Home
/
ZyXEL Communications
/
MES3500-24
/
User Manual

ZyXEL Communications MES3500-24, User Manual

Share

Page: 215 / 349

ZyXEL Communications MES3500-24 User Manual Download Page 215

Chapter 26 IP Source Guard

MES3500-24/24F User’s Guide

215

Trusted ports are connected to DHCP servers or other switches. The Switch discards DHCP packets
from trusted ports only if the rate at which DHCP packets arrive is too high. The Switch learns
dynamic bindings from trusted ports.

Note: The Switch will drop all DHCP requests if you enable DHCP snooping and there are

no trusted ports.

Untrusted ports are connected to subscribers. The Switch discards DHCP packets from untrusted
ports in the following situations:

• The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
• The source MAC address and source IP address in the packet do not match any of the current

bindings.

• The packet is a RELEASE or DECLINE packet, and the source MAC address and source port do not

match any of the current bindings.

• The rate at which DHCP packets arrive is too high.

26.1.1.2 DHCP Snooping Database

The Switch stores the binding table in volatile memory. If the Switch restarts, it loads static
bindings from permanent memory but loses the dynamic bindings, in which case the devices in the
network have to send DHCP requests again. As a result, it is recommended you configure the DHCP
snooping database.

The DHCP snooping database maintains the dynamic bindings for DHCP snooping and ARP
inspection in a file on an external TFTP server. If you set up the DHCP snooping database, the
Switch can reload the dynamic bindings from the DHCP snooping database after the Switch
restarts.

You can configure the name and location of the file on the external TFTP server. The file has the
following format:

Figure 110

DHCP Snooping Database File Format

The <initial-checksum> helps distinguish between the bindings in the latest update and the
bindings from previous updates. Each binding consists of 72 bytes, a space, and another checksum
that is used to validate the binding when it is read. If the calculated checksum is not equal to the
checksum in the file, that binding and all others after it are ignored.

<initial-checksum>

TYPE DHCP-SNOOPING

VERSION 1

BEGIN

<binding-1> <checksum-1>

<binding-2> <checksum-1-2>

...

...

<binding-n> <checksum-1-2-..-n>

END

«
...
213
214
215
216
217
...
»

Summary of Contents for MES3500-24

Page 1: ...zyxel com MES3500 24 24F Layer 2 Management Switch Copyright 2011 ZyXEL Communications Corporation Firmware Version 4 00 Edition 1 12 2011 Default Login Details IP Address http 192 168 1 1 User Name a...

Page 2: ......

Page 3: ...e web configurator Related Documentation Web Configurator Online Help The embedded Web Help contains descriptions of individual screens and supplementary information Command Reference Guide The Comman...

Page 4: ...ER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A...

Page 5: ...is device before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect it to the right supply voltage for example 110V AC in North America or 230V AC in Euro...

Page 6: ...Safety Warnings MES3500 24 24F User s Guide 6...

Page 7: ...VLAN 97 Static MAC Forward Setup 114 Static Multicast Forward Setup 116 Filtering 120 Spanning Tree Protocol 122 Bandwidth Control 141 Broadcast Storm Control 144 Mirroring 146 Link Aggregation 148 Po...

Page 8: ...ents Overview MES3500 24 24F User s Guide 8 DHCP 276 Maintenance 283 Access Control 290 Diagnostic 312 Syslog 313 Cluster Management 316 MAC Table 322 ARP Table 325 Configure Clone 327 Troubleshooting...

Page 9: ...Q VLAN Application Examples 25 1 1 5 IPv6 Support 25 1 2 Ways to Manage the Switch 26 1 3 Good Habits for Managing the Switch 26 Chapter 2 Hardware Installation and Connection 27 2 1 Installation Scen...

Page 10: ...50 5 2 Configuring Switch Management IP Address 51 Chapter 6 Tutorials 53 6 1 How to Use DHCP Snooping on the Switch 53 6 2 How to Use DHCP Relay on the Switch 56 6 2 1 DHCP Relay Tutorial Introducti...

Page 11: ...Setup 95 Chapter 9 VLAN 97 9 1 Introduction to IEEE 802 1Q Tagged VLANs 97 9 1 1 Forwarding Tagged and Untagged Frames 97 9 2 Automatic VLAN Registration 98 9 2 1 GARP 98 9 2 2 GVRP 98 9 3 Port VLAN T...

Page 12: ...1 4 Multiple RSTP 124 13 1 5 Multiple STP 124 13 2 Spanning Tree Protocol Status Screen 127 13 3 Spanning Tree Configuration 127 13 4 Configure Rapid Spanning Tree Protocol 128 13 5 Rapid Spanning Tr...

Page 13: ...2 1x Authentication 156 18 1 2 MAC Authentication 157 18 2 Port Authentication Configuration 158 18 2 1 Activate IEEE 802 1x Security 159 18 2 2 Guest VLAN 160 18 2 3 Activate MAC Authentication 162 C...

Page 14: ...23 4 Configuring VLAN Stacking 182 23 4 1 Port based Q in Q 183 23 4 2 Selective Q in Q 184 Chapter 24 Multicast 186 24 1 Multicast Overview 186 24 1 1 IP Multicast Addresses 186 24 1 2 IGMP Filterin...

Page 15: ...spection Overview 216 26 2 IP Source Guard 218 26 3 IP Source Guard Static Binding 218 26 4 DHCP Snooping 220 26 5 DHCP Snooping Configure 222 26 5 1 DHCP Snooping Port Configure 224 26 5 2 DHCP Snoop...

Page 16: ...tate 250 31 2 The PPPoE Screen 251 31 3 PPPoE Intermediate Agent 251 31 3 1 PPPoE IA Per Port 253 31 3 2 PPPoE IA Per Port Per VLAN 254 31 3 3 PPPoE IA for VLAN 256 Chapter 32 Error Disable 257 32 1 C...

Page 17: ...HCP Configuration Options 276 36 2 DHCP Status 276 36 3 DHCP Relay 277 36 3 1 DHCP Relay Agent Information 277 36 3 2 Configuring DHCP Global Relay 278 36 3 3 Global DHCP Relay Configuration Example 2...

Page 18: ...oduction to HTTPS 303 38 9 HTTPS Example 304 38 9 1 Internet Explorer Warning Messages 304 38 9 2 Mozilla Firefox Warning Messages 307 38 9 3 The Main Screen 308 38 10 Service Port Access Control 309...

Page 19: ...ARP Works 325 43 2 The ARP Table Screen 326 Chapter 44 Configure Clone 327 44 1 Configure Clone 327 Chapter 45 Troubleshooting 329 45 1 Power Hardware Connections and LEDs 329 45 2 Switch Access and L...

Page 20: ...Table of Contents MES3500 24 24F User s Guide 20...

Page 21: ...21 PART I User s Guide...

Page 22: ...22...

Page 23: ...o be managed via Telnet any terminal emulator program on the console port or third party SNMP management See Chapter 46 on page 333 for a full list of software features available on the Switch This se...

Page 24: ...multiple servers at a single location Figure 2 Bridging Application 1 1 3 High Performance Switching Example The Switch is ideal for connecting two networks that need high bandwidth In the following...

Page 25: ...used by all ports in the same VLAN as the server In the following figure only ports that need access to the server need to be part of VLAN 1 Ports can belong to other VLAN groups too Figure 4 Shared S...

Page 26: ...ent allows you to manage multiple switches through one switch called the cluster manager See Chapter 41 on page 316 1 3 Good Habits for Managing the Switch Do the following things regularly to make th...

Page 27: ...the Switch is clean and dry 2 Set the Switch on a smooth level surface strong enough to support the weight of the Switch and the connected cables Make sure there is a power outlet nearby 3 Make sure t...

Page 28: ...nstalling the unit 2 3 2 Attaching the Mounting Brackets to the Switch 1 Position a mounting bracket on one side of the Switch lining up the four screw holes on the bracket with the screw holes on the...

Page 29: ...o the Switch on one side of the rack lining up the two screw holes on the bracket with the screw holes on the side of the rack Figure 6 Mounting the Switch on a Rack 2 Using a 2 Philips screwdriver in...

Page 30: ...el of the Switch Figure 7 MES3500 24 Front Panel AC Model Figure 8 MES3500 24 Front Panel DC Model Figure 9 MES3500 24F Front Panel AC Model Fast Ethernet Ports Dual Personality Interfaces Console Por...

Page 31: ...Mbps RJ 45 Fast Ethernet Ports MES3500 24 Connect these ports to a computer a hub an Ethernet switch or router 24 100 Mbps Fast SFP Slots MES3500 24F Use transceivers in these slots for fiber optic o...

Page 32: ...the peer Ethernet port does not support auto negotiation or turns off this feature the Switch determines the connection speed by detecting the signal on the cable and using half duplex mode When the S...

Page 33: ...s to install a mini GBIC transceiver SFP module 1 Insert the transceiver into the slot with the exposed section of PCB board facing down 2 Press the transceiver firmly until it clicks into place 3 The...

Page 34: ...ing procedures to connect the Switch to a power source after you have installed it Note Check the power supply requirements in Chapter 46 on page 333 and make sure you are using an appropriate power s...

Page 35: ...on the power supply 4 Connect one end of a power wire to the Switch s 48V input pin and tighten the captive screw 5 Connect the other end of the power wire to the negative terminal on the power suppl...

Page 36: ...otal of four sensors may be connected to the Signal connector in this way using the remaining signal input pins 3 Insert the alarm connector into the Signal slot Figure 16 Connecting a Sensor to the S...

Page 37: ...tem is on and functioning properly Blinking The system is rebooting and performing self diagnostic tests Off The power is off or the system is not ready malfunctioning ALM Red On A hardware failure is...

Page 38: ...itting receiving to from a 1000 Mbps Ethernet network On The link to a 1000 Mbps Ethernet network is up Amber Blinking The system is transmitting receiving to from a 10 Mbps or a 100 Mbps Ethernet net...

Page 39: ...r Firefox 2 0 and later versions The recommended screen resolution is 1024 by 768 pixels In order to use the web configurator you need to allow Web browser pop up windows from your device Web pop up b...

Page 40: ...ed a time server nor manually entered a time and date in the General Setup screen Figure 18 Web Configurator Login 4 Click OK to view the first web configurator screen 4 3 The Web Configurator Layout...

Page 41: ...iguration file from which the Switch booted from and it stays the same even if the Switch s power is turned off See Section 37 3 on page 284 for information on saving your settings to a specific confi...

Page 42: ...age out Filtering This link takes you to a screen to set up filtering rules Spanning Tree Protocol This link takes you to screens where you can configure the RSTP MRSTP MSTP to prevent network loops B...

Page 43: ...en where you can block traffic between ports in a VLAN on the Switch IP Application Static Routing This link takes you to a screen where you can configure static routes A static route defines how the...

Page 44: ...t when the Switch s power is turned off Click the Save link in the upper right hand corner of the web configurator to save your configuration to nonvolatile memory Nonvolatile memory refers to the Swi...

Page 45: ...uration file replaces the current configuration file with the factory default configuration file This means that you will lose all previous configurations and the speed of the console port will be res...

Page 46: ...fter you finish a management session for security reasons Figure 22 Web Configurator Logout Screen 4 8 Help The web configurator s online help has descriptions of individual screens and some supplemen...

Page 47: ...Chapter 4 The Web Configurator MES3500 24 24F User s Guide 47...

Page 48: ...Chapter 4 The Web Configurator MES3500 24 24F User s Guide 48...

Page 49: ...or the initial setup Create a VLAN Set port VLAN ID Configure the Switch IP management address 5 1 1 Creating a VLAN VLANs confine broadcast frames to the VLAN group in which the port s belongs You ca...

Page 50: ...nce the VLAN2 network is connected to port 1 on the Switch select Fixed to configure port 1 to be a permanent member of the VLAN only 4 To ensure that VLAN unaware devices such as computers and hubs c...

Page 51: ...hen click the VLAN Port Setting link 2 Enter 2 in the PVID field for port 1 and click Apply to save your changes back to the run time memory Settings in the run time memory are lost when the Switch s...

Page 52: ...Basic Setting IP Setup in the navigation panel 4 Configure the related fields in the IP Setup screen 5 For the VLAN2 network enter 192 168 2 1 as the IP address and 255 255 255 0 as the subnet mask 6...

Page 53: ...server A connected to port 5 to assign IP addresses to all devices in VLAN 100 Create a VLAN containing ports 5 6 and 7 Connect a computer M to the Switch s port which is not in VLAN 100 Note For rela...

Page 54: ...s 5 6 and 7 in the VLAN by selecting Fixed in the Control field as shown Deselect Tx Tagging because you don t want outgoing traffic to contain this VLAN tag Click Add 3 Go to Advanced Application VLA...

Page 55: ...ify VLAN 100 as the DHCP VLAN as shown Click Apply 5 Click the Port link at the top right corner 6 The DHCP Snooping Port Configure screen appears Select Trusted in the Server Trusted state field for...

Page 56: ...r port 6 or 7 The computer should be able to get an IP address from the DHCP server If you put the DHCP server on port 6 or 7 the computer will not able to get an IP address 10 To check if DHCP snoopi...

Page 57: ...the system name VLAN ID and port number in the DHCP request Client A connects to the Switch s port 2 in VLAN 102 6 2 2 Creating a VLAN Follow the steps below to configure port 2 as a member of VLAN 1...

Page 58: ...N Group ID field 5 Select Fixed to configure port 2 to be a permanent member of this VLAN 6 Clear the TX Tagging check box to set the Switch to remove VLAN tags before sending 7 Click Add to save the...

Page 59: ...per right corner of the web configurator to save your configuration permanently 6 2 3 Configuring DHCP Relay Follow the steps below to enable DHCP relay on the Switch and allow the Switch to add relay...

Page 60: ...nt A s IP address If it did not receive the IP address 172 16 1 18 make sure 1 Client A is connected to the Switch s port 2 in VLAN 102 2 You configured the correct VLAN ID port number and system name...

Page 61: ...are as follows 6 3 1 Configuring Switch A 1 Click Advanced Application PPPoE Intermediate Agent Select Active then click Apply Click Port on the top of the screen Table 6 Settings in this Tutorial SWI...

Page 62: ...port 5 and enter userC as Circuit id and 00134900000A as Remote id Select Trusted for port 12 and then leave the other fields empty Click Apply Then Click Intermediate Agent on the top of the screen 3...

Page 63: ...ver are in VLAN 1 in this example Click Apply 5 Then select Yes to enable PPPoE IA in VLAN 1 and also select Circuit id and Remote id to allow the Switch to add these two strings to frames tagged with...

Page 64: ...Guide 64 1 Click Advanced Application PPPoE Intermediate Agent Select Active then click Apply Click Port on the top of the screen 2 Select Trusted for ports 11 and 12 and then click Apply Then Click I...

Page 65: ...Click VLAN on the top of the screen 4 Enter 1 for both Start VID and End VID Click Apply 5 Then select Yes to enable PPPoE IA in VLAN 1 and also select Circuit id and Remote id to allow the Switch to...

Page 66: ...equests over 100 packets per second received on a port You also want the Switch to wait for a period of time 10 minutes before resuming the port automatically after the problem s are gone Loop guard a...

Page 67: ...rt to apply the setting to all ports Then click Apply 3 Click Advanced Application Errdisable Errdisable Detect select Active for cause ARP and inactive port as the mode Then click Apply 4 Click Advan...

Page 68: ...t to ports 1 2 or 3 to a guest VLAN 200 for example before they can authenticate with the authentication server In this guest VLAN clients can surf the Internet through the default gateway attached to...

Page 69: ...Advanced Application VLAN Static VLAN 4 In the Static VLAN screen select ACTIVE enter a descriptive name VLAN 200 for example in the Name field and enter 200 in the VLAN Group ID field 5 Select Fixed...

Page 70: ...t when the Switch s power is turned off 8 Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen 9 Enter 200 in the PVID field for ports 1 2...

Page 71: ...he upper right corner of the web configurator to save your configuration permanently 6 5 2 Enabling IEEE 802 1x Port Authentication Follow the steps below to enable port authentication to validate acc...

Page 72: ...the first Active checkbox to enable 802 1x authentication on the Switch Select the Active checkboxes for ports 1 to 8 to turn on 802 1x authentication on the selected ports Click Apply 6 5 3 Enabling...

Page 73: ...icate on each of these port 5 in this example Click Apply 3 Click the Save link in the upper right corner of the web configurator to save your configuration permanently Clients that attach to port 1 2...

Page 74: ...ports 2 3 and 4 6 6 1 Creating a VLAN Follow the steps below to configure port 2 3 4 and 25 as a member of VLAN 123 1 Access the web configurator through the Switch s port which is not in VLAN 123 2 G...

Page 75: ...Tagging check box to set the Switch to remove VLAN tags before sending frames out of these ports 7 Click Add to save the settings to the run time memory Settings in the run time memory are lost when...

Page 76: ...he frames are forwarded to the VLAN group that the tag defines 10 Click Apply to save your changes back to the run time memory 11 Click the Save link in the upper right corner of the web configurator...

Page 77: ...the VLAN ID field Click Add 3 Click the Save link in the upper right corner of the web configurator to save your configuration permanently Ports 2 3 and 4 in this VLAN will be added to the isolated p...

Page 78: ...Chapter 6 Tutorials MES3500 24 24F User s Guide 78...

Page 79: ...79 PART II Technical Reference...

Page 80: ...80...

Page 81: ...home page and port details screens 7 1 Overview The home screen of the web configurator displays a port statistical summary with links to each port showing statistical details 7 2 Port Status Summary...

Page 82: ...s the STP state of the port see Section 13 1 on page 122 for more information If STP is disabled this field displays FORWARDING if the link is up otherwise it displays STOP LACP This fields displays w...

Page 83: ...7 Status Port Details The following table describes the labels in this screen Table 8 Status Port Details LABEL DESCRIPTION Port Info Port NO This field displays the port number you are viewing Name T...

Page 84: ...shows the number of good multicast packets received Broadcast This field shows the number of good broadcast packets received Pause This field shows the number of 802 3x Pause packets received TX Colli...

Page 85: ...1023 This field shows the number of packets including bad packets received that were between 512 and 1023 octets in length 1024 1518 This field shows the number of packets including bad packets receiv...

Page 86: ...om an external server when you turn on your Switch The real time is then displayed in the Switch logs The Switch Setup screen allows you to set up and configure global Switch features The IP Setup scr...

Page 87: ...to the location of the temperature sensors on the Switch printed circuit board Current This shows the current temperature at this sensor MAX This field displays the maximum temperature measured at th...

Page 88: ...e service protocol that your timeserver uses Not all time servers support all protocols so you may have to use trial and error to find a protocol that works The main differences between them are the t...

Page 89: ...mples Daylight Saving Time starts in most parts of the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the U...

Page 90: ...ed to all ports on other switches A and C including the isolated ports Smart isolation allows you to prevent isolated ports on different switches from transmitting traffic to each other After you enab...

Page 91: ...ing Switch Setup The following table describes the labels in this screen Table 11 Basic Setting Switch Setup LABEL DESCRIPTION VLAN Type Choose 802 1Q or Port Based The VLAN Setup screen changes depen...

Page 92: ...given the default priority of the ingress port Use the next fields to configure the priority level to physical queue mapping The Switch has eight physical queues that you can map to the 8 priority le...

Page 93: ...oing traffic 8 6 1 Management IP Addresses The Switch needs an IP address for it to be managed over the network The factory default in band IP address is 192 168 1 1 The subnet mask specifies the netw...

Page 94: ...rt cannot access the device To access the Switch make sure the port that you are connected to is a member of Management VLAN Apply Click Apply to save your changes to the Switch s run time memory The...

Page 95: ...BEL DESCRIPTION Port This is the port index number Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row first to set the comm...

Page 96: ...ows buffer memory causing packet discards and frame losses Flow Control is used to regulate transmission of signals to match the bandwidth of the receiving port The Switch uses IEEE802 3x flow control...

Page 97: ...t The remaining twelve bits define the VLAN ID giving a possible maximum number of 4 096 VLANs Note that user priority and VLAN ID are independent of each other A frame with VID VLAN Identifier of nul...

Page 98: ...it VLAN groups beyond the local Switch Please refer to the following table for common IEEE 802 1Q VLAN terminology Table 14 IEEE 802 1Q VLAN Terminology VLAN PARAMETER TERM DESCRIPTION VLAN Type Perma...

Page 99: ...wever with VLAN Trunking enabled on a port s in each intermediary switch you only need to create VLAN groups in the end devices A and B C D and E automatically allow frames with VLAN group tags 1 and...

Page 100: ...is is the number of VLANs configured on the Switch The Number of Search Results This is the number of VLANs that match the searching criteria and display in the list below This field displays only whe...

Page 101: ...IPTION VLAN Status Click this to go to the VLAN Status screen VID This is the VLAN identification number that was configured in the Static VLAN screen Port Number This column displays the ports that a...

Page 102: ...up for identification purposes This name consists of up to 64 printable characters spaces are allowed VLAN Group ID Enter the VLAN ID for this static entry the valid range is between 1 and 4094 Port T...

Page 103: ...ory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Clear Click Clear to start configuring the screen again VID This field displays the ID number of the VLAN...

Page 104: ...o all the ports as soon as you make them Ingress Check If this check box is selected for a port the Switch discards incoming frames for VLANs that do not include this port in its member set Clear this...

Page 105: ...ly That is video services receive the highest priority and data the lowest Figure 39 Subnet Based VLAN Application Example 9 7 Configuring Subnet Based VLAN Click Subnet Based VLAN in the VLAN Port Se...

Page 106: ...hese changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Active Check this box to...

Page 107: ...iority than ARP traffic when they go through the uplink port to a backbone switch C Figure 41 Protocol Based VLAN Application Example Add Click Add to save your changes to the Switch s run time memory...

Page 108: ...d VLAN Ethernet type Use the drop down list box to select a predefined protocol to be included in this protocol based VLAN or select Others and type the protocol number in hexadecimal notation For exa...

Page 109: ...fying this protocol based VLAN Click on any of these numbers to edit an existing protocol based VLAN Active This field shows whether the protocol based VLAN is active or not Port This field shows whic...

Page 110: ...d VLANs require allowed outgoing ports to be defined for each port Therefore if you wish to allow two subscriber ports to talk to each other for example between conference rooms in a hotel you must de...

Page 111: ...or Port Isolated from the drop down list depending on your VLAN and VLAN security requirements If VLAN members need to communicate directly with each other then select All Connected Select Port Isola...

Page 112: ...hapter 9 VLAN MES3500 24 24F User s Guide 112 The following screen shows users on a port based port isolated VLAN configuration Figure 45 Advanced Application VLAN Port Based VLAN Setup Port Isolation...

Page 113: ...at is a port through which a data packet enters If you wish to allow two subscriber ports to talk to each other you must define the ingress port for both ports The numbers in the top row denote the in...

Page 114: ...e MAC address table Static MAC addresses do not age out When you set up static MAC address rules you are setting static MAC addresses for a port This may reduce the need for broadcasting Static MAC ad...

Page 115: ...or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afres...

Page 116: ...e Static multicast addresses do not age out Static multicast forwarding allows you the administrator to forward multicast frames to a member without the member having to join the group first If a mult...

Page 117: ...ames being forwarded to ports 2 and 3 within VLAN group 4 Figure 47 No Static Multicast Forwarding Figure 48 Static Multicast Forwarding to A Single Port Figure 49 Static Multicast Forwarding to Multi...

Page 118: ...the VLAN group here If you don t have a specific target VLAN enter 1 Port Enter the port s where frames with destination MAC address that matched the entry above are forwarded You can enter multiple p...

Page 119: ...a identified VLAN group to which frames containing the specified multicast MAC address will be forwarded Delete Click Delete to remove the selected entry from the summary table Cancel Click Cancel to...

Page 120: ...PTION Active Make sure to select this check box to activate your rule You may temporarily deactivate a rule without deleting it by deselecting this check box Name Type a descriptive name up to 32 prin...

Page 121: ...the factory defaults Index This field displays the index number of the rule Click an index number to change the settings Active This field displays Yes when the rule is activated and No when is it de...

Page 122: ...eing backwards compatible with STP only aware bridges In RSTP topology change information is directly propagated throughout the network from the device that generates the topology change In STP a long...

Page 123: ...en established all bridges listen for Hello BPDUs Bridge Protocol Data Units transmitted from the root bridge If a bridge does not get a Hello BPDU after a predefined interval Max Age the bridge assum...

Page 124: ...s belong to which spanning tree Note Each port can belong to one STP tree only 13 1 5 Multiple STP Multiple Spanning Tree Protocol IEEE 802 1s is backwards compatible with STP RSTP and addresses the l...

Page 125: ...ifferent spanning trees in the network Thus traffic from the two VLANs travel on different paths The following figure shows the network example using MSTP Figure 54 MSTP Network Example 13 1 5 2 MST R...

Page 126: ...y to a region Thus an MSTI does not span across MST regions The following figure shows an example where there are two MST regions Regions 1 and 2 have 2 spanning tree instances Figure 55 MSTIs in Diff...

Page 127: ...Protocol This screen differs depending on which STP mode RSTP MRSTP or MSTP you configure on the Switch This screen is described in detail in the section that follows the configuration section for ea...

Page 128: ...ed Application Spanning Tree Protocol Configuration LABEL DESCRIPTION Spanning Tree Mode You can activate one of the STP modes on the Switch Select Rapid Spanning Tree Multiple Rapid Spanning Tree or...

Page 129: ...LAN If it is a root port a new root port is selected from among the switch ports attached to the network The allowed range is 6 to 40 seconds Forwarding Delay This is the maximum time in seconds a sw...

Page 130: ...vigation panel to save your changes to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 28 Advanced Application Spanning Tree Pro...

Page 131: ...port states Note The listening state does not exist in RSTP Cost to Bridge This is the path cost from the root port on this Switch to the root switch Port ID This is the priority and number of the po...

Page 132: ...tion about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwise temporary...

Page 133: ...ble 31 Advanced Application Spanning Tree Protocol Status MRSTP LABEL DESCRIPTION Configuration Click Configuration to specify which STP mode you want to activate Click MRSTP to edit MRSTP settings on...

Page 134: ...and number of the port on the Switch through which this Switch must communicate with the root of the Spanning Tree Topology Changed Times This is the number of times the spanning tree has been reconfi...

Page 135: ...de 135 13 8 Configure Multiple Spanning Tree Protocol To configure MSTP click MSTP in the Advanced Application Spanning Tree Protocol screen See Section 13 1 5 on page 124 for more information on MSTP...

Page 136: ...eive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a blocking state otherwis...

Page 137: ...ecides which port should be disabled when more than one port forms a loop in the Switch Ports with a higher priority numeric value are disabled first The allowed range is between 0 and 255 and the def...

Page 138: ...rt by port basis Note Changes in this row are copied to all the ports as soon as you make them Edge Select this check box to configure a port as an edge port when it is directly attached to a computer...

Page 139: ...n the Switch CST This section describes the Common Spanning Tree settings Bridge Root refers to the base of the spanning tree the root bridge Our Bridge is this Switch This Switch may also be the root...

Page 140: ...e spanning tree was last reconfigured Instance These fields display the MSTI to VLAN mapping In other words which VLANs run on each spanning tree instance Instance This field displays the MSTI ID VLAN...

Page 141: ...guaranteed bandwidth for the incoming traffic flow on a port The Peak Information Rate PIR is the maximum bandwidth allowed for the incoming traffic flow on a port when there is no network congestion...

Page 142: ...s and then make adjustments on a port by port basis Note Changes in this row are copied to all the ports as soon as you make them Ingress Rate Active Select this check box to activate commit rate limi...

Page 143: ...y The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cance...

Page 144: ...econd the subsequent packets are discarded Enable this feature to reduce broadcast multicast and or DLF packets in your network You can specify limits for each packet type on each port Click Advanced...

Page 145: ...ives per second Multicast pkt s Select this option and specify how many multicast packets the port receives per second DLF pkt s Select this option and specify how many destination lookup failure DLF...

Page 146: ...s screen to select a monitor port and specify the traffic flow to be copied to the monitor port Figure 68 Advanced Application Mirroring The following table describes the labels in this screen Table 3...

Page 147: ...mirror the traffic on a port Direction Specify the direction of the traffic to mirror by selecting from the drop down list box Choices are Egress outgoing Ingress incoming and Both Apply Click Apply t...

Page 148: ...ensures increased network stability and control over the trunk groups on your Switch See Section 17 6 on page 154 for a static port trunking example 17 2 Dynamic Link Aggregation The Switch adheres t...

Page 149: ...KEY PORT PRIORITY PORT NUMBER 0000 00 00 00 00 00 00 0000 00 0000 Table 39 Link Aggregation ID Peer Switch SYSTEM PRIORITY MAC ADDRESS KEY PORT PRIORITY PORT NUMBER 0000 00 00 00 00 00 00 0000 00 000...

Page 150: ...rce MAC address dst mac means the Switch distributes traffic based on the packet s destination MAC address src dst mac means the Switch distributes traffic based on a combination of the packet s sourc...

Page 151: ...dvanced Application Link Aggregation Link Aggregation Setting The following table describes the labels in this screen Table 41 Advanced Application Link Aggregation Link Aggregation Setting LABEL DESC...

Page 152: ...addresses Select src ip to distribute traffic based on the packet s source IP address Select dst ip to distribute traffic based on the packet s destination IP address Select src dst ip to distribute...

Page 153: ...ESCRIPTION Link Aggregation Control Protocol Note Do not configure this screen unless you want to enable dynamic link aggregation Active Select this checkbox to enable Link Aggregation Control Protoco...

Page 154: ...ges in this row are copied to all the ports as soon as you make them LACP Timeout Timeout is the time interval between the individual port exchanges of LACP packets in order to check that the peer por...

Page 155: ...gregation Setting In this screen activate trunk group T1 select the traffic distribution algorithm used by this group and select the ports that should belong to this group as shown in the figure below...

Page 156: ...col to validate users See Section 25 1 2 on page 202 for more information on configuring your RADIUS server settings Note If you enable IEEE 802 1x authentication and MAC authentication on the same po...

Page 157: ...1x Authentication Process 18 1 2 MAC Authentication MAC authentication works in a very similar way to IEEE 802 1x authentication The main difference is that the Switch does not prompt the client for l...

Page 158: ...rt authentication first activate the port authentication method s you want to use both on the Switch and the port s then configure the RADIUS server settings in the AAA Radius Server Setup screen To a...

Page 159: ...w only if you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to a...

Page 160: ...enter his or her username and password to stay connected to the port Reauth period Specify the length of time required to pass before a client has to re enter his or her username and password to stay...

Page 161: ...you want to make some settings the same for all ports Use this row first to set the common settings and then make adjustments on a port by port basis Note Changes in this row are copied to all the por...

Page 162: ...correct credential they are all put in the guest VLAN Once the first user who did authentication logs out or disconnects from the port rest of the users are blocked until a user does the authenticati...

Page 163: ...lient fails MAC authentication its MAC address is learned by the MAC address table with a status of denied The timeout period you specify here is the time the MAC address entry stays in the MAC addres...

Page 164: ...ividual ports other than the sum cannot exceed 16K For maximum port security enable this feature disable MAC address learning and configure static MAC address es for a port It is not recommended you d...

Page 165: ...k box to enable the port security feature on this port The Switch forwards packets whose MAC address es is in the MAC address table on this port Packets with no matching MAC address es are dropped Cle...

Page 166: ...h as the source address destination address source port number destination port number or incoming port number For example you can configure a classifier to select traffic from the same protocol port...

Page 167: ...ow to configure a layer 2 classifier VLAN Select Any to classify traffic from any VLAN or select the second option and specify the source VLAN ID in the field provided Priority Select Any to classify...

Page 168: ...e IP Address Address Prefix Enter a source IP address in dotted decimal notation Specify the address prefix by entering the number of ones in the subnet mask Socket Number Note You must select either...

Page 169: ...Active This field displays Yes when the rule is activated and No when it is deactivated Name This field displays the descriptive name for this rule This is for identification purposes only Rule This...

Page 170: ...nfiguring a classifier that identifies all traffic from MAC address 00 50 ba ad 4f 81 on port 2 Figure 84 Classifier Example After you have configured a classifier you can configure a policy to define...

Page 171: ...ry flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going 21 1 2 DSCP and Per Hop Behavior DiffServ defines a new DS Differenti...

Page 172: ...RIPTION Active Select this option to enable the policy Name Enter a descriptive name for identification purposes Classifier s This field displays the active classifier s you configure in the Classifie...

Page 173: ...ated queue Select Replace the 802 1p priority field with the IP TOS value and send the packet to priority queue to replace the packet s 802 1p priority field with the value you set in the TOS field Th...

Page 174: ...ing table describes the labels in this screen Table 52 Policy Summary Table LABEL DESCRIPTION Index This field displays the policy index number Click an index number to edit the policy Active This fie...

Page 175: ...de 175 21 4 Policy Example The figure below shows an example Policy screen where you configure a policy to limit bandwidth on a traffic flow classified using the Example classifier refer to Section 20...

Page 176: ...st When that queue empties traffic on the next highest priority queue Q6 is transmitted until Q6 empties and then traffic is transmitted on Q5 and so on If higher priority queues never empty then traf...

Page 177: ...looping fashion until a queue is empty Weighted Round Robin Scheduling WRR uses the same algorithm as round robin scheduling but services queues based on their priority and queue weight the number you...

Page 178: ...e in the Weight field Queues with larger weights get more guaranteed bandwidth than queues with smaller weights Weighted Round Robin Scheduling services queues on a rotating basis based on their queue...

Page 179: ...up to 4 094 customer VLANs This allows a service provider to provide different service based on specific VLANs for many different customers A service provider s customers may require a range of VLANs...

Page 180: ...switching Select Access Port for ingress ports on the service provider s edge devices 1 and 2 in the VLAN stacking example figure The incoming frame is treated as untagged so a second VLAN tag outer V...

Page 181: ...n the Switch then the Switch will not add the tag Priority refers to the IEEE 802 1p standard that allows the service provider to prioritize traffic based on the class of service CoS the customer has...

Page 182: ...d Select Access Port to have the Switch add the SP TPID tag to all incoming frames received on this port Select Access Port for ingress ports at the edge of the service provider s network Select Tunne...

Page 183: ...begin configuring this screen afresh Table 57 Advanced Application VLAN Stacking continued LABEL DESCRIPTION Table 58 Advanced Application VLAN Stacking Port based QinQ LABEL DESCRIPTION Port The port...

Page 184: ...ame Enter a descriptive name up to 32 printable ASCII characters for identification purposes Port The port number identifies the port you are configuring CVID Enter a customer VLAN ID the inner VLAN t...

Page 185: ...tomer VLAN ID in the incoming packets SPVID This is the service provider s VLAN ID that adds to the packets from the subscribers Priority This is the service provider s priority level in the packets D...

Page 186: ...oses see the IANA website for more information 24 1 2 IGMP Filtering With the IGMP filtering feature you can control which IGMP groups a subscriber on a port can join This allows you to control the di...

Page 187: ...es not learn multicast group membership of any VLANs other than those explicitly added as an IGMP snooping VLAN 24 2 Multicast Status Click Advanced Applications Multicast to display the screen as sho...

Page 188: ...hat are members of that group Querier Select this option to allow the Switch to send IGMP General Query messages to the VLANs with the multicast hosts attached Host Timeout Specify the time from 1 to...

Page 189: ...ost connected to this port Normal Leave Enter an IGMP normal leave timeout value from 200 to 6 348 800 in miliseconds Select this option to have the Switch use this timeout to update the forwarding ta...

Page 190: ...connected to an IGMP multicast router or server The Switch forwards IGMP join or leave packets to an IGMP query port Select Auto to have the Switch use the port as an IGMP query port if the port recei...

Page 191: ...witch can learn up to 16 VLANs including up to five VLANs you configured in the MVR screen For example if you have configured one multicast VLAN in the MVR screen you can only specify up to 15 VLANs i...

Page 192: ...ulticast Setting IGMP Filtering Profile Add Click Add to insert the entry in the summary table below and save your changes to the Switch s run time memory The Switch loses these changes if it is turne...

Page 193: ...ame and specify a different IP multicast address range Start Address Type the starting multicast IP address for a range of multicast IP addresses that you want to belong to the IGMP filter profile End...

Page 194: ...mpatible mode the Switch does not send any IGMP reports In this case you must manually configure the forwarding settings on the multicast devices in the multicast VLAN 24 6 3 How MVR Works The followi...

Page 195: ...m the forwarding table Figure 98 MVR Multicast Television Example 24 7 General MVR Configuration Use the MVR screen to create multicast VLANs and select the receiver port s and a source port for each...

Page 196: ...tion purposes Multicast VLAN ID Enter the VLAN ID 1 to 4094 of the multicast VLAN 802 1p Priority Select a priority level 0 7 with which the Switch replaces the priority in outgoing IGMP control packe...

Page 197: ...outgoing frames transmitted Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigat...

Page 198: ...to Section 24 1 1 on page 186 for more information on IP multicast addresses End Address Enter the ending IP multicast address of the multicast group in dotted decimal notation Enter the same IP addr...

Page 199: ...VLAN 1 are able to receive the traffic Figure 101 MVR Configuration Example To configure the MVR settings on the Switch create a multicast group in the MVR screen and set the receiver and source ports...

Page 200: ...o the subscribers configure multicast group settings in the Group Configuration screen The following figure shows an example where two multicast groups News and Movie are configured for the multicast...

Page 201: ...itch itself or it can use an external server to authorize a large number of users Accounting is the process of recording what a user is doing The Switch can use an external server to track when users...

Page 202: ...Switch First configure your authentication and accounting server settings RADIUS TACACS or both and then set up the authentication priority activate authorization and configure accounting settings Cl...

Page 203: ...the second RADIUS server Select round robin to alternate between the RADIUS servers that it sends authentication requests to Timeout Specify the amount of time in seconds that the Switch waits for an...

Page 204: ...erver Index This is a read only number representing a RADIUS accounting server entry IP Address Enter the IP address of an external RADIUS accounting server in dotted decimal notation UDP Port The def...

Page 205: ...h tries to authenticate with the first configured TACACS server if the TACACS server does not respond then the Switch tries to authenticate with the second TACACS server Select round robin to alternat...

Page 206: ...nds that the Switch waits for an accounting request response from the TACACS server Index This is a read only number representing a TACACS accounting server entry IP Address Enter the IP address of an...

Page 207: ...Switch management Configure the access privilege of accounts via commands see the Ethernet Switch CLI Reference Guide for local authentication The TACACS and RADIUS are external servers Before you sp...

Page 208: ...er Active Select this to activate authorization for a specified event types Method Select whether you want to use RADIUS or TACACS for authorization of specific types of events RADIUS is the only meth...

Page 209: ...r users authenticating via the RADIUS server Mode The Switch supports two modes of recording login events Select start stop to have the Switch send information to the accounting server when a user beg...

Page 210: ...ed on the RADIUS server This section lists the RADIUS attributes supported by the Switch Table 70 Supported VSAs FUNCTION ATTRIBUTE Ingress Bandwidth Assignment Vendor Id 890 Vendor Type 1 Vendor data...

Page 211: ...erver when performing authentication 25 3 1 1 Attributes Used for Authenticating Privilege Access User Name the format of the User Name attribute is enab where is the privilege level 1 14 User Passwor...

Page 212: ...that they are sent the difference between Console and Telnet SSH Exec events is that the Telnet SSH events utilize the Calling Station Id attribute Table 72 RADIUS Attributes Exec Events via Console...

Page 213: ...74 RADIUS Attributes Exec Events via Console ATTRIBUTE START INTERIM UPDATE STOP User Name NAS IP Address NAS Port Class Called Station Id Calling Station Id NAS Identifier NAS Port Type Acct Status...

Page 214: ...rd consists of the following features Static bindings Use this to create static bindings in the binding table DHCP snooping Use this to filter unauthorized DHCP packets on the network and to build the...

Page 215: ...Switch restarts it loads static bindings from permanent memory but loses the dynamic bindings in which case the devices in the network have to send DHCP requests again As a result it is recommended yo...

Page 216: ...configure this setting for each source VLAN This setting is independent of the DHCP relay settings Chapter 36 on page 276 26 1 1 4 Configuring DHCP Snooping Follow these steps to configure DHCP snoopi...

Page 217: ...port or an untrusted port for ARP inspection This setting is independent of the trusted untrusted setting for DHCP snooping You can also specify the maximum rate at which the Switch receives ARP pack...

Page 218: ...n one static binding If you try to create a static binding with the same MAC address and VLAN Table 75 IP Source Guard LABEL DESCRIPTION Index This field displays a sequential number for each binding...

Page 219: ...to create the specified static binding or to update an existing one Cancel Click this to reset the values above based on the last selected static binding or if not applicable to clear the fields abov...

Page 220: ...IP Source Guard DHCP Snooping Figure 114 DHCP Snooping The following table describes the labels in this screen Table 77 DHCP Snooping LABEL DESCRIPTION Database Status This section displays the curren...

Page 221: ...updated the DHCP snooping database unsuccessfully Last failed reason This field displays the reason the Switch updated the DHCP snooping database unsuccessfully This section displays historical infor...

Page 222: ...bindings the Switch ignored because the lease time had already expired Unsupported vlans This field displays the number of bindings the Switch ignored because the VLAN ID does not exist anymore Last...

Page 223: ...guish between DHCP requests from different VLAN Select Disable if you do not want the Switch to forward DHCP packets to a specific VLAN Database If Timeout interval is greater than Write delay interva...

Page 224: ...Switch to load it You can use this to load dynamic bindings from a different DHCP snooping database than the one specified in Agent URL When the Switch loads dynamic bindings from a DHCP snooping data...

Page 225: ...nected to subscribers and the Switch discards DHCP packets from untrusted ports in the following situations The packet is a DHCP server packet for example OFFER ACK or NACK The source MAC address and...

Page 226: ...to DHCP requests that it broadcasts to the DHCP VLAN if specified or VLAN You can specify the DHCP VLAN in the DHCP Snooping Configure screen See Section 26 5 on page 222 Information Select this to h...

Page 227: ...and click Delete to remove the specified entry Delete Click this to remove the selected entries Cancel Click this to clear the Delete check boxes above Table 81 ARP Inspection Status continued LABEL D...

Page 228: ...us table Click Apply to remove all the log messages that were generated by ARP packets and that have not been sent to the syslog server yet Total number of logs This field displays the number of log m...

Page 229: ...ing with the same MAC address and VLAN ID static deny An ARP packet was discarded because it violated a static binding with the same MAC address and VLAN ID deny An ARP packet was discarded because th...

Page 230: ...re dropped due to unavailable buffer Click Clearing log status table in the ARP Inspection Log Status screen to clear the log and reset this counter See Section 26 6 2 on page 228 Syslog rate Type the...

Page 231: ...trusted ports Limit Rate and Burst Interval settings have no effect on trusted ports Rate pps Specify the maximum rate 1 2048 packets per second at which the Switch receives ARP packets from each port...

Page 232: ...splays the VLAN ID of each VLAN in the range specified above If you configure the VLAN the settings are applied to all VLANs Enabled Select Yes to enable ARP inspection on the VLAN Select No to disabl...

Page 233: ...problems on the edge of your network This can occur when a port is connected to a Switch that is in a loop state Loop state occurs as a result of human error It happens when two ports on a switch are...

Page 234: ...rd enabled port N on switch A sending a probe packet P to switch B Since switch B is in loop state the probe packet P returns to port N on A The Switch then shuts down port N to ensure that the rest o...

Page 235: ...anced Application Loop Guard LABEL DESCRIPTION Active Select this option to enable loop guard on the Switch The Switch generates syslog internal log messages as well as SNMP traps when it shuts down a...

Page 236: ...y The Switch loses these changes if it is turned off or loses power so use the Save link on the top navigation panel to save your changes to the non volatile memory when you are done configuring Cance...

Page 237: ...nabled the Switch forwards the tagged packets according to its VLAN tag that do not match an entry in the VLAN mapping table If the incoming packets are untagged the Switch adds a PVID based on the VL...

Page 238: ...he setting the same for all ports Use this row first and then make adjustments on a port by port basis Changes in this row are copied to all the ports as soon as you make them Active Select this check...

Page 239: ...level that replaces the customer priority level in the tagged packets or adds to the untagged packets Add Click Add to insert the entry in the summary table below and save your changes to the Switch s...

Page 240: ...Chapter 28 VLAN Mapping MES3500 24 24F User s Guide 240...

Page 241: ...customer switches A B and C in the following figure connected through the service provider s network The edge switch encapsulates layer 2 protocol packets with a specific MAC address before sending t...

Page 242: ...er 2 protocol tunneling modes Access and Tunnel The Access port is an ingress port on the service provider s edge device 1 or 2 in Figure 133 on page 242 and connected to a customer switch A or B Inco...

Page 243: ...acing the destination MAC address in the packets Note The MAC address can be either a unicast MAC address or multicast MAC address If you use a unicast MAC address make sure the MAC address does not e...

Page 244: ...ption to have the Switch send LACP packets to a peer to dynamically creates and manages trunk groups UDLD Select this option to have the Switch send UDLD packets to a peer s port it connected to monit...

Page 245: ...ow agent then creates sFlow data and sends it to an sFlow collector The sFlow collector is a server that collects and analyzes sFlow datagram An sFlow datagram includes packet header input and output...

Page 246: ...on volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Port This field displays the port number Use this row to make the setting the same for all...

Page 247: ...o allow incoming traffic if the collector is behind a firewall Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power...

Page 248: ...This field displays IP address of the sFlow collector UDP Port This field displays port number the Switch uses to send sFlow datagram to the collector Delete Check the rule s that you want to remove i...

Page 249: ...oE Active Discovery Initialization and PADR PPPoE Active Discovery Request packets from PPPoE clients This tag is defined in RFC 2516 and has the following format for this feature The Tag_Type is 0x01...

Page 250: ...long to VLAN 123 31 1 2 2 WT 101 Default Circuit ID Syntax If you do not configure a Circuit ID string for a specific VLAN on a port or for a specific port and disable the flexible Circuit ID syntax i...

Page 251: ...ed to subscribers If a PADI PADR or PADT packet is sent from a PPPoE client and received on an untrusted port the Switch adds a vendor specific tag to the packet and then forwards it to the trusted po...

Page 252: ...over this That means if you also want to configure PPPoE IA Per Port or Per Port Per VLAN setting leave the fields here empty and configure circuit id and remote id in the Per Port or Per Port Per VLA...

Page 253: ...escribes the labels in this screen Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the...

Page 254: ...untrusted port Circuit id Enter a string of up to 63 ASCII characters that the Switch adds into the Agent Circuit ID sub option for PPPoE discovery packets received on this port Spaces are allowed Th...

Page 255: ...tings are applied to all VLANs Use this row to make the setting the same for all VLANs Use this row first and then make adjustments on a VLAN by VLAN basis Note Changes in this row are copied to all t...

Page 256: ...ck Apply to display the specified range of VLANs in the section below VID This field displays the VLAN ID of each VLAN in the range specified above If you configure the VLAN the settings are applied t...

Page 257: ...lows you to limit the rate of ARP BPDU and IGMP packets to be delivered to the CPU on a port This enhances the CPU efficiency and protects against potential DoS attacks or errors from other network s...

Page 258: ...figuration Use this screen to limit the maximum number of control packets ARP BPDU and or IGMP that the Switch can receive or transmit on a port Click the Click Here link next to CPU protection in the...

Page 259: ...you make them Rate Limit pkt s Enter a number from 0 to 256 to specify how many control packets this port can receive or transmit per second 0 means no rate limit You can configure the action that th...

Page 260: ...rt rate limitation The Switch drops the additional control packets the port has to handle in every one second Apply Click Apply to save your changes to the Switch s run time memory The Switch loses th...

Page 261: ...nter the number of seconds from 30 to 2592000 for the time interval Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses p...

Page 262: ...ys in the promiscuous port list A promiscuous port can communicate with any port in the same VLAN An isolated port can communicate with the promiscuous port s only Note You can have up to one private...

Page 263: ...Add to insert the entry in the summary table below and save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the...

Page 264: ...Chapter 33 Private VLAN MES3500 24 24F User s Guide 264...

Page 265: ...h the default gateway The Switch can also use static routes to send data to a server or device that is not reachable through the default gateway for example when sending SNMP traps or using ping to te...

Page 266: ...the gateway The gateway is an immediate neighbor of your Switch that will forward the packet to the destination The gateway must be a router on the same segment as your Switch Metric The metric repres...

Page 267: ...lays the subnet mask for this destination Gateway Address This field displays the IP address of the gateway The gateway is an immediate neighbor of your Switch that will forward the packet to the dest...

Page 268: ...ffServ defines a new DS Differentiated Services field to replace the Type of Service ToS field in the IP header The DS field contains a 6 bit DSCP field which can define up to 64 service levels and th...

Page 269: ...ets are admitted to the network The PIR is greater than or equal to the CIR CIR and PIR values are based on the guaranteed and maximum bandwidth respectively as negotiated between a service provider a...

Page 270: ...w can only be marked with an equal or higher packet loss priority Packets marked red high packet loss priority continue to be red without evaluation against the PIR or CIR Packets marked yellow can on...

Page 271: ...Switch Port This field displays the index number of a port on the Switch Settings in this row apply to all ports Use this row only if you want to make some settings the same for all ports Use this row...

Page 272: ...high loss priority colored packets Mode Select color blind to have the Switch treat all incoming packets as uncolored All incoming packets are evaluated against the CIR and PIR Select color aware to t...

Page 273: ...o the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 108 IP Application DiffServ 2 rate 3 Color Marker continued LABEL DESCRIPTION...

Page 274: ...erv DSCP Setting Green This field displays the DSCP value to use for packets with low packet loss priority in this profile Yellow This field displays the DSCP value to use for packets with medium pack...

Page 275: ...ication number To set the IEEE 802 1p priority mapping select the priority level from the drop down list box Apply Click Apply to save your changes to the Switch s run time memory The Switch loses the...

Page 276: ...s If there is already a DHCP server on your network then you can configure the Switch as a DHCP relay agent When the Switch receives a request from a computer on your network it contacts the DHCP serv...

Page 277: ...the requests The DHCP server can then provide an IP address based on this information Please refer to RFC 3046 for more details The DHCP Relay Agent Information feature adds an Agent Information fiel...

Page 278: ...ion Relay Agent Information Select the Option 82 check box to have the Switch add information slot number port number and VLAN ID to client DHCP requests that it relays to a DHCP server Information Th...

Page 279: ...es the DHCP clients in both domains Figure 161 Global DHCP Relay Network Example Configure the DHCP Relay screen as shown Make sure you select the Option 82 check box to set the Switch to send additio...

Page 280: ...ion Relay Agent Information Select the Option 82 check box to have the Switch add information slot number port number and VLAN ID to client DHCP requests that it relays to a DHCP server Information Th...

Page 281: ...1 100 Requests from the academic buildings VLAN 2 are sent to the other DHCP server with an IP address of 172 16 10 100 Figure 164 DHCP Relay for Two VLANs For the example network configure the VLAN...

Page 282: ...Chapter 36 DHCP MES3500 24 24F User s Guide 282...

Page 283: ...re Upgrade Click Click Here to go to the Firmware Upgrade screen Restore Configuration Click Click Here to go to the Restore Configuration screen Backup Configuration Click Click Here to go to the Bac...

Page 284: ...dress of your computer to be in the same subnet as that of the default Switch IP address 192 168 1 1 37 3 Save Configuration Click Config 1 to save the current configuration settings permanently to Co...

Page 285: ...uploaded to the current image See Section 37 8 on page 287 for more information about images and uploading firmware to a different image Be sure to upload the correct model firmware as uploading the...

Page 286: ...atically renamed when you restore using this screen 37 7 Backup a Configuration File Backing up your Switch configurations allows you to create various snap shots of your device from which you may res...

Page 287: ...0 and ras 1 You can switch from one to the other by using the boot image index command where index is 1 ras 0 or 2 ras 1 See the CLI Reference Guide for more information about using commands The syst...

Page 288: ...computer and renames it to config cfg See Table 117 on page 287 for more information on filename conventions 7 Enter quit to exit the ftp prompt 37 8 3 GUI based FTP Clients The following table descri...

Page 289: ...7 Maintenance MES3500 24 24F User s Guide 289 The IP address es in the Remote Management screen does not match the client IP address If it does not match the Switch will disconnect the FTP session imm...

Page 290: ...tion on disabling multi login 38 2 The Access Control Main Screen Click Management Access Control in the navigation panel to display the main screen as shown Figure 172 Management Access Control 38 3...

Page 291: ...ents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns res...

Page 292: ...ch The OIDs beginning with 1 3 6 1 4 1 890 1 5 8 57 are specific to the MES3500 24F switch Table 120 SNMP System Traps OPTION OBJECT LABEL OBJECT ID DESCRIPTION coldstart coldStart 1 3 6 1 6 3 1 1 5 1...

Page 293: ...30 4 1 This trap is sent when an error is detected on a port such as a loop occurs or the rate limit for specific control packets is exceeded errdisableRecoveryTrap 1 3 6 1 4 1 890 1 5 8 68 130 4 2 1...

Page 294: ...due to incorrect user name and or password RADIUSNotReachableEventOn 1 3 6 1 4 1 890 1 5 8 68 27 2 1 1 3 6 1 4 1 890 1 5 8 57 27 2 1 This trap is sent when there is no response message from the RADIU...

Page 295: ...57 36 2 2 This trap is sent when the MRSTP topology changes MSTPTopologyChange 1 3 6 1 4 1 890 1 5 8 68 107 70 2 1 3 6 1 4 1 890 1 5 8 57 107 70 2 This trap is sent when the MSTP root switch changes...

Page 296: ...ote SNMP version 2c is backwards compatible with SNMP version 1 Get Community Enter the Get Community string which is the password for the incoming Get and GetNext requests from the management station...

Page 297: ...to the non volatile memory when you are done configuring Cancel Click Cancel to begin configuring this screen afresh Table 125 Management Access Control SNMP continued LABEL DESCRIPTION Table 126 Man...

Page 298: ...rol SNMP Trap Group continued LABEL DESCRIPTION Table 127 Management Access Control SNMP User LABEL DESCRIPTION User Information Note Use the username and password of the login accounts you specify in...

Page 299: ...tem configuration including the management of administrator accounts readwrite Members of this group have read and write rights meaning that the user can create and edit the MIBs on the Switch except...

Page 300: ...trator account with the admin user name You cannot change the default administrator user name Only the administrator has read write access Old Password Type the existing system password 1234 is the de...

Page 301: ...etween two hosts over an unsecured network Figure 178 SSH Communication Example Apply Click Apply to save your changes to the Switch s run time memory The Switch loses these changes if it is turned of...

Page 302: ...ds the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2...

Page 303: ...transferred data authentication one party can identify the other party and data integrity you know if data has been changed It relies upon certificates public keys and private keys HTTPS on the Switch...

Page 304: ...ere Switch IP Address is the IP address or domain name of the Switch you wish to access 38 9 1 Internet Explorer Warning Messages 38 9 1 1 Internet Explorer 6 When you attempt to access the Switch HTT...

Page 305: ...icate may display If that is the case click Continue to this website not recommended to proceed to the web configurator login screen Figure 182 Security Certificate Warning Internet Explorer 7 or 8 Af...

Page 306: ...r 38 Access Control MES3500 24 24F User s Guide 306 Click Install Certificate and follow the on screen instructions to install the certificate in your browser Figure 184 Certificate Internet Explorer...

Page 307: ...2 Mozilla Firefox Warning Messages When you attempt to access the Switch HTTPS server a This Connection is Unstructed screen may display If that is the case click I Understand the Risks and then the...

Page 308: ...tion to proceed to the web configurator login screen Figure 186 Security Alert Mozilla Firefox 38 9 3 The Main Screen After you accept the certificate and enter the login username and password the Swi...

Page 309: ...r 7 or 8 denotes a secure connection Figure 187 Example Lock Denoting a Secure Connection 38 10 Service Port Access Control Service Access Control allows you to decide what services you may use to acc...

Page 310: ...ch Service Port For Telnet SSH FTP HTTP or HTTPS services you may change the default service port by typing the new port number in the Server Port field If you change the default port number then you...

Page 311: ...ient set Clear the check box if you wish to temporarily disable the set without deleting it Start Address End Address Configure the IP address range of trusted computers from which you can manage this...

Page 312: ...llowing table describes the labels in this screen Table 131 Management Diagnostic LABEL DESCRIPTION System Log Click Display to display a log of events in the multi line text box Click Clear to empty...

Page 313: ...message has a facility and severity level The syslog facility identifies a file in the syslog server Refer to the documentation of your syslog program for details The following table describes the sy...

Page 314: ...setting Logging Type This column displays the names of the categories of logs that the device can generate Active Select this option to set the device to generate logs for the corresponding category F...

Page 315: ...umber the more critical the logs are Add Click Add to save your changes to the Switch s run time memory The Switch loses these changes if it is turned off or loses power so use the Save link on the to...

Page 316: ...with one another In the following example switch A in the basement is the cluster manager and the other switches on the upper floors of the building are cluster members Figure 193 Clustering Applicat...

Page 317: ...switch s hardware MAC address The Number of Member This field displays the number of switches that make up this cluster The following fields describe the cluster member switches Index You can manage c...

Page 318: ...h through the cluster manager switch as shown in the following example Figure 196 Example Uploading Firmware to a Cluster Member Switch example example C ftp 192 168 1 1 Connected to 192 168 1 1 220 S...

Page 319: ...gurator password default is 1234 ls Enter this command to list the name of cluster member switch s firmware and configuration file 400AABB0B1 bin This is the name of the firmware file you want to uplo...

Page 320: ...SCRIPTION Clustering Manager Active Select Active to have this Switch become the cluster manager switch A cluster can only have one manager Other directly connected switches that are set to be cluster...

Page 321: ...in the Clustering Candidate list and then enter its web configurator password If that switch administrator changes the web configurator password afterwards then it cannot be managed from the Cluster M...

Page 322: ...mine how to forward frames See the following figure 1 The Switch examines a received frame and learns the port on which this source MAC address came 2 The Switch checks to see if the frame s destinati...

Page 323: ...tatic to display the MAC entries manually configured on the Switch Select MAC and enter a MAC address in the field provided to display a specified MAC entry Select VID and enter a VLAN ID in the field...

Page 324: ...ring entries These entries will then display only in the Filtering screen and the default filtering action is Discard source Cancel Click Cancel to change the fields back to their last saved values In...

Page 325: ...itch s ARP program looks in the ARP Table and if it finds the address sends it to the device If no entry is found for the IP address ARP broadcasts the request to all the devices on the LAN The Switch...

Page 326: ...IP address Select Port and enter a port number to remove the dynamic entries learned on the specified port Flush Click Flush to remove the ARP entries according to the condition you specified Cancel C...

Page 327: ...you can copy the settings of one port onto other ports 44 1 Configure Clone Cloning allows you to copy the basic and advanced settings from a source port to a destination port or ports Click Manageme...

Page 328: ...2 4 6 indicates that ports 2 4 and 6 are the destination ports 2 6 indicates that ports 2 through 6 are the destination ports Basic Setting Select which port settings you configured in the Basic Sett...

Page 329: ...th the Switch 3 Make sure the power adaptor or cord is connected to the Switch and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the Switch off and on in DC...

Page 330: ...AC DC models 6 If the problem continues contact the vendor 45 2 Switch Access and Login I forgot the IP address for the Switch 1 The default management IP address is 192 168 1 1 2 Use the console port...

Page 331: ...ess the Switch check the remote management settings to find out why the Switch does not respond to HTTP I can see the Login screen but I cannot log in to the Switch 1 Make sure you have entered the us...

Page 332: ...o check for unauthorized access to your Switch To avoid unauthorized access configure the secured client setting in the Management Access Control Remote Management screen for telnet HTTP and SSH see S...

Page 333: ...cations that use this service or the situations in which this service is used Table 142 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Authenticat...

Page 334: ...rk environments NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service PING User Defined 1 Packet INternet Groper is a protocol that sends out ICMP ech...

Page 335: ...ote Login Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller...

Page 336: ...Appendix A Common Services MES3500 24 24F User s Guide 336...

Page 337: ...em is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners Certi...

Page 338: ...duct on the ZyXEL home page to go to that product s page 3 Select the certification you wish to view from this page ZyXEL Limited Warranty ZyXEL warrants to the original end user purchaser that this p...

Page 339: ...horization number RMA Products must be returned Postage Prepaid It is recommended that the unit be insured when shipped Any returned products without proof of purchase or those with an out dated warra...

Page 340: ...ALIANO NEDERLANDS D claration de Produit Green Directive RoHS 2002 95 EC Dichiarazione Green Product Direttiva RoHS 2002 95 CE Productmilieuverklaring RoHS richtlijn 2002 95 EC Directive DEEE 2002 96...

Page 341: ...7 authentication and RADIUS 202 setup 207 authorization privilege levels 209 setup 207 auto crossover 32 automatic VLAN registration 98 B back up configuration file 286 basic settings 86 basic setup t...

Page 342: ...276 relay agent 276 relay example 281 setup 280 DHCP Dynamic Host Configuration Protocol 276 DHCP relay option 82 216 DHCP snooping 53 214 configuring 216 DHCP relay option 82 216 trusted ports 215 u...

Page 343: ...ardware overview 30 hello time 136 hops 136 HTTPS 303 certificates 303 implementation 303 public keys private keys 303 HTTPS example 304 I IEEE 802 1p priority 92 IEEE 802 1x activate 159 162 205 reau...

Page 344: ...233 how it works 234 port shut down 235 probe packet 234 loop guard vs STP 233 M MAC Media Access Control 87 MAC address 87 325 maximum number per port 165 MAC address learning 91 105 108 114 165 spec...

Page 345: ...See MSTP 122 Multiple STP 124 Multiple STP see MSTP 124 MVR 193 configuration 195 group configuration 197 network example 193 MVR Multicast VLAN Registration 193 N network applications 23 network man...

Page 346: ...ocols 106 108 isolate traffic 107 priority 106 108 PVID 97 104 PVID Priority Frame 97 Q QoS and classifier 166 queue weight 177 queuing 176 SPQ 177 WRR 177 queuing method 176 178 R rack mounting 27 RA...

Page 347: ...114 static multicast address 116 static multicast forwarding 116 static routes 267 static trunking example 154 Static VLAN 102 static VLAN control 102 tagging 103 status 81 link aggregation 149 port 8...

Page 348: ...UDLD 244 UniDirectional Link Detection see UDLD untrusted ports ARP inspection 217 DHCP snooping 215 PPPoE IA 251 user profiles 201 V Vendor Specific Attribute See VSA ventilation 27 VID 97 100 101 1...

Page 349: ...l based VLAN VLAN subnet based See subnet based VLANs 104 VSA 209 VT100 31 VTP 244 W warranty 338 note 339 web configurator 39 getting help 46 layout 40 login 39 logout 46 navigation panel 41 weight q...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands