L3POE-XGS4804-400 - Network switch AIRLIVE - Free user manual and instructions

USER MANUAL L3POE-XGS4804-400 AIRLIVE

24-Gigabit PoE Port + 4-10G SFP+ Port

L3-XGS2404

24-Gigabit Port + 4-10G SFP+ Port

L3POE-XGS4804

48-Gigabit PoE Port + 4-10G SFP+ Port

L3-XGS4804

48-Gigabit Port + 4-10G SFP+ Port

L3-XGF28

24-Gigabit Port SFP + 8-Gigabit Port RJ-45 (Combo) + 4-10G SFP+ Port

L3-10XGF12

12-10Gigabit Port SFP +

Web Manual

airlive®

Ver. 1.2

Revision history

Contents

L3POE-XGS2404....1

24-Gigabit PoE Port + 4-10G SFP+ Port 1

L3-XGS2404 1

24-Gigabit Port + 4-10G SFP+ Port 1

L3POE-XGS4804....1

48-Gigabit PoE Port + 4-10G SFP+ Port 1

L3-XGS4804 1

48-Gigabit Port + 4-10G SFP+ Port 1

L3-XGF28 1

24-Gigabit Port SFP + 8-Gigabit Port RJ-45 (Combo) + 4-10G SFP+ Port.....1

L3-10XGF12....1

12-10Gigabit Port SFP + 1

Web Manual 1

Ver. 1.2....1

Contents 3

1 Foreword....10

1.1 Target Audience....10

1.2 Manual Convention....10

2 Web Page Login....11

2.1 Log in the Network Management Client....11

2.2 Constitution of Client Interface 12

2.3 Navigation Bar on Web Interface....12

3 Status....18

3.1 System Information....18

3.2 Statistics....19

3.3 MAC Address Table....20

3.4 Reboot....21

3.5 Management IP Address....21

4 Network....22

4.1 DNS 22

4.2 System Time 23

5 Port....25

5.1 Port Setting 25

5.2 Error Disabled....26

5.3 Link Aggregation....27

5.3.1 Group....28

5.3.2 Port Setting 30

5.3.3 LACP 30

5.4 EEE 33

5.5 Jumbo Frame....34

5.6 Port Security ...... 34

5.7 Protected Port 35

5.8 Storm Control....36

5.9 Mirroring....38

6 POE Setting....40

6.1 PoE Port Setting 40

6.2 POE Port Timer Setting 41

6.3 POE Port Timer Reboot Setting....41

7 VLAN 43

7.1 VLAN....44

7.1.1 Create VLAN 44

7.1.2 VLAN Configuration....45

7.1.3 Membership....46

7.1.4 Port Setting....47

7.2 Voice VLAN 49

7.3 Protocol VLAN 54

7.4 MAC VLAN 58

7.5 Surveillance VLAN....61

7.6 GVRP 63

7.6.1 Property....64

7.6.2 Membership....65

7.6.3 Statistics 66

8 MAC Address Table....66

8.1 Dynamic Address....67
8.2 Static Address....68
8.3 Filtering Address 69
8.4 Port Security Address....70

9 Spanning Tree....71

9.1 Property 71
9.2 Port Setting....73
9.3 MST Instance....74
9.4 MST Port Setting....76
9.5 Statistics 80

10 Discovery....80

10.1 LLDP 81
10.2 Port Setting....82
10.3 MED Network Policy....84
10.4 MED Port Setting 85
10.5 Packet View 87
10.6 Local Information....87
10.7 Neighbor....88
10.8 Statistics....88

11 DHCP 89

11.1 Property....92
11.2 IP Pool Setting....93
11.3 VLAN IF Address Group Setting 94
11.4 Client List....94
11.5 Client Static Binding Table....95

12 Multicast....95

12.1 General....95
12.1.1 Property....95
12.1.2 Group Address 96
12.1.3 Router Port 97
12.1.4 Forward All....98

12.1.5 Throttling....98

12.1.6 Filtering Profile 99

12.2 IGMP Snooping....100

12.2.1 Property....100

12.2.2 Querier....102

12.2.3 Statistics....102

12.3 MLD Snooping .... 103

12.3.1 Property....104

12.3.2 Statistics....106

12.4 MVR....106

12.4.1 Property....107

12.4.2 Port Setting....108

12.4.3 Group Address....109

13 Routing....110

13.1 IPv4 Management and Interfaces....110

13.1.1 IPv4 Interface 110

13.1.2 IPv4 Routes....111

13.1.3 ARP....112

13.2 IPv6 Management and Interfaces ....113

13.2.1 IPv6 Interface 113

13.2.2 IPv6 Address....115

13.2.3 IPv6 Routes....115

13.2.4 Neighbors....116

13.3 Rip Routes Management ....117

13.4 Ospf Routes Management ....119

14 Security....121

14.1 RADIUS....121

14.2 TACACS+....122

14.3 AAA....124

14.3.1 Method List....124

14.3.2 Login Authentication....125

14.4 Management Access....125

14.4.1 Management Service....125

14.4.2 Management ACL....127

14.5 Authentication Manager....130

14.5.1 Property....130

14.5.2 Port Setting....132

14.5.3 MAC-Based Local Account 133

14.5.4 WEB-Based Local Account....133

14.5.5 Sessions....134

14.6 DoS....134

14.6.1 Property....134

14.6.2 Port Setting....135

14.7 Dynamic ARP Inspection....136

14.7.1 Property....136

14.7.2 Statistics....137

14.8 DHCP Snooping....137

14.8.1 Property 138

14.8.2 Statistics....140

14.8.3 Option82 Property 140

14.9 IP Source Guard....146

14.9.1 Port Setting....146

14.9.2 IMPV Binding 147

15 ACL....149

15.1 MAC ACL....150

15.2 IPv4 ACL....152

15.3 IPv6 ACL....154

15.4 ACL Binding....157

16 QoS 158

16.1 General....160

16.1.1 Property....160

16.1.2 Queue Scheduling....161

16.1.3 CoS Mapping....162

17.4 Copper Test....171

17.5 Fiber Module....171

17.6 UDLD 171

17.6.1 Property....172

17.6.2 Neighbor....173

18 Management....174

18.1 User Account....174

18.2 Firmware....174

18.3 Configuration....175

18.3.1 Upgrade....175

18.3.2 Save Configuration....176

18.4 SNMP....177

18.4.1 View....178

18.4.2 Group....179

18.4.3 Community....180

18.4.4 User....181

18.4.5 Engine ID 182

18.4.6 Trap Event....183

18.4.7 Notification....183

18.5 RMON 184

18.5.1 Statistics....185

18.5.2 History....186

18.5.3 Event....187

18.5.4 Alarm....189

1 Foreword

1.1 Target Audience

This manual is prepared for the installers and system administrators who are responsible for network installation, configuration and maintenance. It assumes that the user has understood all network communication and management protocols, as well as the technical terms, theoretical principles, practical skills, and expertise of devices, protocols and interfaces related to networking. Work experience in Graphical User Interface (GUI), Command-line Interface, Simple Network Management Protocol (SNMP) and Web Explorer is also required.

**This manual has been made with the images and layout of the L3POE-XGS2404 Switch. Note that the models L3-XGS2404, L3-XGS4804, L3-XGF28 and L3-10XGF12 do not have PoE. For these models chapter 6 and all other PoE functions are irrelevant.**

**Note model L3POE-XGS4804 Supports 802.3bt Max 90W PoE++ on ports 1\~8.**

1.2 Manual Convention

The following approaches should prevail.

GUI Convention		Description
Interpretation		Describe operations and add necessary information.
	Caution	Remind the user of cautions as improper operations will result in data loss or equipment damage.

2 Web Page Login

2.1 Log in the Network Management Client

Type in the default switch address: http://192.168.2.1 and press "Enter".

Description:
Browser standards: superior to IE 9.0, Chrome 23.0 and Firefox 20.0

Keep the IP network segment of PC consistent with that of switch but differentiate the IP address as you log in. Set PC's IP address of 192.168.2.x and the subnet mask of 255.255.255.0 for the first login (1 < x ≤ 254).

A login window appears as follows. Type in the default username of "admin" and the password of "admin". Click the "Log in" to see the switch system.

2.2 Constitution of Client Interface

The typical operation interface of Web network management system is as follows.

2.3 Navigation Bar on Web Interface

Menu items such as State, Network, Port, PoE Setting, VLAN, MAC Address Table, Spanning Tree, Discovery, DHCP, Multicast, Routing, Security, ACL, QoS, Diagnostics and Management are available on the web network management client. Each item contains submenus. Navigation bar is detailed as follows:

3 Status

3.1 System Information

According to the switch connected, web network management panel directly displays the port and product info, incl.: number of ports, port states, product info, device states, function on-off states, etc.

Instructions:

1. Click the "Status > System Information" in the navigation bar as follows:

Description:

Mouseover a port to check the port No., type, rate and state. "Edit" the "System Name", "Location" and "Contact" in the product info. "Apply" and finish.

3.2 Statistics

Introduce the detailed flow statistics at a port and the info to be refreshed or cleared manually by users.

1. Click the "Status > Port > Statistics" in the navigation bar as follows:

Description:

"Clear" the flow statistics at the current port and refresh the page.

3.3 MAC Address Table

View MAC address table information

Instructions:

1. Click the "Status > MAC Address Table" in the navigation bar as follows:

MAC Address Table

Interface data are as follows.

3.4 Reboot

1. Click the "Reboot" on the upper right as guided as follows.

3.5 Management IP Address

Change the management IP address on web interface. Instructions:

1. Click the "Routing > IPv4 Management and Interfaces > IPv4 Interface" in the navigation bar to discover IPv4 address of 192.168.2.1/24 by default as follows:

IPv4 Interface Table

4 Network

4.1 DNS

DNS is short for Domain Name System to name computers and network services from units to domain hierarchies. A domain name consists of the dots separated by a series of words or abbreviations, each corresponding to a unique IP address. DNS is the server on the Internet that resolves domain names. Applicable to Internet and other TCP/IP networks, DNS name retrieves computers and services through user-friendly names. As one of the core Internet services, DNS is a distributed database that maps domain names and IP addresses mutually.

Instructions:

1. Click on the "Network > DNS" in the navigation bar as follows.

DNS Configuration

DNS Server Configuration

Interface data are as follows.

1. "Add" to configure DNS server.

Add DNS Server

1. "Apply" and finish as follows.

DNS Server Configuration

4.2 System Time

It is mainly used to configure the system time, and select the time source, daylight-saving time, etc.

Instructions

1. Click on the "Network > System Time" in the navigation bar as follows.

Apply

Interface data are as follows.

5 Port

5.1 Port Setting

Interfaces should be identified so that users can inquire and configure Ethernet interfaces as they want.

Instructions:

1. Click the "Port > Port Setting" in the navigation bar:

Port Setting Table

1. Select the port(s) to be configured, and "Edit" as follows:

Edit Port Setting

Interface data are as follows

5.2 Error Disabled

In general, if the software of the switch detects some errors in the port, the port will be closed immediately. In other words, when the operating system of the switch detects some error events on the switch port, the switch will automatically close the port Instructions:

1. Click the "Port > Error Disabled" in the navigation bar to enable or disable configuration as follows:

Apply

5.3 Link Aggregation

Link Aggregation broadens bandwidth and reliability by bundling a group of physical interfaces into a single logical interface.

LAG (Link Aggregation Group) is a logical link bundled by multiple Ethernet links (Eth-Trunk).

Ceaselessly expanding network size increases users' demands of link bandwidth and reliability. Traditionally, high-speed interface board or the compatible equipment is usually replaced to optimize bandwidth, which is expensive and inflexible.

Link Aggregation Technology bundles multiple physical interfaces into a single logical interface without upgrading hardware. Its backup mechanism not only improves reliability, but also shares the flow load on different physical links.

As shown below, Switch A is linked with Switch B through three Ethernet links which are bundled into an Eth-Trunk logical link. Its bandwidth equals to that of the three links in total, thus broadening the bandwidth. Meanwhile, these three links back up mutually to be more reliable.

graph TD
    A["VLAN10"] -->|ge1/4| B["SwitchA"]
    B -->|ge1/1| C["SwitchB"]
    C -->|ge1/1| A
    B -->|ge1/2| C
    B -->|ge1/3| C
    D["VLAN20"] -->|ge1/5| B
    E["VLAN10"] -->|ge1/4| C
    F["VLAN20"] -->|ge1/5| C
    G["Eth-Trunk"] -->|ge1/2| C
    G -->|ge1/3| B

Link Aggregation can meet the following demands:

● Insufficient bandwidth of two switches connected with one link.

● Insufficient reliability of two switches connected with one link.

Link Aggregation can be divided into Manual Mode and LACP Mode in accordance with Link Aggregation Control Protocol (LACP) state.

In the first mode, Eth-Trunk establishment, member interface access should be added manually without LACP. It is also called the Load-sharing Mode because all links are involved in data forwarding and load sharing. In case any active link fails, LAG will average load with the remaining ones. This mode is preferred under the circumstance

that two directly connected devices require a larger link bandwidth but has no access to LACP.

5.3.1 Group

Instructions for adding a Static Link Aggregation:

1. Click the "Port > Link Aggregation > Group", select a load-balancing algorithm with a radio button. "Apply" and finish as follows:

Apply

Link Aggregation Table

Edit

1. Select one of 8 LAGs available, "Edit" the configuration page as follows:

Edit Link Aggregation Group

Apply

Close

Interface data are as follows

Illustration:

As shown below, Switch A and Switch B connect VLAN 10 and 20 via Ethernet respectively, with large data flow between them.

Both Switch A and B are expected to provide superior link bandwidth for VLAN communication. Meanwhile, there should be the redundancy for reliable data transmission and links.

Networking diagram LAG in manual mode

graph TD
    A["VLAN10"] -->|ge1/4| B["SwitchA"]
    B -->|ge1/1| C["SwitchB"]
    C -->|ge1/1| A
    B -->|ge1/2| C
    B -->|ge1/3| C
    D["VLAN20"] -->|ge1/5| B
    E["VLAN10"] -->|ge1/4| C
    F["VLAN20"] -->|ge1/5| C
    G["Eth-Trunk"] -->|ge1/2| C
    G -->|ge1/3| B

Instructions:

1. Create the ETH trunk interface in SwitchA and add a member interface to increase the link bandwidth. The configuration of SwitchB is like that of SwitchA. Click the "Port > Link Aggregation > Group", choose "LAG 1" and port GE1, 2 and 3 and move them to the selected ports on the right. "Apply" and finish as follows.

Link Aggregation Table

5.3.2 Port Setting

Attribute configuration of aggregation group member port

1. Click the "Port > Link Aggregation > Port Setting", to enter the attribute configuration interface of aggregation group member port as follows:

Port Setting Table

Edit

5.3.3 LACP

LACP (Link Aggregation Control Protocol), based on IEEE 802.3ad Standard, dynamically aggregates and disaggregates links. It exchanges info with the opposite network devices through LACPDU (Link Aggregation Control Protocol Data Unit). After a port uses LACP, it will inform the opposite network device of system priority, system MAC, port priority and No., and operation Key by transmitting a LACPDU. The opposite device will compare such info with that saved by other ports after receiving it, thus reaching an agreement on port participation in or quitting from a dynamic aggregation.

Dynamic LACP aggregation is automatically created or deleted by system, that is, internal ports can be added or removed by themselves. Only the ports connected to a same device with the same rate, duplex, and basic configuration can be aggregated. Instructions for adding a dynamic link aggregation:

1. Click the "Port > Link Aggregation > Group" in the navigation bar, select the LAG ID and LACP mode, "Edit" them as follows:

Edit Link Aggregation Group

1. Click the "Port >Link Aggregation > LACP" in the navigation bar to configure the LACP attributes such as system priority, port priority and timeout method as follows:

LACP Port Setting Table

Interface data are as follows

Description:

Please make sure there is no member interface accessing the Eth-Trunk before changing its work pattern, otherwise it fails.

Work pattern of the local network devices should be consistent with that of the opposite network devices.

Illustration

Ethernet Switch A aggregates 3 ports from GE1 to GE3 to Switch B, in order to share the load by each member port.

The following configurations are exampled by means of dynamic aggregation.

graph TD
    A["Switch A"] -->|Link aggregation| B["Switch B"]
    style A fill:#f9f,stroke:#333
    style B fill:#bbf,stroke:#333

Description:

The following is the configuration of Switch A only, which should stay the same with that of Switch B for port aggregation.

Instructions:

1. Click the "Port > Link Aggregation > Group" in the navigation bar, "Edit" with LAG 2, select GE1-GE3 in LACP mode. "Apply" and finish as follows:

Edit Link Aggregation Group

5.4 EEE

Port power will be turned down in case of zero or less flow Instructions:

1. Click the "Port > EEE" in the navigation bar, select the port and "Edit" to enter the configuration interface as follows:

EEE Setting Table

Edit EEE Setting

1. Set the port enable tag and "Apply" to complete the configuration as follows:

EEE Setting Table

5.5 Jumbo Frame

Set the MTU (Maximum Transmission Unit) of the port

Instructions:

1. Click the "Port > Jumbo Frame" in the navigation bar, enter Jumbo Frame configuration interface as follows:

5.6 Port Security

The port security feature records the Ethernet MAC address connected to the switch port through the MAC address table, and only one MAC address can communicate through this port. When packets sent by other MAC addresses pass through this port, port security features prevent it. Using port security features can prevent unauthorized devices from accessing the network and enhance security. In addition, port security features can also be used to prevent MAC address table from filling up due to MAC address flooding

Instructions:

1. Click the "Port > Port Security" in the navigation bar, enter port security configuration interface as follows:

1. Click the "Port > Port Security" in the navigation bar, select the port and "Edit" to enter the port level configuration interface as follows:

Port Security Table

Edit Port Security

5.7 Protected Port

Messages of broadcast, multicast, etc. will flood at each port even though the flow needs no mutual communication sometimes. Under this circumstance, port isolation can separate the messages between two ports.

Instructions:

1. Click the "Port > Protected Port" in the navigation bar, check the port(s) to be isolated, "Edit" to switch this function as follows:

Protected Port Table

Edit Protected Port

Instructions for achieve port isolation:

1. Click the "Port > Protected Port" in the navigation bar, check and "Edit" the GE1, 2 and 3 to be isolated. "Apply" and finish as follows:

Protected Port Table

1. GE1, 2 and 3 fail to communicate mutually like other non-isolated ports.

5.8 Storm Control

Storms generated via broadcast, unknown multicast and unicast messages are prevented as follows. These messages will be suppressed subject to packet rates respectively. The average rate of the messages received by monitoring interfaces will be compared with the max threshold configured during an inspection interval. Configured storm policing will be performed at this interface if the average rate exceeds the max

threshold.

When a L2 Ethernet interface receives the broadcast, unknown multicast or unicast messages, the device will forward them to other L2 interfaces in a same VLAN (Virtual Local Area Network) if the egress interface cannot be recognized according to destination MAC addresses. As a result, broadcast storm may occur to degrade device operation performance.

Three kinds of message flow can be controlled by storm policing characteristics to stay away from broadcast storms.

Instructions:

1. Click the "Port > Storm Control" in the navigation bar to configure the attributes related to storm policing such as mode as follows:

1. Select the appropriate port and "Edit" it by configuring the policing rates of broadcast, unknown multicast and unicast storms at each port.

Port Setting Table

1. Configure info such as storm switch and rate, "Apply" and finish as follows:

Edit Port Setting

5.9 Mirroring

Port Mirroring copies the message of a specified switch port to the destination port. The copied port is the Source Port, and the copying port is the Destination Port. Destination Port accesses to data inspection devices so that users can analyze the messages received to monitor network and troubleshoot as follows:

graph TD
    A["Network"] --> B["Mirror Source Port"]
    B --> C["PC"]
    B --> D["Mirroring Destination Port"]
    D --> E["Data Monitoring Device"]

Instance

PC1 and PC2 access Switch A through interface GE1 and GE2 respectively.

Users intend to monitor the messages transmitted from PC2 to PC1.

Instructions:

1. Click the "Port > Mirroring" in the navigation bar. 4 sets of flow mirroring rules can be configured as follows:

Mirroring Table

Edit

“*” Allow the monitor port to send or receive normal packets

1. Select one session and "Edit" it in the mirroring group configuration interface:

Edit Mirroring

Apply

Close

Interface data are as follows

6 POE Setting

PoE (Power over Ethernet) transmits data signal for the terminals based on IP (e.g. IP phone, WAP, and IP camera) and supplies the devices with direct current, without changing the existing Cat-5 network cabling status. It ensures safe structured cabling and normal network operation to minimize the cost.

6.1 PoE Port Setting

Instructions:

1. Click the "POE Setting > POE Port Setting" in the navigation bar as follows:

System info

Port Setting Table

1. Select the ports to be configured, and "Edit" as follows:

Edit Port Setting

Interface data are as follows

6.2 POE Port Timer Setting

Instructions:

1. Click the "POE Setting > POE Port Timer Setting", select the power supply time of Poe schedule. "Apply" and finish as follows

6.3 POE Port Timer Reboot Setting

By setting, the power supply can be restarted periodically based on the port.

Instructions:

1. Click the "POE Setting > POE Port Timer Reboot Setting" in the navigation bar as

follows:

Port Setting Table

Q

1. Select the port and "Edit" to enter the configuration interface

Reboot Timer Edit Port Setting

Interface data are as follows

Note:

● To use this function, you need to set the system time synchronization
● The minimum granularity time of Poe port restart is minutes
- When the restart time is set, the delay time needs to be set
- When the delay time is 00:00:00, it means that the port is no longer powered on

7 VLAN

VLAN is formulated not restricted to physical locations, which means the hosts in a same VLAN can be placed at will. As shown below, each VLAN, as a broadcast domain, divides a physical LAN into logical LANs. Hosts can exchange messages by means of traditional communication. For the hosts in different VLANs, the device such as router or L3 switch is a must.

graph TD
    A["Router"] --> B["Switch"]
    A --> C["Switch"]
    B --> D["VLAN A"]
    B --> E["VLANB"]
    C --> F["VLAN A"]
    C --> G["VLANB"]
    D <--> H["VLAN A"]
    E <--> I["VLAN B"]
    F <--> J["VLAN B"]
    G <--> K["VLAN B"]

VLAN is superior to the traditional Ethernet in terms of:

- Broadcast domain coverage: the broadcast message in a LAN is limited in a VLAN to save the bandwidth and handle the network-related issues more efficiently.

● LAN security: VLAN hosts fail to communicate with each other since the messages are separated by the broadcast domain in the data link layer. They need a router on a Layer 3 switch for Layer 3 forwarding.

- Flexibility of creating a virtual working team: VLAN can create a virtual working team beyond the control of physical network. Users have access to the network without changing the configuration if their physical locations are moving within the scope. This management switch is compatible with VLAN types based on 802.1Q, protocols, MAC, and ports. For default configuration, 802.1Q VLAN mode should be adopted. Port VLAN is divided subject to a switch's interface No. Network administrator gives each switch interface a different PVID, namely a port default VLAN. If a data frame without a VLAN tag flows into a switch interface with a PVID, it will be marked with the same PVID, or it will get rid of an additional tag even though the interface has a PVID.

- The solution to a VLAN frame depends on the interface type, which eases member definition but re-configures VLAN in case of member mobility.

7.1 VLAN

7.1.1 Create VLAN

Instructions for creating a new VLAN:

1. Click the "VLAN > VLAN > Create VLAN" to select a name in the valid VLAN box, move it to the VLAN creating box on the right (up to 256 VLANs can be created). "Apply" and finish as follows:

VLAN Table

1. The VLAN created will be displayed in the VLAN Table. Users can "Edit" the VLAN as follows:

Edit VLAN Name

Interface data are as follows.

7.1.2 VLAN Configuration

There are two methods. One is to add multiple ports under a single VLAN. The other is to add a port to multiple VLANs. They are configured according to different purposes.

Instructions for the first method to add the current port to a specified VLAN

1. Click the "VLAN > VLAN > VLAN Configuration" in the navigation bar, select the VLAN ID on the upper left, and then click the port info as follows:

VLAN Configuration Table

VLAN default ▼

Interface data are as follows.

7.1.3 Membership

Instructions for the second method to add the current port to a specified VLAN

1. Click the "VLAN > VLAN > Membership" in the navigation bar, select the port to be configured and "Edit" to configure its attributes:

Membership Table

Edit Port Setting

Interface data are as follows.

7.1.4 Port Setting

Trunk configuration. Connected with other switches, Trunk interfaces mainly connect trunk links to allow the VLAN frames to flow through. IEEE 802.1q is the encapsulation protocol of Trunk link and considers the formal standard for Virtual Bridged Local Area Networks. It changes the frame format of Ethernet by adding a 4-bit 802.1q Tag between the source MAC address field and the protocol field.

802.1q frame format

Meanings of 802.1q tag fields

Packets sent by each switch supporting 802.1q protocol contain a VLAN ID to indicate the VLAN to which the switch belongs. Therefore, Ethernet frames are divided into two types as follows in a VLAN switching network:

• Tagged frame: it refers to the frame adding a 4-bit 802.1q Tag.
• Untagged frame: it refers to the original frame without a 4-bit 802.1q Tag.

Connected with other switches, Trunk interfaces mainly connect trunk links to allow the VLAN frames to flow through.

Instructions for trunk interface configuration:

1. Click the "VLAN > VLAN > Port Setting" in the navigation bar, select the port and "Edit" it to configure the attributes:

Port Setting Table

Edit Port Setting

Interface data are as follows.

7.2 Voice VLAN

Traditionally, ACL (Access Control List) will be applied to distinguish Voice Data and QoS (Quality of Service) will be used to ensure transmission quality, thus enhancing the priority. In order to simplify user configuration and facilitate voice flow management, Voice VLAN emerges. Enabled interface judges whether it is Voice Data flow or not according to the source MAC address field accessing the interface data flow. The message in the source MAC address is the Voice Data flow, which confirms to the OUI (Organizationally Unique Identifier) of the voice devices that are configured by the system. The interfaces receiving Voice Data flow will automatically transmit to Voice VLAN, thus simplifying user configuration and Voice Data management.

OUI of Voice VLAN

OUI represents a MAC address field. Its address can be calculated based on the 48-bit MAC address and the corresponding bit of mask. The number of bits of ingress MAC address and matching OUI is determined by the length of the all "1"-bit in the mask. For example, if the MAC address is 1-1-1 and the mask is FFFF-FF00-0000, the result of execution and calculation of MAC address and corresponding mask, namely OUI, will be 0001-0000-0000.

If the first 24 bits of the ingress MAC address are matched with those of OUI, the enabled Voice VLAN interface identifies the data flow and the ingress device as the Voice Data flow and voice device respectively.

Voice VLAN is divided for user Voice Data flow. Voice VLANs are created to connect the interfaces linked with voice devices to transmit the Voice Data inside in a centralized way.

Voice Data and non-Voice Data often exist in the same network. Voice Data needs a higher priority than other business data during transmission to reduce the possible delay and packet loss.

1. Click the "VLAN > Voice VLAN > Property" in the navigation bar as follows.

Apply

Interface data are as follows.

Port Setting Table

Q

Edit Port Setting

Apply

Close

Interface data are as follows.

1. Click the "VLAN > Voice VLAN > Voice OUI" in the navigation bar to configure the address segment of OUI of Voice VLAN as follows:

Voice OUI Table

Add Voice OUI

1. Fill in corresponding configuration items.
2. "Apply" and finish as follows.

Voice OUI Table

For example, configure the Voice VLAN in manual mode so that the ports accessing IP telephony can ingress/egress the Voice VLAN and transmit voice flow within it. Create VLAN2 to operate Voice VLAN securely, which allows only Voice Data to flow through. IP telephony transmits Untagged voice flow to GE1, the ingress Trunk port. Users must customize an OUI (0011-2231-05e1) and configure the Voice VLAN networking diagram in automatic mode.

graph TD
    A["Device A"] -->|VLAN2| B["Internet"]
    C["010-1001\nOUI:0011-2200-0000\nMask:ffff-ff00-0000"] --> A
    D["Device B"] --> E["Internet"]
    E --> F["Device B"]

Instructions:

1. Create a VLAN to recognize the VLANs where employees belong. Click the "VLAN > VLAN > Create VLAN" in the navigation bar to add VLAN 2 to the VLAN list on the right. "Apply" and finish:

VLAN Table

1. Configure the Ethernet interface GE1 of Switch A in Hybrid mode. Click the "VLAN > VLAN > Port Setting" in the navigation bar, "Edit" GE1 in Hybrid mode:

Port Setting Table

1. Click the "VLAN > Voice VLAN > Voice OUI" in the navigation bar to configure and add the range of OUI MAC address, and enter the first 24 bits of MAC address of voice device: 00:11:22. "Apply" and finish as follows:

Voice OUI Table

1. Enable the Voice VLAN of port GE1. Click the "VLAN > Voice VLAN > Property" in the navigation bar to enable the global configuration, select VLAN2. Select port GE1 in the configuration list, "Edit" and enable the auto mode. "Apply" and finish as follows:

Port Setting Table

Note:

- With the auto mode enabled, ports will forward Voice VLAN messages even though there is no port in VLAN2.

7.3 Protocol VLAN

Protocol VLAN distributes different VLAN IDs according to the protocol (family) type and encapsulation format of the messages received by the interfaces.

Administrators should prepare the mapping scheme between the protocol domain of Ethernet frame and VLAN ID which will be added if untagged frames are received. Strength: Such division method will enhance the management and maintenance by binding the network services and VLANs. Shortcomings: Initial configuration of the mapping relation scheme is necessary. Address formats of protocols should be analyzed and converted, thus leading to a lower speed due to many resources consumed. Instructions:

1. Click the "VLAN > Protocol VLAN > Protocol Group" in the navigation bar as follows:

Protocol Group Table

Add Protocol Group

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish.

Protocol Group Table

1. Click the "VLAN > Protocol VLAN > Group Binding" in the navigation bar to bind the protocol No., port No. and VLAN ID, to bring the configuration into effect as follows:

Group Binding Table

Description:

Configure the matching protocols IPv4 and IPv6, as well as the ARP protocol.

For example, PC1 and 3 can access mutually, with IPv4 communication protocol binding with VLAN10. PC2 and 4 can access mutually, with IPv6 communication protocol binding with VLAN20.

Networking diagram of protocol VLAN division

graph TD
    PC3["PC3\nIPV4\nVLAN10"] -->|ge1/2| SwitchB["SwitchB"]
    SwitchB -->|ge1/3| PC4["PC4\nIPV6\nVLAN20"]
    SwitchB -->|ge1/1| PC1["PC1\nIPV4\nVLAN10"]
    SwitchB -->|ge1/1| SwitchA["SwitchA"]
    SwitchA -->|ge1/3| PC2["PC2\nIPV6\nVLAN20"]

Instructions:

1. Create a VLAN to recognize the VLANs where employees belong. Click the "VLAN > VLAN > Create VLAN", add the VLAN10 and 20 to the VLAN Creating List on the right, "Apply" and finish:

Apply

VLAN Table

1. Configure GE2 and GE3 interfaces of Switch A in Hybrid mode. Click the "VLAN > VLAN > Port Setting", "Edit" the interfaces in Hybrid mode:

Port Setting Table

1. Add the Untagged GE2 and GE3 to VLAN10 and VLAN20 respectively. Click the "VLAN > VLAN > VLAN Configuration", drop down the list to choose VLAN10 and the Untagged GE2 port. Following the same steps, add the untagged GE3 to VLAN20 as follows:

VLAN Configuration Table

VLAN VLAN0010

VLAN Configuration Table

VLAN VLAN0020

1. Add the Untagged GE2 and GE3 interfaces of Switch B to VLAN whose ports need links. Steps are like step 2 and 3.
2. Add the Tagged GE1 interface of Switch A to VLAN10 and 20. Click the "VLAN > VLAN > VLAN Configuration", drop down the list to select VLAN10 and the Tagged member of GE1. Configure VLAN20 similarly.

VLAN Configuration Table

VLAN VLAN0010

VLAN Configuration Table

VLAN VLAN0020

1. Related protocol and VLAN. VLAN IDs are assigned according to the protocol (family) type and encapsulation format of the messages received by interfaces. Click the "VLAN > Protocol VLAN > Protocol Group" in the navigation bar to add 2 rules for

protocol groups:

Protocol Group Table

1. Port, protocol group, and VLAN binding. Click the "VLAN > Protocol Group > Group Binding", "Add" to bind GE2 and binding group ID1 with VLAN10, and to bind GE3 and binding group ID2 with VLAN20:

Group Binding Table

7.4 MAC VLAN

MAC-based VLANs are divided subject to the MAC addresses in the network card. Administrators will prepare the mapping scheme between MAC address and VLAN ID which will be added if the switch receives untagged frames.

Strength: There is no need to re-configure VLAN when the physical location of a terminal user changes, which ensures user security and access flexibility. Shortcoming: It applies to the scene where network card and simple network environment are infrequently replaced, with members defined in advance.

Instructions:

1. Click the "VLAN > MAC VLAN > MAC Group" in the navigation bar, and "Add" a new MAC group as follows:

MAC Group Table

Interface data are as follows.

For example, a company with high info security requirements allows its PCs only to access the internal network. As is shown, switch GE1 connects the uplink ports of Switch A while its downstream ports connect PC1, 2 and 3. As a result, PC1, 2 and 3 can access the internal network through Switch A and Switch, while other PCs can't.

Configuration logic: following steps are used to divide the VLAN based on MAC address.

1. Create a relevant VLAN.
2. Add Ethernet interfaces to the VLAN in a correct way.
3. Connect the VLAN with the MAC addresses of PC1, 2 and 3.

Data preparation: following data should be prepared for the configuration instance:

• Set GE1 PVID of 100 on the switch.
• Set GE1 to access VLAN10 in the Untagged way on the switch.
• Set GE2 to access VLAN10 in the Tagged way on the switch.
• Set the Switch A interface by default, namely all interfaces will be added to VLAN1 in an Untagged way.
• Connect the MAC addresses of PC1, 2 and 3 with VLAN10.

Draw a networking diagram for VLAN division based on MAC addresses: Instructions:

1. Create a VLAN to recognize the VLANs where employees belong. Click the "VLAN > VLAN > Create VLAN" in the navigation bar, add VLAN10 to the VLAN Creating List on the right, "Apply" and finish as follows:

VLAN Table

Showing All ▼ entries

Showing 1 to 3 of 3 entries

1. Configure Switch's GE1 in Hybrid mode with PVID of 100 to serve as an Untagged member of VLAN10. Configure GE2 in Trunk mode to serve as a Tagged member of VLAN10.

Port Setting Table

Membership Table

1. Configure the Switch A's interfaces by default, namely all interfaces access VLAN1 in an Untagged way. Connect the MAC addresses of PC1, 2 and 3 with VLAN10. Click the "VLAN > MAC VLAN > MAC Group" in the navigation bar, enter the MAC addresses of PC1 (0022-0022-0022), PC2 (0033-0033-0033) and PC3 (0044-0044-0044), with the mask of 48-bit exact match as follows:

MAC Group Table

1. Click the "VLAN > MAC VLAN > Group Binding" in the navigation bar, "Add" to select the Hybrid port only, MAC group ID to be bound, and specified VLAN ID. "Apply" and finish:

MAC Group Table

5. Configuration verification

Only PC1, 2 and 3 have access to the internal network.

7.5 Surveillance VLAN

Surveillance VLAN is mainly used for video stream packets. In order to ensure the priority of such packets in the transmission process, it is higher than ordinary packets. Instructions:

1. Click the "VLAN > Surveillance VLAN > Property" in the navigation bar as follows.

Apply

Port Setting Table

Edit Port Setting

Interface data are as follows.

1. Click the "VLAN > Surveillance VLAN > Surveillance OUI" in the navigation bar to configure the address segment of OUI of Surveillance VLAN as follows:

Surveillance OUI Table

Add Voice OUI

1. Fill in corresponding configuration items.
2. "Apply" and finish as follows.

Surveillance OUI Table

7.6 GVRP

GVRP VLAN registration protocol is an application of general attribute registration protocol, which provides 802.1Q compatible VLAN pruning function and dynamic VLAN establishment on 802.1Q trunk port trunk port.

GVRP switches can exchange VLAN configuration information with each other, cut unnecessary broadcast and unknown unicast traffic, and create and manage VLAN dynamically on switches connected through 802.1Q trunk.

GID and GIP are used in GVRP, which provide the general state mechanism description and information dissemination mechanism for GARP based applications respectively. GVRP only runs on 802.1Q trunk links. GVRP cuts off the trunk link so that only the active VLAN is transmitted on the trunk connection. Before GVRP adds a VLAN to the trunk line, it first receives the join information from the switch. GVRP update information and timer can be changed. The GVRP ports have a variety of operating modes to control how they tailor VLANs. GVRP can dynamically add and manage VLAN for VLAN database

GVRP supports the propagation of VLAN information between devices. In GVRP, the VLAN information of a switch can be configured manually, and all other switches in the network can dynamically understand the VLANs. The terminal node can access any switch and connect to the required VLAN. In order to use GVRP, a GVRP compatible network interface card (NIC) should be installed. GVRP compatible NIC can be configured to join the required VLAN, and then access to a GVRP enabled switch. The

communication connection between NIC and switch is established, and VLAN connectivity is realized between NIC and switch.

7.6.1 Property

Global and port configuration

Instructions:

1. Click the "VLAN > GVRP > Property" in the navigation bar as follows.

Interface data are as follows.

1. Click the "VLAN > GVRP > Property" in the navigation bar, select the port and "Edit" to enter the configuration interface as follows.

Port Setting Table

Edit Port Setting

Interface data are as follows.

7.6.2 Membership

View GVRP dynamic member information Instructions:

1. Click the "VLAN > GVRP > Membership" in the navigation bar as follows.

Membership Table

7.6.3 Statistics

View port GVRP message statistics Instructions:

1. Click the "VLAN > GVRP > Statistics" in the navigation bar as follows.

8 MAC Address Table

Ethernet switches are mainly innovated to forward according to the purposes in the

data link layer. That is, MAC address will transmit the messages to corresponding ports according to the purposes. MAC address forwarding table is a L2 table illustrating MAC addresses and forwarding ports, which is the basis of fast forwarding of L2 messages.

MAC address forwarding table contains following data:

• Destination MAC Address
  ● VLAN ID belonging to port
• Forwarding ingress No. of this device

There are two message forwarding types according to MAC address table info:

• Unicast mode: the switch directly transmits the messages from the table's egress when MAC address forwarding table contains corresponding entries with the destination MAC address.
• Broadcast mode: When the switch receives the messages with the destination address full of F-bits, or there is no entry corresponding to the MAC destination address in the forwarding table, the switch will forward the messages to all ports excluding the receiving port in this way.

8.1 Dynamic Address

Aging time and table info of MAC addresses can be configured and checked on this page.

MAC address table needs constant updates to cater to network changes. It automatically generates entries that are limited by their lifetime (i.e. aging time). Those entries not refreshed after expiration will be deleted. The aging time of an entry will be recalculated if its record is refreshed before expiration.

Proper aging time helps to achieve the aging target of MAC address. Shortage of aging time may lead many switches broadcast to discover the packets of destination MAC addresses, thus influencing the switch performance.

Aging too long can cause the switch to save outdated MAC address entries, thus exhausting the forwarding resources and failing to update the forwarding table based on network changes.

The switch may remove valid MAC address table entries due to too short aging time, thus reducing forwarding efficiency. In general, the aging time recommended is 300 seconds by default.

Instructions for aging time setting:

1. Click the "MAC Address Table > Dynamic Address" in the navigation bar to the configuration and view interface:

Dynamic Address Table

Interface data are as follows

1. Fill in corresponding configuration items.
2. "Apply" and finish.

MAC Table stores the MAC address, VLAN No., Ingress/Egress info, etc. that are learned by switches. When forwarding data, it will fast locate the device egress in accordance with the destination MAC address and VLAN No. query table of Ethernet frames.

To check the MAC address table, see Section 3.3 of Chapter 3

8.2 Static Address

Static table is manually configured by users and distributed to each interface board, which won't age.

Instructions:

1. Click the "MAC Address Table > Static Address" as follows:

Static Address Table

Add Static Address

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish.

8.3 Filtering Address

The switch discards the matched data frame by configuration Instructions:

1. Click the "MAC Address Table > Filtering Address" as follows:

Filtering Address Table

Add Filtering Address

Interface data are as follows.

8.4 Port Security Address

If the MAC address is set to secure Mac, the port only allows the data frames of the secure Mac to pass through forever, and the others will be discarded Instructions:

1. Click the "MAC Address Table > Port Security Address" as follows:

Port Security Address Table

Add Port Security Address

Interface data are as follows.

9 Spanning Tree

Redundant links are often used for link backup and network reliability in the Ethernet switching network. However, such links will generate loops on the switching network, leading to broadcast storm, unstable MAC address list and other faults, thus worsening users' communication quality, or even interrupting the communication. As a result, STP (Spanning Tree Protocol) appears.

Same with the development of other protocols, from the original STP defined in IEEE 802.1D, to RSTP (Rapid Spanning Tree Protocol) defined in IEEE 802.1W and to MSTP (Multiple Spanning Tree Protocol) defined in IEEE 802.1S, STP keeps upgrading.

MSTP is compatible with RSTP and STP while RSTP is compatible with STP. The contrast among these 3 protocols is shown in the table.

The contrast among 3 protocols

After STP is deployed, the following objectives can be achieved by calculating the loops with topology:

• Loop elimination: eliminate possible communication loops by blocking redundant links.
• Link backups: activate redundant links to restore network connectivity if the active path fails.

9.1 Property

Configure STP global parameters. In specific network environment, STP parameters of some devices must be adjusted to achieve the best performance.

Instructions:

1. Click the "Spanning Tree > Property" in the navigation bar as follows:

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish.

9.2 Port Setting

In specific network environment, STP parameters of some devices need to be adjusted for the best performance.

1. Click the "Spanning Tree > Port Setting" in the navigation bar, select the port and "Edit" to configure its attributes:

Port Setting Table

Edit Port Setting

Apply

Close

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish.

9.3 MST Instance

A switching network is divided into multiple domains by MSTP, with independent spanning trees formed within each domain. Each Spanning Tree is called a MSTI (Multiple Spanning Tree Instance), and each domain is called a MST Region: Multiple Spanning Tree Region).

Description:

An instance is a group of VLANs that reduces communication cost and resource utilization rate. Each instance, independently calculated with topology, can balance the load. VLANs with the same topology can be mapped to a same instance, and they are forwarded according to the port state in corresponding MSTP instances.

In simple terms, mapped to the specified MST instance, one or more VLANs are distributed to a spanning tree at a time.

Instructions:

1. Click the "Spanning Tree > MST Instance" in the navigation bar, "Edit" the selected spanning tree instances to be configured as follows:

MST Instance Table

Edit MST Instance Setting

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish as follows.

9.4 MST Port Setting

Instructions:

1. Click the "Spanning Tree > MST Port Setting" in the navigation bar, check the port to be modified from the list of all ports of the device, "Edit" to enter the detailed configuration interface as follows:

MST Port Setting Table

Edit MST Port Setting

Apply

Close

Interface data are as follows.

1. Fill in corresponding configuration items.

2. "Apply" and finish.

Example of MSTP function configuration:

Switch A, B, C and D all run MSTP which introduces instances to share the load of VLAN10 and 20. MSTP can set up the VLAN mapping table to associate VLANs with spanning tree instances, and to map VLAN10 from instance 1 and VLAN20 from instance 2.

graph TD
    subgraph PSTI1:vlan10
        A["Switch A"] -->|gel/1| B["Switch B"]
        B -->|gel/1| C["Switch C"]
        C -->|gel/1| D["Switch D"]
        D -->|gel/1| E["PC1"]
        D -->|gel/1| F["PC2"]
        G["Root Switch:SwitchA"] --> H["Blocked port"]
    end
    I["Root Switch:SwitchB"] --> J["Blocked port"]
    style A fill:#99ccff,stroke:#333
    style B fill:#99ccff,stroke:#333
    style C fill:#99ccff,stroke:#333
    style D fill:#99ccff,stroke:#333
    style E fill:#99ccff,stroke:#333
    style F fill:#99ccff,stroke:#333

Instructions:

1. Switch A, B, C and D create VLAN10 and 20 to configure the L2 forwarding function of the devices on the Ring. Click the "VLAN > VLAN > Create VLAN" in the navigation bar, fill in the corresponding configurations. "Apply" and finish as follows.

VLAN Table

1. VLANs are added to the switch ports ingress loops. Click the "VLAN > VLAN > Membership" in the navigation bar, select the ring port to be configured, move VLAN10 and 20 to the right box and mark them with "Tagged". "Apply" and finish:

Edit Port Setting

1. Click the "Spanning Tree > Property" in the navigation bar, and choose MSTP mode as follows:

1. Configure the VLAN mapping between instance MSTI1 and MSTI2. Click the "Spanning Tree > MST Instance" to fill in corresponding parameters, and "Add" them as follows:

MST Instance Table

Note:

• Set the priority of MSTI1 to 0 and MSTI2 to 4,096 before configuring Switch A.

• Set the priority of MSTI1 to 4,096 and MSTI2 to 0 before configuring Switch B.
  ● The priority must be a multiple of 4,096.

• Switch B serves as the root bridge of MSTI2 and the backup root bridge of MSTI1 in the domain. Please refer to 5 for instructions.

• The tree-shaped network will eliminate loops.

9.5 Statistics

Instructions:

1. Click the "Spanning Tree > Statistics" in the navigation bar, entry port statistics as follows:

Statistics Table

10 Discovery

LLDP (Link Layer Discovery Protocol) is defined in IEEE 802.1ab. It is a standard L2 discovery method which integrates the info such as management addresses, device and interface identifications of local network devices and transmits to the neighbor devices. After receiving the info, they will save it in form of standard MIB (Management Information Base) for NMS query and link communication judgment.

It can also integrate the info and transmit to its own remote devices. The info received by the local network device will be kept in the form of MIB. The following shows how it works.

Block diagram of LLDP principles

graph TD
    A["Configure DHCP snooping to support Option 82 (Optional)"] <--> B["LLDP local system MIB"]
    C["Remote device customized LLDP extension MIB (Optional)"] <--> D["LLDP remote system MIB"]
    E["LLDP Agent"] --> F["Local Device Info"]
    F --> G["LLDP Frame"]
    G --> H["Remote Device Info"]
    I["Physical topology MIB (Optional)"] <--> J["Entity MIB (Optional)"]
    K["Interface MIB (Optional)"] <--> L["Other types MIB (Optional)"]
    B <--> G
    D <--> G
    F <--> G

LLDP is realized based on:

• LLDP module updates its local system MIB, as well as the customized extension MIB, through the interaction between LLDP agent and MIBs of physical topology, entity, interface and other types.
• Encapsulate the info of local network device into LLDP frames and transmit to the remote device.
• Receive the LLDP frame sent by the remote device to update LLDP remote system MIB and customized extension MIB.
  ● Master the info of remote device such as connection interface and MAC address through the transmitting & receiving function of LLDP agent.
• The local system MIB stores local device info, including device and interface IDs, system name and description, interface description, network management address, etc.
• The remote system MIB stores local device info, including device and interface IDs, system name and description, interface description, network management address, etc.

Based on LLDP, LLDP-MED allows other units to expand. The info checked by network devices facilitates fault analysis and deepens the accurate understanding of network topology by management system.

10.1 LLDP

Instructions:

1. Click the "Discovery > LLDP > Property" in the navigation bar as follows.

Interface data are as follows.

Ethernet message encapsulated with LLDPDU (LLDP Data Unit) are recognized as LLDP message. Each TLV is a unit of LLDPDU carried with specified info.

1. Fill in corresponding configuration items
2. "Apply" and finish.

10.2 Port Setting

Instructions

1. Click the "Discovery > LLDP > Port Setting" in the navigation bar as follows.

Interface data are as follows.

LLDP can work in 4 patterns: Transmit: transmit LLDP messages only; Receive: receive LLDP messages only; Normal: transmit and receive LLDP messages; Disable: neither transmit nor receive LLDP messages.

1. Check corresponding port and "Edit" the port configuration. "Apply" and finish as follows.

Interface data are as follows.

10.3 MED Network Policy

MED is based on IEEE 802.1ab. LLDP is the neighbor discovery protocol of IEEE, which can be extended by other organizations. Information identified from network devices, such as switches and wireless access points, can help with fault analysis and allow management systems to accurately understand the network topology.

Instructions

1. Click the "Discovery > LLDP > MED Network Policy" in the navigation bar as follows.

MED Network Policy Table

Add MED Network Policy

Interface data are as follows.

10.4 MED Port Setting

Instructions

1. Click the "Discovery > LLDP > MED Port Setting" in the navigation bar as follows.

MED Port Setting Table

Edit MED Port Setting

Interface data are as follows.

10.5 Packet View

Instructions

1. Click the "Discovery > LLDP > Packet View" in the navigation bar as follows.

Packet View Table

10.6 Local Information

Instructions for device summary:

1. Click the "Discovery > LLDP > Local Information" in the navigation bar as follows.

Device Summary

Instructions for port status table:

1. Click the "Discovery > LLDP > Local Information" in the navigation bar as follows.

Port Status Table

10.7 Neighbor

Instructions for LLDP neighbor displaying

1. Click the "Discovery > LLDP > Neighbor" in the navigation bar as follows.

Neighbor Table

10.8 Statistics

Instructions:

1. Click the "Discovery > LLDP > Statistics" in the navigation bar as follows.

Global Statistics

Statistics Table

11 DHCP

DHCP Server brief introduction

With the expansion of network scale and the improvement of network complexity, network configuration is becoming more and more complex. Computer location changes (such as portable computer or wireless network) and the number of computers exceeds the IP address that can be allocated.

Dynamic Host Configuration Protocol (DHCP) is developed to meet these requirements. The DHCP protocol works in the client / server mode. The DHCP client requests the configuration information from the DHCP server dynamically, and the DHCP server returns the corresponding configuration information according to the policy.

In a typical application of DHCP, it generally includes a DHCP server and multiple clients (such as PC and laptop), as shown in Figure 1-1.

graph TD
    A["DHCP Client"] --> B["LAN"]
    C["DHCP Client"] --> B
    D["DHCP Client"] --> B
    E["DHCP Client"] --> B
    F["DHCP Client"] --> B
    G["DHCP Client"] --> B
    H["DHCP Server"] --> I["X"]
    J["S"] --> K["Server"]

Figure 1-1. In a typical application of DHCP

IP address assignment of DHCP

IP address allocation strategy

According to the different needs of clients, DHCP provides three IP address allocation strategies

• Manual address assignment: the administrator binds the fixed IP address for a few specific clients (such as WWW server). Send the configured fixed IP address to the client through DHCP.
  ● Automatic address assignment: DHCP assigns IP addresses with unlimited lease term to clients.
  ● Dynamic address assignment: DHCP assigns IP address with valid period to client, and client needs to re-apply for address after expiration of service life. Most clients get this dynamic address assignment.

Dynamic IP address acquisition process

The message interaction process between DHCP client and DHCP server is shown in Figure 2-1.

graph TD
    A["DHCP Client"] -->|DHCP Discover| B["DHCP Server"]
    C["DHCP Client"] -->|DHCP Offer| D["DHCP Server"]
    E["DHCP Client"] -->|DHCP Request| F["DHCP Server"]
    G["DHCP Client"] -->|DHCP ACK| H["DHCP Server"]
    I["DHCP Client"] -->|DHCP Review| J["DHCP Server"]
    K["DHCP Client"] -->|DHCP ACK| L["DHCP Server"]

Figure 2-1. Interaction process

In order to obtain the legal dynamic IP address, the DHCP client interacts different information with the server at different stages. Generally, there are three modes as follows:

(1) DHCP client logs in to the network for the first time

When the DHCP client logs in to the network for the first time, it mainly establishes contact with the DHCP server through four stages

• The discovery phase: the stage in which the DHCP client looks for the DHCP server. The client sends the DHCP discover message in broadcast mode, and only the DHCP server will respond.
• The stage of providing IP address: that is, the stage when the DHCP server provides IP address. After receiving the DHCP discover message from the client, the DHCP server selects an unassigned IP address from the IP address pool and assigns it to the client, and sends the DHCP offer message containing the leased IP address and other settings to the client.
• The selection stage: the stage in which the DHCP client selects the IP address. If more than one DHCP server sends a DHCP offer message to the client, the client only accepts the first received DHCP offer message, and then responds to the DHCP request message by broadcasting to each DHCP server. The information contains the content of requesting IP address from the selected DHCP server.
• The confirmation stage: the stage in which the DHCP server confirms the IP address provided. When the DHCP server receives the DHCP request message answered by the DHCP client, it will send the dhcp-ack confirmation message containing the IP address and other settings provided by the client; otherwise, it will return the dhcp-nak message, indicating that the address cannot be assigned to the client. After receiving the dhcp-ack confirmation message returned by the server, the client will send ARP (the destination address is the address to which it is assigned) in broadcast mode for address detection. If no response is received within the specified time, the client will use this address.

(2) The DHCP client logs on to the network again

When the DHCP client logs in to the network again, it mainly establishes contact with the DHCP server through the following steps.

• After the DHCP client logs in to the network correctly for the first time and then logs in to the network again, it only needs to broadcast the DHCP request message containing the IP address assigned last time, and it is not necessary to send the DHCP discover message again.
• After receiving the DHCP request message, if the address requested by the client is not assigned, the dhcp-ack confirmation message will be returned to notify the DHCP client to continue using the original IP address.
• If the IP address cannot be assigned to the DHCP client (for example, it has been assigned to other clients), the DHCP server will return a dhcp-nak

message. After receiving the message, the client sends the DHCP discover message again to request a new IP address.

(3) DHCP client extends lease validity of IP address

The dynamic IP address assigned by the DHCP server to the client usually has a certain lease term. After the expiration, the server will take back the IP address. If the DHCP client wants to continue using the address, the IP lease needs to be updated.

In practice, the DHCP client sends a DHCP request message to the DHCP server by default when the IP address lease term reaches half to complete the IP lease update. If the IP address is valid, the DHCP server will respond to the dhcp-ack message to inform the DHCP client that a new lease has been obtained.

11.1 Property

DHCP global and static binding configuration Instructions:

1. Click the "DHCP > Property" in the navigation bar as follows.

DHCP Port Setting Table

Instructions for port DHCP configuration:

1. Click the "DHCP > Property", and select the port and click "Edit" as follows.

Edit Port Setting

Note:

● Enable DHCP server or DHCP relay mode, port needs to enable this function

11.2 IP Pool Setting

DHCP IP pool configuration

Instructions:

1. Click the "DHCP > IP Pool Setting", Click "Add" to add IP pool as follows.

IP Pool Table

IP Pool Table

Note:

- The start address and end address cannot be configured or contain a gateway address

11.3 VLAN IF Address Group Setting

Server group configuration

Instructions:

1. Click the "DHCP > VLAN IF Address Group Setting", enter the DHCP Server Group Table and click "Add" to configure the server group as follows.

DHCP Server Group Table

DHCP Server Group Table

VLAN interface and server group binding configuration Instructions:

1. Click the "DHCP > VLAN IF Address Group Setting", enter the VLAN Interface Address Pool Table, select the interface and server group, and then click "Apply" as follows.

Vlan Interface Address Pool Table

11.4 Client List

Client list information

Instructions:

1. Click the "DHCP > Client List", enter DHCP Client list as follows.

DHCP Client List

11.5 Client Static Binding Table

Static IP address assignment configuration

Instructions:

1. Click the "DHCP > Client Static Binding Table", enter Static Binding Table, and click "Add" as follows.

Static Binding Table

Note:

- The IP configuration of static binding is required to be within the scope of IP address assignment.

12 Multicast

12.1 General

12.1.1 Property

Instructions:

1. Click the "Multicast > General > Property" in the navigation bar as follows.

12.1.2 Group Address

According to the previous request mode of multicast, the multicast router will copy and forward data to each VLAN containing receivers when users in different VLANs request the same multicast group, which wastes a great deal of bandwidth. IGMP Snooping configures multicast VLAN by connecting the different users of switch ports to a same multicast VLAN to receive multicast data. In this way, multicast flow can only be transmitted within a multicast VLAN, thus saving bandwidth. In addition, security and bandwidth are guaranteed because multicast VLANs are completely isolated from user VLANs.

Instructions

1. Click the "Multicast > Group Address", "Add" a new static multicast item, and "Edit" the existing ones as follows:

Group Address Table

Add Group Address

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish as follows.

Group Address Table

12.1.3 Router Port

Configure and view multicast router port Instructions:

1. Click the "Multicast > General > Router Port" in the navigation bar as follows.

Router Port Table

12.1.4 Forward All

Configure and view multicast forward port Instructions:

1. Click the "Multicast > General > Forward All" in the navigation bar as follows.

Forward All Table

12.1.5 Throttling

Configure and view port multicast group restrictions Instructions:

1. Click the "Multicast > General > Throttling" in the navigation bar as follows.

Throttling Table

IP Version IPv4 ▼

Q

12.1.6 Filtering Profile

Configure and view port multicast filtering profile Instructions:

1. Click the "Multicast > General > Filtering Profile" in the navigation bar as follows.

Filtering Profile Table

Configure and view multicast filtering profile and port binding relationship

1. Click the "Multicast > General > Filtering Binding" in the navigation bar as follows.

Filtering Binding Table

IP Version IPv4

Q

12.2 IGMP Snooping

IGMP Snooping (Internet Group Management Protocol Snooping) is a constraint mechanism on L2 devices to manage and control multicast groups.

By analyzing the IGMP messages received, L2 devices establish a mapping between ports and MAC multicast addresses and forward the multicast data accordingly.

As shown below, multicast data are transmitted on L2 without IGMP snooping. When IGMP snooping runs, known multicast group data are transmitted to specified receivers while unknown multicast data are still on Layer 2.

graph TD
    subgraph "Multicast packet transmission without IGMP Snooping"
        A["Source"] --> B["Multicast router"]
        B --> C["Host A Receiver"]
        B --> D["Host B"]
        B --> E["Host C Receiver"]
        C --> F["Layer 2 switch"]
        D --> F
        E --> F
    end

    subgraph "Multicast packet transmission when IGMP Snooping runs"
        G["Source"] --> H["Multicast router"]
        H --> I["Host A Receiver"]
        H --> J["Host B"]
        H --> K["Host C Receiver"]
        I --> L["Layer 2 switch"]
        J --> L
        K --> L
    end

12.2.1 Property

IGMP Snooping is on the L2 switch between the multicast routers and the user hosts, applicable to deploy IPv4 networks. It is configured in a VLAN to snoop the IGMP/MLD messages transmitted between routers and hosts, and to establish a L2 forwarding table for multicast data, in order to manage and control the multicast data forwarding in L2 network.

Global IGMP Snooping function should be enabled since it is disabled by default. Instructions:

1. Click the "Multicast > IGMP Snooping > Property", select the VLAN to be configured from the created VLAN info, and "Edit" the details as follows:

VLAN Setting Table

Edit

Edit VLAN Setting

Close

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish.

12.2.2 Querier

Configure and view IGMP snooping Querier

Instructions:

1. Click the "Multicast > IGMP Snooping > Querier" in the navigation bar as follows.

Querier Table

Interface data are as follows.

12.2.3 Statistics

Configure and view IGMP snooping statistics Instructions:

1. Click the "Multicast > IGMP Snooping > statistics" in the navigation bar as follows.

12.3 MLD Snooping

MLD snooping is the abbreviation of multicast Listener Discovery snooping. It is an IPv6 Multicast constraint mechanism running on layer 2 devices, which is used to manage and control IPv6 Multicast Groups.

The second layer device running MLD snooping establishes a mapping relationship between port and MAC multicast address by analyzing the received MLD message, and forwards IPv6 multicast data according to the mapping relationship

As shown in the figure below, when the layer 2 device does not run MLD snooping, the IPv6 multicast data packets are broadcast at layer 2; when the layer 2 device runs MLD snooping, the multicast data packets of known IPv6 Multicast groups will not be broadcast at layer 2, but will be multicast to the designated receivers at layer 2.

graph TD
    A["Source"] --> B["Router"]
    B --> C["L2 Switch"]
    C --> D["Host A Receiver"]
    C --> E["Host B"]
    C --> F["Host C Receiver"]
    G["Source"] --> H["Router"]
    H --> I["L2 Switch"]
    I --> J["Host A Receiver"]
    I --> K["Host B"]
    I --> L["Host C Receiver"]
    M["Multicast Packets"] --> C
    M --> I

MLD snooping can only forward information to the receivers in need through layer 2 multicast, which can bring the following benefits:

• Reduce the broadcast packets in the layer 2 network and save the network bandwidth;
  ● Enhance the security of IPv6 Multicast information;
• It is convenient to charge each host separately.

12.3.1 Property

Global MLD Snooping function should be enabled since it is disabled by default. Instructions:

1. Click the "Multicast > MLD Snooping > Property", select the VLAN to be configured from the created VLAN info, and "Edit" the details as follows:

VLAN Setting Table

Interface data are as follows.

1. Fill in corresponding configuration items.

2. "Apply" and finish.

12.3.2 Statistics

Configure and view MLD snooping statistics

Instructions:

1. Click the "Multicast > MLD Snooping > statistics" in the navigation bar as follows.

12.4 MVR

In order to solve the problem of multicast traffic broadcast based on VLAN in layer 2 network, we use IGMP snooping protocol to control the receiver, that is, only the receiver can receive the multicast traffic normally.

However, IGMP snooping can only effectively control the traffic of the same multicast VLAN, but not the cross VLAN traffic. As a result, the efficiency of multiple replication of the same multicast in different VLANs still exists. In order to solve the flooding problem of cross VLAN, we adopt the dedicated multicast VLAN of multicast source traffic, as shown in the figure below

graph TD
    A["Source"] --> B["Router"]
    B --> C["L2 Switch"]
    C --> D["Host A Receiver VLAN 10"]
    C --> E["Host B Receiver VLAN 20"]
    C --> F["Host C Receiver VLAN 30"]
    B --> G["VLAN 10, VLAN 20, VLAN 30"]
    H["Source"] --> I["Router"]
    I --> J["L2 Switch"]
    J --> K["Host A Receiver VLAN 10"]
    J --> L["Host B Receiver VLAN 20"]
    J --> M["Host C Receiver VLAN 30"]
    I --> N["VLAN 100"]
    N --> O["MVR"]
    style O fill:#f9f,stroke:#333
    note right of O Multicast Packets

12.4.1 Property

Global MVR function should be enabled since it is disabled by default.

Instructions:

1. Click the "Multicast > MVR > Property", enter the MVR global configuration interface as follows:

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish.

12.4.2 Port Setting

Instructions:

1. Click the "Multicast > MVR > Port Setting", enter the MVR port setting interface as follows:

Port Setting Table

Edit Port Setting

Interface data are as follows.

12.4.3 Group Address

Instructions:

1. Click the "Multicast > MVR > Group Address", view multicast group information as follows:

Group Address Table

Interface data are as follows.

13 Routing

The switch provides three layers of VLAN interface, which is used to communicate with network layer devices. VLANIF interface is a network layer interface, which can be configured with IP address. Before creating VLANIF interface, the corresponding VLAN should be created first. With the help of VLANIF interface, switches can communicate with other network layer devices.

13.1 IPv4 Management and Interfaces

13.1.1 IPv4 Interface

Instructions:

1. Click the "Routing > IPv4 Management and Interfaces > IPv4 Interface", enter IPv4 layer 3 interface configuration as follows:

IPv4 Interface Table

Add IPv4 Interface

Interface data are as follows.

13.1.2 IPv4 Routes

Instructions:

1. Click the "Routing > IPv4 Management and Interfaces > IPv4 Routes", enter IPv4 static route interface configuration as follows:

IPv4 Routing Table

Add IPv4 Static Route

Interface data are as follows.

13.1.3 ARP

Instructions:

1. Click the "Routing > IPv4 Management and Interfaces >ARP", configure and view ARP table entries as follows:

ARP Table

Add ARP

Interface data are as follows.

13.2 IPv6 Management and Interfaces

13.2.1 IPv6 Interface

Instructions:

1. Click the "Routing > IPv6 Management and Interfaces > IPv6 Interface", enter IPv6 layer 3 interface configuration as follows:

IPv6 Interface Table

Add IPv6 Interface

Apply

Close

Interface data are as follows.

13.2.2 IPv6 Address

Instructions:

1. Click the "Routing > IPv6 Management and Interfaces > IPv6 Address", enter the IPv6 address configuration interface as follows:

IPv6 Address Table

Interface

VLAN 1

Add

Delete

Add IPv6 Interface

Apply

Close

Interface data are as follows.

13.2.3 IPv6 Routes

Instructions:

1. Click the "Routing > IPv6 Management and Interfaces > IPv6 Routes", enter IPv6 static route interface configuration as follows:

IPv6 Routing Table

Add IPv6 Static Route

Interface data are as follows.

13.2.4 Neighbors

Instructions:

1. Click the "Routing > IPv6 Management and Interfaces > Neighbors", configure and view IPv6 neighbor table entries as follows:

IPv6 Neighbor Table

Add Neighbor

Interface data are as follows.

13.3 Rip Routes Management

The routing information protocol (RIP) is a relatively outdated but still widely used internal gateway protocol (IGP), which is mainly used in the smaller homogeneous networks. RIP is a classical distance vector routing protocol, which appears in RFC 1058, and presents an improved RIP-2 among RFC1388, and was revised in RFC 1723 and RFC 2453.

RIP uses Bellman-For algorithm currently RIP IPv4 has two versions, RIPv1 and RIPv2. RIP has the following main features:

RIP is a typical distance vector routing protocol.

RIP messages sent by the broadcast address 255.255.255.255, RIPv2 send messages

by using multicast address 224.0.0.9, both using the port 520 of UDP

RIP takes the minimum hop count to the destination network as the routing metric, rather than the bandwidth and delay of the link.

RIP is designed for small networks. The number of hops is limited to 15 hops, and the 16 hop is not reachable.

RIP-1 is a kind of class routing protocol, does not supporting discontinuous subnet design.

RIP-2 support CIDR and VLSM variable subnet mask, which make it supports the discontinuous subnet mask design

RIP periodic full routing updating, make the routing table broadcast to the neighbor router, broadcast cycle default 30 seconds.

RIP protocol management distance is 120.

For small networks, in terms of occupied bandwidth, RIP is small cost and easy to configure, manage, and implement, and RIP is still in use. But RIP also has obvious shortcomings. When there is more than one network will appear loop problem. In order to solve the loop problem, IETF proposed a split-Horizon method, the routing information received at this interface will no longer go out from the interface. The scope of the division solves the routing loop problem between two routers, but can't prevent the problem which is the loop mainly formed by delay factor because of large scale network. The trigger update requires the router to transmit its routing table immediately when the link changes. These speeds up the convergence of the network, but prone to broadcast flooding. In short, the solution of the loop problem needs to consume a certain amount of time and bandwidth. If the RIP protocol is adopted, the number of links in the network can't exceed 15, which makes the RIP protocol is not suitable for large networks.

RIP Working principle

RIP is a distributed type routing protocol based on distance vector, which is the standard protocol of the Internet. Its biggest advantage is simple. The RIP protocol requires that each router in the network maintain a distance record from itself to each other destination network. The RIP protocol defines “distance” as: the distance of a router directly connected network defines as 1.the distance of a router not directly connected network defines as pass each router plus 1. "Distance" is also called "hops". RIP allows one path contain up to 15 routers, so distance equal to 16 is unreachable. So RIP protocol only applies to small Internet.

RIP 2 comes from RIP and is a supplementary protocol for RIP. It is mainly used to increase the number of loaded useful information and increase its security performance. RIPv1 and RIPv2 are UDP-based protocols. Under RIP2, each host or router sends and receives packets from UDP port 520 through the routing select process. The default routing update period for RIP protocol is 30S.

Instructions

1. Click on the "Routing > Rip Routes Management > Rip Routes Setting" in the

navigation tree as follows.

Rip Routes Info

1. Network Setting table, click "Add" enter the configuration interface as follows.

Network Setting table

Notice:

Before configuring and publishing the network, please configure the interface IP and ensure that the IP protocol and physical state of the interface are up

13.4 Ospf Routes Management

OSPF (Open Shortest Path First) is an Interior Gateway Protocol (IGP) for routing decisions within a single autonomous system (AS). It is an implementation of the link state routing protocol, under the internal gateway protocol (IGP). It is operating within the autonomous system. The shortest path is calculated using the Dixdale algorithm.

OSPF is IGP routing protocols developed by IETF's OSPF workgroup OSPF designed for IP networks support IP subnet and external routing information marking, also allows authentication of message and supports IP multicast

OSPF routing protocol is a typical link state routing protocol, which is generally used in the same routing domain. Here, routing domain refers to an autonomous system (as), which refers to a group of networks that exchange routing information through a unified routing policy or routing protocol. In this as, all OSPF routers maintain

the same database describing the as structure, which stores the state information of the corresponding links in the routing domain. It is through this database that OSPF routers calculate their OSPF routing tables

As a link state routing protocol, OSPF transmits link state multicast data LSA (link state advertisement) to all routers in a certain area, which is different from distance vector routing protocol. The router running distance vector routing protocol passes part or all of the routing tables to its neighboring routers

As for the security of information exchange, OSPF stipulates that any information exchange between routers can be authenticated when necessary, so as to ensure that only trusted routers can transmit routing information. OSPF supports a variety of authentication mechanisms, and allows different authentication mechanisms to be used among different regions. OSPF optimizes the application of link state algorithm in broadcast network (such as Ethernet) in order to make full use of hardware broadcast ability to transmit link state messages. Usually, in the topology of link state algorithm, a node represents a router. If all k routers are connected to the Ethernet, when the link state is broadcast, the packets about these K routers will reach the square of K. Therefore, OSPF allows a node to represent a broadcast network in the topology diagram. All routers in each broadcast network send link status messages to report the link status of routers in the network

Instructions

1. Click on the "Routing > Ospf Routes Management > Ospf Routes Setting" in the navigation tree as follows.

OSPF Routes Info

1. Area Network Setting, click "Add" enter the configuration interface as follows.

Area Network Setting table

Area Network Setting table

Notice:

Before configuring and publishing the network, please configure the interface IP and ensure that the IP protocol and physical state of the interface are up

14 Security

14.1 RADIUS

Instructions:

1. Click the "Security > RADIUS", enter RADIUS interface as follows:

RADIUS Table

Interface data are as follows.

14.2 TACACS+

Instructions:

1. Click the "Security > TACACS+", enter TACACS+ interface as follows:

TACACS+ Table

Add TACACS+ Server

Interface data are as follows.

14.3 AAA

14.3.1 Method List

Instructions:

1. Click the "Security > AAA > Method List", enter method list interface as follows:

Method List Table

Add Method List

Interface data are as follows.

14.3.2 Login Authentication

Instructions:

1. Click the "Security > AAA > Login Authentication", enter login authentication interface as follows:

14.4 Management Access

14.4.1 Management Service

Instructions for Telnet:

1. Click the "Security > Management Access > Management Service", enter management service interface as follows:

Instructions for SSH:

1. Click the "Security > Management Access > Management Service", enter management service interface as follows:

Instructions for HTTPS:

1. Click the "Security > Management Access > Management Service", enter management service interface as follows:

Instructions for SNMP:

1. Click the "Security > Management Access > Management Service", enter management service interface as follows:

14.4.2 Management ACL

ACLS applied to management

Instructions:

1. Click the "Security > Management Access > Management ACL", enter management ALC interface as follows:

Management ACL Table

1. Click the "Security > Management Access > Management ACE", enter management ACE interface as follows:

Management ACE Table

Interface data are as follows.

14.5 Authentication Manager

14.5.1 Property

Enable the global setting of 802.1x/MAC/WEB authentication network access control

Instructions:

1. Click the "Security > Management Manager > Property", enter global interface as follows:

Apply

Port Mode Table

Interface data are as follows.

14.5.2 Port Setting

Instructions:

1. Click the "Security > Management Manager > Port Setting", enter port setting interface as follows:

Port Setting Table

Edit Port Setting

Interface data are as follows.

14.5.3 MAC-Based Local Account

Instructions:

1. Click the "Security > Management Manager > MAC-Based Local Account", enter configuration interface as follows:

MAC-Based Local Account Table

14.5.4 WEB-Based Local Account

Instructions:

1. Click the "Security > Management Manager > WEB-Based Local Account", enter

configuration interface as follows:

WEB-Based Local Account Table

14.5.5 Sessions

Instructions:

1. Click the "Security > Management Manager > Sessions", view sessions interface as follows:

14.6 DoS

14.6.1 Property

Enable the Attack Resistance option to make the switch more secure.

Instructions

1. Click the "Security > DoS > Property" to the "DoS Global Configuration" interface as follows.

14.6.2 Port Setting

DoS attack resistance is enabled based on ports. Instructions

1. Click the "Security > DoS > Port Setting" as follows:

Port Setting Table

1. Select and "Edit" the port to enable or disable the DoS attack resistance function as

follows.

Edit Port Setting

14.7 Dynamic ARP Inspection

14.7.1 Property

Instructions

1. Click the "Security > Dynamic ARP Inspection > Property" enter global configuration interface as follows:

1. Select the port and "Edit" to enter the port configuration interface as follows:

Port Setting Table

Edit Port Setting

14.7.2 Statistics

Instructions

1. Click the "Security > Dynamic ARP Inspection > Statistics" view DAI statistics as follows:

Statistics Table

14.8 DHCP Snooping

For sake of security, the network administrator may need to record the IP address of a user surfing the Internet and to confirm the correspondence between the IP address obtained from DHCP Server and the host's MAC address.

Switch can record the user's IP address through the secure DHCP relay at the network layer.

Switch can monitor DHCP messages and record the user's IP address through DHCP Snooping at the data link layer. In addition, private DHCP Server in the network may lead to wrong IP address for the user. To ensure that users obtain IP addresses through legal DHCP Server, the DHCP Snooping security mechanism divides the ports into Trust Port and Untrust Port.

Trust Port directly or indirectly connects legal DHCP Server. It forwards the DHCP

messages received to ensure the correct IP address for DHCP Client. Untrust Port connects illegal DHCP Server. DHCPACK and DHCPOFFER messages received from the DHCP Server on the Untrust Port will be discarded to prevent incorrect IP addresses.

graph TD
    A["DHCP Client"] -->|Eth1/0/1| B["Switch A (DHCP Snooping)"]
    C["DHCP Client"] -->|Eth1/0/2| B
    D["DHCP Client"] -->|Eth1/0/1| B
    E["DHCP Server"] --> F["Internet"]
    G["Switch B (DHCP Relay)"] --> F

Typical Networking of DHCP Snooping

The following methods are used to obtain the IP address and user MAC address from DHCP Server:

• Snooping the DHCPREQUEST message
• Snooping the DHCPACK message

14.8.1 Property

Enable DHCP Snooping

Instructions:

1. Click the "Security > DHCP Snooping > Property". DHCP Snooping interface is divided into global configuration and port configuration. Select the port to be modified in the port configuration and "Edit" the details as follows:

Port Setting Table

Edit Port Setting

Interface data are as follows.

1. Fill in corresponding configuration items.
2. "Apply" and finish as follows.

Port Setting Table

14.8.2 Statistics

Instructions

1. Click the "Security > Dynamic ARP Inspection > Statistics" view DHCP Snooping statistics as follows:

Statistics Table

14.8.3 Option82 Property

Private DHCP Servers in the network may lead to wrong IP addresses obtained by users. DHCP Snooping security mechanism based on PS7024 Ethernet switch divides the ports into Trust Port and Untrust Port in order to provide the IP addresses through legal DHCP Servers.

• Trust Port directly or indirectly connects legal DHCP Server. It ensures the correct IP address for DHCP Client by forwarding the DHCP messages received.
• Untrust Port connects illegal DHCP servers. DHCP ACK and DHCPOFFER messages responded by DHCP Server on untrusted ports will be discarded to prevent incorrect IP addresses.

Option 82 is the Relay Agent Information Option in DHCP messages, which records

the location of DHCP Client. When the DHCP relay (or DHCP Snooping device) receives the request, message sent from DHCP Client to DHCP Server, administrators can add the Option 82 to locate the DHCP Client and control the security, cost, etc. More flexible approaches to address allocation are created by the servers supporting Option 82 in line with the IP addresses and other parameters allocation policies.

Up to 255 sub-options are contained in the Option 82. At least one sub-option should be defined if Option 82 is defined. The current device supports 2 sub-options: Circuit ID Sub-option and Remote ID Sub-option

Manufacturers usually fill options as needed since RFC 3046 fails to uniform the Option 82 options. As the DHCP relay device, Ethernet switch supports the extended padding formats for Option 82 sub-options and the padding defaults are as follows:

• Sub-option 1: VLAN No. and port index (port physical number minuses 1) of the port receiving the Request message sent by DHCP Client.
• Sub-option 2: bridge MAC address of DHCP relay device receiving the DHCP Client Request message.

Sub-option 1: VLAN No. and port index (port physical number minuses 1) of the port receiving the Request message sent by DHCP Client as follows.

Sub-option 2: bridge MAC address of DHCP relay device receiving the DHCPREQUEST message of DHCP Client.

DHCP Relay Supporting Mechanism of Option 82

The processes of DHCP Client acquiring IP address from DHCP Server through DHCP relay is basically the same as that directly from DHCP Server. Steps of discovery, provision, selection, and validation are essential. The supporting mechanism of DHCP relay is introduced as follows:

(1) DHCP relay will check the Option 82 in the DHCPREQUEST message received and handle it accordingly.
- For existing Option 82 messages, DHCP relay will process according to the configuration policies (discarding, replacing with relay Option 82, or maintaining original Option 82), and then forward to DHCP Server.
- For messages without Option 82, DHCP relay will add and forward the new messages to DHCP Server.
(2) DHCP relay will peel off Option 82 from the response message received from DHCP Server, and then forward the message with DHCP configuration info to DHCP Client.

Description:

DHCP Client transmits a DHCPDISCOVERY message and a DHCPREQUEST message. DHCP relay will add Option 82 to both messages due to different processing mechanisms of DHCP Servers of manufacturers for Request message. Some devices handle Option 82 in the DHCPDISCOVERY message, while others handle it in the DHCPREQUEST message.

A switch configured with DHCP Snooping and Option 82 functions receives DHCPREQUEST messages with Option 82 sent by DHCP Clients. DHCP Snooping takes different processing mechanisms according to different configuration processing strategies and sub-option contents.

Instructions:

1. Click the "Security > DHCP Snooping > Option82 Property". Global and port configurations are contained. Select the port to be configured and "Edit" the details as follows:

Port Setting Table

Edit Port Setting

Interface data are as follows.

Description:

☐ Option 82 field independently configures Circuit ID or Remote ID sub-options. It can be configured individually or simultaneously in no specific order.

DHCP Option 82 must be configured in the user bar, otherwise DHCP messages sent to DHCP Server won't carry Option 82.

When receiving the DHCP response message from DHCP Server, the message containing Option 82 will be forwarded after deleting the field, or forwarded directly if the message contains no Option 82.

1. Fill in corresponding configuration items.
2. "Apply" and finish as follows.

Apply

Port Setting Table

Illustration of DHCP Snooping Typical Configuration

As shown below, Switch port GE1-5 is connected to DHCP Server, and ports GE1-1, 2 and 3 are connected to DHCP Client A, B and C respectively.

• Enable the DHCP Snooping on the switch.
• Set the GE1-5 as the trust port of DHCP Snooping.

- Enable the Option 82 supporting function on the switch. For GE1-3 message flowing through the port, fill in the Option 82 according to the default configuration of Circuit ID and Remote ID.

Network Diagram

graph TD
    A["DHCP Server"] -->|ge1/5| B["Switch"]
    B -->|ge1/3| C["Client C"]
    B -->|ge1/2| D["Client B"]
    B -->|ge1/1| E["Client A"]

Configure DHCP snooping to support Option 82

Instructions:

1. Enable the DHCP Snooping of switch. Click the "Security > DHCP Snooping > Property" in the navigation bar to enable the function as follows:

1. Set the GE1-5 as the trust port of DHCP Snooping, fill in corresponding configurations and "Edit" as follows:

Port Setting Table