Omada TL-SG2008P - Switch TP-LINK - Free user manual and instructions

USER MANUAL Omada TL-SG2008P TP-LINK

Accessing the Switch

Determine the Management Method ....4

Web Interface Access....5

Login....5

Save the Configuration File....6

Disable the Web Server 7

Configure the Switch's IP Address and Default Gateway 8

Command Line Interface Access 10

Console Login (only for switch with console port)....10

Telnet Login 12

SSH Login....13

Disable Telnet login....17

Disable SSH login 18

Copy running-config startup-config....18

Change the Switch's IP Address and Default Gateway....19

Managing System

System 21

Overview....21

Supported Features....21

System Info Configurations 23

Using the GUI 23

Viewing the System Summary....23

Configuring the Device Description....27

Configuring the System Time 27

Configuring the Daylight Saving Time....28

Configuring LED (Only for Certain Devices)....29

Using the CLI 30

Viewing the System Summary....30

Configuring the Device Description....31

Configuring the System Time 32

Configuring the Daylight Saving Time....35

Configuring LED (Only for Certain Devices) 37

User Management Configurations.... 38

Using the GUI 38

Creating Accounts 38

Configuring Enable Password....39

Using the CLI 40

Creating Accounts 40

Configuring Enable Password....41

System Tools Configurations 44

Using the GUI 44

Configuring the Boot File 44

Restoring the Configuration of the Switch 46

Backing up the Configuration File....46

Upgrading the Firmware....47

Configuring DHCP Auto Install (Only for Certain Devices)....47

Rebooting the switch....49

Reseting the Switch....50

Using the CLI....50

Configuring the Boot File....50

Restoring the Configuration of the Switch 52

Backing up the Configuration File....52

Upgrading the Firmware....53

Configuring DHCP Auto Install (Only for Certain Devices) 53

Rebooting the Switch 55

Reseting the Switch....57

EEE Configuration.... 58

Using the CLI....58

PoE Configurations (Only for Certain Devices) 60

Using the GUI 61

Configuring the PoE Parameters Manually....61

Configuring the PoE Parameters Using the Profile....64

Using the CLI....67

Configuring the PoE Parameters Manually....67

Configuring the PoE Parameters Using the Profile....69

SDM Template Configuration....72

Using the GUI 72

Using the CLI....73

Time Range Configuration....75

Using the GUI 75

Adding Time Range Entries....75

Configuring Holiday 77

Using the CLI....78

Adding Time Range Entries....78

Configuring Holiday 79

Controller Settings (Only for Certain Devices) 81

Using the GUI 81

Enabling Cloud-Based Controller Management....81

Configuring Controller Inform URL....82

Using the CLI....82

Enabling Cloud-Based Controller Management....82

Configuring Controller Inform URL....82

Example for PoE Configurations....84

Network Requirements....84

Configuring Scheme....84

Using the GUI 84

Using the CLI 87

Appendix: Default Parameters....89

Managing Physical Interfaces

Physical Interface 93

Overview....93

Supported Features....93

Basic Parameters Configurations....94

Using the GUI 94

Using the CLI 95

Port Isolation Configurations....98

Using the GUI....98

Using the CLI....99

Loopback Detection Configuration....101

Using the GUI 101

Using the CLI....103

Configuration Examples....105

Example for Port Isolation....105

Network Requirements....105

Configuration Scheme....105

Using the GUI....105

Using the CLI 107

Example for Loopback Detection....108

Network Requirements....108

Configuration Scheme....108

Using the GUI....109

Using the CLI 110

Appendix: Default Parameters....111

Configuring LAG

LAG....113

Overview....113

Supported Features....113

LAG Configuration....114

Using the GUI 115

Configuring Load-balancing Algorithm....115

Configuring Static LAG or LACP....116

Using the CLI 118

Configuring Load-balancing Algorithm....118

Configuring Static LAG or LACP....119

Configuration Examples....123

Example for Static LAG 123

Network Requirements....123

Configuration Scheme....123

Using the GUI....123

Using the CLI 124

Example for LACP 125

Network Requirements....125

Configuration Scheme....125

Using the GUI....126

Using the CLI 127

Appendix: Default Parameters....130

Configuring DDM (Only for Certain Devices)

Overview 132

DDM Configuration....133

Using the GUI 133

Configuring DDM Globally....133

Configuring the Threshold....134

Viewing DDM Status....139

Using the CLI....139

Configuring DDM Globally....139

Configuring DDM Shutdown....140

Configuring the Threshold....141

Viewing DDM Configuration....147

Viewing DDM Status....148

Appendix: Default Parameters....149

Managing MAC Address Table

MAC Address Table....151

Overview....151

Supported Features....151

MAC Address Configurations 153

Using the GUI 153

Adding Static MAC Address Entries 153

Modifying the Aging Time of Dynamic Address Entries....155

Adding MAC Filtering Address Entries....156

Viewing Address Table Entries....156

Using the CLI....157

Adding Static MAC Address Entries 157

Modifying the Aging Time of Dynamic Address Entries....158

Adding MAC Filtering Address Entries....159

Security Configurations 161

Using the GUI....162

Configuring MAC Notification Traps 162

Limiting the Number of MAC Addresses Learned in VLANs....163

Using the CLI 165

Configuring MAC Notification Traps 165

Limiting the Number of MAC Addresses in VLANs 167

Example for Security Configurations 169

Network Requirements....169

Configuration Scheme 169

Using the GUI 170

Using the CLI 171

Appendix: Default Parameters....172

Configuring 802.1Q VLAN

Overview 174

802.1Q VLAN Configuration....175

Using the GUI 176

Configuring the VLAN....176

Configuring Port Parameters for 802.1Q VLAN 177

Using the CLI....178

Creating a VLAN 178

Adding the Port to the Specified VLAN....179

Configuring the Port....180

Configuration Example 182

Network Requirements....182

Configuration Scheme 182

Network Topology....183

Using the GUI 183

Using the CLI....186

Appendix: Default Parameters ....189

Configuring MAC VLAN

Overview 191

MAC VLAN Configuration....192

Using the GUI 192

Configuring 802.1Q VLAN 192

Binding the MAC Address to the VLAN....192

Enabling MAC VLAN for the Port....193

Using the CLI....194

Configuring 802.1Q VLAN....194

Binding the MAC Address to the VLAN....194

Enabling MAC VLAN for the Port....195

Configuration Example 196

Network Requirements....196

Configuration Scheme 196

Using the GUI 197

Using the CLI 202

Appendix: Default Parameters....206

Configuring Protocol VLAN

Overview 208

Protocol VLAN Configuration....209

Using the GUI 209

Configuring 802.1Q VLAN 209

Creating Protocol Template 210

Configuring Protocol VLAN....211

Using the CLI 212

Configuring 802.1Q VLAN 212

Creating a Protocol Template....212

Configuring Protocol VLAN....213

Configuration Example 216

Network Requirements....216

Configuration Scheme 216

Using the GUI 218

Using the CLI 224

Appendix: Default Parameters....228

Configuring VLAN-VPN (Only for Certain Devices)

VLAN-VPN 230

Overview....230

Supported Features....231

Basic VLAN-VPN Configuration 232

Using the GUI 232

Configuring 802.1Q VLAN 232

Configuring Basic VLAN-VPN 233

Using the CLI 234

Configuring 802.1Q VLAN 234

Configuring Basic VLAN-VPN 234

Flexible VLAN-VPN Configuration....237

Using the GUI 237

Using the CLI 238

Configuration Examples....240

Example for Basic VLAN VPN 240

Network Requirements....240

Configuration Scheme....240

Using the GUI....241

Using the CLI 247

Example for Flexible VLAN VPN 251

Network Requirements....251

Configuration Scheme....251

Using the GUI....252

Using the CLI 259

Appendix: Default Parameters....262

Configuring GVRP

Overview 264

GVRP Configuration....265

Using the GUI 266

Using the CLI 267

Configuration Example 270

Network Requirements....270

Configuration Scheme 270

Using the GUI 271

Using the CLI 275

Appendix: Default Parameters....279

Configuring Private VLAN (Only for Certain Devices)

Overview 281

Private VLAN Configurations 283

Using the GUI 283

Using the CLI 284

Creating Private VLAN....284

Configuring the Up-link Port 286

Configuring the Down-link Port....288

Configuration Example 290

Network Requirements....290

Configuration Scheme 290

Network Topology....290

Using the GUI 291

Using the CLI 295

Appendix: Default Parameters....299

Configuring Layer 2 Multicast

Layer 2 Multicast....301

Overview 301

Supported Features....303

IGMP Snooping Configuration 304

Using the GUI 304

Configuring IGMP Snooping Globally 304

Configuring IGMP Snooping for VLANs 305

Configuring IGMP Snooping for Ports....309

Configuring Hosts to Statically Join a Group....309

Configuring IGMP Accounting and Authentication Features....310

Using the CLI 312

Configuring IGMP Snooping Globally 312

Configuring IGMP Snooping for VLANs 313

Configuring IGMP Snooping for Ports....318

Configuring Hosts to Statically Join a Group....319

Configuring IGMP Accounting and Authentication Features....320

MLD Snooping Configuration....324

Using the GUI 324

Configuring MLD Snooping Globally....324

Configuring MLD Snooping for VLANs....325

Configuring MLD Snooping for Ports 328

Configuring Hosts to Statically Join a Group 328

Using the CLI 329

Configuring MLD Snooping Globally....329

Configuring MLD Snooping for VLANs....330

Configuring MLD Snooping for Ports 335

Configuring Hosts to Statically Join a Group....336

MVR Configuration 338

Using the GUI 338

Configuring 802.1Q VLANs....338

Configuring MVR Globally....339

Adding Multicast Groups to MVR....340

Configuring MVR for the Port....341

(Optional) Adding Ports to MVR Groups Statically 342

Using the CLI 343

Configuring 802.1Q VLANs....343

Configuring MVR Globally....343

Configuring MVR for the Ports 345

Multicast Filtering Configuration....348

Using the GUI 348

Creating the Multicast Profile....348

Configure Multicast Filtering for Ports 350

Using the CLI 351

Creating the Multicast Profile....351

Binding the Profile to Ports....354

Viewing Multicast Snooping Information....358

Using the GUI 358

Viewing IPv4 Multicast Table 358

Viewing IPv4 Multicast Statistics on Each Port 359

Viewing IPv6 Multicast Table....360

Viewing IPv6 Multicast Statistics on Each Port....361

Using the CLI 362

Viewing IPv4 Multicast Snooping Information....362

Viewing IPv6 Multicast Snooping Configurations....363

Configuration Examples....364

Example for Configuring Basic IGMP Snooping....364

Network Requirements....364

Configuration Scheme....364

Using the GUI....365

Using the CLI 367

Example for Configuring MVR 369

Network Requirements 369

Network Topology....369

Configuration Scheme....370

Using the GUI....370

Using the CLI 373

Example for Configuring Unknown Multicast and Fast Leave....376

Network Requirement....376

Configuration Scheme....377

Using the GUI....377

Using the CLI 379

Example for Configuring Multicast Filtering....380

Network Requirements....380

Configuration Scheme....380

Network Topology....381

Using the GUI....381

Using the CLI 385

Appendix: Default Parameters ....388

Default Parameters for IGMP Snooping 388

Default Parameters for MLD Snooping....389

Default Parameters for MVR....390

Default Parameters for Multicast Filtering....390

Configuring Spanning Tree

Spanning Tree....392

Overview....392

Basic Concepts 392

STP/RSTP Concepts....392

MSTP Concepts 396

STP Security 397

STP/RSTP Configurations 400

Using the GUI 400

Configuring STP/RSTP Parameters on Ports....400

Configuring STP/RSTP Globally....402

Verifying the STP/RSTP Configurations....404

Using the CLI 406

Configuring STP/RSTP Parameters on Ports....406

Configuring Global STP/RSTP Parameters 408

Enabling STP/RSTP Globally....410

MSTP Configurations 412

Using the GUI 412

Configuring Parameters on Ports in CIST 412

Configuring the MSTP Region 415

Configuring MSTP Globally....419

Verifying the MSTP Configurations 421

Using the CLI 422

Configuring Parameters on Ports in CIST 422

Configuring the MSTP Region 425

Configuring Global MSTP Parameters....428

Enabling Spanning Tree Globally....430

STP Security Configurations....432

Using the GUI 432

Using the CLI 433

Configuring the STP Security....433

Configuration Example for MSTP 436

Network Requirements....436

Configuration Scheme 436

Using the GUI 437

Using the CLI 443

Appendix: Default Parameters....450

Configuring LLDP

LLDP 453

Overview 453

Supported Features....453

LLDP Configurations 454

Using the GUI 454

Configuring LLDP Globally 454

Configuring LLDP For the Port 456

Using the CLI 457

Global Config....457

Port Config....459

LLDP-MED Configurations....462

Using the GUI 462

Configuring LLDP Globally 462

Configuring LLDP-MED Globally 462

Configuring LLDP-MED for Ports....463

Using the CLI 465

Global Config....465

Port Config....466

Viewing LLDP Settings....469

Using GUI....469

Viewing LLDP Device Info 469

Viewing LLDP Statistics 473

Using CLI 474

Viewing LLDP-MED Settings 475

Using GUI....475

Using CLI 478

Configuration Example 479

Configuration Example for LLDP 479

Network Requirements......479

Network Topology....479

Configuration Scheme....479

Using the GUI....479

Using CLI....480

Example for LLDP-MED 486

Network Requirements....486

Configuration Scheme....486

Using the GUI....486

Using CLI....489

Appendix: Default Parameters....492

Configuring L2PT (Only for Certain Devices)

Overview 494

L2PT Configuration....496

Using the GUI 496

Using the CLI 497

Configuration Example 501

Network Requirements....501

Configuration Scheme 501

Using the GUI 501

Using the CLI....502

Appendix: Default Parameters....504

Configuring PPPoE ID Insertion (Only for Certain Devices)

Overview 506

PPPoE ID Insertion Configuration....507

Using the GUI 507

Using the CLI....508

Appendix: Default Parameters....511

Configuring Layer 3 Interfaces

Overview 513

Layer 3 Interface Configurations....514

Using the GUI 514

Creating an Layer 3 Interface....514

Configuring IPv4 Parameters of the Interface 516

Configuring IPv6 Parameters of the Interface 517

Viewing Detail Information of the Interface....520

Using the CLI 521

Creating an Layer 3 Interface....521

Configuring IPv4 Parameters of the Interface 523

Configuring IPv6 Parameters of the Interface 524

Configuration Example 527

Network Requirement 527

Configuration Scheme 527

Using the GUI 527

Using the CLI 528

Appendix: Default Parameters....530

Configuring Routing

Overview 532

IPv4 Static Routing Configuration....533

Using the GUI 533

Using the CLI 534

IPv6 Static Routing Configuration 535

Using the GUI 535

Using the CLI 535

Viewing Routing Table 537

Using the GUI 537

Viewing IPv4 Routing Table....537

Viewing IPv6 Routing Table....538

Using the CLI....538

Viewing IPv4 Routing Table....538

Viewing IPv6 Routing Table....539

Example for Static Routing....540

Network Requirements....540

Configuration Scheme 540

Using the GUI 540

Using the CLI 542

Configuring DHCP Service

DHCP 546

Overview....546

Supported Features....546

DHCP Server Configuration....551

Using the GUI 551

Enabling DHCP Server 551

Configuring DHCP Server Pool 553

Configuring Manual Binding....554

Using the CLI 555

Enabling DHCP Server 555

Configuring DHCP Server Pool 558

Configuring Manual Binding....561

DHCP Relay Configuration 564

Using the GUI 564

Enabling DHCP Relay and Configuring Option 82....564

Configuring DHCP Interface Relay 566

Configuring DHCP VLAN Relay 566

Using the CLI 568

Enabling DHCP Relay 568

(Optional) Configuring Option 82 ....569

Configuring DHCP Interface Relay 571

Configuring DHCP VLAN Relay 572

DHCP L2 Relay Configuration 575

Using the GUI 575

Enabling DHCP L2 Relay 575

Configuring Option 82 for Ports....576

Using the CLI 577

Enabling DHCP L2 Relay 577

Configuring Option 82 for Ports ....578

Configuration Examples....581

Example for DHCP Server....581

Network Requirements....581

Configuration Scheme....581

Using the GUI....581

Using the CLI 583

Example for DHCP Interface Relay 583

Network Requirements....583

Configuration Scheme....584

Using the GUI....585

Using the CLI 591

Example for DHCP VLAN Relay 593

Network Requirements....593

Configuration Scheme....594

Using the GUI....595

Using the CLI 598

Example for Option 82 in DHCP Relay....600

Network Requirements....600

Configuration Scheme....601

Configuring the DHCP Relay Switch....602

Configuring the DHCP Server 604

Example for DHCP L2 Relay 606

Network Requirements....606

Configuration Scheme....606

Configuring the DHCP Relay Switch....607

Configuring the DHCP Server 610

Appendix: Default Parameters....612

Configuring ARP

Overview 616

Supported Features....616

ARP Configurations....618

Using the GUI 618

Viewing the ARP Entries....618

Adding Static ARP Entries Manually....619

Configuring Gratuitous ARP 619

Configuring Proxy ARP 620

Configuring Local Proxy ARP 621

Using the CLI....622

Configuring the ARP Entry 622

Configuring the Gratuitous ARP 624

Configuring Proxy ARP 626

Appendix: Default Parameters....629

Configuring QoS

QoS....631

Overview....631

Supported Features....631

Class of Service Configuration....633

Using the GUI 634

Configuring Port Priority....634

Configuring 802.1p Priority 636

Configuring DSCP Priority....639

Specifying the Scheduler Settings 643

Using CLI 645

Configuring Port Priority....645

Configuring 802.1p Priority 648

Configuring DSCP Priority....651

Specifying the Scheduler Settings 657

Bandwidth Control Configuration....661

Using the GUI 661

Configuring Rate Limit....661

Configuring Storm Control 662

Using the CLI....664

Configuring Rate Limit....664

Configuring Storm Control 665

Voice VLAN Configuration 668

Using the GUI 668

Configuring OUI Addresses 668

Configuring Voice VLAN Globally 669

Adding Ports to Voice VLAN 670

Using the CLI 671

Auto VoIP Configuration 674

Using the GUI 674

Using the CLI 675

Configuration Examples....679

Example for Class of Service 679

Network Requirements....679

Configuration Scheme....679

Using the GUI....680

Using the CLI 682

Example for Voice VLAN 684

Network Requirements......684

Configuration Scheme....685

Using the GUI....685

Using the CLI 689

Example for Auto VoIP 692

Network Requirements....692

Configuration Scheme....693

Using the GUI....693

Using the CLI 698

Appendix: Default Parameters....703

Configuring Access Security

Access Security 708

Overview....708

Supported Features....708

Access Security Configurations....709

Using the GUI....709

Configuring the Access Control Feature....709

Configuring the HTTP Function 712

Configuring the HTTPS Function....714

Configuring the SSH Feature 717

Configuring the Telnet Function....718

Configuring the Serial Port Parameters....719

Using the CLI....719

Configuring the Access Control Feature....719

Configuring the HTTP Function 721

Configuring the HTTPS Function....723

Configuring the SSH Feature 726

Configuring the Telnet Function....728

Configuring the Serial Port Parameters....729

Appendix: Default Parameters....730

Configuring AAA

Overview 733

AAA Configuration....734

Using the GUI 735

Adding Servers....735

Configuring Server Groups....737

Configuring the Method List....738

Configuring the AAA Application List....739

Configuring Login Account and Enable Password 740

Using the CLI....741

Adding Servers....741

Configuring Server Groups....743

Configuring the Method List....744

Configuring the AAA Application List 745

Configuring Login Account and Enable Password 750

Configuration Example 752

Network Requirements....752

Configuration Scheme 752

Using the GUI 753

Using the CLI 755

Appendix: Default Parameters....758

Configuring 802.1x

Overview 761

802.1x Configuration....762

Using the GUI 762

Configuring the RADIUS Server 762

Configuring 802.1x Globally....765

Configuring 802.1x on Ports....766

View the Authenticator State 768

Using the CLI....769

Configuring the RADIUS Server....769

Configuring 802.1x Globally....771

Configuring 802.1x on Ports....773

Viewing Authenticator State....775

Configuration Example 777

Network Requirements....777

Configuration Scheme 777

Network Topology....777

Using the GUI 778

Using the CLI 780

Appendix: Default Parameters....783

Configuring Port Security

Overview 785

Port Security Configuration....786

Using the GUI 786

Using the CLI 787

Appendix: Default Parameters....790

Configuring ACL

Overview 792

ACL Configuration....793

Using the GUI 793

Configuring Time Range 793

Creating an ACL....793

Configuring ACL Rules....794

Configuring MAC ACL Rule....794

Configuring IP ACL Rule....798

Configuring Combined ACL Rule....802

Configuring the IPv6 ACL Rule....807

Configuring the Packet Content ACL Rule 812

Configuring ACL Binding....816

Using the CLI 818

Configuring Time Range 818

Configuring ACL 818

Configuring Policy....828

Configuring ACL Binding....830

Viewing ACL Counting 831

Configuration Example for ACL....832

Configuration Example for MAC ACL....832

Network Requirements 832

Configuration Scheme....832

Using the GUI....833

Using the CLI 839

Configuration Example for IP ACL....840

Network Requirements 840

Configuration Scheme....841

Using the GUI....841

Using the CLI 847

Configuration Example for Combined ACL....849

Network Requirements 849

Configuration Scheme....849

Using the GUI....850

Using the CLI 855

Appendix: Default Parameters....857

Configuring IPv4 IMPB

IPv4 IMPB 860

Overview 860

Supported Features 860

IP-MAC Binding Configuration....861

Using the GUI 861

Binding Entries Manually 861

Binding Entries via ARP Scanning....863

Binding Entries via DHCP Snooping....864

Viewing the Binding Entries 866

Using the CLI 867

Binding Entries Manually 867

Binding Entries via DHCP Snooping....869

Viewing Binding Entries 870

ARP Detection Configuration....871

Using the GUI 871

Adding IP-MAC Binding Entries 871

Enabling ARP Detection 871

Configuring ARP Detection on Ports 872

Viewing ARP Statistics....873

Using the CLI 874

Adding IP-MAC Binding Entries 874

Enabling ARP Detection 874

Configuring ARP Detection on Ports 875

Viewing ARP Statistics....877

IPv4 Source Guard Configuration....878

Using the GUI 878

Adding IP-MAC Binding Entries 878

Configuring IPv4 Source Guard 878

Using the CLI 879

Adding IP-MAC Binding Entries 879

Configuring IPv4 Source Guard 879

Configuration Examples....881

Example for ARP Detection 881

Network Requirements....881

Configuration Scheme....881

Using the GUI....882

Using the CLI 884

Example for IP Source Guard....886

Network Requirements 886

Configuration Scheme....886

Using the GUI....886

Using the CLI 888

Appendix: Default Parameters....890

Configuring IPv6 IMPB

IPv6 IMPB 893

Overview 893

Supported Features 893

IPv6-MAC Binding Configuration....895

Using the GUI 895

Binding Entries Manually 895

Binding Entries via ND Snooping....897

Binding Entries via DHCPv6 Snooping....898

Viewing the Binding Entries....900

Using the CLI....901

Binding Entries Manually....901

Binding Entries via ND Snooping....903

Binding Entries via DHCPv6 Snooping....904

Viewing Binding Entries 905

ND Detection Configuration 906

Using the GUI 906

Adding IPv6-MAC Binding Entries....906

Enabling ND Detection....906

Configuring ND Detection on Ports....907

Viewing ND Statistics....907

Using the CLI....908

Adding IPv6-MAC Binding Entries....908

Enabling ND Detection....908

Configuring ND Detection on Ports....909

Viewing ND Statistics....910

IPv6 Source Guard Configuration....911

Using the GUI 911

Adding IPv6-MAC Binding Entries....911

Configuring IPv6 Source Guard 911

Using the CLI 912

Adding IPv6-MAC Binding Entries....912

Configuring IPv6 Source Guard 912

Configuration Examples....914

Example for ND Detection....914

Network Requirements......914

Configuration Scheme....914

Using the GUI....915

Using the CLI 917

Example for IPv6 Source Guard 918

Network Requirements....918

Configuration Scheme....919

Using the GUI....919

Using the CLI 921

Appendix: Default Parameters....922

Configuring DHCP Filter

DHCP Filter 925

Overview....925

Supported Features....925

DHCPv4 Filter Configuration....927

Using the GUI 927

Configuring the Basic DHCPv4 Filter Parameters....927

Configuring Legal DHCPv4 Servers 929

Using the CLI 929

Configuring the Basic DHCPv4 Filter Parameters....929

Configuring Legal DHCPv4 Servers....931

DHCPv6 Filter Configuration....933

Using the GUI 933

Configuring the Basic DHCPv6 Filter Parameters....933

Configuring Legal DHCPv6 Servers....934

Using the CLI 935

Configuring the Basic DHCPv6 Filter Parameters....935

Configuring Legal DHCPv6 Servers....936

Configuration Examples....938

Example for DHCPv4 Filter 938

Network Requirements....938

Configuration Scheme....938

Using the GUI....939

Using the CLI 940

Example for DHCPv6 Filter 941

Network Requirements....941

Configuration Scheme....942

Using the GUI....942

Using the CLI 944

Appendix: Default Parameters....946

Configuring DoS Defend

Overview 948

DoS Defend Configuration....949

Using the GUI 949

Using the CLI 950

Appendix: Default Parameters....953

Monitoring the System

Overview 955

Monitoring the CPU 956

Using the GUI 956

Using the CLI 956

Monitoring the Memory 958

Using the GUI 958

Using the CLI 958

Monitoring Traffic

Traffic Monitor 961

Using the GUI 961

Using the CLI 965

Appendix: Default Parameters....966

Mirroring Traffic

Mirroring....968

Using the GUI 968

Using the CLI 970

Configuration Examples....972

Network Requirements....972

Configuration Scheme 972

Using the GUI 972

Using the CLI 973

Appendix: Default Parameters....975

Configuring sFlow (Only for Certain Devices)

Overview 977

sFlow Configuration....978

Using the GUI 978

Configuring the sFlow Agent....978

Configuring the sFlow Collector 979

Configuring the sFlow Sampler 979

Using the CLI....981

Configuration Example 984

Network Requirements....984

Configuration Scheme 984

Using the GUI 984

Using the CLI....985

Appendix: Default Parameters....987

Configuring OAM (Only for Certain Devices)

Ethernet OAM....989

Overview....989

Supported Features....990

Ethernet OAM Configurations....993

Using the GUI 993

Enabling OAM and Configuring OAM Mode 993

Configuring Link Monitoring....994

Configuring RFI....996

Configuring Remote Loopback....997

Viewing OAM Status....998

Using the CLI 1000

Enabling OAM and Configuring OAM Mode 1000

Configuring Link Monitoring....1001

Configuring Remote Failure Indication....1007

Configuring Remote Loopback....1008

Verifying OAM Connection....1009

Viewing OAM Statistics....1012

Using the GUI 1012

Viewing OAMPDUs....1012

Viewing Event Logs....1014

Using the CLI....1015

Viewing OAMPDUs....1015

Viewing Event Logs....1017

Configuration Example 1019

Network Requirements....1019

Configuration Scheme....1019

Using the GUI....1019

Using the CLI 1023

Appendix: Default Parameters....1027

Configuring DLDP

Overview 1029

DLDP Configuration....1030

Using the GUI 1030

Using the CLI....1032

Appendix: Default Parameters....1034

Configuring SNMP & RMON

SNMP 1036

Overview....1036

Basic Concepts....1036

SNMP Configurations....1040

Using the GUI 1040

Enabling SNMP 1040

Creating an SNMP View....1041

Creating SNMP Communities (For SNMP v1/v2c) 1042

Creating an SNMP Group (For SNMP v3)....1043

Creating SNMP Users (For SNMP v3)....1044

Using the CLI 1045

Enabling SNMP 1045

Creating an SNMP View....1047

Creating SNMP Communities (For SNMP v1/v2c) 1048

Creating an SNMP Group (For SNMPv3)....1049

Creating SNMP Users (For SNMPv3)....1051

Notification Configurations....1053

Using the GUI 1053

Configuring the Information of NMS Hosts....1053

Enabling SNMP Traps....1055

Using the CLI 1058

Configuring the NMS Host....1058

Enabling SNMP Traps....1060

RMON 1068

RMON Configurations....1069

Using the GUI 1069

Configuring the Statistics Group....1069

Configuring History Group....1070

Configuring Event Group 1071

Configuring Alarm Group....1072

Using the CLI 1074

Configuring Statistics....1074

Configuring History....1076

Configuring Event 1077

Configuring Alarm....1078

Configuration Example 1081

Network Requirements....1081

Configuration Scheme 1082

Using the GUI 1082

Using the CLI 1087

Appendix: Default Parameters....1093

Diagnosing the Device & Network

Diagnosing the Device....1098

Using the GUI 1098

Using the CLI....1099

Diagnosing the Network....1100

Using the GUI 1100

Troubleshooting with Ping Testing....1100

Troubleshooting with Tracert Testing....1101

Using the CLI 1102

Configuring the Ping Test....1102

Configuring the Tracert Test....1103

Appendix: Default Parameters....1104

Configuring System Logs

Overview 1106

System Logs Configurations....1107

Using the GUI 1108

Configuring the Local Logs....1108

Configuring the Remote Logs....1108

Backing up the Logs 1109

Viewing the Log Table....1110

Using the CLI 1111

Configuring the Local Logs....1111

Configuring the Remote Logs....1112

Configuration Example 1114

Network Requirements....1114

Configuration Scheme 1114

Using the GUI 1114

Using the CLI 1115

Appendix: Default Parameters....1116

About This Guide

This User Guide provides information for managing JetStream Switches. Please read this guide carefully before operation.

Intended Readers

This Guide is intended for network managers familiar with IT concepts and network terminologies.

Conventions

When using this guide, notice that features available in Jetstream Switches may vary by model and software version. Availability of Jetstream Switches may also vary by region or ISP. All images, steps, and descriptions in this guide are only examples and may not reflect your actual experience.

Some models featured in this guide may be unavailable in your country or region. For local sales information, visit https://www.tp-link.com.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied. Users must take full responsibility for their application of any products.

In this Guide, the following conventions are used:

PoE budget calculations are based on laboratory testing. Actual PoE power budget is not guaranteed and will vary as a result of client limitations and environmental factors.

The symbol stands for Note. Notes contains suggestions or references that helps you make better use of your device.

For GUI:

Menu Name > Submenu Name > Tab page indicates the menu structure. System > System Info > System Summary means the System Summary page under the System Info menu option that is located under the System menu.

Bold font indicates a button, a toolbar icon, menu or menu item.

For CLI:

Bold Font An unalterable keyword.

For example: show logging

Common combination:

{[]][[]} A least one item in the square brackets must be selected.

For example: bandwidth {[ingress ingress-rate] [egress egress-rate]}

This command can be used on three occasions:

bandwidth ingress ingress-rate is used to restrict ingress bandwidth.

bandwidth egress egress-rate is used to restrict egress bandwidth.

bandwidth ingress ingress-rate egress egress-rate is used to restrict ingress and egress bandwidth.

More Information

■ The latest software and documentations can be found at Download Center at https://www.tp-link.com/support.
■ The Installation Guide (IG) can be found where you find this guide or inside the package of the switch.
■ The authentication information can be found where you find this guide.
■ Specifications can be found on the product page at https://www.tp-link.com.
■ To ask questions, find answers, and communicate with TP-Link users or engineers, please visit https://community.tp-link.com to join TP-Link Community.
■ Our Technical Support contact information can be found at the Contact Technical Support page at https://www.tp-link.com/support.

Part 1

Accessing the Switch

CHAPTERS

1. Determine the Management Method
2. Web Interface Access
3. Command Line Interface Access

1 Determine the Management Method

Before building your network, choose a proper method to manage your switch based on your actual network situation. The switch supports two configuration options: Standalone Mode or Controller Mode.

Note:

Controller Mode is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If Controller Mode is available, there is SYSTEM > Controller Settings in the menu structure.

■ Controller Mode

If you want to configure and manage a large-scale network centrally, which consists of mass devices such as access points, switches, and gateways, Controller Mode is recommended. In Controller Mode, the switch can be centrally configured and monitored via Omada SDN Controller.

To prepare the switch for Omada SDN Controller Management, refer to Controller Settings (Only for Certain Devices). For detailed instructions about the network topology in such situations and how to use Omada SDN Controller, refer to the User Guide of Omada SDN Controller. The guide can be found on the download center of our official website: https://www.tp-link.com/support/download/

■ Standalone Mode

If you have a relatively small-sized network and only one or just a small number of devices need to be managed, Standalone Mode is recommended. In Standalone Mode, the switch can be singly configured and monitored via the GUI (Graphical User Interface, also called web interface in this text) or via the CLI (Command Line Interface). There are equivalent functions in the web interface and the command line interface, while web configuration is easier and more visual than the CLI configuration. You can choose the method according to their available applications and preference.

This User Guide introduces how to configure and monitor the switch in Standalone Mode.

Note:

- The GUI and CLI is inaccessible while the switch is managed by a controller. To turn the switch back to Standalone Mode and access its GUI and CLI, you can forget the switch on the controller or reset the switch.

• The first time you log in, change the password to better protect your network and devices.

2 Web Interface Access

You can access the switch's web interface through the web-based authentication. The switch uses two built-in web servers, HTTP server and HTTPS server, for user authentication.

The following example shows how to login via the HTTP server.

2.1 Login

To manage your switch through a web browser in the host PC:

1) Make sure that the route between the host PC and the switch is available.
2) Launch a web browser. The supported web browsers include, but are not limited to, the following types:

■ IE 8.0, 9.0, 10.0, 11.0
■ Firefox 26.0, 27.0
■ Chrome 32.0, 33.0

3) Enter the switch's IP address in the web browser's address bar. The switch's default IP address is 192.168.0.1.

Figure 2-1 Enter the Switch's IP Address in the Browser

4) Enter the username and password (both admin by default) in the pop-up login window.

Figure 2-2 Login Authentication

Note:

The first time you log in, change the password to better protect your network and devices.

5) The typical web interface displays below. You can view the switch's running status and configure the switch on this interface.

Figure 2-3 Web Interface

2.2 Save the Configuration File

The switch's configuration files fall into two types: the running configuration file and the start-up configuration file.

After you perform configurations on the sub-interfaces and click Apply, the modifications will be saved in the running configuration file. The configurations will be lost when the switch reboots.

If you need to keep the configurations after the switch reboots, please click save main interface to save the configurations in the start-up configuration file.

Figure 2-4 Save the Configuration

2.3 Disable the Web Server

You can shut down the HTTP server and HTTPS server to block any access to the web interface.

Go to SECURITY > Access Security > HTTP Config, disable the HTTP server and click Apply.

Figure 2-5 Shut Down HTTP Server

Go to SECURITY > Access Security > HTTPS Config, disable the HTTPS server and click Apply.

Figure 2-6 Disbale the HTTPS Server

2.4 Configure the Switch's IP Address and Default Gateway

If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN which the access port belongs to.

■ Change the IP Address

By default, all the ports belong to VLAN 1 with the VLAN interface IP 192.168.0.1.

The following example shows how to change the switch's default access IP address 192.168.0.1.

1) Go to L3 FEATURES > Interface. The default access IP address in VLAN 1 in the Interface List. Click Edit IPv4 to modify VLAN1's IP address.

Figure 2-7 Change VLAN1's IP Address

2) Choose the IP Address Mode as Static. Enter the new access address in the IP Address field and click Apply. Make sure that the route between the host PC and the switch's new IP address is available.

Figure 2-8 Specify the IP Address

3) Enter the new IP address in the web browser to access the switch.

4) Click to save the settings.

■ Configure the Default Gateway

The following example shows how to configure the switch's gateway. By default, the switch has no default gateway.

1) Go to page L3 FEATURES > Static Routing > IPv4 Static Routing Config. Click to Add load the following page and configure the parameters related to the switch's gateway. Then click Create.

Figure 2-9 Configure the Default Gateway

Destination Specify the destination as 0.0.0.0.

Subnet Mask Specify the subnet mask as 0.0.0.0.

Next Hop Configure your desired default gateway as the next hop's IP address.

Distance Specify the distance as 1.

2) Click to save the settings.

3) Check the routing table to verify the default gateway you configured. The entry marked in red box displays the valid default gateway.

Figure 2-10 View the Default Gateway

3 Command Line Interface Access

Users can access the switch's command line interface through the console (only for switch with console port), Telnet or SSH connection, and manage the switch with the command lines.

Console connection requires the host PC connecting to the switch's console port directly, while Telnet and SSH connection support both local and remote access.

The following table shows the typical applications used in the CLI access.

Table 3-1 Method list

3.1 Console Login (only for switch with console port)

Follow these steps to log in to the switch via the Console port:

1) Connect the PC or terminal to the Console port on the switch with the serial cable.
2) Start the terminal emulation program (such as the Hyper Terminal) on the PC and configure the terminal emulation program as follows:

■ Baud Rate: 38400bps
■ Data Bits: 8
■ Parity: None
■ Stop Bits: 1
■ Flow Control: None

3) Type the User name and Password in the Hyper Terminal window. The default value for both of them is admin. Press Enter in the main window and Switch> will appear, which

indicates that you have successfully logged in to the switch and you can use the CLI now.

Figure 3-1 CLI Main Window

Note:

The first time you log in, change the password to better protect your network and devices.

4) Enter enable to enter the User EXEC Mode to further configure the switch.

Figure 3-2 User EXEC Mode

Note:

In Windows XP, go to Start > All Programs > Accessories > Communications > Hyper Terminal to open the Hyper Terminal and configure the above settings to log in to the switch.

3.2 Telnet Login

The switch supports Login Local Mode for authentication by default.

Login Local Mode: Username and password are required, which are both admin by default.

The following steps show how to manage the switch via the Login Local Mode:

1) Make sure the switch and the PC are in the same LAN (Local Area Network). Click Start and type in cmd in the Search bar and press Enter.

Figure 3-3 Open the CMD Window

2) Type in telnet 192.168.0.1 in the CMD window and press Enter.

Figure 3-4 Log In to the Switch

3) Type in the login username and password (both admin by default). Press Enter and you will enter User EXEC Mode.

Figure 3-5 Enter User EXEC Mode

Note:

The first time you log in, change the password to better protect your network and devices.

4) Type in enable command and you will enter Privileged EXEC Mode. By default no password is needed. Later you can set a password for users who want to access the Privileged EXEC Mode.

Figure 3-6 Enter Privileged EXEC Mode

Now you can manage your switch with CLI commands through Telnet connection.

3.3 SSH Login

SSH login supports the following two modes: Password Authentication Mode and Key Authentication Mode. You can choose one according to your needs:

■ Password Authentication Mode: Username and password are required, which are both admin by default.
■ Key Authentication Mode (Recommended): A public key for the switch and a private key for the client software (PuTTY) are required. You can generate the public key and the private key through the PuTTY Key Generator.

Before logging in via SSH, follow the steps below to enable SSH on the terminal emulation program:

Figure 3-7 Enable SSH

Password Authentication Mode

1) Open PuTTY and go to the Session page. Enter the IP address of the switch in the Host Name field and keep the default value 22 in the Port field; select SSH as the Connection type. Click Open.

Figure 3-8 Configurations in PuTTY

2) Enter the login username and password to log in to the switch, and you can continue to configure the switch.

Figure 3-9 Log In to the Switch

Note:

The first time you log in, change the password to better protect your network and devices.

Key Authentication Mode

1) Open the PuTTY Key Generator. In the Parameters section, select the key type and enter the key length. In the Actions section, click Generate to generate a public/private key pair. In the following figure, an SSH-2 RSA key pair is generated, and the length of each key is 1024 bits.

Figure 3-10 Generate a Public/Private Key Pair

Note:

• The key length should be between 512 and 3072 bits.
- You can accelerate the key generation process by moving the mouse quickly and randomly in the Key section.

2) After the keys are successfully generated, click Save public key to save the public key to a TFTP server; click Save private key to save the private key to the host PC.

Figure 3-11 Save the Generated Keys

3) On Hyper Terminal, download the public key file from the TFTP server to the switch as shown in the following figure:

Figure 3-12 Download the Public Key to the Switch

Note:

• The key type should accord with the type of the key file. In the above CLI, v1 corresponds to SSH-1 (RSA), and v2 corresponds to SSH-2 RSA and SSH-2 DSA.
  • The key downloading process cannot be interrupted.

4) After the public key is downloaded, open PuTTY and go to the Session page. Enter the IP address of the switch and select SSH as the Connection type (keep the default value in the Port field).

Figure 3-13 Configure the Host Name and Connection Type

5) Go to Connection > SSH > Auth. Click Browse to download the private key file to PuTTY. Click Open to start the connection and negotiation.

Figure 3-14 Download the Private Key to PuTTY

6) After negotiation is completed, enter the username to log in. If you can log in without entering the password, the key authentication completed successfully.

Figure 3-15 Log In to the Switch

Note:

The first time you log in, change the password to better protect your network and devices.

3.4 Disable Telnet login

You can shut down the Telnet function to block any Telnet access to the CLI interface.

■ Using the GUI:

Go to SECURITY > Access Security > Telnet Config, disable the Telnet function and click Apply.

Figure 3-16 Disable Telnet login

■ Using the CLI:

Switch#configure

Switch(config)#telnet disable

3.5 Disable SSH login

You can shut down the SSH server to block any SSH access to the CLI interface.

■ Using the GUI:

Go to SECURITY > Access Security > SSH Config, disable the SSH server and click Apply.

Figure 3-17 Shut down SSH server

■ Using the CLI:

Switch#configure

Switch(config)#no ip ssh server

3.6 Copy running-config startup-config

The switch's configuration files fall into two types: the running configuration file and the start-up configuration file.

After you enter each command line, the modifications will be saved in the running configuration file. The configurations will be lost when the switch reboots.

If you need to keep the configurations after the switch reboots, please use the command copy running-config startup-config to save the configurations in the start-up configuration file.

Switch(config)#end

Switch#copy running-config startup-config

3.7 Change the Switch's IP Address and Default Gateway

If you want to access the switch via a specified port (hereafter referred to as the access port), you can configure the port as a routed port and specify its IP address, or configure the IP address of the VLAN which the access port belongs to.

■ Change the IP Address

By default, all the ports belong to VLAN 1 with the VLAN interface IP 192.168.0.1/24. In the following example, we will show how to replace the switch's default access IP address 192.168.0.1/24 with 192.168.0.10/24.

Switch#configure

Switch(config)#interface vlan 1

Switch(config-if)#ip address 192.168.0.10 255.255.255.0

The connection will be interrupted and you should telnet to the switch's new IP address 192.168.0.10.

C:\Users\Administrator>telnet 192.168.0.10

User:admin

Password:tplink

Switch>enable

Switch#copy running-config startup-config

■ Configure the Default Gateway

In the following example, we will show how to configure the switch's gateway as 192.168.0.100. By default, the switch has no default gateway.

Switch#configure

Switch(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.100 1

Switch(config)#end

Switch#copy running-config startup-config

Part 2

Managing System

CHAPTERS

1. System
2. System Info Configurations
3. User Management Configurations
4. System Tools Configurations
5. EEE Configuration
6. PoE Configurations (Only for Certain Devices)
7. SDM Template Configuration
8. Time Range Configuration
9. Controller Settings (Only for Certain Devices)
10. Example for PoE Configurations
11. Appendix: Default Parameters

1 System

1.1 Overview

In System module, you can view the system information and configure the system parameters and features of the switch.

1.2 Supported Features

System Info

You can view the switch's port status and system information, and configure the device description, system time, and daylight saving time.

User Management

You can manage the user accounts for login to the switch. There are multiple user types which have different access levels, and you can create different user accounts according to your need.

System Tools

You can configure the boot file of the switch, backup and restore the configurations, update the firmware, reset the switch, and reboot the switch.

EEE

EEE (Energy Efficient Ethernet) is used to save power consumption of the switch during periods of low data activity. You can simply enable this feature on ports to allow power reduction.

PoE

Note:

PoE configuration is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If PoE configuration is available, there is SYSTEM > PoE in the menu structure.

Power over Ethernet (PoE) is a remote power supply function. With this function, the switch can supply power to the connected devices over twisted-pair cable.

Some devices such as IP phones, access points (APs) and cameras may be located far away from the AC power source in actual use. PoE can provide power for these devices without requiring to deploy power cables. This allows a single cable to provide both data connection and electric power to devices.

IEEE 802.3af and 802.3at are both PoE standards. The standard process of PoE power supply contains powered-device discovery, power administration, disconnect detection and optional power-device power classification.

PSE

Power sourcing equipment (PSE) is a device that provides power for PDs on the Ethernet, for example, the PoE switch. PSE can detect the PDs and determine the device power requirements.

PD

Powered device (PD) is a device receiving power from the PSE, for example, IP phones and access points. According to whether PDs comply with IEEE standard, they can be classified into standard PDs and non-standard PDs. Only standard PDs can be powered via TP-Link PoE switches.

SDM Template

SDM (Switch Database Management) Template is used to prioritize hardware resources for certain features. The switch provides three templates which allocate different hardware resources for different usage, and you can choose one according to your need.

Time Range

With this feature, you can configure a time range. You can use the time range when you configure other features like ACL.

Controller Settings

Note:

Controller Settings is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If Controller Settings is available, there is SYSTEM >Controller Settings in the menu structure.

With this feature, you can configure your switch to be discovered by Omada SDN Controller on this page, then it can be managed centrally via Omada SDN Controller.

2 System Info Configurations

With system information configurations, you can:

■ View the System Summary
■ Configure the Device Description
■ Configure the System Time
■ Configure the Daylight Saving Time
■ Configuring LED (Only for Certain Devices)

2.1 Using the GUI

2.1.1 Viewing the System Summary

Choose the menu SYSTEM > System Info > System Summary to load the System Summary page. You can view the port status and system information of the switch.

Viewing the Port Status

In the Port Status section, you can view the status and bandwidth utilization of each port.

Figure 2-1 Viewing the System Summary

The following table introduces the meaning of each port status:

Indicates the SFP port is transmitting and receiving data, but not at the highest speed.

You can move your cursor to a port to view the detailed information of the port.

Figure 2-2 Port Information

Port Information Indication

Port Displays the port number.

Type Displays the type of the port.

Speed Displays the maximum transmission rate and duplex mode of the port.

Status Displays the connection status of the port.

You can click a port to view the bandwidth utilization on this port.

Figure 2-3 Bnadwidth Utilization

RX Displays the bandwidth utilization of receiving packets on this port.

TX Displays the bandwidth utilization of sending packets on this port.

Viewing the System Information

In the System Info section, you can view the system information of the switch.

Figure 2-4 System Information

System Description Displays the system description of the switch.

Device Name Displays the name of the switch. You can edit it on the Device Description page.

2.1.2 Configuring the Device Description

Choose the menu SYSTEM > System Info > Device Description to load the following page.

Figure 2-5 Configuring the Device Description

1) In the Device Description section, configure the following parameters.

Device Name Specify a name for the switch.

Device Location Enter the location of the switch.

System Contact Enter the contact information.

2) Click Apply.

2.1.3 Configuring the System Time

Choose the menu SYSTEM > System Info > System Time to load the following page.

Figure 2-6 Configuring the System Time

In the Time Info section, you can view the current time information of the switch.

In the Time Config section, follow these steps to configure the system time:

1) Choose one method to set the system time and specify the related parameters.

2) Click Apply.

2.1.4 Configuring the Daylight Saving Time

Choose the menu SYSTEM > System Info > Daylight Saving Time to load the following page.

Figure 2-7 Configuring the Daylight Saving Time

Follow these steps to configure Daylight Saving Time:

1) In the DST Config section, enable the Daylight Saving Time function.

2) Choose one method to set the Daylight Saving Time and specify the related parameters.

3) Click Apply.

2.1.5 Configuring LED (Only for Certain Devices)

Note:

Configuring LED is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If configuring LED is available, there is SYSTEM > LED On/Off in the menu structure.

Choose the menu System > LED On/Off to load the following page. Choose the LED status and click Apply.

Figure 2-8 Configuring LED On/Off

2.2 Using the CLI

2.2.1 Viewing the System Summary

On privileged EXEC mode or any other configuration mode, you can use the following commands to view the system information of the switch:

show interface status [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port ]

View status of the interface.

port: Enter the number of the Ethernet port.

show system-info

View the system information including System Description, Device Name, Device Location, System Contact, Hardware Version, Firmware Version, System Time, Run Time and so on.

The following example shows how to view the interface status and the system information of the switch.

Switch#show interface status

...

Switch#show system-info

System Description - JetStream 48-Port Gigabit Smart Switch with 4 SFP Slots

System Name - T1600G-52TS

System Location - SHENZHEN

Contact Information - www.tp-link.com

Hardware Version - T1600G-52TS 3.0

Software Version - 3.0.0 Build 20171129 Rel.38400(s)

Bootloader Version - TP-LINK BOOTUTIL(v1.0.0)

Mac Address - 00-0A-EB-13-23-A0

Serial Number -

System Time - 2017-12-12 10:10:37

Running Time - 1 day - 2 hour - 11 min - 30 sec

2.2.2 Configuring the Device Description

Follow these steps to configure the device description:

Step 1 configure

Enter global configuration mode.

Step 2 hostname [ hostname ]

Specify the system name of the switch.

hostname: Enter the device name. The length of the name ranges from 1 to 32 characters. By default, it is the model name of the switch.

Step 3 location [ location ]

Specify the system location of the switch.

location: Enter the device location. It should consist of no more than 32 characters. By default, it is "SHENZHEN".

Step 4 contact-info [ contact-info ]

Specify the system contact Information.

contact-info: Enter the contact information. It should consist of no more than 32 characters. By default, it is "www.tp-link.com".

Step 5 show system-info

Verify the system information including system Description, Device Name, Device Location, System Contact, Hardware Version, Firmware Version, System Time, Run Time and so on.

Step 6 end

Return to privileged EXEC mode.

Step 7 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to set the device name as Switch_A, set the location as BEIJING and set the contact information as https://www.tp-link.com.

Switch#configure

Switch(config)#hostname Switch_A

Switch(config)#location BEIJING

Switch(config)#contact-info https://www.tp-link.com

Switch(config)#show system-info

System Description - JetStream 24-Port Gigabit Smart Switch with 4 SFP Slots

System Name - Switch_A

System Location - BEIJING

Contact Information - https://www.tp-link.com

...

Switch(config)#end

Switch#copy running-config startup-config

2.2.3 Configuring the System Time

Follow these steps to configure the system time:

Note:

The mode of Synchronize with PC's Clock does not support CLI command.

Step 1 configure

Enter global configuration mode.

Step 2 Use the following command to set the system time manually:

system-time manual time

Configure the system time manually.

time: Specify the date and time manually in the format of MM/DD/YYYY-HH:MM:SS. The valid value of the year ranges from 2000 to 2037.

Use the following command to set the system time by getting time from the NTP server. Ensure the NTP server is accessible. If the NTP server is on the internet, connect the switch to the internet first.

system-time ntp { timezone } { ntp-server } { backup-ntp-server } { fetching-rate }

timezone: Enter your local time-zone, which ranges from UTC-12:00 to UTC+13:00.

The detailed information of each time-zone are displayed as follows:

UTC-12:00 — TimeZone for International Date Line West.

UTC-11:00 — TimeZone for Coordinated Universal Time-11.

UTC-10:00 — TimeZone for Hawaii.

UTC-09:00 — TimeZone for Alaska.

UTC-08:00 — TimeZone for Pacific Time (US Canada).

UTC-07:00 — TimeZone for Mountain Time (US Canada).

UTC-06:00 — TimeZone for Central Time (US Canada).

UTC-05:00 — TimeZone for Eastern Time (US Canada).

UTC-04:30 —— TimeZone for Caracas.

UTC-04:00 — TimeZone for Atlantic Time (Canada).

UTC-03:30 — TimeZone for Newfoundland.

UTC-03:00 — TimeZone for Buenos Aires, Salvador, Brasilia.

UTC-02:00 — TimeZone for Mid-Atlantic.

UTC-01:00 — TimeZone for Azores, Cape Verde Is.

UTC — TimeZone for Dublin, Edinburgh, Lisbon, London.

UTC+01:00 —— TimeZone for Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

UTC+02:00 —— TimeZone for Cairo, Athens, Bucharest, Amman, Beirut, Jerusalem.

UTC+03:00 — TimeZone for Kuwait, Riyadh, Baghdad.

UTC+03:30 — TimeZone for Tehran.

UTC+04:00 —— TimeZone for Moscow, St.Petersburg, Volgograd, Tbilisi, Port Louis.

UTC+04:30 — TimeZone for Kabul.

UTC+05:00 — TimeZone for Islamabad, Karachi, Tashkent.

UTC+05:30 — TimeZone for Chennai, Kolkata, Mumbai, New Delhi.

UTC+05:45 —— TimeZone for Kathmandu.

UTC+06:00 — TimeZone for Dhaka, Astana, Ekaterinburg.

UTC+06:30 — TimeZone for Yangon (Rangoon).

UTC+07:00 — TimeZone for Novosibrisk, Bangkok, Hanoi, Jakarta.

UTC+08:00 —— TimeZone for Beijing, Chongqing, Hong Kong, Urumqi, Singapore.

UTC+09:00 —— TimeZone for Seoul, Irkutsk, Osaka, Sapporo, Tokyo.

UTC+09:30 — TimeZone for Darwin, Adelaide.

UTC+10:00 —— TimeZone for Canberra, Melbourne, Sydney, Brisbane.

UTC+11:00 —— TimeZone for Solomon Is., New Caledonia, Vladivostok.

UTC+12:00 —— TimeZone for Fiji, Magadan, Auckland, Wellington.

UTC+13:00 — TimeZone for Nuku'alofa, Samoa.

ntp-server: Specify the IP address of the primary NTP server.

backup-ntp-server: Specify the IP address of the backup NTP server.

fetching-rate: Specify the interval fetching time from the NTP server.

Step 3 Use the following command to verify the system time information.

show system-time

Verify the system time information.

Use the following command to verify the NTP mode configuration information.

show system-time ntp

Verify the system time information of NTP mode.

Step 4 end

Return to privileged EXEC mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to set the system time by Get Time from NTP Server and set the time zone as UTC+08:00, set the NTP server as 133.100.9.2, set the backup NTP server as 139.78.100.163 and set the update rate as 11.

Switch#configure

Switch(config)#system-time ntp UTC+08:00 133.100.9.2 139.78.100.163 11

Switch(config)#show system-time ntp

Backup NTP server: 139.78.100.163

Last successful NTP server: 133.100.9.2

Update Rate: 11 hour(s)

Switch(config)#end

Switch#copy running-config startup-config

2.2.4 Configuring the Daylight Saving Time

Follow these steps to configure the Daylight Saving Time:

Step 1 configure

Enter global configuration mode.

Step 2 Use the following command to select a predefined Daylight Saving Time configuration:

system-time dst predefined [USA | Australia | Europe | New-Zealand]

Specify the Daylight Saving Time using a predefined schedule.

USA | Australia | Europe | New-Zealand: Select one mode of Daylight Saving Time.

USA: 02:00 a.m. on the Second Sunday in March \~ 02:00 a.m. on the First Sunday in November.

Australia: 02:00 a.m. on the First Sunday in October \~ 03:00 a.m. on the First Sunday in April.

Europe: 01:00 a.m. on the Last Sunday in March \~ 01:00 a.m. on the Last Sunday in October.

New Zealand: 02:00 a.m. on the Last Sunday in September \~ 03:00 a.m. on the First Sunday in April.

Use the following command to set the Daylight Saving Time in recurring mode:

system-time dst recurring {sweek}{sday}{smonth}{stime}{eweek}{eday}{emonth}{etime}[offset]

Specify the Daylight Saving Time in Recuring mode.

sweek: Enter the start week of Daylight Saving Time. There are 5 values showing as follows: first, second, third, fourth, last.

sday. Enter the start day of Daylight Saving Time. There are 7 values showing as follows: Sun, Mon, Tue, Wed, Thu, Fri, Sat.

smonth: Enter the start month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.

stime: Enter the start time of Daylight Saving Time, in the format of HH:MM.

eweek: Enter the end week of Daylight Saving Time. There are 5 values showing as follows: first, second, third, fourth, last.

eday. Enter the end day of Daylight Saving Time. There are 7 values showing as follows: Sun, Mon, Tue, Wed, Thu, Fri, Sat.

emonth: Enter the end month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.

etime: Enter the end time of Daylight Saving Time, in the format of HH:MM.

offset: Enter the offset of Daylight Saving Time. The default value is 60.

Use the following command to set the Daylight Saving Time in date mode:

system-time dst date {smonth } {sday } {stime } {syear } {emonth } {eday } {etime } {eyear } [ offset]

Specify the Daylight Saving Time in Date mode.

smonth: Enter the start month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.

sday: Enter the start day of Daylight Saving Time, which ranges from 1 to 31.

stime: Enter the start time of Daylight Saving Time, in the format of HH:MM.

syear: Enter the start year of Daylight Saving Time.

emonth: Enter the end month of Daylight Saving Time. There are 12 values showing as follows: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.

eday: Enter the end day of Daylight Saving Time, which ranges from 1 to 31.

etime: Enter the end time of Daylight Saving Time, in the format of HH:MM.

eyear: Enter the end year of Daylight Saving Time.

offset: Enter the offset of Daylight Saving Time. The default value is 60.

Step 3 show system-time dst

Verify the DST information of the switch.

Step 4 end

Return to privileged EXEC mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to set the Daylight Saving Time by Date Mode. Set the start time as 01:00 August 1st, 2017, set the end time as 01:00 September 1st, 2017 and set the offset as 50.

Switch#configure

Switch(config)#system-time dst date Aug 1 01:00 2017 Sep 1 01:00 2017 50

Switch(config)#show system-time dst

DST starts at 01:00:00 on Aug 1 2017

DST ends at 01:00:00 on Sep 1 2017

DST offset is 50 minutes

DST configuration is one-off

Switch(config)#end

Switch#copy running-config startup-config

2.2.5 Configuring LED (Only for Certain Devices)

Note:

LED configuration is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If LED configuration is available, there is SYSTEM > LED On/Off in the menu structure.

Follow these steps to configure the LED status:

Step 1 configure

Enter global configuration mode.

Step 2 led {on | off}

Configure the LED status. By default, the LEDs are on.

on | off: Turn on or turn off the LEDs.

3 User Management Configurations

With User Management, you can create and manage the user accounts for login to the switch.

3.1 Using the GUI

There are four types of user accounts with different access levels: Admin, Operator, Power User and User.

■ There is a default Admin account which cannot be deleted. The default username and password of this account are both admin. You can also create more Admin accounts.

If you create Operator, Power User or User accounts, you need go to the AAA section to create an Enable Password. If needed, these types of users can use the Enable Password to change their access level to Admin.

3.1.1 Creating Accounts

Choose the menu SYSTEM > User Management > User Config to load the following page.

Figure 3-1 User Config Page

By default, there is a default Admin account in the table. You can click to edit this Admin account but you cannot delete it.

You can create new user accounts. Click and the following window will pop up.

Figure 3-2 Adding Account

Follow these steps to create a new user account.

1) Configure the following parameters:

Username Specify a username for the account. It contains 16 characters at most, composed of digits, English letters and symbols. No spaces, question marks and double quotation marks are allowed.

Access Level Select the access level. There are four options provided:

Admin: Admin can edit, modify and view all the settings of different functions.

Operator: Operator can edit, modify and view most of the settings of different functions.

Power User: Power User can edit, modify and view some of the settings of different functions.

User: User can only view the settings without the right to edit or modify.

Password Specify a password for the account. It contains 6–31 alphanumeric characters (case-sensitive) and symbols. No spaces are allowed.

Confirm Retype the password. Password

2) Click Create.

3.1.2 Configuring Enable Password

Choose the menu SECURITY > AAA > Global Config to load the following page.

Figure 3-3 Configure Enable Password

Follow these steps to configure Enable Password:

1) Select Set Password and specify the enable password in the Password field. It should be a string with 31 characters at most, which can contain only English letters (case-sensitive), digits and 17 kinds of special characters. The special characters are !\$%'()*,-./[]_{!}.

2) Click Apply.

Tips:

The logged-in users can enter the Enable Password on this page to get the administrative privileges.

3.2 Using the CLI

There are four types of user accounts with different access levels: Admin, Operator, Power User and User.

■ There is a default Admin account which cannot be deleted. The default username and password of this account are both admin. You can also create more Admin accounts.
If you create Operator, Power User or User accounts, you need go to the AAA section to create an Enable Password. If needed, these types of users can use the Enable Password to change their access level to Admin.

3.2.1 Creating Accounts

Follow these steps to create an account:

Step 1 configure

Enter global configuration mode.

Step 2 Use the following command to create an account unencrypted or symmetric encrypted.

user name name { privilege admin | operator | power_user | user } password { [0] password | 7 encrypted-password }

name: Enter a user name for users' login. It contains 16 characters at most, composed of digits, English letters and symbols. No spaces, question marks and double quotation marks are allowed.

admin | operator | power_user | user: Specify the access level for the user. Admin can edit, modify and view all the settings of different functions. Operator can edit, modify and view mostly the settings of different functions. Power User can edit, modify and view some of the settings of different functions. User can only view the settings without the right to edit and modify.

0: Specify the encryption type. 0 indicates that the password you entered is unencrypted, and the password is saved to the configuration file unencrypted. By default, the encryption type is 0.

password: Enter a password for users' login. It contains 6–31 alphanumeric characters (case-sensitive) and symbols. No spaces are allowed.

7: Specify the encryption type. 7 indicates that the password you entered is symmetric encrypted, and the password is saved to the configuration file symmetric encrypted.

encrypted-password: Enter a symmetric encrypted password with fixed length, which you can copy from another switch's configuration file. After the encrypted password is configured, you should use the corresponding unencrypted password to reenter this mode.

Use the following command to create an account MD5 encrypted.

user name name { privilege admin | operator | power_user | user } secret { [0] password | 5 encrypted-password }

Create an account whose access level is Admin.

name: Enter a user name for users' login. It contains 16 characters at most, composed of digits, English letters and symbols. No spaces, question marks and double quotation marks are allowed.

admin | operator | power_user | user: Specify the access level for the user. Admin can edit, modify and view all the settings of different functions. Operator can edit, modify and view mostly the settings of different functions. Power User can edit, modify and view some of the settings of different functions. User can only view the settings without the right to edit and modify.

0: Specify the encryption type. 0 indicates that the password you entered is unencrypted, but the password is saved to the configuration file MD5 encrypted. By default, the encryption type is 0.

password: Enter a password for users' login. It contains 6–31 alphanumeric characters (case-sensitive) and symbols. No spaces are allowed.

5: Specify the encryption type. 5 indicates that the password you entered is MD5 encrypted, and the password is saved to the configuration file MD5 encrypted.

encrypted-password: Enter a MD5 encrypted password with fixed length, which you can copy from another switch's configuration file.

Step 3 show user account-list

Verify the information of the current users.

Step 4 end

Return to privileged EXEC mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

3.2.2 Configuring Enable Password

Follow these steps to create an account of other type:

Step 1 configure

Enter global configuration mode.

Step 2 Use the following command to create an enable password unencrypted or symmetric encrypted.

enable admin password { [0]password | 7 encrypted-password }

Create an Enable Password. It can change the users' access level to Admin. By default, it is empty.

0: Specify the encryption type. 0 indicates that the password you entered is unencrypted, and the password is saved to the configuration file unencrypted. By default, the encryption type is 0.

password: Enter an enable password. It is a string with 31 characters at most, which can contain only English letters (case-sensitive), digits and 17 kinds of special characters. The special characters are !\$%{}*,-./[]_{}.

7: Specify the encryption type. 7 indicates that the password you entered is symmetric encrypted, and the password is saved to the configuration file symmetric encrypted.

encrypted-password: Enter a symmetric encrypted password with fixed length, which you can copy from another switch's configuration file. After the encrypted password is configured, you should use the corresponding unencrypted password to reenter this mode.

Use the following command to create an enable password unencrypted or MD5 encrypted.

enable admin secret { [0] password | 5 encrypted-password }

Create an Enable Password. It can change the users' access level to Admin. By default, it is empty.

0: Specify the encryption type. 0 indicates that the password you entered is unencrypted, but the password is saved to the configuration file MD5 encrypted. By default, the encryption type is 0.

password: Enter an enable password. It is a string with 31 characters at most, which can contain only English letters (case-sensitive), digits and 17 kinds of special characters. The special characters are !\$%{}*,-./[]_{}.

5: Specify the encryption type. 5 indicates that the password you entered is MD5 encrypted, and the password is saved to the configuration file MD5 encrypted.

encrypted-password: Enter a MD5 encrypted password with fixed length, which you can copy from another switch's configuration file. After the encrypted password is configured, you should use the corresponding unencrypted password to reenter this mode.

Step 3 show user account-list

Verify the information of the current users.

Step 4 end

Return to privileged EXEC mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

Tips:

The logged-in users can enter the enable-admin command and the Enable Password to get the administrative privileges.

The following example shows how to create a uesr with the access level of Operator, set the username as user1 and password as 123, and set the enable password as abc123.

Switch#configure

Switch(config)#user name user1 privilege operator password 123

Switch(config)#enable admin password abc123

Switch(config)#show user account-list

Switch(config)#end

Switch#copy running-config startup-config

4 System Tools Configurations

With System Tools, you can:

■ Configure the boot file
■ Restore the configuration of the switch
■ Back up the configuration file
■ Upgrade the firmware
■ Configure DHCP Auto Install
■ Reboot the switch
■ Reset the switch

4.1 Using the GUI

4.1.1 Configuring the Boot File

Choose the menu SYSTEM > System Tools > Boot Config to load the following page.

Figure 4-1 Configuring the Boot File

Follow these steps to configure the boot file:

1) In the Boot Table section, select one or more units and configure the relevant parameters.

2) Click Apply.

In the Image Table, you can view the information of the current startup image, next startup image and backup image. The displayed information is as follows:

4.1.2 Restoring the Configuration of the Switch

Choose the menu SYSTEM > System Tools > Restore Config to load the following page.

Figure 4-2 Restoring the Configuration of the Switch

Follow these steps to restore the current configuration of the switch:

1) In the Restore Config section, select the unit to be restored.
2) Click Browse and select the desired configuration file to be imported.
3) Choose whether to reboot the switch after restoring is completed. Only after the switch is rebooted will the imported configuration take effect.
4) Click Import to import the configuration file.

Note:

It will take some time to restore the configuration. Please wait without any operation.

4.1.3 Backing up the Configuration File

Choose the menu SYSTEM > System Tools > Backup Config to load the following page.

Figure 4-3 Backing up the Configuration File

In the Config Backup section, select one unit and click Export to export the configuration file.

Note:

It will take some time to export the configuration. Please wait without any operation.

4.1.4 Upgrading the Firmware

Choose the menu SYSTEM > System Tools > Firmware Upgrade to load the following page.

Figure 4-4 Upgrading the Firmware

You can view the current firmware information on this page:

Firmware Version Displays the current firmware version of the system.

Hardware Version Displays the current hardware version of the system.

Image Name Displays the image to upgrade. The operation will only affect the image displayed here.

Follow these steps to upgrade the firmware of the switch:

1) Click Browse and select the proper firmware upgrade file.

2) Choose whether to reboot the switch after upgrading is completed. Only after the switch is rebooted will the new firmware take effect.

3) Click Upgrade to upgrade the system.

Note:

• It will take some time to upgrade the switch. Please wait without any operation.
• It is recommended to backup your configuration before upgrading.

4.1.5 Configuring DHCP Auto Install (Only for Certain Devices)

Note:

DHCP Auto Install is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If DHCP Auto Install is available, there is SYSTEM > System Tools > DHCP Auto Install in the menu structure.

This feature is used to download configuration files and images from the TFTP server automatically. It requires a TFTP server and a DHCP server that supports option 67, 125 and 150 on your network. When Auto Install function starts, the switch tries to get

configuration file name, image file path and TFTP server IP address from the DHCP server, and then downloads the new image and configuration file form the TFTP server.

Choose the menu SYSTEM > System Tools > DHCP Auto Install to load the following page.

Figure 4-5 Configuring DHCP Auto Install

Configure the following parameters and click Apply:

For configuration example and detailed instructions, refer to FAQ.

Note:

• The switch will obtain a new IP address from the DHCP server during the process of Auto Install. If you want to access to the switch, you should check the new IP address on the DHCP server.
• If the Auto Install process fails, the switch will restart the process every 10 minutes. You can stop the process manually.

4.1.6 Rebooting the switch

There are two methods to reboot the switch: manually reboot the switch and configure reboot schedule to automatically reboot the switch.

Manually Rebooting the Switch

Choose the menu SYSTEM > System Tools > System Reboot > System Reboot to load the following page.

Figure 4-6 Manually Rebooting the Switch

Follow these steps to reboot the switch:

1) In the System Reboot section, select the desired unit.
2) Choose whether to save the current configuration before reboot.
3) Click Reboot.

Configuring Reboot Schedule

Choose the menu SYSTEM > System Tools > System Reboot > Reboot Schedule to load the following page.

Figure 4-7 Configuring the Reboot Schedule

Follow these steps to configure the reboot schedule:

1) Enable Reboot Schedule, and select one time schedule for the switch to reboot.

Time Interval

Specify a period of time. The switch will reboot after this period. Valid values are from 1 to 43200 minutes.

To make this schedule recur, you need to click save current configuration or enable the option Save the current configuration before reboot.

Special Time Specify the date and time for the switch to reboot.

Month/Day/Year: Specify the date for the switch to reboot.

Time (HH:MM): Specify the time for the switch to reboot, in the format of HH:MM.

2) Choose whether to save the current configuration before the reboot.
3) Click Apply.

Tips:

To delete the reboot schedule configurations, you can click Delete and the configurations will be empty.

4.1.7 Reseting the Switch

Choose the menu SYSTEM > System Tools > System Reset to load the following page.

Figure 4-8 Reseting the Switch

Follow these steps to reset the switch:

1) In the System Reset section, select the desired unit.
2) Choose whether to maintain the IP address of selected unit when resetting.
3) Click Reset.

After reset, all configurations of the switch will be reset to the factory defaults.

4.2 Using the CLI

4.2.1 Configuring the Boot File

Follow these steps to configure the boot file:

Step 1 configure

Enter global configuration mode.

The following example shows how to set the next startup image as image1, the backup image as image2, the next startup configuration file as config1 and the backup configuration file as config2.

Switch#configure

Switch(config)#boot application filename image1 startup

Switch(config)#boot application filename image2 backup

Switch(config)#boot config filename config1 startup

Switch(config)#boot config filename config2 backup

Switch(config)#show boot

Boot config:

Current Startup Image - image2.bin

Next Startup Image - image1.bin

Backup Image - image2.bin

Current Startup Config - config2.cfg

Next Startup Config - config1.cfg

Backup Config - config2.cfg

Switch(config)#end

Switch#copy running-config startup-config

4.2.2 Restoring the Configuration of the Switch

Follow these steps to restore the configuration of the switch:

Step 1 enable

Enter privileged mode.

Step 2 copy tftp startup-config ip-address

ip-addr filename name

Download the configuration file to the switch from TFTP server.

ip-addr: Specify the IP address of the TFTP server. Both IPv4 and IPv6 addresses are supported.

name: Specify the name of the configuration file to be downloaded.

Note:

It will take some time to restore the configuration. Please wait without any operation.

The following example shows how to restore the configuration file named file1 from the TFTP server with IP address 192.168.0.100.

Switch>enable

Switch#copy tftp startup-config ip-address 192.168.0.100 filename file1

Start to load user config file...

Operation OK! Now rebooting system...

4.2.3 Backing up the Configuration File

Follow these steps to back up the current configuration of the switch in a file:

Step 1 enable

Enter privileged mode.

Step 2 copy startup-config tftp ip-address

ip-addr filename name

Back up the configuration file to TFTP server.

ip-addr: Specify the IP address of the TFTP server. Both IPv4 and IPv6 addresses are supported.

name: Specify the name of the configuration file to be saved.

The following example shows how to backup the configuration file named file2 to TFTP server with IP address 192.168.0.100.

Switch>enable

Switch#copy startup-config tftp ip-address 192.168.0.100 filename file2

Start to backup user config file...

Backup user config file OK.

4.2.4 Upgrading the Firmware

Follow these steps to upgrade the firmware:

Step 1 enable

Enter privileged mode.

Step 2 firmware upgrade tftp ip-address

ip-addr filename name

Upgrade the switch's backup image via TFTP server. To boot up with the new firmware, you need to choose to reboot the switch with the backup image.

ip-addr: Specify the IP address of the TFTP server. Both IPv4 and IPv6 addresses are supported.

name: Specify the name of the desired firmware file.

Step 3 Enter Y to continue and then enter Y to reboot the switch with the backup image.

The following example shows how to upgrade the firmware using the configuration file named file3.bin. The TFTP server is 190.168.0.100.

Switch>enable

Switch#firmware upgrade tftp ip-address 192.168.0.100 filename file3.bin

It will only upgrade the backup image. Continue? (Y/N):Y

Operation OK!

Reboot with the backup image? (Y/N): Y

4.2.5 Configuring DHCP Auto Install (Only for Certain Devices)

Note:

DHCP Auto Install is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If DHCP Auto Install is available, there is SYSTEM > System Tools > DHCP Auto Install in the menu structure.

This feature is used to download configuration files and images from the TFTP server automatically. It requires a TFTP server and a DHCP server that supports option 67, 125 and 150 on your network. When Auto Install function starts, the switch tries to get

configuration file name, image file path and TFTP server IP address from the DHCP server, and then downloads the new image and configuration file form the TFTP server.

Follow these steps to configure the DHCP Auto Install.

Step 1 configure

Enter global configuration mode.

Step 2 boot autoinstall persistent-mode

Enable the auto install persistent mode. After saving configuration, the switch will start the Auto Install function automatically during next reboot process.

Step 3 boot autoinstall auto-save

Enable the auto save mode and the switch will save the configuration file downloaded as startup configuration file automatically.

Step 4 boot autoinstall auto-reboot

Enable the auto reboot mode and the switch will reboot automatically after the auto install process is completed successfully.

Step 5 boot autoinstall retry-count

count

Specify the auto install retry count which ranges from 1 to 3. The default value is 1.

Step 6 boot autoinstall start

Start the Auto Install process and the switch will download the configuration file and the backup image automatically.

Step 7 end

Return to privileged EXEC mode.

Step 8 copy running-config startup-config

Save the settings in the configuration file.

Note:

• The switch will obtain a new IP address from the DHCP server during the process of Auto Install. If you want to access to the switch, you should check the new IP address on the DHCP server.
• If the Auto Install process fails, the switch will restart the process every 10 minutes. You can stop the process manually.

The following example shows how to configure the Auto Install function.

Switch#configure

Switch(config)#boot autoinstall persistent-mode

Switch(config)#boot autoinstall auto-save

Switch(config)#boot autoinstall auto-reboot

Switch(config)#boot autoinstall retry-count 2

Switch(config)#show boot autoinstall

Auto Insatll Mode......Stop

Auto Insatll Persistent Mode......Enabled

Auto Save Mode......Enabled

Auto Reboot Mode......Enabled

Auto Insatll Retry Count......2

Auto Insatll sate......Stopped

4.2.6 Rebooting the Switch

Manually Rebooting the Switch

Follow these steps to reboot the switch:

Step 1 enable

Enter privileged mode.

Step 2 reboot

Reboot the switch.

Configuring Reboot Schedule

Follow these steps to configure the reboot schedule:

Step 1 configure

Enter global configuration mode.

Step 2 Use the following command to set the interval of reboot:

reboot-schedule in interval [ save_before_reboot ]

(Optional) Specify the reboot schedule.

interval: Specify a period of time. The switch will reboot after this period. The valid values are from 1 to 43200 minutes.

save_before_reboot: Save the configuration file before the switch reboots. To make this schedule recur, you can add this part to the command.

Use the following command to set the special time of reboot:

reboot-schedule at time [date] [save_before_reboot]

(Optional) Specify the reboot schedule.

time: Specify the time for the switch to reboot, in the format of HH:MM.

date: Specify the date for the switch to reboot, in the format of DD/MM/YYYY. The date should be within 30 days.

save_before_reboot: Save the configuration file before the switch reboots.

If no date is specified, the switch will reboot according to the time you have set. If the time you set is later than the time that this command is executed, the switch will reboot later the same day; otherwise the switch will reboot the next day.

Step 3 end

Return to privileged EXEC mode.

Step 4 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to set the switch to reboot at 12:00 on 15/08/2017.

Switch#configure

Switch(config)#reboot-schedule at 12:00 15/08/2017 save_before_reboot

Reboot system at 15/08/2017 12:00. Continue? (Y/N): Y

Reboot Schedule Settings

Reboot schedule at 2017-08-15 12:00 (in 25582 minutes)

Save before reboot: Yes

Switch(config)#end

Switch#copy running-config startup-config

4.2.7 Reseting the Switch

Follow these steps to reset the switch:

Step 1 enable

Enter privileged mode.

Step 2 reset [except-ip]

Reset the switch, and all configurations of the switch will be reset to the factory defaults.

except-ip: To maintain the IP address when resetting the switch, add this part to the command.

Follow these steps to disable the reset function of console port or reset button:

Step 1 configure

Enter global configuration mode.

Step 2 service reset-disable

Disable the reset function of console port or reset button. By default, the reset function is enabled.

Note: use the no service reset-disable command to enable the reset function of console port.

5 EEE Configuration

Choose the menu SYSTEM > EEE to load the following page.

Figure 5-1 Configuring EEE

Follow these steps to configure EEE:

1) In the EEE Config section, select one or more ports to be configured.
2) Enable or disable EEE on the selected port(s).
3) Click Apply.

5.1 Using the CLI

Follow these steps to configure EEE:

Step 1 configure

Enter global configuration mode.

Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list } Enter interface configuration mode.

Step 3 eee

Enable EEE on the port.

Step 4 end

Return to privileged EXEC mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable the EEE feature on port 1/0/1.

Switch#config

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#eee

Switch(config-if)#show interface eee

Port EEE status

Gi1/0/1 Enable

Gi1/0/2 Disable

...

Switch(config-if)#end

Switch#copy running-config startup-config

6 PoE Configurations (Only for Certain Devices)

Note:

PoE configuration is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If PoE configuration is available, there is SYSTEM > PoE in the menu structure.

With the PoE feature, you can:

■ Configure the PoE parameters manually
■ Configure the PoE parameters using the profile

You can configure the PoE parameters one by one via configuring the PoE parameters manually. You can also set a profile with the desired parameters and bind the profile to the corresponding ports to quickly configure the PoE parameters.

6.1 Using the GUI

6.1.1 Configuring the PoE Parameters Manually

Choose the menu SYSTEM > PoE > PoE Config to load the following page.

Figure 6-1 Configuring PoE Parameters Manually

Follow these steps to configure the basic PoE parameters:

1) In the PoE Config section, you can view the current PoE parameters.

In addition, you can click and configure the System Power Limit. Click Apply.

Figure 6-2 Configuring System Power Limit

Unit Displays the unit number.

System Power Limit Specify the maximum power the PoE switch can supply.

2) In the Port Config section, select the port you want to configure and specify the parameters. Click Apply.

6.1.2 Configuring the PoE Parameters Using the Profile

■ Creating a PoE Profile

Choose the menu SYSTEM > PoE > PoE Profile and click + Add to load the following page.

Figure 6-3 Creating a PoE Profile

Follow these steps to create a PoE profile:

1) In the Create PoE Profile section, specify the desired configurations of the profile.

2) Click Create.

■ Binding the Profile to the Corresponding Ports

Choose the menu SYSTEM > PoE > PoE Config to load the following page.

Figure 6-4 Binding the Profile to the Corresponding Ports

Follow these steps to bind the profile to the corresponding ports:

1) In the PoE Config section, you can view the current PoE parameters.

In addition, you can click and configure the System Power Limit. Click Apply.

Figure 6-5 Configuring System Power Limit

Unit Displays the unit number.

System Power Limit Specify the maximum power the PoE switch can supply.

2) In the Port Config section, select one or more ports and configure the following two parameters: Time Range and PoE Profile. Click Apply and the PoE parameters of the selected PoE Profile, such as PoE Status and PoE Priority, will be displayed in the table.

6.2 Using the CLI

6.2.1 Configuring the PoE Parameters Manually

Follow these steps to configure the basic PoE parameters:

Step 11 end

Return to privileged EXEC mode.

Step 12 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to set the system power limit as 160 W. Set the priority as middle and set the power limit as class3 for the port 1/0/5.

Switch#configure

Switch(config)#power inline consumption 160

Switch(config)#interface gigabitEthernet 1/0/5

Switch(config-if)#power inline supply enable

Switch(config-if)#power inline priority middle

Switch(config-if)#power inline consumption class3

Switch(config-if)#show power inline

System Power Limit: 160.0w

System Power Consumption: 0.0w

System Power Remain: 160.0w

Switch(config-if)#show power inline configuration interface gigabitEthernet 1/0/5

Switch(config-if)#show power inline information interface gigabitEthernet 1/0/5

Switch(config-if)#end

Switch#copy running-config startup-config

6.2.2 Configuring the PoE Parameters Using the Profile

Follow these steps to configure the PoE profile:

Step 1 configure

Enter global configuration mode.

Step 2 power inline consumption power-limit

Specify the maximum power the PoE switch can supply globally.

power-limit: Specify the maximum power the PoE switch can supply.

Step 3 power profile name [supply { enable | disable } [priority { low | middle | high } [consumption { power-limit | auto | class1 | class2 | class3 | class4}]]]

Create a PoE profile for the switch. In a profile, the PoE status, PoE priority and power limit are configured. You can bind a profile to the corresponding port to quickly configure the PoE function.

name: Specify a name for the PoE profile. It ranges from 1 to 16 characters. If the name contains spaces, enclose the name in double quotes.

enable | disable: Specify the PoE status for the profile. By default, it is enable.

low | middle | high: Select the priority level for the profile. When the supply power exceeds the system power limit, the switch will power off PDs on low-priority ports to ensure stable running of other PDs.

power-limit | auto | class1 | class2 | class3 | class4: Select or enter the maximum power the corresponding port can supply. The following options are provided: Auto represents that the switch will assign a value of maximum power automatically. Class1 represents 4W, Class2 represents 7W, Class3 represents 15.4W and Class4 represents 30W or you can enter a value manually. The value ranges from 1 to 300. It is in the unit of 0.1 watt. For instance, if you want to configure the maximum power as 5W, you should enter 50.

Step 4 interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }

Enter Interface Configuration mode.

port: Specify the Ethernet port number, for example 1/0/1.

port-list: Specify the list of Ethernet ports, for example 1/0/1-3, 1/0/5.

The following example shows how to create a profile named profile1 and bind the profile to the port 1/0/6.

Switch#configure

Switch(config)#power profile profile1 supply enable priority middle consumption class2

Switch(config)#show power profile

Index Name Status Priority Power-Limit(w)

1 profile1 Enable Middle Class2

Switch(config)#interface gigabitEthernet 1/0/6

Switch(config-if)#power inline profile profile1

Switch(config-if)#show power inline configuration interface gigabitEthernet 1/0/6

Switch(config-if)#end

Switch#copy running-config startup-config

7

SDM Template Configuration

7.1 Using the GUI

Choose the menu SYSTEM > SDM Template to load the following page.

Figure 7-1 Configuring SDM Template

In SDM Template Config section, select one template and click Apply. The setting will be effective after the switch is rebooted.

The Template Table displays the resources allocation of each template.

7.2 Using the CLI

Follow these steps to configure the SDM template:

The following example shows how to set the SDM template as enterpriseV4.

Switch#config

Switch(config)#show sdm prefer enterpriseV4

"enterpriseV4" template:

number of IP ACL Rules : 120

number of MAC ACL Rules : 84

number of IPV6 ACL Rules : 0

number of IPV4 Source Guard Entries : 253

number of IPV6 Source Guard Entries : 0

Switch(config)#sdm prefer enterpriseV4

Switch to "enterpriseV4" tempale.

Changes to the running SDM preferences have been stored, but cannot take effect until reboot the switch.

Switch(config)#end

Switch#copy running-config startup-config

8

Time Range Configuration

To complete Time Range configuration, follow these steps:

1) Add time range entries.
2) Configure Holiday time range.

8.1 Using the GUI

8.1.1 Adding Time Range Entries

Choose the menu SYSTEM > Time Range > Time Range Config and click + Add to load the following page.

Figure 8-1 Configuring Time Range

Follow these steps to add time range entries:

1) In the Time-Range Config section, specify a name for the entry and select the Holiday mode.

Name Specify a name for the entry.

Holiday Select to include or exclude the holiday in the time range.

Exclude: The time range will not take effect on holiday.

Include: The time range will not be affected by holiday.

To configure Holiday, refer to Configuring Holiday.

2) In the Period Time Config section, click and the following window will pop up.

Figure 8-2 Adding Period Time

Configure the following parameters and click Create:

Date Specify the start date and end date of this time range.

Time Specify the start time and end time of a day.

Day of Week Select days of a week as the period of this time range.

3) Similarly, you can add more entries of period time according to your needs. The final period time is the sum of all the periods in the table. Click Create.

Figure 8-3 View Configuration Result

8.1.2 Configuring Holiday

Choose the menu SYSTEM > Time Range > Holiday Config and click + Add to load the following page.

Figure 8-1 Configuring Holiday

Configure the following parameters and click Create to add a Holiday entry.

Holiday Name Specify a name for the entry.

Start Date Specify the start date of the Holiday time range.

End Date Specify the end date of the Holiday time range.

Similarly, you can add more Holiday entries. The final Holiday time range is the sum of all the entries.

8.2 Using the CLI

8.2.1 Adding Time Range Entries

Follow these steps to add time range entries:

Step 1 configure

Enter global configuration mode.

Step 2 time-range

name

Create a time-range entry.

name: Specify a name for the entry.

Step 3 holiday { exclude | include }

Include or exclude the holiday in the time range.

exclude: The time range will not take effect on holiday.

include: The time range will not be affected by holiday.

To configure Holiday, refer to Configuring Holiday.

Step 4 absolute from

start-date to end-date

Specify the start date and end date of this time range.

start-date: Specify the start date in the format MM/DD/YYYY.

end-date: Specify the end date in the format MM/DD/YYYY.

Step 5 periodic start

start-time end end-time day-of-the-week week-day

Specify days of a week as the period of this time range.

start-time: Specify the start end time of a day in the format HH:MM.

end-time: Specify the end time and end time of a day in the format HH:MM.

week-day: Specify the days of week in the format of 1-3, 7. The numbers 1-7 respectively represent Monday, Tuesday, Wednesday, Thursday, Friday, Saturday and Sunday.

Step 6 show time-range

View the configuration of Time Range.

Step 7 end

Return to privileged EXEC mode.

Step 8 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to create a time range entry and set the name as time1, holiday mode as exclude, absolute time as 10/01/2017 to 10/31/2017 and periodic time as 8:00 to 20:00 on every Monday and Tuesday:

Switch#config

Switch(config)#time-range time1

Switch(config-time-range)#holiday exclude

Switch(config-time-range)#absolute from 10/01/2017 to 10/31/2017

Switch(config-time-range)#periodic start 08:00 end 20:00 day-of-the-week 1,2

Switch(config-time-range)#show time-range

Time-range entry: 12 (Inactive)

Time-range entry: time1 (Inactive)

holiday: exclude

number of time slice: 1

01 - 10/01/2017 to 10/31/2017

- 08:00 to 20:00 on 1,2

Switch(config-time-range)#end

Switch#copy running-config startup-config

8.2.2 Configuring Holiday

Follow these steps to configure Holiday time range:

Step 1 configure

Enter global configuration mode.

Step 2 holiday name start-date start-date end-date end-date

Create a holiday entry.

name: Specify a name for the entry.

start-date : Specify the start date in the format MM/DD.

end-date: Specify the end date in the format MM/DD.

Step 3 show holiday

View the configuration of Holiday.

Step 4 end

Return to privileged EXEC mode.

Step 8 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to create a holiday entry and set the entry name as holiday1 and set start date and end date as 07/01 and 09/01:

Switch#config

Switch(config)#holiday holiday1 start-date 07/01 end-date 09/01

Switch(config)#show holiday

Index Holiday Name Start-End

1 holiday1 07.01-09.01

Switch(config)#end

Switch#copy running-config startup-config

9

Controller Settings (Only for Certain Devices)

Note:

Controller Settings is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If Controller Settings is available, there is SYSTEM >Controller Settings in the menu structure.

This feature prepares the switch for Omada SDN Controller Management in either of the following scenarios:

If you are using Omada Cloud-Based Controller, enable Cloud-Based Controller Management on this page, then you can further add your devices to your Omada Cloud-Based Controller.
If your switch and Omada SDN Controller are located on the same subnet, the controller can discover and manage the switch without any controller settings. Otherwise, you need to inform the switch of the controller's URL/IP address.

9.1 Using the GUI

9.1.1 Enabling Cloud-Based Controller Management

Choose the menu SYSTEM > Controller Settings to load the following page. In the Cloud-Based Controller Management section, enable Cloud-Based Controller Management and click Apply. After you add the switch to your Omada Cloud-Based Controller, you can check the connection status on this page.

Figure 9-1 Enabling Cloud-Based Controller Management

9.1.2 Configuring Controller Inform URL

Choose the menu SYSTEM > Controller Settings to load the following page. In the Controller Inform URL section, inform the switch of the controller's URL/IP address, and click Apply.

Figure 9-1 Configuring Controller Inform URL

9.2 Using the CLI

9.2.1 Enabling Cloud-Based Controller Management

Follow these steps to enable cloud-based controller management:

Step 1 configure

Enter global configuration mode.

Step 2 controller cloud-based

Enable cloud-based controller management.

Step 3 show controller

View the controller settings and status.

9.2.2 Configuring Controller Inform URL

Follow these steps to configure controller inform URL:

Step 1 configure

Enter global configuration mode.

Step 2 controller inform-url [ controller-url | controller-ip ]

Inform the switch of the controller's URL/IP address.

Step 3 show controller

View the controller settings and status.

The following example shows how to inform the switch of the controller whose IP address is 192.168.1.1:

Switch#config

Switch(config)#controller inform-url 192.168.1.1

Switch(config)#show controller

Cloud-Based Controller Management : Disabled

Connection Status : Disabled

inform URL/IP Address : 192.168.1.1:29810

10 Example for PoE Configurations

10.1 Network Requirements

The network topology of a company is shown as below. Camera1 and Camera2 work for the security of the company and cannot be power off all the time. AP1 and AP2 provide the internet service and only work in the office time.

Figure 10-1 Network Topology

graph TD
    A["Switch A"] -->|Gi1/0/1| B["Base Device"]
    A -->|Gi1/0/2 Gi1/0/3| C["Base Device"]
    A -->|Gi1/0/4| D["Base Device"]
    A -->|Gi1/0/4| E["End"]

Camera1 Camera2 AP1 AP2

10.2 Configuring Scheme

To implement this requirement, you can set a PoE time-range as the office time, for example, from 08:30 to 18:00 on work days. Then apply the settings to port 1/0/3 and 1/0/4. Port 1/0/1 and port 1/0/2 need to supply power all the time, so the time range configurations can be left as the default settings here.

10.3 Using the GUI

The configurations of port 1/0/4 is similar with the configurations of port 1/0/3. Here we take port 1/0/3 for example.

1) Choose the menu SYSTEM > Time Range > Time Range Create and click + Add to load the following page.

Figure 10-2 Creating Time Range

2) Click + Add and the following window will pop up. Set Date, Time and Day of Week as the following figure shows. Click Create.

Figure 10-3 Creating a Periodic Time

3) Specify a name for the time range. Click Create.

Figure 10-4 Configuring Time Range

4) Choose the menu SYSTEM > PoE > PoE Config to load the following page. Select port 1/0/3 and set the Time Range as OfficeTime. Click Apply.

Figure 10-5 Configure the Port

5) Click Save the settings.

10.4 Using the CLI

The configurations of Port1/0/4 is similar with the configuration of port 1/0/3. Here we take port 1/0/3 for example.

1) Create a time-range.

Switch_A#config

Switch_A(config)#time-range office-time

Switch_A(config-time-range)#holiday exclude

Switch_A(config-time-range)#absolute from 01/01/2017 to 01/01/2018

Switch_A(config-time-range)#periodic start 08:30 end 18:00 day-of-the-week 1-5

Switch_A(config-time-range)#exit

2) Enable the PoE function on the port 1/0/3. Specify the basic parameters for the port 1/0/3 and bind the time-range office-time to the port.

Switch_A(config)#interface gigabitEthernet 1/0/3

Switch_A(config-if)#power inline supply enable

Switch_A(config-if)#power inline time-range office-time

Switch_A(config-if)#end

Switch_A#copy running-config startup-config

Verify the Configuration

Verify the configuration of the time-range:

Switch_A#show time-range

Time-range entry: office-time (Active)

holiday: exclude

number of time slice: 1

01 - 01/01/2017 to 01/01/2018

- 08:00 to 18:00 on 1,2,3,4,5

Verify the configuration of the PoE basic parameters:

Switch_A#show power inline configuration interface gigabitEthernet 1/0/3

11 Appendix: Default Parameters

Default settings of System Info are listed in the following tables.

Table 11-1 Default Settings of Device Description Configuration

Table 11-2 Default Settings of System Time Configuration

Table 11-3 Default Settings of Daylight Saving Time Configuration

Default settings of User Management are listed in the following table.

Table 11-4 Default Settings of User Configuration

Default settings of System Tools are listed in the following table.

Table 11-5 Default Settings of Boot Configuration

Default setting of EEE is listed in the following table.

Table 11-6 Default Settings of EEE Configuration

(Only for certain devices) Default settings of PoE is listed in the following table.

Table 11-7 Default Settings of PoE Configuration

Default settings of SDM Template are listed in the following table.

Table 11-8 Default Settings of SDM Template Configuration

Default settings of Time Range are listed in the following table.

Table 11-9 Default Settings of Time Range Configuration

Part 3

Managing Physical Interfaces

CHAPTERS

1. Physical Interface
2. Basic Parameters Configurations
3. Port Isolation Configurations
4. Loopback Detection Configuration
5. Configuration Examples
6. Appendix: Default Parameters

1 Physical Interface

1.1 Overview

Interfaces are used to exchange data and interact with interfaces of other network devices. Interfaces are classified into physical interfaces and layer 3 interfaces.

■ Physical interfaces are the ports on the switch panel. They forward packets based on MAC address table.
■ Layer 3 interfaces are used to forward IPv4 and IPv6 packets using static or dynamic routing protocols. You can use Layer 3 interfaces for IP routing and inter-VLAN routing.

This chapter introduces the configurations for physical interfaces.

1.2 Supported Features

The switch supports the following features about physical interfaces:

Basic Parameters

You can configure port status, speed mode, duplex mode, flow control and other basic parameters for ports.

Port Isolation

You can use this feature to restrict a specific port to send packets to only the ports in the forwarding port list that you configure.

Loopback Detection

This function allows the switch to detect loops in the network. When a loop is detected on a port or VLAN, the switch will display an alert on the management interface and block the corresponding port or VLAN according to your configurations.

2 Basic Parameters Configurations

2.1 Using the GUI

Choose the menu L2 FEATURES > Switching > Port > Port Config to load the following page.

Figure 2-1 Configuring Basic Parameters

Follow these steps to configure basic parameters for the ports:

1) Configure the MTU size of jumbo frames for all the ports, then click Apply.

Jumbo Configure the size of jumbo frames. By default, it is 1518 bytes.

Generally, the MTU (Maximum Transmission Unit) size of a normal frame is 1518 bytes. If you want the switch supports to transmit frames of which the MTU size is greater than 1518 bytes, you can configure the MTU size manually here.

2) Select one or more ports to configure the basic parameters. Then click Apply.

Note:

We recommend that you set the ports on both ends of a link as the same speed and duplex mode.

2.2 Using the CLI

Follow these steps to set basic parameters for the ports.

Step 1 configure

Enter global configuration mode.

Step 2 jumbo-size

size

Change the MTU (Maximum Transmission Unit) size to support jumbo frames. The default MTU size for frames received and sent on all ports is 1518 bytes. To transmit jumbo frames, you can manually configure MTU size of frames up to 9216 bytes.

size: Configure the MTU size of jumbo frames. The value ranges from 1518 to 9216 bytes.

Step 3 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | ten-range gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list |

Enter interface configuration mode.

Step 4 Configure basic parameters for the port:

description string

Give a port description for identification.

string: Content of a port description, ranging from 1 to 16 characters.

shutdown

no shutdown

Use shutdown to disable the port, and use no shutdown to enable the port. When the status is enabled, the port can forward packets normally, otherwise it will discard the received packets. By default, all ports are enabled.

speed {10 | 100 | 1000 | 10000 | auto}

Set the appropriate speed mode for the port.

10 | 100 | 1000 | 10000 | auto: Speed mode of the port. The options are subject to your actual product. The device connected to the port should be in the same speed and duplex mode with the port. When auto is selected, the speed mode will be determined by auto-negotiation.

duplex { auto | full | half }

Set the appropriate duplex mode for the port.

auto | full | half: Duplex mode of the port. The device connected to the port should be in the same speed and duplex mode with the port. When auto is selected, the duplex mode will be determined by auto-negotiation.

flow-control

Enable the switch to synchronize the data transmission speed with the peer device, avoiding the packet loss caused by congestion. By default, it is disabled.

Step 5 show interface configuration [fastEthernet

port | gigabitEthernet port || ten-

gigabitEthernet port | port-channel port-channel-id ]

Verify the configuration of the port or LAG.

Step 6 end

Return to privileged EXEC mode.

Step 7 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to implement the basic configurations of port1/0/1, including setting a description for the port, configuring the jumbo frame, making the port automatically negotiate speed and duplex with the neighboring port, and enabling the flow-control:

Switch#configure

Switch#jumbo-size 9216

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#no shutdown

Switch(config-if)#description router connection

Switch(config-if)#speed auto

Switch(config-if)#duplex auto

Switch(config-if)#flow-control

Switch(config-if)#show interface configuration gigabitEthernet 1/0/1

Port State Speed Duplex FlowCtrl Description

Gi1/0/1 Enable Auto Auto Enable router connection

Switch(config-if)#show jumbo-size

Global jumbo size : 9216

Switch(config-if)#end

Switch#copy running-config startup-config

3 Port Isolation Configurations

3.1 Using the GUI

Port Isolation is used to limit the data transmitted by a port. The isolated port can only send packets to the ports specified in its Forwarding Port List.

Choose the menu L2 FEATURES > Switching > Port > Port Isolation to load the following page.

Figure 3-1 Port Isolation List

The above page displays the port isolation list. Click to configure Port Isolation on the following page.

Figure 3-2 Port Isolation

Follow these steps to configure Port Isolation:

1) In the Port section, select one or multiple ports to be isolated.
2) In the Forwarding Port List section, select the forwarding ports or LAGs which the isolated ports can only communicate with. It is multi-optional.
3) Click Apply.

3.2 Using the CLI

Follow these steps to configure Port Isolation:

Step 1 configure

Enter global configuration mode.

Step 2 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | ten-range gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list |}

Specify the port to be isolated and enter interface configuration mode.

The following example shows how to add ports 1/0/1-3 and LAG 4 to the forwarding list of port 1/0/5:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/5

Switch(config-if)#port isolation gi-forward-list 1/0/1-3 po-forward-list 4

Switch(config-if)#show port isolation interface gigabitEthernet 1/0/5

Port LAG Forward-List

Gi1/0/5 N/A Gi1/0/1-3, Po4

Switch(config-if)#end

Switch#copy running-config startup-config

4 Loopback Detection Configuration

4.1 Using the GUI

To avoid broadcast storm, we recommend that you enable storm control before loopback detection is enabled. For detailed introductions about storm control, refer to Configuring QoS.

Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the following page.

Figure 4-1 Configuring Loopback Detection

Follow these steps to configure loopback detection:

1) In the Loopback Detection section, enable loopback detection and configure the global parameters. Then click Apply.

2) In the Port Config section, select one or more ports to configure the loopback detection parameters. Then click Apply.

3) (Optional) View the loopback detection information.

Loop Status Displays whether a loop is detected on the port.

Block Status Displays whether the port is blocked.

Block VLAN Displays the blocked VLANs.

4.2 Using the CLI

Follow these steps to configure loopback detection:

Step 1 configure

Enter global configuration mode.

Step 2 loopback-detection

Enable the loopback detection feature globally. By default, it is disabled.

Step 3 loopback-detection interval

interval-time

Set the interval of sending loopback detection packets which is used to detect the loops in the network.

interval-time: The interval of sending loopback detection packets. The valid values are from 1 to 1000 seconds. By default, the value is 30 seconds.

Step 4 loopback-detection recovery-time

recovery-time

Set the auto-recovery time, after which the blocked port in Auto Recovery mode can automatically be recovered to normal status.

recovery-time: Specify the detection interval, ranging from 2 to 100,000 seconds. The default value is 90.

Step 5 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | ten-range gigabitEthernet port-list | port-channel port-channel | range port-channel port-channel-list |

Enter interface configuration mode.

Step 6 loopback-detection

Enable loopback detection for the port. By default, it is disabled.

Step 7

loopback-detection config process-mode { alert | port-based | vlan-based } recovery-mode { auto | manual }

Set the process mode when a loopback is detected on the port. There are three modes:

alert: The switch will only display alerts when a loopback is detected. It is the default setting.

port-based: In addition to displaying alerts, the switch will block the port on which the loop is detected.

vlan-based: In addition to displaying alerts, the switch will block the VLAN of the port in which the loop is detected.

Set the recovery mode for the blocked port. There are two modes:

auto: After the recovery time expires, the blocked port will automatically recover to normal status and restart to detect loops in the network.

manual: The blocked port can only be released manually. You can use the command 'loopback-detection recover' to recover the blocked port to normal status.

Step 9 show loopback-detection global

Verify the global configuration of Loopback Detection.

Step 11 end

Return to privileged EXEC mode.

Step 12 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable loopback detection globally (keep the default parameters):

Switch#configure

Switch(config)#loopback-detection

Switch(config)#show loopback-detection global

Loopback detection global status : enable

Loopback detection interval : 30s

Loopback detection recovery time : 3 intervals

Switch(config-if)#end

Switch#copy running-config startup-config

The following example shows how to enable loopback detection of port 1/0/3 and set the process mode as alert and recovery mode as auto:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/3

Switch(config-if)#loopback-detection

Switch(config-if)#loopback-detection config process-mode alert recovery-mode auto

Switch(config-if)#show loopback-detection interface gigabitEthernet 1/0/3

Switch(config-if)#end

Switch#copy running-config startup-config

5 Configuration Examples

5.1 Example for Port Isolation

5.1.1 Network Requirements

As shown below, three hosts and a server are connected to the switch and all belong to VLAN 10. Without changing the VLAN configuration, Host A is not allowed to communicate with the other hosts except the server, even if the MAC address or IP address of Host A is changed.

Figure 5-1 Network Topology

graph TD
    Switch["Switch"] -->|Gi1/0/1| HostA["Host A"]
    Switch -->|Gi1/0/2| HostB["Host B"]
    Switch -->|Gi1/0/3| HostC["Host C Server"]
    Switch -->|Gi1/0/4| HostD["Host D"]
    HostA --> VLAN10["VLAN 10"]
    HostB --> VLAN10
    HostC --> VLAN10
    HostD --> VLAN10

5.1.2 Configuration Scheme

You can configure port isolation to implement the requirement. Set port 1/0/4 as the only forwarding port for port 1/0/1, thus forbidding Host A to forward packets to the other hosts.

Since communications are bidirectional, if you want Host A and the server to communicate normally, you also need to add port 1/0/1 as the forwarding port for port 1/0/4.

Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

5.1.3 Using the GUI

1) Choose the menu L2 FEATURES > Switching > Port > Port Isolation to load the following page. It displays the port isolation list.

Figure 5-2 Port Isolation List

2) Click Edit on the above page to load the following page. Select port 1/0/1 as the port to be isolated, and select port 1/0/4 as the forwarding port. Click Apply.

Figure 5-3 Port Isolation Configuration

3) Select port 1/0/4 as the port to be isolated, and select port 1/0/1 as the forwarding port. Click Apply.

Figure 5-4 Port Isolation Configuration

4) Click Save the settings.

5.1.4 Using the CLI

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#port isolation gi-forward-list 1/0/4

Switch(config-if)#exit

Switch(config)#interface gigabitEthernet 1/0/4

Switch(config-if)#port isolation gi-forward-list 1/0/1

Switch(config-if)#end

Switch#copy running-config startup-config

Verify the Configuration

Switch#show port isolation interface

Port LAG Forward-List

Gi1/0/1 N/A Gi1/0/4

Gi1/0/2 N/A Gi1/0/1-28, Po1-14

Gi1/0/3 N/A Gi1/0/1-28, Po1-14

Gi1/0/4 N/A Gi1/0/1

...

5.2 Example for Loopback Detection

5.2.1 Network Requirements

As shown below, Switch A is a convergence-layer switch connecting to several access-layer switches. Loops can be easily caused in case of misoperation on the access-layer switches. If there is a loop on an access-layer switch, broadcast storms will occur on Switch A or even in the entire network, creating excessive traffic and degrading the network performance.

To reduce the impacts of broadcast storms, users need to detect loops in the network via Switch A and timely block the port on which a loop is detected.

Figure 5-5 Network Topology

graph TD
    A["Switch A"] -->|Gi1/0/1| B["Access-layer Switches"]
    A -->|Gi1/0/2| C["Access-layer Switches"]
    A -->|Gi1/0/3| D["Management Host"]
    B --> E["Loop"]
    C --> E
    D --> E

5.2.2 Configuration Scheme

Enable loopback detection on ports 1/0/1-3 and configure SNMP to receive the trap notifications. For detailed instructions about SNMP, refer to Configuring SNMP & RMON. Here we introduce how to configure loopback detection and monitor the detection result on the management interface of the switch.

Demonstrated with T1600G-52TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

5.2.3 Using the GUI

1) Choose the menu L2 FEATURES > Switching > Port > Loopback Detection to load the configuration page.
2) In the Loopback Detection section, enable loopback detection and web refresh globally. Keep the other parameters as default values and click Apply.

Figure 5-6 Global Configuration

3) In the Port Config section, enable ports 1/0/1-3, select the operation mode as Port-Based so that the port will be blocked when a loop is detected, and keep the recovery mode as Auto so that the port will automatically be recovered to normal status after the auto-recovery time. Click Apply.

Figure 5-7 Port Configuration

4) Monitor the detection result on the above page. The Loop status and Block status are displayed on the right side of ports.

5.2.4 Using the CLI

1) Enable loopback detection globally and configure the detection interval and recovery time.

Switch#configure

Switch(config)#loopback-detection

Switch(config)#loopback-detection interval 30

Switch(config)#loopback-detection recovery-time 3

2) Enable loopback detection on ports 1/0/1-3 and set the process mode and recovery mode.

Switch(config)#interface range gigabitEthernet 1/0/1-3

Switch(config-if-range)#loopback-detection

Switch(config-if-range)#loopback-detection config process-mode port-based recovery-mode auto

Switch(config-if-range)#end

Switch#copy running-config startup-config

Verify the Configuration

Verify the global configuration:

Switch#show loopback-detection global

Loopback detection global status : enable

Loopback detection interval: 30 s

Loopback detection recovery time : 90 s

Verify the loopback detection configuration on ports:

Switch#show loopback-detection interface

6

Appendix: Default Parameters

Default settings of Switching are listed in th following tables.

Table 6-1 Configurations for Ports

Part 4

Configuring LAG

CHAPTERS

1. LAG
2. LAG Configuration
3. Configuration Examples
4. Appendix: Default Parameters

1 LAG

1.1 Overview

With LAG (Link Aggregation Group) function, you can aggregate multiple physical ports into a logical interface, increasing link bandwidth and providing backup ports to enhance the connection reliability.

1.2 Supported Features

You can configure LAG in two ways: static LAG and LACP (Link Aggregation Control Protocol).

Static LAG

The member ports are manually added to the LAG.

LACP

The switch uses LACP to implement dynamic link aggregation and disaggregation by exchanging LACP packets with its peer device. LACP extends the flexibility of the LAG configuration.

2 LAG Configuration

To complete LAG configuration, follow these steps:

1) Configure the global load-balancing algorithm.
2) Configure Static LAG or LACP.

Configuration Guidelines

■ Ensure that both ends of the aggregation link work in the same LAG mode. For example, if the local end works in LACP mode, the peer end should also be set as LACP mode.
■ Ensure that devices on both ends of the aggregation link use the same number of physical ports with the same speed, duplex, jumbo and flow control mode.

■ A port cannot be added to more than one LAG at the same time.
■ LACP does not support half-duplex links.

■ One static LAG supports up to eight member ports. All the member ports share the bandwidth evenly. If an active link fails, the other active links share the bandwidth evenly.

■ One LACP LAG supports multiple member ports, but at most eight of them can work simultaneously, and the other member ports are backups. Using LACP protocol, the switches negotiate parameters and determine the working ports. When a working port fails, the backup port with the highest priority will replace the faulty port and start to forward data.

For the functions like IGMP Snooping, 802.1Q VLAN, MAC VLAN, Protocol VLAN, VLAN-VPN, GVRP, Voice VLAN, STP, QoS, DHCP Snooping and Flow Control, the member pot of an LAG follows the configuration of the LAG but not its own. The configurations of the port can take effect only after it leaves the LAG.

■ The port enabled with Port Security, Port Mirror, MAC Address Filtering or 802.1X cannot be added to an LAG, and the member port of an LAG cannot be enabled with these functions.

2.1 Using the GUI

2.1.1 Configuring Load-balancing Algorithm

Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page.

Figure 2-1 Global Config

In the Global Config section, select the load-balancing algorithm (Hash Algorithm), then click Apply.

Hash Algorithm

Select the Hash Algorithm, based on which the switch can choose the port to forward the received packets. In this way, different data flows are forwarded on different physical links to implement load balancing. There are six options:

SRC MAC: The computation is based on the source MAC addresses of the packets.

DST MAC: The computation is based on the destination MAC addresses of the packets.

SRC MAC+DST MAC: The computation is based on the source and destination MAC addresses of the packets.

SRC IP: The computation is based on the source IP addresses of the packets.

DST IP: The computation is based on the destination IP addresses of the packets.

SRC IP+DST IP: The computation is based on the source and destination IP addresses of the packets.

Tips:

• Load-balancing algorithm is effective only for outgoing traffic. If the data stream is not well shared by each link, you can change the algorithm of the outgoing interface.
  ■ Please properly choose the load-balancing algorithm to avoid data stream transferring only on one physical link. For example, Switch A receives packets from several hosts and forwards them to the Server with the fixed MAC address, you can set the algorithm

as "SRC MAC" to allow Switch A to determine the forwarding port based on the source MAC addresses of the received packets.

Figure 2-2 Hash Algorithm Configuration

graph LR
    A["Laptop 1"] --> B["Switch A"]
    C["Laptop 2"] --> B
    D["Laptop 3"] --> B
    B --> E["Server"]
    style A fill:#cce5ff,stroke:#333
    style C fill:#cce5ff,stroke:#333
    style D fill:#cce5ff,stroke:#333
    style E fill:#cce5ff,stroke:#333

Hosts Server

2.1.2 Configuring Static LAG or LACP

For one port, you can choose only one LAG mode: Static LAG or LACP. And make sure both ends of a link use the same LAG mode.

- Configuring Static LAG

Choose the menu L2 FEATURES > Switching > LAG > Static LAG to load the following page.

Figure 2-3 Static LAG

Follow these steps to configure the static LAG:

1) Select an LAG for configuration.

Group ID Select an LAG for static LAG configuration.

Description Displays the LAG mode.

2) Select the member ports for the LAG. It is multi-optional.

3) Click Apply.

Note:

Clearing all member ports will delete the LAG.

- Configuring LACP

Choose the menu L2 FEATURES > Switching > LAG > LACP to load the following page.

Figure 2-4 LACP Config

Follow these steps to configure LACP:

1) Specify the system priority for the switch and click Apply.

System Priority

Specify the system priority for the switch. A smaller value means a higher priority.

To keep active ports consistent at both ends, you can set the system priority of one device to be higher than that of the other device. The device with higher priority will determine its active ports, and the other device can select its active ports according to the selection result of the device with higher priority. If the two ends have the same system priority value, the device with a smaller MAC address has the higher priority.

2) Select member ports for the LAG and configure the related parameters. Click Apply.

Status Enable the LACP function of the port. By default, it is disabled.

2.2 Using the CLI

2.2.1 Configuring Load-balancing Algorithm

Follow these steps to configure the load-balancing algorithm:

Step 1 configure

Enter global configuration mode.

Step 3 show etherchannel load-balance

The following example shows how to set the global load-balancing mode as src-dst-mac:

Switch#configure

Switch(config)#port-channel load-balance src-dst-mac

Switch(config)#show etherchannel load-balance

EtherChannel Load-Balancing Configuration: src-dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:

Non-IP: Source XOR Destination MAC address

IPv4: Source XOR Destination MAC address

IPv6: Source XOR Destination MAC address

Switch(config)#end

Switch#copy running-config startup-config

2.2.2 Configuring Static LAG or LACP

You can choose only one LAG mode for a port: Static LAG or LACP. And make sure both ends of a link use the same LAG mode.

■ Configuring Static LAG

Follow these steps to configure static LAG:

Step 1 configure

Enter global configuration mode.

Step 2 interface {fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list ] Enter interface configuration mode.

Step 3 channel-group num mode on

Add the port to a static LAG.

num: The group ID of the LAG.

Step 4 show etherchannel num summary

Verify the configuration of the static LAG.

num: The group ID of the LAG.

Step 5 end

Return to privileged EXEC mode.

Step 6 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to add ports1/0/5-8 to LAG 2 and set the mode as static LAG:

Switch#configure

Switch(config)#interface range gigabitEthernet 1/0/5-8

Switch(config-if-range)#channel-group 2 mode on

Switch(config-if-range)#show etherchannel 2 summary

Flags: D - down P - bundled in port-channel U - in use

I - stand-alone H - hot-standby(LACP only) s - suspended

R - layer3 S - layer2 f - failed to allocate aggregator

u - unsuitable for bundling w - waiting to be aggregated d - default port

Group Port-channel Protocol Ports

2 Po2(S) - Gi1/0/5(D) Gi1/0/6(D) Gi1/0/7(D) Gi1/0/8(D)

Switch(config-if-range)#end

Switch#copy running-config startup-config

- Configuring LACP

Follow these steps to configure LACP:

Step 1 configure

Enter global configuration mode.

Step 2 lacp system-priority

pri

Specify the system priority for the switch.

To keep active ports consistent at both ends, you can set the priority of one device to be higher than that of the other device. The device with higher priority will determine its active ports, and the other device can select its active ports according to the selection result of the device with higher priority. If the two ends have the same system priority value, the end with a smaller MAC address has the higher priority.

pri: System priority. The valid values are from 0 to 65535, and the default value is 32768. A smaller value means a higher device priority.

Step 3 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list ]

Enter interface configuration mode.

Step 4 channel-group

num mode {active | passive}

Add the port to an LAG and set the mode as LACP.

num: The group ID of the LAG.

mode: LAG mode. Here you need to select LACP mode: active or passive.

In LACP, the switch uses LACPDU (Link Aggregation Control Protocol Data Unit) to negotiate the parameters with the peer end. In this way, the two ends select active ports and form the aggregation link. The LACP mode determines whether the port will take the initiative to send the LACPDU.

passive: The port will not send LACPDU before receiving the LACPDU from the peer end.

active: The port will take the initiative to send LACPDU.

Step 5 lacp port-priority

pri

Specify the Port Priority. The port with higher priority in an LAG will be selected as the working port. If two ports have the same priority value, the port with a smaller port number has the higher priority.

pri: Port priority. The valid values are from 0 to 65535, and the default value is 32768. A smaller value means a higher port priority.

Step 6 show lacp sys-id

Verify the global system priority.

Step 7 show lacp internal

Verify the LACP configuration of the local switch.

Step 8 end

Return to privileged EXEC mode.

Step 9 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to specify the system priority of the switch as 2:

Switch#configure

Switch(config)#lacp system-priority 2

Switch(config)#show lacp sys-id

2,000a.eb13.2397

Switch(config)#end

Switch#copy running-config startup-config

The following example shows how to add ports 1/0/1-4 to LAG 6, set the mode as LACP, and select the LACPDU sending mode as active:

Switch#configure

Switch(config)#interface range gigabitEthernet 1/0/1-4

Switch(config-if-range)#channel-group 6 mode active

Switch(config-if-range)#show lacp internal

Flags: S - Device is requesting Slow LACPDUs

F - Device is requesting Fast LACPDUs

A - Device is in active mode

P - Device is in passive mode

Channel group 6

Switch(config-if-range)#end

Switch#copy running-config startup-config

3 Configuration Examples

3.1 Example for Static LAG

3.1.1 Network Requirements

As shown below, hosts and servers are connected to switch A and switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.

Figure 3-1 Network Topology

graph LR
    A["Hosts"] -->|Gi1/0/1 Gi1/0/1| B["Switch A Switch B"]
    B -->|Gi1/0/8 Gi1/0/8| C["Servers"]

3.1.2 Configuration Scheme

LAG function can bundle multiple physical ports into one logical interface to increase bandwidth and improve reliability. In this case we can configure static LAG to meet the requirement.

The overview of the configuration is as follows:

1) Considering there are multiple devices on each end, configure the load-balancing algorithm as 'SRC MAC+DST MAC'.
2) Add ports 1/0/1-8 to a static LAG.

Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

3.1.3 Using the GUI

The configurations of switch A and switch B are similar. The following introductions take switch A as an example.

1) Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page. Select the hash algorithm as 'SRC MAC+DST MAC'.

Figure 3-2 Global Configuration

2) Choose the menu L2 FEATURES > Switching > LAG > Static LAG to load the following page. Select LAG 1 and add ports 1/0/1-8 to LAG 1.

Figure 3-3 System Priority Configuration

3) Click Save the settings.

3.1.4 Using the CLI

The configurations of switch A and switch B are similar. The following introductions take switch A as an example.

1) Configure the load-balancing algorithm as "src-dst-mac".

Switch#configure

Switch(config)#port-channel load-balance src-dst-mac

2) Add ports 1/0/1-8 to static LAG 1.

Switch(config)#interface range gigabitEthernet 1/0/1-8

Switch(config-if-range)#channel-group 1 mode on

Switch(config-if)#end

Switch#copy running-config startup-config

Verify the Configuration

Switch#show etherchannel 1 summary

Flags: D - down

P - bundled in port-channel

U - in use

I - stand-alone

H - hot-standby(LACP only)

s - suspended

3.2 Example for LACP

3.2.1 Network Requirements

As shown below, hosts and servers are connected to Switch A and Switch B, and heavy traffic is transmitted between the two switches. To achieve high speed and reliability of data transmission, users need to improve the bandwidth and redundancy of the link between the two switches.

3.2.2 Configuration Scheme

LAG function can bundle multiple physical ports into one logical interface to increase bandwidth and improve reliability. In this case, we take LACP as an example.

As shown below, you can bundle up to eight physical ports into one logical aggregation group to transmit data between the two switches, and respectively connect the ports of the groups. In addition, another two redundant links can be set as the backup. To avoid traffic bottleneck between the servers and Switch B, you also need to configure LAG on them to increase link bandwidth. Here we mainly introduce the LAG configuration between the two switches.

Figure 3-1 Network Topology

graph LR
    A["Hosts"] -->|Gi1/0/1 Gi1/0/1| B["Switch A Switch B"]
    B -->|Gi1/0/10 Gi1/0/10| C["Servers"]

The overview of the configuration is as follows:

1) Considering there are multiple devices on each end, configure the load-balancing algorithm as 'SRC MAC+DST MAC'.
2) Specify the system priority for the switches. Here we choose Switch A as the dominate device and specify a higher system priority for it.
3) Add ports 1/0/1-10 to the LAG and set the mode as LACP.

4) Specify a lower port priority for ports 1/0/9-10 to set them as the backup ports. When any of ports 1/0/1-8 is down, the backup ports will automatically be enabled to transmit data.

Demonstrated with T1600G-52TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

3.2.3 Using the GUI

The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example.

1) Choose the menu L2 FEATURES > Switching > LAG > LAG Table to load the following page. Select the hash algorithm as 'SRC MAC+DST MAC'.

Figure 3-2 Global Configuration

2) Choose the menu L2 FEATURES > Switching > LAG > LACP Config to load the following page. In the Global Config section, specify the system priority of Switch A as 0 and Click Apply. Remember to ensure that the system priority value of Switch B is bigger than 0.

Figure 3-3 System Priority Configuration

3) In the LACP Table section, select ports 1/0/1-10, and respectively set the status, group ID, port priority and mode for each port as follows.

Figure 3-4 LACP Configuration

4) Click Save the settings.

3.2.4 Using the CLI

The configurations of Switch A and Switch B are similar. The following introductions take Switch A as an example.

1) Configure the load-balancing algorithm as "src-dst-mac".

Switch#configure

Switch(config)#port-channel load-balance src-dst-mac

2) Specify the system priority of Switch A as 0. Remember to ensure that the system priority value of Switch B is bigger than 0.

Switch(config)#lacp system-priority 0

3) Add ports 1/0/1-8 to LAG 1 and set the mode as LACP. Then specify the port priority as 0 to make them active.

Switch(config)#interface range gigabitEthernet 1/0/1-8

Switch(config-if-range)#channel-group 1 mode active

Switch(config-if-range)#lacp port-priority 0

Switch(config-if-range)#exit

4) Add port 1/0/9 to LAG 1 and set the mode as LACP. Then specify the port priority as 1 to set it as a backup port. When any of the active ports is down, this port will be preferentially selected to work as an active port.

Switch(config)#interface gigabitEthernet 1/0/9

Switch(config-if)#channel-group 1 mode active

Switch(config-if)#lacp port-priority 1

Switch(config-if)#exit

5) Add port 1/0/10 to LAG 1 and set the mode as LACP. Then specify the port priority as 2 to set it as a backup port. The priority of this port is lower than port 1/0/9.

Switch(config)#interface gigabitEthernet 1/0/10

Switch(config-if)#channel-group 1 mode active

Switch(config-if)#lacp port-priority 2

Switch(config-if)#end

Switch#copy running-config startup-config

Verify the Configuration

Verify the system priority:

Switch#show lacp sys-id

0,000a.eb13.2397

Verify the LACP configuration:

Switch#show lacp internal

Flags: S - Device is requesting Slow LACPDUs

F - Device is requesting Fast LACPDUs

A - Device is in active mode

P - Device is in passive mode

Channel group 1

4 Appendix: Default Parameters

Default settings of Switching are listed in the following tables.

Table 4-1 Default Settings of LAG

Part 5

Configuring DDM

(Only for Certain Devices)

CHAPTERS

1. Overview
2. DDM Configuration
3. Appendix: Default Parameters

1 Overview

Note:

DDM is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If DDM is available, there is L2 FEATURES > Switching > DDM in the menu structure.

The DDM (Digital Diagnostic Monitoring) function is used to monitor the status of the SFP modules inserted into the SFP ports on the switch. The user can choose to shut down the monitored SFP port automatically when the specified parameter exceeds the alarm threshold or warning threshold. The monitored parameters include: Temperature, Voltage, Bias Current, Tx Power and Rx Power.

2 DDM Configuration

To complete DDM configuration, follow these steps:

1) Enable DDM on the SFP port and configure the shutdown condition.
2) Configure the specified value for warning or alarm threshold.

2.1 Using the GUI

2.1.1 Configuring DDM Globally

Choose the menu L2 FEATURES > Switching > DDM > DDM Config and select the desired SFP port to load the following page.

Figure 2-1 Configure DDM Globally

Follow these steps to configure the DDM parameters on SFP ports:

1) In the Port Config section, select one or multiple SFP ports to configure DDM parameters.

DDM Status Enable or disable DDM feature on the SFP port.

Shutdown Specify whether to shut down the port when the alarm threshold or warning threshold is exceeded.

Alarm: Shut down the port when the alarm threshold is exceeded.

Warning: Shut down the port when the warning threshold is exceeded.

None: The port will not be shut down even if the alarm threshold or warning threshold is exceeded. This is the default option.

LAG Displays the LAG number which the port belongs to.

2) Click Apply.

2.1.2 Configuring the Threshold

Note:

The value of threshold parameters should conform to the following rule: High Alarm ≥ High Warning ≥ Low Warning ≥ Low Alarm.

Choose the menu L2 FEATURES > Switching > DDM > Threshold Config to load the following page.

■ Configuring the Temperature Threshold

Figure 2-2 Configure Temperature Threshold

Follow these steps to configure DDM's temperature threshold:

1) In the Temperature table, select one or more SFP ports to configure temperature threshold of the SFP ports.

2) Click Apply.

■ Configuring the Voltage Threshold

Figure 2-3 Configure Voltage Threshold

Follow these steps to configure DDM's voltage threshold:

1) In the Voltage table, select one or more SFP ports to configure voltage threshold on the SFP ports.

LAG Displays the LAG number which the port belongs to.

2) Click Apply.

■ Configuring the Bias Current Threshold

Figure 2-4 Configure Bias Current Threshold

Follow these steps to configure DDM's bias current threshold:

1) In the Bias Current table, select one or more SFP ports to configure bias current threshold on the SFP ports.

2) Click Apply.

■ Configuring the Rx Power Threshold

Figure 2-5 Configure Rx Power Threshold

Follow these steps to configure DDM's Rx power threshold:

1) In the RX Power table, select one or more SFP ports to configure Rx power threshold on the SFP ports.

2) Click Apply.

■ Configuring the Tx Power Threshold

Figure 2-6 Configure Tx Power Threshold

Follow these steps to configure DDM's Tx power threshold:

1) In the TX Power table, select one or more SFP ports to configure Tx power threshold on the SFP ports.

2) Click Apply.

2.1.3 Viewing DDM Status

Choose the menu L2 FEATURES > Switching > DDM > DDM Status to load the following page.

Figure 2-7 View DDM Status

In the Port Config table, view the current operating parameters for the SFP modules inserted into the SFP ports.

Temperature The current temperature of the SFP module inserted into this port.

Voltage The current voltage of the SFP module inserted into this port.

Bias Current The current bias current of the SFP module inserted into this port.

Tx Power The current Tx power of the SFP module inserted into this port.

Rx Power The current Rx power of the SFP module inserted into this port.

Data Ready Indicates whether SFP module is operational. The values are True and False.

Loss of Signal Reports local SFP module signal loss. The values are True and False.

Transmit Fault Reports remote SFP module signal loss. The values are True, False and No Signal.

2.2 Using the CLI

2.2.1 Configuring DDM Globally

Follow these steps to enable DDM on specified SFP ports:

Step 1 configure

Enter global configuration mode.

Step 2 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }

Enter interface configuration mode.

Step 3 ddm state enable

Enable DDM on this SFP port.

Step 4 show ddm configuration state

Display the DDM state of the SFP ports.

Step 5 end

Return to Privileged EXEC Mode.

Step 6 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable DDM status on SFP port 1/0/25:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/25

Switch(config-if)#ddm state enable

Switch(config-if)#show ddm configuration state

DDM Status Shutdown

Gi1/0/25 Enable None

...

Switch(config-if)#end

Switch#copy running-config startup-config

2.2.2 Configuring DDM Shutdown

Follow these steps to configure settings for shutting down SFP ports when the alarm threshold or warning threshold is exceeded:

Step 1 configure

Enter global configuration mode.

Step 2 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }

Enter interface configuration mode.

Step 3 ddm shutdown {none | warning | alarm}

none: The port will not be shut down if the alarm threshold or warning threshold is exceeded.

warning: Shut down the port when the warning threshold is exceeded.

alarm: Shut down the port when the alarm threshold is exceeded.

Step 4 show ddm configuration state

Display the DDM state of the SFP ports.

Step 5 end

Return to Privileged EXEC Mode.

Step 6 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to set SFP port 1/0/25 to shut down when the warning threshold is exceeded.

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/25

Switch(config-if)#ddm shutdown warning

Switch(config-if)#show ddm configuration state

DDM Status Shutdown

Gi1/0/25 Enable Warning

...

Switch(config-if)#end

Switch#copy running-config startup-config

2.2.3 Configuring the Threshold

■ Configuring Temperature Threshold

Follow these steps to configure the threshold of the DDM temperature on the specified SFP port.

Step 1 configure

Enter global configuration mode.

Step 2 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }

Enter interface configuration mode.

The following example shows how to set SFP port 1/0/27's high alarm temperature threshold as 110 Celsius.

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/27

Switch(config-if)#ddm temperature_threshold high_alarm 110

Switch(config-if)#show ddm configuration temperature

Temperature Threshold(Celsius):

High Alarm Low Alarm High Warning Low Warning

Gi1/0/27 110.000000 -- -- --

...

Switch(config-if)#end

Switch#copy running-config startup-config

■ Configuring Voltage Threshold

Follow these steps to configure the threshold of the DDM voltage on the specified SFP port.

Step 1 configure
Enter global configuration mode.

Step 4 show ddm configuration voltage

Display the DDM voltage threshold of the SFP ports.

The following example shows how to set SFP port 1/0/27's high alarm threshold voltage as 5 V.

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/27

Switch(config-if)#ddm vlotage_threshold high_alarm 5

Switch(config-if)#show ddm configuration voltage

Voltage Threshold(V):

High Alarm Low Alarm High Warning Low Warning

Gi1/0/27

5.000000

--

--

--

...

Switch(config-if)#end

Switch#copy running-config startup-config

■ Configuring Bias Current Threshold

Follow these steps to configure the threshold of the DDM bias current on the specified SFP port.

Step 1 configure
Enter global configuration mode.

Step 4 show ddm configuration bias_current
Display the DDM bias current threshold of the SFP ports.
Step 5 end
Return to Privileged EXEC Mode.
Step 6 copy running-config startup-config
Save the settings in the configuration file.

The following example shows how to set SFP port 1/0/27's high alarm threshold bias current as 120 mA.

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/17

Switch(config-if)#ddm vlotage_threshold high_alarm 120

Switch(config-if)#show ddm configuration bias_current

Voltage Threshold(V):

High Alarm Low Alarm High Warning Low Warning

Gi1/0/27

120.000000

--

--

--

...

Switch(config-if)#end

Switch#copy running-config startup-config

■ Configuring Rx Power Threshold

Follow these steps to configure the threshold of the DDM Rx power on the specified SFP port.

Step 1 configure
Enter global configuration mode.

Step 4 show ddm configuration rx_power
Display the DDM rx power threshold on the SFP ports.
Step 5 end
Return to Privileged EXEC Mode.
Step 6 copy running-config startup-config
Save the settings in the configuration file.

The following example shows how to set SFP port 1/0/27's high alarm threshold Rx power as 6 mW.

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/27

Switch(config-if)#ddm rx_power_threshold high_alarm 6

Switch(config-if)#show ddm configuration rx_power

Rx Power Threshold(mW):

High Alarm Low Alarm High Warning Low Warning

Gi1/0/27

6.000000

--

--

--

...

Switch(config-if)#end

Switch#copy running-config startup-config

■ Configuring Tx Power Threshold

Follow these steps to configure the threshold of the DDM Tx power on the specified SFP port.

Step 1 configure
Enter global configuration mode.

Step 4 show ddm configuration tx_power

Display the DDM tx power threshold on the SFP ports.

The following example shows how to set SFP port 1/0/27's high alarm threshold Tx power as 6 mW.

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/27

Switch(config-if)#ddm tx_power_threshold high_alarm 6

Switch(config-if)#show ddm configuration tx_power

Tx Power Threshold(mW) :

High Alarm Low Alarm High Warning Low Warning

Gi1/0/27 6.000000 -- -- --

...

Switch(config-if)#end

Switch#copy running-config startup-config

2.2.4 Viewing DDM Configuration

Follow these steps to view the DDM configuration.

Step 1 configure
Enter global configuration mode.

Step 3 end
Return to Privileged EXEC Mode.
Step 4 copy running-config startup-config
Save the settings in the configuration file.

The following example shows how to view SFP ports' Rx power threshold.

Switch#configure

Switch(config)#show ddm configuration rx_power

Rx Power Threshold(mW) :

High Alarm Low Alarm High Warning Low Warning

Gi1/0/27 6.000000 -- -- --

Gi1/0/28 -- -- -- --

Switch(config)#end

2.2.5 Viewing DDM Status

Follow these steps to view the DDM status, which is the digital diagnostic monitoring status of SFP modules inserted into the switch's SFP ports.

Step 1 configure

Enter global configuration mode.

Step 2 show ddm status

Displays all the monitoring status of SFP modules.

Step 3 end

Return to Privileged EXEC Mode.

The following example shows how to view SFP ports' DDM status.

Switch#configure

Switch(config)#show ddm status

Switch(config)#end

3 Appendix: Default Parameters

Default settings of DDM are listed in the following table.

Table 3-1 Default Settings of DDM

Part 6

Managing MAC Address Table

CHAPTERS

1. MAC Address Table
2. MAC Address Configurations
3. Security Configurations
4. Example for Security Configurations
5. Appendix: Default Parameters

1 MAC Address Table

1.1 Overview

The MAC address table contains address information that the switch uses to forward packets. As shown below, the table lists map entries of MAC addresses, VLAN IDs and ports. These entries can be manually added or automatically learned by the switch. Based on the MAC-address-to-port mapping in the table, the switch can forward packets only to the associated port.

Table 1-1 The MAC Address Table

1.2 Supported Features

The address table of the switch contains dynamic addresses, static addresses and filtering addresses. For devices which support security configurations, you can configure notification traps and limit the number of MAC addresses in a VLAN for traffic safety.

Address Configurations

■ Dynamic address

Dynamic addresses are addresses learned by the switch automatically, and the switch regularly ages out those that are not in use. That is, the switch removes the MAC address entries related to a network device if no packet is received from the device within the aging time. And you can specify the aging time if needed.

■ Static address

Static addresses are manually added to the address table and do not age. For some relatively fixed connection, for example, frequently visited server, you can manually set the MAC address of the server as a static entry to enhance the forwarding efficiency of the switch.

■ Filtering address

Filtering addresses are manually added and determine the packets with specific source or destination MAC addresses that will should dropped by the switch.

Security Configurations

Note:

Security Configurations are only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If Security Configurations are available, there are L2 FEATURES > Switching > MAC Address > MAC Notifications and L2 FEATURES > Switching > MAC Address > MAC VLAN Security in the menu structure.

■ Configuring MAC Notification Traps

You can configure traps and SNMP (Simple Network Management Protocol) to monitor and receive notifications of the usage of the MAC address table and the MAC address change activity. For example, you can configure the switch to send notifications when a new MAC address is learned, so the administrator knows a new users accesses the network.

■ Limiting the Number of MAC Addresses in VLANs

You can configure VLAN Security to limit the number of MAC addresses that can be learned in specified VLANs. The switch will not learn addresses when the number of learned addresses has reached the limit, preventing the address table from being used up by broadcasting packets of MAC address attacks.

2

MAC Address Configurations

With MAC address table, you can:

■ Add static MAC address entries
■ Change the MAC address aging time
■ Add filtering address entries
■ View address table entries

2.1 Using the GUI

2.1.1 Adding Static MAC Address Entries

You can add static MAC address entries by manually specifying the desired MAC address or binding dynamic MAC address entries.

■ Adding MAC Addresses Manually

Choose the menu L2 FEATURES > Switching > MAC Address > Static Address and click

Add

to load the following page.

Figure 2-1 Adding MAC Addresses Manually

Follow these steps to add a static MAC address entry:

1) Enter the MAC address, VLAN ID and select a port to bind them together as an address entry.

MAC Address Enter the static MAC address to be added to the static MAC address entry.

VLAN ID Specify an existing VLAN in which packets with the specific MAC address are received.

Port Specify a port to which packets with the specific MAC address are forwarded. The port must belong to the specified VLAN.

After you have added the static MAC address, if the corresponding port number of the MAC address is not correct, or the connected port (or the device) has been changed, the switch cannot forward the packets correctly. Please reset the static address entry appropriately.

2) Click Create.

■ Binding Dynamic Address Entries

If some dynamic address entries are frequently used, you can bind these entries as static entries.

Choose the menu L2 FEATURES > Switching > MAC Address > Dynamic Address to load the following page.

Figure 2-2 Binding Dynamic MAC Address Entries

Follow these steps to bind dynamic MAC address entries:

1) In the Dynamic Address Table section, Select your desired MAC address entries.
2) Click Bind, and then the selected entries will become static MAC address entries.

Note:

• In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa.
  • Multicast or broadcast addresses cannot be set as static addresses.
• Ports in LAGs (Link Aggregation Group) are not supported for static address configuration.

2.1.2 Modifying the Aging Time of Dynamic Address Entries

Choose the menu L2 FEATURES > Switching > MAC Address > Dynamic Address to load the following page.

Figure 2-3 Modifying the Aging Time of Dynamic Address Entries

Follow these steps to modify the aging time of dynamic address entries:

1) In the Aging Config section, enable Auto Aging, and enter your desired length of time.

2) Click Apply.

2.1.3 Adding MAC Filtering Address Entries

Choose the menu L2 FEATURES > Switching > MAC Address > Filtering Address and click to load the following page.

Figure 2-4 Adding MAC Filtering Address Entries

Follow these steps to add MAC filtering address entries:

1) Enter the MAC Address and VLAN ID.

MAC Address Specify the MAC address to be used by the switch to filter the received packets.

VLAN ID Specify an existing VLAN in which packets with the specific MAC address are dropped.

2) Click Create.

Note:

• In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa.
  • Multicast or broadcast addresses cannot be set as filtering addresses.

2.1.4 Viewing Address Table Entries

You can view entries in MAC address table to check your former operations and address information.

Choose the menu L2 FEATURES > Switching > MAC Address > Address Table and click

Search to load the following page.

Figure 2-5 Viewing Address Table Entries

2.2 Using the CLI

2.2.1 Adding Static MAC Address Entries

Follow these steps to add static MAC address entries:

Step 1 configure

Enter global configuration mode.

Step 2 mac address-table static mac-addr vid vid interface {fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }

Bind the MAC address, VLAN and port together to add a static address to the VLAN.

mac-addr: Enter the MAC address, and packets with this destination address received in the specified VLAN are forwarded to the specified port. The format is xx:xx:xx:xx:xx:xx, for example, 00:00:00:00:00:01.

vid: Specify an existing VLAN in which packets with the specific MAC address are received.

port: Specify a port to which packets with the specific MAC address are forwarded. The port must belong to the specified VLAN.

Step 3 end

Return to privileged EXEC mode.

Step 4 copy running-config startup-config

Save the settings in the configuration file.

Note:

• In the same VLAN, once an address is configured as a static address, it cannot be set as a filtering address, and vice versa.
  • Multicast or broadcast addresses cannot be set as static addresses.
• Ports in LAGs (Link Aggregation Group) are not supported for static address configuration.

The following example shows how to add a static MAC address entry with MAC address 00:02:58:4f:6c:23, VLAN 10 and port 1. When a packet is received in VLAN 10 with this address as its destination, the packet will be forwarded only to port 1/0/1.

Switch#configure

Switch(config)# mac address-table static 00:02:58:4f:6c:23 vid 10 interface gigabitEthernet 1/0/1

Switch(config)#show mac address-table static

MAC Address Table

Total MAC Addresses for this criterion: 1

Switch(config)#end

Switch#copy running-config startup-config

2.2.2 Modifying the Aging Time of Dynamic Address Entries

Follow these steps to modify the aging time of dynamic address entries:

Step 1 configure

Enter global configuration mode.

Step 2 mac address-table aging-time

aging-time

Set your desired length of address aging time for dynamic address entries.

aging-time: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The valid values are from 10 to 630. Value 0 means the Auto Aging function is disabled. The default value is 300 and we recommend you keep the default value if you are unsure.

Step 3 end

Return to privileged EXEC mode.

Step 4 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to modify the aging time to 500 seconds. A dynamic entry remains in the MAC address table for 500 seconds after the entry is used or updated.

Switch#configure

Switch(config)# mac address-table aging-time 500

Switch(config)#show mac address-table aging-time

Aging time is 500 sec.

Switch(config)#end

Switch#copy running-config startup-config

2.2.3 Adding MAC Filtering Address Entries

Follow these steps to add MAC filtering address entries:

Step 1 configure

Enter global configuration mode.

Step 2 mac address-table filtering

mac-addr vid vid

Add the filtering address to the VLAN.

mac-addr: Specify a MAC address to be used by the switch to filter the received packets. The switch will drop packets of which the source address or destination address is the specified MAC address. The format is xx:xx:xx:xx:xx:xx, for example, 00:00:00:00:00:01.

vid: Specify an existing VLAN in which packets with the specific MAC address will be dropped.

Step 3 end

Return to privileged EXEC mode.

Step 4 copy running-config startup-config

Save the settings in the configuration file.

Note:

• In the same VLAN, once an address is configured as a filtering address, it cannot be set as a static address, and vice versa.
  • Multicast or broadcast addresses cannot be set as filtering addresses.

The following example shows how to add the MAC filtering address 00:1e:4b:04:01:5d to VLAN 10. Then the switch will drop the packet that is received in VLAN 10 with this address as its source or destination.

Switch#configure

Switch(config)# mac address-table filtering 00:1e:4b:04:01:5d vid 10

Switch(config)#show mac address-table filtering

MAC Address Table

Total MAC Addresses for this criterion: 1

Switch(config)#end

Switch#copy running-config startup-config

3 Security Configurations

Note:

Security Configurations are only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If Security Configurations are available, there are L2 FEATURES > Switching > MAC Address > MAC Notifications and L2 FEATURES > Switching > MAC Address > MAC VLAN Security in the menu structure.

With security configurations of the MAC address table, you can:

■ Configure MAC notification traps
■ Limit the number of MAC addresses in VLANs

3.1 Using the GUI

3.1.1 Configuring MAC Notification Traps

Choose the menu L2 FEATURES > Switching > MAC Address > MAC Notification to load the following page.

Figure 3-1 Configuring MAC Notification Traps

Follow these steps to configure MAC notification traps:

1) In the MAC Notification Global Config section, enable this feature, configure the relevant options, and click Apply.

Global Status Enable MAC notification feature globally.

2) In the MAC Notification Port Config section, select one or more ports to configure the notification status. Click Apply.

3) Configure SNMP and set a management host. For detailed SNMP configurations, please refer to Configuring SNMP & RMON.

3.1.2 Limiting the Number of MAC Addresses Learned in VLANs

■ For Certain Devices

Choose the menu L2 FEATURES > Switching > MAC Address > MAC VLAN Security to load the following page.

Figure 3-2 Configuring the MAC VLAN Security Mode

MAC VLAN Security Config

MAC VLAN Security Mode:

Drop

Forward

Apply

MAC VLAN Security Table

Add

Delete

Follow these steps to limit the number of MAC addresses in VLANs:

1) In the MAC VLAN Security Config section, select the security mode for all VLANs.

Drop Packets with new source MAC addresses in the VLAN will be dropped when the maximum number of MAC addresses is exceeded.

Forward Packets of new source MAC addresses will be forwarded but the addresses will not be learned when the maximum number of MAC addresses is exceeded.

2) In the MAC VLAN Security Table section, click Add to load the following page. Enter the VLAN ID and the Max Learned Number to limit the number of MAC addresses that can be learned in the specified VLAN.

Figure 3-3 Limiting the Number of MAC Addresses in VLANs

VLAN ID Specify an existing VLAN in which you want to limit the number of MAC addresses.

3) Click Create.

■ For Certain Devices

Choose the menu L2 FEATURES > Switching > MAC Address > MAC VLAN Security and click Add to load the following page.

Figure 3-4 Limiting the Number of MAC Addresses in VLANs

Follow these steps to limit the number of MAC addresses in VLANs:

1) Enter the VLAN ID to limit the number of MAC addresses that can be learned in the specified VLAN.

VLAN ID Specify an existing VLAN in which you want to limit the number of MAC addresses.

2) Enter your desired value in Max Learned Number to set a threshold.

3) Choose the mode that the switch adopts when the maximum number of MAC addresses in the specified VLAN is exceeded.

Drop Packets with new source MAC addresses in the VLAN will be dropped when the maximum number of MAC addresses in the specified VLAN is exceeded.

Forward Packets of new source MAC addresses will be forwarded but the addresses will not be learned when the maximum number of MAC addresses in the specified VLAN is exceeded.

4) Click Create.

3.2 Using the CLI

3.2.1 Configuring MAC Notification Traps

Follow these steps to configure MAC notification traps:

Step 7 end

Return to privileged EXEC mode.

Step 8 copy running-config startup-config

Save the settings in the configuration file.

Now you have configured MAC notification traps. To receive notifications, you need to further enable SNMP and set a management host. For detailed SNMP configurations, please refer to Configuring SNMP & RMON.

The following example shows how to enable new-MAC-learned trap on port 1, and set the interval time as 10 seconds. After you have further configured SNMP, the switch will bundle notifications of new addresses in every 10 seconds and send to the management host.

Switch#configure

Switch(config)#mac address-table notification global-status enable

Switch(config)#mac address-table notification interval 10

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#mac address-table notification new-mac-learned enable

Switch(config-if)#show mac address-table notification interface gigabitEthernet 1/0/1

Mac Notification Global Config

Notification Global Status : enable

Table Full Notification Status: disable

Notification Interval : 10

Port LrnMode Change New Mac Learned

Gi1/0/1 disable enable

Switch(config-if)#end

Switch#copy running-config startup-config

3.2.2 Limiting the Number of MAC Addresses in VLANs

■ For Certain Devices

Follow these steps to limit the number of MAC addresses in VLANs:

Step 1 configure

Enter global configuration mode.

Step 2 mac address-table vlan-security mode {drop | forward}

Specify the VLAN security mode for all the VLANs.

drop | forward: The mode that the switch adopts when the maximum number of MAC addresses in the specified VLAN is exceeded.

drop: Packets of new source MAC addresses in the VLAN will be dropped when the maximum number of MAC addresses in the specified VLAN is exceeded.

forward: Packets of new source MAC addresses will be forwarded but the addresses not learned when the maximum number of MAC addresses in the specified VLAN is exceeded.

Step 3 mac address-table vlan-security vid

vid max-learn num

Configure the maximum number of MAC addresses in the specified VLAN and select a mode for the switch to adopt when the maximum number is exceeded.

vid: Specify an existing VLAN in which you want to limit the number of MAC addresses.

num: Set the maximum number of MAC addresses in the specific VLAN. It ranges from 0 to 16383.

Step 4 end

Return to privileged EXEC mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to limit the number of MAC addresses to 100 in VLAN 10, and configure the switch to drop packets of new source MAC addresses when the limit is exceeded.

Switch#configure

Switch(config)#mac address-table vlan-security mode drop

Switch(config)#mac address-table vlan-security vid 10 max-learn 100

Switch(config)#show mac address-table vlan-security vid 10

Switch(config)#end

Switch#copy running-config startup-config

■ For Certain Devices

Follow these steps to limit the number of MAC addresses in VLANs:

Step 1 configure

Enter global configuration mode.

Step 2 mac address-table security vid

vid max-learn num {drop | forward}

Configure the maximum number of MAC addresses in the specified VLAN and select a mode for the switch to adopt when the maximum number is exceeded.

vid: Specify an existing VLAN in which you want to limit the number of MAC addresses.

num: Set the maximum number of MAC addresses in the specific VLAN. It ranges from 0 to 16383.

drop | forward: The mode that the switch adopts when the maximum number of MAC addresses in the specified VLAN is exceeded.

drop: Packets of new source MAC addresses in the VLAN will be dropped when the maximum number of MAC addresses in the specified VLAN is exceeded.

forward: Packets of new source MAC addresses will be forwarded but the addresses not learned when the maximum number of MAC addresses in the specified VLAN is exceeded.

Step 3 end

Return to privileged EXEC mode.

Step 4 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to limit the number of MAC addresses to 100 in VLAN 10, and configure the switch to drop packets of new source MAC addresses when the limit is exceeded.

Switch#configure

Switch(config)#mac address-table security vid 10 max-learn 100 drop

Switch(config)#show mac address-table security vid 10

Switch(config)#end

Switch#copy running-config startup-config

4 Example for Security Configurations

4.1 Network Requirements

Several departments are connected to the company network as shown in Figure 4-1. Now the Marketing Department that is in VLAN 10 has network requirements as follows:

■ Free the network system from illegal accesses and MAC address attacks by limiting the number of access users in this department to 100.
■ Assist the network manager supervising the network with notifications of any new access users.

Figure 4-1 The Network Topology

graph TD
    A["Internet"] --> B["Switch"]
    B --> C["Gi1/0/1"]
    B --> D["Gi1/0/2"]
    B --> E["Gi1/0/3"]
    C --> F["Marketing Department VLAN 10"]
    C --> G["R&D Department VLAN 30"]
    D --> H["..."]

4.2 Configuration Scheme

VLAN Security can be configured to limit the number of access users and in this way to prevent illegal accesses and MAC address attacks.

MAC Notification and SNMP can be configured to monitor the interface which is used by the Marketing Department. Enable the new-MAC-learned notification and the SNMP, then the network manager can get notifications when new users access the network.

Demonstrated with T2600G-28TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.

4.3 Using the GUI

1) Choose the menu L2 FEATURES > Switching > MAC Address > MAC VLAN Security and click Add to load the following page. Set the maximum number of MAC address in VLAN 10 as 100, choose drop mode and click Create.

Figure 4-2 Configuring VLAN Security

2) Choose the menu L2 FEATURES > Switching > MAC Address > MAC Notification to load the following page. Enable Global Status, set notification interval as 10 seconds, and click Apply. Then, enable new-mac-learned trap on port 1/0/2 and click Apply.

Figure 4-3 Configuring New-MAC-learned Traps

3) Click Save the settings.
4) Enable SNMP and set a management host. For detailed SNMP configurations, please refer to Configuring SNMP & RMON.

4.4 Using the CLI

1) Set the maximum number of MAC address in VLAN 10 as 100, and choose drop mode.
Switch#configure
Switch(config)#mac address-table security vid 10 max-learn 100 drop
2) Configure the new-MAC-learned trap on port 1/0/2 and set notification interval as 10 seconds.
Switch(config)#mac address-table notification global-status enable
Switch(config)#mac address-table notification interval 10
Switch(config)#interface gigabitEthernet 1/0/2
Switch(config-if)#mac address-table notification new-mac-learned enable
Switch(config-if)#end
Switch#copy running-config startup-config

3) Configure SNMP and set a management host. For detailed SNMP configurations, please refer to Configuring SNMP & RMON.

Verify the Configurations

Verify the configuration of VLAN Security.

Switch#show mac address-table security vid 10

Verify the configuration of MAC Notification on port 1/0/2.

Switch#show mac address-table notification interface gigabitEthernet 1/0/2

Port LrnMode Change New Mac Learned

Gi1/0/2 disable enable

5 Appendix: Default Parameters

Default settings of the MAC Address Table are listed in the following tables.

Table 5-1 Entries in the MAC Address Table

Table 5-2 Default Settings of Dynamic Address Table

Table 5-3 Default Settings of MAC Notification

Part 7

Configuring

802.1Q VLAN

CHAPTERS

1. Overview
2. 802.1Q VLAN Configuration
3. Configuration Example
4. Appendix: Default Parameters

1 Overview

VLAN (Virtual Local Area Network) is a network technique that solves broadcasting issues in local area networks. It is usually applied in the following occasions:

■ To restrict broadcast domain: VLAN technique divides a big local area network into several VLANs, and all VLAN traffic remains within its VLAN. It reduces the influence of broadcast traffic in Layer 2 network to the whole network.
■ To enhance network security: Devices from different VLANs cannot achieve Layer 2 communication, and thus users can group and isolate devices to enhance network security.
■ For easier management: VLANs group devices logically instead of physically, so devices in the same VLAN need not be located in the same place. It eases the management of devices in the same work group but located in different places.

2 802.1Q VLAN Configuration

To complete 802.1Q VLAN configuration, follow these steps:

1) Configure the VLAN, including creating a VLAN and adding the desired ports to the VLAN.
2) Configure port parameters for 802.1Q VLAN.

2.1 Using the GUI

2.1.1 Configuring the VLAN

Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page.

Figure 2-1 Configuring VLAN

Follow these steps to configure VLAN:

1) Enter a VLAN ID and a description for identification to create a VLAN.

VLAN ID Enter a VLAN ID for identification with the values between 2 and 4094.

VLAN Name Give a VLAN description for identification with up to 16 characters.

2) Select the untagged port(s) and the tagged port(s) respectively to add to the created VLAN based on the network topology.

Untagged port The selected ports will forward untagged packets in the target VLAN.

Tagged port The selected ports will forward tagged packets in the target VLAN.

3) Click Apply.

2.1.2 Configuring Port Parameters for 802.1Q VLAN

Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page.

Figure 2-2 Configuring the Port

Select a port and configure the parameters. Click Apply.

LAG Displays the LAG (Link Aggregation Group) which the port belongs to.

Details Click the Details button to view the VLANs to which the port belongs.

2.2 Using the CLI

2.2.1 Creating a VLAN

Follow these steps to create a VLAN:

Step 1 configure
Enter global configuration mode.

The following example shows how to create VLAN 2 and name it as RD:

Switch#configure

Switch(config)#vlan 2

Switch(config-vlan)#name RD

Switch(config-vlan)#show vlan id 2

Switch(config-vlan)#end

Switch#copy running-config startup-config

2.2.2 Adding the Port to the Specified VLAN

Follow these steps to add the port to the specified VLAN:

The following example shows how to add the port 1/0/5 to VLAN 2, and specify its egress rule as tagged:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/5

Switch(config-if)#switchport general allowed vlan 2 tagged

Switch(config-if)#show interface switchport gigabitEthernet 1/0/5

Port Gi1/0/5:

PVID: 2

Acceptable frame type: All

Ingress Checking: Enable

Member in LAG: N/A

Link Type: General

Member in VLAN:

Vlan Name Egress-rule

1 System-VLAN Untagged

2 RD Tagged

Switch(config-if)#end

Switch#copy running-config startup-config

2.2.3 Configuring the Port

Follow these steps to configure the port:

Step 1 configure

Enter global configuration mode.

Step 2 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list}

Enter interface configuration mode.

Step 3 switchport pvid

vlan-id

Configure the PVID of the port(s). By default, it is 1.

vlan-id: The default VLAN ID of the port with the values between 1 and 4094.

Step 4 switchport check ingress

Enable or disable Ingress Checking. With this function enabled, the port will accept the packet of which the VLAN ID is in the port's VLAN list and discard others. With this function disabled, the port will forward the packet directly.

Step 5

switchport acceptable frame {all | tagged}

Select the acceptable frame type for the port and the port will perform this operation before Ingress Checking.

all: The port will accept both the tagged packets and the untagged packets.

tagged: The port will accept the tagged packets only.

Step 6 end

Return to privileged EXEC mode.

Step 7 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to configure the PVID of port 1/0/5 as 2, enable the ingress checking and set the acceptable frame type as all:

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/5

Switch(config-if)#switchport pvid 2

Switch(config-if)#switchport check ingress

Switch(config-if)#switchport acceptable frame all

Switch(config-if)#show interface switchport gigabitEthernet 1/0/5

Port Gi1/0/5:

PVID: 2

Acceptable frame type: All

Ingress Checking: Enable

Member in LAG: N/A

Link Type: General

Member in VLAN:

Vlan Name Egress-rule

1 System-VLAN Untagged

Switch(config-if)#end

Switch#copy running-config startup-config

3 Configuration Example

3.1 Network Requirements

■ Offices of Department A and Department B in the company are located in different places, and some computers in different offices connect to the same switch.
It is required that computers can communicate with each other in the same department but not with computers in the other department.

3.2 Configuration Scheme

■ Divide computers in Department A and Department B into two VLANs respectively so that computers can communicate with each other in the same department but not with computers in the other department.
■ Terminal devices like computers usually do not support VLAN tags. Add untagged ports to the corresponding VLANs and specify the PVID.
■ The intermediate link between two switches carries traffic from two VLANs simultaneously. Add the tagged ports to both VLANs.

3.3 Network Topology

The figure below shows the network topology. Host A1 and Host A2 are in Department A, while Host B1 and Host B2 are in Department B. Switch 1 and Switch 2 are located in two different places. Host A1 and Host B1 are connected to port 1/0/2 and port 1/0/3 on Switch 1 respectively, while Host A2 and Host B2 are connected to port 1/0/6 and port 1/0/7 on Switch 2 respectively. Port 1/0/4 on Switch 1 is connected to port 1/0/8 on Switch 2.

Figure 3-1 Network Topology

graph TD
    subgraph VLAN 10
        HostA1["Host A1"] -->|Gi1/0/2| Switch1["Switch 1"]
        HostA2["Host A2"] -->|Gi1/0/2| Switch1
        Switch1 -->|Gi1/0/4| Switch2["Switch 2"]
        Switch2 -->|Gi1/0/6| HostB1["Host B1"]
        Switch2 -->|Gi1/0/7| HostB2["Host B2"]
        Switch1 -->|Gi1/0/8| Switch2
    end
    subgraph VLAN 20
        Switch1 -->|Gi1/0/3| Switch1
        Switch1 -->|Gi1/0/4| Switch2
        Switch2 -->|Gi1/0/7| HostB2
        Switch2 -->|Gi1/0/8| HostB1
        Switch2 --> HostB2
    end

Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

3.4 Using the GUI

The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example.

1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 10 with the description of Department_A. Add port 1/0/2 as an untagged port and port 1/0/4 as a tagged port to VLAN 10. Click Create.

Figure 3-2 Creating VLAN 10 for Department A

2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click to load the following page. Create VLAN 20 with the description of Department_B. Add port 1/0/3 as an untagged port and port 1/0/4 as a tagged port to VLAN 20. Click Create.

Figure 3-3 Creating VLAN 20 for Department B

3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 as 10 and click Apply. Set the PVID of port 1/0/3 as 20 and click Apply.

Figure 3-4 Specifying the PVID for the Ports

4) Click save the settings.

3.5 Using the CLI

The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example.

1) Create VLAN 10 for Department A, and configure the description as Department-A. Similarly, create VLAN 20 for Department B, and configure the description as Department-B.

Switch_1#configure

Switch_1(config)#vlan 10

Switch_1(config-vlan)#name Department-A

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 20

Switch_1(config-vlan)#name Department-B

Switch_1(config-vlan)#exit

2) Add untagged port 1/0/2 and tagged port 1/0/4 to VLAN 10. Add untagged port 1/0/3 and tagged port 1/0/4 to VLAN 20.

Switch_1(config)#interface gigabitEthernet 1/0/2

Switch_1(config-if)#switchport general allowed vlan 10 untagged

Switch_1(config-if)#exit

Switch_1(config)#interface gigabitEthernet 1/0/3

Switch_1(config-if)#switchport general allowed vlan 20 untagged

Switch_1(config-if)#exit

Switch_1(config)#interface gigabitEthernet 1/0/4

Switch_1(config-if)#switchport general allowed vlan 10 tagged

Switch_1(config-if)#switchport general allowed vlan 20 tagged

Switch_1(config-if)#exit

3) Set the PVID of port 1/0/2 as 10, and set the PVID of port 1/0/3 as 20.

Switch_1(config)#interface gigabitEthernet 1/0/2

Switch_1(config-if)#switchport pvid 10

Switch_1(config-if)#exit

Switch_1(config)#interface gigabitEthernet 1/0/3

Switch_1(config-if)#switchport pvid 20

Switch_1(config-if)#end

Switch_1#copy running-config startup-config

Verify the Configurations

Verify the VLAN configuration:

Switch_1#show vlan

Primary Secondary Type Ports

Verify the VLAN configuration:

Switch_1(config)#show interface switchport

...

4 Appendix: Default Parameters

Default settings of 802.1Q VLAN are listed in the following table.

Table 4-1 Default Settings of 802.1Q VLAN

Part 8

Configuring MAC VLAN

CHAPTERS

1. Overview
2. MAC VLAN Configuration
3. Configuration Example
4. Appendix: Default Parameters

1 Overview

VLAN is generally divided by ports. It is a common way of division but isn't suitable for those networks that require frequent topology changes. With the popularity of mobile office, at different times a terminal device may access the network via different ports. For example, a terminal device that accessed the switch via port 1 last time may change to port 2 this time. If port 1 and port 2 belong to different VLANs, the user has to re-configure the switch to access the original VLAN. Using MAC VLAN can free the user from such a problem. It divides VLANs based on the MAC addresses of terminal devices. In this way, terminal devices always belong to their MAC VLANs even when their access ports change.

The figure below shows a common application scenario of MAC VLAN.

Figure 1-1 Common Application Scenario of MAC VLAN

graph TD
    ServerA["Server A VLAN 10"] --> Switch3["Switch 3"]
    ServerB["Server B VLAN 20"] --> Switch3
    Switch1["Switch 1 Switch 2"] --> Switch3
    Switch1 --> MeetingRoom1["Meeting Room 1"]
    Switch1 --> LaptopA["Laptop A"]
    Switch1 --> LaptopB["Laptop B"]
    Switch3 --> Switch1
    Switch3 --> Switch2["Switch 2"]
    Switch3 --> Switch3

Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in. To meet this requirement, simply bind the MAC addresses of the laptops to the corresponding VLANs respectively. In this way, the MAC address determines the VLAN each laptop joins. Each laptop can access only the server in the VLAN it joins.

2 MAC VLAN Configuration

To complete MAC VLAN configuration, follow these steps:

1) Configure 802.1Q VLAN.
2) Bind the MAC address to the VLAN.
3) Enable MAC VLAN for the port.

Configuration Guidelines

When a port in a MAC VLAN receives an untagged data packet, the switch will first check whether the source MAC address of the data packet has been bound to the MAC VLAN. If yes, the switch will insert the corresponding tag to the data packet and forward it within the VLAN. If no, the switch will continue to match the data packet with the matching rules of other VLANs (such as the protocol VLAN). If there is a match, the switch will forward the data packet. Otherwise, the switch will process the data packet according to the processing rule of the 802.1 Q VLAN. When the port receives a tagged data packet, the switch will directly process the data packet according to the processing rule of the 802.1 Q VLAN.

2.1 Using the GUI

2.1.1 Configuring 802.1Q VLAN

Before configuring MAC VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN.

2.1.2 Binding the MAC Address to the VLAN

Choose the menu L2 FEATURES > VLAN > MAC VLAN and click to load the following page.

Figure 2-1 Creating MAC VLAN

Follow these steps to bind the MAC address to the 802.1Q VLAN:

1) Enter the MAC address of the device, give it a description, and enter the VLAN ID to bind it to the VLAN.

MAC Address Enter the MAC address of the device in the format of 00-00-00-00-00-01.

Description Give a MAC address description for identification with up to 8 characters.

VLAN ID/Name Enter the ID number or name of the 802.1Q VLAN that will be bound to the MAC VLAN..

2) Click Create.

Note:

One MAC address can be bound to only one VLAN.

2.1.3 Enabling MAC VLAN for the Port

By default, MAC VLAN is disabled on all ports. You need to enable MAC VLAN for your desired ports manually.

Choose the menu L2 FEATURES > VLAN > MAC VLAN to load the following page.

Figure 2-2 Enabling MAC VLAN for the Port

In the Port Enable section, select the desired ports to enable MAC VLAN, and click Apply.

Note:

The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.

2.2 Using the CLI

2.2.1 Configuring 802.1Q VLAN

Before configuring MAC VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN.

2.2.2 Binding the MAC Address to the VLAN

Follow these steps to bind the MAC address to the VLAN:

Step 1 configure

Enter global configuration mode.

Step 2 mac-vlan mac-address

mac-addr vlan vlan-id [description descript]

Bind the MAC address to the VLAN.

mac-addr: Specify the MAC address of the device in the format of xx:xx:xx:xx:xx:xx.

vlan-id: Enter the ID number of the 802.1Q VLAN that will be bound to the MAC VLAN.

descript: Specify the MAC address description for identification, with up to 8 characters.

Step 3 show mac-vlan { all | mac-address

mac-addr | vlan vlan-id }

Verify the configuration of MAC VLAN.

vid: Specify the MAC VLAN to be displayed.

Step 4 end

Return to privileged EXEC mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to bind the MAC address 00:19:56:8A:4C:71 to VLAN 10, with the address description as Dept.A.

Switch#configure

Switch(config)#mac-vlan mac-address 00:19:56:8a:4c:71 vlan 10 description Dept.A

Switch(config)#show mac-vlan vlan 10

MAC-Addr

Name

VLAN-ID

00:19:56:8A:4C:71

Dept.A

10

Switch(config)#end

Switch#copy running-config startup-config

2.2.3 Enabling MAC VLAN for the Port

Follow these steps to enable MAC VLAN for the port:

Step 1 configure

Enter global configuration mode.

Step 3 mac-vlan

Enable MAC VLAN for the port.

Step 4 show mac-vlan interface

Verify the configuration of MAC VLAN on each interface.

Step 5 end

Return to privileged EXEC mode.

Step 6 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable MAC VLAN for port 1/0/1.

Switch#configure

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#mac-vlan

Switch(config-if)#show mac-vlan interface

Port STATUS

Gi1/0/1 Enable

Gi1/0/2 Disable

...

Switch(config-if)#end

Switch#copy running-config startup-config

3 Configuration Example

3.1 Network Requirements

Two departments share all the meeting rooms in the company, but use different servers and laptops. Department A uses Server A and Laptop A, while Department B uses Server B and Laptop B. Server A is in VLAN 10 while Server B is in VLAN 20. It is required that Laptop A can only access Server A and Laptop B can only access Server B, no matter which meeting room the laptops are being used in. The figure below shows the network topology.

Figure 3-1 Network Topology

graph TD
    ServerA["Server A VLAN 10"] --> Switch1["Switch 1 Switch 2"]
    ServerB["Server B VLAN 20"] --> Switch1
    Switch1 -->|Gi1/0/2 Gi1/0/2| Switch3["Switch 3 Gi1/0/3Gi1/0/2"]
    Switch3 -->|Gi1/0/5Gi1/0/4| Switch1
    Switch1 -->|Gi1/0/3Gi1/0/2| Switch3
    Switch1 -->|Gi1/0/1Gi1/0/1| MeetingRoom1["Meeting Room 1"]
    Switch1 -->|Gi1/0/2 Gi1/0/2| MeetingRoom2["Meeting Room 2"]
    Switch1 -->|Gi1/0/1Gi1/0/1| LaptopA["Laptop A 00-19-56-8A-4C-71"]
    Switch1 -->|Gi1/0/2 Gi1/0/2| LaptopB["Laptop B 00-19-56-82-3B-70"]

3.2 Configuration Scheme

You can configure MAC VLAN to meet this requirement. On Switch 1 and Switch 2, bind the MAC addresses of the laptops to the corresponding VLANs respectively. In this way, each laptop can access only the server in the VLAN it joins, no matter which meeting room the laptops are being used in. The overview of the configuration is as follows:

1) Create VLAN 10 and VLAN 20 on each of the three switches and add the ports to the VLANs based on the network topology. For the ports connecting the laptops, set the

egress rule as Untagged; for the ports connecting to other switch, set the egress rule as Tagged.

2) On Switch 1 and Switch 2, bind the MAC addresses of the laptops to their corresponding VLANs, and enable MAC VLAN for the ports.

Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

3.3 Using the GUI

■ Configurations for Switch 1 and Switch 2

The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example.

1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click Add to load the following page. Create VLAN 10, and add untagged port 1/0/1 and tagged port 1/0/2 to VLAN 10. Click Create.

Figure 3-2 Creating VLAN 10

2) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click Add to load the following page. Create VLAN 20, and add untagged port 1/0/1 and tagged port 1/0/2 to VLAN 20. Click Create.

Figure 3-3 Creating VLAN 20

3) Choose the menu L2 FEATURES > VLAN > MAC VLAN and click Add to load the following page. Specify the corresponding parameters and click Create to bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20.

Figure 3-4 Creating MAC VLAN

4) Choose the menu L2 FEATURES > VLAN > MAC VLAN to load the following page. In the Port Enable section select port 1/0/1 and click Apply to enable MAC VLAN.

Figure 3-5 Enabling MAC VLAN for the Port

5) Click Save the settings.

■ Configurations for Switch 3

1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click

Add to load the following page. Create VLAN 10, and add untagged port 1/0/4 and tagged ports 1/0/2-3 to VLAN 10. Click Create.

Figure 3-6 Creating VLAN 10

2) Click Create to load the following page. Create VLAN 20, and add untagged port 1/0/5 and tagged ports 1/0/2-3 to VLAN 20. Click Create.

Figure 3-7 Creating VLAN 20

3) Click Save the settings.

3.4 Using the CLI

■ Configurations for Switch 1 and Switch 2

The configurations of Switch 1 and Switch 2 are the same. The following introductions take Switch 1 as an example.

1) Create VLAN 10 for Department A and create VLAN 20 for Department B.

Switch_1#configure

Switch_1(config)#vlan 10

Switch_1(config-vlan)#name deptA

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 20

Switch_1(config-vlan)#name deptB

Switch_1(config-vlan)#exit

2) Add tagged port 1/0/2 and untagged port 1/0/1 to both VLAN 10 and VLAN 20. Then enable MAC VLAN on port 1/0/1.

Switch_1(config)#interface gigabitEthernet 1/0/2

Switch_1(config-if)#switchport general allowed vlan 10,20 tagged

Switch_1(config-if)#exit

Switch_1(config)#interface gigabitEthernet 1/0/1

Switch_1(config-if)#switchport general allowed vlan 10,20 untagged

Switch_1(config-if)#mac-vlan

Switch_1(config-if)#exit

3) Bind the MAC address of Laptop A to VLAN 10 and bind the MAC address of Laptop B to VLAN 20.

Switch_1(config)#mac-vlan mac-address 00:19:56:8A:4C:71 vlan 10 description PCA

Switch_1(config)#mac-vlan mac-address 00:19:56:82:3B:70 vlan 20 description PCB

Switch_1(config)#end

Switch_1#copy running-config startup-config

■ Configurations for Switch 3

1) Create VLAN 10 for Department A and create VLAN 20 for Department B.

Switch_3#configure

Switch_3(config)#vlan 10

Switch_3(config-vlan)#name deptA

Switch_3(config-vlan)#exit

Switch_3(config)#vlan 20

Switch_3(config-vlan)#name deptB

Switch_3(config-vlan)#exit

2) Add tagged port 1/0/2 and port 1/0/3 to both VLAN 10 and VLAN 20.

Switch_3(config)#interface gigabitEthernet 1/0/2

Switch_3(config-if)#switchport general allowed vlan 10,20 tagged

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/3

Switch_3(config-if)#switchport general allowed vlan 10,20 tagged

Switch_3(config-if)#exit

3) Add untagged port 1/0/4 to VLAN 10 and untagged port 1/0/5 to VLAN 20.

Switch_3(config)#interface gigabitEthernet 1/0/4

Switch_3(config-if)#switchport general allowed vlan 10 untagged

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/5

Switch_3(config-if)#switchport general allowed vlan 20 untagged

Switch_3(config-if)#end

Switch_3#copy running-config startup-config

Verify the Configurations

Switch 1

Switch_1#show mac-vlan all

00:19:56:8A:4C:71 PCA 10

00:19:56:82:3B:70 PCB 20

Switch 2

Switch_2#show mac-vlan all

00:19:56:8A:4C:71 PCA 10

00:19:56:82:3B:70 PCB 20

Switch 3

Switch_3#show vlan

4 Appendix: Default Parameters

Default settings of MAC VLAN are listed in the following table.

Table 4-1 Default Settings of MAC VLAN

Part 9

Configuring Protocol VLAN

CHAPTERS

1. Overview
2. Protocol VLAN Configuration
3. Configuration Example
4. Appendix: Default Parameters

1 Overview

Protocol VLAN is a technology that divides VLANs based on the network layer protocol. With the protocol VLAN rule configured on the basis of the existing 802.1Q VLAN, the switch can analyze specific fields of received packets, encapsulate the packets in specific formats, and forward the packets with different protocols to the corresponding VLANs. Since different applications and services use different protocols, network administrators can use protocol VLAN to manage the network based on specific applications and services.

The figure below shows a common application scenario of protocol VLAN. With protocol VLAN configured, Switch 2 can forward IPv4 and IPv6 packets from different VLANs to the IPv4 and IPv6 networks respectively.

Figure 1-1 Common Application Scenario of Protocol VLAN

graph TD
    A["IPv4 Internet"] --> B["Switch 1"]
    C["IPv6 Internet"] --> D["Switch 2"]
    E["RouterRouter"] --> D
    B --> F["VLAN 20VLAN 10"]
    D --> G["VLAN 20VLAN 10"]
    F --> H["IPv4 Hosts VLAN 10"]
    G --> I["IPv6 Hosts VLAN 20"]

2 Protocol VLAN Configuration

To complete protocol VLAN configuration, follow these steps:

1) Configure 802.1Q VLAN.
2) Create protocol template.
3) Configure Protocol VLAN.

Configuration Guidelines

■ You can use the IP, ARP, RARP, and other protocol templates provided by TP-Link switches, or create new protocol templates.
In a protocol VLAN, when a port receives an untagged data packet, the switch will first search for the protocol VLAN matching the protocol type value of the packet. If there is a match, the switch will insert the corresponding VLAN tag to the data packet and forward it within the VLAN. Otherwise, the switch will forward the data packet to the default VLAN based on the PVID (Port VLAN ID) of the receiving port. (If MAC VLAN is also configured, the switch will first process Protocol VLAN, then MAC VLAN.) When the port receives a tagged data packet, the switch will directly process the data packet according to the processing rule of the 802.1 Q VLAN.

2.1 Using the GUI

2.1.1 Configuring 802.1Q VLAN

Before configuring protocol VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN.

2.1.2 Creating Protocol Template

Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol Template to load the following page.

Figure 2-1 Check the Protocol Template

Follow these steps to create a protocol template:

1) Check whether your desired template already exists in the Protocol Template Config section. If not, click to create a new template.

Figure 2-2 Creating a Protocol Template

Template Name Give a protocol name to identify the protocol template.

Frame Type Select the frame type of the new protocol template.

Ethernet II: A common Ethernet frame format. Select to specify the Frame Type by entering the Ether Type.

SNAP: An Ethernet 802.3 frame format based on IEEE 802.3 and IEEE 802.2 SNAP. Select to specify the Frame Type by entering the Ether Type.

LLC: An Ethernet 802.3 frame format based on IEEE 802.3 and IEEE 802.2 LLC. Select to specify the Frame Type by entering the DSAP and SSAP.

Ether Type Enter the Ethernet protocol type value for the protocol template. It is available when Ethernet II and SNAP is selected. It is the Ether Type field in the frame and is used to identify the data type of the frame.

2) Click Create.

Note:

A protocol template that is bound to a VLAN cannot be deleted.

2.1.3 Configuring Protocol VLAN

Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol VLAN Group and click to load the following page.

Figure 2-3 Configure the Protocol VLAN Group

Follow these steps to configure the protocol group:

1) In the Protocol Group Config section, specify the following parameters.

Template Name Select the previously defined protocol template.

VLAN ID/Name Enter the ID number or name of the 802.1Q VLAN that will be bound to the Protocol VLAN.

802.1p Priority

Specify the 802.1p priority for the packets that belong to the protocol VLAN. The switch will determine the forwarding sequence according this value. The packets with larger value of 802.1p priority have the higher priority.

2) Select the desired ports. Click Create.

Note:

The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.

2.2 Using the CLI

2.2.1 Configuring 802.1Q VLAN

Before configuring protocol VLAN, create an 802.1Q VLAN and set the port type according to network requirements. For details, refer to Configuring 802.1Q VLAN.

2.2.2 Creating a Protocol Template

Follow these steps to create a protocol template:

Step 1 configure

Enter global configuration mode.

Step 2 protocol-vlan template name

protocol-name frame { ether_2 ether-type type | snap

ether-type type | llc dsap dsap_type ssap ssap_type}

Create a protocol template.

protocol-name: Specify the protocol name with 1 to 8 characters.

type: Enter4 hexadecimal numbers as the Ethernet protocol type for the protocol template. It is the Ether Type field in the frame and is used to identify the data type of the frame.

dsap_type: Enter 2 hexadecimal numbers as the DSAP value for the protocol template. It is the DSAP field in the frame and is used to identify the data type of the frame.

ssap_type: Enter 2 hexadecimal numbers as the SSAP value for the protocol template. It is the SSAP field in the frame and is used to identify the data type of the frame.

Step 3 show protocol-vlan template

Verify the protocol templates.

Step 4 end

Return to Privileged EXEC Mode.

Step 5 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to create an IPv6 protocol template:

Switch#configure

Switch(config)#protocol-vlan template name IPv6 frame ether_2 ether-type 86dd

Switch(config)#show protocol-vlan template

Switch(config)#end

Switch#copy running-config startup-config

2.2.3 Configuring Protocol VLAN

Follow these steps to configure protocol VLAN:

Step 1 configure

Enter global configuration mode.

Step 2 show protocol-vlan template

Check the index of each protocol template.

Step 3 protocol-vlan vlan

vid priority priority template index

Bind the protocol template to the VLAN.

vid : Enter the ID number of the 802.1Q VLAN that will be bound to the Protocol VLAN.

priority: Specify the 802.1p priority for the packets that belong to the protocol VLAN. The switch will determine the forwarding sequence according this value. The packets with larger value of 802.1p priority have the higher priority.

index : Specify the protocol template index.

Step 4 show protocol-vlan vlan

Check the protocol VLAN index (entry-id) of each protocol group.

The following example shows how to bind the IPv6 protocol template to VLAN 10 and add port 1/0/2 to protocol VLAN:

Switch#configure

Switch(config)#show protocol-vlan template

Switch(config)#protocol-vlan vlan 10 priority 5 template 6

Switch(config)#show protocol-vlan vlan

Switch(config)#interface gigabitEthernet 1/0/2

Switch(config-if)#protocol-vlan group 1

Switch(config-if)#show protocol-vlan vlan

Switch(config-if)#end

Switch#copy running-config startup-config

3 Configuration Example

3.1 Network Requirements

A company uses both IPv4 and IPv6 hosts, and these hosts access the IPv4 network and IPv6 network respectively via different routers. It is required that IPv4 packets are forwarded to the IPv4 network, IPv6 packets are forwarded to the IPv6 network, and other packets are dropped.

The figure below shows the network topology. The IPv4 host belongs to VLAN 10, the IPv6 host belongs to VLAN 20, and these hosts access the network via Switch 1. Switch 2 is connected to two routers to access the IPv4 network and IPv6 network respectively. The routers belong to VLAN 10 and VLAN 20 respectively.

Figure 3-1 Network Topology

graph TD
    A["IPv4 Internet"] --> B["Router 2Router 1"]
    B --> C["Switch 2"]
    C --> D["IPv4 Host IPv6 Host"]
    A --> E["Router 2Router 1"]
    E --> F["Switch 1"]
    F --> G["IPv4 Host IPv6 Host"]
    C --> H["Gi1/0/1 VLAN 10"]
    C --> I["Gi1/0/3 VLAN 20"]
    C --> J["Gi1/0/2 VLAN 20"]

3.2 Configuration Scheme

You can configure protocol VLAN on port 1/0/1 of Switch 2 to meet this requirement. When this port receives packets, Switch 2 will forward them to the corresponding VLANs according to their protocol types. The overview of the configuration on Switch 2 is as follows:

1) Create VLAN 10 and VLAN 20 and add each port to the corresponding VLAN.
2) Use the IPv4 protocol template provided by the switch, and create the IPv6 protocol template.
3) Bind the protocol templates to the corresponding VLANs to form protocol groups, and add port 1/0/1 to the groups.

For Switch 1, configure 802.1Q VLAN according to the network topology.

Demonstrated with T1600G-28TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.

3.3 Using the GUI

■ Configurations for Switch 1

1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click

Add to load the following page. Create VLAN 10, and add untagged port 1/0/1 and gged port 1/0/3 to VLAN 10. Click Create.

Figure 3-2 Create VLAN 10

2) Click + Add to load the following page. Create VLAN 20, and add untagged ports 1/0/2-3 to VLAN 20. Click Create.

Figure 3-3 Create VLAN 20

3) Click Save the settings.

■ Configurations for Switch 2

1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click Add to load the following page. Create VLAN 10, and add tagged port 1/0/1 and untagged port 1/0/2 to VLAN 10. Click Create.

Figure 3-4 Create VLAN 10

2) Click + Add to load the following page. Create VLAN 20, and add tagged port 1/0/1 and untagged port 1/0/3 to VLAN 20. Click Create.

Figure 3-5 Create VLAN 20

3) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > Port Config to load the following page. Set the PVID of port 1/0/2 and port 1/0/3 as 10 and 20 respectively. Click Apply.

Figure 3-6 Port Configuration

4) Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol Template and click + Add to load the following page. Enter IPv6 in the protocol name, select the Ethernet II frame type, enter 86DD in the Ether Type field, and click Create to create the IPv6 protocol template.

Tips: The IPv4 protocol template is already provided by the switch. You only need to create the IPv6 protocol template.

Figure 3-7 Create the IPv6 Protocol Template

5) Choose the menu L2 FEATURES > VLAN > Protocol VLAN > Protocol VLAN Group and click to load the following page. Select the IP protocol name (that is the IPv4 protocol template), enter VLAN ID 10, select port 1, and click Create. Select the IPv6 protocol name, enter VLAN ID 20, select port 1, and click Create.

Figure 3-8 Configure the IPv4 Protocol Group

Figure 3-9 Configure the IPv6 Protocol Group

6) Click Save the settings.

3.4 Using the CLI

■ Configurations for Switch 1

1) Create VLAN 10 and VLAN 20.

Switch_1#configure

Switch_1(config)#vlan 10

Switch_1(config-vlan)#name IPv4

Switch_1(config-vlan)#exit

Switch_1(config)#vlan 20

Switch_1(config-vlan)#name IPv6

Switch_1(config-vlan)#exit

2) Add untagged port 1/0/1 to VLAN 10. Add untagged port 1/0/2 to VLAN 20. Add untagged port 1/0/3 to both VLAN10 and VLAN 20.

Switch_1(config)#interface gigabitEthernet 1/0/1

Switch_1(config-if)#switchport general allowed vlan 10 untagged

Switch_1(config-if)#exit

Switch_1(config)#interface gigabitEthernet 1/0/2

Switch_1(config-if)#switchport general allowed vlan 20 untagged

Switch_1(config-if)#exit

Switch_1(config)#interface gigabitEthernet 1/0/3

Switch_1(config-if)#switchport general allowed vlan 10,20 untagged

Switch_1(config-if)#end

Switch_1#copy running-config startup-config

■ Configurations for Switch 2

1) Create VLAN 10 and VLAN 20.

Switch_2#configure

Switch_2(config)#vlan 10

Switch_2(config-vlan)#name IPv4

Switch_2(config-vlan)#exit

Switch_2(config)#vlan 20

Switch_2(config-vlan)#name IPv6

Switch_2(config-vlan)#exit

2) Add tagged port 1/0/1 to both VLAN 10 and VLAN 20. Specify the PVID of untagged port 1/0/2 as 10 and add it to VLAN 10. Specify the PVID of untagged port 1/0/3 as 20 and add it to VLAN 20.

Switch_2(config)#interface gigabitEthernet 1/0/1

Switch_2(config-if)#switchport general allowed vlan 10,20 tagged

Switch_2(config-if)#exit

Switch_2(config)#interface gigabitEthernet 1/0/2

Switch_2(config-if)#switchport pvid 10

Switch_2(config-if)#switchport general allowed vlan 10 untagged

Switch_2(config-if)#exit

Switch_2(config)#interface gigabitEthernet 1/0/3

Switch_2(config-if)#switchport mode general

Switch_2(config-if)#switchport pvid 20

Switch_2(config-if)#switchport general allowed vlan 20 untagged

Switch_2(config-if)#exit

3) Create the IPv6 protocol template.

Switch_2(config)#protocol-vlan template name IPv6 frame ether_2 ether-type 86dd

Switch_2(config)#show protocol-vlan template

4) Configure the protocol groups.

Switch_2(config)#protocol-vlan vlan 10 priority 0 template 1

Switch_2(config)#protocol-vlan vlan 20 priority 0 template 6

5) Add port 1/0/1 to the protocol groups.

Switch_2(config)#show protocol-vlan vlan

Switch_2(config)#interface gigabitEthernet 1/0/1

Switch_2(config-if)#protocol-vlan group 1

Switch_2(config-if)#protocol-vlan group 2

Switch_2(config-if)#exit

Switch_2(config)#end

Switch_2#copy running-config startup-config

Verify the Configurations

Switch 1

Verify 802.1Q VLAN configuration:

Switch_1#show vlan

Switch 2

Verify 802.1Q VLAN configuration:

Switch_2#show vlan

Verify protocol group configuration:

Switch_2#show protocol-vlan vlan

4 Appendix: Default Parameters

Default settings of Protocol VLAN are listed in the following table.

Table 4-1 Default Settings of Protocol VLAN

Part 10

Configuring VLAN-VPN

(Only for Certain Devices)

CHAPTERS

1. VLAN-VPN
2. Basic VLAN-VPN Configuration
3. Flexible VLAN-VPN Configuration
4. Configuration Examples
5. Appendix: Default Parameters

1 VLAN-VPN

1.1 Overview

Note:

VLAN VPN is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If VLAN VPN is available, there is L2 FEATURES > VLAN > VLAN VPN in the menu structure.

VLAN-VPN (Virtual Private Network) is an easy-to-implement layer 2 VLAN technology, and it is usually deployed at the edge of the ISP (Internet Service Provider) network.

With VLAN-VPN, when forwarding packets from the customer network to the ISP network, the switch adds an outer tag to the packets with outer VLAN ID. Thus, packets can be transmitted through ISP networks with double VLAN tags. In the ISP network, packets are forwarded according to the outer VLAN tag (VLAN tag of the ISP network), while the inner VLAN tag is treated as part of the payload. When forwarding packets from the ISP network to the customer network, the switch remove the outer VLAN tag of the packets. Thus, packets are forwarded according to the inner VLAN tag (VLAN tag of the customer network) in the customer network.

The following figure shows the typical application scenario of VLAN-VPN. To realize the communication between two customer VLANs across the ISP network, you can configure VLAN-VPN at the ISP edge switches to allow packets from customer VLAN 100 and VLAN 200 to be forwarded through the ISP network with the outer tag of VLAN 1050.

Figure 1-1 Application Scenario of VLAN-VPN

graph LR
    A["VLAN 100"] --> B["Device"]
    C["VLAN 200"] --> B
    B --> D["VLAN 1050"]
    D --> E["VLAN 100"]
    E --> F["Device"]
    G["VLAN 200"] --> F
    F --> H["Device"]

1.2 Supported Features

The VLAN-VPN function includes: basic VLAN-VPN and flexible VLAN-VPN (VLAN mapping).

Basic VLAN-VPN

All packets from customer VLANs are encapsulated with the same VLAN tag of the ISP network, and sent to the ISP network. Additionally, you can set the TPID (Tag Protocol Identifier) for compatibility with devices in the ISP network.

Flexible VLAN-VPN

You can configure different VLANs in the customer network to map to different VLANs in the ISP network.

When the switch receives a packet with the customer network tag, the switch will check the VLAN Mapping List. If a match is found, the switch encapsulates the packet with the corresponding VLAN tag of the ISP network, and forwards it to the corresponding port. If no match is found, the switch process the packet in rules of MAC VLAN, Protocol VLAN and 802.1Q VLAN. For untagged packets, the switch directly processes them in rules of MAC VLAN, Protocol VLAN and 802.1Q VLAN.

2 Basic VLAN-VPN Configuration

To complete the basic VLAN-VPN configuration, follow these steps:

1) Configure 802.1Q VLAN.
2) Configure NNI ports and UNI ports.
3) Enable VLAN-VPN globally.

Configuration Guidelines

■ The TPID preset by the switch is 0x8100. If the devices in the ISP network do not support this value, you should change it to ensure VLAN-VPN packets sent to the ISP network can be recognized and forwarded by devices of other manufacturers.
- You can go to 802.1Q VLAN section to specify the Ingress Checking feature according to your needs. If the Ingress Checking is enabled, the port will perform this operation first then process the packets based on the VLAN-VPN configuration. If Ingress Checking is disabled, the port will process the packets directly based on the VLAN-VPN configuration.

2.1 Using the GUI

2.1.1 Configuring 802.1Q VLAN

Before configuring VLAN-VPN, create 802.1Q VLAN add ports to corresponding VLANs and configure Ingress Checking on ports according to your needs. For details, refer to Configuring 802.1Q VLAN.

2.1.2 Configuring Basic VLAN-VPN

Choose the menu L2 FEATURES > VLAN > VLAN VPN > VPN Config to load the following page.

Figure 2-1 Basic VPN Configuration

Follow these steps to configure the basic VLAN-VPN parameters:

1) In the Global Config section, enable VLAN VPN globally, and click Apply.

VLAN VPN Enable the VLAN VPN function globally.

2) In the VPN Port Config section, select on or more ports and configure the corresponding parameters. Click Apply.

Port Role Select the port role that will take effect in the VLAN-VPN function.

NNI: NNI ports are usually connected to the ISP network, and the packets forwarded by these port have outer VLAN tags.

UNI: UNI ports are usually connected to the customer network. The outer VLAN tags will be added or removed when the packets are forwarded by the UNI port.

Note:

The direct shift between ports modes UNI and NNI is not supported. To switch from the current mode to another mode, you can change the port role to “--” first.

Note:

• The PVID of the UNI port should be specified as the VLAN ID of the ISP VLAN.
- The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.

2.2 Using the CLI

2.2.1 Configuring 802.1Q VLAN

Before configuring VLAN-VPN, create 802.1Q VLAN, add ports to corresponding VLANs and configure Ingress Checking on ports according to your needs. For details, refer to Configuring 802.1Q VLAN.

2.2.1 Configuring Basic VLAN-VPN

Follow these steps to configure basic VLAN-VPN:

Step 1 configure

Enter global configuration mode.

Step 2 dot1q-tunnel

Enable the VLAN-VPN feature globally.

Step 3 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list}

Enter interface configuration mode.

Step 4 switchport dot1q-tunnel mode { nni | uni }

Select the port role that will take effect in the VLAN-VPN function.

nni: NNI ports are usually connected to the ISP network, and the packets forwarded by these port have outer VLAN tags.

uni: UNI ports are usually connected to the customer network. The outer VLAN tags will be added or removed when the packets are forwarded by the UNI port.

Note:

The direct shift between ports modes uni and nni is not supported. To switch from the current mode to another mode, you can use no switchport dot1q-tunnel mode to disable the current mode.

Step 5 switchport dot1q-tunnel tpid

tpid

Specify the value of TPID. TPID is a field of VLAN tag and is modified to make the double tagged packets identifiable to devices from different vendors.

tpid: Enter the IPID for the port. It must be 4 Hex integers. By default, it is 8100.

Step 6 switchport dot1q-tunnel missdrop

Enable the Missdrop feature. This option only can take effect on tagged packets. With Missdrop enabled, the tagged packets that don't match the VLAN Mapping entries will be dropped. By default, it is disabled.

Note:

For T2600G-28TS/T2600G-28MPS/T2600G-28SQ/T2600G-52TS, Missdrop can only be enabled on UNI ports.

For T2600G-18TS, Missdrop can only be enabled on NNI ports.

Step 7 switchport dot1q-tunnel use\_inner\_priority

Enable this function and the switch will determine the forwarding sequence of the packets according to the 802.1p priority of the inner VLAN tag. By default, it is disabled.

It is available only when the port mode is UNI.

Step 8 show dot1q-tunnel

Verify the global configuration of VLAN-VPN.

Step 9 show dot1q-tunnel interface

Verify the interface configuration of basic VLAN-VPN.

Step 10 end

Return to privileged EXEC mode.

Step 11 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable the VLAN-VPN feature globally, set port 1/0/1 of switch as the UNI port and 1/0/2 as the NNI port:

Switch#configure

Switch(config)#dot1q-tunnel

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#switchport dot1q-tunnel mode uni

Switch(config-if)#exit

Switch(config)#interface gigabitEthernet 1/0/2

Switch(config-if)#switchport dot1q-tunnel mode nni

Switch(config-if)#show dot1q-tunnel

VLAN-VPN Mode: Enabled

Mapping Mode: Disabled

Switch(config-if)#show dot1q-tunnel interface

Switch(config-if)#end

Switch#copy running-config startup-config

3 Flexible VLAN-VPN Configuration

To complete the flexible VLAN-VPN configuration, follow these steps:

1) Configure 802.1Q VLAN and basic VLAN-VPN.
2) Configure VLAN mapping.

Configuration Guidelines

■ Before you start, configure 802.1Q VLAN and the basic VLAN-VPN.

- You can specify the PVID of the UNI port according to your needs. The untagged packets and the tagged packets that don't the VLAN mapping entry may be added the outer VLAN tag with this PVID according to your configuration.

3.1 Using the GUI

Choose the menu L2 FEATURES > VLAN > VLAN VPN > VLAN Mapping to load the following page.

Figure 3-1 Enable Flexible VLAN-VPN

Follow these steps to configure flexible VLAN-VPN:

1) In the Global Config section, enable VLAN mapping globally and click Apply.
2) In the VLAN Mapping Config section, click + Add to load the following page. Configure the following parameters.

Figure 3-2 Create VLAN Mapping Entry

Port For some devices, choose a UNI port to enable VLAN mapping. For other devices, choose a NNI port to enable VLAN mapping.

C VLAN Specify the customer VLAN of the UNI port by entering the VLAN ID or VLAN Name.

SP VLAN Specify the ISP VLAN of the UNI port by entering the VLAN ID or VLAN Name.

Description Give a description to identify the VLAN Mapping.

3) Click Create.

3.2 Using the CLI

Follow these steps to configure flexible VLAN-VPN:

Step 1 configure

Enter global configuration mode.

Step 2 dot1q-tunnel mapping

Enable VLAN mapping globally.

Step 3 interface {fastEthernet

port | range fastEthernet port-list | gigabitEthernet port | range

gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | port-channel port-channel-id | range port-channel port-channel-list}

For some devices, choose a UNI port to enable VLAN mapping. For other devices, choose a NNI port to enable VLAN mapping.

Step 4 switchport dot1q-tunnel mapping

c-vlan sp-vlan [descript]

Set VLAN mapping entries for the specified port.

c vlan: Enter VLAN ID of the customer network.

sp vlan: Enter VLAN ID of the ISP network.

descript: Give a description to identify the VLAN Mapping.

Step 5 end

Return to privileged EXEC mode.

Step 6 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable VLAN mapping and set a VLAN mapping entry named mapping1 on port 1/0/3 to map customer network VLAN 15 to ISP network VLAN 1040:

Switch#configure

Switch(config)#dot1q-tunnel mapping

Switch(config)#show dot1q-tunnel

VLAN-VPN Mode: Enabled

Mapping Mode: Enabled

Switch(config)#interface gigabitEthernet 1/0/3

Switch(config-if)#switchport dot1q-tunnel mapping 15 1040 mapping1

Switch(config-if)#show dot1q-tunnel mapping

Switch(config-if)#end

Switch#copy running-config startup-config

4 Configuration Examples

4.1 Example for Basic VLAN VPN

4.1.1 Network Requirements

A company has two stations, and the computers belong to VLAN 100 and VLAN 200 respectively. The ISP VLAN is VLAN 1050 and the TPID adopted by the ISP network is 0x9100.

The two stations need to communicate with each other through the ISP network. And it is required that the traffic from VLAN 100 and VLAN 200 should be transmitted in VLAN 1050.

Figure 4-1 Network Topology

graph TD
    A["TPID=0x9100 VLAN1050"] --> B["Switch 1"]
    A --> C["Switch 2"]
    B --> D["Gi1/0/1"]
    B --> E["GI1/0/2 UNI Port"]
    C --> F["Gi1/0/2 UNI Port"]
    C --> G["Gi1/0/3"]
    D --> H["VLAN 200"]
    E --> I["VLAN 100"]
    F --> J["VLAN 200"]
    G --> K["VLAN 100"]
    H --> L["VLAN 200"]
    I --> M["VLAN 100"]
    J --> N["VLAN 200"]
    K --> O["VLAN 100"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#ccf,stroke:#333
    style D fill:#cfc,stroke:#333
    style E fill:#cfc,stroke:#333
    style F fill:#cfc,stroke:#333
    style G fill:#cfc,stroke:#333
    style H fill:#fcc,stroke:#333
    style I fill:#fcc,stroke:#333
    style J fill:#fcc,stroke:#333
    style K fill:#fcc,stroke:#333
    style L fill:#cff,stroke:#333
    style M fill:#cff,stroke:#333

4.1.2 Configuration Scheme

To meet the requirement that all the traffic from VLAN 100 and VLAN 200 should be transmitted through VLAN 1050, users can configure basic VLAN VPN on Switch 1 and Switch 2 to allow packets sent with double VLAN tags, and thus ensure the communication between them. The general configuration procedure is as follows:

Here we only introduce the configuration schemes on switch 1 and switch 3, for the configurations on switch 2 are the same as those on switch 1, and the configurations on switch 4 are the same as those on switch 3.

1) Configure 802.1Q VLAN on switch 1. The parameters are shown below:

2) Configure 802.1Q VLAN on switch 3. The parameters are shown below:

3) Configure VLAN VPN on switch 1. Set port 1/0/1 as NNI port and port 1/0/2 as UNI port; configure the TPID as 0x9100.

Demonstrated with T2600G-28TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.

4.1.3 Using the GUI

■ Configuring Switch 1:

1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100, VLAN 200 and VLAN 1050. Configure the egress rule of port 1/0/2 in VLAN 100 and VLAN 200 as Tagged, and in VLAN 1050 as Untagged; Configure the egress rule of port 1/0/1 in VLAN 1050 as Tagged.

Figure 4-2 Create VLAN 100

Figure 4-3 Create VLAN 200

Figure 4-4 Create VLAN 1050

2) Go to L2 FEATURES > VLAN > Port Config to set the PVID as 1050 for port 1/0/2 and leave the default vaule 1 for port 1/0/1.

Figure 4-5 Configuring PVID

3) Go to L2 FEATURES > VLAN > VLAN VPN > VPN Config, enable VLAN VPN globally; set port 1/0/1 as NNI port and port /1/0/2 as UNI port. Specify the TPID of port 1/0/1 as 9100.

Figure 4-6 Enabling VLAN VPN Globally and Configuring the Ports

4) Click Save the settings.

- Configuring Switch 3:

1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100 and VLAN 200. Configure the egress rules of port 1/0/1 in VLAN 100 as Untagged; egress rules of port 1/0/2 in VLAN 200 as Untagged; egress rule of port 1/0/3 in VLAN 100 and VLAN 200 as Tagged.

Figure 4-7 Creating VLAN 100

Figure 4-8 Creating VLAN 200

2) Go to L2 FEATURES > VLAN > Port Config to set the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Figure 4-9 Configuring PVID

3) Click save the settings.

4.1.4 Using the CLI

The configurations of Switch 1 and Switch 2 are similar. The following introductions take Switch 1 as an example.

1) Create VLAN 1050, VLAN 100 and VLAN 200.

Switch_1#configure

Switch_1(config)#vlan 1050
Switch_1(config-vlan)#name SP_VLAN
Switch_1(config-vlan)#exit
Switch_1(config)#vlan 100
Switch_1(config-vlan)#name C_VLAN100
Switch_1(config-vlan)#exit
Switch_1(config)#vlan 200
Switch_1(config-vlan)#name C_VLAN200
Switch_1(config-vlan)#exit 

2) Add port 1/0/1 to VLAN 1050 as tagged port, modify PVID as 1050, set the port as NNI port and specify the TPID as 9100.
Switch_1(config)#interface gigabitEthernet 1/0/1
Switch_1(config-if)#switchport general allowed vlan 1050 tagged
Switch_1(config-if)#switchport pvid1050
Switch_1(config-if)#switchport dot1q-tunnel mode nni
Switch_1(config-if)#switchport dot1q-tunnel tpid 9100
Switch_1(config-if)#exit 

3) Add port 1/0/2 to VLAN 1050 as untagged port, and add it to VLAN 100 and VLAN 200 as tagged port. Modify PVID of the port as 1050. Set the port as the UNI port.
Switch_1(config)#interface gigabitEthernet 1/0/2
Switch_1(config-if)#switchport general allowed vlan 1050 untagged
Switch_1(config-if)#switchport general allowed vlan 100,200 tagged
Switch_1(config-if)#switchport pvid 1050
Switch_1(config-if)#switchport dot1q-tunnel mode uni
Switch_1(config-if)#exit 

4) Enable VLAN VPN globally
Switch_1(config)#dot1q-tunnel
Switch_1(config)#end
Switch_1#copy running-config startup-config 

■ Configuring Switch 3

1) Create VLAN 100 and VLAN 200.

Switch_3#configure

Switch_3(config)#vlan 100

Switch_3(config-vlan)#name C_VLAN100

Switch_3(config-vlan)#exit

Switch_3(config)#vlan 200

Switch_3(config-vlan)#name C_VLAN200

Switch_3(config-vlan)#exit

2) Add port 1/0/1 to VLAN 100 and port 1/0/2 to VLAN 200 as untagged ports; add port 1/0/3 to VLAN 100 and VLAN 200 as tagged ports. Configure the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Switch_3(config)#interface gigabitEthernet 1/0/1

Switch_3(config-if)#switchport general allowed vlan 100 untagged

Switch_3(config-if)#switchport pvid 100

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/2

Switch_3(config-if)#switchport general allowed vlan 200 untagged

Switch_3(config-if)#switchport pvid 200

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/3

Switch_3(config-if)#switchport general allowed vlan 100,200 tagged

Switch_3(config-if)#end

Switch_3#copy running-config startup-config

Verify the VLAN VPN Configurations on Switch 1

Verify the configurations of global VLAN VPN:

Switch_3#show dot1q-tunnel

VLAN VPN Mode: Enabled

Mapping Mode: Disabled

Verify the configurations of VPN up-link port and VPN port:

Switch_3#show dot1q-tunnel interface

...

Verify the port configuration:

Switch_3#show interface switchport gigabitEthernet 1/0/1

Port Gi1/0/1:

PVID: 1050

Acceptable frame type: All

Ingress Checking: Enable

Member in LAG: N/A

Link Type: General

Member in VLAN:

Vlan Name Egress-rule

1 System-VLAN Untagged

1050 SP_VLAN Tagged

Switch_3#show interface switchport gigabitEthernet 1/0/2

Port Gi1/0/2:

PVID: 1050

Acceptable frame type: All

Ingress Checking: Enable

Member in LAG: N/A

Link Type: General

Member in VLAN:

4.2 Example for Flexible VLAN VPN

4.2.1 Network Requirements

A company has two stations, and the computers belong to VLAN 100 and VLAN 200 respectively. The ISP VLAN is VLAN 1050 and VLAN 1060, and the TPID adopted by the ISP network is 0x9100.

The two stations need to communicate with each other through the ISP network. And it is required that the traffic from VLAN 100 should be transmitted in VLAN 1050, while the traffic from VLAN 200 should be transmitted in VLAN 1060.

Figure 4-10 Network Topology

graph TD
    A["TPID=0x9100\nVLAN1050\nVLAN1050"] --> B["Switch 1"]
    A --> C["Switch 2"]
    B --> D["Gi1/0/1\nGi1/0/2 UNI Port"]
    C --> E["Gi1/0/2\nGi1/0/2 UNI Port"]
    D --> F["Switch 3"]
    E --> G["Switch 4"]
    F --> H["VLAN 200"]
    F --> I["VLAN 100"]
    G --> J["VLAN 200"]
    G --> K["VLAN 100"]

4.2.2 Configuration Scheme

To meet the requirement that all the traffic from VLAN 100 and VLAN 200 need to be transmitted through different ISP VLANs, users can configure flexible VLAN VPN on Switch 1 and Switch 2 to map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060, so packets

from VLAN 100 and VLAN 200 will be transmitted through VLAN 1050 and VLAN 1060 respectively.

Here we only introduce the configuration scheme on Switch 1 and Switch 3, for the configurations on Switch 2 are the same as that on Switch 1, and the configurations on Switch 4 are the same as that on Switch 3.

1) Configure 802.1Q VLAN on Switch 1. The parameters are shown below:

2) Configure 802.1Q VLAN on Switch 3. The parameters are shown below:

3) Configure VLAN VPN on Switch 1. Set port 1/0/1 as NNI port and port 1/0/2 as UNI port; configure the TPID as 0x9100; map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060.

Demonstrated with T2600G-28TS, this chapter provides configuration procedures in two ways: using the GUI and using the CLI.

4.2.3 Using the GUI

■ Configuring Switch 1:

1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100, VLAN 200, VLAN 1050 and VLAN 1060. Configure the egress rule of port 1/0/2 in VLAN 100 and VLAN 200 as Tagged, and Untagged in VLAN 1050 and VLAN 1060; Configure the egress rule of port 1/0/1 in VLAN 1050 and VLAN 1060 as Tagged.

Figure 4-11 Create VLAN 100

Figure 4-12 Create VLAN 200

Figure 4-13 Create VLAN 1050

Figure 4-14 Create VLAN 1060

2) Go to L2 FEATURES > VLAN > VLAN VPN > VPN Config, enable VLAN VPN globally; set port 1/0/1 as NNI port and port /1/0/2 as UNI port. Specify the TPID of port 1/0/1 as 9100.

Figure 4-15 Enabling VLAN VPN Globally and Configuring the Ports

3) Go to L2 FEATURES > VLAN > VLAN VPN > VLAN Mapping, enable VLAN Mapping globally. Then configure VLAN mapping for the UNI port 1/0/2.

Figure 4-16 Mapping VLAN 100 to VLAN 1050

Figure 4-17 Mapping VLAN 200 to VLAN 1060

4) Click to save the settings.

■ Configuring Switch 3:

1) Go to L2 FEATURES > VLAN > 802.1Q VLAN to create VLAN 100 and VLAN 200. Configure the egress rules of port 1/0/1 in VLAN 100 as Untagged; egress rules of port 1/0/2 in VLAN 200 as Untagged; egress rule of port 1/0/3 in VLAN 100 and VLAN 200 as Tagged.

Figure 4-18 Creating VLAN 100

Figure 4-19 Creating VLAN 200

2) Go to L2 FEATURES > VLAN > Port Config to set the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Figure 4-20 Configuring PVID

3) Click save the settings.

4.2.4 Using the CLI

- Configuring Switch 1

1) Create VLAN 100, VLAN 200, VLAN 1050 and VLAN 1060.

Switch_1#configure

Switch_1(config)#vlan 1050
Switch_1(config-vlan)#name SP_VLAN1050
Switch_1(config-vlan)#exit
Switch_1(config)#vlan 1060
Switch_1(config-vlan)#name SP_VLAN1060
Switch_1(config-vlan)#exit
Switch_1(config)#vlan 100
Switch_1(config-vlan)#name C_VLAN100
Switch_1(config-vlan)#exit
Switch_1(config)#vlan 200
Switch_1(config-vlan)#name C_VLAN200
Switch_1(config-vlan)#exit 

2) Add port 1/0/1 to VLAN 1050 and VLAN 1060 as tagged port, set the port as NNI port and specify the TPID as 9100.

Switch_1(config)#interface gigabitEthernet 1/0/1
Switch_1(config-if)#switchport general allowed vlan 1050,1060 tagged
Switch_1(config-if)#switchport dot1q-tunnel mode nni
Switch_1(config-if)#switchport dot1q-tunnel tpid 9100
Switch_1(config-if)#exit 

3) Add port 1/0/2 to VLAN 1050 and VLAN 1060 as untagged port, and add it to VLAN 100 and VLAN 200 as tagged port. Set the port as the UNI port.

Switch_1(config)#interface gigabitEthernet 1/0/2
Switch_1(config-if)#switchport general allowed vlan 1050,1060 untagged
Switch_1(config-if)#switchport general allowed vlan 100,200 tagged
Switch_1(config-if)#switchport dot1q-tunnel mode uni
Switch_1(config-if)#exit 

4) Enable VLAN mapping. Map VLAN 100 to VLAN 1050 and VLAN 200 to VLAN 1060 for port 1/0/2.

Switch_1(config)#dot1q-tunnel mapping
Switch_1(config)#interface gigabitEthernet 1/0/2
Switch_1(config-if)#switchport dot1q-tunnel mapping 100 1050 mapping
Switch_1(config-if)#switchport dot1q-tunnel mapping 200 1060 mapping 

Switch_1(config-if)#exit

5) Enable VLAN VPN globally

Switch_1(config)#dot1q-tunnel

Switch_1(config)#end

Switch_1#copy running-config startup-config

■ Configuring Switch 3

1) Create VLAN 100 and VLAN 200.

Switch_3#configure

Switch_3(config)#vlan 100

Switch_3(config-vlan)#name C_VLAN100

Switch_3(config-vlan)#exit

Switch_3(config)#vlan 200

Switch_3(config-vlan)#name C_VLAN200

Switch_3(config-vlan)#exit

2) Add port 1/0/1 to VLAN 100 and port 1/0/2 to VLAN 200 as untagged ports; add port 1/0/3 to VLAN 100 and VLAN 200 as tagged ports. Configure the PVID as 100 for port 1/0/1 and 200 for port 1/0/2.

Switch_3(config)#interface gigabitEthernet 1/0/1

Switch_3(config-if)#switchport general allowed vlan 100 untagged

Switch_3(config-if)#switchport pvid 100

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/2

Switch_3(config-if)#switchport general allowed vlan 200 untagged

Switch_3(config-if)#switchport pvid 200

Switch_3(config-if)#exit

Switch_3(config)#interface gigabitEthernet 1/0/3

Switch_3(config-if)#switchport general allowed vlan 100,200 tagged

Switch_3(config-if)#end

Switch_3#copy running-config startup-config

5 Appendix: Default Parameters

Default settings of VLAN VPN are listed in the following table.

Table 5-1 Default Settings of VLAN VPN

Part 11

Configuring GVRP

CHAPTERS

1. Overview
2. GVRP Configuration
3. Configuration Example
4. Appendix: Default Parameters

1 Overview

GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that allows registration and deregistration of VLAN attribute values and dynamic VLAN creation.

Without GVRP operating, configuring the same VLAN on a network would require manual configuration on each device. As shown in Figure 1-1, Switch A, B and C are connected through trunk ports. VLAN 10 is configured on Switch A, and VLAN 1 is configured on Switch B and Switch C. Switch C can receive messages sent from Switch A in VLAN 10 only when the network administrator has manually created VLAN 10 on Switch B and Switch C.

Figure 1-1 VLAN Topology

Switch B

VLAN 10

Switch A

Switch C

The configuration may seem easy in this situation. However, for a larger or more complex network, such manual configuration would be time-consuming and fallible. GVRP can be used to implement dynamic VLAN configuration. With GVRP, the switch can exchange VLAN configuration information with the adjacent GVRP switches and dynamically create and manage the VLANs. This reduces VLAN configuration workload and ensures correct VLAN configuration.

Figure 1-2 GVRP Topology

Switch 3 Switch n

... ...

VLAN 10-20 VLAN 10-20

Switch 1

Switch 2

2 GVRP Configuration

To complete GVRP configuration, follow these steps:

1) Create a VLAN.
2) Enable GVRP globally.
3) Enable GVRP on each port and configure the corresponding parameters.

Configuration Guidelines

To dynamically create a VLAN on all ports in a network link, you must configure the same static VLAN on both ends of the link.

We call manually configured 802.1Q VLAN as static VLAN and VLAN created through GVRP as dynamic VLAN. Ports in a static VLAN can initiate the sending of GVRP registration message to other ports. And a port registers VLANs only when it receives GVRP messages. As the messages can only be sent from one GVRP participant to another, two-way registration is required to configure a VLAN on all ports in a link. To implement two-way registration, you need to manually configure the same static VLAN on both ends of the link.

As shown in the figure below, VLAN registration from Switch A to Switch C adds Port 2 to VLAN 2. And VLAN registration from Switch C to Switch A adds Port 3 to VLAN 2.

Figure 2-1

graph TD
    A["Switch A"] -->|Port 1 Port 4| B["Switch B"]
    B -->|Port 2| A
    B -->|Port 3| C["Switch C"]
    C -->|Port 4| A
    style A fill:#cce5ff,stroke:#333
    style B fill:#cce5ff,stroke:#333
    style C fill:#cce5ff,stroke:#333
    note right of B: "Dynamic VLAN 2"
    note right of C: "Static VLAN 2 Static VLAN 2"

Similarly, if you want to delete a VLAN from the link, two-way deregistration is required. You need to manually delete the static VLAN on both ends of the link.

2.1 Using the GUI

Choose the menu L2 FEATURES > VLAN > GVRP > GVRP Config to load the following page.

Figure 2-1 GVRP Config

Follow these steps to configure GVRP:

1) In the GVRP section, enable GVRP globally, then click Apply.
2) In the Port Config section, select one or more ports, set the status as Enable and configure the related parameters according to your needs.

Port Select the desired port for GVRP configuration. It is multi-optional.

Status Enable or disable GVRP on the port. By default, it is disabled.

Registration Mode

Select the GVRP registration mode for the port.

Normal: In this mode, the port can dynamically register and deregister VLANs, and transmit both dynamic and static VLAN registration information.

Fixed: In this mode, the port is unable to dynamically register and deregister VLANs, and can transmit only the static VLAN registration information.

Forbidden: In this mode, the port is unable to dynamically register and deregister VLANs, and can transmit only the information of VLAN 1.

LAG Displays the LAG the port is in.

3) Click Apply.

Note:

• The member port of an LAG follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
  • The egress rule of the ports that are dynamically added to the VLAN is tagged.
  • The egress rule of the fixed ports should be tagged.
• When setting the timer values, make sure that the values are within the required range. The configuration value for LeaveAll timer should be greater than or equal to ten times the Leave timer value. The value for Leave timer should be greater than or equal to two times the Join timer value.

2.2 Using the CLI

Step 1 configure

Enter Global Configuration Mode.

Step 2 gvrp

Enable GVRP globally.

Step 7 show gvrp global

Verify the global configurations of GVRP.

Verify the GVRP configuration of the specified port or LAG.

Step 9 end

Return to privileged EXEC mode.

Step 10 copy running-config startup-config

Save the settings in the configuration file.

Note:

• The member port of an LAG follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
  • The egress rule of the ports dynamically added to the VLAN is tagged.
  • The egress rule of the fixed port should be tagged.
• When setting the timer values, make sure that the values are within the required range. The configuration value for LeaveAll timer should be greater than or equal to ten times the Leave timer value. The value for Leave timer should be greater than or equal to two times the Join timer value.

The following example shows how to enable GVRP globally and on port 1/0/1, configure the GVRP registration mode as fixed and keep the values of timers as default:

Switch#configure

Switch(config)#gvrp

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#gvrp

Switch(config-if)#gvrp registration fixed

Switch(config-if)#show gvrp global

GVRP Global Status

Enabled

Switch(config-if)# show gvrp interface gigabitEthernet 1/0/1

Switch(config-if)#end

Switch#copy running-config startup-config

3 Configuration Example

3.1 Network Requirements

Department A and Department B of a company are connected using switches. Offices of one department are distributed on different floors. As shown in Figure 3-1, the network topology is complicated. Configuration of the same VLAN on different switches is required so that computers in the same department can communicate with each other.

Figure 3-1 Network Topology

graph TD
    A["Dept. A: VLAN 10"] --> B["Switch 1"]
    B --> C["Switch 5 Switch 6"]
    C --> D["..."]
    D --> E["Switch 3"]
    E --> F["Dept. A: VLAN 10"]
    F --> G["Switch 4"]
    G --> H["Dept. B: VLAN 20"]
    C --> I["Dept. B: VLAN 20"]
    C --> J["Dept. A: VLAN 10"]
    C --> K["Dept. A: VLAN 20"]

3.2 Configuration Scheme

To reduce manual configuration and maintenance workload, GVRP can be enabled to implement dynamic VLAN registration and update on the switches.

When configuring GVRP, please note the following:

■ The two departments are in separate VLANs. To make sure the switches only dynamically create the VLAN of their own department, you need to set the registration mode for ports on Switch 1-4 as Fixed to prevents dynamic registration and deregistration of VLANs and allow the port to transmit only the static VLAN registration information.
■ To configure dynamic VLAN creation on the other switches, set the registration mode of the corresponding ports as Normal to allow dynamic registration and deregistration of VLANs.

Demonstrated with T1600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.

3.3 Using the GUI

GVRP configurations for Switch 3 are the same as Switch 1, and Switch 4 are the same as Switch 2. Other switches share similar configurations.

The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.

■ Configurations for Switch 1

1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click Add to load the following page. Create VLAN 10 and add tagged port 1/0/1 to it. Click Create.

Figure 3-2 Create VLAN 10

2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply.

Figure 3-3 GVRP Configuration

3) Click Save the settings.

■ Configurations for Switch 2

1) Choose the menu L2 FEATURES > VLAN > 802.1Q VLAN > VLAN Config and click Add to load the following page. Create VLAN 20 and add tagged port 1/0/1 to it. Click Create.

Figure 3-4 Create VLAN 20

2) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select port 1/0/1, set Status as Enable, and set Registration Mode as Fixed. Keep the values of the timers as default. Click Apply.

Figure 3-5 GVRP Configuration

3) Click Save the settings.

■ Configurations for Switch 5

1) Choose the menu L2 FEATURES > VLAN > GVRP to load the following page. Enable GVRP globally, then click Apply. Select ports 1/0/1-3, set Status as Enable, and keep the Registration Mode and the values of the timers as default. Click Apply.

Figure 3-6 GVRP Configuration

2) Click Save the settings.

3.4 Using the CLI

GVRP configuration for Switch 3 is the same as Switch 1, and Switch 4 is the same as Switch 2. Other switches share similar configurations.

The following configuration procedures take Switch 1, Switch 2 and Switch 5 as examples.

■ Configurations for Switch 1

1) Enable GVRP globally.

Switch_1#configure

Switch_1(config)#gvrp

2) Create VLAN 10.

Switch_1(config)#vlan 10

Switch_1(config-vlan)#name Department_A

Switch_1(config-vlan)#exit

3) Add tagged port 1/0/1 to VLAN 10. Enable GVRP on the port and set the registration mode as Fixed.

Switch_1(config)#interface gigabitEthernet 1/0/1
Switch_1(config-if)#switchport general allowed vlan 10 tagged
Switch_1(config-if)#gvrp
Switch_1(config-if)#gvrp registration fixed
Switch_1(config-if)#end
Switch_1#copy running-config startup-config 

■ Configurations for Switch 2

1) Enable GVRP globally.

Switch_2#configure
Switch_2(config)#gvrp 

2) Create VLAN 20.

Switch_2(config)#vlan 20
Switch_2(config-vlan)#name Department_B
Switch_2(config-vlan)#exit 

3) Add tagged port 1/0/1 to VLAN 20. Enable GVRP on the port and set the registration mode as Fixed.

Switch_2(config)#interface gigabitEthernet 1/0/1
Switch_2(config-if)#switchport general allowed vlan 20 tagged
Switch_2(config-if)#gvrp
Switch_2(config-if)#gvrp registration fixed
Switch_2(config-if)#end
Switch_2#copy running-config startup-config 

■ Configurations for Switch 5

1) Enable GVRP globally.

Switch_5#configure
Switch_5(config)#gvrp 

2) Enable GVRP on ports 1/0/1-3.

Switch_5(config)#interface range gigabitEthernet 1/0/1-3
Switch_5(config-if-range)#gvrp
Switch_5(config-if-range)#end 

Switch_5#copy running-config startup-config

Verify the Configuration

Switch 1

Verify the global GVRP configuration:

Switch_1#show gvrp global

GVRP Global Status

Enabled

Verify GVRP configuration for port 1/0/1:

Switch_1#show gvrp interface

Switch 2

Verify the global GVRP configuration:

Switch_2#show gvrp global

GVRP Global Status

Enabled

Verify GVRP configuration for port 1/0/1:

Switch_2#show gvrp interface

Gi1/0/2 Disabled Normal 1000 20 60 N/A

...

Switch 5

Verify global GVRP configuration:

GVRP Global Status

Enabled

Verify GVRP configuration for ports 1/0/1-3:

Switch_5#show gvrp interface

...

4 Appendix: Default Parameters

Default settings of GVRP are listed in the following tables.

Table 4-1 Default Settings of GVRP

Part 12

Configuring Private VLAN

(Only for Certain Devices)

CHAPTERS

1. Overview
2. Private VLAN Configurations
3. Configuration Example
4. Appendix: Default Parameters

1 Overview

Note:

Private VLAN is only available on certain devices. To check whether your device supports this feature, refer to the actual web interface. If Private VLAN is available, there is L2 FEATURES > VLAN > Private VLAN in the menu structure.

Common large networks such as ISP networks generally isolate users by VLANs. However, with the increasing number of users, upper-layer devices have to create large amount of VLANs to manage all the users. According to IEEE 802.1Q protocol, each upper-layer device can create no more than 4094 VLANs, which means upper-layer devices in backbone networks will face shortage of VLANs. By creating primary VLAN and secondary VLAN, private VLAN is an effective solution to this problem.

Based on 802.1Q VLAN, private VLAN pairs a secondary VLAN with a primary VLAN. A primary VLAN can pair with more than one secondary VLANs to compose several private VLANs. In a private VLAN, Layer 2 isolation can be achieved between end users with secondary VLANs, while upper-layer devices only need to recognize primary VLANs, which solves the problem of VLAN shortage. Meanwhile, private VLAN resolves the conflicts triggered when users' need of VLANs is different from what the ISP can provide.

The network models of traditional VLAN and private VLAN are shown in Figure 1-1 and Figure 1-2 respectively. In the network model of traditional VLAN, isolation between users is achieved by creating VLAN2, VLAN3 and VLAN4. In this case, the upper-layer device, Switch A, needs to recognize 3 VLANs including VLAN2, VLAN3 and VLAN4.

Figure 1-1 Topology of Traditional VLAN

graph TD
    A["Switch A"] --> B["Switch B"]
    B --> C["VLAN2"]
    B --> D["VLAN3"]
    B --> E["VLAN4"]

If private VLAN is configured on Switch B, Switch A only needs to recognize primary VLAN, VLAN5; and end users can be isolated by secondary VLANs, VLAN2, VLAN3 and VLAN4, saving VLAN resources for Switch A.

Figure 1-2 Topology of Private VLAN

graph TD
    SwitchA["Switch A"] --> SwitchB["Switch B"]
    SwitchB --> VLAN5["VLAN5"]
    SwitchB --> VLAN2["VLAN2"]
    SwitchB --> VLAN3["VLAN3"]
    SwitchB --> VLAN4["VLAN4"]
    SwitchB --> VLAN5b["VLAN5"]
    SwitchB --> VLAN3b["VLAN3"]
    SwitchB --> VLAN4b["VLAN4"]

2 Private VLAN Configurations

2.1 Using the GUI

Note:

If you need to create a private VLAN with existing VLANs, delete all member ports of the existing VLANs before creating the private VLAN.

Choose the menu L2 FEATURES > VLAN > Private VLAN and click + Add to load the following page.

Figure 2-1 Configuring Private VLAN

1) Enter the IDs of Primary VLAN and Secondary VLAN, and select Secondary VLAN Type.

2) Select promiscuous ports and host ports to be added to the private VLAN.

3) Click Create.

Note:

When configuring the up-link port, you only need to add the port to one private VLAN and set the port type as Promiscuous. The switch will automatically add the port to private VLANs with the same primary VLAN.

2.2 Using the CLI

2.2.1 Creating Private VLAN

Note:

If you need to create a private VLAN with existing VLANs, delete all member ports of the existing VLANs before creating the private VLAN.

Follow these steps to create Private VLAN:

Step 1 configure

Enter global configuration mode.