GS2200-24
Intelligent Layer 2 GbE Switch

Default Login Details
IP Address: http://192.168.1.1
User Name: admin
Password: 1234

Firmware Version 3.90
Edition 1, 6/2009
www.zyxel.
About This User's Guide

Intended Audience
This manual is intended for people who want to configure the Switch using the web configurator.

Related Documentation
• Command Line Interface (CLI) Reference Guide
The Command Reference Guide explains how to use the Command-Line Interface (CLI) and CLI commands to configure the Switch.
• Web Configurator Online Help
The embedded Web Help contains descriptions of individual screens and supplementary information.
• Download Library
Search for the latest product updates and documentation from this link. Read the Tech Doc Overview to find out how to efficiently use the User Guide, Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product.
• Knowledge Base
If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products.
Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
• The GS2200-24 may be referred to as the “Switch”, the “device”, the “system” or the “product” in this User’s Guide.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The Switch icon is not an exact representation of your device.
Safety Warnings

• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Do not obstruct the device ventilation slots as insufficient airflow may harm your device.
• Connect ONLY suitable accessories to the device.
Contents Overview

Introduction and Hardware
Getting to Know Your Switch
Hardware Installation and Connection
Hardware Panels

DHCP
Management
Maintenance
Access Control
Table of Contents

About This User's Guide
Document Conventions
Safety Warnings
Contents Overview

3.2.4 Power Connector
3.3 LEDs
Part II: Basic Configuration
Chapter 4 The Web Configurator

Chapter 8 Basic Setting
8.1 Overview
8.2 What You Can Do
8.3 System Information
8.4 General Setup

10.1 Overview
10.2 What You Can Do
10.3 Configuring Static MAC Forwarding
Chapter 11 Static Multicast Forward Setup

14.1 Bandwidth Control Overview
14.2 What You Can Do
14.3 Bandwidth Control Setup
Chapter 15 Broadcast Storm Control

Chapter 20 Classifier
20.1 Overview
20.2 What You Can Do
20.3 What You Need to Know

24.2 What You Can Do
24.3 What You Need to Know
24.3.1 IP Multicast Addresses
24.3.2 IGMP Snooping

26.12.1 DHCP Snooping Overview
26.12.2 ARP Inspection Overview
Chapter 27 Loop Guard
27.1 Overview

31.3 What You Need to Know
31.3.1 DHCP Modes
31.3.2 DHCP Configuration Options
31.3.3 DHCP Relay

33.9 Technical Reference
33.9.1 About SNMP
33.9.2 SSH Overview
33.9.3 Introduction to HTTPS

39.2 Configure Clone
Part VI: Troubleshooting & Product Specifications
Chapter 40 Troubleshooting
40.1 Power, Hardware Connections, and LEDs
40.
PART I
Introduction and Hardware

Getting to Know Your Switch
Hardware Installation and Connection
Hardware Panels
CHAPTER 1
Getting to Know Your Switch

1.1 Introduction
This chapter introduces the main features and applications of the Switch.
The Switch is a layer-2 standalone Ethernet switch with additional layer-2, layer-3, and layer-4 features suitable for Ethernets. The Switch has twenty-four 10/100/1000 Mbps Ethernet ports. It also has four GbE dual personality interfaces with each interface comprising one mini-GBIC slot and one 100/1000 Mbps RJ-45 port, with either port or slot active at a time.
In this example, all computers can share high-speed applications on the server. To expand the network, simply add more networking devices such as switches, routers, computers, print servers etc.
Figure 1 Backbone Application

1.1.2 Bridging Example
In this example, the Switch connects different company departments (RD and Sales) to the corporate backbone. It can alleviate bandwidth contention and eliminate server and network bottlenecks.
1.1.3 High Performance Switching Example
The Switch is ideal for connecting two networks that need high bandwidth. In the following example, use trunking to connect these two networks.
Switching to higher-speed LANs such as ATM (Asynchronous Transmission Mode) is not feasible for most people due to the expense of replacing all existing Ethernet cables and adapter cards, restructuring your network and complex maintenance.
Shared resources such as a server can be used by all ports in the same VLAN as the server. In the following figure only ports that need access to the server need to be part of VLAN 1. Ports can belong to other VLAN groups too.
Figure 4 Shared Server Using VLAN Example

1.2 Ways to Manage the Switch
Use any of the following methods to manage the Switch.
• Web Configurator. This is recommended for everyday management of the Switch using a (supported) web browser.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the Switch to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the Switch.
CHAPTER 2
Hardware Installation and Connection

2.1 Installation Scenarios
This chapter shows you how to install and connect the Switch.
The Switch can be placed on a desktop or rack-mounted on a standard EIA rack. Use the rubber feet in a desktop installation and the brackets in a rack-mounted installation.
Note: For proper ventilation, allow at least 4 inches (10 cm) of clearance at the front and 3.4 inches (8 cm) at the back of the Switch. This is especially important for enclosed rack installations.
2.3.1 Rack-mounted Installation Requirements
• Two mounting brackets.
• Eight M3 flat head screws and a #2 Phillips screwdriver.
• Four M5 flat head screws and a #2 Phillips screwdriver.
Failure to use the proper screws may damage the unit.

2.3.1.1 Precautions
• Make sure the rack will safely support the combined weight of all the equipment it contains.
• Make sure the position of the Switch does not make the rack unstable or top-heavy.
2.3.3 Mounting the Switch on a Rack
1 Position a mounting bracket (that is already attached to the Switch) on one side of the rack, lining up the two screw holes on the bracket with the screw holes on the side of the rack.
Figure 6 Mounting the Switch on a Rack
2 Using a #2 Phillips screwdriver, install the M5 flat head screws through the mounting bracket holes into the rack.
CHAPTER 3
Hardware Panels

3.1 Overview
This chapter describes the front panel and rear panel of the Switch and shows you how to make the hardware connections.

3.2 Front Panel
The following figure shows the front panel of the Switch.
Figure 7 Front Panel (labels: LEDs, Console Port, Ethernet Ports, Dual Personality Interfaces)
The following table describes the port labels on the front panel.
Table 1 Front Panel Connections (continued)
LABEL | DESCRIPTION
Four Dual Personality Interfaces | Each interface has one 1000BASE-T RJ-45 port and one Small Form-Factor Pluggable (SFP) slot (also called a mini-GBIC slot), with one port or transceiver active at a time.
• Four 100/1000 Mbps RJ-45 Ports: Connect these ports to high-bandwidth backbone network Ethernet switches using 1000BASE-T compatible Category 5/5e/6 copper cables.
Console Port |
ports. This means that if a mini-GBIC slot and the corresponding GbE port are connected at the same time, the GbE port will be disabled.
When auto-negotiation is turned on, an Ethernet port negotiates with the peer automatically to determine the connection speed and duplex mode. If the peer Ethernet port does not support auto-negotiation or turns off this feature, the Switch determines the connection speed by detecting the signal on the cable and using half duplex mode.
• Connection speed: 1 Gigabit per second (Gbps)

3.2.3.1 Transceiver Installation
Use the following steps to install a mini-GBIC transceiver (SFP module).
1 Insert the transceiver into the slot with the exposed section of PCB board facing down.
2 Press the transceiver firmly until it clicks into place.
3 The Switch automatically detects the installed transceiver. Check the LEDs to verify that it is functioning properly.
4 Close the transceiver’s latch (latch styles vary).
3 Pull the transceiver out of the slot.
Figure 10 Removing the Fiber Optic Cables
Figure 11 Opening the Transceiver’s Latch Example
Figure 12 Transceiver Removal Example

3.2.4 Power Connector
Note: Make sure you are using the correct power source as shown on the panel.
To connect power to the Switch, insert the female end of the power cord to the AC power receptacle on the front panel. Connect the other end of the supplied power cord to a power outlet.
3.3 LEDs
After you connect the power to the Switch, view the LEDs to ensure proper functioning of the Switch and as an aid in troubleshooting.

Table 2 LED Descriptions
LED | COLOR | STATUS | DESCRIPTION
PWR | Green | On | The system is turned on.
 | | Off | The system is off or has failed.
 | | On | The system is on and functioning properly.
 | | Blinking | The system is rebooting and performing self-diagnostic tests.
 | | Off | The power is off or the system is not ready/malfunctioning.
PART II
Basic Configuration

The Web Configurator
Initial Setup Example
System Status and Port Statistics
Basic Setting
CHAPTER 4
The Web Configurator

4.1 Overview
This section introduces the configuration and functions of the web configurator.
The web configurator is an HTML-based management interface that allows easy Switch setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
3 The login screen appears. The default username is admin and associated default password is 1234. The date and time display as shown if you have not configured a time server nor manually entered a time and date in the General Setup screen.
Figure 13 Web Configurator: Login
4 Click OK to view the first web configurator screen.

4.3 The Status Screen
The Status screen is the first screen that displays when you access the web configurator.
A - Click the menu items to open submenu links, and then click on a submenu link to open the screen in the main window.
B, C, D, E - These are quick links which allow you to perform certain tasks no matter which screen you are currently working in.
B - Click this link to save your configuration into the Switch’s nonvolatile memory. Nonvolatile memory is the configuration of your Switch that stays the same even if the Switch’s power is turned off.
The following table describes the links in the navigation panel.

Table 4 Navigation Panel Links
LINK | DESCRIPTION
Basic Settings |
System Info | This link takes you to a screen that displays general system information.
General Setup | This link takes you to a screen where you can configure general identification information about the Switch.
Switch Setup | This link takes you to a screen where you can set up global Switch parameters such as VLAN type, GARP and priority queues.
Table 4 Navigation Panel Links (continued)
LINK | DESCRIPTION
VLAN Stacking | This link takes you to screens where you can configure VLAN stacking.
Multicast | This link takes you to screens where you can configure various multicast features, IGMP snooping and create multicast VLANs.
AAA | This link takes you to a screen where you can configure authentication, authorization services via external servers.
4.3.1 Change Your Password
After you log in for the first time, it is recommended you change the default administrator password. Click Management > Access Control > Logins to display the next screen.
Figure 15 Change Administrator Login Password

4.4 Saving Your Configuration
When you are done modifying the settings in a screen, click Apply to save your changes back to the run-time memory. Settings in the run-time memory are lost when the Switch’s power is turned off.
4.5 Switch Lockout
You could block yourself (and all others) from managing the Switch if you do one of the following:
1 Delete the management VLAN (default is VLAN 1).
2 Delete all port-based VLANs with the CPU port as a member. The “CPU port” is the management port of the Switch.
3 Filter all traffic to the CPU port.
4 Disable all ports.
5 Misconfigure the text configuration file.
6 Forget the password and/or IP address.
2 Disconnect and reconnect the Switch’s power to begin a session. When you reconnect the Switch’s power, you will see the initial screen.
3 When you see the message “Press any key to enter Debug Mode within 3 seconds ...” press any key to enter debug mode.
4 Type atlc after the “Enter Debug Mode” message.
5 Wait for the “Starting XMODEM upload” message before activating XMODEM upload on your terminal.
CHAPTER 5
Initial Setup Example

5.1 Overview
This chapter shows how to set up the Switch for an example network.
The following lists the configuration steps for the initial setup:
• Create a VLAN
• Set port VLAN ID
• Configure the Switch IP management address

5.1.1 Creating a VLAN
VLANs confine broadcast frames to the VLAN group in which the port(s) belongs. You can do this with port-based VLAN or tagged static VLAN with fixed port members.
1 Click Advanced Application > VLAN in the navigation panel and click the Static VLAN link.
2 In the Static VLAN screen, select ACTIVE, enter a descriptive name in the Name field and enter 2 in the VLAN Group ID field for the VLAN2 network.
Note: The VLAN Group ID field in this screen and the VID field in the IP Setup screen refer to the same VLAN ID.
5.1.2 Setting Port VID
Use PVID to add a tag to incoming untagged frames received on that port so that the frames are forwarded to the VLAN group that the tag defines.
In the example network, configure 2 as the port VID on port 1 so that any untagged frames received on that port get sent to VLAN 2.
Figure 18 Initial Setup Network Example: Port VID
1 Click Advanced Applications > VLAN in the navigation panel. Then click the VLAN Port Setting link.
5.2 Configuring Switch Management IP Address
The default management IP address of the Switch is 192.168.1.1. You can configure another IP address in a different subnet for management purposes. The following figure shows an example.
Figure 19 Initial Setup Example: Management IP Address
1 Connect your computer to any Ethernet port on the Switch. Make sure your computer is in the same subnet as the Switch.
2 Open your web browser and enter 192.168.1.
CHAPTER 6
Tutorials

6.1 Overview
This chapter provides some examples of using the web configurator to set up and use the Switch. The tutorials include:
• How to Use DHCP Snooping on the Switch
• How to Use DHCP Relay on the Switch

6.2 How to Use DHCP Snooping on the Switch
You only want DHCP server A connected to port 5 to assign IP addresses to all devices in VLAN network (V). Create a VLAN containing ports 5, 6 and 7. Connect a computer M to the Switch for management.
Table 5 Tutorial: Settings in this Tutorial
HOST | PORT CONNECTED | VLAN | PVID | DHCP SNOOPING PORT TRUSTED
DHCP Client (B) | 6 | 1 and 100 | 100 | No
DHCP Client (C) | 7 | 1 and 100 | 100 | No

1 Access the Switch through http://192.168.1.1 by default. Log into the Switch by entering the username (default: admin) and password (default: 1234).
2 Go to Advanced Application > VLAN > Static VLAN, and create a VLAN with ID of 100.
3 Go to Advanced Application > VLAN > VLAN Port Setting, and set the PVID of the ports 5, 6 and 7 to 100. This tags untagged incoming frames on ports 5, 6 and 7 with the tag 100.
Figure 22 Tutorial: Tag Untagged Frames
4 Go to Advanced Application > IP Source Guard > DHCP snooping > Configure, activate and specify VLAN 100 as the DHCP VLAN as shown. Click Apply.
5 Click the Port link at the top right corner.
6 The DHCP Snooping Port Configure screen appears. Select Trusted in the Server Trusted state field for port 5 because the DHCP server is connected to port 5. Keep ports 6 and 7 Untrusted because they are connected to DHCP clients. Click Apply.
8 Click Save at the top right corner of the web configurator to save the configuration permanently.
9 Connect your DHCP server to port 5 and a computer (as DHCP client) to either port 6 or 7. The computer should be able to get an IP address from the DHCP server. If you put the DHCP server on port 6 or 7, the computer will not be able to get an IP address.
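The port roles from this tutorial as a simplified decision model (an added example, not ZyXEL code or firmware logic): untagged frames take the ingress port's PVID, and DHCP server messages are accepted only on the trusted port. The class and function names, the MAC address and the lease address are constructed for illustration, and the model assumes snooping is enforced for VLAN 100 as the tutorial configures.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Message types that only a DHCP server originates.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Port:
    pvid: int       # VLAN ID given to untagged ingress frames (tutorial step 3)
    trusted: bool   # "Server Trusted state" of the port (tutorial step 6)


@dataclass(frozen=True)
class DhcpFrame:
    ingress_port: int
    msg_type: str                     # DISCOVER, OFFER, REQUEST, ACK, NAK, ...
    client_mac: str
    vlan_tag: Optional[int] = None    # None: the frame arrived untagged
    offered_ip: Optional[str] = None  # address carried in OFFER/ACK


class SnoopingSwitch:
    """Hypothetical model of the snooping decision; not ZyXEL firmware logic."""

    def __init__(self, ports: Dict[int, Port], snooping_vlans: Iterable[int]):
        self.ports = ports
        self.snooping_vlans = set(snooping_vlans)
        # (client MAC, VLAN) -> port the client was last seen on
        self.client_port: Dict[Tuple[str, int], int] = {}
        # (client MAC, VLAN) -> (leased IP, client port), learned from trusted ACKs
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def vlan_of(self, frame: DhcpFrame) -> int:
        """Tagged frames keep their VLAN; untagged frames get the port's PVID."""
        if frame.vlan_tag is not None:
            return frame.vlan_tag
        return self.ports[frame.ingress_port].pvid

    def handle(self, frame: DhcpFrame) -> Tuple[str, str]:
        """Return (action, reason) for one DHCP frame entering the switch."""
        vlan = self.vlan_of(frame)
        key = (frame.client_mac, vlan)
        if vlan not in self.snooping_vlans:
            return ("forward", f"snooping not enabled for VLAN {vlan}")
        if frame.msg_type not in SERVER_MESSAGES:
            self.client_port[key] = frame.ingress_port
            return ("forward", "client message")
        if not self.ports[frame.ingress_port].trusted:
            return ("drop", f"server message on untrusted port {frame.ingress_port}")
        if frame.msg_type == "ACK" and key in self.client_port:
            self.bindings[key] = (frame.offered_ip, self.client_port[key])
        return ("forward", "server message on trusted port")


def tutorial_switch() -> SnoopingSwitch:
    """Ports 5, 6 and 7 with PVID 100; only port 5 is trusted."""
    ports = {
        5: Port(pvid=100, trusted=True),
        6: Port(pvid=100, trusted=False),
        7: Port(pvid=100, trusted=False),
    }
    return SnoopingSwitch(ports, snooping_vlans=[100])


# Constructed sample values (documentation address ranges).
CLIENT_MAC = "00:00:5e:00:53:0b"
LEASE_IP = "192.0.2.50"


def lease_obtained(switch: SnoopingSwitch, server_port: int, client_port: int) -> bool:
    """Run one DISCOVER/OFFER/REQUEST/ACK exchange; True if nothing was dropped."""
    exchange = [
        DhcpFrame(client_port, "DISCOVER", CLIENT_MAC),
        DhcpFrame(server_port, "OFFER", CLIENT_MAC, offered_ip=LEASE_IP),
        DhcpFrame(client_port, "REQUEST", CLIENT_MAC),
        DhcpFrame(server_port, "ACK", CLIENT_MAC, offered_ip=LEASE_IP),
    ]
    return all(switch.handle(frame)[0] == "forward" for frame in exchange)


if __name__ == "__main__":
    print("server on port 5:", lease_obtained(tutorial_switch(), 5, 6))
    print("server on port 6:", lease_obtained(tutorial_switch(), 6, 7))
```

The binding learned from the trusted ACK records which client port holds which address in which VLAN.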
on the system name, VLAN ID and port number in the DHCP request. Client A connects to the Switch’s port 2 in VLAN 102.
Figure 27 Tutorial: DHCP Relay Scenario (labels: DHCP Server 192.168.2.3; Port 2, PVID=102; A; VLAN 102; 172.16.1.18)

6.3.2 Creating a VLAN
Follow the steps below to configure port 2 as a member of VLAN 102.
1 Access the web configurator through the Switch’s management port.
2 Go to Basic Setting > Switch Setup and set the VLAN type to 802.1Q.
3 Click Advanced Application > VLAN > Static VLAN.
4 In the Static VLAN screen, select ACTIVE, enter a descriptive name (VLAN 102 for example) in the Name field and enter 102 in the VLAN Group ID field.
5 Select Fixed to configure port 2 to be a permanent member of this VLAN.
6 Clear the TX Tagging check box to set the Switch to remove VLAN tags before sending.
7 Click Add to save the settings to the run-time memory.
8 Click the VLAN Status link in the Static VLAN screen and then the VLAN Port Setting link in the VLAN Status screen.
Figure 30 Tutorial: Click the VLAN Port Setting Link
9 Enter 102 in the PVID field for port 2 to add a tag to incoming untagged frames received on that port so that the frames are forwarded to the VLAN group that the tag defines.
10 Click Apply to save your changes back to the run-time memory.
11 Click the Save link in the upper right corner of the web configurator to save your configuration permanently.

6.3.3 Configuring DHCP Relay
Follow the steps below to enable DHCP relay on the Switch and allow the Switch to add relay agent information (such as the VLAN ID) to DHCP requests.
1 Click IP Application > DHCP and then the Global link to open the DHCP Relay screen.
2 Select the Active check box.
3 Enter the DHCP server’s IP address (192.168.2.
1 Client A is connected to the Switch’s port 2 in VLAN 102.
2 You configured the correct VLAN ID, port number and system name for DHCP relay on both the DHCP server and the Switch.
3 You clicked the Save link on the Switch to have your settings take effect.
CHAPTER 7
System Status and Port Statistics

7.1 Overview
This chapter describes the system status (web configurator home page) and port details screens.
The home screen of the web configurator displays a port statistical summary with links to each port showing statistical details.

7.2 What You Can Do
• Use the Port Status Summary screen (Section 7.3) to view the port statistics.
• Use the Port Details screen (Section 7.3.1) to display individual port statistics.
7.3 Port Status Summary
To view the port statistics, click Status in all web configurator screens to display the Status screen as shown next.
Figure 33 Status
The following table describes the labels in this screen.

Table 6 Status
LABEL | DESCRIPTION
Port | This identifies the Ethernet port. Click a port number to display the Port Details screen (refer to Figure 34).
Table 6 Status (continued)
LABEL | DESCRIPTION
Rx KB/s | This field shows the number of kilobytes per second received on this port.
Up Time | This field shows the total amount of time in hours, minutes and seconds the port has been up.
Clear Counter | Enter a port number and then click Clear Counter to erase the recorded statistical information for that port, or select Any to clear statistics for all ports.

7.3.
The following table describes the labels in this screen.

Table 7 Status: Port Details
LABEL | DESCRIPTION
Port Info |
Port NO. | This field displays the port number you are viewing.
Name | This field displays the name of the port.
Link | This field displays the speed (either 10M for 10Mbps, 100M for 100Mbps or 1000M for 1000Mbps) and the duplex (F for full duplex or H for half duplex). It also shows the cable type (Copper or Fiber).
Table 7 Status: Port Details (continued)
LABEL | DESCRIPTION
Excessive | This is a count of packets for which transmission failed due to excessive collisions. Excessive collision is defined as the number of maximum collisions before the retransmission count is reset.
Late | This is the number of times a late collision is detected, that is, after 512 bits of the packets have already been transmitted.
CHAPTER 8
Basic Setting

8.1 Overview
This chapter describes how to configure the System Info, General Setup, Switch Setup, IP Setup and Port Setup screens.
The System Info screen displays general Switch information (such as firmware version number). The General Setup screen allows you to configure general Switch identification information. The General Setup screen also allows you to set the system time manually or get the current time and date from an external server when you turn on your Switch.
8.3 System Information
In the navigation panel, click Basic Setting > System Info to display the screen as shown. You can check the firmware version number.
Figure 35 Basic Setting > System Info
The following table describes the labels in this screen.

Table 8 Basic Setting > System Info
LABEL | DESCRIPTION
System Name | This field displays the descriptive name of the Switch for identification purposes.
Product Model | This field displays the product model of the Switch.
Table 8 Basic Setting > System Info (continued)
LABEL | DESCRIPTION
Fan Speed (RPM) | A properly functioning fan is an essential component (along with a sufficiently ventilated, cool operating environment) in order for the device to stay within the temperature threshold. Each fan has a sensor that is capable of detecting and reporting if the fan speed falls below the threshold shown.
Current | This field displays this fan's current speed in Revolutions Per Minute (RPM).
8.4 General Setup
Use this screen to configure general settings such as the system name and time. Click Basic Setting > General Setup in the navigation panel to display the screen as shown.
Figure 36 Basic Setting > General Setup
The following table describes the labels in this screen.

Table 9 Basic Setting > General Setup
LABEL | DESCRIPTION
System Name | Choose a descriptive name for identification purposes.
Table 9 Basic Setting > General Setup (continued)
LABEL | DESCRIPTION
Use Time Server when Bootup | Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to use trial and error to find a protocol that works. The main differences between them are the time format. When you select the Daytime (RFC 867) format, the Switch displays the day, month, year and time with no time zone adjustment.
Table 9 Basic Setting > General Setup (continued)
LABEL | DESCRIPTION
End Date | Configure the day and time when Daylight Saving Time ends if you selected Daylight Saving Time. The time field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time.
8.6 Switch Setup Screen
Click Basic Setting > Switch Setup in the navigation panel to display the screen as shown. The VLAN setup screens change depending on whether you choose 802.1Q or Port Based in the VLAN Type field in this screen. Refer to Chapter 9 for more information on VLAN.
Figure 37 Basic Setting > Switch Setup
The following table describes the labels in this screen.

Table 10 Basic Setting > Switch Setup
LABEL | DESCRIPTION
VLAN Type | Choose 802.
Table 10 Basic Setting > Switch Setup (continued)
LABEL | DESCRIPTION
Leave All Timer | Leave All Timer sets the duration of the Leave All Period timer for GVRP in milliseconds. Each port has a single Leave All Period timer. Leave All Timer must be larger than Leave Timer.
Priority Queue Assignment | IEEE 802.1p defines up to eight separate traffic types by inserting a tag into a MAC-layer frame that contains bits to define class of service.
8.7.1 Management IP Addresses
The Switch needs an IP address for it to be managed over the network. The factory default IP address is 192.168.1.1. The subnet mask specifies the network number portion of an IP address. The factory default subnet mask is 255.255.255.0.
You can configure up to 64 IP addresses which are used to access and manage the Switch from the ports belonging to the pre-defined VLAN(s).
Note: You must configure a VLAN first.
Chapter 8 Basic Setting The following table describes the labels in this screen. Table 11 Basic Setting > IP Setup LABEL DESCRIPTION Domain Name Server DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. Enter a domain name server IP address in order to be able to use a domain name instead of an IP address.
Chapter 8 Basic Setting Table 11 Basic Setting > IP Setup (continued) LABEL DESCRIPTION Default Gateway This field displays the IP address of the default gateway. Delete Check the management IP addresses that you want to remove in the Delete column, then click the Delete button. Cancel Click Cancel to clear the selected check boxes in the Delete column. 8.8 Port Setup Use this screen to configure Switch port settings.
Chapter 8 Basic Setting The following table describes the labels in this screen. Table 12 Basic Setting > Port Setup LABEL DESCRIPTION Port This is the port index number. * Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis. Note: Changes in this row are copied to all the ports as soon as you make them.
Chapter 8 Basic Setting Table 12 Basic Setting > Port Setup (continued) LABEL DESCRIPTION 802.1p Priority This priority value is added to incoming frames without a (802.1p) priority queue tag. See Priority Queue Assignment in Table 10 on page 77 for more information. Apply Click Apply to save your changes to the Switch’s run-time memory.
PART III Advanced
Layer 2 Protocol Tunneling (245)
VLAN (87)
Static MAC Forward Setup (107)
Filtering (115)
Spanning Tree Protocol (117)
Bandwidth Control (139)
Broadcast Storm Control (143)
Mirroring (147)
Link Aggregation (151)
Port Authentication (161)
Port Security (165)
Classifier (169)
Policy Rule (175)
Queuing Method (181)
VLAN Stacking (185)
Multicast (193)
AAA (201)
IP Source Guard (215)
Loop Guard (241)
CHAPTER 9 VLAN 9.1 Overview This chapter shows you how to configure 802.1Q tagged and port-based VLANs. The type of screen you see here depends on the VLAN Type you selected in the Switch Setup screen. 9.2 What You Can Do • Use the VLAN Status screen (Section 9.4 on page 91) to view all VLAN groups. • Use the VLAN Detail screen (Section 9.4.1 on page 92) to view detailed port settings and status of the VLAN group. • Use the Static VLAN screen (Section 9.5 on page 93) to configure and view 802.
dynamically through GVRP. The VLAN ID associates a frame with a specific VLAN and provides the information that switches need to process the frame across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control Information, starts after the source address field of the Ethernet frame).
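The tag layout described above can be checked against captured frames with a short parser. This is an added example, not code from the User's Guide; the function names, the FrameInfo type and the sample frame are constructed for illustration, and the 3/1/12-bit split of the TCI follows IEEE 802.1Q.

```python
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100  # TPID value that marks an IEEE 802.1Q tag


class FrameInfo(NamedTuple):
    dst: str
    src: str
    tagged: bool
    priority: Optional[int]  # 802.1p priority, top 3 bits of the TCI
    dei: Optional[int]       # single flag bit between priority and VID
    vid: Optional[int]       # VLAN ID, low 12 bits of the TCI
    ethertype: int           # type/length of the encapsulated payload


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tag_frame(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert the 4-byte tag (2 bytes TPID + 2 bytes TCI) after the source address."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vid <= 4094:  # VID 0 and 4095 are reserved values
        raise ValueError(f"VID {vid} outside 1-4094")
    if not 0 <= priority <= 7:
        raise ValueError(f"priority {priority} outside 0-7")
    tci = (priority << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> FrameInfo:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # Untagged: bytes 12-13 are the ordinary type/length field.
        return FrameInfo(dst, src, False, None, None, None, tpid)
    if len(frame) < 18:
        raise ValueError("frame ends inside the 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return FrameInfo(dst, src, True,
                     tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, ethertype)


# Constructed sample: broadcast IPv4 frame with a zero-filled 46-byte payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + bytes(46)

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, vid=100, priority=6)
    print(len(UNTAGGED), len(tagged))
    print(parse_frame(UNTAGGED))
    print(parse_frame(tagged))
```
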
Chapter 9 VLAN LAN. GARP is a protocol that provides a generic mechanism for protocols that serve a more specific application, for example, GVRP. 9.3.4.1 GARP Timers Switches join VLANs by making a declaration. A declaration is made by issuing a Join message using GARP. Declarations are withdrawn by issuing a Leave message. A Leave All message terminates all registrations. GARP timers set declaration timeout values. 9.3.
Chapter 9 VLAN 9.3.6 Port VLAN Trunking Enable VLAN Trunking on a port to allow frames belonging to unknown VLAN groups to pass through that port. This is useful if you want to set up VLAN groups on end devices without having to configure the same VLAN groups on intermediary devices. Refer to the following figure. Suppose you want to create VLAN groups 1 and 2 (V1 and V2) on devices A and B.
Chapter 9 VLAN 9.4 VLAN Status Click Advanced Application > VLAN from the navigation panel to display the VLAN Status screen as shown next. Figure 42 Advanced Application > VLAN: VLAN Status The following table describes the labels in this screen. Table 14 Advanced Application > VLAN: VLAN Status LABEL DESCRIPTION VLAN Search by VID Enter an existing VLAN ID number(s) (separated by a comma) and click Search to display only the specified VLAN(s) in the list below.
Chapter 9 VLAN 9.4.1 VLAN Details Use this screen to view detailed port settings and status of the VLAN group. Click on an index number in the VLAN Status screen to display VLAN details. Figure 43 Advanced Application > VLAN > VLAN Detail The following table describes the labels in this screen. Table 15 Advanced Application > VLAN > VLAN Detail LABEL DESCRIPTION VLAN Status Click this to go to the VLAN Status screen.
Chapter 9 VLAN 9.5 Configure a Static VLAN Use this screen to configure and view 802.1Q VLAN parameters for the Switch. To configure a static VLAN, click Static VLAN in the VLAN Status screen to display the screen as shown next. Figure 44 Advanced Application > VLAN > Static VLAN The following table describes the related labels in this screen. Table 16 Advanced Application > VLAN > Static VLAN LABEL DESCRIPTION ACTIVE Select this check box to activate the VLAN settings.
Chapter 9 VLAN Table 16 Advanced Application > VLAN > Static VLAN (continued) LABEL DESCRIPTION * Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis. Note: Changes in this row are copied to all the ports as soon as you make them. Control Select Normal for the port to dynamically join this VLAN group using GVRP. This is the default selection.
Chapter 9 VLAN 9.6 Configure VLAN Port Settings Use the VLAN Port Setting screen to configure the static VLAN (IEEE 802.1Q) settings on a port. Click the VLAN Port Setting link in the VLAN Status screen. Figure 45 Advanced Application > VLAN > VLAN Port Setting The following table describes the labels in this screen.
Chapter 9 VLAN Table 17 Advanced Application > VLAN > VLAN Port Setting (continued) LABEL DESCRIPTION * Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis. Note: Changes in this row are copied to all the ports as soon as you make them.
Chapter 9 VLAN For example, an ISP (Internet Services Provider) may divide different types of services it provides to customers into different IP subnets. Traffic for voice services is designated for IP subnet 172.16.1.0/24, video for 192.168.1.0/24 and data for 10.1.1.0/24. The Switch can then be configured to group incoming traffic based on the source IP subnet of incoming frames. You configure a subnet based VLAN with priority 6 and VID of 100 for traffic received from IP subnet 172.16.1.
Note: Subnet based VLAN applies to un-tagged packets and is applicable only when you use IEEE 802.1Q tagged VLAN.
Figure 47 Advanced Application > VLAN > VLAN Port Setting > Subnet Based VLAN
The following table describes the labels in this screen.
Table 18 Advanced Application > VLAN > VLAN Port Setting > Subnet Based VLAN Setup
LABEL | DESCRIPTION
Active | Check this box to activate subnet based VLANs on the Switch.
Chapter 9 VLAN Table 18 Advanced Application > VLAN > VLAN Port Setting > Subnet Based VLAN Setup (continued) LABEL DESCRIPTION VID Enter the ID of a VLAN with which the untagged frames from the IP subnet specified in this subnet based VLAN are tagged. This must be an existing VLAN which you defined in the Advanced Applications > VLAN screens. Priority Select the priority level that the Switch assigns to frames belonging to this VLAN.
Chapter 9 VLAN traffic from port 6 and 7 will be in another group and have higher priority than ARP traffic, when they go through the uplink port to a backbone switch C. Figure 48 Protocol Based VLAN Application Example 9.8.1 Configuring Protocol Based VLAN Click Protocol Based VLAN in the VLAN Port Setting screen to display the configuration screen as shown. Note: Protocol-based VLAN applies to un-tagged packets and is applicable only when you use IEEE 802.1Q tagged VLAN.
Chapter 9 VLAN The following table describes the labels in this screen. Table 19 Advanced Application > VLAN > VLAN Port Setting > Protocol Based VLAN Setup LABEL DESCRIPTION Active Check this box to activate this protocol based VLAN. Port Type a port to be included in this protocol based VLAN. This port must belong to a static VLAN in order to participate in a protocol based VLAN. See Chapter 9 on page 87 for more details on setting up VLANs.
9.9 Port-based VLAN Setup
Port-based VLANs are VLANs where the packet forwarding decision is based on the destination MAC address and its associated port. Port-based VLANs require allowed outgoing ports to be defined for each port. Therefore, if you wish to allow two subscriber ports to talk to each other, for example, between conference rooms in a hotel, you must define the egress (an egress port is an outgoing port, that is, a port through which a data packet leaves) for both ports.
Chapter 9 VLAN 9.9.1 Configure a Port-based VLAN Select Port Based as the VLAN Type in the Basic Setting > Switch Setup screen and then click Advanced Application > VLAN from the navigation panel to display the next screen.
Figure 51 Port Based VLAN Setup (Port Isolation)
The following table describes the labels in this screen.
Table 20 Port Based VLAN Setup
LABEL | DESCRIPTION
Setting Wizard | Choose All connected or Port isolation. All connected means all ports can communicate with each other, that is, there are no virtual LANs. All incoming and outgoing ports are selected. This option is the most flexible but also the least secure. Port isolation means that each port can only communicate with the CPU management port and cannot communicate with each other.
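Because two ports can talk only when each lists the other as an egress port, a planned port-based VLAN layout can be audited before it is entered in the screen. The following is an added example, not part of the User's Guide; the egress map structure, the use of port 0 to stand for the CPU management port, and the eight-port sample are assumptions made for illustration.

```python
from itertools import combinations

CPU = 0  # assumption: port 0 stands for the CPU management port in this model


def all_connected(ports):
    """'All connected' preset: every port may send to every other port."""
    members = set(ports) | {CPU}
    return {p: members - {p} for p in members}


def port_isolation(ports):
    """'Port isolation' preset: each port reaches only the CPU port."""
    egress = {p: {CPU} for p in ports}
    egress[CPU] = set(ports)
    return egress


def allow_pair(egress, a, b):
    """Define the egress in both directions, as the guide requires."""
    egress[a].add(b)
    egress[b].add(a)


def can_talk(egress, a, b):
    """Two ports communicate only if each is an egress port of the other."""
    return b in egress.get(a, set()) and a in egress.get(b, set())


def one_way_entries(egress):
    """Entries where a may send to b but b has no egress back to a."""
    return sorted((a, b) for a, outs in egress.items()
                  for b in outs if a not in egress.get(b, set()))


def unexpected_pairs(egress, allowed):
    """Subscriber-port pairs that can talk but are not in the intended policy."""
    allowed = {frozenset(pair) for pair in allowed}
    subscriber_ports = [p for p in egress if p != CPU]
    return sorted(tuple(sorted(pair))
                  for pair in combinations(subscriber_ports, 2)
                  if can_talk(egress, *pair) and frozenset(pair) not in allowed)


def conference_rooms():
    """Constructed sample: ports 1-8 isolated, rooms on ports 2 and 3 joined,
    plus one half-finished entry (5 -> 6 without the return direction)."""
    egress = port_isolation(range(1, 9))
    allow_pair(egress, 2, 3)
    egress[5].add(6)
    return egress


if __name__ == "__main__":
    plan = conference_rooms()
    print("2 <-> 3:", can_talk(plan, 2, 3))
    print("one-way entries:", one_way_entries(plan))
    print("unexpected pairs:", unexpected_pairs(plan, allowed=[(2, 3)]))
    open_plan = all_connected(range(1, 9))
    print("pairs exposed by 'All connected':",
          len(unexpected_pairs(open_plan, allowed=[(2, 3)])))
```
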
1 Activate this protocol based VLAN.
2 Type the port number you want to include in this protocol based VLAN. Type 1.
3 Give this protocol-based VLAN a descriptive name. Type IP-VLAN.
4 Select the protocol. Leave the default value IP.
5 Type the VLAN ID of an existing VLAN. In our example we already created a static VLAN with an ID of 5. Type 5.
6 Leave the priority set to 0 and click Add.
CHAPTER 10 Static MAC Forward Setup 10.1 Overview This chapter discusses how to configure forwarding rules based on MAC addresses of devices on your network. Use these screens to configure static MAC address forwarding. 10.2 What You Can Do Use the Static MAC Forwarding screen (Section 10.3 on page 107) to assign static MAC addresses for a port. 10.3 Configuring Static MAC Forwarding A static MAC address is an address that has been manually entered in the MAC address table.
Chapter 10 Static MAC Forward Setup Click Advanced Application > Static MAC Forwarding in the navigation panel to display the configuration screen as shown. Figure 53 Advanced Application > Static MAC Forwarding The following table describes the labels in this screen. Table 21 Advanced Application > Static MAC Forwarding LABEL DESCRIPTION Active Select this check box to activate your rule. You may temporarily deactivate a rule without deleting it by clearing this check box.
Chapter 10 Static MAC Forward Setup Table 21 Advanced Application > Static MAC Forwarding (continued) LABEL DESCRIPTION Port This field displays the port where the MAC address shown in the next field will be forwarded. Delete Click Delete to remove the selected entry from the summary table. Cancel Click Cancel to clear the Delete check boxes.
CHAPTER 11 Static Multicast Forward Setup 11.1 Overview This chapter discusses how to configure forwarding rules based on multicast MAC addresses of devices on your network. Use these screens to configure static multicast address forwarding. 11.2 What You Can Do Use the Static Multicast Forward Setup screen (Section 11.4 on page 112) to configure rules to forward specific multicast frames, such as streaming or control frames, to specific port(s). 11.
Chapter 11 Static Multicast Forward Setup connected to port 3. Figure 56 shows frames being forwarded to ports 2 and 3 within VLAN group 4. Figure 54 No Static Multicast Forwarding Figure 55 Static Multicast Forwarding to A Single Port Figure 56 Static Multicast Forwarding to Multiple Ports 11.4 Configuring Static Multicast Forwarding Use this screen to configure rules to forward specific multicast frames, such as streaming or control frames, to specific port(s).
Chapter 11 Static Multicast Forward Setup Click Advanced Application > Static Multicast Forwarding to display the configuration screen as shown. Figure 57 Advanced Application > Static Multicast Forwarding The following table describes the labels in this screen. Table 22 Advanced Application > Static Multicast Forwarding LABEL DESCRIPTION Active Select this check box to activate your rule. You may temporarily deactivate a rule without deleting it by clearing this check box.
Chapter 11 Static Multicast Forward Setup Table 22 Advanced Application > Static Multicast Forwarding (continued) LABEL DESCRIPTION Active This field displays whether a static multicast MAC address forwarding rule is active (Yes) or not (No). You may temporarily deactivate a rule without deleting it. Name This field displays the descriptive name for identification purposes for a static multicast MAC address-forwarding rule.
CHAPTER 12 Filtering 12.1 Overview This chapter discusses MAC address port filtering. Filtering means sifting traffic going through the Switch based on the source and/or destination MAC addresses and VLAN group (ID). 12.2 What You Can Do Use the Filtering screen (Section 12.3 on page 115) to create rules for traffic going through the Switch. 12.3 Configure a Filtering Rule Use this screen to create rules for traffic going through the Switch.
Chapter 12 Filtering The following table describes the related labels in this screen. Table 23 Advanced Application > Filtering LABEL DESCRIPTION Active Make sure to select this check box to activate your rule. You may temporarily deactivate a rule without deleting it by deselecting this check box. Name Type a descriptive name (up to 32 printable ASCII characters) for this rule. This is for identification only.
CHAPTER 13 Spanning Tree Protocol 13.1 Overview The Switch supports Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP) as defined in the following standards. • IEEE 802.1D Spanning Tree Protocol • IEEE 802.1w Rapid Spanning Tree Protocol • IEEE 802.1s Multiple Spanning Tree Protocol The Switch also allows you to set up multiple STP configurations (or trees). Ports can then be assigned to the trees. 13.
Chapter 13 Spanning Tree Protocol 13.3 What You Need to Know (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a switch to interact with other (R)STP compliant switches in your network to ensure that only one path exists between any two stations on the network. The Switch uses IEEE 802.
Chapter 13 Spanning Tree Protocol For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN. 13.3.2 How STP Works After a bridge determines the lowest cost-spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.
Chapter 13 Spanning Tree Protocol In the following example, there are two RSTP instances (MRSTP 1 and MRSTP2) on switch A. To set up MRSTP, activate MRSTP on the Switch and specify which port(s) belong to which spanning tree. Note: Each port can belong to one STP tree only. Figure 59 MRSTP Network Example 13.3.5 Multiple STP Multiple Spanning Tree Protocol (IEEE 802.
Chapter 13 Spanning Tree Protocol 13.4 Spanning Tree Protocol Status Screen The Spanning Tree Protocol status screen changes depending on what standard you choose to implement on your network. Click Advanced Application > Spanning Tree Protocol to see the screen as shown. Figure 60 Advanced Application > Spanning Tree Protocol This screen differs depending on which STP mode (RSTP, MRSTP or MSTP) you configure on the Switch.
Chapter 13 Spanning Tree Protocol The following table describes the labels in this screen. Table 26 Advanced Application > Spanning Tree Protocol > Configuration LABEL DESCRIPTION Spanning Tree Mode You can activate one of the STP modes on the Switch. Select Rapid Spanning Tree, Multiple Rapid Spanning Tree or Multiple Spanning Tree. See Section 13.1 on page 117 for background information on STP. Apply Click Apply to save your changes to the Switch’s run-time memory.
Chapter 13 Spanning Tree Protocol The following table describes the labels in this screen. Table 27 Advanced Application > Spanning Tree Protocol > RSTP LABEL DESCRIPTION Status Click Status to display the RSTP Status screen (see Figure 63 on page 124). Active Select this check box to activate RSTP. Clear this checkbox to disable RSTP. Note: You must also activate Rapid Spanning Tree in the Advanced Application > Spanning Tree Protocol > Configuration screen to enable RSTP on the Switch.
Chapter 13 Spanning Tree Protocol Table 27 Advanced Application > Spanning Tree Protocol > RSTP (continued) LABEL DESCRIPTION Active Select this check box to activate RSTP on this port. Priority Configure the priority for each port here. Priority decides which port should be disabled when more than one port forms a loop in a switch. Ports with a higher priority numeric value are disabled first. The allowed range is between 0 and 255 and the default value is 128.
Chapter 13 Spanning Tree Protocol The following table describes the labels in this screen. Table 28 Advanced Application > Spanning Tree Protocol > Status: RSTP LABEL DESCRIPTION Configuration Click Configuration to specify which STP mode you want to activate. Click RSTP to edit RSTP settings on the Switch. Bridge Root refers to the base of the spanning tree (the root bridge). Our Bridge is this switch. This Switch may also be the root bridge.
Chapter 13 Spanning Tree Protocol 13.8 Configure Multiple Rapid Spanning Tree Protocol To configure MRSTP, click MRSTP in the Advanced Application > Spanning Tree Protocol screen. See Section 13.1 on page 117 for more information on MRSTP. Figure 64 Advanced Application > Spanning Tree Protocol > MRSTP The following table describes the labels in this screen.
Table 29 Advanced Application > Spanning Tree Protocol > MRSTP (continued)
LABEL | DESCRIPTION
Bridge Priority | Bridge priority is used in determining the root switch, root port and designated port. The switch with the highest priority (lowest numeric value) becomes the STP root switch. If all switches have the same priority, the switch with the lowest MAC address will then become the root switch. Select a value from the drop-down list box.
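The root selection rule in the Bridge Priority description (lowest numeric priority wins, lowest MAC address breaks a tie) can be applied to a planned topology to confirm that the intended switch becomes root and to see whether that outcome rests on priority or only on the MAC tie-break. This is an added example, not part of the User's Guide; the switch names, priorities and MAC addresses are constructed, and the 16-bit priority range is an assumption of the model.

```python
def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff (or dash-separated) to an integer."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)


def bridge_id(priority: int, mac: str):
    """Comparable bridge identifier: priority first, then MAC address."""
    if not 0 <= priority <= 0xFFFF:  # assumption: priority fits in 16 bits
        raise ValueError(f"priority {priority} outside 0-65535")
    return (priority, mac_to_int(mac))


def election_order(bridges):
    """Bridge names ordered from most to least preferred as root."""
    return sorted(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_report(bridges, intended):
    """Who becomes root, why, and who takes over if the root disappears."""
    order = election_order(bridges)
    root = order[0]
    runner_up = order[1] if len(order) > 1 else None
    if runner_up is None:
        decided_by = "only bridge"
    elif bridges[root][0] < bridges[runner_up][0]:
        decided_by = "priority"
    else:
        decided_by = "mac"  # equal priority: lowest MAC address won
    return {
        "root": root,
        "intended_is_root": root == intended,
        "decided_by": decided_by,
        "next_root": runner_up,
    }


# Constructed samples: name -> (bridge priority, MAC address).
PLANNED = {
    "core": (4096, "02:00:00:00:00:30"),
    "dist": (32768, "02:00:00:00:00:10"),
    "access": (32768, "02:00:00:00:00:20"),
}
# Same switches with every priority left at one common value.
UNTUNED = {name: (32768, mac) for name, (_, mac) in PLANNED.items()}

if __name__ == "__main__":
    print(root_report(PLANNED, intended="core"))
    print(root_report(UNTUNED, intended="core"))
```

When the report says the result was decided by MAC address, root placement depends on which hardware happens to be attached rather than on configuration, which is the case to correct by lowering the intended root's priority value.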
Chapter 13 Spanning Tree Protocol Table 29 Advanced Application > Spanning Tree Protocol > MRSTP (continued) LABEL DESCRIPTION Tree Select which STP tree configuration this port should participate in. Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the nonvolatile memory when you are done configuring.
Chapter 13 Spanning Tree Protocol Table 30 Advanced Application > Spanning Tree Protocol > Status: MRSTP LABEL DESCRIPTION Hello Time (second) This is the time interval (in seconds) at which the root switch transmits a configuration message. The root bridge determines Hello Time, Max Age and Forwarding Delay. Max Age (second) This is the maximum time (in seconds) the Switch can wait without receiving a configuration message before attempting to reconfigure.
Chapter 13 Spanning Tree Protocol 13.10 Configure Multiple Spanning Tree Protocol To configure MSTP, click MSTP in the Advanced Application > Spanning Tree Protocol screen. See Section 13.3.5 on page 120 for more information on MSTP.
Chapter 13 Spanning Tree Protocol The following table describes the labels in this screen. Table 31 Advanced Application > Spanning Tree Protocol > MSTP LABEL DESCRIPTION Status Click Status to display the MSTP Status screen (see Figure 67 on page 133). Active Select this to activate MSTP on the Switch. Clear this to disable MSTP on the Switch. Note: You must also activate Multiple Spanning Tree in the Advanced Application > Spanning Tree Protocol > Configuration screen to enable MSTP on the Switch.
Chapter 13 Spanning Tree Protocol Table 31 Advanced Application > Spanning Tree Protocol > MSTP (continued) LABEL DESCRIPTION Bridge Priority Set the priority of the Switch for the specific spanning tree instance. The lower the number, the more likely the Switch will be chosen as the root bridge within the spanning tree instance.
Chapter 13 Spanning Tree Protocol Table 31 Advanced Application > Spanning Tree Protocol > MSTP (continued) LABEL DESCRIPTION Delete Check the rule(s) that you want to remove in the Delete column and then click the Delete button. Cancel Click Cancel to begin configuring this screen afresh. 13.11 Multiple Spanning Tree Protocol Status Click Advanced Application > Spanning Tree Protocol in the navigation panel to display the status screen as shown next. See Section 13.3.
Chapter 13 Spanning Tree Protocol The following table describes the labels in this screen. Table 32 Advanced Application > Spanning Tree Protocol > Status: MSTP LABEL DESCRIPTION Configuration Click Configuration to specify which STP mode you want to activate. Click MSTP to edit MSTP settings on the Switch. CST This section describes the Common Spanning Tree settings. Bridge Root refers to the base of the spanning tree (the root bridge). Our Bridge is this switch.
Chapter 13 Spanning Tree Protocol Table 32 Advanced Application > Spanning Tree Protocol > Status: MSTP LABEL DESCRIPTION Internal Cost This is the path cost from the root port in this MST instance to the regional root switch. Port ID This is the priority and number of the port on the Switch through which this Switch must communicate with the root of the MST instance. 13.12 Technical Reference This section provides technical background information on the topics discussed in this chapter. 13.12.
With MSTP, VLANs 1 and 2 are mapped to different spanning trees in the network. Thus traffic from the two VLANs travels on different paths. The following figure shows the network example using MSTP.
Figure 69 MSTP Network Example
13.12.2 MST Region
An MST region is a logical grouping of multiple network devices that appears as a single device to the rest of the network. Each MSTP-enabled device can only belong to one MST region.
Chapter 13 Spanning Tree Protocol The following figure shows an example where there are two MST regions. Regions 1 and 2 have 2 spanning tree instances. Figure 70 MSTIs in Different Regions 13.12.4 Common and Internal Spanning Tree (CIST) A CIST represents the connectivity of the entire network and it is equivalent to a spanning tree in an STP/RSTP. The CIST is the default MST instance (MSTID 0). Any VLANs that are not members of an MST instance are members of the CIST.
CHAPTER 14 Bandwidth Control 14.1 Bandwidth Control Overview This chapter shows you how you can cap the maximum bandwidth using the Bandwidth Control screen. Bandwidth control means defining a maximum allowable bandwidth for incoming and/or out-going traffic flows on a port. 14.2 What You Can Do Use the Bandwidth Control screen (Section 14.3 on page 140) to limit the bandwidth for traffic going through the Switch.
Chapter 14 Bandwidth Control 14.3 Bandwidth Control Setup Click Advanced Application > Bandwidth Control in the navigation panel to bring up the screen as shown next. Figure 72 Advanced Application > Bandwidth Control The following table describes the related labels in this screen. Table 33 Advanced Application > Bandwidth Control LABEL DESCRIPTION Active Select this check box to enable bandwidth control on the Switch. Port This field displays the port number.
Chapter 14 Bandwidth Control Table 33 Advanced Application > Bandwidth Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the nonvolatile memory when you are done configuring. Cancel Click Cancel to reset the fields.
CHAPTER 15 Broadcast Storm Control 15.1 Overview This chapter introduces and shows you how to configure the broadcast storm control feature. Broadcast storm control limits the number of broadcast, multicast and destination lookup failure (DLF) packets the Switch receives per second on the ports. When the maximum number of allowable broadcast, multicast and/or DLF packets is reached per second, the subsequent packets are discarded.
Chapter 15 Broadcast Storm Control 15.3 Broadcast Storm Control Setup Click Advanced Application > Broadcast Storm Control in the navigation panel to display the screen as shown next. Figure 73 Advanced Application > Broadcast Storm Control The following table describes the labels in this screen. Table 34 Advanced Application > Broadcast Storm Control LABEL DESCRIPTION Active Select this check box to enable traffic storm control on the Switch. Clear this check box to disable this feature.
Chapter 15 Broadcast Storm Control Table 34 Advanced Application > Broadcast Storm Control (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the nonvolatile memory when you are done configuring. Cancel Click Cancel to reset the fields.
CHAPTER 16 Mirroring
16.1 Overview
This chapter discusses port mirroring setup screens. Port mirroring allows you to copy a traffic flow to a monitor port (the port you copy the traffic to) so that you can examine the traffic from the monitor port without interference.
16.2 What You Can Do
Use the Mirroring screen (Section 16.3 on page 148) to select a monitor port and specify the traffic flow to be copied to the monitor port.
Chapter 16 Mirroring 16.3 Port Mirroring Setup Click Advanced Application > Mirroring in the navigation panel to display the Mirroring screen. Use this screen to select a monitor port and specify the traffic flow to be copied to the monitor port. Figure 74 Advanced Application > Mirroring The following table describes the labels in this screen. Table 35 Advanced Application > Mirroring LABEL DESCRIPTION Active Select this check box to activate port mirroring on the Switch.
Chapter 16 Mirroring Table 35 Advanced Application > Mirroring (continued) LABEL DESCRIPTION Mirrored Select this option to mirror the traffic on a port. Direction Specify the direction of the traffic to mirror by selecting from the drop-down list box. Choices are Egress (outgoing), Ingress (incoming) and Both. Apply Click Apply to save your changes to the Switch’s run-time memory.
CHAPTER 17 Link Aggregation
17.1 Overview
This chapter shows you how to logically aggregate physical links to form one logical, higher-bandwidth link. Link aggregation (trunking) is the grouping of physical ports into one logical higher-capacity link. You may want to trunk ports if, for example, it is cheaper to use multiple lower-speed links than to under-utilize a high-speed, but more costly, single-port link. However, the more ports you aggregate, the fewer ports you have available.
Chapter 17 Link Aggregation 17.3.1 Dynamic Link Aggregation The Switch adheres to the IEEE 802.3ad standard for static and dynamic (LACP) port trunking. The IEEE 802.3ad standard describes the Link Aggregation Control Protocol (LACP) for dynamically creating and managing trunk groups. When you enable LACP link aggregation on a port, the port can automatically negotiate with the ports at the remote end of a link to establish trunk groups.
Chapter 17 Link Aggregation 17.4 Link Aggregation Status Click Advanced Application > Link Aggregation in the navigation panel. The Link Aggregation Status screen displays by default. See Section 17.1 on page 151 for more information. Figure 75 Advanced Application > Link Aggregation Status The following table describes the labels in this screen.
Chapter 17 Link Aggregation Table 38 Advanced Application > Link Aggregation Status (continued) LABEL DESCRIPTION Criteria This shows the outgoing traffic distribution algorithm used in this trunk group. Packets from the same source and/or to the same destination are sent over the same link within the trunk. src-mac means the Switch distributes traffic based on the packet’s source MAC address. dst-mac means the Switch distributes traffic based on the packet’s destination MAC address.
Chapter 17 Link Aggregation 17.5 Link Aggregation Setting Click Advanced Application > Link Aggregation > Link Aggregation Setting to display the screen shown next. See Section 17.1 on page 151 for more information on link aggregation. Figure 76 Advanced Application > Link Aggregation > Link Aggregation Setting The following table describes the labels in this screen.
Chapter 17 Link Aggregation Table 39 Advanced Application > Link Aggregation > Link Aggregation Setting LABEL DESCRIPTION Criteria Select the outgoing traffic distribution type. Packets from the same source and/or to the same destination are sent over the same link within the trunk. By default, the Switch uses the src-dst-mac distribution type. If the Switch is behind a router, the packet’s destination or source MAC address will be changed.
Chapter 17 Link Aggregation 17.6 Link Aggregation Control Protocol Click Advanced Application > Link Aggregation > Link Aggregation Setting > LACP to display the screen shown next. See Section 17.3.1 on page 152 for more information on dynamic link aggregation. Figure 77 Advanced Application > Link Aggregation > Link Aggregation Setting > LACP The following table describes the labels in this screen.
Chapter 17 Link Aggregation Table 40 Advanced Application > Link Aggregation > Link Aggregation Setting > LACP (continued) LABEL DESCRIPTION System Priority LACP system priority is a number between 1 and 65,535. The switch with the lowest system priority (and lowest port number if system priority is the same) becomes the LACP “server”. The LACP “server” controls the operation of LACP setup. Enter a number to set the priority of an active port using Link Aggregation Control Protocol (LACP).
1 Make your physical connections - make sure that the ports that you want to belong to the trunk group are connected to the same destination. The following figure shows ports 2-5 on switch A connected to switch B.
Figure 78 Trunking Example - Physical Connections
2 Configure static trunking - Click Advanced Application > Link Aggregation > Link Aggregation Setting.
CHAPTER 18 Port Authentication
18.1 Overview
This chapter describes the IEEE 802.1x authentication method. Port authentication is a way to validate access to ports on the Switch to clients based on an external server (authentication server). The Switch supports the following method for port authentication:
• IEEE 802.1x - An authentication server validates access to a port based on a username and password provided by the user.
18.2 What You Can Do
• Use the Port Authentication screen (Section 18.
When the client provides the login credentials, the Switch sends an authentication request to a RADIUS server. The RADIUS server validates whether this client is allowed access to the port.
Figure 80 IEEE 802.1x Authentication Process: 1 New Connection, 2 Login Info Request, 3 Login Credentials, 4 Authentication Request, 5 Authentication Reply (Session Granted/Denied)
18.
Chapter 18 Port Authentication 18.5 Activate IEEE 802.1x Security Use this screen to activate IEEE 802.1x security. In the Port Authentication screen click 802.1x to display the configuration screen as shown. Figure 82 Advanced Application > Port Authentication > 802.1x The following table describes the labels in this screen. Table 41 Advanced Application > Port Authentication > 802.1x LABEL DESCRIPTION Active Select this check box to permit 802.1x authentication on the Switch.
Table 41 Advanced Application > Port Authentication > 802.1x (continued)
LABEL: DESCRIPTION
Active: Select this to permit 802.1x authentication on this port. You must first allow 802.1x authentication on the Switch before configuring it on each port.
Reauthentication: Specify if a subscriber has to periodically re-enter his or her username and password to stay connected to the port.
CHAPTER 19 Port Security 19.1 Overview This chapter shows you how to set up port security. Port security allows only packets with dynamically learned MAC addresses and/or configured static MAC addresses to pass through a port on the Switch. The Switch can learn up to 16K MAC addresses in total with no limit on individual ports other than the sum cannot exceed 16K. For maximum port security, enable this feature, disable MAC address learning and configure static MAC address(es) for a port.
19.3 Port Security Setup
Click Advanced Application > Port Security in the navigation panel to display the screen as shown.
Figure 83 Advanced Application > Port Security
The following table describes the labels in this screen.
Table 42 Advanced Application > Port Security
LABEL: DESCRIPTION
Port List: Enter the number of the port(s) (separated by a comma) on which you want to enable port security and disable MAC address learning.
Chapter 19 Port Security Table 42 Advanced Application > Port Security (continued) LABEL DESCRIPTION * Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis. Note: Changes in this row are copied to all the ports as soon as you make them. Active Select this check box to enable the port security feature on this port.
CHAPTER 20 Classifier 20.1 Overview This chapter introduces and shows you how to configure the packet classifier on the Switch. It also discusses Quality of Service (QoS) and classifier concepts as employed by the Switch. 20.2 What You Can Do Use the Classifier screen (Section 20.4 on page 170) to define the classifiers and view a summary of the classifier configuration. After you define the classifier, you can specify actions (or policy) to act upon the traffic that matches the rules. 20.
Chapter 20 Classifier 2 Configure policy rules to define actions to be performed on a classified traffic flow (refer to Chapter 21 on page 175 to configure policy rules). 20.4 Configuring the Classifier Use the Classifier screen to define the classifiers. After you define the classifier, you can specify actions (or policy) to act upon the traffic that matches the rules. To configure policy rules, refer to Chapter 21 on page 175.
Chapter 20 Classifier The following table describes the labels in this screen. Table 43 Advanced Application > Classifier LABEL DESCRIPTION Active Select this option to enable this rule. Name Enter a descriptive name for this rule for identifying purposes. Layer 2 Specify the fields below to configure a layer 2 classifier. Ethernet Type Select an Ethernet type or select Other and enter the Ethernet type number in hexadecimal value. Refer to Table 45 on page 173 for information.
Table 43 Advanced Application > Classifier (continued)
LABEL: DESCRIPTION
Socket Number: Note: You must select either UDP or TCP in the IP Protocol field before you configure the socket numbers. Select Any to apply the rule to all TCP/UDP protocol port numbers or select the second option and enter a TCP/UDP protocol port number. Refer to Table 47 on page 173 for more information.
The following table shows some other common Ethernet types and the corresponding protocol number.
Table 45 Common Ethernet Types and Protocol Numbers
ETHERNET TYPE: PROTOCOL NUMBER
IP ETHII: 0800
X.75 Internet: 0801
NBS Internet: 0802
ECMA Internet: 0803
Chaosnet: 0804
X.25 Level 3: 0805
XNS Compat: 0807
Banyan Systems: 0BAD
BBN Simnet: 5208
IBM SNA: 80D5
AppleTalk AARP: 80F3
In the Internet Protocol there is a field, called “Protocol”, to identify the next level protocol.
Chapter 20 Classifier 20.5 Classifier Example The following screen shows an example where you configure a classifier that identifies all traffic from MAC address 00:50:ba:ad:4f:81 on port 2. After you have configured a classifier, you can configure a policy (in the Policy screen) to define action(s) on the classified traffic flow.
CHAPTER 21 Policy Rule 21.1 Policy Rules Overview This chapter shows you how to configure policy rules. A classifier distinguishes traffic into flows based on the configured criteria (refer to Chapter 20 on page 169 for more information). A policy rule ensures that a traffic flow gets the requested treatment in the network. 21.2 What You Can Do Use the Policy screen (Section 21.3 on page 175) to enable the policy and display the active classifier(s) you configure in the Classifier screen. 21.
Chapter 21 Policy Rule Click Advanced Applications > Policy Rule in the navigation panel to display the screen as shown. Figure 87 Advanced Application > Policy Rule The following table describes the labels in this screen. Table 48 Advanced Application > Policy Rule LABEL DESCRIPTION Active Select this option to enable the policy. Name Enter a descriptive name for identification purposes. Classifier(s) This field displays the active classifier(s) you configure in the Classifier screen.
Chapter 21 Policy Rule Table 48 Advanced Application > Policy Rule (continued) LABEL DESCRIPTION Rate Limit You can configure the desired bandwidth available to a traffic flow. Traffic that exceeds the maximum bandwidth allocated (in cases where the network is congested) is dropped. Bandwidth Specify the bandwidth in kilobit per second (Kbps). Enter a number between 64 and 1000000. Action Specify the action(s) the Switch takes on the associated classified traffic flow.
Table 48 Advanced Application > Policy Rule (continued)
LABEL: DESCRIPTION
Add: Click Add to insert the entry in the summary table below and save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
Cancel: Click Cancel to reset the fields back to your previous configuration.
Chapter 21 Policy Rule 21.4 Policy Example The figure below shows an example Policy screen where you configure a policy to limit bandwidth on a traffic flow classified using the Example classifier (refer to Section 20.5 on page 174).
CHAPTER 22 Queuing Method
22.1 Overview
This chapter introduces the queuing methods supported. Queuing is used to help solve performance degradation when there is network congestion. Use the Queuing Method screen to configure queuing algorithms for outgoing traffic. See also Priority Queue Assignment in Switch Setup and 802.1p Priority in Port Setup for related information.
22.2 What You Can Do
Use the Queuing Method screen (Section 22.4 on page 183) to set priorities for the queues of the Switch.
Chapter 22 Queuing Method 22.3.2 Weighted Fair Queuing Weighted Fair Queuing is used to guarantee each queue's minimum bandwidth based on its bandwidth weight (portion) (the number you configure in the Weight field) when there is traffic congestion. WFQ is activated only when a port has more traffic than it can handle. Queues with larger weights get more guaranteed bandwidth than queues with smaller weights.
Chapter 22 Queuing Method 22.4 Configuring Queuing Click Advanced Application > Queuing Method in the navigation panel. Figure 90 Advanced Application > Queuing Method The following table describes the labels in this screen. Table 50 Advanced Application > Queuing Method LABEL DESCRIPTION Port This label shows the port you are configuring. * Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports.
Chapter 22 Queuing Method Table 50 Advanced Application > Queuing Method (continued) LABEL DESCRIPTION Method Select SPQ (Strictly Priority Queuing), WFQ (Weighted Fair Queuing) or WRR (Weighted Round Robin). Strictly Priority Queuing services queues based on priority only. When the highest priority queue empties, traffic on the next highest-priority queue begins. Q7 has the highest priority and Q0 the lowest.
CHAPTER 23 VLAN Stacking
23.1 Overview
This chapter shows you how to configure VLAN stacking on your Switch. See the chapter on VLANs for more background information on Virtual LAN. A service provider can use VLAN stacking (also known as Q-in-Q) to distinguish multiple customers' VLANs, even those with the same (customer-assigned) VLAN ID, within its network.
23.2 What You Can Do
• Use the VLAN Stacking screen (Section 23.
Chapter 23 VLAN Stacking 23.4 Configuring VLAN Stacking Click Advanced Application > VLAN Stacking to display the screen as shown. Figure 91 Advanced Application > VLAN Stacking The following table describes the labels in this screen. Table 51 Advanced Application > VLAN Stacking LABEL DESCRIPTION Active Select this checkbox to enable VLAN stacking on the Switch.
Table 51 Advanced Application > VLAN Stacking (continued)
LABEL: DESCRIPTION
*: Settings in this row apply to all ports. Use this row only if you want to make some settings the same for all ports. Use this row first to set the common settings and then make adjustments on a port-by-port basis. Note: Changes in this row are copied to all the ports as soon as you make them.
Role: Select Access Port for ingress ports at the edge of the service provider's network.
Chapter 23 VLAN Stacking Click the SVLAN link in the VLAN Stacking screen. Figure 92 Advanced Application > VLAN Stacking > SVLAN The following table describes the labels in this screen. Table 52 Advanced Application > VLAN Stacking > SVLAN LABEL DESCRIPTION SVLAN ID Enter a service provider's VLAN ID (from 1 to 4094) that should be carried in the incoming frames received on a Tunnel Port.
distinguish customer A and tag 48 to distinguish customer B at edge device 1 and then stripping those tags at edge device 2 as the data frames leave the network.
Figure 93 VLAN Stacking Example
23.6.2 VLAN Stacking Port Roles
Each port can have three VLAN stacking “roles”, Access Port and Tunnel Port (the latter is for Gigabit ports only).
• Select Access Port for ingress ports on the service provider's edge devices (1 and 2 in the VLAN stacking example figure).
Note: When you enable VLAN stacking on the Switch, the Access Port and Tunnel Port should be in the same customer VLAN (static VLAN) to communicate with each other.
23.6.3 VLAN Tag Format
A VLAN tag (service provider VLAN stacking or customer IEEE 802.1Q) consists of the following three fields.
Table 53 VLAN Tag Format: TPID, Priority, VID
TPID (Tag Protocol Identifier) is a standard Ethernet type code identifying the frame and indicates whether the frame carries IEEE 802.
Table 54 Single and Double Tagged 802.1Q Frame Format
Untagged Ethernet frame: DA, SA, Len/Etype, Data, FCS
IEEE 802.1Q customer tagged frame: DA, SA, TPID, Priority, VID, Len/Etype, Data, FCS
Double-tagged frame: DA, SA, SP TPID, Priority, VID, TPID, Priority, VID, Len/Etype, Data, FCS
Table 55 802.1Q Frame
DA: Destination Address
Priority: 802.
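The tag layout in Tables 53 and 54, worked through in Python as an added example (not code from this guide or from ZyXEL): a customer frame gets a service-provider tag pushed at one edge device and stripped at the other. 0x8100 is the standard IEEE 802.1Q TPID and SVLAN 48 is customer B's tag from the example above; SVLAN 100, customer VID 24, the MAC addresses, the 0x8100 default for the service-provider TPID and all function names are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # standard IEEE 802.1Q Tag Protocol Identifier


def make_tag(tpid: int, priority: int, vid: int) -> bytes:
    """Pack TPID (16 bits), Priority (3 bits) and VID (12 bits).

    The remaining bit of the second word (CFI in IEEE 802.1Q) is left at 0.
    """
    if not (0 <= priority <= 7 and 0 <= vid <= 0x0FFF):
        raise ValueError("priority is 3 bits, VID is 12 bits")
    return struct.pack("!HH", tpid, (priority << 13) | vid)


def parse_tags(frame: bytes, tpids=(TPID_8021Q,)):
    """Return (tags, ethertype, payload); tags are listed outermost first."""
    offset, tags = 12, []                  # skip DA (6 bytes) and SA (6 bytes)
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before Len/Etype")
        (value,) = struct.unpack_from("!H", frame, offset)
        if value not in tpids:             # not a tag: this is Len/Etype
            return tags, value, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": value, "priority": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4


def push_sp_tag(frame: bytes, svid: int, priority: int = 0,
                sp_tpid: int = TPID_8021Q) -> bytes:
    """Edge device 1: insert the service-provider tag right after DA and SA."""
    return frame[:12] + make_tag(sp_tpid, priority, svid) + frame[12:]


def pop_sp_tag(frame: bytes, sp_tpid: int = TPID_8021Q) -> bytes:
    """Edge device 2: strip the outer tag as the frame leaves the network."""
    tags, _, _ = parse_tags(frame, tpids={sp_tpid, TPID_8021Q})
    if not tags or tags[0]["tpid"] != sp_tpid:
        raise ValueError("no service-provider tag to strip")
    return frame[:12] + frame[16:]


def classify(frame: bytes, sp_tpid: int = TPID_8021Q) -> str:
    """Name the Table 54 row that matches the frame."""
    tags, _, _ = parse_tags(frame, tpids={sp_tpid, TPID_8021Q})
    return ("untagged", "single-tagged", "double-tagged")[min(len(tags), 2)]


# Constructed sample frame (FCS omitted): customer VID 24, priority 5, IPv4.
DA = bytes.fromhex("00005e005301")
SA = bytes.fromhex("00005e005302")
CUSTOMER_FRAME = (DA + SA + make_tag(TPID_8021Q, 5, 24)
                  + struct.pack("!H", 0x0800) + b"data")


def demo() -> dict:
    in_a = push_sp_tag(CUSTOMER_FRAME, svid=100)  # customer A (constructed SVID)
    in_b = push_sp_tag(CUSTOMER_FRAME, svid=48)   # customer B (tag 48)
    return {
        "customer": classify(CUSTOMER_FRAME),
        "in_network": classify(in_b),
        "vids_a": [t["vid"] for t in parse_tags(in_a)[0]],
        "vids_b": [t["vid"] for t in parse_tags(in_b)[0]],
        "restored": pop_sp_tag(in_b) == CUSTOMER_FRAME,
    }


if __name__ == "__main__":
    print(demo())
```

Both customers use the same inner VID, yet the outer VID keeps their frames apart inside the provider network, and stripping the outer tag returns the original customer frame byte for byte.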
CHAPTER 24 Multicast
24.1 Overview
This chapter shows you how to configure various multicast features. Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender to 1 recipient) or Broadcast (1 sender to everybody on the network). Multicast delivers IP packets to just a group of hosts on the network. IGMP (Internet Group Management Protocol) is a network-layer protocol used to establish membership in a multicast group - it is not used to carry user data.
Chapter 24 Multicast 24.3.1 IP Multicast Addresses In IPv4, a multicast address allows a device to send packets to a specific group of hosts (multicast group) in a different subnetwork. A multicast IP address represents a traffic receiving group, not individual receiving devices. IP addresses in the Class D range (224.0.0.0 to 239.255.255.255) are used for IP multicasting. Certain IP multicast numbers are reserved by IANA for special purposes (see the IANA web site for more information). 24.3.
Chapter 24 Multicast 24.4 Multicast Status Click Advanced Applications > Multicast to display the screen as shown. This screen shows the multicast group information. See Section 24.1 on page 193 for more information on multicasting. Figure 94 Advanced Application > Multicast The following table describes the labels in this screen. Table 56 Advanced Application > Multicast Status LABEL DESCRIPTION Index This is the index number of the entry. VID This field displays the multicast VLAN ID.
24.5 Multicast Setting
Click the Advanced Applications > Multicast > Multicast Setting link to display the screen as shown. See Section 24.1 on page 193 for more information on multicasting.
Figure 95 Advanced Application > Multicast > Multicast Setting
The following table describes the labels in this screen.
Table 57 Advanced Application > Multicast > Multicast Setting
LABEL: DESCRIPTION
IGMP Snooping: Use these settings to configure IGMP Snooping.
Chapter 24 Multicast Table 57 Advanced Application > Multicast > Multicast Setting (continued) LABEL DESCRIPTION 802.1p Priority Select a priority level (0-7) to which the Switch changes the priority in outgoing IGMP control packets. Otherwise, select No-Change to not replace the priority. Unknown Multicast Frame Specify the action to perform when the Switch receives an unknown multicast frame. Select Drop to discard the frame(s). Select Flooding to send the frame(s) to all ports.
Chapter 24 Multicast Table 57 Advanced Application > Multicast > Multicast Setting (continued) LABEL DESCRIPTION Max Group Num. Enter the number of multicast groups this port is allowed to join. Throttling IGMP throttling controls how the Switch deals with the IGMP reports when the maximum number of the IGMP groups a port can join is reached. Select Deny to drop any new IGMP join report received on this port until an existing multicast forwarding table entry is aged out.
Chapter 24 Multicast screen as shown. See Section 24.3.3 on page 194 for more information on IGMP Snooping VLAN. Figure 96 Advanced Application > Multicast > Multicast Setting > IGMP Snooping VLAN The following table describes the labels in this screen. Table 58 Advanced Application > Multicast > Multicast Setting > IGMP Snooping VLAN LABEL DESCRIPTION Mode Select auto to have the Switch learn multicast group membership information of any VLANs automatically.
Table 58 Advanced Application > Multicast > Multicast Setting > IGMP Snooping VLAN (continued)
LABEL: DESCRIPTION
Add: Click Add to insert the entry in the summary table below and save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring.
CHAPTER 25 AAA
25.1 Overview
This chapter describes how to configure authentication and authorization settings on the Switch. The external servers that perform authentication and authorization functions are known as AAA servers. The Switch supports RADIUS (Remote Authentication Dial-In User Service, see Section 25.3.2 on page 202) and TACACS+ (Terminal Access Controller Access-Control System Plus, see Section 25.3.2 on page 202) as external authentication and authorization servers.
25.3 What You Need to Know
Authentication is the process of determining who a user is and validating access to the Switch. The Switch can authenticate users who try to log in based on user accounts configured on the Switch itself. The Switch can also use an external authentication server to authenticate a large number of users.
Authorization is the process of determining what a user is allowed to do. Different user accounts may have higher or lower privilege levels associated with them.
25.4 AAA Screens
The AAA screens allow you to enable authentication, authorization or both on the Switch. First, configure your authentication server settings (RADIUS, TACACS+ or both), then set up the authentication priority and activate authorization. Click Advanced Application > AAA in the navigation panel to display the screen as shown.
Figure 98 Advanced Application > AAA
25.5 RADIUS Server Setup
Use this screen to configure your RADIUS server settings. See Section 25.3.
Chapter 25 AAA Click on the RADIUS Server Setup link in the AAA screen to view the screen as shown. Figure 99 Advanced Application > AAA > RADIUS Server Setup The following table describes the labels in this screen. Table 60 Advanced Application > AAA > RADIUS Server Setup LABEL DESCRIPTION Authentication Server Use this section to configure your RADIUS authentication settings. Mode This field is only valid if you configure multiple RADIUS servers.
Chapter 25 AAA Table 60 Advanced Application > AAA > RADIUS Server Setup (continued) LABEL DESCRIPTION IP Address Enter the IP address of an external RADIUS server in dotted decimal notation. UDP Port The default port of a RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so. Shared Secret Specify a password (up to 32 alphanumeric characters) as the key to be shared between the external RADIUS server and the Switch.
Chapter 25 AAA 25.6 TACACS+ Server Setup Use this screen to configure your TACACS+ server settings. See Section 25.3.2 on page 202 for more information on TACACS+ servers. Click on the TACACS+ Server Setup link in the AAA screen to view the screen as shown. Figure 100 Advanced Application > AAA > TACACS+ Server Setup The following table describes the labels in this screen.
Chapter 25 AAA Table 61 Advanced Application > AAA > TACACS+ Server Setup (continued) LABEL DESCRIPTION Timeout Specify the amount of time in seconds that the Switch waits for an authentication request response from the TACACS+ server. If you are using index-priority for your authentication and you are using two TACACS+ servers then the timeout value is divided between the two TACACS+ servers.
Chapter 25 AAA 25.7 AAA Setup Use this screen to configure authentication and authorization settings on the Switch. Click on the AAA Setup link in the AAA screen to view the screen as shown.
Chapter 25 AAA The following table describes the labels in this screen. Table 62 Advanced Application > AAA > AAA Setup LABEL DESCRIPTION Authentication Use this section to specify the methods used to authenticate users accessing the Switch. Privilege Enable These fields specify which database the Switch should use (first, second and third) to authenticate access privilege level for administrator accounts (users for Switch management).
Table 62 Advanced Application > AAA > AAA Setup (continued)
LABEL: DESCRIPTION
Active: Select this to activate authorization for the specified event types.
Method: Select whether you want to use RADIUS or TACACS+ for authorization of specific types of events. RADIUS is the only method for IEEE 802.1x authorization.
Apply: Click Apply to save your changes to the Switch’s run-time memory.
Chapter 25 AAA The following table describes the VSAs supported on the Switch.
Chapter 25 AAA 25.8.2 Supported RADIUS Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are data used to define specific authentication elements in a user profile, which is stored on the RADIUS server. This appendix lists the RADIUS attributes supported by the Switch. Refer to RFC 2865 for more information about RADIUS attributes used for authentication. This section lists the attributes used by authentication functions on the Switch.
Chapter 25 AAA - This value is set to Ethernet(15) on the Switch.
CHAPTER 26 IP Source Guard
26.1 Overview
Use IP source guard to filter unauthorized DHCP and ARP packets in your network. IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and ARP packets in your network. A binding contains these key attributes:
• MAC address
• VLAN ID
• IP address
• Port number
When the Switch receives a DHCP or ARP packet, it looks up the appropriate MAC address, VLAN ID, IP address, and port number in the binding table.
Chapter 26 IP Source Guard • Use the DHCP VLAN Configure screen (Section 26.7.2 on page 225) to enable DHCP snooping on each VLAN and to specify whether or not the Switch adds DHCP relay agent option 82 information to DHCP requests that the Switch relays to a DHCP server for each VLAN. • Use the ARP Inspection Status screen (Section 26.8 on page 227) to look at the current list of MAC address filters that were created because the Switch identified an unauthorized ARP packet.
Chapter 26 IP Source Guard between authorized and unauthorized packets in the network. The Switch learns the bindings by snooping DHCP packets (dynamic bindings) and from information provided manually by administrators (static bindings). To open this screen, click Advanced Application > IP Source Guard. Figure 102 IP Source Guard The following table describes the labels in this screen. Table 65 IP Source Guard LABEL DESCRIPTION Index This field displays a sequential number for each binding.
Chapter 26 IP Source Guard new static binding replaces the original one. To open this screen, click Advanced Application > IP Source Guard > Static Binding. Figure 103 IP Source Guard Static Binding The following table describes the labels in this screen. Table 66 IP Source Guard Static Binding LABEL DESCRIPTION MAC Address Enter the source MAC address in the binding. IP Address Enter the IP address assigned to the MAC address in the binding. VLAN Enter the source VLAN ID in the binding.
Chapter 26 IP Source Guard Table 66 IP Source Guard Static Binding (continued) LABEL DESCRIPTION Port This field displays the port number in the binding. If this field is blank, the binding applies to all ports. Delete Select this, and click Delete to remove the specified entry. Cancel Click this to clear the Delete check boxes above. 26.6 DHCP Snooping Use this screen to look at various statistics about the DHCP snooping database.
Chapter 26 IP Source Guard The following table describes the labels in this screen. Table 67 DHCP Snooping LABEL DESCRIPTION Database Status This section displays the current settings for the DHCP snooping database. You can configure them in the DHCP Snooping Configure screen. See Section 26.7 on page 222. Agent URL This field displays the location of the DHCP snooping database.
Chapter 26 IP Source Guard Table 67 DHCP Snooping (continued) LABEL DESCRIPTION Successful transfers This field displays the number of times the Switch read bindings from or updated the bindings in the DHCP snooping database successfully. Failed transfers This field displays the number of times the Switch was unable to read bindings from or update the bindings in the DHCP snooping database.
Chapter 26 IP Source Guard Table 67 DHCP Snooping (continued) LABEL DESCRIPTION Parse failures This field displays the number of bindings the Switch has ignored because the Switch was unable to understand the binding in the DHCP binding database. Expired leases This field displays the number of bindings the Switch has ignored because the lease time had already expired. Unsupported vlans This field displays the number of bindings the Switch has ignored because the VLAN ID does not exist anymore. 26.
Chapter 26 IP Source Guard The following table describes the labels in this screen. Table 68 DHCP Snooping Configure LABEL DESCRIPTION Active Select this to enable DHCP snooping on the Switch. You still have to enable DHCP snooping on specific VLAN and specify trusted ports. Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not succeed. DHCP Vlan Select a VLAN ID if you want the Switch to forward DHCP packets to DHCP servers on a specific VLAN.
Chapter 26 IP Source Guard Table 68 DHCP Snooping Configure (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the Switch’s run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the non-volatile memory when you are done configuring. Cancel Click this to reset the values in this screen to their last-saved values. 26.7.
Chapter 26 IP Source Guard The following table describes the labels in this screen. Table 69 DHCP Snooping Port Configure LABEL DESCRIPTION Port This field displays the port number. If you configure the * port, the settings are applied to all of the ports. Server Trusted state Select whether this port is a trusted port (Trusted) or an untrusted port (Untrusted).
Chapter 26 IP Source Guard open this screen, click Advanced Application > IP Source Guard > DHCP Snooping > Configure > VLAN. Figure 107 DHCP Snooping VLAN Configure The following table describes the labels in this screen. Table 70 DHCP Snooping VLAN Configure LABEL DESCRIPTION Show VLAN Use this section to specify the VLANs you want to manage in the section below. Start VID Enter the lowest VLAN ID you want to manage in the section below.
Chapter 26 IP Source Guard 26.8 ARP Inspection Status Use this screen to look at the current list of MAC address filters that were created because the Switch identified an unauthorized ARP packet. When the Switch identifies an unauthorized ARP packet, it automatically creates a MAC address filter to block traffic from the source MAC address and source VLAN ID of the unauthorized ARP packet. To open this screen, click Advanced Application > IP Source Guard > ARP Inspection.
Chapter 26 IP Source Guard Table 71 ARP Inspection Status (continued) LABEL DESCRIPTION Cancel Click this to clear the Delete check boxes above. Change Pages Click Previous or Next to show the previous/next screen if all status information cannot be seen in one screen. 26.9 ARP Inspection VLAN Status Use this screen to look at various statistics about ARP packets in each VLAN. To open this screen, click Advanced Application > IP Source Guard > ARP Inspection > VLAN Status.
Chapter 26 IP Source Guard Table 72 ARP Inspection VLAN Status LABEL DESCRIPTION Reply This field displays the total number of ARP Reply packets received from the VLAN since the Switch last restarted. Forwarded This field displays the total number of ARP packets the Switch forwarded for the VLAN since the Switch last restarted. Dropped This field displays the total number of ARP packets the Switch discarded for the VLAN since the Switch last restarted. 26.
Chapter 26 IP Source Guard Table 73 ARP Inspection Log Status (continued) LABEL DESCRIPTION Num Pkts This field displays the number of ARP packets that were consolidated into this log message. The Switch consolidates identical log messages generated by ARP packets in the log consolidation interval into one log message. You can configure this interval in the ARP Inspection Configure screen. See Section 26.11 on page 230. Reason This field displays the reason the log message was generated.
Chapter 26 IP Source Guard settings for the ARP inspection log. To open this screen, click Advanced Application > IP Source Guard > ARP Inspection > Configure. Figure 111 ARP Inspection Configure The following table describes the labels in this screen. Table 74 ARP Inspection Configure LABEL DESCRIPTION Active Select this to enable ARP inspection on the Switch. You still have to enable ARP inspection on specific VLAN and specify trusted ports.
Table 74 ARP Inspection Configure (continued)
LABEL: DESCRIPTION
Syslog rate: Enter the maximum number of syslog messages the Switch can send to the syslog server in one batch. This number is expressed as a rate because the batch frequency is determined by the Log Interval. You must configure the syslog server (Chapter 35 on page 303) to use this. Enter 0 if you do not want the Switch to send log messages generated by ARP packets to the syslog server.
Chapter 26 IP Source Guard ARP packets on each untrusted port. To open this screen, click Advanced Application > IP Source Guard > ARP Inspection > Configure > Port. Figure 112 ARP Inspection Port Configure The following table describes the labels in this screen. Table 75 ARP Inspection Port Configure LABEL DESCRIPTION Port This field displays the port number. If you configure the * port, the settings are applied to all of the ports.
Table 75 ARP Inspection Port Configure (continued)
LABEL: DESCRIPTION
Burst interval (seconds): The burst interval is the length of time over which the rate of ARP packets is monitored for each port. For example, if the rate is 15 pps and the burst interval is 1 second, then the Switch accepts a maximum of 15 ARP packets in every one-second interval. If the burst interval is 5 seconds, then the Switch accepts a maximum of 75 ARP packets in every five-second interval.
Chapter 26 IP Source Guard Table 76 ARP Inspection VLAN Configure (continued) LABEL DESCRIPTION VID This field displays the VLAN ID of each VLAN in the range specified above. If you configure the * VLAN, the settings are applied to all VLANs. Enabled Select Yes to enable ARP inspection on the VLAN. Select No to disable ARP inspection on the VLAN. Log Specify when the Switch generates log messages for receiving ARP packets from the VLAN.
Chapter 26 IP Source Guard Trusted ports are connected to DHCP servers or other switches. The Switch discards DHCP packets from trusted ports only if the rate at which DHCP packets arrive is too high. The Switch learns dynamic bindings from trusted ports. Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not succeed. Untrusted ports are connected to subscribers.
Chapter 26 IP Source Guard read. If the calculated checksum is not equal to the checksum in the file, that binding and all others after it are ignored. 26.12.1.3 DHCP Relay Option 82 Information The Switch can add information to DHCP requests that it does not discard. This provides the DHCP server more information about the source of the requests.
26.12.2 ARP Inspection Overview
Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent many kinds of man-in-the-middle attacks, such as the one in the following example.
Figure 115 Example: Man-in-the-middle Attack (computers A, B and X)
In this example, computer B tries to establish a connection with computer A. Computer X is in the same broadcast domain as computer A and intercepts the ARP request for computer A.
26.12.2.2 Trusted vs. Untrusted Ports
Every port is either a trusted port or an untrusted port for ARP inspection. This setting is independent of the trusted/untrusted setting for DHCP snooping. You can also specify the maximum rate at which the Switch receives ARP packets on untrusted ports. The Switch does not discard ARP packets on trusted ports for any reason.
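The rate/burst-interval limit and the trusted/untrusted port setting described above can be modelled as follows. This is an added example, not ZyXEL code: the class and field names are hypothetical, and three points are assumptions rather than statements from this guide: intervals are counted back to back, over-limit packets are dropped, and a binding ties a MAC address to a VLAN, an IP address and a port.

```python
"""Simplified model of ARP inspection on a switch (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Assumption: a binding ties a MAC address to a VLAN, an IP address and a port.
Binding = Tuple[str, int, str, int]


@dataclass(frozen=True)
class ArpPacket:
    time: float        # arrival time in seconds
    port: int          # ingress port
    vlan: int
    sender_mac: str
    sender_ip: str


class ArpInspector:
    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[int],
                 rate_pps: int = 15, burst_interval: int = 1) -> None:
        self.bindings: Set[Binding] = {(m.lower(), v, ip, p) for m, v, ip, p in bindings}
        self.trusted: Set[int] = set(trusted_ports)
        self.burst_interval = burst_interval
        # 15 pps over a 5-second burst interval allows 75 packets per interval.
        self.limit = rate_pps * burst_interval
        self._windows: Dict[int, Tuple[int, int]] = {}   # port -> (interval index, count)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward', 'drop:rate' or 'drop:no-binding' for one ARP packet."""
        # ARP packets on trusted ports are never discarded.
        if pkt.port in self.trusted:
            return "forward"

        # Count the packet against the interval it arrived in (assumed fixed windows).
        index = int(pkt.time // self.burst_interval)
        seen_index, count = self._windows.get(pkt.port, (index, 0))
        if seen_index != index:
            count = 0
        count += 1
        self._windows[pkt.port] = (index, count)
        if count > self.limit:
            return "drop:rate"

        # Untrusted port within its rate: the sender must match a known binding.
        key = (pkt.sender_mac.lower(), pkt.vlan, pkt.sender_ip, pkt.port)
        return "forward" if key in self.bindings else "drop:no-binding"


# Constructed sample data: computers A, B and X from the man-in-the-middle figure.
SAMPLE_BINDINGS = [
    ("00:00:00:00:00:0a", 1, "192.168.1.10", 1),   # computer A on port 1
    ("00:00:00:00:00:0b", 1, "192.168.1.11", 2),   # computer B on port 2
    ("00:00:00:00:00:0c", 1, "192.168.1.12", 3),   # computer X on port 3
]


def demo() -> Dict[str, str]:
    sw = ArpInspector(SAMPLE_BINDINGS, trusted_ports=[24], rate_pps=15, burst_interval=5)
    genuine = ArpPacket(0.1, 1, 1, "00:00:00:00:00:0A", "192.168.1.10")
    # X claims A's IP address with its own MAC address: no binding matches.
    claimed = ArpPacket(0.2, 3, 1, "00:00:00:00:00:0c", "192.168.1.10")
    uplink = ArpPacket(0.3, 24, 1, "00:00:00:00:00:ff", "192.168.1.254")
    return {
        "genuine": sw.inspect(genuine),
        "claimed": sw.inspect(claimed),
        "uplink": sw.inspect(uplink),
    }


if __name__ == "__main__":
    print(demo())
```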
CHAPTER 27 Loop Guard
27.1 Overview
This chapter shows you how to configure the Switch to guard against loops on the edge of your network. Loop guard allows you to configure the Switch to shut down a port if it detects that packets sent out on that port loop back to the Switch. While you can use Spanning Tree Protocol (STP) to prevent loops in the core of your network, STP cannot prevent loops that occur on the edge of your network.
Figure 116 Loop Guard vs. STP
Refer to Section 27.
27.3 What You Need to Know
Loop guard is designed to handle loop problems on the edge of your network. This can occur when a port is connected to a Switch that is in a loop state. Loop state occurs as a result of human error. It happens when two ports on a switch are connected with the same cable. When a switch in loop state sends out broadcast messages, the messages loop back to the switch and are re-broadcast again and again, causing a broadcast storm.
returns to port N on A. The Switch then shuts down port N to ensure that the rest of the network is not affected by the switch in loop state.
Figure 118 Loop Guard - Probe Packet
The Switch also shuts down port N if the probe packet returns to switch A on any other port. In other words, loop guard also protects against standard network loops. The following figure illustrates three switches forming a loop. A sample path of the loop guard probe packet is also shown.
Note: The loop guard feature cannot be enabled on the ports that have Spanning Tree Protocol (RSTP, MRSTP or MSTP) enabled.
Figure 120 Advanced Application > Loop Guard
The following table describes the labels in this screen.
Table 77 Advanced Application > Loop Guard
LABEL | DESCRIPTION
Active | Select this option to enable loop guard on the Switch. The Switch generates syslog, internal log messages as well as SNMP traps when it shuts down a port via the loop guard feature.
CHAPTER 28 Layer 2 Protocol Tunneling
28.1 Overview
This chapter shows you how to configure layer 2 protocol tunneling on the Switch. Layer 2 protocol tunneling (L2PT) is used on the service provider's edge devices.
28.2 What You Can Do
Use the Layer 2 Protocol Tunnel screen (Section 28.4 on page 247) to enable layer 2 protocol tunneling on the Switch and specify the MAC address that the Switch uses to encapsulate the layer 2 protocol packets by replacing the destination MAC address in the packets.
layer 2 protocol packets with a specific MAC address before sending them across the service provider’s network to other edge switches.
Figure 121 Layer 2 Protocol Tunneling Network Scenario
In the following example, if you enable L2PT for STP, you can have switches A, B, C and D in the same spanning tree, even though switch A is not directly connected to switches B, C and D.
• The Tunnel port is an egress port at the edge of the service provider's network and is connected to another service provider’s switch. Incoming encapsulated layer 2 protocol packets received on a tunnel port are decapsulated and sent to an access port.
28.4 Configuring Layer 2 Protocol Tunneling
Click Advanced Application > Layer 2 Protocol Tunneling in the navigation panel to display the screen as shown.
The following table describes the labels in this screen.
Table 78 Advanced Application > Layer 2 Protocol Tunneling
LABEL | DESCRIPTION
Active | Select this to enable layer 2 protocol tunneling on the Switch.
Destination MAC Address | Specify the MAC address that the Switch uses to encapsulate the layer 2 protocol packets by replacing the destination MAC address in the packets. Note: The MAC address can be either a unicast MAC address or multicast MAC address.
Table 78 Advanced Application > Layer 2 Protocol Tunneling (continued)
LABEL | DESCRIPTION
Mode | Select Access to have the Switch encapsulate the incoming layer 2 protocol packets and forward them to the tunnel port(s). Select Access for ingress ports at the edge of the service provider's network. Note: You can enable L2PT services for STP, LACP, VTP, CDP, UDLD, and PAGP on the access port(s) only.
PART IV IP Application
Static Route
Differentiated Services
DHCP
CHAPTER 29 Static Route
29.1 Overview
This chapter shows you how to configure static routes. The Switch uses IP for communication with management computers, for example using HTTP, Telnet, SSH, or SNMP. Use IP static routes to have the Switch respond to remote management stations that are not reachable through the default gateway.
29.2 What You Can Do
Use the Static Routing screen (Section 29.3 on page 254) to activate/deactivate this static route.
29.3 Configuring Static Routing
Click IP Application > Static Routing in the navigation panel to display the screen as shown.
Figure 125 IP Application > Static Routing
The following table describes the related labels you use to create a static route.
Table 79 IP Application > Static Routing (continued)
LABEL | DESCRIPTION
Metric | The metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number.
CHAPTER 30 Differentiated Services
30.1 Overview
This chapter shows you how to configure Differentiated Services (DiffServ) on the Switch. Quality of Service (QoS) is used to prioritize source-to-destination traffic flows. All packets in the flow are given the same priority. You can use CoS (class of service) to give different priorities to different packet types.
30.3.1 DSCP and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (ToS) field in the IP header. The DS field contains a 6-bit DSCP field which can define up to 64 service levels and the remaining 2 bits are defined as currently unused (CU). The following figure illustrates the DS field.
traffic flow are more likely to be dropped when congestion occurs than the packets in the Platinum traffic flow as they move across the DiffServ network.
Figure 127 DiffServ Network (P - Platinum, G - Gold, S - Silver, B - Bronze)
30.4 Activating DiffServ
Activate DiffServ to apply marking rules or IEEE 802.1p priority mapping on the Switch. Click IP Application > DiffServ in the navigation panel to display the screen as shown.
30.5 DSCP-to-IEEE 802.1p Priority Settings
You can configure the DSCP to IEEE 802.1p mapping to allow the Switch to prioritize all traffic based on the incoming DSCP value according to the DiffServ to IEEE 802.1p mapping table. The following table shows the default DSCP-to-IEEE802.1p mapping.
Table 81 Default DSCP-IEEE 802.1p Mapping
DSCP VALUE | 0 – 7 | 8 – 15 | 16 – 23 | 24 – 31 | 32 – 39 | 40 – 47 | 48 – 55 | 56 – 63
IEEE 802.1p | 1 | 2 | 0 | 3 | 4 | 5 | 6 | 7
30.5.
CHAPTER 31 DHCP
31.1 DHCP Overview
This chapter shows you how to configure the DHCP feature. DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual computers to obtain TCP/IP configuration at start-up from a server. You can configure the Switch as a DHCP server or a DHCP relay agent. When configured as a server, the Switch provides the TCP/IP configuration for the clients.
computer on your network, it contacts the DHCP server for the necessary IP information, and then relays the assigned information back to the computer.
31.3.2 DHCP Configuration Options
The DHCP configuration on the Switch is divided into Global and VLAN screens. The screen you should use for configuration depends on the DHCP services you want to offer the DHCP clients on your network.
The following describes the DHCP relay information that the Switch sends to the DHCP server:
Table 83 Relay Agent Information
FIELD LABELS | DESCRIPTION
Slot ID (1 byte) | This value is always 0 for stand-alone switches.
Port ID (1 byte) | This is the port that the DHCP client is connected to.
VLAN ID (2 bytes) | This is the VLAN that the port belongs to.
Information (up to 64 bytes) | This optional, read-only field is set according to system name set in Basic Settings > General Setup.
31.
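On the DHCP server side, the relay agent information fields in Table 83 can be decoded and checked against a port inventory, as in this added example (not ZyXEL code). It starts from the already-extracted field bytes; packing in table order, network byte order for the VLAN ID, an ASCII system name, and all function and variable names are assumptions.

```python
"""Decode the relay agent information laid out in Table 83 (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set

# Slot ID (1 byte), Port ID (1 byte), VLAN ID (2 bytes).
# Assumption: fields are packed in table order, VLAN ID in network byte order.
HEADER = struct.Struct("!BBH")
MAX_INFO_LEN = 64   # the Information field is "up to 64 bytes"


class RelayInfoError(ValueError):
    """Raised when a payload does not fit the Table 83 layout."""


@dataclass(frozen=True)
class RelayInfo:
    slot_id: int
    port_id: int
    vlan_id: int
    information: str   # optional; empty string when absent


def parse_relay_info(payload: bytes) -> RelayInfo:
    if len(payload) < HEADER.size:
        raise RelayInfoError(f"only {len(payload)} bytes, need at least {HEADER.size}")
    slot_id, port_id, vlan_id = HEADER.unpack_from(payload)
    info = payload[HEADER.size:]
    if len(info) > MAX_INFO_LEN:
        raise RelayInfoError(f"Information field is {len(info)} bytes, limit is {MAX_INFO_LEN}")
    if not 1 <= vlan_id <= 4094:          # valid IEEE 802.1Q VLAN ID range
        raise RelayInfoError(f"VLAN ID {vlan_id} is out of range")
    try:
        text = info.decode("ascii")       # assumption: the system name is ASCII
    except UnicodeDecodeError as exc:
        raise RelayInfoError("Information field is not ASCII") from exc
    return RelayInfo(slot_id, port_id, vlan_id, text)


def audit_relay_info(payload: bytes, system_name: str,
                     port_vlans: Dict[int, Set[int]]) -> List[str]:
    """Return findings for a request whose relay information looks wrong."""
    try:
        info = parse_relay_info(payload)
    except RelayInfoError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if info.slot_id != 0:
        findings.append(f"slot ID {info.slot_id}, expected 0 for a stand-alone switch")
    if info.information and info.information != system_name:
        findings.append(f"system name {info.information!r} does not match {system_name!r}")
    vlans = port_vlans.get(info.port_id)
    if vlans is None:
        findings.append(f"port {info.port_id} is not in the inventory")
    elif info.vlan_id not in vlans:
        findings.append(f"port {info.port_id} is not a member of VLAN {info.vlan_id}")
    return findings


# Constructed sample: slot 0, port 5, VLAN 2, system name "GS2200-24".
SAMPLE = bytes([0, 5]) + struct.pack("!H", 2) + b"GS2200-24"
INVENTORY = {5: {2}, 6: {1}}   # constructed port -> VLAN membership

if __name__ == "__main__":
    print(parse_relay_info(SAMPLE))
    print(audit_relay_info(SAMPLE, "GS2200-24", INVENTORY))
```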
31.5 Configuring DHCP Global Relay
Configure global DHCP relay in the DHCP Relay screen. Click IP Application > DHCP in the navigation panel and click the Global link to display the screen as shown.
Figure 131 IP Application > DHCP > Global
The following table describes the labels in this screen.
Table 85 IP Application > DHCP > Global
LABEL | DESCRIPTION
Active | Select this check box to enable DHCP relay.
Remote | Enter the IP address of a DHCP server in dotted decimal notation.
31.5.1 Global DHCP Relay Configuration Example
The following figure shows a network example where the Switch is used to relay DHCP requests for the VLAN1 and VLAN2 domains. There is only one DHCP server that services the DHCP clients in both domains.
Figure 132 Global DHCP Relay Network Example (DHCP Server: 192.168.1.100; VLAN1, VLAN2)
Configure the DHCP Relay screen as shown.
Note: You must set up a management IP address for each VLAN that you want to configure DHCP settings for on the Switch. See Section 8.7 on page 78 for information on how to set up management IP addresses for VLANs.
Figure 134 IP Application > DHCP > VLAN
The following table describes the labels in this screen.
Table 86 IP Application > DHCP > VLAN
LABEL | DESCRIPTION
VID | Enter the ID number of the VLAN to which these DHCP settings apply.
Remote DHCP Server 1 ..
Table 86 IP Application > DHCP > VLAN (continued)
LABEL | DESCRIPTION
Type | This field displays the DHCP mode (Relay).
DHCP Status | For DHCP relay configuration, this field displays the first remote DHCP server IP address.
Delete | Select the configuration entries you want to remove and click Delete to remove them.
Cancel | Click Cancel to clear the Delete check boxes.
31.6.1 Example: DHCP Relay for Two VLANs
The following example displays two VLANs (VIDs 1 and 2) for a campus network.
For the example network, configure the VLAN Setting screen as shown.
PART V Management
Maintenance
Access Control
Diagnostic
Syslog
Cluster Management
MAC Table
ARP Table
Configure Clone
CHAPTER 32 Maintenance
32.1 Overview
This chapter explains how to configure the screens that let you maintain the firmware and configuration files.
32.2 What You Can Do
• Use the Maintenance screen (Section 32.3 on page 271) to upload the latest firmware.
• Use the Firmware Upgrade screen (Section 32.4 on page 274) to upload the latest firmware.
• Use the Restore Configuration screen (Section 32.5 on page 274) to upload a stored device configuration file.
The following table describes the labels in this screen.
Table 87 Management > Maintenance
LABEL | DESCRIPTION
Current | This field displays which configuration (Configuration 1 or Configuration 2) is currently operating on the Switch.
Firmware Upgrade | Click Click Here to go to the Firmware Upgrade screen.
Restore Configuration | Click Click Here to go to the Restore Configuration screen.
Backup Configuration | Click Click Here to go to the Backup Configuration screen.
3 In the web configurator, click the Save button at the top of the screen to make the changes take effect. If you want to access the Switch web configurator again, you may need to change the IP address of your computer to be in the same subnet as that of the default Switch IP address (192.168.1.1).
32.3.2 Save Configuration
Click Config 1 to save the current configuration settings permanently to Configuration 1 on the Switch.
32.4 Firmware Upgrade
Use the following screen to upgrade your Switch to the latest firmware. Make sure you have downloaded (and unzipped) the correct model firmware and version to your computer before uploading to the device.
Be sure to upload the correct model firmware as uploading the wrong model firmware may damage your device.
Click Management > Maintenance > Firmware Upgrade to view the screen as shown next.
Type the path and file name of the configuration file you wish to restore in the File Path text box or click Browse to locate it. After you have specified the file, click Restore. "config" is the name of the configuration file on the Switch, so your backup configuration file is automatically renamed when you restore using this screen.
32.6 Backup a Configuration File
Use this screen to save and store your current device settings.
32.7 Technical Reference
This section provides technical background information on the topics discussed in this chapter.
32.7.1 FTP Command Line
This section shows some examples of uploading to or downloading files from the Switch using FTP commands. First, understand the filename conventions.
32.7.2 Filename Conventions
The configuration file (also known as the romfile or ROM) contains the factory default settings in the screens such as password, Switch setup, IP Setup, and so on.
Be sure to upload the correct model firmware as uploading the wrong model firmware may damage your device.
32.7.3 FTP Command Line Procedure
1 Launch the FTP client on your computer.
2 Enter open, followed by a space and the IP address of your Switch.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is “1234”).
5 Enter bin to set transfer mode to binary.
General Commands for GUI-based FTP Clients (continued)
COMMAND | DESCRIPTION
Initial Remote Directory | Specify the default remote directory (path).
Initial Local Directory | Specify the default local directory (path).
32.7.5 FTP Restrictions
FTP will not work when:
• FTP service is disabled in the Service Access Control screen.
• The IP address(es) in the Remote Management screen does not match the client IP address.
CHAPTER 33 Access Control
33.1 Overview
This chapter describes how to control access to the Switch. A console port and FTP are allowed one session each, Telnet and SSH share nine sessions, and up to five Web sessions (five different user names and passwords) and/or limitless SNMP access control sessions are allowed.
33.3 The Access Control Main Screen
Use this screen to display the main screen. Click Management > Access Control in the navigation panel to display the main screen as shown.
Figure 143 Management > Access Control
33.4 Configuring SNMP
Use this screen to configure your SNMP settings. Click Management > Access Control > SNMP to view the screen as shown.
The following table describes the labels in this screen.
Table 90 Management > Access Control > SNMP
LABEL | DESCRIPTION
General Setting | Use this section to specify the SNMP version and community (password) values.
Version | Select the SNMP version for the Switch. The SNMP version on the Switch must match the version on the SNMP manager. Choose SNMP version 2c (v2c), SNMP version 3 (v3) or both (v3v2c). Note: SNMP version 2c is backwards compatible with SNMP version 1.
Table 90 Management > Access Control > SNMP (continued)
LABEL | DESCRIPTION
Security Level | Select whether you want to implement authentication and/or encryption for SNMP communication from this user. Choose:
• noauth - to use the username as the password string to send to the SNMP manager. This is equivalent to the Get, Set and Trap Community in SNMP v2c. This is the lowest security level.
• auth - to implement an authentication algorithm for SNMP messages sent by this user.
33.5 Configuring SNMP Trap Group
Use the Trap Group screen to specify the types of SNMP traps that should be sent to each SNMP manager. Click Management > Access Control > SNMP > Trap Group to view the screen as shown.
Figure 145 Management > Access Control > SNMP > Trap Group
The following table describes the labels in this screen.
33.6 Setting Up Login Accounts
Use this screen to assign which users can access the Switch via web configurator at any one time. Up to five people (one administrator and four non-administrators) may access the Switch via web configurator at any one time.
• An administrator is someone who can both view and configure Switch changes. The username for the Administrator is always admin. The default administrator password is 1234.
The following table describes the labels in this screen.
Table 92 Management > Access Control > Logins
LABEL | DESCRIPTION
Administrator | This is the default administrator account with the “admin” user name. You cannot change the default administrator user name. Only the administrator has read/write access.
Old Password | Type the existing system password (1234 is the default password when shipped).
New Password | Enter your new system password.
later). Click Management > Access Control > Service Access Control to view the screen as shown.
Figure 147 Management > Access Control > Service Access Control
The following table describes the fields in this screen.
Table 93 Management > Access Control > Service Access Control
LABEL | DESCRIPTION
Services | Services you may use to access the Switch are listed here.
Active | Select this option for the corresponding services that you want to allow to access the Switch.
You can specify a group of one or more “trusted computers” from which an administrator may use a service to manage the Switch. Click Access Control to return to the Access Control screen.
Figure 148 Management > Access Control > Remote Management
The following table describes the labels in this screen.
Table 94 Management > Access Control > Remote Management
LABEL | DESCRIPTION
Entry | This is the client set index number.
33.9.1 About SNMP
Simple Network Management Protocol (SNMP) is an application layer protocol used to manage and monitor TCP/IP-based devices. SNMP is used to exchange management information between the network management system (NMS) and a network element (NE). A manager station can manage and monitor the Switch through the network via SNMP version one (SNMPv1), SNMP version 2c or SNMP version 3. The next figure illustrates an SNMP management operation.
SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
Table 95 SNMP Commands
COMMAND | DESCRIPTION
Get | Allows the manager to retrieve an object variable from the agent.
GetNext | Allows the manager to retrieve the next object variable from a table or list within an agent.
An OID (Object ID) that begins with “1.3.6.1.4.1.890.1.5.8” is defined in private MIBs. Otherwise, it is a standard MIB OID.
Table 96 SNMP System Traps
OPTION | OBJECT LABEL | OBJECT ID | DESCRIPTION
coldstart | coldStart | 1.3.6.1.6.3.1.1.5.1 | This trap is sent when the Switch is turned on.
warmstart | warmStart | 1.3.6.1.6.3.1.1.5.2 | This trap is sent when the Switch restarts.
: 1.3.6.1.4.1.890.1.5.8.55.2 5.2.
Table 97 SNMP Interface Traps
OPTION | OBJECT LABEL | OBJECT ID | DESCRIPTION
linkup | linkUp | 1.3.6.1.6.3.1.1.5.4 | This trap is sent when the Ethernet link is up.
 | LinkDownEventClear | 1.3.6.1.4.1.890.1.5.8.55.25.2.2 | This trap is sent when the Ethernet link is up.
 | linkDown | 1.3.6.1.6.3.1.1.5.3 |
 | LinkDownEventOn | 1.3.6.1.4.1.890.1.5.8.55.25.2.1 | This trap is sent when the Ethernet link is down.
 | AutonegotiationFailedEventOn | 1.3.6.1.4.1.890.1.5.8.55. | This trap is sent when an
Table 98 AAA Traps
OPTION | OBJECT LABEL | OBJECT ID | DESCRIPTION
authentication | authenticationFailure | 1.3.6.1.6.3.1.1.5.5 | This trap is sent when authentication fails due to incorrect user name and/or password.
 | AuthenticationFailureEventOn | 1.3.6.1.4.1.890.1.5.8.55.25.2.1 | This trap is sent when authentication fails due to incorrect user name and/or password.
 | RADIUSNotReachableEventOn | 1.3.6.1.4.1.890.1.5.8.55. | This trap is sent when there is
Table 100 SNMP Switch Traps
OPTION | OBJECT LABEL | OBJECT ID | DESCRIPTION
stp | STPNewRoot | 1.3.6.1.2.1.17.0.1 | This trap is sent when the STP root switch changes.
 | MRSTPNewRoot | 1.3.6.1.4.1.890.1.5.8.55.32.2.1 | This trap is sent when the MRSTP root switch changes.
 | MSTPNewRoot | 1.3.6.1.4.1.890.1.5.8.55.107.70.1 | This trap is sent when the MSTP root switch changes.
 | STPTopologyChange | 1.3.6.1.2.1.17.0.2 | This trap is sent when the STP topology changes.
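A trap receiver can use the private-MIB prefix rule and the standard OIDs from the trap tables to triage what the Switch sends, for example to flag a run of authenticationFailure traps. This is an added example, not ZyXEL code; the function names, the threshold and window values, and the sample events are assumptions constructed for illustration.

```python
"""Triage received SNMP traps by OID (added example, not vendor code)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    """Turn '1.3.6.1' or '.1.3.6.1' into a tuple of integers."""
    parts = text.strip().lstrip(".").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)


# OIDs that begin with this prefix are defined in private MIBs.
PRIVATE_PREFIX = parse_oid("1.3.6.1.4.1.890.1.5.8")

# Standard trap OIDs that appear complete in the trap tables.
STANDARD_TRAPS: Dict[Oid, str] = {
    parse_oid(oid): name for oid, name in [
        ("1.3.6.1.6.3.1.1.5.1", "coldStart"),
        ("1.3.6.1.6.3.1.1.5.2", "warmStart"),
        ("1.3.6.1.6.3.1.1.5.3", "linkDown"),
        ("1.3.6.1.6.3.1.1.5.4", "linkUp"),
        ("1.3.6.1.6.3.1.1.5.5", "authenticationFailure"),
        ("1.3.6.1.2.1.17.0.1", "STPNewRoot"),
        ("1.3.6.1.2.1.17.0.2", "STPTopologyChange"),
    ]
}


def classify(text: str) -> Tuple[str, str]:
    """Return ('private', ...) or ('standard', trap name or 'unlisted')."""
    oid = parse_oid(text)
    # Compare whole components: 1.3.6.1.4.1.890.1.5.80 must not match ...5.8.
    if oid[:len(PRIVATE_PREFIX)] == PRIVATE_PREFIX:
        return ("private", "private MIB")
    return ("standard", STANDARD_TRAPS.get(oid, "unlisted"))


def auth_failure_bursts(events: Iterable[Tuple[float, str, str]],
                        threshold: int = 5, window: float = 60.0) -> Dict[str, int]:
    """events are (timestamp, source, trap OID); flag sources that sent at least
    `threshold` authenticationFailure traps within any `window` seconds."""
    stamps: Dict[str, List[float]] = defaultdict(list)
    for ts, source, oid in events:
        if classify(oid) == ("standard", "authenticationFailure"):
            stamps[source].append(ts)
    flagged: Dict[str, int] = {}
    for source, times in stamps.items():
        times.sort()
        start = best = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[source] = best
    return flagged


# Constructed sample events, not captured from a real device.
AUTH_FAIL = "1.3.6.1.6.3.1.1.5.5"
SAMPLE_EVENTS = (
    [(float(t), "192.168.1.1", AUTH_FAIL) for t in range(0, 30, 5)]   # 6 traps in 25 s
    + [(40.0, "192.168.1.1", "1.3.6.1.6.3.1.1.5.3")]                   # linkDown
    + [(0.0, "192.168.1.2", "1.3.6.1.6.3.1.1.5.1"),                    # coldStart
       (10.0, "192.168.1.2", AUTH_FAIL),
       (310.0, "192.168.1.2", AUTH_FAIL)]                              # 300 s apart
)

if __name__ == "__main__":
    print(auth_failure_bursts(SAMPLE_EVENTS))
```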
to provide secure encrypted communication between two hosts over an unsecured network.
Figure 150 SSH Communication Example
33.9.2.1 How SSH works
The following table summarizes how a secure connection is established between two remote hosts.
Figure 151 How SSH Works
1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key.
2 Encryption Method
Once the identification is verified, both the client and server must agree on the type of encryption method to use.
3 Authentication and Data Transmission
After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.
33.9.2.
1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the Switch’s WS (web server).
2 HTTP connection requests from a web browser go to port 80 (by default) on the Switch’s WS (web server).
Figure 152 HTTPS Implementation
Note: If you disable HTTP in the Service Access Control screen, then the Switch blocks all HTTP connection attempts.
33.9.3.
You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the web configurator login screen; if you select No, then web configurator access is blocked.
Figure 153 Security Alert Dialog Box (Internet Explorer)
Netscape Navigator Warning Messages
When you attempt to access the Switch HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate.
Select Accept this certificate permanently to import the Switch’s certificate into the SSL client.
33.9.3.2 The Main Screen
After you accept the certificate and enter the login username and password, the Switch main screen appears. The lock displayed in the bottom right of the browser status bar denotes a secure connection.
CHAPTER 34 Diagnostic
34.1 Overview
This chapter explains the Diagnostic screen. Use the Diagnostic screen (Section 34.2 on page 301) to check system logs, ping IP addresses or perform port tests.
34.2 Diagnostic
Click Management > Diagnostic in the navigation panel to open this screen. Use this screen to check system logs, ping IP addresses or perform port tests.
The following table describes the labels in this screen.
Table 101 Management > Diagnostic
LABEL | DESCRIPTION
System Log | Click Display to display a log of events in the multi-line text box. Click Clear to empty the text box and reset the syslog entry.
IP Ping | Type the IP address of a device that you want to ping in order to test a connection. Click Ping to have the Switch ping the IP address (in the field to the left).
CHAPTER 35 Syslog
35.1 Overview
This chapter explains the syslog screens. The syslog protocol allows devices to send event notification messages across an IP network to syslog servers that collect the event messages. A syslog-enabled device can generate a syslog message and send it to a syslog server. Syslog is defined in RFC 3164. The RFC defines the packet format, content and system log related information of syslog messages. Each syslog message has a facility and severity level.
35.3 Syslog Setup
Use this screen to configure the device’s system logging settings. Click Management > Syslog in the navigation panel to display this screen. The syslog feature sends logs to an external syslog server.
Figure 158 Management > Syslog
The following table describes the labels in this screen.
35.4 Syslog Server Setup
Click Management > Syslog > Syslog Server Setup to view the screen as shown next. Use this screen to configure a list of external syslog servers.
Figure 159 Management > Syslog > Syslog Server Setup
The following table describes the labels in this screen.
Table 104 Management > Syslog > Syslog Server Setup
LABEL | DESCRIPTION
Active | Select this check box to have the device send logs to this syslog server.
CHAPTER 36 Cluster Management
36.1 Overview
This chapter introduces cluster management. Cluster Management allows you to manage switches through one Switch, called the cluster manager. The switches must be directly connected and be in the same VLAN group so as to be able to communicate with one another.
Table 105 ZyXEL Clustering Management Specifications
Maximum number of cluster members | 24
Cluster Member Models | Must be compatible with ZyXEL cluster management implementation.
In the following example, switch A in the basement is the cluster manager and the other switches on the upper floors of the building are cluster members.
Figure 160 Clustering Application Example
36.2 What You Can Do
• Use the Cluster Management screen (Section 36.3 on page 308) to view the role of the Switch within the cluster and to access a cluster member switch’s web configurator.
• Use the Clustering Management Configuration screen (Section 36.
Note: A cluster can only have one manager.
Figure 161 Management > Cluster Management: Status
The following table describes the labels in this screen.
Table 106 Management > Cluster Management: Status
LABEL | DESCRIPTION
Status | This field displays the role of this Switch within the cluster.
36.4 Clustering Management Configuration
Use this screen to configure clustering management. Click Management > Cluster Management > Configuration to display the next screen.
Figure 162 Management > Cluster Management > Configuration
The following table describes the labels in this screen.
Table 107 Management > Cluster Management > Configuration
LABEL | DESCRIPTION
Clustering Manager |
Active | Select Active to have this Switch become the cluster manager switch.
Table 107 Management > Cluster Management > Configuration (continued)
LABEL | DESCRIPTION
VID | This is the VLAN ID and is only applicable if the Switch is set to 802.1Q VLAN. All switches must be directly connected and in the same VLAN group to belong to the same cluster. Switches that are not in the same VLAN group are not visible in the Clustering Candidates list. This field is ignored if the Clustering Manager is using Port-based VLAN.
36.5 Technical Reference
This section provides technical background information on the topics discussed in this chapter.
36.5.1 Cluster Member Switch Management
Go to the Clustering Management Status screen of the cluster manager switch and then select an Index hyperlink from the list of members to go to that cluster member switch's web configurator home page.
36.5.1.1 Uploading Firmware to a Cluster Member Switch
You can use FTP to upload firmware to a cluster member switch through the cluster manager switch as shown in the following example.
Figure 164 Example: Uploading Firmware to a Cluster Member Switch
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220 Switch FTP version 1.0 ready at Thu Jan 1 00:58:46 1970
User (192.168.0.
CHAPTER 37 MAC Table
37.1 Overview
This chapter introduces the MAC Table screen. The MAC Table screen (a MAC table is also known as a filtering database) shows how frames are forwarded or filtered across the Switch’s ports. It shows what device MAC address, belonging to what VLAN group (if any), is forwarded to which port(s) and whether the MAC address is dynamic (learned by the Switch) or static (manually entered in the Static MAC Forwarding screen).
37.
• If the Switch has already learned the port for this MAC address, but the destination port is the same as the port it came in on, then it filters the frame.
Figure 165 MAC Table Flowchart
37.4 Viewing the MAC Table
Use this screen to check whether the MAC address is dynamic or static. Click Management > MAC Table in the navigation panel to display the following screen.
The following table describes the labels in this screen.
Table 109 Management > MAC Table
LABEL | DESCRIPTION
Condition | Select one of the buttons and click Search to only display the data which matches the criteria you specified. Select All to display any entry in the MAC table of the Switch. Select Static to display the MAC entries manually configured on the Switch. Select MAC and enter a MAC address in the field provided to display a specified MAC entry.
CHAPTER 38 ARP Table
38.1 Overview
This chapter introduces ARP Table. Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network. An IP (version 4) address is 32 bits long. In an Ethernet LAN, MAC addresses are 48 bits long. The ARP Table maintains an association between each MAC address and its corresponding IP address.
38.
38.3 Viewing the ARP Table
Use the ARP table to view IP-to-MAC address mapping(s). Click Management > ARP Table in the navigation panel to open the following screen.
Figure 167 Management > ARP Table
The following table describes the labels in this screen.
Table 110 Management > ARP Table
LABEL | DESCRIPTION
Index | This is the ARP Table entry number.
IP Address | This is the learned IP address of a device connected to a Switch port with corresponding MAC address below.
CHAPTER 39 Configure Clone
39.1 Overview
This chapter shows you how you can copy the settings of one port onto other ports. Use the Configure Clone screen (Section 39.2 on page 321) to copy the basic and advanced settings from a source port to a destination port or ports.
39.2 Configure Clone
Cloning allows you to copy the basic and advanced settings from a source port to a destination port or ports. Click Management > Configure Clone to open the following screen.
The following table describes the labels in this screen.
Table 111 Management > Configure Clone
LABEL | DESCRIPTION
Source/Destination Port | Enter the source port under the Source label. This port’s attributes are copied. Enter the destination port or ports under the Destination label. These are the ports which are going to have the same attributes as the source port. You can enter individual ports separated by a comma or a range of ports by using a dash.
PART VI
Troubleshooting & Product Specifications
• Troubleshooting
• Product Specifications
CHAPTER 40 Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• Switch Access and Login
• Switch Configuration

40.1 Power, Hardware Connections, and LEDs

The Switch does not turn on. None of the LEDs turn on.
1 Make sure you are using the power adaptor or cord included with the Switch.
1 Make sure you understand the normal behavior of the LED. See Section 3.3 on page 40.
2 Check the hardware connections. See Section 40.1 on page 325.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Disconnect and re-connect the power adaptor or cord to the Switch.
5 If the problem continues, contact the vendor.

40.2 Switch Access and Login

I forgot the IP address for the Switch.
1 The default IP address is 192.168.1.1.
• If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the Switch.
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See Section 3.3 on page 40.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled.
4 Make sure your computer is in the same subnet as the Switch.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).

I cannot see some of the Advanced Application submenus at the bottom of the navigation panel.
The recommended screen resolution is 1024 by 768 pixels. Adjust the value in your computer and then you should see the rest of the Advanced Application submenus at the bottom of the navigation panel.
CHAPTER 41 Product Specifications

The following tables summarize the Switch’s hardware and firmware features.

Table 112 Hardware Specifications
SPECIFICATION | DESCRIPTION
Dimensions | Standard 19” rack mountable 440 mm (W) x 173 mm (D) x 43 mm (H)
Weight | 2.5 kg
Power Specification | 100-240 VAC, 50/60 Hz 0.6 A Max.
Fan Design | Fanless
Fuse Specification | 250 VAC, T2A

Table 113 Firmware Specifications
FEATURE | DESCRIPTION
Default IP Address | 192.168.1.1
Default Subnet Mask | 255.255.255.0 (24 bits)
Administrator User Name | admin
Default Password | 1234
Number of Login Accounts Configurable on the Switch | 4 management accounts configured on the Switch.
Queuing | Queuing is used to help solve performance degradation when there is network congestion. The following scheduling services are supported: Strict Priority Queuing (SPQ), Weighted Round Robin (WRR), and Weighted Fair Queuing (WFQ). This allows the Switch to maintain separate queues for packets from each individual source or flow and prevent a source from monopolizing the bandwidth.
Firmware Upgrade | Download new firmware (when available) from the ZyXEL web site and use the web configurator, CLI or an FTP/TFTP tool to put it on the Switch. Note: Only upload firmware for your specific model!
Configuration Backup & Restoration | Make a copy of the Switch’s configuration and put it back on the Switch later if you decide you want to revert back to an earlier configuration.
Table 114 Feature Specifications (continued)
VLAN | Port-based VLAN; 802.1Q tag-based VLAN; number of VLAN: 4K, 1000 static maximum; GVRP for dynamic registration; Double tagging for VLAN stacking, 64-entry maximum; Private VLAN for port isolation; Protocol-Based VLAN; IP subnet based VLAN
Link Aggregation | IEEE 802.
AAA | Support RADIUS and TACACS+
Security | Static MAC address filtering; Static MAC address forwarding; MAC Freeze; IEEE 802.1x port-based authentication; Limiting number of dynamic MAC addresses per port; SSH v1/v2; SSL; Multiple RADIUS servers; Multiple TACACS+ servers; 802.1X VLAN and bandwidth assignment.
Table 115 Standards Supported (continued)
STANDARD | DESCRIPTION
RFC 3046 | DHCP Relay
RFC 3164 | Syslog
RFC 3376 | Internet Group Management Protocol, Version 3
RFC 3414 | User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMP v3)
RFC 3580 | RADIUS - Tunnel Protocol Attribute
IEEE 802.1ab | Link Layer Discovery Protocol (LLDP)
IEEE 802.1ag | Connectivity Fault Management (CFM)
IEEE 802.1x | Port Based Network Access Control
IEEE 802.
PART VII
Appendices and Index
• Changing a Fuse
• Common Services
• Legal Information
• Index
APPENDIX A Changing a Fuse

This appendix shows you how to remove and install fuses for the Switch. If you use a fuse other than an included fuse, make sure it matches the fuse specifications in the chapter on product specifications.

Removing a Fuse

Disconnect all power from the Switch before you begin this procedure.
1 Remove the power cord from the Switch.
2 See the product specifications for the location of the fuse. Use a small flat-head screwdriver to carefully pry out the fuse housing.
APPENDIX B Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.
Table 116 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
ESP (IPSEC_TUNNEL) | User-Defined | 50 | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER | TCP | 79 | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP | TCP | 20, 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.
POP3 | TCP | 110 | Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP | TCP | 1723 | Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
TELNET | TCP | 23 | Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
APPENDIX C Legal Information

Copyright

Copyright © 2009 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation.
• This device must accept any interference received, including interference that may cause undesired operations.

FCC Warning

This device has been tested and found to comply with the limits for a Class A digital switch, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment.
Viewing Certifications
1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.