specify the ID of the LAG.
id: Specify the VLAN interface ID.
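The two entry kinds described in section 2.1.1 behave differently over time and under conflicting information: a dynamic entry is refreshed by traffic and removed once the `arp timeout` aging time has passed, while a static entry stays put and is not displaced by a later learned mapping, which is why static entries are used to pin the MAC of a gateway or server. The following model, added here as an illustration and not TP-Link's code, shows both behaviours with constructed addresses; the 600-second aging default is the page's, all names are invented.

```python
from typing import List, Optional, Tuple


class ArpTable:
    """ARP table with the dynamic and static entry kinds of section 2.1.1."""

    def __init__(self, timeout_s: int = 600):   # page default: 600 seconds
        self.timeout = timeout_s
        self.entries = {}   # ip -> (mac, kind, learned_at or None for static)

    def add_static(self, ip: str, mac: str) -> None:
        # Static: added by hand, retained until modified or deleted by hand.
        self.entries[ip] = (mac.lower(), "static", None)

    def delete_static(self, ip: str) -> bool:
        entry = self.entries.get(ip)
        if entry is not None and entry[1] == "static":
            del self.entries[ip]
            return True
        return False

    def learn(self, ip: str, mac: str, now: float) -> bool:
        """Dynamic learning from ARP traffic. A static entry is never overwritten;
        the call returns False when a learned mapping disagrees with it, which is the
        event worth alerting on when static entries protect a gateway or server."""
        current = self.entries.get(ip)
        if current is not None and current[1] == "static":
            return current[0] == mac.lower()
        self.entries[ip] = (mac.lower(), "dynamic", now)   # learning restarts the timer
        return True

    def expire(self, now: float) -> List[str]:
        """Remove dynamic entries older than the aging time; return the IPs aged out."""
        aged = [ip for ip, (_, kind, learned_at) in self.entries.items()
                if kind == "dynamic" and now - learned_at >= self.timeout]
        for ip in aged:
            del self.entries[ip]
        return aged

    def lookup(self, ip: str, now: float) -> Optional[str]:
        self.expire(now)
        entry = self.entries.get(ip)
        return entry[0] if entry is not None else None

    def show(self, kind: Optional[str] = None) -> List[Tuple[str, str, str]]:
        """Rows in the spirit of `show arp`: (ip, mac, type), optionally filtered by type."""
        return sorted((ip, mac, k) for ip, (mac, k, _) in self.entries.items()
                      if kind is None or k == kind)


def demo() -> dict:
    """A static gateway entry beside a dynamic host entry, observed over 600 seconds.
    All addresses are constructed sample values."""
    table = ArpTable(timeout_s=600)
    table.add_static("192.168.0.1", "00:11:22:33:44:55")
    results = {
        # A reply claiming a different MAC for the pinned gateway is rejected.
        "conflict_rejected": table.learn("192.168.0.1", "66:77:88:99:aa:bb", now=0) is False,
        "gateway_mac": table.lookup("192.168.0.1", now=0),
    }
    table.learn("192.168.0.50", "aa:bb:cc:dd:ee:01", now=0)
    results["host_at_100s"] = table.lookup("192.168.0.50", now=100)
    results["host_at_600s"] = table.lookup("192.168.0.50", now=600)
    results["gateway_at_600s"] = table.lookup("192.168.0.1", now=600)
    results["static_rows"] = table.show("static")
    return results
```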
Part 17 Configuring QoS CHAPTERS 1. QoS 2. DiffServ Configuration 3. Bandwidth Control Configuration 4. Configuration Examples 5.
Configuring QoS 1 QoS 1.1 Overview QoS With network scale expanding and applications developing, Internet traffic is dramatically increased, thus resulting in network congestion, packet drops and long transmission delay. Typically, networks treat all traffic equally on FIFO (First In First Out) delivery basis, but nowadays many special applications like VoD, video conferences, etc. require more bandwidth or shorter transmission delay to guarantee the performance.
Configuring QoS 2 DiffServ Configuration DiffServ Configuration To complete differentiated services configuration, follow these steps: 1) Configure the priority mode to classify packets with different priorities. 2) Configure the schedule mode to control the forwarding sequence of packets. Configuration Guidelines Deploy the priority mode appropriate to your network requirements. Three modes are supported on the switch, 802.1P Priority, DSCP Priority and Port Priority. »» 802.1P Priority 802.
Configuring QoS 2.1 DiffServ Configuration Using the GUI 2.1.1 Configuring Priority Mode The instructions of the three priority modes are described respectively in this section. Configuring 802.1P Priority Choose the menu QoS > DiffServ > 802.1P Priority to load the following page. Figure 2-1 802.1P/CoS Mapping Follow these steps to configure the 802.1P Priority: 1) Configure the Tag-id/CoS-id-TC mapping relations. Tag-id/CoS-id Select the desired Tag-id/CoS-id to configure.
Configuring QoS DiffServ Configuration Configuring DSCP Priority Note: In DSCP priority mode, the packets are firstly mapped to CoS queues, then to TC queues according to the CoS-id-TC mapping relations. Go to QoS > DiffServ > 802.12P Priority and check the CoSid-TC mapping relations before configuring DSCP priority. Choose the menu QoS > DiffServ > DSCP Priority to load the following page.
Configuring QoS DiffServ Configuration Configuring Port Priority Note: In port priority mode, the packets are firstly mapped to CoS queues, then to TC queues according to the CoS-id-TC mapping relations. Go to QoS > DiffServ > 802.12P Priority and check the CoS-id-TC mapping relations before configuring port priority. Choose the menu QoS > DiffServ > Port Priority to load the following page.
Configuring QoS DiffServ Configuration 2.1.2 Configuring Schedule Mode Configure the schedule mode to control the forwarding sequence of different TC queues when congestion occurs. Choose the menu QoS > DiffServ > Schedule Mode to load the following page. Figure 2-4 Schedule Mode Follow these steps to configure the schedule mode: 1) Select a schedule mode. SP-Mode Strict-Priority Mode. In this mode, the queue with higher priority will occupy the whole bandwidth.
Queue Weight: Configure the weight value of each TC queue. In WRR mode, the 8 queues share the bandwidth according to the ratio of their weights. The default values of TC0, TC1, TC2, TC3, TC4, TC5, TC6 and TC7 are 1, 2, 4, 8, 16, 32, 64 and 127 respectively. In SP+WRR mode, TC7 and any queue whose weight value is set to 0 are in the SP group; the other queues, with non-zero weight values, belong to the WRR group.
Step 6  copy running-config startup-config   Save the settings in the configuration file.

The following example shows how to map CoS 2 to TC0 and keep the other CoS-id-TC mappings at their defaults:
Switch#configure
Switch(config)#qos queue cos-map 2 0
Switch(config)#show qos status
802.1p priority is enabled.
DSCP priority is disabled.
Step 5  show qos status      Verify that DSCP priority is enabled.
        show qos dscp-map    Verify the DSCP-TC mapping relations.
Step 6  end                  Return to privileged EXEC mode.
Step 7  copy running-config startup-config   Save the settings in the configuration file.
Configuring Port Priority
Select the desired port to set the priority. Packets from this ingress port are mapped to the TC queue based on the port priority.
Step 1  configure   Enter global configuration mode.
Step 2  interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list}   Enter interface configuration mode.
Step 3  show qos cos-map   Check the CoS-id-TC mapping relations.
Step 4  qos cos-id
Switch(config)#show qos cos-map
-----+-----+-----+-----+-----+-----+-----+-----+-----
Tag  |0    |1    |2    |3    |4    |5    |6    |7
-----+-----+-----+-----+-----+-----+-----+-----+-----
TC   |TC1  |TC0  |TC2  |TC3  |TC4  |TC5  |TC6  |TC7
-----+-----+-----+-----+-----+-----+-----+-----+-----
Switch(config)#interface range ten-gigabitEthernet 1/0/1-3
Switch(config-if-range)#qos 0
Switch(config-if-range)#show qos interface ten-gigabitEthernet 1/0/1-3
Port       CoS Value       LAG
---------- --------------- --
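The following added example (not part of the TP-Link guide) models how the three priority modes described in this section turn a frame into a TC queue. The CoS-id-TC table is the one printed by show qos cos-map above, which is what makes the "check the mapping first" note matter: CoS 0 lands in TC1 and CoS 1 in TC0. The DSCP-to-CoS grouping (DSCP // 8), the Frame class and the fallback for frames that lack the field the selected mode needs are assumptions of the example, not statements about the switch.

```python
# Added example, not TP-Link code: frame -> TC queue under the three priority modes.
from dataclasses import dataclass
from typing import Optional

# Tag-id/CoS-id -> TC queue, as printed by `show qos cos-map` on this page.
COS_TO_TC = {0: 1, 1: 0, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def dscp_to_cos(dscp: int) -> int:
    """Assumed DSCP -> CoS-id grouping (DSCP 0-7 -> CoS 0, 8-15 -> CoS 1, ...).

    The switch's own DSCP table (Table 5-4) is not reproduced here.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in 0..63")
    return dscp // 8


@dataclass
class Frame:
    ingress_port: str
    pcp: Optional[int] = None    # 802.1p priority from the VLAN tag; None if untagged
    dscp: Optional[int] = None   # DSCP from the IP header; None if not IP


def classify(frame: Frame, mode: str, port_cos: Optional[dict] = None) -> int:
    """Return the TC queue for `frame` under priority mode "802.1p", "dscp" or "port".

    port_cos maps port name -> CoS-id set with `qos <cos-id>` (port priority);
    ports not listed use CoS 0.  In every mode the CoS-id is finally mapped to
    a TC queue through COS_TO_TC.  A frame that has no field for the selected
    mode (untagged in 802.1p mode, non-IP in DSCP mode) falls back to the port
    CoS here; that fallback is an assumption of this example.
    """
    port_cos = port_cos or {}
    cos = port_cos.get(frame.ingress_port, 0)
    if mode == "802.1p":
        if frame.pcp is not None:
            cos = frame.pcp
    elif mode == "dscp":
        if frame.dscp is not None:
            cos = dscp_to_cos(frame.dscp)
    elif mode != "port":
        raise ValueError(f"unknown priority mode {mode!r}")
    if not 0 <= cos <= 7:
        raise ValueError("CoS-id must be in 0..7")
    return COS_TO_TC[cos]


if __name__ == "__main__":
    # Constructed frames; the port CoS values are those of Example 4.1.
    ports = {"Te1/0/1": 0, "Te1/0/2": 1}
    print(classify(Frame("Te1/0/1", pcp=0), "802.1p"))      # tag 0 -> CoS 0 -> TC1
    print(classify(Frame("Te1/0/1", pcp=1), "802.1p"))      # tag 1 -> CoS 1 -> TC0
    print(classify(Frame("Te1/0/1", dscp=46), "dscp"))      # EF -> CoS 5 -> TC5
    print(classify(Frame("Te1/0/2"), "port", ports))        # CoS 1 -> TC0
```

Whatever the mode, the last hop is always the CoS-id-TC table, so a DSCP or port-priority design that assumes "CoS 0 means the lowest queue" is wrong on this default table until qos queue cos-map is changed.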
Step 2  qos queue mode {sp | wrr | sp+wrr | equ}   Configure the schedule mode of the TC queues.
sp: Strict Priority mode. In SP mode, the queue with higher priority occupies the whole bandwidth. Packets in a lower-priority queue are sent only when the higher-priority queue is empty.
wrr: In WRR mode, packets in all queues are sent in turn, in proportion to the weight value of each queue. By default, the weight values of TC0 to TC7 are 1, 2, 4, 8, 16, 32, 64 and 127.
The following example shows how to configure the schedule mode as WRR, with the weight values of TC0 to TC7 as 4, 7, 10, 13, 16, 19, 22, 25:
Switch#configure
Switch(config)#qos queue mode wrr
Switch(config)#qos queue weight 0 4
Switch(config)#qos queue weight 1 7
Switch(config)#qos queue weight 2 10
Switch(config)#qos queue weight 3 13
Switch(config)#qos queue weight 4 16
Switch(config)#qos queue weight 5 19
Switch(config)#qos queue weight 6 22
Switch(config)#qos queue w
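To make the behaviour of the four schedule modes (SP, WRR, SP+WRR and Equ) in the GUI and CLI descriptions above concrete, here is an added round-based simulation; it is example code, not TP-Link's scheduler. The queue backlogs are constructed, the "round" is the simulation's own unit rather than a hardware timing claim, and the default weights are the 1, 2, 4, ..., 127 listed above. The SP+WRR grouping follows the text: TC7 plus every queue whose weight is 0 form the SP group and are drained before the WRR group gets a turn.

```python
# Added example, not TP-Link code: simulate sp / wrr / sp+wrr / equ scheduling.
from typing import Dict, Set

DEFAULT_WEIGHTS = {0: 1, 1: 2, 2: 4, 3: 8, 4: 16, 5: 32, 6: 64, 7: 127}


def sp_group(weights: Dict[int, int]) -> Set[int]:
    """In sp+wrr mode, TC7 and every queue with weight 0 form the SP group."""
    return {7} | {tc for tc, w in weights.items() if w == 0}


def simulate(mode: str, backlog: Dict[int, int], rounds: int,
             weights: Dict[int, int] = DEFAULT_WEIGHTS) -> Dict[int, int]:
    """Return how many packets each TC queue sent within `rounds` rounds.

    sp:     each round sends one packet from the highest non-empty queue.
    wrr:    each round lets every non-empty queue send up to its weight.
    equ:    each round lets every non-empty queue send one packet.
    sp+wrr: if any SP-group queue is non-empty, one packet from the highest
            of them; otherwise one WRR round over the remaining queues.
    """
    queue = dict(backlog)                 # constructed backlog, packets per TC
    sent = {tc: 0 for tc in queue}

    def send(tc: int, n: int) -> None:
        n = min(n, queue[tc])
        queue[tc] -= n
        sent[tc] += n

    def wrr_round(members) -> None:
        for tc in sorted(members):
            if queue[tc] > 0:
                send(tc, weights[tc])

    for _ in range(rounds):
        pending = [tc for tc in sorted(queue, reverse=True) if queue[tc] > 0]
        if not pending:
            break
        if mode == "sp":
            send(pending[0], 1)
        elif mode == "equ":
            for tc in pending:
                send(tc, 1)
        elif mode == "wrr":
            wrr_round(pending)
        elif mode == "sp+wrr":
            sp_pending = [tc for tc in pending if tc in sp_group(weights)]
            if sp_pending:
                send(sp_pending[0], 1)
            else:
                wrr_round(pending)
        else:
            raise ValueError(f"unknown schedule mode {mode!r}")
    return sent


if __name__ == "__main__":
    print(simulate("sp", {0: 50, 7: 50}, 60))     # TC7 drains before TC0 sends anything
    print(simulate("wrr", {0: 500, 7: 500}, 3))   # shares follow the 1:127 weight ratio
    print(simulate("equ", {0: 50, 7: 50}, 10))    # equal shares
    weights = {**DEFAULT_WEIGHTS, 3: 0}           # weight 0 moves TC3 into the SP group
    print(simulate("sp+wrr", {0: 100, 3: 5, 7: 5}, 12, weights))
```

The SP run shows the starvation risk the text hints at: a saturated high-priority queue blocks every lower queue until it empties, which is why SP is only appropriate when the high-priority source is trusted or rate-limited (for instance with the Bandwidth Control functions in the next chapter). Setting a weight to 0 in SP+WRR mode silently promotes that queue into the strict group, so weight changes on a live switch deserve the same care as priority changes.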
3 Bandwidth Control Configuration

To implement bandwidth control, you can:
»» Limit the ingress/egress traffic rate on each port by configuring the Rate Limit function;
»» Limit the forwarding rate of broadcast, multicast and UL (unknown unicast) frames on each port to prevent broadcast storms by configuring the Storm Control function.

3.1 Using the GUI
3.1.1 Configuring Rate Limit
Choose the menu QoS > Bandwidth Control > Rate Limit to load the following page.
LAG: Displays the aggregation group the port belongs to.
2) Click Apply.

3.1.2 Configuring Storm Control
Choose the menu QoS > Bandwidth Control > Storm Control to load the following page.
Figure 3-2 Storm Control
Follow these steps to configure the Storm Control function:
1) Select the port(s) and configure the upper rate limit for forwarding broadcast packets, multicast packets and UL frames.
Multicast Rate Mode / Multicast: To enable multicast rate control, select a multicast rate mode and specify the upper rate limit for receiving multicast packets in the Multicast field. Multicast traffic exceeding the rate is discarded. The switch supports the following three rate modes:
kbps: Specify the upper rate limit in kilobits per second, from 1 to 1000000 kbps. This mode is invalid if PPS is enabled.
Step 2  interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list}   Enter interface configuration mode.
Step 3  bandwidth {[ingress ingress-rate] [egress egress-rate]}   Configure the upper rate limit for the port to receive and send packets.
ingress-rate: The upper rate limit for receiving packets on the port. Valid values are from 1 to 1000000 Kbps.
Step 2  interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list}   Enter interface configuration mode.
Step 3  Use the following commands to specify the upper rate limit of broadcast packets, multicast packets and unknown unicast frames in pps:
storm-control pps   Configure the storm control mode as pps (packets per second) on the port.
The following example shows how to configure the upper rate limit of broadcast packets as 148800 pps on port 1/0/5:
Switch#configure
Switch(config)#interface ten-gigabitEthernet 1/0/5
Switch(config-if)#storm-control pps
Switch(config-if)#storm-control broadcast pps 148800
Switch(config-if)#show storm-control interface ten-gigabitEthernet 1/0/5
Port      BcRate           McRate         UlRate         LAG
--------- ---------------- -------------- -------------- -------------
Te1/0/
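As an added example (not TP-Link code), the block below shows the two things a practitioner usually wants when choosing a pps value for storm control: the line-rate arithmetic that explains a number like 148800 (the 64-byte frame rate of a 100 Mbps link is 148809 pps, so that value caps broadcast on a 10G port at roughly one percent of line rate), and a per-type packet-rate limiter that forwards or drops constructed frames the way the Storm Control function described above does. The whole-second counting window and the frame kinds are assumptions of the example; the page does not state the hardware's measurement interval.

```python
# Added example, not TP-Link code: pps line-rate arithmetic and a storm-control limiter.
from collections import Counter, defaultdict
from typing import Dict, Iterable, Tuple

# Preamble (8 bytes) plus inter-frame gap (12 bytes) that every frame carries on the wire.
FRAME_OVERHEAD_BYTES = 20


def max_frame_rate_pps(link_mbps: float, frame_bytes: int = 64) -> int:
    """Maximum frames per second a link can carry at a given frame size."""
    bits_per_frame = (frame_bytes + FRAME_OVERHEAD_BYTES) * 8
    return int(link_mbps * 1_000_000 // bits_per_frame)


def apply_storm_control(frames: Iterable[Tuple[int, str]],
                        limits_pps: Dict[str, int]) -> Tuple[Counter, Counter]:
    """Forward or drop each (timestamp_ms, kind) frame against per-kind pps limits.

    kind is "broadcast", "multicast", "unknown-unicast" or "unicast".  A kind
    with no entry in limits_pps is never limited (known unicast is not subject
    to storm control).  Frames are counted per whole second, the simplest
    reading of "packets per second"; that window is an assumption here.
    Returns (forwarded, dropped) counters keyed by kind.
    """
    seen: Dict[Tuple[str, int], int] = defaultdict(int)
    forwarded, dropped = Counter(), Counter()
    for ts_ms, kind in frames:
        limit = limits_pps.get(kind)
        window = (kind, ts_ms // 1000)
        if limit is not None and seen[window] >= limit:
            dropped[kind] += 1
            continue
        seen[window] += 1
        forwarded[kind] += 1
    return forwarded, dropped


if __name__ == "__main__":
    print(max_frame_rate_pps(100))       # 148809: 64-byte line rate of a 100 Mbps link
    print(max_frame_rate_pps(10_000))    # 14880952: the same on a 10 Gbps port
    # Constructed traffic: 100 broadcast frames per second for 5 s, a few
    # unicast and multicast frames, and a 60 pps broadcast / 3 pps multicast limit.
    sample = [(i * 10, "broadcast") for i in range(500)]
    sample += [(500, "unicast")] * 10 + [(1500, "multicast")] * 5
    print(apply_storm_control(sample, {"broadcast": 60, "multicast": 3}))
```

A limit expressed in pps is independent of frame size, which is why pps mode is the usual choice for broadcast storms made of small frames; a kbps limit would let a storm of 64-byte frames through at a far higher packet rate than the same limit applied to full-size frames.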
4 Configuration Examples

4.1 Example for Configuring SP Mode
4.1.1 Network Requirements
Two hosts, Admin and Host A, access the local network server through the switch. Configure the switch so that traffic from Admin is treated preferentially when congestion occurs: traffic from Host A is forwarded only after the traffic from Admin has been completely forwarded. The figure below shows the network topology.
4.1.3 Using the GUI
1) Choose QoS > DiffServ > 802.1P Priority to load the following page, and check which CoS-ids map to TC0 and TC1.
Figure 4-2 CoS-TC Mapping Relations
2) Choose QoS > DiffServ > Port Priority to load the following page, and set the priority for port 1/0/1 to CoS 0 (mapping to TC1) and the priority for port 1/0/2 to CoS 1 (mapping to TC0).
3) Choose QoS > DiffServ > Schedule Mode to load the following page, and select SP-Mode as the schedule mode. Click Apply.
Figure 4-4 Configure Schedule Mode
4) Click Save Config to save the settings.

4.1.4 Using the CLI
1) Check which CoS-ids map to TC0 and TC1.
3) Select SP-Mode as the schedule mode and save the settings.
Switch(config)#qos queue mode sp
Switch(config)#exit
Switch#copy running-config startup-config

Verify the configuration
Verify the port-CoS mapping:
Switch(config)#show qos interface
Port      CoS Value    LAG
--------- ------------ ------------
Te1/0/1   0            N/A
Te1/0/2   1            N/A
...
Verify the schedule mode.
Figure 4-5 QoS Application Topology (Switch A ports Te1/0/1-3; VLAN 10 RD Dept. 10.10.10.0/24; VLAN 20 Marketing Dept. 10.10.20.0/24; Switch B ports Gi1/0/1-2; Router; Server 10.10.88.5/24)

4.2.2 Configuration Scheme
Configure Switch A to add different VLAN tags to the packets from the two departments respectively.
Figure 4-6 Configure VLAN 10
2) Click Create again to load the following page. Create VLAN 20 with the description Marketing. Add port 1/0/2 as an untagged port and port 1/0/3 as a tagged port to VLAN 20. Then click Apply.
Figure 4-7 Configure VLAN 20
3) Click Save Config to save the settings.

Configurations for Switch B (Demonstrated with T3700G-28TQ)
1) Choose VLAN > 802.1Q VLAN > Port Config to load the following page. For port 1/0/1, set the Link Type as TRUNK, and for port 1/0/2, set the Link Type as ACCESS. Click Apply.
Figure 4-8 Configure the Port
2) Choose VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10 and VLAN 20, and add port 1/0/1 to both VLANs; create VLAN 30, and add port 1/0/2 to VLAN 30.
Figure 4-9 Configure VLAN 10
Figure 4-10 Configure VLAN 20
Figure 4-11 Configure VLAN 30
3) Create MAC ACL 10 with Rule ID 1 and Operation Permit.
Choose ACL > ACL Config > ACL Create to load the following page. Create ACL 10, and click Apply.
Figure 4-12 Create MAC ACL 10
Choose ACL > ACL Config > MAC ACL to load the following page. Select ACL 10, specify the Rule ID as 1 and the Operation as Permit. Click Apply.
Figure 4-13 Create Rule 1
4) Create Policy RD, bind it to ACL 10, select QoS Remark and set Local Priority to TC1.
Choose ACL > Policy Config > Policy Create to load the following page. Create a policy with the Policy Name RD and click Apply.
Figure 4-14 Create Policy RD
Choose ACL > Policy Config > Action Create to load the following page. Select Policy RD and ACL 10, click QoS Remark and set the Local Priority to TC1. Click Apply.
Figure 4-15 Action Create
5) Create Policy Marketing, bind it to ACL 10, select QoS Remark and set Local Priority to TC0.
Choose ACL > Policy Config > Policy Create to load the following page. Create a policy with the Policy Name Marketing and click Apply.
Figure 4-16 Create Policy Marketing
Choose ACL > Policy Config > Action Create to load the following page. Select Policy Marketing and ACL 10, click QoS Remark and set the Local Priority to TC0.
Figure 4-17 Action Create
6) Choose ACL > Policy Binding > VLAN Binding. Bind Policy RD and Policy Marketing to VLAN 10 and VLAN 20 respectively.
Figure 4-18 Bind Policy RD to VLAN 10
Figure 4-19 Bind Policy Marketing to VLAN 20
7) Choose QoS > DiffServ > Schedule Mode. Select WRR-Mode as the schedule mode, and click Apply. No priority-mode configuration is required here, because the TC queue assigned by the ACL policy action takes precedence over the queue derived from the port or 802.1P mapping.
Figure 4-20 Configure Schedule Mode
8) Click Save Config to save the settings.

4.2.4 Using the CLI
Note: Before configuration, ensure the network segments are reachable from each other.
Configurations for Switch A (Demonstrated with T1700X-16TS)
1) Create VLAN 10 with the name RD and VLAN 20 with the name Marketing.
Switch_A#copy running-config startup-config

Configurations for Switch B (Demonstrated with T3700G-28TQ)
1) Create VLAN 10 and VLAN 20. Configure the Link Type of port 1/0/1 as Trunk, and add it to both VLANs.
Switch_B(config)#access-list policy action RD 10
Switch_B(config-action)#qos-remark priority 1
Switch_B(config-action)#exit
5) Create Policy Marketing and bind it to ACL 10, enable QoS Remark and set Local Priority to TC0.
10     RD         active    Te1/0/1, Te1/0/3
20     Marketing  active    Te1/0/2, Te1/0/3

Switch B:
Verify the ACL configuration:
Switch_B#show access-list
Mac access list 10
  1 permit
Verify the Policy and Action configuration:
Switch_B(config)#show access-list policy
Policy name : RD
  access-list 10 priority 1
Policy name : Marketing
  access-list 10 priority 0
Verify the Policy binding:
Switch_B#show access-list bind
Index   Policy Name   Interface/VID   Direction   Type
------- --------------
5 Appendix: Default Parameters

DiffServ
Table 5-1 DiffServ
Parameter        Default Setting
Port Priority    Enabled. Packets from all ports are mapped to the same TC queue.
802.1P Priority  Enabled. See Table 5-3 for Tag-id/CoS-id-TC mapping relations.
DSCP Priority    Disabled. See Table 5-4 for DSCP-CoS-id mapping relations.
Schedule Mode    Equ-Mode.
Bandwidth Control
Table 5-4 Bandwidth Control
Parameter      Default Setting
Rate Limit     Disabled
Storm Control  Disabled
Part 18 Configuring Voice VLAN

CHAPTERS
1. Overview
2. Voice VLAN Configuration
3. Configuration Example
4.
1 Overview

The voice VLAN feature is used to prioritize the transmission of voice traffic. Voice traffic is typically more time-sensitive than data traffic, and voice quality degrades noticeably with packet loss and delay. To ensure high voice quality, you can configure a voice VLAN and set a priority for voice traffic.

Voice VLAN Modes on Ports
A voice VLAN can operate in two modes: manual mode and automatic mode.
OUI Address (Organizationally Unique Identifier Address)
The OUI address is used by the switch to determine whether a packet is a voice packet. An OUI address is the first 24 bits of a MAC address, and is assigned as a unique identifier by the IEEE (Institute of Electrical and Electronics Engineers) to a device vendor.
2 Voice VLAN Configuration

To complete the Voice VLAN configuration, follow these steps:
1) Create a VLAN.
2) (Optional) Configure OUI addresses.
3) Configure Voice VLAN globally.
4) Configure Voice VLAN mode on ports.

Configuration Guidelines
Before configuring voice VLAN, you need to create a VLAN for voice traffic. For details about VLAN configuration, refer to Configuring 802.1Q VLAN.
2.1 Using the GUI

2.1.1 (Optional) Configuring OUI Addresses
If the OUI address of your voice device is not in the OUI table, you need to add it to the table.
Choose the menu QoS > Voice VLAN > OUI Config to load the following page.
Figure 2-1 Configuring OUI Addresses
Follow these steps to add OUI addresses:
1) Enter an OUI address and the corresponding mask, and give a description of the OUI address.
2.1.2 Configuring Voice VLAN Globally
Choose the menu QoS > Voice VLAN > Global Config to load the following page.
Figure 2-2 Configuring Voice VLAN Globally
Follow these steps to configure the voice VLAN globally:
1) Enable the voice VLAN feature, and enter a VLAN ID.
VLAN ID: Specify an existing VLAN as the voice VLAN.
2) Set the aging time for the voice VLAN.
2.1.3 Configuring Voice VLAN Mode on Ports
Choose the menu QoS > Voice VLAN > Port Config to load the following page.
Figure 2-3 Configuring Voice VLAN Mode on Ports
Follow these steps to configure voice VLAN mode on ports:
1) Select your desired ports and choose the port mode.
Port Mode: Choose the way the selected ports are added to the voice VLAN.
Security Mode: For packets that will be forwarded in the voice VLAN, you can enable security mode to prevent malicious traffic carrying a forged voice VLAN tag: only packets whose source MAC address matches an OUI entry are forwarded in the voice VLAN. For packets to other VLANs, how the switch processes the packets is determined by whether the selected ports permit that VLAN, independent of the voice VLAN security mode.
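The added example below (not TP-Link code) shows the two checks that the OUI table and the port settings above boil down to: matching a source MAC against an OUI entry with its mask, which is what decides both whether an automatic-mode port joins the voice VLAN and whether a security-mode port forwards a frame tagged for it. The OUI entries, MAC addresses and Frame class are constructed for the example and are not the switch's default OUI table; the "not-voice-vlan" label for frames of other VLANs only marks that they are outside voice VLAN processing, as the text says.

```python
# Added example, not TP-Link code: OUI matching, auto-mode join and security-mode forwarding.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


# (OUI address, mask, description): a 1 bit in the mask must match.  The usual
# mask FF-FF-FF-00-00-00 compares only the 24-bit OUI.  Constructed entries.
OUI_TABLE: List[Tuple[str, str, str]] = [
    ("00-11-22-00-00-00", "FF-FF-FF-00-00-00", "Constructed phone vendor A"),
    ("AA-BB-CC-D0-00-00", "FF-FF-FF-F0-00-00", "Constructed vendor B, 28-bit block"),
]


def lookup_oui(mac: str, table=OUI_TABLE) -> Optional[str]:
    """Return the description of the first OUI entry matching `mac`, else None."""
    m = mac_to_int(mac)
    for oui, mask, desc in table:
        msk = mac_to_int(mask)
        if (m & msk) == (mac_to_int(oui) & msk):
            return desc
    return None


@dataclass
class Frame:
    src_mac: str
    vlan: Optional[int]       # VLAN ID from the tag; None if untagged


def should_join_voice_vlan(frame: Frame, table=OUI_TABLE) -> bool:
    """Automatic mode: a port joins the voice VLAN when it receives a frame whose
    source MAC matches an OUI entry (and leaves again after the aging time)."""
    return lookup_oui(frame.src_mac, table) is not None


def voice_vlan_decision(frame: Frame, voice_vid: int, security_mode: bool,
                        table=OUI_TABLE) -> str:
    """Decide what a voice-VLAN port does with a frame: "forward", "drop" or
    "not-voice-vlan".  With security mode on, a frame tagged with the voice
    VLAN whose source MAC matches no OUI entry is dropped (the forged-tag case)."""
    if frame.vlan != voice_vid:
        return "not-voice-vlan"
    if security_mode and lookup_oui(frame.src_mac, table) is None:
        return "drop"
    return "forward"


if __name__ == "__main__":
    phone = Frame("00-11-22-AB-CD-EF", 10)           # constructed IP phone, tagged VLAN 10
    pc = Frame("DE-AD-BE-EF-00-01", 10)               # constructed PC forging the voice tag
    print(voice_vlan_decision(phone, 10, True))       # forward
    print(voice_vlan_decision(pc, 10, True))          # drop
    print(voice_vlan_decision(pc, 10, False))         # forward: security mode off
    print(should_join_voice_vlan(Frame("00-11-22-01-02-03", None)))   # True
```

Security mode only raises the bar from "any device that tags VLAN 10" to "any device that spoofs a phone vendor's OUI", which is trivial for an attacker who can set a MAC address; treat it as hygiene against accidental leakage into the voice VLAN rather than as authentication, and pair it with 802.1X or port security where voice traffic actually needs protecting.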
Step 5  voice vlan aging time   (Optional) Set the aging time for ports in automatic voice VLAN mode.
time: The length of time that a port remains in the voice VLAN after it receives a voice packet. Aging time applies only to ports in automatic voice VLAN mode. The range is 1 to 43200 minutes; the default is 1440 minutes.
Step 6  voice vlan vid   Specify an existing VLAN as the voice VLAN.
Step 13  end   Return to privileged EXEC mode.
Step 14  copy running-config startup-config   Save the settings in the configuration file.

The following example shows how to set port 1/0/1 in manual voice VLAN mode. Configure the switch to forward voice traffic with an IEEE 802.
3 Configuration Example

3.1 Network Requirements
The company plans to install IP phones in the office area and the meeting room, with the following requirements:
In the office area
»» IP phones share the switch ports used by computers, because no more ports are available for IP phones.
»» Voice traffic is transmitted on an exclusive path with high quality.
»» Attacks from malicious data flows are prevented.
In the meeting room, computers and IP phones are connected to different ports of Switch B. Ports connected to IP phones use the voice VLAN for voice traffic, and ports connected to computers use the default VLAN for data traffic. Voice traffic from Switch A and Switch B is forwarded to the voice gateway and the Internet through Switch C.
Figure 3-1 Network Topology (Internet; Switch C ports Te1/0/1, Te1/0/2 and Te1/0/3; Switch A and Switch B; IP Phone 10 ......)
Figure 3-2 Creating a VLAN
2) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable voice VLAN, enter 10 in the VLAN ID field, set the aging time as 1440 minutes and the priority as 6. Then click Apply.
Figure 3-3 Configuring Voice VLAN Globally
3) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Select port 1/0/1, choose auto mode and enable security mode. Select port 1/0/2 and choose manual mode.
Figure 3-4 Configuring Voice VLAN Mode on Port 1/0/1
Figure 3-5 Configuring Voice VLAN Mode on Port 1/0/2
4) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and edit VLAN 10 to load the following page. Add port 1/0/2 to the voice VLAN.
Figure 3-6 Adding Port 1/0/2 to the Voice VLAN
5) Choose the menu LLDP > Basic Config > Global Config to load the following page. Enable LLDP globally.
Figure 3-7 Enabling LLDP Globally
6) Choose the menu LLDP > LLDP-MED > Global Config to load the following page. Set the fast start count as 4.
Figure 3-9 Configuring LLDP-MED on Ports
Click Detail for port 1/0/1 to load the following page. Configure the TLV information that will be carried in the LLDP-MED frames sent out by port 1/0/1. Select all TLVs, and configure the location identification parameters.
Figure 3-10 Configuring TLVs
For details about LLDP-MED, refer to Configuring LLDP.
8) Click Save Config to save the settings.

Configurations for Switch B
1) Choose the menu VLAN > 802.
Figure 3-11 Creating a VLAN
2) Choose the menu QoS > Voice VLAN > Global Config to load the following page. Enable voice VLAN, enter 10 in the VLAN ID field and set the priority as 6.
Figure 3-12 Configuring Voice VLAN Globally
3) Choose the menu QoS > Voice VLAN > Port Config to load the following page. Select ports 1/0/1-3, choose manual mode and enable security mode.
Figure 3-13 Configuring Voice VLAN Mode on Ports
4) Choose the menu VLAN > 802.
Figure 3-14 Adding Ports to the Voice VLAN
5) Click Save Config to save the settings.

Configurations for Switch C
1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config and click Create to load the following page. Create VLAN 10 and add ports 1/0/1-3 as tagged ports to the VLAN.
Figure 3-15 Creating a VLAN and Adding Ports to the VLAN
2) Click Save Config to save the settings.

3.5 Using the CLI
Configurations for Switch A
1) Create VLAN 10.
Switch_A#configure
Switch_A(config)#vlan 10
Switch_A(config-vlan)#name VoiceVLAN
Switch_A(config-vlan)#exit
2) Configure the aging time as 1440 minutes for ports in automatic voice VLAN mode, and set the 802.1p priority of voice packets as 6. Set VLAN 10 as the voice VLAN.
Switch_A(config-if)#switchport voice vlan mode auto
Switch_A(config-if)#switchport voice vlan security
Switch_A(config-if)#exit
4) Configure port 1/0/2 to manual voice VLAN mode, and add it to the voice VLAN as a tagged port.
3) Configure ports 1/0/1-3 to manual voice VLAN mode and enable security mode.
Switch_B(config)#interface range ten-gigabitEthernet 1/0/1-3
Switch_B(config-if-range)#switchport voice vlan mode manual
Switch_B(config-if-range)#switchport voice vlan security
Switch_B(config-if-range)#exit
4) Add ports 1/0/1-3 to the voice VLAN.
Voice Priority: 6
Verify the voice VLAN configuration on the ports:
Switch_A#show voice vlan switchport
Port     Auto-mode    Security     State        LAG
------   ------------ ------------ ------------ ------
Te1/0/1  Auto         Enabled      Inactive     N/A
Te1/0/2  Manual       Disabled     Active       N/A
Te1/0/3  Auto         Disabled     Inactive     N/A
......
VLAN   Name              Status    Ports
-----  ----------------  --------  --------------------------------
10     VoiceVlan         active    Te1/0/1, Te1/0/2, Te1/0/3
4 Appendix: Default Parameters

Default settings of the voice VLAN are listed in the following tables.
Part 19 Configuring ACL

CHAPTERS
1. ACL
2. ACL Configurations
3. Configuration Example for ACL
4.
1 ACL

1.1 Overview
The rapid growth of network size and traffic brings challenges to network security and bandwidth allocation. Packet filtering helps prevent unauthorized access, limit network traffic and improve bandwidth use. An ACL (Access Control List) filters traffic as it passes through the switch, permitting or denying packets that cross the specified interfaces or VLANs. It identifies and processes packets precisely according to the ACL rules.
2 ACL Configurations

To configure ACL Binding, follow these steps:
1) Create an ACL and configure the rules.
2) Bind the ACL to a port or VLAN.
To configure Policy Binding, follow these steps:
1) Create an ACL and configure the rules.
2) Create a Policy and configure the policy action.
3) Bind the Policy to a port or VLAN.
Choose the menu ACL > ACL Config > ACL Create to load the following page.
Figure 2-1 Creating an ACL
Follow these steps to create an ACL:
1) Enter a number to identify the ACL.
ACL ID: Enter a number to identify the ACL.
2) Click Apply.

2.1.2 Configuring ACL Rules
Add rules to the ACL. For details, refer to "Configuring the MAC ACL Rule", "Configuring the Standard-IP ACL Rule", "Configuring the Extend-IP ACL Rule", and "Configuring the IPv6 ACL Rule".
ACL ID: Select a MAC ACL from the drop-down list.
Rule ID: Specify the rule ID, which ranges from 0 to 999. It must not be the same as any existing MAC ACL rule ID.
Operation: Select the operation to be performed when a packet matches the rule.
Permit: Forward the matched packets.
Deny: Discard the matched packets.
2) Configure the rule's packet-matching criteria.
S-MAC/Mask: Enter the source MAC address with a mask.
Operation: Select the operation to be performed when a packet matches the rule.
Permit: Forward the matched packets.
Deny: Discard the matched packets.
2) Configure the rule's packet-matching criteria.
S-IP/Mask: Specify the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
D-IP/Mask: Specify the destination IP address with a mask.
2) Configure the rule's packet-matching criteria.
S-IP/Mask: Specify the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
D-IP/Mask: Specify the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.
IP Protocol: Select a protocol type from the drop-down list.
Rule ID: Specify the rule ID, which ranges from 0 to 999. It must not be the same as any existing IPv6 ACL rule ID.
Operation: Select the operation to be performed when a packet matches the rule.
Permit: Forward the matched packets.
Deny: Discard the matched packets.
2) Configure the rule's packet-matching criteria.
DSCP: Specify a DSCP value to be matched.
Flow Label: Specify a Flow Label value to be matched.
Choose the menu ACL > ACL Config > ACL Summary to load the following page.
Figure 2-6 ACL Information

2.1.3 Configuring Policy
To configure the policy, follow these steps:
1) Create a policy.
2) Apply an ACL to the Policy.

Creating a Policy
Choose the menu ACL > Policy Config > Policy Create to load the following page.
Figure 2-7 Creating a Policy
Follow these steps to create a policy: Enter a Policy Name, and click Apply.
Follow these steps to configure the action of the policy: Select your preferred policy and ACL, and click Apply.
Select Policy: Select a Policy from the drop-down list.
Select ACL: Select an ACL to be applied to the Policy.

2.1.4 Configuring the ACL Binding and Policy Binding
You can select ACL binding or Policy binding according to your needs. An ACL or Policy takes effect only after it is bound to a port or VLAN.
Binding the ACL to a VLAN
Choose the menu ACL > ACL Binding > VLAN Binding to load the following page.
Figure 2-10 Binding the ACL to a VLAN
Follow these steps to bind the ACL to a VLAN: Select the ACL and enter the VLAN ID, and click Apply.
ACL ID: Select an ACL from the drop-down list.
VLAN ID: Enter the VLAN ID.

Configuring the Policy Binding
You can bind the Policy to a port or a VLAN.
Binding the Policy to a Port
Choose the menu ACL > Policy Binding > Port Binding to load the following page.
Figure 2-11 Binding the Policy to a Port
Follow these steps to bind the Policy to a port: Select the Policy and the port to be bound, and click Apply.
Policy Name: Select a Policy from the drop-down list.

Binding the Policy to a VLAN
Choose the menu ACL > Policy Binding > VLAN Binding to load the following page.
Policy Name: Select a Policy from the drop-down list.
VLAN ID: Enter the VLAN ID.

Verifying the Binding Configuration
Verifying the ACL Binding
You can view both port binding and VLAN binding entries in the table. You can also delete existing entries if needed.
Choose the menu ACL > ACL Binding > Binding Table to load the following page.
Choose the menu ACL > Policy Binding > Binding Table to load the following page.
Figure 2-14 Verifying the Policy Binding

2.2 Using the CLI

2.2.1 Configuring ACL
Follow the steps to create the different types of ACL and configure the ACL rules. You can define the rules based on source or destination IP addresses, source or destination MAC addresses, protocol type and so on.
Step 3  rule rule-id {deny | permit} [[smac source-mac] smask source-mac-mask] [[dmac destination-mac] dmask destination-mac-mask]   Add a MAC ACL rule.
rule-id: Specify the rule ID, which ranges from 0 to 999. It must not be the same as any existing MAC ACL rule ID.
deny | permit: Specify the operation to be performed on packets that match the rule. By default, it is set to permit.
Configuring the Standard-IP ACL
Step 1  configure   Enter global configuration mode.
Step 2  access-list create access-list-num   Create a Standard-IP ACL.
access-list-num: Enter an ACL ID. The ID ranges from 500 to 1499.
Step 3  access-list standard acl-id rule rule-id {deny | permit} [[sip source-ip] smask source-ip-mask] [[dip destination-ip] dmask destination-ip-mask]   Add a rule to the ACL.
acl-id: The ID number of the ACL you have created.
rule 1 permit sip 192.168.1.100 smask 255.255.255.255
Switch(config)#end
Switch#copy running-config startup-config

Configuring the Extend-IP ACL
Step 1  configure   Enter global configuration mode.
Step 2  access-list create access-list-num   Create an Extend-IP ACL.
access-list-num: Enter an ACL ID. The ID ranges from 1500 to 2499.
Switch(config)#access-list create 1700
Switch(config)#access-list extended 1700 rule 7 deny sip 192.168.2.100 smask 255.255.255.255 protocol 6 d-port 23
Switch(config)#show access-list 1700
Extended IP access list 1700
  rule 7 deny sip 192.168.2.100 smask 255.255.255.
Step 3  access-list ipv6 acl-id rule rule-id {permit | deny} [dscp dscp-value] [flow-label flow-label-value] [sip source-ip-address sip-mask source-ip-mask] [dip destination-ip-address dip-mask destination-ip-mask] [s-port source-port-number] [d-port destination-port-number]   Add a rule to the ACL.
acl-id: The ID number of the ACL you have created.
rule-id: Specify the rule ID, which ranges from 0 to 999.
Switch(config)#show access-list 3600
IPv6 access list 3600
  rule 1 deny sip cdcd:910a:2222:5498:8475:1111:3900:2020 sip-mask ffff:ff:ff:ffff:ffff
Switch(config)#end
Switch#copy running-config startup-config

2.2.2 Configuring Policy
Follow the steps below to create a policy and configure the policy actions.
Step 1  configure   Enter global configuration mode.
Step 2  access-list policy name name   Create a Policy.
name: Assign the policy a name of 1 to 16 characters.
access-list 600
Switch(config)#end
Switch#copy running-config startup-config

2.2.3 ACL Binding and Policy Binding
You can select ACL binding or Policy binding according to your needs. An ACL or Policy takes effect only after it is bound to a port or VLAN.

ACL Binding
You can bind the ACL to a port or a VLAN. Received packets are then matched and processed according to the ACL rules.
Switch(config-if)#exit
Switch(config)#interface vlan 4
Switch(config-if)#access-list bind acl 2
Switch(config-if)#show access-list bind
Index  Policy Name  Interface/VID  Direction  Type
-----  -----------  -------------  ---------  ----
Index  ACL ID       Interface/VID  Direction  Type
-----  -----------  -------------  ---------  ----
1      1            Te1/0/3        Ingress    Port
2      2            4              Ingress    Vlan
Switch(config-if)#end
Switch#copy running-config startup-config

Policy Binding
You ca
Step 5  copy running-config startup-config   Save the settings in the configuration file.
3 Configuration Example for ACL

3.1 Network Requirements
A company's server group provides different types of services. It is required that:
»» The Marketing department can only access the server group.
»» The Marketing department can only visit HTTP and HTTPS websites on the Internet.
3.
2) Configure permit rules to match packets with source IP address 10.10.70.0/24 and destination ports TCP 80, TCP 443 and TCP/UDP 53. These rules allow the Marketing department to visit HTTP and HTTPS websites on the Internet (the DNS rules are needed so that the websites' names can be resolved).
3) Configure a deny rule to match packets with source IP address 10.10.70.0/24. This rule blocks all other network services.
The switch matches packets against the rules in order, starting with Rule 1, so the deny rule must have the highest rule ID of the set.
Figure 3-3 Configuring Rule 1
3) Choose the menu ACL > ACL Config > Extend ACL to load the following page. Configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0/24 and destination port TCP 80 (HTTP service port) or TCP 443 (HTTPS service port).
4) Choose the menu ACL > Policy Config > Policy Create to load the following page. Configure Rule 4 and Rule 5 to permit packets with source IP 10.10.70.0 and destination port TCP 53 or UDP 53 (DNS service port).
Figure 3-6 Configuring Rule 4
Figure 3-7 Configuring Rule 5
5) Choose the menu ACL > Policy Config > Policy Create to load the following page. Configure Rule 6 to deny packets with source IP 10.10.70.0.
Figure 3-8 Configuring Rule 6
6) Choose the menu ACL > Policy Config > Policy Create to load the following page. Then create Policy Market.
Figure 3-9 Creating the Policy
7) Choose the menu ACL > Policy Config > Action Create to load the following page. Then apply ACL 1600 to Policy Market.
Figure 3-10 Applying the ACL to the Policy
8) Choose the menu ACL > Policy Binding > Port Binding to load the following page.
Figure 3-11 Binding the Policy to Port 1/0/1
9) Click Save Config to save the settings.
3.5 Using the CLI
1) Create Extended-IP ACL 1600.
Switch#configure
Switch(config)#access-list create 1600
2) Configure rule 1 to permit packets with source IP 10.10.70.0 and destination IP 10.10.80.0.
Switch(config)#access-list extended 1600 rule 1 permit sip 10.10.70.0 smask 255.255.255.0 dip 10.10.80.0 dmask 255.255.255.
Switch(config)#access-list extended 1600 rule 5 permit sip 10.10.70.0 smask 255.255.255.0 protocol 17 d-port 53
5) Configure Rule 6 to deny packets with source IP 10.10.70.0.
Switch(config)#access-list extended 1600 rule 6 deny sip 10.10.70.0 smask 255.255.255.0
6) Create Policy Market, and then apply ACL 1600 to it.
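The Marketing-department ACL from sections 3.4 and 3.5, modelled as an added example (not code from the guide or from TP-Link) to show how first-match evaluation makes the rule order decisive. The packet representation and the treatment of traffic that matches no rule are assumptions of the model.

```python
"""Added example, not from the TP-Link guide: a model of how Extended-IP ACL 1600
from the Marketing example is evaluated, first match wins, in rule-number order."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

TCP, UDP = 6, 17  # protocol numbers as used by "protocol 6" / "protocol 17" in the CLI


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    sip: Optional[IPv4Network] = None  # source network (sip + smask); None = any
    dip: Optional[IPv4Network] = None  # destination network (dip + dmask); None = any
    protocol: Optional[int] = None     # IP protocol number; None = any
    d_port: Optional[int] = None       # destination L4 port; None = any

    def matches(self, pkt: dict) -> bool:
        """A rule matches only if every field it specifies matches the packet."""
        if self.sip is not None and IPv4Address(pkt["sip"]) not in self.sip:
            return False
        if self.dip is not None and IPv4Address(pkt["dip"]) not in self.dip:
            return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.d_port is not None and pkt.get("d_port") != self.d_port:
            return False
        return True


MARKETING = IPv4Network("10.10.70.0/24")  # sip 10.10.70.0 smask 255.255.255.0
SERVERS = IPv4Network("10.10.80.0/24")    # dip 10.10.80.0 dmask 255.255.255.0

# ACL 1600 as built in sections 3.4 / 3.5, in rule-number order.
ACL_1600 = [
    Rule(1, "permit", sip=MARKETING, dip=SERVERS),
    Rule(2, "permit", sip=MARKETING, protocol=TCP, d_port=80),
    Rule(3, "permit", sip=MARKETING, protocol=TCP, d_port=443),
    Rule(4, "permit", sip=MARKETING, protocol=TCP, d_port=53),
    Rule(5, "permit", sip=MARKETING, protocol=UDP, d_port=53),
    Rule(6, "deny", sip=MARKETING),
]

# Moving the deny ahead of the permits shows why rule order matters: it would
# shadow every permit that follows it.
ACL_1600_DENY_FIRST = [Rule(0, "deny", sip=MARKETING)] + ACL_1600[:5]


def evaluate(acl, pkt: dict):
    """Walk the ACL in rule-number order and return (action, rule_id) of the first
    match. A packet matching no rule is returned as ("permit", None): this model
    assumes un-matched traffic is forwarded; the guide does not state this."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return "permit", None


def pkt(sip, dip, protocol=None, d_port=None):
    """Constructed sample packet header: only the fields the ACL inspects."""
    return {"sip": sip, "dip": dip, "protocol": protocol, "d_port": d_port}


if __name__ == "__main__":
    for p in (pkt("10.10.70.5", "10.10.80.9", TCP, 22),      # to the server group
              pkt("10.10.70.5", "203.0.113.10", TCP, 443),   # HTTPS to the Internet
              pkt("10.10.70.5", "203.0.113.53", UDP, 53),    # DNS
              pkt("10.10.70.5", "203.0.113.10", TCP, 22)):   # SSH to the Internet
        print(p, "->", evaluate(ACL_1600, p))
```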
4 Appendix: Default Parameters
For MAC ACL:
Parameter    Default Setting
Operation    Permit
For Standard-IP ACL:
Parameter    Default Setting
Operation    Permit
For Extend-IP ACL:
Parameter    Default Setting
Operation    Permit
IP Protocol  All
For IPv6 ACL:
Parameter    Default Setting
Operation    Permit
Configuration Guide 538
Part 20 Configuring Network Security
CHAPTERS
1. Network Security
2. IP-MAC Binding Configurations
3. DHCP Snooping Configuration
4. ARP Inspection Configurations
5. DoS Defend Configuration
6. 802.1X Configuration
7. AAA Configuration
8. Configuration Examples
9.
1 Network Security
1.1 Overview
Network Security provides multiple protection measures for the network. Users can configure the security functions according to their needs.
1.2 Supported Features
The switch supports multiple network security features, such as IP-MAC Binding, DHCP Snooping and ARP Inspection.
Figure 1-1 Network Topology of Basic DHCP Security (the legal DHCP server is connected to a trusted port; the clients and an illegal DHCP server are connected to untrusted ports of the switch)
Additionally, with DHCP Snooping, the switch can monitor the IP address obtaining process of each client host and record the IP address, MAC address, VLAN ID and the connected port number of the host for automatic binding.
Option 82
Option 82 records the location of the DHCP client.
DoS Defend
The DoS (Denial of Service) Defend feature provides protection against DoS attacks. DoS attacks maliciously occupy the network bandwidth by sending numerous service requests to the hosts, resulting in abnormal service or a breakdown of the network. With the DoS Defend feature, the switch can analyze specific fields of the IP packets, identify malicious DoS attack packets and discard them directly.
server and send them to the client. The authenticator allows authenticated clients to access the LAN through the connected ports but denies clients from accessing the LAN through unauthenticated ports.
Authentication Server
The authentication server is usually the host running the RADIUS server program. It stores information about clients, confirms whether a client is legal and informs the authenticator whether a client is authenticated.
2 IP-MAC Binding Configurations
You can complete IP-MAC binding in two ways:
Manual Binding
Dynamic Binding (including ARP Scanning and DHCP Snooping)
Additionally, you can search for specified entries in the Binding Table.
2.1 Using the GUI
2.1.
Host Name    Enter the host name for identification.
IP Address   Enter the IP address.
MAC Address  Enter the MAC address.
VLAN ID      Enter the VLAN ID.
2) Select the protect type for the entry.
Protect Type  Select the protect type for the entry:
None: This entry will not be applied to any feature.
ARP Detection: This entry will be applied to the ARP Detection feature.
3) Select the port that is connected to this host.
4) Click Bind.
2.1.
Choose the menu Network Security > IP-MAC Binding > ARP Scanning to load the following page.
Figure 2-2 ARP Scanning
Follow these steps to configure IP-MAC Binding via ARP scanning:
1) In the Scanning Option section, specify an IP address range and a VLAN ID. Then click Scan to scan the entries in the specified IP address range and VLAN.
Start IP Address/End IP Address  Specify an IP range by entering a start and end IP address.
Collision  Displays the collision status of the entry.
Warning: The collision entries have the same IP address and MAC address, and all the collision entries are valid. This kind of collision may be caused by the MSTP function.
Critical: The collision entries have the same IP address but different MAC addresses. For the collision entries learned from the same source, only the newly added entry will be valid.
In the Binding Table section, you can view the searched entries. Additionally, you can configure the host name and protect type for one or more entries, and click Apply.
Host Name    Enter a host name for identification.
IP Address   Displays the IP address.
MAC Address  Displays the MAC address.
VLAN ID      Displays the VLAN ID.
Port         Displays the port number.
Step 2  ip source binding hostname ip-addr mac-addr vlan vlan-id interface { gigabitEthernet | ten-gigabitEthernet } port { none | arp-detection } [ forced-source { arp-scanning | dhcpsnooping } ]
Manually bind the host name, IP address, MAC address, VLAN ID and port number of the host, and configure the protect type for the host. In addition, you can change the source of the entry to ARP Scanning or DHCP Snooping.
2.2.2 Viewing Binding Entries
In privileged EXEC mode or any other configuration mode, you can use the following command to view binding entries:
show ip source binding  View the information of binding entries, including the host name, IP address, MAC address, VLAN ID, port number, protect type and collision status. There are two types of collision status: Warning and Critical.
3 DHCP Snooping Configuration
To complete the DHCP Snooping configuration, follow these steps:
1) Enable DHCP Snooping on the VLAN.
2) Configure DHCP Snooping on the specified port.
3) (Optional) Configure Option 82 on the specified port.
Tips: The switch can dynamically bind entries via DHCP Snooping after step 1 and step 2 are completed. By default, the binding entries are applied to ARP Detection.
VLAN Configuration Display  Displays the VLANs on which DHCP Snooping has been enabled.
3) Click Apply.
3.1.2 Configuring DHCP Snooping on Ports
Choose the menu Network Security > DHCP Snooping > Port Config to load the following page.
Figure 3-2 Port Config
Follow these steps to configure DHCP Snooping on the specified port:
1) Select one or more ports and configure the parameters.
Rate Limit  Select to enable the rate limit feature and specify the maximum number of DHCP packets that can be forwarded on the port per second. Excess DHCP packets will be discarded.
Decline Protect  Select to enable the decline protect feature and specify the maximum number of DHCP Decline packets that can be forwarded on the port per second. Excess DHCP Decline packets will be discarded.
LAG  Displays the LAG that the port is in.
Operation Strategy  Select the operation for the Option 82 field of the DHCP request packets.
Keep: Keep the Option 82 field of the packets unchanged.
Replace: Replace the Option 82 field of the packets with one defined by the switch. By default, the Circuit ID is defined as the VLAN and the number of the port that receives the DHCP Request packets.
Step 5  end  Return to privileged EXEC mode.
Step 6  copy running-config startup-config  Save the settings in the configuration file.
The following example shows how to enable DHCP Snooping globally and on VLAN 5:
Switch#configure
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 5
Switch(config)#show ip dhcp snooping
Global Status: Enable
VLAN ID: 5
Switch(config)#end
Switch#copy running-config startup-config
3.2.
Step 5  ip dhcp snooping limit rate value
Enable the limit rate feature and specify the maximum number of DHCP messages that can be forwarded on the port per second. Excess DHCP packets will be discarded.
value: Specify the limit rate value. Seven options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables the limit rate.
3.2.3 (Optional) Configuring Option 82
Option 82 records the location of the DHCP client. The switch can add Option 82 to the DHCP request packet and then transmit the packet to the DHCP server. Administrators can check the location of the DHCP client via Option 82. A DHCP server that supports Option 82 can also base its distribution policy for IP addresses and other parameters on it, providing a more flexible way of distributing addresses.
Step 9  copy running-config startup-config  Save the settings in the configuration file.
4 ARP Inspection Configurations
With ARP Inspection configurations, you can:
Configure ARP Detection
Configure ARP Defend
View ARP Statistics
4.1 Using the GUI
4.1.1 Configuring ARP Detection
The ARP Detection feature allows the switch to check ARP packets against the binding entries in the IP-MAC Binding Table and filter out the illegal ARP packets. Before configuring ARP Detection, complete the IP-MAC Binding configuration.
3) Click Apply.
4.1.2 Configuring ARP Defend
With ARP Defend enabled, the switch stops receiving ARP packets on a port for 300 seconds when the rate of legal ARP packets on that port exceeds the defined value, so as to prevent ARP flood attacks.
Choose the menu Network Security > ARP Inspection > ARP Defend to load the following page.
LAG  Displays the LAG that the port is in.
Operation  Click the Recover button to restore the port to the normal status. ARP Defend for this port will be re-enabled.
2) Click Apply.
4.1.3 Viewing ARP Statistics
You can view the number of illegal ARP packets received on each port, which helps you locate the network malfunction and take the related protection measures.
Trusted Port  Indicates whether the port is an ARP trusted port or not.
Illegal ARP Packet  Displays the number of received illegal ARP packets.
4.2 Using the CLI
4.2.1 Configuring ARP Detection
The ARP Detection feature allows the switch to check ARP packets against the binding entries in the IP-MAC Binding Table and filter out the illegal ARP packets. Before configuring ARP Detection, complete the IP-MAC Binding configuration.
Switch(config)#interface ten-gigabitEthernet 1/0/1
Switch(config-if)#ip arp inspection trust
Switch(config-if)#show ip arp inspection
ARP detection global status: Enabled
Port     Trusted
Te1/0/1  YES
Te1/0/2  NO
......
Switch(config-if)#end
Switch#copy running-config startup-config
4.2.
Step 7  end  Return to privileged EXEC mode.
Step 8  copy running-config startup-config  Save the settings in the configuration file.
Switch#copy running-config startup-config
4.2.3 Viewing ARP Statistics
In privileged EXEC mode or any other configuration mode, you can use the following command to view ARP statistics:
show ip arp inspection statistics  View the ARP statistics on each port, including whether the port is a trusted port and the number of received ARP packets on the port.
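How the pieces of chapters 3 and 4 fit together, as an added example that is not code from the guide or from TP-Link: DHCP Snooping drops server messages on untrusted ports and learns Binding Table entries from completed exchanges, ARP Detection then checks ARP on untrusted ports against those entries, and ARP Defend blocks a port for 300 seconds when legal ARP exceeds the configured rate. Port names, MAC and IP addresses, the Option 82 Circuit ID format and the exact bookkeeping are assumptions of the model.

```python
"""Added example, not from the TP-Link guide: a model of DHCP Snooping, the IP-MAC
Binding Table it feeds, and the ARP Detection / ARP Defend checks built on it.
All ports, MAC addresses and IP addresses used here are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Binding = Tuple[str, str, int, str]  # (ip, mac, vlan, port): the Binding Table key


@dataclass
class BindingEntry:
    host: str
    protect: str  # Protect Type column: "none" or "arp-detection"


@dataclass
class SnoopingSwitch:
    snooping_vlans: Set[int]
    trusted_ports: Set[str]  # trusted for both DHCP Snooping and ARP Detection
    arp_rate_limit: Dict[str, int] = field(default_factory=dict)         # ARP Defend: port -> legal ARP/s
    bindings: Dict[Binding, BindingEntry] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)    # (mac, vlan) -> client port
    illegal_arp: Dict[str, int] = field(default_factory=dict)            # ARP Statistics per port
    arp_window: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # port -> (second, count)
    blocked_until: Dict[str, float] = field(default_factory=dict)        # port -> end of 300 s block

    # ---------------- DHCP Snooping ----------------
    def circuit_id(self, vlan: int, port: str) -> str:
        """Default Option 82 Circuit ID: the VLAN and the port that received the request
        (the textual form is an assumption of this model)."""
        return f"{vlan}/{port}"

    def handle_dhcp(self, msg: str, mac: str, vlan: int, port: str, ip: str = "") -> str:
        if vlan not in self.snooping_vlans:
            return "forward"                    # snooping is not enabled on this VLAN
        if msg in ("DISCOVER", "REQUEST"):     # client messages may arrive on any port
            self.pending[(mac, vlan)] = port
            return "forward"
        # OFFER / ACK / NAK come from a server and are legal only on a trusted port.
        if port not in self.trusted_ports:
            return "drop"                       # illegal DHCP server behind an untrusted port
        if msg == "ACK" and (mac, vlan) in self.pending:
            client_port = self.pending.pop((mac, vlan))
            # entries learned by DHCP Snooping are applied to ARP Detection by default
            self.bindings[(ip, mac, vlan, client_port)] = BindingEntry("dhcp", "arp-detection")
        return "forward"

    def bind_manually(self, host: str, ip: str, mac: str, vlan: int, port: str,
                      protect: str = "arp-detection") -> None:
        """Model of: ip source binding <host> <ip> <mac> vlan <id> interface ... <port> { none | arp-detection }"""
        self.bindings[(ip, mac, vlan, port)] = BindingEntry(host, protect)

    # ---------------- ARP Detection and ARP Defend ----------------
    def handle_arp(self, sender_ip: str, sender_mac: str, vlan: int, port: str,
                   now: float = 0.0) -> str:
        if self.blocked_until.get(port, 0.0) > now:
            return "drop"                       # port is still in the 300 s ARP Defend state
        if port not in self.trusted_ports:     # trusted ports are not checked
            entry = self.bindings.get((sender_ip, sender_mac, vlan, port))
            if entry is None or entry.protect != "arp-detection":
                self.illegal_arp[port] = self.illegal_arp.get(port, 0) + 1
                return "drop"                   # no matching binding: illegal ARP packet
        limit = self.arp_rate_limit.get(port)
        if limit is not None:                   # ARP Defend counts only legal ARP packets
            second = int(now)
            last_second, count = self.arp_window.get(port, (second, 0))
            count = count + 1 if last_second == second else 1
            self.arp_window[port] = (second, count)
            if count > limit:
                self.blocked_until[port] = now + 300.0
                return "drop"
        return "forward"

    def recover(self, port: str) -> None:
        """The Recover button: restore the port and re-enable ARP Defend on it."""
        self.blocked_until.pop(port, None)
        self.arp_window.pop(port, None)
```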
5 DoS Defend Configuration
5.1 Using the GUI
Choose the menu Network Security > DoS Defend > DoS Defend to load the following page.
Figure 5-1 DoS Defend
Follow these steps to configure DoS Defend:
1) In the Configure section, enable DoS Protection.
2) In the Defend Table section, select one or more defend types according to your needs. The following table introduces each type of DoS attack.
NULL Scan  The attacker sends an illegal packet with its TCP index and all the control fields set to 0. During the TCP connection and data transmission, packets with all control fields set to 0 are considered illegal.
SYN sPort less 1024  The attacker sends an illegal packet with its TCP SYN field set to 1 and a source port smaller than 1024.
Step 3  ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | pingflood | syn-flood | win-nuke }
Configure one or more defend types according to your needs. The types of DoS attack are introduced as follows.
land: The attacker sends a specific fake SYN (synchronous) packet to the destination host.
Switch(config)#ip dos-prevent
Switch(config)#ip dos-prevent type land
Switch(config)#show ip dos-prevent
DoS Prevention State: Enabled
Type         Status
-----------  --------
Land Attack  Enabled
Scan SYNFIN  Disabled
Xmascan      Disabled
......
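The header checks behind the DoS Defend types above, written out as an added example (not code from the guide or from TP-Link) so the drop decision for each enabled type can be tested offline against decoded TCP headers. The land, null-scan and port-less-1024 signatures follow the guide's descriptions; the scan-synfin and xma-scan flag combinations are the standard ones for those scans and, like the sample packets, are assumptions of this example.

```python
"""Added example, not from the TP-Link guide: classifies decoded TCP headers against
the DoS Defend signatures and honours the per-type list from `ip dos-prevent type`."""
from dataclasses import dataclass
from typing import FrozenSet, Set

TCP = 6


@dataclass(frozen=True)
class TcpPacket:
    """Constructed header fields; only what the checks below need."""
    sip: str
    dip: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP control bits present, e.g. {"SYN"}
    protocol: int = TCP


def classify(pkt: TcpPacket) -> Set[str]:
    """Return every DoS Defend type whose signature the packet matches."""
    hits: Set[str] = set()
    if pkt.protocol != TCP:
        return hits
    f = pkt.flags
    if "SYN" in f and pkt.sip == pkt.dip:
        hits.add("land")             # fake SYN whose source is the destination host itself
    if not f:
        hits.add("null-scan")        # all TCP control fields set to 0
    if {"SYN", "FIN"} <= f:
        hits.add("scan-synfin")      # SYN and FIN set together (assumed signature)
    if {"URG", "PSH", "FIN"} <= f:
        hits.add("xma-scan")         # URG, PSH and FIN all set (assumed signature)
    if "SYN" in f and pkt.sport < 1024:
        # Modelled literally as the guide describes it. Note that a server's SYN/ACK
        # reply from port 80 or 443 also has SYN set and a source port below 1024,
        # so where such replies transit the switch this type needs care before enabling.
        hits.add("port-less-1024")
    return hits


class DosDefend:
    """Models `ip dos-prevent` (global switch) plus the types enabled with `ip dos-prevent type`."""

    def __init__(self, enabled_types: Set[str], global_enabled: bool = True):
        self.global_enabled = global_enabled
        self.enabled_types = set(enabled_types)

    def filter(self, pkt: TcpPacket) -> str:
        """'drop' when the packet matches at least one enabled type, else 'forward'."""
        if not self.global_enabled:
            return "forward"
        return "drop" if classify(pkt) & self.enabled_types else "forward"


if __name__ == "__main__":
    defend = DosDefend({"land", "null-scan", "port-less-1024"})
    samples = [
        TcpPacket("10.0.0.5", "10.0.0.5", 40000, 80, frozenset({"SYN"})),       # land
        TcpPacket("10.0.0.9", "10.0.0.5", 40000, 80, frozenset()),              # null scan
        TcpPacket("10.0.0.9", "10.0.0.5", 40000, 80, frozenset({"SYN", "FIN"})),  # type not enabled
        TcpPacket("10.0.0.9", "10.0.0.5", 40000, 80, frozenset({"SYN"})),       # ordinary SYN
    ]
    for p in samples:
        print(sorted(classify(p)), defend.filter(p))
```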
6 802.1X Configuration
To complete the 802.1X configuration, follow these steps:
1) Configure the RADIUS server.
2) Configure 802.1X globally.
3) Configure 802.1X on ports.
Configuration Guidelines
802.1X authentication and Port Security cannot be enabled at the same time. Before enabling 802.1X authentication, make sure that Port Security is disabled.
6.1 Using the GUI
6.1.
Figure 6-2 RADIUS Config
Follow these steps to configure the RADIUS server:
1) In the Server Config section, configure the parameters of the RADIUS server.
2) Click Apply.
Server IP  Enter the IP address of the server running the RADIUS secure protocol.
Shared Key  Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
Choose the menu Network Security > AAA > Server Group to load the following page.
Figure 6-3 Adding a Server Group
Follow these steps to create a server group:
1) In the Add New Server Group section, specify the name and server type for the new server group, and click Add.
Server Group: Specify the name of the new server group.
Server Type: Select the type of the server group as RADIUS.
Figure 6-5 Add Server to Group
Configuring the Dot1x List
Choose the menu Network Security > AAA > Dot1x List to load the following page.
Figure 6-6 Configuring the Dot1x List
Follow these steps to configure RADIUS server groups for 802.1X authentication and accounting:
1) In the Authentication Dot1x Method List section, select an existing RADIUS server group for authentication from the Pri1 drop-down list and click Apply.
6.1.2 Configuring 802.1X Globally
Choose the menu Network Security > 802.1X > Global Config to load the following page.
Figure 6-7 Global Config
Follow these steps to configure 802.1X global parameters:
1) In the Global Config section, enable 802.1X globally and click Apply.
Auth Method  Select the 802.1X authentication method.
PAP: The 802.1X authentication system uses EAP packets to exchange information between the switch and the client.
Guest VLAN  Select whether to enable Guest VLAN. By default, it is disabled. If Guest VLAN is enabled, a port can access resources in the guest VLAN even though the port is not yet authenticated; if Guest VLAN is disabled and the port is not authenticated, the port cannot access any resource in the LAN.
Guest VLAN ID  Enter the guest VLAN's ID. It must be an existing VLAN with an ID ranging from 2 to 4094.
Accounting  Enable or disable 802.
6.1.3 Configuring 802.1X on Ports
Choose the menu Network Security > 802.1X > Port Config to load the following page.
Figure 6-8 Port Config
Configure 802.1X authentication on the desired port and click Apply.
Status  Enable 802.1X authentication on the port.
Guest VLAN  Select whether to enable Guest VLAN on the port.
Control Mode  Select the Control Mode for the port. By default, it is Auto.
Note: If a port is in a LAG, its 802.1X authentication function cannot be enabled. Also, a port with 802.1X authentication enabled cannot be added to any LAG.
6.2 Using the CLI
6.2.
Step 5  server ip-address  Add the existing servers to the server group.
ip-address: Specify the IP address of the server to be added to the group.
Step 6  exit  Return to global configuration mode.
Step 7  aaa authentication dot1x default { method }  Select the radius group for 802.1X authentication.
method: Specify the radius group for 802.1X authentication.
aaa accounting dot1x default { method }  Select the radius group for 802.1X accounting.
Switch#configure
Switch(config)#aaa enable
Switch(config)#radius-server host 192.168.0.100 key 123456 auth-port 1812 acct-port 1813
Switch(config)#aaa group radius radius1
Switch(aaa-group)#server 192.168.0.100
Switch(aaa-group)#exit
Switch(config)#aaa authentication dot1x default radius1
Switch(config)#aaa accounting dot1x default radius1
Switch(config)#show radius-server
Server Ip    Auth Port
192.168.0.
Step 3  dot1x auth-method { pap | eap }  Configure the 802.1X authentication method.
pap: Specify the authentication method as PAP. If this option is selected, the 802.1X authentication system uses EAP (Extensible Authentication Protocol) packets to exchange information between the switch and the client.
Step 10  copy running-config startup-config  Save the settings in the configuration file.
The following example shows how to enable 802.1X authentication, configure PAP as the authentication method and keep the other parameters at their defaults:
Switch#configure
Switch(config)#dot1x system-auth-control
Switch(config)#dot1x auth-method pap
Switch(config)#show dot1x global
802.
Step 3  dot1x  Enable 802.1X authentication for the port.
Step 4  dot1x port-method { mac-based | port-based }  Configure the control type for the port. By default, it is mac-based.
mac-based: All clients connected to the port need to be authenticated.
port-based: If a client connected to the port is authenticated, other clients can access the LAN without authentication.
Step 5  dot1x guest-vlan  (Optional) Enable guest VLAN on the port.
7 AAA Configuration
In the AAA feature, authentication can be processed locally on the switch or centrally on the RADIUS/TACACS+ server(s). To ensure the stability of the authentication system, you can configure multiple servers and authentication methods at the same time. This chapter introduces how to configure this kind of comprehensive authentication in AAA.
To complete the configuration, follow these steps:
1) Globally enable AAA.
7.1 Using the GUI
7.1.1 Globally Enabling AAA
Choose the menu Network Security > AAA > Global Config to load the following page.
Figure 7-1 Global Configuration
Follow these steps to globally enable AAA:
1) In the Global Config section, enable AAA.
2) Click Apply.
7.1.2 Adding Servers
You can add one or more RADIUS/TACACS+ servers on the switch for authentication.
Server IP  Enter the IP address of the server running the RADIUS secure protocol.
Shared Key  Enter the shared key between the RADIUS server and the switch. The RADIUS server and the switch use the key string to encrypt passwords and exchange responses.
Auth Port  Specify the UDP destination port on the RADIUS server for authentication requests. The default setting is 1812.
2) Click Add to add the TACACS+ server on the switch.
7.1.3 Configuring Server Groups
The switch has two built-in server groups, one for RADIUS servers and the other for TACACS+ servers. Servers running the same protocol are automatically added to the default server group. You can add new server groups as needed.
Choose the menu Network Security > AAA > Server Group to load the following page.
Figure 7-6 Add Server to Group
7.1.4 Configuring the Method List
A method list describes the authentication methods and the sequence in which they are used to authenticate users. The switch supports the Login Method List, for users of all types to gain access to the switch, and the Enable Method List, for guests to get administrative privileges.
Choose the menu Network Security > AAA > Method List to load the following page.
1) In the Add Method List section, configure the parameters for the method list to be added.
Method List Name  Specify a name for the method list.
List Type  Select the authentication type. Two options are provided: Authentication Login and Authentication Enable.
Pri1-Pri4  Specify the authentication methods in order. The method with priority 1 authenticates a user first, the method with priority 2 is tried if the previous method does not respond, and so on.
7.1.6 Configuring the Login Account and Enable Password
The login account and Enable password can be configured locally on the switch or centrally on the RADIUS/TACACS+ server(s).
On the Switch
The local username and password for login can be configured in the User Management feature. For details, refer to Managing System.
7.2 Using the CLI
7.2.1 Globally Enabling AAA
Follow these steps to globally enable AAA:
Step 1  configure  Enter global configuration mode.
Step 2  aaa enable  Globally enable the AAA feature.
Step 3  show aaa global  Verify the global configuration of AAA.
Step 4  end  Return to privileged EXEC mode.
Step 5  copy running-config startup-config  Save the settings in the configuration file.
Step 1  configure  Enter global configuration mode.
Step 2  radius-server host ip-address [ auth-port port-id ] [ acct-port port-id ] [ timeout time ] [ retransmit number ] [ key { [ 0 ] string | 7 encrypted-string } ]
Add the RADIUS server and configure the related parameters as needed.
host ip-address: Enter the IP address of the server running the RADIUS protocol.
Switch#copy running-config startup-config
Adding a TACACS+ Server
Follow these steps to add a TACACS+ server on the switch:
Step 1  configure  Enter global configuration mode.
Step 2  tacacs-server host ip-address [ port port-id ] [ timeout time ] [ key { [ 0 ] string | 7 encrypted-string } ]
Add the TACACS+ server and configure the related parameters as needed.
host ip-address: Enter the IP address of the server running the TACACS+ protocol.
Switch#copy running-config startup-config
7.2.3 Configuring Server Groups
The switch has two built-in server groups, one for RADIUS and the other for TACACS+. Servers running the same protocol are automatically added to the default server group. You can add new server groups as needed. The two default server groups cannot be deleted or edited.
Switch(aaa-group)#end
Switch#copy running-config startup-config
7.2.4 Configuring the Method List
A method list describes the authentication methods and the sequence in which they are used to authenticate users. The switch supports the Login Method List, for users of all types to gain access to the switch, and the Enable Method List, for guests to get administrative privileges.
Methodlist  pri1    pri2   pri3  pri4
default     local   --     --    --
Login1      radius  local  --    --
Switch(config)#end
Switch#copy running-config startup-config
The following example shows how to create an Enable method list named Enable1, and configure method 1 as the default radius server group and method 2 as local.
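The method-list rule stated in 7.1.4 and 7.2.4 (the next method is tried only when the previous one does not respond) matters for how a RADIUS outage or a wrong password behaves, so here it is worked through as an added example that is not code from the guide or from TP-Link. The two server addresses follow the RADIUS1 group of example 8.3; the user names, passwords, reachability flags and the fail-closed outcome when nothing answers are assumptions of this model.

```python
"""Added example, not from the TP-Link guide: a model of Login/Enable method-list
evaluation (Pri1..Pri4) in which only a non-responding method lets the next one run."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class NoResponse(Exception):
    """An authentication server that does not answer (unreachable or timed out)."""


@dataclass
class RadiusServer:
    ip: str
    reachable: bool = True
    users: Dict[str, str] = field(default_factory=dict)  # constructed credential store

    def authenticate(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise NoResponse(self.ip)
        return self.users.get(user) == password


@dataclass
class ServerGroup:
    """aaa group radius <name>: servers are consulted in the order they were added."""
    name: str
    servers: List[RadiusServer] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> bool:
        for srv in self.servers:
            try:
                return srv.authenticate(user, password)  # first server that answers decides
            except NoResponse:
                continue                                 # try the next server in the group
        raise NoResponse(self.name)                      # no server in the group answered


@dataclass
class LocalUsers:
    """The switch's own user database (User Management); it always answers."""
    name: str = "local"
    users: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


def run_method_list(methods: List, user: str, password: str) -> Tuple[str, Optional[str]]:
    """Evaluate Pri1..Pri4 in order and return (result, name of the deciding method).
    An explicit accept or reject ends the evaluation; only NoResponse moves on to
    the next method. If no method answers at all, this model denies access (fail
    closed): the guide does not state the switch's behaviour there, so it is an
    assumption."""
    for method in methods:
        try:
            ok = method.authenticate(user, password)
        except NoResponse:
            continue
        return ("accept" if ok else "reject"), method.name
    return "reject", None


def build_login1(server1_up: bool = True, server2_up: bool = True) -> List:
    """Constructed scenario mirroring example 8.3: the Login1 list from the output
    above (pri1 radius, pri2 local) with a two-server RADIUS1 group at pri1."""
    radius1 = ServerGroup("RADIUS1", [
        RadiusServer("192.168.0.10", server1_up, {"netadmin": "constructed-pw-1"}),
        RadiusServer("192.168.0.20", server2_up, {"netadmin": "constructed-pw-1"}),
    ])
    local = LocalUsers(users={"admin": "constructed-local-pw"})
    return [radius1, local]


if __name__ == "__main__":
    print(run_method_list(build_login1(), "netadmin", "constructed-pw-1"))
    print(run_method_list(build_login1(), "netadmin", "wrong"))                # reject, no fallback
    print(run_method_list(build_login1(False, False), "admin", "constructed-local-pw"))
```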
Step 4  enable authentication { method-list }  Apply the Enable method list to the Telnet application.
method-list: Specify the name of the Enable method list.
Step 5  show aaa global  Verify the configuration of the application list.
Step 6  end  Return to privileged EXEC mode.
Step 7  copy running-config startup-config  Save the settings in the configuration file.
Step 3  login authentication { method-list }  Apply the Login method list to the SSH application.
method-list: Specify the name of the Login method list.
Step 4  enable authentication { method-list }  Apply the Enable method list to the SSH application.
method-list: Specify the name of the Enable method list.
Step 5  show aaa global  Verify the configuration of the application list.
Step 6  end
Step 7  copy running-config startup-config
Step 2  ip http login authentication { method-list }  Apply the Login method list to the HTTP application.
method-list: Specify the name of the Login method list.
Step 3  ip http enable authentication { method-list }  Apply the Enable method list to the HTTP application.
method-list: Specify the name of the Enable method list.
To configure the local Enable password for getting administrative privileges, follow these steps:
Step 1  configure  Enter global configuration mode.
Step 2  enable admin password { [ 0 ] password | 7 encrypted-password }  Set the Enable password. This command uses symmetric encryption. 0 and 7 represent the encryption type. 0 indicates that an unencrypted key will follow. 7 indicates that a symmetric encrypted key with a fixed length will follow.
8 Configuration Examples
8.1 Example for DHCP Snooping and ARP Detection
8.1.1 Network Requirements
As shown below, User 1 and User 2 get IP addresses from the DHCP server, and User 3 has a static IP address. All of them are in the default VLAN 1. Now, untrusted DHCP packets need to be filtered to ensure that the DHCP clients (User 1 and User 2) get their IP addresses from the legal DHCP server.
3) Enable ARP Detection on Switch A to prevent ARP cheating attacks.
4) Configure ARP Defend on Switch A to limit the rate at which legal ARP packets are received on each port, thus preventing ARP flooding attacks.
Demonstrated with the T1700X-16TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI.
8.1.
Figure 8-3 Port Config
3) Choose the menu Network Security > IP-MAC Binding > Manual Binding to load the following page. Enter the host name, IP address, MAC address and VLAN ID of User 3, select ARP Detection as the protect type, and select port 1/0/3 on the panel. Click Bind.
Figure 8-4 Manual Binding
4) Choose the menu Network Security > IP-MAC Binding > Binding Table to load the following page.
Figure 8-5 Binding Table
5) Choose the menu Network Security > ARP Inspection > ARP Detect to load the following page. Enable ARP Detection and set port 1/0/4 as the trusted port. Click Apply.
Figure 8-6 ARP Detect
6) Choose the menu Network Security > ARP Inspection > ARP Defend to load the following page. Enable ARP Defend for ports 1/0/1-3 and click Apply.
Figure 8-7 ARP Defend
7) Click Save Config to save the settings.
8.1.4 Using the CLI
1) Enable DHCP Snooping globally and on VLAN 1.
Switch_A#configure
Switch_A(config)#ip dhcp snooping
Switch_A(config)#ip dhcp snooping vlan 1
2) Configure port 1/0/4 as a trusted port.
Switch_A(config)#interface ten-gigabitEthernet 1/0/4
Switch_A(config-if)#ip dhcp snooping trust
Switch_A(config-if)#exit
3) Manually bind the entry for User 3.
5) Configure ARP Defend on ports 1/0/1-3.
ARP detection global status: Enabled
Port     Trusted
Te1/0/1  NO
Te1/0/2  NO
Te1/0/3  NO
Te1/0/4  YES
......
Verify the configuration of ARP Defend:
Switch_A#show ip arp inspection interface
Port     OverSpeed  Rate  Current  Status  LAG
Te1/0/1  Enabled    15    N/A      Normal  N/A
Te1/0/2  Enabled    15    N/A      Normal  N/A
Te1/0/3  Enabled    15    N/A      Normal  N/A
Te1/0/4  Disabled   15    N/A      N/A     N/A
......
8.2 Example for 802.1X
8.2.
8.2.3 Network Topology
As shown in the following figure, Switch A acts as the authenticator. Port 1/0/1 is connected to the client, port 1/0/2 is connected to the RADIUS server, and port 1/0/3 is connected to the Internet.
Figure 8-8 Network Topology: Internet on Te1/0/3, RADIUS Server on Te1/0/2 and the client on Te1/0/1 of Switch A (Authenticator); RADIUS Server 192.168.0.
Figure 8-10 RADIUS Config
3) Choose the menu Network Security > AAA > Server Group to load the following page. In the Add New Server Group section, specify the group name as radius1 and the server type as RADIUS. Click Add to create the server group.
Figure 8-11 Create Server Group
4) On the same page, select the newly created server group and click Edit to load the following page. Select 192.168.0.
6) Choose the menu Network Security > 802.1X Authentication > Global Config to load the following page. Enable 802.1X authentication and configure the Authentication Method as EAP. Enable the Quiet feature and then keep the default authentication settings.
Figure 8-14 Global Config
7) Choose the menu Network Security > 802.1X Authentication > Port Config to load the following page. For port 1/0/1, enable 802.
Figure 8-15 Port Config

8) Click Save Config to save the settings.

8.2.5 Using the CLI

1) Enable the AAA function globally and configure the RADIUS parameters.

Switch_A(config)#aaa enable
Switch_A(config)#radius-server host 192.168.0.10 auth-port 1812 key 123456
Switch_A(config)#aaa group radius radius1
Switch_A(aaa-group)#server 192.168.0.
3) Disable 802.1X authentication on port 1/0/2 and port 1/0/3. Enable 802.1X authentication on port 1/0/1, set the control mode as auto, and set the control type as MAC based.
Port      State      GuestVLAN   PortControl   PortMethod   Authorized   LAG
----      -----      ---------   -----------   ----------   ----------   ---
Te1/0/1   enabled    disabled    auto          mac-based    authorized   N/A
Te1/0/2   disabled   disabled    auto          mac-based    authorized   N/A
Te1/0/3   disabled   disabled    auto          mac-based    authorized   N/A
......
Figure 8-16 Network Topology
Figure labels: RADIUS Server 1, 192.168.0.10/24, Auth Port: 1812; Management Network; Administrator; Switch; RADIUS Server 2, 192.168.0.20/24, Auth Port: 1812

8.3.2 Configuration Scheme

To implement this requirement, the senior administrator can create the login account and the Enable password on the two RADIUS servers, and configure the AAA feature on the switch. The IP addresses of the two RADIUS servers are 192.168.0.10/24 and 192.168.0.
Figure 8-18 Add RADIUS Server 1

3) On the same page, configure the Server IP as 192.168.0.20, the Shared Key as 123456, the Auth Port as 1812, and keep the other parameters as default. Click Add to add RADIUS Server 2 on the switch.

Figure 8-19 Add RADIUS Server 2

4) Choose the menu Network Security > AAA > Server Group to load the following page. In the Add New Server Group section, specify the group name as RADIUS1 and the server type as RADIUS.
Figure 8-20 Create Server Group

5) On the same page, select the newly created server group and click edit to load the following page. Select 192.168.0.10 from the drop-down list, and click Add to add RADIUS Server 1 to the group. Then select 192.168.0.20 from the drop-down list, and click Add to add RADIUS Server 2 to the group.

Figure 8-21 Add Servers to Server Group

6) Choose the menu Network Security > AAA > Method List to load the following page.
7) On the same page, specify the Method List Name as Method-Enable, select the List Type as Authentication Enable, and select the Pri1 as RADIUS1. Click Add to set the method list for the Enable password authentication.

Figure 8-23 Configure Enable Method List

8) Choose the menu Network Security > AAA > Global Config to load the following page.
Switch(aaa-group)#exit

4) Create two method lists, Method-Login and Method-Enable, and configure the server group RADIUS1 as the authentication method for the two method lists.

Switch(config)#aaa authentication login Method-Login RADIUS1
Switch(config)#aaa authentication enable Method-Enable RADIUS1

5) Configure Method-Login and Method-Enable as the authentication method for the Telnet application.
Methodlist      pri1      pri2   pri3   pri4
default         none      --     --     --
Method-Enable   RADIUS1   --     --     --
......
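What the switch actually sends to RADIUS1 when a Telnet login is authenticated through Method-Login, and what it must check in the reply, written out in Python as an added example (not TP-Link code). The server address 192.168.0.10, port 1812 and shared key 123456 come from the example above; the user name, password, NAS IP address, packet identifier and Request Authenticator are constructed placeholders. The exchange follows RFC 2865 (PAP-style User-Password); an 802.1X port authentication carries EAP-Message attributes instead, but the authenticator handling is the same.

```python
"""Added example, not from the TP-Link guide: the RFC 2865 Access-Request the
switch sends to a RADIUS server for a login, and the response check it must
perform. Server/port/key follow the example above; user name, password,
NAS IP, identifier and Request Authenticator are constructed placeholders."""
import hashlib
import hmac
import os
import struct

SHARED_KEY = b"123456"                  # "key 123456" in the CLI example above
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks; XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does with the same shared key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # type, length, value


def build_access_request(identifier, username, password, nas_ip, secret=SHARED_KEY, request_auth=None):
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret=SHARED_KEY):
    """The server side: Access-Accept/Reject carrying a Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes = SHARED_KEY) -> bool:
    """What the switch must check before acting on an Access-Accept: a reply
    produced without the shared key, or for another request, fails here."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def password_attribute(packet: bytes) -> bytes:
    """Return the value of the first User-Password attribute in a request."""
    off = 20
    while off + 2 <= len(packet):
        attr_type, length = packet[off], packet[off + 1]
        if attr_type == ATTR_USER_PASSWORD:
            return packet[off + 2:off + length]
        off += length
    return b""
```

Two points follow from the code: the shared key is the only thing protecting the password on the wire and the only thing authenticating the reply, so a short numeric key like 123456 should be replaced with a long random one and the RADIUS segment kept off untrusted VLANs; and a switch that skips `verify_response` would accept any Access-Accept addressed to it.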
9 Appendix: Default Parameters

Default settings of Network Security are listed in the following tables.
Table 9-3 ARP Inspection

Parameter                               Default Setting
ARP Detect       ARP Detect             Disable
                 Trusted Port           None
ARP Defend       Defend                 Disable
                 Speed                  15 pps
ARP Statistics   Auto Refresh           Disable
                 Refresh Interval       5 seconds

Table 9-4 802.1X

Parameter                               Default Setting
Global Config    802.
Parameter                                            Default Setting
                 Control Mode                        Auto
                 Control Type                        MAC Based
Dot1X List       Authentication Dot1x Method List    List Name: default, Pri1: radius
                 Accounting Dot1x Method List        List Name: default, Pri1: radius

Table 9-5 DoS Defend

Parameter                               Default Setting
DoS Defend                              Disable

Table 9-6 AAA

Parameter                               Default Setting
Global Config    AAA                    Disable
RADIUS Config    Server IP              None
                 Shared Key             None
                 Auth Port              1812
                 Acct Port              1813
                 Retransmit
Parameter                               Default Setting
                 Port                   49
Server Group:    There are two default server groups: radius and tacacs.
Part 21 Configuring LLDP

CHAPTERS
1. LLDP
2. LLDP Configurations
3. LLDP-MED Configurations
4. Viewing LLDP Settings
5. Viewing LLDP-MED Settings
6. Configuration Example
7.
Configuring LLDP

1 LLDP

1.1 Overview

LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol is a standard IEEE 802.1ab defined protocol and runs over Layer 2 (the data-link layer), which allows for interoperability between network devices of different vendors.
2 LLDP Configurations

With LLDP configurations, you can:
1) Enable the LLDP feature on the switch.
2) (Optional) Configure the LLDP feature globally.
3) (Optional) Configure the LLDP feature for the interface.

2.1 Using the GUI

2.1.1 Global Config

Choose the menu LLDP > Basic Config > Global Config to load the following page.
Follow these steps to enable LLDP and configure the LLDP feature globally.
1) In the Global Config section, enable LLDP. Click Apply.
2) In the Parameters Config section, configure the LLDP parameters. Click Apply.

Transmit Interval: Enter the interval between successive LLDP packets that are periodically sent from the local device to its neighbors. The default is 30 seconds.
2.1.2 Port Config

Choose the menu LLDP > Basic Config > Policy Config to load the following page.

Figure 2-2 Port Config

Follow these steps to configure the LLDP feature for the interface.
1) Select the desired port and set its Admin Status and Notification Mode.

Admin Status: Set the Admin Status for the port to deal with LLDP packets.
Tx&Rx: The port will transmit LLDP packets and process the received LLDP packets.
Included TLVs: Configure the TLVs included in the outgoing LLDP packets. TP-Link supports the following TLVs:
PD: Used to advertise the port description defined by the IEEE 802 LAN station.
SC: Used to advertise the supported functions and whether or not these functions are enabled.
SD: Used to advertise the system’s description, including the full name and version identification of the system’s hardware type, software operating system, and networking software.
Step 3   lldp hold-multiplier
         (Optional) Specify the amount of time the neighbor device should hold the received information before discarding it. The default is 4. TTL (Time to Live) = Hold Multiplier * Transmit Interval.
Step 4   lldp timer { tx-interval tx-interval | tx-delay tx-delay | reinit-delay reinit-delay | notifyinterval notify-interval | fast-count fast-count }
         (Optional) Configure the timers for LLDP packet forwarding.
TTL Multiplier: 4
Tx Delay: 2 seconds
Initialization Delay: 2 seconds
Trap Notification Interval: 5 seconds
Fast-packet Count: 3
LLDP-MED Fast Start Repeat Count: 4
Switch(config)#end
Switch#copy running-config startup-config

2.2.2 Port Config

Select the desired port and set its Admin Status, Notification Mode and the TLVs included in the LLDP packets.
The following example shows how to configure port 1/0/1. The port can receive and transmit LLDP packets, its notification mode is enabled, and the outgoing LLDP packets include all TLVs.
3 LLDP-MED Configurations

With LLDP-MED configurations, you can:
1) Configure the LLDP-MED feature globally.
2) Enable and configure the LLDP-MED feature on the interface.

Configuration Guidelines

LLDP-MED is used together with Voice VLAN to implement VoIP access. Besides configuring the LLDP-MED feature, you also need to configure the Voice VLAN feature. Refer to Configuring Voice VLAN for detailed instructions.

3.1 Using the GUI

3.1.
3.1.2 Port Config

Choose the menu LLDP > LLDP-MED > Policy Config to load the following page.

Figure 3-2 LLDP-MED Port Config

Follow these steps to enable LLDP-MED:
1) Select the desired port and enable LLDP-MED. Click Apply.
2) Click Detail to enter the following page. Configure the TLVs included in the outgoing LLDP packets. If Location Identification is selected, you need to configure the Emergency Number or select Civic Address to configure the details.
Figure 3-3 LLDP-MED Port Config-Detail

Network Policy: Used to advertise the VLAN configuration and the associated Layer 2 and Layer 3 attributes of the port to the Endpoint devices.
Location Identification: Used to assign the location identifier information to the Endpoint devices.
Civic Address: Configure the address of the audio device in the IETF defined address format.
What: Specify the role type of the local device: DHCP Server, Switch or LLDP-MED Endpoint.
Country Code: Enter the country code defined by ISO 3166, for example, CN, US.
Language, Province/State etc.: Enter the regular details.

3.2 Using the CLI

3.2.1 Global Config

Step 1   configure
         Enter global configuration mode.
Step 2   lldp
Step 3   lldp med-fast-count count
TTL Multiplier: 4
Tx Delay: 2 seconds
Initialization Delay: 2 seconds
Trap Notification Interval: 5 seconds
Fast-packet Count: 3
LLDP-MED Fast Start Repeat Count: 4
Switch(config)#end
Switch#copy running-config startup-config

3.2.2 Port Config

Select the desired port, enable LLDP-MED and select the TLVs (Type/Length/Value) included in the outgoing LLDP packets according to your needs.
Step 6   end
         Return to Privileged EXEC Mode.
Step 7   copy running-config startup-config
         Save the settings in the configuration file.

The following example shows how to enable LLDP-MED on port 1/0/1 and configure the LLDP-MED TLVs included in the outgoing LLDP packets.
LLDP-MED Status: Enabled
TLV                         Status
---                         ------
Network Policy              Yes
Location Identification     Yes
Extended Power Via MDI      Yes
Inventory Management        Yes
Switch(config)#end
Switch#copy running-config startup-config

Configuration Guide 639
4 Viewing LLDP Settings

This chapter introduces how to view the LLDP settings on the local device.

4.1 Using GUI

4.1.1 Viewing LLDP Device Info

Viewing the Local Info

Choose the menu LLDP > Device Info > Local Info to load the following page.
Follow these steps to view the local information:
1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply.
2) In the Local Info section, select the desired port and view its associated local device information.

Local Interface: Displays the local port ID.
Chassis ID Subtype: Displays the Chassis ID type.
Chassis ID: Displays the value of the Chassis ID.
Viewing the Neighbor Info

Choose the menu LLDP > Device Info > Neighbor Info to load the following page.

Figure 4-2 Neighbor Info

Follow these steps to view the neighbor information:
1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply.
2) In the Local Info section, select the desired port and view its associated neighbor device information.
4.1.2 Viewing LLDP Statistics

Choose the menu LLDP > Device Statistics > Statistics Info to load the following page.

Figure 4-3 Static Info

Follow these steps to view LLDP statistics:
1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply.
2) In the Global Statistics section, view the global statistics of the local device.

Last Update: Displays the time when the statistics were updated.
Transmit Total: Displays the total number of LLDP packets sent via the port.
Receive Total: Displays the total number of LLDP packets received via the port.
Discards: Displays the total number of LLDP packets discarded by the port.
Errors: Displays the total number of error LLDP packets received via the port.
Ageouts: Displays the number of aged-out neighbors that are connected to the port.

4.2
5 Viewing LLDP-MED Settings

5.1 Using GUI

Viewing the Local Info

Choose the menu LLDP > Device Info > Local Info to load the following page.

Figure 5-1 LLDP-MED Local Info

Follow these steps to view LLDP-MED local information:
1) In the Auto Refresh section, enable the Auto Refresh feature and set the Refresh Rate according to your needs. Click Apply.
2) In the LLDP-MED Local Info section, select the desired port and view the LLDP-MED settings.
Device Type: Displays the local device type defined by LLDP-MED.
Application Type: Displays the supported applications of the local device.
Unknown Policy Flag: Displays the unknown location settings included in the network policy TLV.
VLAN tagged: Displays the VLAN Tag type of the applications, tagged or untagged.
Media Policy VLAN ID: Displays the 802.1Q VLAN ID of the port.
Device Type: Displays the LLDP-MED device type of the neighbor device.
Application Type: Displays the application type of the neighbor device.
Location Data Format: Displays the location type of the neighbor device.
Power Type: Displays the power type of the neighbor device.
Information: View more LLDP-MED details of the neighbor device.

5.2
6 Configuration Example

6.1 Example for Configuring LLDP

6.1.1 Network Requirements

The network administrator needs to view the information of the devices in the company network to know about the link situation and network topology, so that he can troubleshoot potential network faults in advance.

6.1.2 Network Topology

Take the following situation as an example: port Te1/0/1 on Switch A is directly connected to port Te1/0/2 on Switch B.
Figure 6-2 LLDP Global Config

2) Choose the menu LLDP > Basic Config > Port Config to load the following page. Set the Admin Status of port Te1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets.

Figure 6-3 LLDP Port Config

6.1.5 Using CLI

1) Enable LLDP globally and configure the corresponding parameters.
Switch_A#configure
Switch_A(config)#lldp
Switch_A(config)#lldp hold-multiplier 4
Switch_A(config)#lldp timer tx-interval 30 tx-delay 2 reinit-delay 3 notify-interval 5 fastcount 3

2) Set the Admin Status of port Te1/0/1 to Tx&Rx, enable Notification Mode and configure all the TLVs included in the outgoing LLDP packets.
Admin Status: TxRx
SNMP Trap: Enabled
TLV                         Status
---                         ------
Port-Description            Yes
System-Capability           Yes
System-Description          Yes
System-Name                 Yes
Management-Address          Yes
Port-VLAN-ID                Yes
Protocol-VLAN-ID            Yes
VLAN-Name                   Yes
Link-Aggregation            Yes
MAC-Physic                  Yes
Max-Frame-Size              Yes
Power                       Yes
LLDP-MED Status: Disabled
TLV                         Status
---                         ------
Network Policy              Yes
Location Identification     Yes
Extended Power Via MDI      Yes
Inventory Management        Y
Port ID: TenGigabitEthernet1/0/1
Port description: TenGigabitEthernet1/0/1 Interface
TTL: 120
System name: T1700X-16TS
System description: JetStream 12-Port 10GBase-T Smart Switch with 4 10G SFP+ Slots
System capabilities supported: Bridge Router
System capabilities enabled: Bridge Router
Management address type: ipv4
Management address: 192.168.0.
LLDP-MED Capabilities:
Capabilities
Network Policy
Location Identification
Inventory
Device Type: Network Connectivity
Application type: Reserved
Unknown policy: Yes
Tagged: No
VLAN ID: 0
Layer 2 Priority: 0
DSCP: 0
Location Data Format: Civic Address LCI
- What: Switch
- Country Code: CN
Hardware Revision: T1700X-16TS 2.0
Firmware Revision: Reserved
Software Revision: 2.0.0 Build 20160905 Rel.
Port description: GigabitEthernet1/0/2 Interface
TTL: 120
System name: T1700X-16TS
System description: JetStream 12-Port 10GBase-T Smart Switch with 4 10G SFP+ Slots
System capabilities supported: Bridge Router
System capabilities enabled: Bridge Router
Management address type: ipv4
Management address: 192.168.0.
6.2 Example for Configuring LLDP-MED

6.2.1 Network Requirements

The marketing department needs to establish voice conversations with the field office. They want to install IP phones in their office and meet the following requirements:
Save the switch ports for more IP phones, because the number of ports on the switch in the office is limited;
The voice traffic is transmitted in a separate VLAN to guarantee the voice quality.
6.2.4 Using the GUI

1) Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Create VLAN 10, and name it Voice VLAN.

Figure 6-5 Creating a VLAN

2) Enable and configure the Voice VLAN. Choose the menu QoS > Voice VLAN > Global Config, enable Voice VLAN and set the VLAN ID to 10.
Figure 6-7 Configuring Voice VLAN Mode on Port 1/0/1

Figure 6-8 Configuring Voice VLAN Mode on Port 1/0/2
Choose the menu VLAN > 802.1Q VLAN > VLAN Config to load the following page. Add port 1/0/2 to the Voice VLAN.

Figure 6-9 Adding Port 1/0/2 to the Voice VLAN

3) Choose the menu LLDP > Basic Config > Global Config to load the following page and enable LLDP globally.

Figure 6-10 LLDP Global Config

4) Choose the menu LLDP > LLDP-MED > Global Config to load the following page and configure the fast start count. The default is 4.
Figure 6-12 LLDP-MED Port Config

Click Detail in the Port 1/0/1 entry to configure the TLVs included in the outgoing LLDP-MED packets.

Figure 6-13 LLDP-MED Port Config-Detail

In the Location Identification Parameters section, configure the detailed address of the IP phone. Click Apply.
Figure 6-14 Configure the detailed address of the IP phone

6.2.5 Using the CLI

1) Create VLAN 10 and name it Voice VLAN.

Switch_A(config)#vlan 10
Switch_A(config-vlan)#name Voice_VLAN
Switch_A(config)#voice vlan 10

2) Configure the Voice VLAN mode on port Te1/0/1 as Auto.
Switch_A(config)#interface ten-gigabitEthernet 1/0/2
Switch_A(config-if)#switchport voice vlan mode manual
Switch_A(config-if)#switchport general allowed vlan 10 tagged
Switch_A(config-if)#exit

4) Enable LLDP globally.

Switch_A(config)#lldp

5) Configure the fast start count of LLDP-MED. The default is 4.

Switch_A(config)# lldp med-fast-count 4

6) Enable LLDP-MED on port Te1/0/1.
Admin Status: TxRx
SNMP Trap: Enabled
TLV                         Status
---                         ------
Port-Description            Yes
System-Capability           Yes
System-Description          Yes
System-Name                 Yes
Management-Address          Yes
Port-VLAN-ID                Yes
Protocol-VLAN-ID            Yes
VLAN-Name                   Yes
Link-Aggregation            Yes
MAC-Physic                  Yes
Max-Frame-Size              Yes
Power                       Yes
LLDP-MED Status: Enabled
TLV                         Status
---                         ------
Network Policy              Yes
Location Identification     Yes
Extended Power Via MDI      Yes
Inventory Management        Ye
Port ID: TenGigabitEthernet1/0/1
Port description: TenGigabitEthernet1/0/1 Interface
TTL: 120
System name: Switch
System description: JetStream 12-Port 10GBase-T Smart Switch with 4 10G SFP+ Slots
System capabilities supported: Bridge Router
System capabilities enabled: Bridge Router
Management address type: ipv4
Management address: 192.168.0.
LLDP-MED Capabilities:
Capabilities
Network Policy
Location Identification
Inventory
Device Type: Network Connectivity
Application type: Reserved
Unknown policy: Yes
Tagged: No
VLAN ID: 0
Layer 2 Priority: 0
DSCP: 0
Location Data Format: Civic Address LCI
- What: Switch
- Country Code: CN
- Language: chinese
- Province/State: Guangdong
- County/Parish/District: China
- City/Township: Shenzhen
- Street: Keyuan Road
- Name: South Building
LLDP Neighbor Information:
ten-gigabitEthernet 1/0/1:
Neighbor index 1:
Chassis type: Network address
Chassis ID: 192.168.1.117
Port ID type: Locally assigned
Port ID: 64A0E714DC54:P1
Port description: SW PORT
TTL: 180
System name: SEP64A0E714DC54
System description: Cisco IP Phone 7931G,V4, term
System capabilities supported: Bridge Telephone
System capabilities enabled: Bridge Telephone
Management address type: ipv4
Management address: 192.
PSE pairs control ability:
Maximum frame size:
LLDP-MED Capabilities:
Capabilities
Network Policy
Extended Power via MDI - PD
Inventory
Device Type: Endpoint Class III
Application type: Voice
Unknown policy: No
Tagged: No
VLAN ID: 4095
Layer 2 Priority: 5
DSCP: 46
Application type: Voice Signaling
Unknown policy: No
Tagged: No
VLAN ID: 4095
Layer 2 Priority: 4
DSCP: 32
Power Type: PD Device
Power Source: Unknown
Power Priority: Unknow
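The neighbor information above is what the switch decoded from the phone's LLDPDU. The following Python is an added example, not TP-Link code, that builds and parses the same TLVs: Chassis ID, Port ID, TTL and System Name as listed under "LLDP Neighbor Information", the TTL = Hold Multiplier * Transmit Interval rule from the CLI reference (4 * 30 = 120, the "Interface TTL: 120" shown for the switch itself), and the LLDP-MED Network Policy TLV whose VLAN ID / Layer 2 Priority / DSCP fields appear as 4095 / 5 / 46 for the Voice application. The LLDPDU bytes are constructed here; only the field values are taken from the outputs above.

```python
"""Added example, not from the TP-Link guide: encode/decode LLDP TLVs
(IEEE 802.1AB) and the LLDP-MED Network Policy TLV (ANSI/TIA-1057) so the
neighbor fields printed above can be checked against the CLI settings.
The sample LLDPDU is constructed; the values follow the outputs above."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME, TLV_ORG = 0, 1, 2, 3, 5, 127
OUI_TIA = b"\x00\x12\xbb"        # OUI used by the LLDP-MED organizationally specific TLVs
MED_NETWORK_POLICY = 2           # LLDP-MED subtype: Network Policy


def lldp_ttl(hold_multiplier: int, tx_interval: int) -> int:
    """Value carried in the TTL TLV: Hold Multiplier * Transmit Interval."""
    return hold_multiplier * tx_interval


def tlv(tlv_type: int, value: bytes) -> bytes:
    """7-bit type and 9-bit length packed into one big-endian 16-bit header."""
    assert tlv_type < 128 and len(value) < 512
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def network_policy_tlv(app_type, vlan_id, l2_priority, dscp, unknown=False, tagged=False):
    """app(8) | U(1) | T(1) | reserved(1) | VLAN(12) | L2 priority(3) | DSCP(6)."""
    word = ((app_type << 24) | (int(unknown) << 23) | (int(tagged) << 22)
            | (vlan_id << 9) | (l2_priority << 6) | dscp)
    return tlv(TLV_ORG, OUI_TIA + bytes([MED_NETWORK_POLICY]) + struct.pack("!I", word))


def parse_lldpdu(data: bytes):
    """Yield (type, value) pairs up to the End of LLDPDU TLV; reject truncation."""
    off = 0
    while off + 2 <= len(data):
        header, = struct.unpack("!H", data[off:off + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV of type %d" % tlv_type)
        if tlv_type == TLV_END:
            return
        yield tlv_type, value
        off += 2 + length


def decode_neighbor(data: bytes) -> dict:
    """Extract the fields the switch shows under LLDP Neighbor Information."""
    info = {"policies": []}
    for tlv_type, v in parse_lldpdu(data):
        if tlv_type == TLV_CHASSIS_ID and v[0] == 5 and v[1] == 1:   # network address, IPv4
            info["chassis_id"] = ".".join(str(b) for b in v[2:6])
        elif tlv_type == TLV_PORT_ID and v[0] == 7:                   # locally assigned
            info["port_id"] = v[1:].decode()
        elif tlv_type == TLV_TTL:
            info["ttl"], = struct.unpack("!H", v[:2])
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = v.decode()
        elif tlv_type == TLV_ORG and v[:3] == OUI_TIA and v[3] == MED_NETWORK_POLICY:
            w, = struct.unpack("!I", v[4:8])
            info["policies"].append({
                "app_type": w >> 24, "unknown": bool((w >> 23) & 1),
                "tagged": bool((w >> 22) & 1), "vlan_id": (w >> 9) & 0xFFF,
                "l2_priority": (w >> 6) & 0x7, "dscp": w & 0x3F})
    return info


# Constructed LLDPDU resembling the IP phone neighbor printed above.
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, b"\x05\x01" + bytes([192, 168, 1, 117]))
    + tlv(TLV_PORT_ID, b"\x07" + b"64A0E714DC54:P1")
    + tlv(TLV_TTL, struct.pack("!H", 180))
    + tlv(TLV_SYSTEM_NAME, b"SEP64A0E714DC54")
    + network_policy_tlv(app_type=1, vlan_id=4095, l2_priority=5, dscp=46)   # Voice
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print("switch TTL with defaults:", lldp_ttl(4, 30))
    print(decode_neighbor(SAMPLE_LLDPDU))
```

LLDP frames are unauthenticated, so the Network Policy the switch advertises is trusted by whatever is plugged into the port; keep LLDP-MED enabled only on ports meant for phones, and treat neighbor fields such as System name as informational, not as identity.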
7 Appendix: Default Parameters

Default settings of LLDP are listed in the following tables.
Part 22 Configuring Maintenance

CHAPTERS
1. Maintenance
2. Monitoring the System
3. System Log Configurations
4. Diagnosing the Device
5. Diagnosing the Network
6. Configuration Example for Remote Log
7.
Configuring Maintenance

1 Maintenance

1.1 Overview

The maintenance module assembles various system tools for network troubleshooting.

1.2 Supported Features

The maintenance module includes system monitor, log, device diagnose, and network diagnose.

System Monitor: You can monitor the memory and CPU utilization of the switch.
Log: You can check system messages for debugging and network management.
2 Monitoring the System

The system monitor configurations include:
Monitoring the CPU;
Monitoring the memory.

Configuration Guidelines

The CPU and memory utilization should always stay under 80%; excessive use may result in switch malfunctions, for example, the switch failing to respond to management requests. In such situations, you can monitor the system to verify a CPU or memory utilization problem.

2.1 Using the GUI

2.1.
Click Monitor to enable the switch to monitor and display its CPU utilization rate every four seconds.

2.1.2 Monitoring the Memory

Choose the menu Maintenance > System Monitor > Memory Monitor to load the following page.

Figure 2-2 Monitoring the Memory

Click Monitor to enable the switch to monitor and display its memory utilization rate every four seconds.

2.2 Using the CLI

2.2.
show cpu-utilization
View the memory utilization of the switch in the last 5 seconds, 1 minute and 5 minutes.

The following example shows how to monitor the CPU:

Switch#show cpu-utilization
Unit | No. | CPU Utilization
     |     | Five-Seconds   One-Minute   Five-Minutes
-----+-----+---------------------------------------------
  1  |     | 13%            13%          13%

2.2.
3 System Log Configurations

System log configurations include:
Configuring the local log;
Configuring the remote log;
Backing up log files;
Viewing the log table.

Configuration Guidelines

Logs are classified into the following eight levels. Messages of levels 0 to 4 mean the functionality of the switch is affected. Please take action according to the log message.
3.1 Using the GUI

3.1.1 Configuring the Local Log

Choose the menu Maintenance > Log > Local Log to load the following page.

Figure 3-1 Configuring the Local Log

Follow these steps to configure the local log:
1) Select your desired channel and configure the corresponding severity and status.

Channel: Local log includes 2 channels: log buffer and log file. Log buffer indicates the RAM for saving system logs. The channel is enabled by default.
Choose the menu Maintenance > Log > Remote Log to load the following page.

Figure 3-2 Configuring the Remote Log

Follow these steps to configure the remote log:
1) Select an entry to enable the status, and then set the host IP address and severity.

Host IP: Specify an IP address for the log host.
UDP Port: Displays the UDP port that receives and sends the log information. The switch uses the standard port 514.
Figure 3-4 Viewing the Log Table

Select a module and a severity to view the corresponding log information.

Time: To get the exact time when the log event occurs, you need to configure the system time on the System > System Info > System Time Web management page.
Module: Select a module from the drop-down list to display the corresponding log information.

3.2
Step 3   logging buffer level level
         Specify the severity level of the log information that should be saved to the buffer.
         level: Enter the severity level, ranging from 0 to 7. The smaller value has the higher priority. Only logs with the same or a smaller severity level value can be saved. The default level is 6, indicating that the log information of levels 0 to 6 will be saved in the log buffer.
Channel    Level   Status   Sync-Periodic
-------    -----   ------   -------------
Buffer     5       enable   Immediately
Flash      2       enable   10 hour(s)
Monitor    5       enable   Immediately
Switch(config)#end
Switch#copy running-config startup-config

3.2.2 Configuring the Remote Log

Remote Log enables the switch to send system logs to a host. To display the logs, the host should run a log server that complies with the syslog standard.
Switch(config)# show logging loghost
Index   Host-IP          Severity   Status
-----   -------          --------   -------
1       0.0.0.0          6          disable
2       192.168.0.148    5          enable
3       0.0.0.0          6          disable
4       0.0.0.
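The severity rule that both the local channels and the remote log host apply (a message is kept only when its level is the same as or lower than the channel's configured level, with 0 the most severe) is easy to get wrong when reading logs on the collector side. The following Python is an added example, not TP-Link code: a small syslog parser that splits the RFC 3164 priority into facility and severity, routes a message to the channels that would keep it using the levels from the "show logging" outputs above (buffer 5, flash 2, monitor 5, remote host 192.168.0.148 at 5), flags levels 0 to 4 as needing action, and optionally listens on UDP 514 as the log host. The sample log lines and channel names are constructed.

```python
"""Added example, not from the TP-Link guide: a syslog parser/filter that
applies the guide's severity rule per channel, plus a UDP/514 receiver for
the remote-log host. Channel levels follow the outputs above; channel names,
facility numbers and the sample log lines are constructed."""
import re
import socket

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]   # levels 0-7
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line: str):
    """Split '<PRI>message' into (facility, severity, message); PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def needs_action(severity: int) -> bool:
    """Levels 0 to 4 mean switch functionality is affected (configuration guideline above)."""
    return severity <= 4


class Channel:
    """One log channel: buffer, file (flash), monitor, or a remote host entry."""
    def __init__(self, name: str, level: int, enabled: bool = True):
        self.name, self.level, self.enabled = name, level, enabled

    def accepts(self, severity: int) -> bool:
        # same or smaller severity value than the configured level is kept
        return self.enabled and severity <= self.level


# Levels as shown by "show logging local" / "show logging loghost" above.
CHANNELS = [Channel("buffer", 5), Channel("flash", 2), Channel("monitor", 5),
            Channel("loghost-192.168.0.148", 5),
            Channel("loghost-0.0.0.0", 6, enabled=False)]   # entries 1, 3, 4 are disabled


def route(line: str, channels=CHANNELS):
    """Names of the channels that would keep this message."""
    _, severity, _ = parse_pri(line)
    return [c.name for c in channels if c.accepts(severity)]


# Constructed sample lines; facility local0 (16) for the first, second and fourth.
SAMPLE_LINES = [
    "<134>Jan  1 00:00:01 Switch Line protocol on Te1/0/1 changed to up",      # informational (6)
    "<131>Jan  1 00:00:02 Switch Login failed for admin from 192.168.0.99",    # error (3)
    "<10>Jan  1 00:00:03 Switch CPU utilization exceeded 80%",                  # user.critical (2)
    "<135>Jan  1 00:00:04 Switch DHCP snooping packet trace",                   # debug (7)
]


def serve(bind_addr: str = "0.0.0.0", port: int = 514):
    """Run as the log host: receive UDP syslog (the switch uses port 514)
    and print facility, severity and routing for each line. Binding port 514
    needs privileges; this loop is not exercised by the tests."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (host, _) = sock.recvfrom(4096)
        line = data.decode("utf-8", errors="replace")
        facility, severity, msg = parse_pri(line)
        print("%s fac=%d sev=%s action=%s kept_by=%s: %s" % (
            host, facility, SEVERITY_NAMES[severity], needs_action(severity),
            ",".join(route(line)), msg))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(route(sample), sample)
```

Note what the configured levels imply: with every channel at level 5 or below, informational (6) events such as link changes are kept nowhere, while the flash channel at level 2 records only critical and worse. Raise the remote host's level if the collector is expected to see notices, and keep the collector's own filter no stricter than the switch's.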
4 Diagnosing the Device

4.1 Using the GUI

Choose the menu Maintenance > Device Diagnose > Cable Test to load the following page.

Figure 4-1 Diagnosing the Device

1) In the Port section, select your desired port for the test.
2) In the Result section, click Apply and check the test results.

Port: Select the port for cable testing. The interval between two cable tests for one port must be more than 3 seconds.
Pair: Displays the Pair number.
Status: Displays the cable status. Test results include normal, close, open and crosstalk.
Normal: The cable is normally connected.
Close: A short circuit caused by an abnormal contact of wires in the cable.
Open: No device is connected to the other end or the connectivity is broken.
Crosstalk: Impedance mismatch caused by the poor quality of the cable.
Length: If the connection status is normal, the length range of the cable is displayed here.

4.2
5 Diagnosing the Network

The configuration includes:
Configuring the Ping Test;
Configuring the Tracert Test.

5.1 Using the GUI

5.1.1 Configuring the Ping Test

Choose the menu Maintenance > Network Diagnose > Ping to load the following page.
Destination IP: Enter the IP address of the destination node for the Ping test. Both IPv4 and IPv6 are supported.
Ping Times: Enter the number of times to send test data for the Ping test. We recommend that you keep the default of 4 times.
Data Size: Enter the size of the data to send for the Ping test. We recommend that you keep the default of 64 bytes.
Interval: Specify the interval at which to send ICMP request packets. We recommend that you keep the default of 1000 milliseconds.
ping [ ip | ipv6 ] { ip_addr } [ -n count ] [ -l count ] [ -i count ]
Test the connectivity between the switch and the destination device.
ip: The type of the IP address for the ping test should be IPv4.
ipv6: The type of the IP address for the ping test should be IPv6.
ip_addr: The IP address of the destination node for the ping test. If the parameter ip/ipv6 is not selected, both IPv4 and IPv6 addresses are supported, such as 192.168.0.100 or fe80::1234.
tracert [ ip | ipv6 ] ip_addr [ maxHops ]
Test the connectivity of the gateways along the path from the source to the destination.
ip: The type of the IP address for the tracert test should be IPv4.
ipv6: The type of the IP address for the tracert test should be IPv6.
ip_addr: Enter the IP address of the destination device. If the parameter ip/ipv6 is not selected, both IPv4 and IPv6 addresses are supported, such as 192.168.0.100 or fe80::1234.
6 Configuration Example for Remote Log

6.1 Network Requirements

The company network manager needs to monitor the network of department A for troubleshooting.

Figure 6-1 Network Topology
Figure labels: Department A; Switch IP: 1.1.0.2/16; PC IP: 1.1.0.1/16

6.2 Configuration Scheme

The network manager can configure the remote log to receive system logs from the monitored devices.
6.4 Using the CLI

Configure the remote log host.

Switch#configure
Switch(config)# logging host index 1 1.1.0.1 5
Switch(config)#end
Switch#copy running-config startup-config

Verify the Configurations

Switch# show logging loghost
Index   Host-IP    Severity   Status
-----   -------    --------   -------
1       1.1.0.1    5          enable
2       0.0.0.0    6          disable
3       0.0.0.0    6          disable
4       0.0.0.
7 Appendix: Default Parameters

Default settings of maintenance are listed in the following tables.

Table 7-1 Default Settings of Local Log
Parameter                          Default Setting
Status of Log Buffer               Enabled
Severity of Log Buffer             Level_6
Sync-Periodic of Log Buffer        Immediately
Status of Log File                 Disabled
Severity of Log File               Level_3
Sync-Periodic of Log File          24 hours

Table 7-2 Default Settings of Remote Log
Parameter                          Default Setting
Host IP                            0.
Part 23 Configuring SNMP & RMON

CHAPTERS
1. SNMP Overview
2. SNMP Configurations
3. Notification Configurations
4. RMON Overview
5. RMON Configurations
6. Configuration Example
7.
Configuring SNMP & RMON

1 SNMP Overview

SNMP (Simple Network Management Protocol) is a standard network management protocol, widely used on TCP/IP networks. It facilitates device management using NMS (Network Management System) software. With SNMP, network managers can view or modify network device information, and troubleshoot in a timely manner according to notifications sent by those devices. The device supports three SNMP versions: SNMPv1, SNMPv2c and SNMPv3.
2 SNMP Configurations

To complete the SNMP configuration, choose an SNMP version according to your network requirements and the supportability of the NMS software, and then follow these steps:

Choose SNMPv3
1) Enable SNMP.
2) Create an SNMP view for managed objects.
3) Create an SNMP group, and specify the access rights.
4) Create SNMP users, and configure the authentication mode, privacy mode and corresponding passwords.

Choose SNMPv1 or SNMPv2c
1) Enable SNMP.
2.1 Using the GUI

2.1.1 Enabling SNMP

Choose the menu SNMP > SNMP Config > Global Config to load the following page.

Figure 2-1 Global Config

Follow these steps to configure SNMP globally:
1) In the Global Config section, enable SNMP. Click Apply.
2) In the Local Engine section, configure the local engine ID. Click Apply.

    Local Engine ID  Set the ID of the local SNMP Agent with 10 to 64 hexadecimal digits.
Choose the menu SNMP > SNMP Config > SNMP View to load the following page.

Figure 2-2 SNMP View

Set the view name and one MIB variable that is related to the view. Choose the view type and click Create to add the view entry.

    View Name      Set the view name with 1 to 16 characters. A complete view consists of all MIB objects that have the same view name.
    MIB Object ID  Enter a MIB Object ID to specify a specific function of the device.
Choose the menu SNMP > SNMP Config > SNMP Group to load the following page.

Figure 2-3 SNMP Group

Follow these steps to create an SNMP Group:
1) Set the group name and security model. If you choose SNMPv3 as the security model, you need to further configure the security level.

    Group Name  Set the SNMP group name. You may enter 1 to 16 characters. The identifier of a group consists of a group name, security model and security level.
    Read View   Choose a view whose parameters the NMS is allowed to view but not modify. The view is necessary for any group. By default, the view is viewDefault. To let the NMS modify parameters of a view, you also need to add it to Write View.
    Write View  Choose a view whose parameters the NMS is allowed to modify but not view. The default is none. The view in Write View should also be added to Read View.
    Security Model  Choose the SNMP version of the security model. The default is SNMPv1. The setting should be identical with that of the specified group.
                    v1: The group's security model is SNMPv1.
                    v2c: In this mode, the Community Name is used for authentication. You can configure the Community Name on the SNMP Community page.
                    v3: The group's security model is SNMPv3.
    Security Level  Set the security level for the SNMPv3 group. The default is noAuthNoPriv.
Choose the menu SNMP > SNMP Config > SNMP Community to load the following page.

Figure 2-5 SNMP Community

Set the community name, access rights and the related view. Click Create.

    Community Name  Set the community name with 1 to 16 characters. For SNMPv1 and SNMPv2c, the community name is matched for authentication.
    Access          Specify the access right to the related view. The default is read-only.
Step 3  snmp-server engineID {[ local local-engineID ] [ remote remote-engineID ]}
        (Optional) Configure the local engine ID and the remote engine ID.
        local-engineID: Enter the local engine ID with 10 to 64 hexadecimal digits. The ID must contain an even number of characters. It is a unique alphanumeric string used to identify the SNMP engine on the switch.
        remote-engineID: Enter the remote engine ID with 10 to 64 hexadecimal digits.
    0 Get-next PDUs
    0 Set-request PDUs
    0 SNMP packets output
    0 Too big errors(Maximum packet size 1500)
    0 No such name errors
    0 Bad value errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
    Switch(config)#show snmp-server engineID
    Local engine ID : 80002e5703000aeb132397
    Remote engine ID: 123456789a
    Switch(config)#end
    Switch#copy running-config startup-config

2.2.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to set a view that allows the NMS to manage all functions. Name the view View:

    Switch#configure
    Switch(config)#snmp-server view View 1 include
    Switch(config)#show snmp-server view
    No.  View Name    Type     MOID
    ---  -----------  -------  --------------
    1    viewDefault  include  1
    2    viewDefault  exclude  1.3.6.1.6.3.15
    3    viewDefault  exclude  1.3.6.1.6.3.
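The view entries shown by show snmp-server view (and the View Name / MIB Object ID / view type fields of the SNMP View page) are evaluated per object: the entry whose subtree is the longest prefix of a requested OID decides whether that OID is visible. The following is an added example, not TP-Link code, that reproduces this evaluation in Python so an administrator can check what a given view exposes before binding it to a group or community. It assumes the longest-prefix rule of RFC 3415 (VACM); the entries are taken from the output above (the truncated third viewDefault exclude is left out), and the sample OIDs are constructed. It also shows the practical difference between viewDefault, which excludes the SNMPv3 user MIB, and the example view View, which includes the whole tree.

```python
"""SNMP view membership check (added example, not TP-Link's code).

Assumes the view evaluation rule of RFC 3415 (VACM): among all view entries
whose subtree is a prefix of the requested OID, the longest one wins, and its
type (include/exclude) decides whether the object is visible.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ViewEntry:
    view_name: str   # "View Name" column of show snmp-server view
    subtree: str     # "MOID" column, e.g. "1.3.6.1.6.3.15"
    include: bool    # True for type include, False for exclude


def parse_oid(oid: str) -> Tuple[int, ...]:
    """Turn a dotted OID such as "1.3.6.1.2.1.1.5.0" into a tuple of ints."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))


def is_visible(view: List[ViewEntry], oid: str) -> bool:
    """Return True if `oid` is reachable through the given view entries."""
    target = parse_oid(oid)
    best: Optional[ViewEntry] = None
    best_len = -1
    for entry in view:
        prefix = parse_oid(entry.subtree)
        # A subtree matches when it is a prefix of the target; keep the longest.
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best, best_len = entry, len(prefix)
    # No matching subtree at all means the object is outside the view.
    return best is not None and best.include


def exposed(view: List[ViewEntry], oids: List[str]) -> List[str]:
    """Subset of `oids` that the view lets an NMS reach; useful for auditing
    what a community or group bound to this view can actually see."""
    return [oid for oid in oids if is_visible(view, oid)]


# Entries copied from the guide's show snmp-server view output: viewDefault
# includes the whole tree (MOID 1) and excludes 1.3.6.1.6.3.15, the SNMPv3
# usmMIB that holds the user table. The guide's third exclude line is
# truncated in the source, so it is not reproduced here.
VIEW_DEFAULT = [
    ViewEntry("viewDefault", "1", True),
    ViewEntry("viewDefault", "1.3.6.1.6.3.15", False),
]

# The view named View created in the example: MOID 1, type include, with no
# exclusions, so every object is visible through it.
VIEW_ALL = [ViewEntry("View", "1", True)]

# Constructed sample OIDs: sysName.0 from MIB-II, and usmUserSecurityName
# inside usmUserTable (under the excluded 1.3.6.1.6.3.15 subtree).
SAMPLE_OIDS = ["1.3.6.1.2.1.1.5.0", "1.3.6.1.6.3.15.1.2.2.1.3"]

if __name__ == "__main__":
    for name, view in (("viewDefault", VIEW_DEFAULT), ("View", VIEW_ALL)):
        print(name, "exposes", exposed(view, SAMPLE_OIDS))
```

Running the block shows that viewDefault exposes only sysName.0 from the sample list, while View exposes both OIDs, including the usmUserTable entry that the default view hides; this is why a view built from MOID 1 with no excludes should be bound only to groups that genuinely need full access.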
Step 2  snmp-server group name [ smode { v1 | v2c | v3 } ] [ slev { noAuthNoPriv | authNoPriv | authPriv } ] [ read read-view ] [ write write-view ] [ notify notify-view ]
        Set an SNMP group.
        name: Enter the group name with 1 to 16 characters. The identifier of a group consists of a group name, security model and security level. Groups with the same identifier are recognized as the same group.
2.2.4 Creating SNMP Users

Configure users of the SNMP group. Users belong to the group and use the same security level and access rights as the group.

Step 1  configure
        Enter global configuration mode.
Step 2  snmp-server user name { local | remote } group-name [ smode { v1 | v2c | v3 } ] [ slev { noAuthNoPriv | authNoPriv | authPriv } ] [ cmode { none | MD5 | SHA } ] [ cpwd confirm-pwd ] [ emode { none | DES } ] [ epwd encrypt-pwd ]
security level, SHA as the authentication algorithm, 1234 as the authentication password, DES as the privacy algorithm and 1234 as the privacy password:

    Switch#configure
    Switch(config)#snmp-server user admin remote nms-monitor smode v3 slev authPriv cmode SHA cpwd 1234 emode DES epwd 1234
    Switch(config)#show snmp-server user
    No.
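The engine ID, group and user commands above carry constraints that the switch checks one command at a time but that are easy to get wrong across commands: the engine ID must be 10 to 64 hexadecimal digits with an even count, names are 1 to 16 characters, a user must use its group's security model and level, and the security level only applies to SNMPv3. The following is an added example, not TP-Link code, that audits a planned configuration for these rules before it is typed in. It assumes, from the SNMPv3 USM definitions rather than from this guide, that authNoPriv requires an authentication mode and authPriv requires both an authentication and a privacy mode; the engine IDs, group and user are the ones from the guide's examples, and the failing user is constructed.

```python
"""Consistency checks for snmp-server engineID / group / user parameters
(added example, not TP-Link's code).

Rules taken from the guide: engine IDs are 10 to 64 hexadecimal digits with
an even count; names are 1 to 16 characters; a user uses its group's security
model and level; the security level applies to SNMPv3 groups only. Assumed
from SNMPv3 USM: authNoPriv needs an auth mode, authPriv needs auth and
privacy modes.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

HEX_DIGITS = re.compile(r"^[0-9a-fA-F]+$")


def engine_id_problems(engine_id: str) -> List[str]:
    """Return the list of rule violations for one engine ID (empty if valid)."""
    problems = []
    if not HEX_DIGITS.match(engine_id):
        problems.append("engine ID must consist of hexadecimal digits")
    if not 10 <= len(engine_id) <= 64:
        problems.append("engine ID must be 10 to 64 digits long")
    if len(engine_id) % 2:
        problems.append("engine ID must contain an even number of digits")
    return problems


@dataclass
class Group:
    name: str
    smode: str = "v1"            # v1 | v2c | v3   (guide default: SNMPv1)
    slev: str = "noAuthNoPriv"   # noAuthNoPriv | authNoPriv | authPriv


@dataclass
class User:
    name: str
    group: str
    smode: str = "v1"
    slev: str = "noAuthNoPriv"
    cmode: str = "none"          # none | MD5 | SHA
    emode: str = "none"          # none | DES


def group_problems(group: Group) -> List[str]:
    problems = []
    if not 1 <= len(group.name) <= 16:
        problems.append(f"group {group.name!r}: name must be 1 to 16 characters")
    if group.smode != "v3" and group.slev != "noAuthNoPriv":
        problems.append(f"group {group.name!r}: security level applies to SNMPv3 only")
    return problems


def user_problems(user: User, groups: Dict[str, Group]) -> List[str]:
    problems = []
    if not 1 <= len(user.name) <= 16:
        problems.append(f"user {user.name!r}: name must be 1 to 16 characters")
    group = groups.get(user.group)
    if group is None:
        problems.append(f"user {user.name!r}: group {user.group!r} does not exist")
    elif (user.smode, user.slev) != (group.smode, group.slev):
        problems.append(f"user {user.name!r}: security model/level differ from group {group.name!r}")
    if user.slev in ("authNoPriv", "authPriv") and user.cmode == "none":
        problems.append(f"user {user.name!r}: {user.slev} requires an authentication mode")
    if user.slev == "authPriv" and user.emode == "none":
        problems.append(f"user {user.name!r}: authPriv requires a privacy mode")
    return problems


def audit(engine_ids: Iterable[str], groups: List[Group], users: List[User]) -> List[str]:
    """Run every check and return all findings; an empty list means consistent."""
    by_name = {g.name: g for g in groups}
    problems = [f"engine ID {e!r}: {p}" for e in engine_ids for p in engine_id_problems(e)]
    for g in groups:
        problems += group_problems(g)
    for u in users:
        problems += user_problems(u, by_name)
    return problems


# Values from the guide's own examples.
ENGINE_IDS = ["80002e5703000aeb132397", "123456789a"]
GROUPS = [Group("nms-monitor", "v3", "authPriv")]
USERS = [User("admin", "nms-monitor", "v3", "authPriv", "SHA", "DES")]

# Constructed user that claims authPriv but configures no privacy mode.
BAD_USER = User("readonly", "nms-monitor", "v3", "authPriv", "MD5", "none")

if __name__ == "__main__":
    print("guide example:", audit(ENGINE_IDS, GROUPS, USERS) or "consistent")
    print("constructed user:", audit(ENGINE_IDS, GROUPS, [BAD_USER]))
```

The audit returns an empty list for the guide's example and flags the constructed user; the same checks are what to apply when the show snmp-server user output and the group definition are reviewed on a running switch.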
    Switch(config)#snmp-server community nms-monitor read-write View
    Switch(config)#show snmp-server community
    Index  Name         Type        MIB-View
    -----  -----------  ----------  --------
    1      nms-monitor  read-write  View
    Switch(config)#end
    Switch#copy running-config startup-config
3 Notification Configurations

With Notification enabled, the switch can send notifications to the NMS about important events relating to the device's operation. This facilitates monitoring and management by the NMS.

Configuration Guidelines
To guarantee communication between the switch and the NMS, ensure the switch and the NMS are able to reach one another. Functions of the SNMP Extend Trap can be configured only with the CLI.
    IP Mode  Choose an IP mode for the host, which should be coordinated with the IP Address.

2) Specify the user name or community name used by the NMS, and configure the security model and security level based on the settings of the user or community.

    User Name       Specify the user name or community name used by the NMS.
    Security Model  Choose the corresponding SNMP version for the NMS.
3.2 Using the CLI

3.2.1 Configuring the Host

Configure the parameters of the NMS host and the packet handling mechanism.

Step 1  configure
        Enter global configuration mode.
Step 2  snmp-server host ip udp-port user-name [ smode { v1 | v2c | v3 } ] [ slev { noAuthNoPriv | authNoPriv | authPriv } ] [ type { trap | inform } ] [ retries retries ] [ timeout timeout ]
        Configure the parameters of the NMS host and the packet handling mechanism.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to set the NMS host IP address as 172.168.1.222, the UDP port as 162, the name used by the NMS as admin, the security model as SNMPv3, the security level as authPriv, the notification type as Inform, the retry times as 3, and the timeout interval as 100 seconds:

    Switch#configure
    Switch(config)#snmp-server host 172.168.1.
Step 3  end
        Return to privileged EXEC mode.
Step 4  copy running-config startup-config
        Save the settings in the configuration file.
Step 2  interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }
        Configure notification traps on the specified ports.
        port/port-list: The number or the list of the Ethernet ports on which you want to configure notification traps.
4 RMON Overview

RMON (Remote Network Monitoring), together with the SNMP system, allows the network manager to monitor remote network devices efficiently. RMON reduces the traffic between the NMS and managed devices, which is convenient for management in large networks. RMON includes two parts: the NMS and the Agents running on every network device. The NMS is usually a host that runs the management software to manage the Agents of the network devices.
5 RMON Configurations

With RMON configurations, you can:
    Configure the statistics group.
    Configure the history group.
    Configure the event group.
    Configure the alarm group.

Configuration Guidelines
To ensure that the NMS receives notifications normally, complete the configurations of SNMP and SNMP Notification before the RMON configurations.

5.1 Using the GUI

5.1.
Specify the entry ID, the port to be monitored, and the owner name of the entry. Set the entry as valid or underCreation, and click Create.

    ID      Enter the ID of the entry.
    Port    Click Choose to specify an Ethernet port to be monitored in the entry, or enter the port number in the format 1/0/1.
    Owner   Enter the owner name of the entry with 1 to 16 characters.
    Status  Set the entry as valid or underCreation. By default, it is valid.
    Interval     Set the sample interval from 10 to 3600 seconds; the default is 1800 seconds. Every history entry has its own timer. For the monitored port, the switch collects packet information and generates a record every interval.
    Max Buckets  Set the maximum number of records for the history entry. When the number of records exceeds the limit, the earliest record is overwritten. The range is 10 to 130; the default is 50.
    Description  Give a description of the event.
    Type         Specify the action type of the event; the switch takes the specified action when the event occurs. By default, the type is None.
                 None: No action.
                 Log: The switch records the event in the log, and the NMS should initiate requests to get the notifications.
                 Notify: The switch sends notifications to the NMS.
                 Log&Notify: The switch records the event in the log and sends notifications to the NMS.
    Variable  Set the alarm variable to be monitored. The switch monitors the specified variable at each sample interval and acts in the configured way when the alarm is triggered. The default variable is RecBytes.
              RecBytes: Total received bytes.
              RecPackets: Total received packets.
              BPackets: Total broadcast packets.
              MPackets: Total multicast packets.
              CRC&Align ERR: Packets that range from 64 to 1518 bytes and contain an FCS Error or Alignment Error.
    Alarm Type  Specify the alarm type for the entry. By default, the alarm type is all.
                Rising: The alarm is triggered only when the sampled value exceeds the rising threshold.
                Falling: The alarm is triggered only when the sampled value is below the falling threshold.
                All: The alarm is triggered when the sampled value exceeds the rising threshold or is below the falling threshold.

3) Enter the owner name, and set the status of the entry. Click Apply.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to create two statistics entries on the switch to monitor ports 1/0/1 and 1/0/2 respectively.
Step 3  show rmon history [ index ]
        Display the specified history entry and related configurations.
        index: Enter the index of the history entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to create a history entry on the switch to monitor port 1/0/1.
Step 2  rmon event index [ user user-name ] [ description description ] [ type { none | log | notify | log-notify } ] [ owner owner-name ]
        Configure RMON event entries.
        index: Enter the index of the event entry from 1 to 12, in the format 1-3 or 5.
        user-name: Enter the SNMP user name or community name of the entry. The name should be the one you set in SNMP previously. The default name is public.
Step 3  show rmon alarm [ index ]
        Display the specified alarm entry and related configurations.
        index: Enter the index of the alarm entries that you want to view. The range is 1 to 12, and the format is 1-3 or 5.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        Save the settings in the configuration file.

The following example shows how to set an alarm entry to monitor BPackets on the switch.
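The alarm group described in the GUI section (Variable, rising and falling thresholds, Alarm Type) and configured by rmon alarm above does more than compare one sample against a threshold: RMON alarms are edge-triggered with hysteresis, so after a rising event no further rising event fires until the value has come back down to the falling threshold, and vice versa, which is what keeps a port hovering around a threshold from flooding the NMS with notifications. The following is an added example, not TP-Link code, that implements these semantics in Python as defined by RFC 2819, so the behaviour of an entry can be reasoned about before it is deployed. It uses the thresholds and event indexes from this chapter's configuration example (rising 3000 bound to event 1, falling 2000 bound to event 2, BPackets, absolute sampling, startup type All); the broadcast-packet readings are constructed. The RFC compares with >= and <= where the guide says "exceeds" and "is below"; the code follows the RFC. It also covers the delta sample type and the Rising/Falling startup types, which the guide mentions but does not walk through.

```python
"""RMON alarm evaluation (added example, not TP-Link's code).

Implements the alarmTable semantics of RFC 2819: a sample (absolute value,
or delta between consecutive readings) is compared against a rising and a
falling threshold. After a rising event no further rising event fires until
the value has reached the falling threshold, and vice versa. Comparisons are
>= and <= as in the RFC.
"""
from typing import List, Optional


class RmonAlarm:
    def __init__(self, rising: int, falling: int, rising_event: int, falling_event: int,
                 sample_type: str = "absolute", startup: str = "all") -> None:
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.sample_type = sample_type        # "absolute" | "delta"
        self.startup = startup                # "rising" | "falling" | "all"
        self.prev_raw: Optional[int] = None   # last counter reading (delta mode)
        self.first = True                     # no sample evaluated yet
        self.rising_armed = True              # may a rising event fire now?
        self.falling_armed = True             # may a falling event fire now?

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading taken at the sample interval; return the index of
        the event entry to trigger, or None when nothing fires."""
        if self.sample_type == "delta":
            # Delta mode needs two readings before it has a value to compare.
            if self.prev_raw is None:
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw

        event = None
        if value >= self.rising:
            # The very first sample only fires if the startup type allows it.
            if self.rising_armed and (not self.first or self.startup in ("rising", "all")):
                event = self.rising_event
            # Crossing the rising threshold disarms rising and re-arms falling.
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling:
            if self.falling_armed and (not self.first or self.startup in ("falling", "all")):
                event = self.falling_event
            self.falling_armed, self.rising_armed = False, True
        # Values strictly between the thresholds change nothing.
        self.first = False
        return event


def run_alarm(samples: List[int], **kwargs) -> List[Optional[int]]:
    """Evaluate a whole series of readings with one alarm entry."""
    alarm = RmonAlarm(**kwargs)
    return [alarm.sample(v) for v in samples]


# Entry from the guide's example: BPackets, absolute, rising 3000 -> event 1
# (Notify, "rising notify"), falling 2000 -> event 2 (Log, "falling log").
GUIDE_ALARM = dict(rising=3000, falling=2000, rising_event=1, falling_event=2,
                   sample_type="absolute", startup="all")

# Constructed broadcast-packet readings, one per 10-second interval.
BROADCAST_SAMPLES = [1500, 2500, 3200, 3500, 2800, 1900, 3100]

if __name__ == "__main__":
    for reading, fired in zip(BROADCAST_SAMPLES, run_alarm(BROADCAST_SAMPLES, **GUIDE_ALARM)):
        print(f"BPackets={reading:5d} -> event {fired}")
```

With the constructed readings the entry fires event 2 on the first sample (startup All and the value is at or below 2000), event 1 at 3200, nothing at 3500 because rising is already disarmed, event 2 again at 1900 and event 1 at 3100. Reading 3500 producing no second notification is the hysteresis that the Alarm Type and threshold pair give you; choosing a falling threshold well below the rising one is what prevents a flapping counter from generating a Notify per interval.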
6 Configuration Example

6.1 Network Requirements

A company that deploys an NMS to monitor the operation status of TP-Link switches has the following requirements:
1) Monitor the traffic flow of specified ports, and send notifications to the NMS when the actual rate of transmitting and receiving packets exceeds the preset threshold.
2) Monitor the sending status of specified ports, and regularly collect and save data for follow-up checks.
6.3 Network Topology

As shown in the following figure, the NMS host with IP address 172.168.1.222 is connected to the core switch, Switch B. On Switch A, ports 1/0/1 and 1/0/2 are monitored by the NMS; port 1/0/3 is connected to Switch B, and port 1/0/3 and the NMS are able to reach one another.

Figure 6-1 Network Topology (Switch A ports Te1/0/1, Te1/0/2, Te1/0/3; Switch B; NMS)
Figure 6-2 Enabling SNMP

2) Choose SNMP > SNMP Config > SNMP View to load the following page. Name the SNMP view View, set the MIB Object ID as 1 (which means all functions), and set the view type as Include. Click Create.

Figure 6-3 SNMP View Configuration

3) Choose SNMP > SNMP Config > SNMP Group to load the following page.
Figure 6-4 SNMP Group Configuration

4) Choose SNMP > SNMP Config > SNMP User to load the following page. Create a user named admin for the NMS, set the user type as Remote User and specify the group name. Set the Security Model and Security Level in accordance with those of the group nms-monitor. Choose the SHA authentication algorithm and the DES privacy algorithm, and set the corresponding passwords. Click Create.
Figure 6-6 Notification Configuration

6) Click Save Config to save the settings.

Enabling Bandwidth-control Trap

The feature can be configured only with the CLI. Enter the following commands in CLI configuration mode:

    Switch>enable                                         Enter privileged EXEC mode.
    Switch#config                                         Enter global configuration mode.
    Switch(config)#snmp-server traps bandwidth-control    trap.
Figure 6-8 Configuring Entry 2

2) Choose the menu SNMP > RMON > History to load the following page. Configure entries 1 and 2. Bind entries 1 and 2 to ports 1/0/1 and 1/0/2 respectively, and set the Interval as 100 seconds, Max Buckets as 50, the owner of the entries as monitor, and the status as Enable.

Figure 6-9 History Configuration

3) Choose the menu SNMP > RMON > Event to load the following page. Configure entries 1 and 2.
Figure 6-10 Event Configuration

4) Choose SNMP > RMON > Alarm to load the following page. Configure entries 1 and 2.
Configuring SNMP

1) Enable SNMP and specify the remote engine ID.

    Switch#configure
    Switch(config)#snmp-server
    Switch(config)#snmp-server engineID remote 123456789a

2) Create a view with the name View; set the MIB Object ID as 1 (which represents all functions) and the view type as Include.

    Switch(config)#snmp-server view View 1 include

3) Create an SNMPv3 group with the name nms-monitor.
    Switch(config)#rmon history 2 interface ten-gigabitEthernet 1/0/2 interval 100 owner monitor buckets 50

3) Create two event entries with the user name admin, which is the SNMP user name. Set entry 1 as the Notify type with the description "rising notify". Set entry 2 as the Log type with the description "falling log". Set the owner of both entries as monitor.
    0 Too big errors(Maximum packet size 1500)
    0 No such name errors
    0 Bad value errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs

Verify the SNMP engine ID:

    Switch(config)#show snmp-server engineID
    Local engine ID : 80002e5703000aeb132397
    Remote engine ID: 123456789a

Verify the SNMP view configurations:

    Switch(config)#show snmp-server view
    No.  View Name    Type     MOID
    ---  -----------  -------  -------------------
    1    viewDefault  include  1
    2    viewDefault  exclude  1.3.6.
    1    admin  remote  nms-monitor  v3  authPriv  SHA  DES

Verify the SNMP host configurations:

    Switch(config)#show snmp-server host
    No.  Des-IP  UDP  Name  SecMode  SecLev  Type  Retry  Timeout
    ---  ------  ---  ----  -------  ------  ----  -----  -------
    1    admin  authPriv  100  172.168.1.
Verify the RMON alarm configurations:

    Switch(config)#show rmon alarm
    Index-State: 1-Enabled
    Statistics index: 1
    Alarm variable: BPkt
    Sample Type: Absolute
    RHold-REvent: 3000-1
    FHold-FEvent: 2000-2
    Alarm startup: All
    Interval: 10
    Owner: monitor

    Index-State: 2-Enabled
    Statistics index: 2
    Alarm variable: BPkt
    Sample Type: Absolute
    RHold-REvent: 3000-1
    FHold-FEvent: 2000-2
    Alarm startup: All
    Interval: 10
    Owner: monitor
7 Appendix: Default Parameters

Default settings of SNMP are listed in the following table.
Table 7-5 Default User Settings

    Parameter         Default Setting
    User Name         None
    User Type         Local User
    Group Name        None
    Security Model    v1
    Security Level    noAuthNoPriv
    Auth Mode         None
    Auth Password     None
    Privacy Mode      None
    Privacy Password  None

Table 7-6 Default Community Settings

    Parameter       Default Setting
    Community Name  None
    Access          read-only
    MIB View        viewDefault

Default settings of Notification are listed in the following table.
Table 7-8 Default Statistics Config Settings

    Parameter  Default Setting
    ID         None
    Port       None
    Owner      None
    IP Mode    valid

Table 7-9 Default Settings for History Entries

    Parameter    Default Setting
    Port         1/0/1
    Interval     1800 seconds
    Max Buckets  50
    Owner        monitor
    Status       Disable

Table 7-10 Default Settings for Event Entries

    Parameter    Default Setting
    User         public
    Description  None
    Type         None
    Owner        monitor
    Status       Disable

Table 7-11 D
    Parameter  Default Setting
    Status     Disable