STES2026 Layer 2 managed Ethernet Switch. Configuration Guide Manual VER:1.0.1

Transcription

1 STES2026 Layer 2 managed Ethernet Switch Configuration Guide Manual VER:1.0.1

2 About This Manual Release Notes This manual applies to STES2026 Ethernet Switch. Related Manuals The related manuals are listed in the following table. STES2026 Ethernet Switch Installation Manu STES2026 Ethernet Switch Configuration Guide Manu Intended Audience The manual is intended for the following readers: Network engineers Network administrators Customers who are familiar with network fundamentals Conventions The manual uses the following conventions: I. General conventions Convention Arial Arial Narrow Boldface Courier New Description Normal paragraphs are in Arial. Warnings, Cautions, Notes and Tips are in Arial Narrow. Headings are in Boldface. Terminal Display is in Courier New. II. Command conventions Convention Boldface Description The keywords of a command line are in Boldface.

3 italic Command arguments are in italic. [ ] Items (keywords or arguments) in square brackets [ ] are optional. { x y... } Alternative items are grouped in braces and separated by vertical bars. One is selected. [ x y... ] Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected. III. GUI conventions Convention Description < > Button names are inside angle brackets. For example, click the <OK> button. [ ] Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window. / Multi-level menus are separated by forward slashes. For example, [File/Create/Folder]. IV. Keyboard operation Format <Key> <Key1+Key2> <Key1, Key2> Description Press the key with the key name inside angle brackets. For example, <Enter>, <Tab>, <Backspace>, or <A>. Press the keys concurrently. For example, <Ctrl+Alt+A> means the three keys should be pressed concurrently. Press the keys in turn. For example, <Alt, A> means the two keys should be pressed in turn. V. Mouse operation Action Click Double Click Drag Description Press the left button or right button quickly (left button bydefault). Press the left button twice continuously and quickly. Press and hold the left button and drag it to a certain position.

4 VI. Symbols Eye-catching symbols are also used in the manual to highlight the points worthy of special attention during the operation. They are defined as follows: Caution: Means reader be extremely careful during the operation. Note: Means a complementary description.

5 Chapter 1 Product Overview Product Overview Function Features... 1 Chapter 2 Logging in Switch Setting up Configuration Environment via the Console Port Setting up Configuration Environment through Telnet Connecting a PC to the Switch through Telnet Setting up Configuration Environment through web browser... 7 Chapter 3 Command Line Interface Command Line Interface Command Line configure mode Features and Functions of Command Line Online Help of Command Line Displaying Characteristics of Command Line History Command of Command Line Common Command Line Error Messages Editing Characteristics of Command Line Chapter 4 Basic Configuration Console Connection Navigating the Web Browser Interface Setting Console Baud Rate Creating user and setting password Setting system service Setting system contact/name/location information for SNMP Setting system management IP Address Setting default gateway Restore system to default configuration Reboot system Chapter 5 Port Configuration Ethernet Port Overview Ethernet Port Configuration Enabling/Disabling an Ethernet Port Setting the Duplex Attribute and speed of the Ethernet Port Enabling/Disabling Flow Control for the Ethernet Port Setting the Ethernet Port Broadcast Suppression Setting Port Mirroring Setting rate limits Chapter 6 Link Aggregation Configuration Overview Configuring a Link Aggregation... 33

6 Chapter 7 VLAN Configuration VLAN Overview Configuring VLAN Selecting VLAN mode Configuring 802.1Q VLAN Configuring port VALN Chapter 8 MAC Address Table Management MAC Address Table Management Overview MAC Address Table Configuration Setting MAC Address Aging Time Setting MAC binding Setting MAC filter Chapter 9 STP Configuration STP Overview Spanning-Tree Topology and BPDUs Bridge ID, Switch Priority, and Extended System ID Spanning-Tree Interface States Blocking State Listening State Learning State Forwarding State Disabled State How a Switch or Port Becomes the Root Switch or Root Port Spanning Tree and Redundant Connectivity Spanning-Tree Address Management Accelerated Aging to Retain Connectivity Configuring STP Features Configure the Bridge Priority for a Switch Configure the Time Parameters of a Switch Configure Port Priority Enable/Disable STP on the Device Enable/Disable STP on a Port Chapter 10 QoS Configuration Enabling/disabling queues service Setting the Queue Mode Chapter x Configuration x Overview x Standard Overview x System Architecture x Authentication Process Implement 802.1x on Ethernet Switch x Configuration Enabling/Disabling 802.1x Setting port authentication state Setting Supplicant Number on a Port... 72

7 Chapter 12 RADIUS Protocol Configuration RADIUS Protocol Overview Implementing RADIUS on Ethernet Switch Configuring RADIUS Protocol Enable/disable radius client service Setting radius client ip address Setting a Real-time Accounting Interval Setting IP Address of RADIUS Server Setting Port of RADIUS Server Setting RADIUS Packet Encryption Key Chapter 13 SNMP Configuration SNMP Overview SNMP Versions and Supported MIB Configure SNMP Setting Community Name Setting the Destination Address of Trap Setting Trap Parameters Chapter 14 IGMP Snooping Configuration IGMP Snooping Overview IGMP Snooping Principle Implement IGMP Snooping IGMP Snooping Configuration Enabling/Disabling IGMP Snooping Configuring Aging Time of Multicast Group Member IGMP Snooping Configuration Example Enable IGMP Snooping... 94

8 Chapter 1 Product Overview 1.1 Product Overview STES2026 Ethernet Switch is a type of box-shaped L2 wire speed Ethernet Switch, applied on the access layer of the medium- and small-sized enterprise networks, IP Metropolitan Area Network (MAN) and Ethernet residential areas 1.2 Function Features Table 1-1 Function features Features VLAN STP protocol Implementation Supports VLAN compliant with IEEE 802.1Q Standard Supports GARP VLAN Registration Protocol (GVRP) Supports port based VLAN Supports Spanning Tree Protocol (STP) Flow control Broadcast Suppression Multicast Link aggregation Features Mirror Supports IEEE 802.3x flow control (full-duplex) Supports back-pressure based flow control (half-duplex) Supports Broadcast Suppression Supports Internet Group Management Protocol Snooping (IGMP Snooping) Supports link aggregation Implementation Supports the port-based mirror Quality of Service (QoS) Security features Supports traffic classification Supports bandwidth control Supports queues of different priority on the port Queue scheduling: supports Strict Priority Queuing (SP), Weighted Round Robin (WRR), and SP+WRR Supports Multi-level user management and password protect Supports 802.1X authentication

9 Supports MAC binding and MAC filter. Management and Maintenance Loading and updating Supports Command Line Interface configuration Supports Local and remote configuration through Telnet on Ethernet port Supports SNMP management (SupportsRMON MIB Group 1, 2, 3 and 9) Supports PING Supports the remote maintenance via Telnet Supports to load and upgrade software via Xmodem.

10 Chapter 2 Logging in Switch 2.1 Setting up Configuration Environment via the Console Port Step 1: As shown in the figure below, to set up the local configuration environment, connect the serial port of a PC (or a terminal) to the Console port of the switch with the Console cable. Figure 2-1 Setting up the local configuration environment via the Console port Step 2: Run terminal emulator (such as Terminal on Windows 3X or the Hyper Terminal on Windows 9X) on the Computer. Set the terminal communication parameters as follows: Set the baud rate to 9600, data bit to 8, parity check to none, stop bit to 1, flow control to none and select the terminal type as VT100.

11 Figure 2-2 Setting up new connection Figure 2-3 Configuring the port for connection

12 Figure 2-4 Setting communication parameters Step 3: The switch is powered on. Display self-test information of the switch and prompt you to press Enter to show the command line prompt such as switch>. Step 4: Input a command to configure the switch or view the operation state. Input a? for an immediate help. For details of specific commands, refer to the following chapters. 2.2 Setting up Configuration Environment through Telnet Connecting a PC to the Switch through Telnet After you have correctly configured IP address for an switch via Console port, you can telnet this switch and configure it. Step 1: Authenticate the Telnet user via the Console port before the user logs in by Telnet.

13 Step 2: To set up the configuration environment, connect the Ethernet port of the PC to that of the switch via the LAN. Figure 2-5 Setting up configuration environment through telnet Step 3: Run Telnet on the PC and input the IP address of the VLAN connected to the PC port. Figure 2-6 Running Telnet Step 4: The terminal displays Login: and prompts the user to input the logon user name and password. After you input the correct user name and password, it displays the command line prompt (such as switch#). Step 5: Use the corresponding commands to configure the switch or to monitor the running state. Enter? to get the immediate help. For details of specific commands,refer to the following chapters.

14 2.3 Setting up Configuration Environment through web browser After you have correctly configured IP address for an switch via Console port, you can login this switch and configure it. This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). To access the web-browser interface you must first enter a user name and password. The default user name is admin and the default password is password.

15 Chapter 3 Command Line Interface Stephen Technologies Co.,Limited 3.1 Command Line Interface SPEED series switches provide a series of configuration commands and command line interfaces for configuring and managing the switch. The command line interface has the following characteristics: Local configuration via the Console port. Local or remote configuration via Telnet. Hierarchy command protection to avoid the unauthorized users accessing switch. Enter a? to get immediate online help. Provide network testing commands, such as Ping, to fast troubleshoot the network. Log in and manage other switch directly, using the Telnet command. Provide the function similar to Dos key to execute a history command. The command line interpreter searches for target not fully matching the keywords. It is ok for you to key in the whole keyword or part of it, as long as it is unique and not ambiguous. 3.2 Command Line configure mode The command line provides the following configure mode: Normal EXEC mode privileged EXEC mode Global configuration mode The following table describes the function features of different views and the ways to enter or quit. Table 3-1 Function feature of command configure mode. Command mode Function Prompt Command to enter Command to exit

16 Normal EXEC mode privileged EXEC mode Show the basic information about operation and statistics Show the basic information about operation and statistics Switch> Switch# Enter right user name and password Enter <enable> and right password exit Exit returns to normal EXEC mode Global configuration mode Configure system parameters Switch(config)# Key in config in user user configure mode Exit returns to user configure mode 3.3 Features and Functions of Command Line Online Help of Command Line The command line interface provides the following online help modes. Full help Partial help You can get the help information through these online help commands, which are described as follows. Input? in any configure mode to get all the commands in it and corresponding descriptions. switch#? clear Clear the screen. config Config system's setting. download Download file for software upgrade or load user config. exit Exit current mode and shift to previous mode. help Description of the interactive help system. history Config history command. kill Kill some unexpected things. logout Disconnect from switch and quit. ping Ping command to test if the net is correct. quit Disconnect from switch and quit. reboot Reboot the switch. remove Remove system configuration. sendmsg Send message to online user.

17 show Show running system information. telnet Telnet to other host or switch. terminal Set terminal line parameters. upload Upload file for software upgrade or upload user config. who Display who is connected to the switch. write Save current running configuration to flash. 1) Input a command with a? separated by a space. If this position is for keywords,all the keywords and the corresponding brief descriptions will be listed. switch(config)# port? speed Set port speed. state Set port state. type Set port type. 3) Input a command with a? separated by a space. If this position is for parameters,all the parameters and their brief descriptions will be listed. switch(config)# port speed Set port speed. state Set port state. add Add a port vlan. set Set a port vlan. delete Delete vlan entry. 4) Input a character string with a?, then all the commands with this character string as their initials will be listed. switch(config)# a? arp Config system's setting.. 5) Input a command with a character string and?, then all the key words with this character string as their initials in the command will be listed. switch# show ve? version Display SPROS version.

18 6) Input the first letters of a keyword of a command and press <Tab> key. If no other keywords are headed by this letters, then this unique keyword will be displayed automatically Displaying Characteristics of Command Line Command line interface provides the following display characteristics: For users convenience, the instruction and help information can be displayed in both English and Chinese. For the information to be displayed exceeding one screen, pausing function is provided. In this case, users can have three choices, as shown in the table below. Table 3-2 Functions of displaying Key or Command Press <Q> when the display pauses Press any key when the display pauses Press <Enter> when the display pauses Function Stop displaying and executing command. Continue to display the next screen of information. Continue to display the next line of information History Command of Command Line Command line interface provides the function similar to that of DosKey. The commands entered by users can be automatically saved by the command line interface and you can invoke and execute them at any time later. History command buffer is defaulted as 10. That is, the command line interface can store 10 history commands for each user.the operations are shown in the table below. Table 3-3 Retrieving history command Operation Key Result Display history command history Display history command by user inputting Retrieve the previous history command Up cursor key <> or <Ctrl+P> command, if there is any.

19 Retrieve the next history command Down Down cursor key <> or <Ctrl+N> Retrieve the next history command, if there is any Common Command Line Error Messages All the input commands by users can be correctly executed, if they have passed the grammar check. Otherwise, error messages will be reported to users. The common error messages are listed in the following table. Table 3-4 Common command line error messages Error messages Causes Unrecognized command Cannot find the command. Cannot find the keyword. Wrong parameter type. The value of the parameter exceeds the range. Incomplete command Too many parameters Ambiguous command The input command is incomplete. Enter too many parameters. The parameters entered are not specific Editing Characteristics of Command Line Command line interface provides the basic command editing function and supports to edit multiple lines. A command cannot longer than 256 characters. See the table below. Table 3-5 Editing functions Key Function Common keys Insert from the cursor position and the cursor moves to the right, if the edition buffer still has free space.

20 Backspace Move the cursor a character backward Leftwards cursor key <> or <Ctrl+B> Move the cursor a character backward Rightwards cursor key <> or <Ctrl+F> Move the cursor a character forward Up cursor key <> or <Ctrl+P> Down cursor key <> or <Ctrl+N> Retrieve the history command. <Tab> Press <Tab> after typing the incomplete key word and the system will execute the partial help: If the key word matching the typed one is unique, the system will replace the typed one with the complete key word and display it in a new line; if there is not a matched key word or the matched key word is not unique, the system will do no modification but display the originally typed word in a new line.

21 Chapter 4 Basic Configuration Stephen Technologies Co.,Limited 4.1 Console Connection The CLI program provides two different command levels normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level. Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1. To initiate your console connection, press <Enter>. The User Access Verification procedure starts. 2. At the <Login:> prompt, enter admin. 3. At the Password prompt, direct press enter (The default password not set.) 4. The session is opened and the CLI displays the switch> prompt indicating you have access at the Normal Exec level. 5. At the switch> prompt,enter enable. 6. At the Password prompt, direct press enter (The default password not set.) 7. The session is opened and the CLI displays the switch# prompt indicating you have access at the Privileged Exec level. 4.2 Navigating the Web Browser Interface To connect to the switch, use the URL: where a.b.c.d is the IP address assigned to the switch After the connection is established with the switch, the browser will display the login screen as shown in Figure 4-1:

22 Figure 4-1 User Authentication Window On entering a valid password and user name, WEB management interface will be presented to the user as shown in Figure 4-2:

23 Figure 4-2 WEB Management Interface The navigation tree displayed on the left side of the browser window should be used for choosing appropriate configuration screens. It is organized into folders for configuration of different features supported by the switch. The right side of the browser window shows the corresponding configuration screens. 4.3 Setting Console Baud Rate I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set console baud rate.

24 Command Purpose Step 1 config terminal Enter global configuration mode. Stephen Technologies Co.,Limited Step 2 serial speed rate Setting console baud rate. Rate : By default,rate is Step 3 exit Return to privileged EXEC mode. Step 4 show serial Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click Switch Information, Serial Configuration, Select Baud Rate, then click Apply. 4.4 Creating user and setting password When you create new user,the default user is deleted automatically. Beginning in privileged EXEC mode, follow these steps to create user and set password. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 user add user-name login-password login-password Create user and set login password.

25 login-password Step 3 Step 4 Step 5 user login-password user-name <CR> Input new login password for user abc please. New Password: Confirm Password: user enable-password user-name <CR> Input new enable password for user abc please. New Password: Confirm Password: user role user-name {NORMA ADMIN enable-password enable-password} (optional) Change login password. (optional) Set or change enable password. (optional) Change user access level. Step 6 exit Return to privileged EXEC mode. Step 7 user list Verify your entries. Step 8 write (Optional) Save your entries in the configuration file. 4.5 Setting system service The system provide SNMP telnet and webserver services, you can enable or disable these service. Beginning in privileged EXEC mode, follow these steps to set system service. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 service snmp {enable disable } Step 3 service telnet {enable disable } Step 4 webserver service {enable disable} Step 5 Enabling/disabling SNMP service. Enabling/disabling telnet service. Enabling/disabling webserver service. When webserver service enabled, you can management the switch through WEB. webserver password reset (optional) Reset web password to default. By default the web login user name is admin, login password is password. You can change the password through WEB.

26 Step 6 exit Return to privileged EXEC mode. Step 7 show services Verify your entries. Step 8 write (Optional) Save your entries in the configuration file. 4.6 Setting system contact/name/location information for SNMP I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set system contact/name/location information. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 system contact string Setting system contact information for SNMP. Step 3 system name string Setting system name for SNMP. Step 4 system location string Setting system location information for SNMP. Step 5 exit Return to privileged EXEC mode. Step 6 show system config Verify your entries. Step 7 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click Switch Information, System Configuration, Specify System Name System Location System Contact Product Name, then click Apply.

27 4.7 Setting system management IP Address I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set system management IP address. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 Ip address ip-addrss mask Setting system management IP address. By default the management IP address is Step 3 exit Return to privileged EXEC mode. Step 4 show ip address Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click Switch information, Switch Configuration, Specify IP Address and subnet mask then

28 click Apply. 4.8 Setting default gateway I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set system management IP address. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 gateway ip-addrss Setting system management IP address. Step 3 exit Return to privileged EXEC mode. Step 4 show gateway Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click Switch information, Switch Configuration, Specify gateway Address then click Apply.

29 4.9 Restore system to default configuration you can use remove command to resume the startup-configuration to default configuration, after that you must reboot the system. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to restore system to default configuration. Command Purpose Step 1 remove Save your entries in the configuration file. Step 2 reboot Reboot the system. II. WEB configuration: Click Switch Information, Switch Configuration, Specify Reset(reset factory default), then click Apply.

30 4.10 Reboot system I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to restart the system. Command Purpose Step 1 reboot Reboot the system. II. WEB configuration: Click Switch Information, Switch Configuration, Specify Reset (reset), then click Apply.

31 Chapter 5 Port Configuration Stephen Technologies Co.,Limited 5.1 Ethernet Port Overview STES2026 Ethernet Switches provides 24 10/100Mbps electrical ports and two Gigabit optical ports. The 10/100Mbps electrical ports support MDI/MDI-X auto-sensing and can work in half duplex, full duplex or auto-negotiation mode. They can negotiate with other network devices to choose optimum duplex mode and speed. The Gigabit optical ports work in Gigabit full duplex mode, which need not configuring. 5.2 Ethernet Port Configuration Ethernet port configuration includes: Enabling/disabling an Ethernet port Setting the duplex attribute for the Ethernet port Setting speed for the Ethernet port Setting the Ethernet port broadcast suppression ratio Setting port mirror Setting rate Limits Enabling/Disabling an Ethernet Port The following command can be used for disabling or enabling the port. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to enable an Ethernet port. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 port state port-number enable Enable an Ethernet port.

32 Step 3 exit Return to privileged EXEC mode. Step 4 show port port-number Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. By default, the port is enabled. To disable a port, use port state port-number disable global configuration command. II. WEB configuration: Click Port Controls, Select Port, Specify State, then click Apply Setting the Duplex Attribute and speed of the Ethernet Port To configure a port to send and receive data packets at the same time, set it to full-duplex. To configure a port to either send or receive data packets at a time, set it to half-duplex. If the port has been set to auto-negotiation mode, the local and peer ports will automatically negotiate about the duplex mode. You can use the following command to set the speed on the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports will automatically negotiate about the port speed.

33 I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to setting the duplex attribute and speed of the Ethernet port. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 Step 3 port speed portnumber {100f 100h 10f 10h Auto} port speed portnumber {1000f 1000h 100f 100h 10f 10h Auto} Setting the duplex attribute and speed for fast Ethernet port Setting the duplex attribute and speed for Gigabit Ethernet port Step 4 exit Return to privileged EXEC mode. Step 5 show port port-number Verify your entries. Step 6 write (Optional) Save your entries in the configuration file. Note that, 10/100Mbps electrical Ethernet port can operate in full-duplex, half-duplex or auto-negotiation mode. The Gigabit electrical Ethernet port can operate in full duplex,half duplex or auto-negotiation mode. When the port operates at 1000Mbps, the duplex mode can be set to full (full duplex) or auto (auto-negotiation). The optical 100M/Gigabit Ethernet ports work in full duplex mode, which need not configuring. The port defaults the auto (auto-negotiation) mode. Note that, the 10/100Mbps electrical Ethernet port can operate at 10Mbps and 100Mbps as per different requirements. The electrical Gigabit Ethernet port can operate at 10Mbps, 100Mbps, or 1000Mbps as per different requirements. However in half duplex mode, the port cannot operate at 1000Mbps. The 100M optical Ethernet port supports 100Mbps; the Gigabit optical Ethernet port supports1000mbps, which need not configuring. By default, the speed of the port is in auto mode. II. WEB configuration: Click Port Controls, Select Port, Specify Set Speed, then click Apply.

34 5.2.3 Enabling/Disabling Flow Control for the Ethernet Port After enabling flow control in both the local and the peer switch, if congestion occurs in the local switch, the switch will inform its peer to pause packet sending. Once the peer switch receives this message, it will pause packet sending, and vice versa. In this way, packet loss is reduced effectively. The flow control function of the Ethernet port can be enabled or disabled through the following command. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to enable flow control for the Ethernet port. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 l2-control port port-number flow-control enable back-pressure enable Enable Ethernet port flow control. When a port works on full state, flow control use 802.3x mode. When a port works on half state, flow control use back pressure mode. Step 3 exit Return to privileged EXEC mode. Step 4 show control flow Verify your entries.

35 Step 5 write (Optional) Save your entries in the configuration file. To disable flow control, use the l2-control port port-number flow-control disable back-pressure disable global configuration command. II. WEB configuration: Click Port Controls, Select Port, Specify Flow Control and Back Pressure state, then click Apply Setting the Ethernet Port Broadcast Suppression You can use the following commands to restrict the broadcast traffic. Once the broadcas traffic exceeds the value set by the user, the system will maintain an appropriate broadcas packet number by discarding the overflow traffic, so as to suppress broadcas storm, avoid suggestion and ensure the normal service. The parameter is taken the maximum wire speed ratio of the broadcast traffic allowed on the port. The smaller of the ratio is, the smaller the broadcas traffic is allowed. I. CLI configuration:

36 Beginning in privileged EXEC mode, follow these steps to Set the Ethernet Port Broadcast Suppression. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 misc broadcast filter-mode Setting Broadcast Suppression {five-percent ten-percent fifteen-percent twenty-percent twenty-five-percent disable} Step 3 exit Return to privileged EXEC mode. Step 4 show control rate Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click Misc Settings, Specify Broadcast Storm Filter Mode, then click Apply Setting Port Mirroring Port mirroring duplicates data on the monitored port to the designated monitoring port, for purpose of data analysis and supervision. The switch supports multiple-to-one mirroring, that is, you can duplicate packets from multiple ports to a monitoring port.

37 I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set port mirroring. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 mirror analysis-port port-number Step 3 mirror monitored-port port-list Step 4 mirror mirror-mode {both ingress egress disable} Set target port Setting source port. Setting mirror mode. Step 5 exit Return to privileged EXEC mode. Step 6 show mirror all Verify your entries. Step 7 write (Optional) Save your entries in the configuration file. To delete mirror source port, use no mirror monitored-port global configuration command. To delete target port,use no mirror analysis-port global configuration command. Note: Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port. All mirror sessions have to share the same destination port. When mirroring port traffic, the target port must be included in the same VLAN as the source port. II. WEB configuration: Click Port Mirroring, Specify Mirror-Mode Analysis-port and Monitored-Port, then click Apply.

38 5.2.6 Setting rate limits This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or outof the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity. Non-conforming traffic is dropped, conforming traffic is forwarded without any changes. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set rate limits. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 traffic-limit port port-number Setting rate limits. ingress {number default} [egress {number default}] Step 4 exit Return to privileged EXEC mode. Step 5 show traffic-limit port port-number Verify your entries. Step 6 write (Optional) Save your entries in the configuration file. II. WEB configuration:

39 Click Port Controls, Select Port, Specify Ingress Bandwidth and Egress Bandwidth, then click Apply.

40 Chapter 6 Link Aggregation Configuration 6.1 Overview Link aggregation means aggregating several ports together to implement the outgoing/incoming payload balance among the member ports and enhance the connection reliability. In terms of load sharing, link aggregation may be load sharing aggregation and non-load sharing aggregation. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to seven One switch can support up to seven aggregation groups, with each group containing a maximum of four ports. 6.2 Configuring a Link Aggregation When configuring Link aggregation, you may not be able to link switches of different types, depending on the manufacturer s implementation. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to configure a link aggregation. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 channel-group add group-number port-list Configure a statically link aggregation. Group-number range is 1 to 7. Port-list is member, format is port-number+ m, such as 01m. Step 3 exit Return to privileged EXEC mode. Step 4 show channel-group Verify your entries. Step 5 write (Optional) Save your entries in the configuration file.

41 To delete a trunk, use the channel-group delete group-number global configuration command. II. WEB configuration: Click Channel Group, Enter TrunkID, Specify channel group port member, then click Apply.

42 Chapter 7 VLAN Configuration Stephen Technologies Co.,Limited 7.1 VLAN Overview Virtual Local Area Network (VLAN) groups the devices of a LAN logically but not physically into segments to implement the virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, which was intended to standardize VLAN implementation solutions. Through VLAN technology, network managers can logically divide the physical LAN into different broadcast domains. Every VLAN contains a group of workstations with the same demands. The workstations of a VLAN do not have to belong to the same physical LAN segment. With VLAN technology, the broadcast and unicast traffic within a VLAN will not be forwarded to other VLANs, therefore, it is very helpful in controlling network traffic, saving device investment, simplifying network management and improving security. 7.2 Configuring VLAN VLAN configuration includes: Selecting VLAN mode Configuring 802.1Q VLAN Configuring port VLAN. As same time, the switch only selects one VLAN mode Selecting VLAN mode This switch support 802.1Q VALN port-based VLAN, you can use the following command to select VLAN mode. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to select VLAN mode.

43 Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 vlan mode set { 8021q port disable } Selecting VLAN mode. Stephen Technologies Co.,Limited Disable indicate the switch runs no VLAN mode. Step 3 exit Return to privileged EXEC mode. Step 4 show vlan mode Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click VLAN Mode, Specify Vlan Mode State, then click Apply Configuring 802.1Q VLAN Configuring 802.1Q VLAN include: Creating/deleting a VLAN. Setting pvid range. Setting VLAN port pvid. Specifying or removing a VALN port. You can use the following command to configure a VLAN. I. CLI configuration:

44 Beginning in privileged EXEC mode, follow these steps to configure a VLAN. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 vlan static add vid vid port-list Create a VLAN. Vid:1~4096 Port-list: port-number+u m, u indicate untag port and m indicate tag port vlan pvid-range { } Vlan port pvid port-number pvid vlan static set vid vid port-list Setting pvid range, as same time pvid is only one of these value range. Note: If you change pvid range, you must confirm the new pvid range include all VLAN ID of vlan existed Setting VLAN port pvid Modifying an exist VLAN. Port-list: port-number+u m -, u indicate untag port m indicate tag port and - indicate remove a port from the VLAN. Step 3 exit Return to privileged EXEC mode. Step 4 show vlan table Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Creating VLAN and Setting PVID range Click 802.1q-based Vlan, Static VLAN Configuration, Specify PVID-RANGE, Enter VID, Specify VLAN port, then click Apply.

45 Setting VLAN port pvid Click 802.1q-based Vlan, VLAN/GVRP Port, Select Port, Specify PVID, then click Apply Configuring port VALN Configuring port VLAN include: Creating/deleting a port VLAN.

46 Modifying an exist port VLAN. You can use the following command to configuring port VALN. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to configuring port VALN. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 port-vlan add vid vid port-list Step 3 port-vlan set vid vid port-list Creating port VLAN. Port-list: port-number+m -, m indicate the port is a VLAN member and - indicate not a VLAN member. Step 4 exit Return to privileged EXEC mode. Step 5 show port-vlan table Verify your entries. Step 6 write (Optional) Save your entries in the configuration file. To delete a port VLAN, use the port-vlan delete vid vid global configuration command. II. WEB configuration: Click Port-based Vlan, Enter VID, Specify VLAN port, then click Apply.

47 Chapter 8 MAC Address Table Management 8.1 MAC Address Table Management Overview An Ethernet Switch maintains a MAC address table for fast forwarding packets. A table entry includes the MAC address of a device and the port ID of the Ethernet switch connected to it. The dynamic entries (not configured manually) are learned by the Ethernet switch. The Ethernet switch learns a MAC address in the following way: after receiving a data frame from a port (assumed as port A), the switch analyzes its source MAC address (assumed as MAC_SOURCE) and considers that the packets destined at MAC_SOURCE can be forwarded via the port A. If the MAC address table contains the MAC_SOURCE, the switch will update the corresponding entry, otherwise, it will add the new MAC address (and the corresponding forwarding port) as a new entry to the table. The system forwards the packets whose destination addresses can be found in the MAC address table directly through the hardware and broadcasts those packets whose addresses are not contained in the table. The network device will respond after receiving a broadcast packet and the response contains the MAC address of the device, which will then be learned and added into the MAC address table by the Ethernet switch. The consequent packets destined the same MAC address can be forwarded directly thereafter.

48 Figure 8-1 The Ethernet switch forwards packets with MAC address table The Ethernet switch also provides the function of MAC address aging. If the switch receives no packet for a period of time, it will delete the related entry from the MAC address table. However, this function takes no effect on the static MAC addresses. 8.2 MAC Address Table Configuration MAC address table management includes: Set MAC Address Aging Time. Set MAC binding. Set MAC filter Setting MAC Address Aging Time The setting of an appropriate aging time can effectively implement the function of MAC address aging. Too long or too short aging time set by subscribers will cause the problem that the Ethernet switch broadcasts a great mount of data packets without MAC addresses, which

49 will affect the switch operation performance. If aging time is set too long, the Ethernet switch will store a great number of out-of-date MAC address tables. This will consume MAC address table resources and the switch will not be able to update MAC address table according to the network change. If aging time is set too short, the Ethernet switch may delete valid MAC address table. You can use the following commands to set the MAC address aging time for the system. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set MAC aging time. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 fdb agingtime seconds Setting MAC aging time. Seconds: range is 300 to 765. By default seconds is 300. Step 3 exit Return to privileged EXEC mode. Step 4 show port-vlan table Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click Switch Information, Switch Configuration, Specify Mac Aging Time, then click Apply.

50 8.2.2 Setting MAC binding Administrators can disable system learn MAC auto and manually add, modify, or delete the entries in MAC address table according to the actual needs. Setting MAC binding include: Disabling learn MAC auto. Add static MAC. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to disable MAC learning auto. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 fdb mac_learning disable port port-number Disable Ethernet port MAC learning auto. fdb add static mac-address Add static MAC entry. port port-number [vlanid vlan-id] Step 3 exit Return to privileged EXEC mode.

51 Step 4 show fdb mac_learning Verify your entries. show fdb static [port port-number] Verify your entries. Stephen Technologies Co.,Limited Step 5 write (Optional) Save your entries in the configuration file. To enable learning MAC auto, use the fdb mac_learning enable port port-number global configuration command. To delete static MAC, use the fdb delete static mac-address [vlanid vlan-id] global configuration command. II. WEB configuration: Disabling learn MAC auto Click Ports Controls, Select Port, Specify Learning state, then click Apply. Setting static MAC table Click Static&Filter MAC Table, Static MAC Table, Specify MAC Address Port Number VID, then click Apply.

52 8.2.3 Setting MAC filter I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set MAC filter. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 fdb add filter mac-address [vlanid vid] Setting MAC filter. Step 3 exit Return to privileged EXEC mode. Step 4 show fdb filter Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click Static&Filter MAC Table, Filter MAC Table, Specify MAC Address VID, then click Apply.

53 Stephen Technologies Co.,Limited

54 Chapter 9 STP Configuration Stephen Technologies Co.,Limited 9.1 STP Overview The switch supports STP (spanning tree protocol).stp is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network.spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments. The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by assigning a role to each port based on the role of the port in the active topology: Root A forwarding port elected for the spanning-tree topology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root port in the spanning tree Backup A blocked port in a loopback configuration Switches that have ports with these assigned roles are called root or designated switches. Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path. Switches send and receive spanning-tree frames,called bridge protocol data units (BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-free path. BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment. When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value represents the location of a port in the network topology

55 and how well it is located to pass traffic. The path cost value represents the media speed. 9.2 Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements: The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance. The spanning-tree path cost to the root switch. The port identifier (port priority and MAC address) associated with each Layer 2 interface. When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology. Each configuration BPDU contains this information: The unique bridge ID of the switch that the sending switch identifies as the root switch The spanning-tree path cost to the root The bridge ID of the sending switch Message age The identifier of the sending interface Values for the hello, forward delay, and max-age protocol timers When a switch receives a configuration BPDU that contains superior information (lower bridge ID,lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the switch, the switch also forwards it with an updated message to all attached LANs for which it is the designated switch. If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is discarded, and superior information is propagated on the network. A BPDU exchange results in these actions: One switch in the network is elected as the root switch (the logical center of the spanning-tree topology in a switched network). In a switch stack, one stack member is elected as the stack root switch. The stack root switch contains the outgoing root port (Switch 1), as shown in Figure 8-1.

56 For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is elected as the root switch. If all switches are configured with the default priority (32768), the switch with the lowest MAC address in the VLAN becomes the root switch. The switch priority value occupies the most significant bits of the bridge ID, as shown in Table 8-1. A root port is selected for each switch (except the root switch). This port provides the best path (lowest cost) when the switch forwards packets to the root switch. When selecting the root port on a switch stack, spanning tree follows this sequence: Selects the lowest root bridge ID Selects the lowest path cost to the root switch Selects the lowest designated bridge ID Selects the lowest designated path cost Selects the lowest port ID Only one outgoing port on the root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 9-1. The shortest distance to the root switch is calculated for each switch based on the path cost. A designated switch for each LAN segment is selected. The designated switch incurs the lowest pathcost when forwarding packets from that LAN to the root switch. The port through which the designated switch is attached to the LAN is called the designated port.

57 Figure 9-1 Spanning-Tree Port States in a Switch Stephen Technologies Co.,Limited All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode. 9.3 Bridge ID, Switch Priority, and Extended System ID The IEEE 802.1D standard requires that each switch has an unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have as many different bridge IDs as VLANs configured on it. Each VLAN on the switch has a unique 8-byte bridge ID. The two most-significant bytes are used for the switch priority, and the remaining six bytes are derived from the switch MAC address. The switch supports the 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID. As shown in Table 9-1, the two bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID. Table 9-1 Switch Priority Value and Extended System ID Spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree MAC address to make the bridge ID unique for each VLAN. Because the switch stack appears as a single switch to the rest of the network, all switches in the stack use the same bridge ID for a given spanning tree. If the stack master fails, the stack members recalculate their bridge IDs of all running spanning trees based on the new MAC address of the new stack master. Support for the extended system ID affects how you manually configure the root switch, the secondary root switch, and the switch priority of a VLAN. For example, when you change the switch priority value,you change the probability that the switch will be elected as the root switch. Configuring a higher value decreases the probability; a lower value increases the probability.

58 9.4 Spanning-Tree Interface States Stephen Technologies Co.,Limited Propagation delays can occur when protocol information passes through a switched LAN. As a result,topology changes can take place at different times and at different places in a switched network. When an interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops. Interfaces must wait for new topology information to propagate through the switched LAN before starting to forward frames. They must allow the frame lifetime to expire for forwarded frames that have used the old topology. Each Layer 2 interface on a switch using spanning tree exists in one of these states: Blocking The interface does not participate in frame forwarding. Listening The first transitional state after the blocking state when the spanning tree decides that the interface should participate in frame forwarding. Learning The interface prepares to participate in frame forwarding. Forwarding The interface forwards frames. Disabled The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port. An interface moves through these states: From initialization to blocking From blocking to listening or to disabled From listening to learning or to disabled From learning to forwarding or to disabled From forwarding to disabled Figure 9-2 illustrates how an interface moves through the states.

59 Figure 9-2 Spanning-Tree Interface States Stephen Technologies Co.,Limited When you power up the switch, spanning tree is enabled by default, and every interface in the switch,vlan, or network goes through the blocking state and the transitory states of listening and learning.spanning tree stabilizes each interface at the forwarding or blocking state. When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs: 1. The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state. 2. While spanning tree waits the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer. 3. In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database. 4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state,where both learning and frame forwarding are enabled Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch. If there is only one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to the listening state. An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions: Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives BPDUs Listening State The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding. An interface in the listening state performs these functions:

60 Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives BPDUs Learning State A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the listening state. An interface in the learning state performs these functions: Discards frames received on the interface Discards frames switched from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state. An interface in the forwarding state performs these functions: Receives and forwards frames received on the interface Forwards frames switched from another interface Learns addresses Receives BPDUs Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree.an interface in the disabled state is nonoperational. A disabled interface performs these functions: Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Does not receive BPDUs

61 9.5 How a Switch or Port Becomes the Root Switch or Root Port If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 9-3, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the numerical value) of the idealswitch so that it becomes the root switch, you force a spanning-tree recalculation to form a new topology with the ideal switch as the root. Figure 9-3 Spanning-Tree Topology When the spanning-tree topology is calculated based on default parameters, the path between source and destination end stations in a switched network might not be ideal. For instance, connecting higher-speed links to an interface that has a higher number than the root port can cause a root-port change. The goal is to make the fastest link the root port. For example, assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B (a 10/100 link) is the root port. Network traffic might be more efficient over the Gigabit Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port. 9.6 Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 9-4. Spanning tree

62 automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled. If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value. Figure 9-4 Spanning Tree and Redundant Connectivity You can also create redundant links between switches by using Channel groups. 9.7 Spanning-Tree Address Management IEEE 802.1D specifies 17 multicast addresses, ranging from 0x00180C to 0x0180C , to be used by different bridge protocols. These addresses are static addresses that cannot be removed. Regardless of the spanning-tree state, each switch in the stack receives but does not forward packets destined for addresses between 0x0180C and 0x0180C200000F. If spanning tree is enabled, the CPU on each switch in the stack receives packets destined for 0x0180C and 0x0180C If spanning tree is disabled, each switch in the stack forwards those packets as unknown multicast addresses. 9.8 Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes, the default setting of the mac address-table aging-time global configuration command. However, a spanning-tree reconfiguration can cause many station locations to change. Because these stations could be

63 unreachable for 5 minutes or more during a reconfiguration, the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. The accelerated aging is the same as the forward-delay parameter value when the spanning tree reconfigures. 9.9 Configuring STP Features These sections describe how to configure spanning-tree features: Configure the Bridge priority for a switch Configure the time parameters of a switch Configure the priority of a port Enable/disable STP on the device Enable/disable STP on a port Configure the Bridge Priority for a Switch Whether a switch can be elected as the spanning tree root depends on its Bridge priority. The switch configured with a smaller Bridge priority is more likely to become the root. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to configure the Bridge priority for a switch. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 spanning-tree bridge Configure the Bridge priority of the Designated priority priority bridge. Step 3 exit Return to privileged EXEC mode. Step 4 show spanning-tree bridge Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. Note:

64 For priority, the range is 1 to 65535; the default is The lower the number, the more likely the switch will be chosen as the root switch. Caution: In the process of spanning tree root election, of two or more switches with the lowest Bridge priorities, the one has a smaller MAC address will be elected as the root. II. WEB configuration: Click Spanning Tree, Spanning Tree Bridge Parameters, Specify Priority, then click Apply Configure the Time Parameters of a Switch The switch has three time parameters, Forward Delay, Hello Time, and Max Age.Forward Delay is the switch state transition mechanism. The spanning tree will be recalculated upon link faults and its structure will change accordingly. However, the configuration BPDU recalculated cannot be immediately propagated throughout the network. The temporary loops may occur if the new root port and designated port forward data right after being elected.

65 Therefore the protocol adopts a state transition mechanism. It takes a Forward Delay interval for the root port and designated port to transit from the learning state to forwarding state. The Forward Delay guarantees a period of time during which the new configuration BPDU can be propagated throughout the network. The switch sends Hello packet periodically at an interval specified by Hello Time to check if there is any link fault. Max Age specifies when the configuration BPDU will expire. The switch will discard the expired configuration BPDU. You can use the following command to configure the time parameters for the switch. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to configure the Bridge priority for a switch. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 Step 3 Step 4 spanning-tree bridge forward centiseconds spanning-tree bridge hellotime centiseconds spanning-tree bridge maxage centiseconds Configure Forward Delay on the switch. For forward delay, the range is 400 to 3000; the default is Configure Hello Time on the switch. For hello time, the range is 100 to 1000; the default is 200. Configure Max Age on the switch. For Max Age, the range is 10 to ; the default is Step 5 exit Return to privileged EXEC mode. Step 6 show spanning-tree bridge Verify your entries. Step 7 write (Optional) Save your entries in the configuration file. Caution: The Forward Delay configured on a switch depends on the switching network diameter.generally, the Forward Delay is supposed to be longer when the network diameter is longer. Note that too short a Forward Delay may redistribute some redundant routes

66 temporarily, while too long a Forward Delay may prolong the network connection resuming. The default value is recommended. A suitable Hello Time ensures the switch to detect the link fault on the network but occupy moderate network resources. The default value is recommended. If you set too long a Hello Time, when there is packet dropped over a link, the switch may consider it as link fault and the network device will recalculate the spanning tree accordingly.however, for too short a Hello Time, the switch frequently sends configuration BPDU,which adds its burden and wastes the network resources. Too short a Max Age may cause the network device frequently calculate the spanning tree and mistake the congestion as link fault. However, if the Max Age is too long, the network device may not be able to discover the link fault and recalculate the spanning tree in time, which will weaken the auto-adaptation capacity of the network. The default value is recommended. To avoid frequent network flapping, the values of Hello Time, Forward Delay and Maximum Age should guarantee the following formulas equal. 2 * (forward-delay - 1seconds) >= maximum-age maximum-age >= 2 * (hello seconds) You are recommended to use the stp root primary command to specify the network diameter and Hello Time of the switching network, thus MSTP will automatically calculate and give the rather desirable values. II. WEB configuration: Click Spanning Tree, Spanning Tree Bridge Parameters, Specify Hello Time Forward Delay Max Age, then click Apply.

67 9.9.4 Configure Port Priority If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to configure the port priority. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 spanning-tree port port-number priority priority Configure port priority For priority, the range is 1 to 255; the default is 128. Step 3 exit Return to privileged EXEC mode. Step 4 show spanning-tree bridge Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration:

68 Click Spanning Tree, Spanning Tree Port Parameters, Select Port, Specify Priority, then click Apply Enable/Disable STP on the Device You can use the following command to enable STP on the device. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to enable stp on the device. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 system span enable Enable STP on a device Step 3 exit Return to privileged EXEC mode. Step 4 show system config Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. To disable STP on a device, use ssystem span disable global configuration command.

69 Only if STP has been enabled on the device will other STP configurations take effect. By default, STP is disabled. II. WEB configuration: Click Spanning Tree, Spanning Tree State, Specify Spanning Tree Protocol state, then click Apply Enable/Disable STP on a Port You can use the following command to enable/disable STP on a port. You may disable STP on some Ethernet ports of a switch to spare them from spanning tree calculation. This is a measure to flexibly control STP operation and save the CPU resources of the switch. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to enable stp on a port. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 spanning-tree port Enable STP on a device port-number enable Step 3 exit Return to privileged EXEC mode. Step 4 show spanning-tree ports Verify your entries. Step 5 write (Optional) Save your entries in the configuration file.

70 To disable STP on a port, use spanning-tree port port-number disable global configuration command. Note that redundant route may be generated after STP is disabled. By default, STP is enabled on all the ports after it is enabled on the device. II. WEB configuration: Click Spanning Tree, Spanning Tree Port Parameters, Select Port, Specify Enable, then click Apply.

71 Chapter 10 QoS Configuration Stephen Technologies Co.,Limited Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with two priority queues for each port. Data packets in a port s high-priority queue will be transmitted before those in the lower-priority queues. You can set the priority for each interface, and configure the mapping of frame priority tags to the switch s priority queues Enabling/disabling queues service The following command can be used to enable/disable queues service. I. WEB configuration: Click Switch Information, Switch Configuration, Specify Traffic Classes state, then click Apply Setting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a

72 higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set the Queue mode. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 traffic-policy running-mode Setting the Queue running mode. { strict-priority weight-round-ratio [high-weight high-weight low-weight low-weight] fcfs-queue } Step 3 exit Return to privileged EXEC mode. Step 4 show traffic-policy all Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. Note: High-weight + low-weight must less than 7. I. WEB configuration: Click Misc Settings, Quality of Service, Specify Running-Mode and Setting High-weight and Low-weight value, Specify QoS Policy, then click Apply.

73 Stephen Technologies Co.,Limited

74 Chapter x Configuration Stephen Technologies Co.,Limited x Overview x Standard Overview IEEE 802.1x (hereinafter simplified as 802.1x) is a Port Based Network Access Control protocol. IEEE issued it in 2001 and suggested the related manufacturers should use the protocol as the standard protocol for LAN user access authentication. The 802.1x originated from the IEEE standard, which is the standard for wireless LAN user access. The initial purpose of 802.1x was to implement the wireless LAN user access authentication. Since its principle is commonly applicable to all the LANs complying with the IEEE 802 standards, the protocol finds wide application in wired LANs.In the LANs complying with the IEEE 802 standards, the user can access the devices and share the resources in the LAN through connecting the LAN access control device like the LAN Switch. However, in telecom access, commercial LAN (a typical example is the LAN in the office building) and mobile office etc., the LAN providers generally hope to control the user s access. In these cases, the requirement on the above-mentioned Port Based Network Access Control originates. As the name implies, Port Based Network Access Control means to authenticate and control all the accessed devices on the port of LAN access control device. If the user s device connected to the port can pass the authentication, the user can access the resources in the LAN. Otherwise, the user cannot access the resources in the LAN. It equals that the user is physically disconnected x defines port based network access control protocol and only defines the point-to-point connection between the access device and the access port. The port can be either physical or logical. The typical application environment is as follows: Each physical port of the LAN Switch only connects to one user workstation (based on the physical port) and the wireless LAN access environment defined by the IEEE standard (based on the logical port), etc.

75 x System Architecture The system using the 802.1x is the typical C/S (Client/Server) system architecture. It contains three entities, which are illustrated in the following figure: Supplicant System,Authenticator System and Authentication Sever System. The LAN access control device needs to provide the Authenticator System of 802.1x.The devices at the user side such as the computers need to be installed with the 802.1x client Supplicant software, for example, the 802.1x client provided by CHIMA (or by Microsoft Windows XP). The 802.1x Authentication Sever system normally stays in the carrier s AAA center. Authenticator and Authentication Sever exchange information through EAP (Extensible Authentication Protocol) frames. The Supplicant and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame, which is to be encapsulated in the packets of other AAA upper layer protocols (e.g. RADIUS) so as to go through the complicated network to reach the Authentication Server. Such procedure is called EAP Relay. There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the other is the Controlled Port. The Uncontrolled Port is always in bi-directional connection state. The user can access and share the network resources any time through the ports.the Controlled Port will be in connecting state only after the user passes the authentication. Then the user is allowed to access the network resources. Figure x system architecture

76 x Authentication Process 802.1x configures EAP frame to carry the authentication information. The Standard defines the following types of EAP frames: EAP-Packet: Authentication information frame, used to carry the authentication information. EAPoL-Start: Authentication originating frame, actively originated by the Supplicant. EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state. EAPoL-Key: Key information frame, supporting to encrypt the EAP packets. EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert Standard Forum (ASF). The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicant and the Authenticator. The EAP-Packet information is re-encapsulated by the Authenticator System and then transmitted to the Authentication Server System. The EAPoL-Encapsulated-ASF-Alert is related to the network management information and terminated by the Authenticator x provides an implementation solution of user ID authentication. However, 802.1x itself is not enough to implement the scheme. The administrator of the access device should configure RADIUS or local authentication so as to assist 802.1x to implement the user ID authentication Implement 802.1x on Ethernet Switch SPEED Series Ethernet Switches not only support the port access authentication method regulated by 802.1x, but also extend and optimize it in the following way: Support to connect several End Stations in the downstream via a physical port. The access control (or the user authentication method) can be based on MAC address. In this way, the system becomes much securer and easier to manage x Configuration The Main 802.1x configuration includes: Enabling/Disabling 802.1x Setting port authentication state Setting maximum number of users via each port

77 Enabling/Disabling 802.1x The following command can be used to enable/disable the 802.1x on globally. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to enable/disable 802.1x. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 dot1x system-auth-control Enable 802.1x. enable Step 3 exit Return to privileged EXEC mode. Step 4 show dot1x Verify your entries. system-auth-control Step 5 write (Optional) Save your entries in the configuration file. To disable 802.1x,use dot1x system-auth-control disable global configuration command. II. WEB configuration: Click 802.1x Authentication, 802.1x Authentication, Specify 802.1x Authenticate Service state, then click Apply.

78 Setting port authentication state The following command can be used to set port authentication state. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set port authentication state. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 dot1x ports port-list Set port authentication state. Port-list: format is port-number+ m/- ; m indicate member, - indicate not a member. Step 3 exit Return to privileged EXEC mode. Step 4 show dot1x ports Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click 802.1x Authentication, 802.1x Authentication, Specify 802.1x Authenticate Ports status, then click Apply.

79 Setting Supplicant Number on a Port The following commands are used for setting number of users allowed by 802.1x on specified port. When no port is specified, all the ports accept the same number of supplicants. Beginning in privileged EXEC mode, follow these steps to set maximum number of users via each port. I. CLI configuration: Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 dot1x multiple-host-num Set maximum number of users via each port. number Number range is 1 to 256. Step 3 exit Return to privileged EXEC mode. Step 4 show dot1x ports Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click 802.1x Authentication, 802.1x Authentication, Specify 802.1x Authenticate Ports status, then click Apply.

80 Chapter 12 RADIUS Protocol Configuration 12.1 RADIUS Protocol Overview I. What is RADIUS Remote Authentication Dial-In User Service, RADIUS for short, is a kind of distributed information switching protocol in Client/Server architecture. RADIUS can prevent the network from interruption of unauthorized access and it is often used in the network environments requiring both high security and remote user access. For example, it is often used for managing a large number of scattering dial-in users who use serial ports and modems. RADIUS system is the important auxiliary part of Network Access Server (NAS). After RADIUS system is started, if the user wants to have right to access other network or consume some network resources through connection to NAS (dial-in access server in PSTN environment or Ethernet switch with access function in Ethernet environment), NAS, namely RADIUS client end, will transmit user AAA request to the RADIUS server.radius server has a user database recording all the information of user authentication and network service access. When receiving user s request from NAS, RADIUS server performs AAA through user database query and update and returns the configuration information and accounting data to NAS. Here, NAS controls supplicant and corresponding connections, while RADIUS protocol regulates how to transmit configuration and accounting information between NAS and RADIUS. NAS and RADIUS exchange the information with UDP packets. During the interaction,both sides encrypt the packets with keys before uploading user configuration information (like password etc.) to avoid being intercepted or stolen. II. RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication. The operation process is as follows: First, the user send request message (the client username and encrypted password is included in the message ) to RADIUS server. Second, the user will receive from RADIUS server various kinds of response messages in which the ACCEPT message indicates that the user has passed the authentication, and the REJECT message indicates that the user has not passed the

81 authentication and needs to input username and password again, otherwise he will be rejected to access Implementing RADIUS on Ethernet Switch By now, we understand that in the above-mentioned RADIUS framework, SPEED Series Ethernet Switches, serving as the user access device or NAS, is the client end of RADIUS. In other words, the RADIUS concerning client-end is implemented on SPEED Series Ethernet Switches Configuring RADIUS Protocol RADIUS protocol configuration includes: Enable/disable radius client service Setting radius client ip address Setting a real-time accounting interval Setting IP Address of RADIUS Server Setting Port Number of RADIUS Server Setting RADIUS packet encryption key Enable/disable radius client service I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to enable radius client service. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 radiusclient service enable Enable radius client service. Step 3 exit Return to privileged EXEC mode. Step 4 show radiusclient service Verify your entries. Step 5 write (Optional) Save your entries in the configuration file.

82 To disable radius client service,use radiusclient service disable global configuration command. II. WEB configuration: Click 802.1x Authentication, Radius Client, Specify Radius service state, then click Apply Setting radius client ip address I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to setting radius client ip address. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 radiusclient ipaddress Setting radius client ip address. ip-address Ip-address is vlan interface ip address. Step 3 exit Return to privileged EXEC mode. Step 4 show radiusclient ipaddress Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration:

83 Click 802.1x Authentication, Radius Client, Specify Client IP address, then click Apply Setting a Real-time Accounting Interval To implement real-time accounting, it is necessary to set a real-time accounting interval.after the attribute is set, NAS will transmit the accounting information of online users to the RADIUS server regularly. You can use the following command to set a real-time accounting interval. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to setting a real-time accounting interval. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 radiusclient accounting interval minutes Setting a real-time accounting interval. Minutes must be same as radius server setting. When minutes is set to 0,the radius client does not sent update message to radius server. Step 3 exit Return to privileged EXEC mode. Step 4 show radiusclient accounting interval Verify your entries. Step 5 write (Optional) Save your entries in the configuration file.

84 II. WEB configuration: Click 802.1x Authentication, Radius Client, Specify Client accounting intervlal, then click Apply Setting IP Address of RADIUS Server Set IP addresses for the RADIUS servers, including primary/second authentication/authorization servers and accounting servers. You can use the following commands to configure the IP address for RADIUS servers. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to setting ip address for radius server. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 radiusserver master_ipaddress ip-address Step 3 radiusserver slave_ipaddress ip-address Step 4 show radiusserver master_ipaddress Setting ip address for master radius server. (optional) Setting ip address for slave radius server Verify your entries.

85 Step 5 show radiusserver slave_ipaddress Verify your entries. Step 6 write (Optional) Save your entries in the configuration file. By default, all the IP addresses of primary/second authentication/authorization and accounting servers are II. WEB configuration: Click 802.1x Authentication, Radius Server, Specify Master Server address and Slave Radius Server address, then click Apply Setting Port of RADIUS Server Set port for the RADIUS servers, including primary/second authentication/authorization servers and accounting servers. You can use the following commands to configure the port number for RADIUS servers.

86 I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to setting port for radius server. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 radiusserver master_port authentication-port account-port Step 3 radiusserver slave_port authentication-port account-port Step 4 show radiusserver master_port Setting port for master radius server. (optional) Setting port for slave radius server Verify your entries. Step 5 show radiusserver slave_port Verify your entries. Step 6 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click 802.1x Authentication, Radius Server, Specify Master Server Authenticate port Master Server Account port and Slave Server Authenticate port Slave Server Account port, then click Apply.

87 Setting RADIUS Packet Encryption Key RADIUS client (switch system) and RADIUS server use MD5 algorithm to encrypt the exchanged packets. The two ends verify the packet through setting the encryption key.only when the keys are identical can both ends to accept the packets from each other end and give response. You can use the following commands to set the encryption key for RADIUS packets. II. WEB configuration: Beginning in privileged EXEC mode, follow these steps to setting radius packet encryption key. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 Step 3 radiusserver master_key string radiusserver slave_key string Setting encryption key for master radius server. (optional) Setting encryption key for slave radius server

88 Step 4 show radiusserver master_key Verify your entries. Stephen Technologies Co.,Limited Step 5 show radiusserver slave_key Verify your entries. Step 6 write (Optional) Save your entries in the configuration file. By default, the keys of RADIUS authentication/authorization and accounting packets are all test. II. WEB configuration: Click 802.1x Authentication, Radius Server, Specify Master Server Authenticate key and Slave Server Authenticate key, then click Apply.

89 Chapter 13 SNMP Configuration Stephen Technologies Co.,Limited 13.1 SNMP Overview By far, the Simple Network Management Protocol (SNMP) has gained the most extensive application in the computer networks. SNMP has been put into use and widely accepted as an industry standard in practice. It is used for ensuring the transmission of the management information between any two nodes. In this way,network administrators can easily search and modify the information on any node on the network. In the meantime, they can locate faults promptly and implement the fault diagnosis, capacity planning and report generating. SNMP adopts the polling mechanism and provides the most basic function set. It is most applicable to the small-sized, fast-speed and low-cost environment. It only requires the unverified transport layer protocol UDP; and is thus widely supported by many other products. In terms of structure, SNMP can be divided into two parts, namely, Network Management Station and Agent. Network Management Station is the workstation for running the client program. At present, the commonly used NM platforms include Sun NetManager and IBM NetView. Agent is the server software operated on network devices. Network Management Station can send GetRequest, GetNextRequest and SetRequest messages to the Agent. Upon receiving the requests from the Network Management Station, Agent will perform Read or Write operation according to the message types, generate and return the Response message to Network Management Station. On the other hand, Agent will send Trap message on its own initiative to the Network Management Station to report the events whenever the device encounters any abnormalities such as new device found and restart SNMP Versions and Supported MIB To uniquely identify the management variables of a device in SNMP messages, SNMP adopts the hierarchical naming scheme to identify the managed objects. It is like a tree.a tree node represents a managed object, as shown in the figure below. Thus the object can be identified with the unique path starting from the root.

90 Figure 13-1 Architecture of the MIB tree The MIB (Management Information Base) is used to describe the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network device. In the above figure, the managed object B can be uniquely specified by a string of numbers { }. The number string is the Object Identifier of the managed object. The current SNMP Agent of Ethernet switch supports SNMP V1, V2C and V3. The MIBs supported are listed in the following table. Table 13-1 MIBs supported by the Ethernet Switch MIB attribute MIB content References Public MIB MIB II based on TCP/IP network device RFC1213 BRIDGE MIB RMON MIB RFC1493 RFC2675 RFC2819 Ethernet MIB RFC2665 Private MIB VLAN MIB Device management

91 13.3 Configure SNMP Stephen Technologies Co.,Limited The main configuration of SNMP includes: Set community Name Set the Destination Address of Trap Set Trap parameters Setting Community Name SNMP V1 and SNMPV2C adopt the community name authentication scheme. The SNMP message incompliant with the community name accepted by the device will be discarded. SNMP Community is named with a character string, which is called Community Name. The various communities can have read-only or read-write access mode. The community with read-only authority can only query the device information, whereas the community with read-write authority can also configure the device. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set Community Name. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 snmp community set index string {read-only read-write } Set community string. Index: range is 1 to 8. Step 3 exit Return to privileged EXEC mode. Step 4 show snmp community Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. To delete community string,use snmp community delete index global configuration command. II. WEB configuration: Click SNMP Management, Community Configuration, Select Entry, Specify Community String and Access mode, then click Apply.

92 Setting the Destination Address of Trap You can use the following commands to set or delete the destination address of the trap. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set the Destination Address of Trap. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 snmp traps host host-number hostaddr ip-address [port udp-port] Set the destination address of trap. Host-number: range is 1 to 3. Step 3 exit Return to privileged EXEC mode. Step 4 show snmp traps Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. II. WEB configuration: Click SNMP Management, Trap Target Configuration, Select Entry, Specify Transport Address and Timeout, then click Apply.

93 Setting Trap Parameters You can use the following commands to set trap parameters. I. CLI configuration: Beginning in privileged EXEC mode, follow these steps to set trap parameters. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 snmp traps parameters Set trap parameters. index mpmodel {v1 v2c v3} securemodel {v1 v2c usm} securename string securelevel {AuthNoPriv AuthPriv noauthnopriv } Step 3 exit Return to privileged EXEC mode. Step 4 show snmp traps Verify your entries. Step 5 write (Optional) Save your entries in the configuration file.

94 II. WEB configuration: Click SNMP Management, Trap Target Configuration, Select Entry, Specify MP Model Security Model Security Level, then click Apply.

95 Chapter 14 IGMP Snooping Configuration 14.1 IGMP Snooping Overview IGMP Snooping Principle IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on the Layer 2 Ethernet switch and it is used for multicast group management and control. IGMP Snooping runs on the link layer. When receiving the IGMP messages transmitted between the host and router, the Layer 2 Ethernet switch uses IGMP Snooping to analyze the information carried in the IGMP messages. If the switch hears IGMP host report message from an IGMP host, it will add the host to the corresponding multicast table. If the switch hears IGMP leave message from an IGMP host, it will remove the host from the corresponding multicast table. The switch continuously listens to the IGMP messages to create and maintain MAC multicast address table on Layer 2. And then it can forward the multicast packets transmitted from the upstream router according to the MAC multicast address table. When IGMP Snooping is disabled, the packets are multicast on Layer 2. See the following figure:

96 Figure 14-6 Multicast packet transmission without IGMP Snooping When IGMP Snooping runs, the packets are not broadcast on Layer 2. See the following figure: Figure 13-7 Multicast packet transmission when IGMP Snooping runs

97 Implement IGMP Snooping I. Related concepts of IGMP Snooping To facilitate the description, this section first introduces some related switch concepts of IGMP Snooping: Router Port: The port of the switch, directly connected to the multicast router. Multicast member port: The port connected to the multicast member. The multicast member refers to a host joined a multicast group. MAC multicast group: The multicast group is identified with MAC multicast address and maintained by the Ethernet switch. Router port aging time: Time set on the router port aging timer. If the switch has not received any IGMP general query message before the timer times out, it considers the port no longer as a router port. Multicast group member port aging time: When a port joins an IP multicast group, the aging timer of the port will begin timing. The multicast group member port aging time is set on this aging timer. If the switch has not received any IGMP report message before the timer times out, it transmits IGMP specific query message to the port. Maximum response time: When the switch transmits IGMP specific query message to the multicast member port, the Ethernet switch starts a response timer, which times before the response to the query. If the switch has not received any IGMP report message before the timer times out, it will remove the port from the multicast member ports II. Implement Layer 2 multicast with IGMP Snooping The Ethernet switch runs IGMP Snooping to listen to the IGMP messages and map the host and its ports to the corresponding multicast group address. To implement IGMP Snooping, the Layer 2 Ethernet switch processes different IGMP messages in the way illustrated in the figure below:

98 Figure 14-8 Implement IGMP Snooping 1) IGMP general query message: Transmitted by the multicast router to the multicast group members to query which multicast group contains member. When an IGMP general query message arrives at a router port, the Ethernet switch will reset the aging timer of the port. When a port other than a router port receives the IGMP general query message, the Ethernet switch will notify the multicast router that a port is ready to join a multicast group and starts the aging timer for the port. 2) IGMP specific query message: Transmitted from the multicast router to the multicast members and used for querying if a specific group contains any member. When received IGMP specific query message, the switch only transmits the specific query message to the IP multicast group which is queried. 3) IGMP report message: Transmitted from the host to the multicast router and used for applying to a multicast group or responding to the IGMP query message. When received the IGMP report message, the switch checks if the MAC multicast group, corresponding to the IP multicast group the packet is ready to join exists. If the corresponding MAC multicast group does not exist, the switch only notifies the router that a member is ready to join a multicast group, creates a new MAC multicast group, adds the port received the message to the group, starts the port aging timer, and then adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table, and meanwhile creates an IP multicast group and adds the port

99 received the report message to it. If the corresponding MAC multicast group exists but does not contains the port received the report message, the switch adds the port into the multicast group and starts the port aging timer. And then the switch checks if the corresponding IP multicast group exists. If it does not exist, the switch creates a new IP multicast group and adds the port received the report message to it. If it exists, the switch adds the port to it. If the MAC multicast group corresponding to the message exists and contains the port received the message, the switch will only reset the aging timer of the port. 4) IGMP leave message: Transmitted from the multicast group member to the multicast router to notify that a router host left the multicast group. When received a leave message of an IP multicast group, the Ethernet switch transmits the specific query message concerning that group to the port received the message, in order to check if the host still has some other member of this group and meanwhile starts a maximum response timer. If the switch has not receive any report message from the multicast group, the port will be removed from the corresponding MAC multicast group. If the MAC multicast group does not have any member, the switch will notify the multicast router to remove it from the multicast tree IGMP Snooping Configuration The main IGMP Snooping configuration includes: Enabling/disabling IGMP Snooping Configuring the aging time of multicast group member port Among the above configuration tasks, enabling IGMP Snooping is required, while others are optional for your requirements Enabling/Disabling IGMP Snooping You can use the following commands to enable/disable IGMP Snooping to control whether MAC multicast forwarding table is created and maintained on Layer 2.

100 Beginning in privileged EXEC mode, follow these steps to enable IGMP snooping. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 sys igmp-snooping enable Enable IGMP Snooping Step 3 exit Return to privileged EXEC mode. Step 4 show system config Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. To disable IGMP snooping, use sys igmp-snooping disable global configuration command. By default, IGMP Snooping is disabled Configuring Aging Time of Multicast Group Member This task is to manually set the aging time of the multicast group member port. If the switch receives no multicast group report message during the member port aging time, it will transmit the specific query message to that port and starts a maximum response timer. Beginning in privileged EXEC mode, follow these steps to configure Aging Time of Multicast Group Member. Command Purpose Step 1 config terminal Enter global configuration mode. Step 2 igmp-snooping timeout Configure aging time seconds Step 3 exit Return to privileged EXEC mode. Step 4 how igmp-snooping timeout Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. By default, the aging time of the multicast member is 300 seconds.

101 14..3 IGMP Snooping Configuration Example Stephen Technologies Co.,Limited Enable IGMP Snooping I. Networking requirements To implement IGMP Snooping on the switch, first enable it. The switch is connected with the router via the router port, and with user PC through the non-router ports. II. Networking diagram Figure 14-9 IGMP Snooping configuration networking III. Configuration procedure # Enable IGMP snooping on switch switch(config)#system igmp-snooping enable