ZyXEL Communications ES-3124-4F Switch Support Notes



ZyXEL ES-3100 Series

(ES-3124/ES-3124PWR/ES-3148/ES-3124-4F)

Ethernet Switch

Support Notes

Version 3.60

September 2006

ES-3100 Series Switch Support Notes

INDEX

How to manage & maintain your Switch?

Firmware Upgrade

Restore a Configuration File

Backing Up a Configuration File

Load Factory Defaults

Physical Switch connection

Connecting two switches via Fiber Channel

General Networking

DHCP option 82 (Relay Agent Information Option)

Separating a physical network into many virtual networks

Introduction to Virtual LAN

Port Based Virtual LAN

Setting up Port Based VLAN

IEEE 802.1Q Tag-based VLAN

Setting up Tag-based VLAN

Setting up VLAN Trunking

How to configure GVRP

IP Multicasting

IGMP Snooping

Multicast VLAN Registration (MVR)

To ring a network by building redundant links and connections between Switches

Introduction to Spanning Tree Protocol

How does Spanning Tree Protocol Work?

Switching security

MAC freeze

Setting up 802.1x Radius Authentication

Classifier & Policy Rule (ACL)

Centralized Management

Introduction of SNMPc and NetAtlas

*NetAtlas v1.00 supported ES-3124 / ES-3124PWR

*NetAtlas v1.03 and newer releases will support ES-3148 and some new features with ES-3124/ ES-3124PWR

Cluster Management -- iStacking

Remote Monitoring (RMON)

FAQ

What is the default setting of the IP parameters?

What is the default login Name and Password of the Web Configuration?

How to access the Switch through the console port?


All contents copyright (c) 2006 ZyXEL Communications Corporation.


What is default login password of the console, telnet, and FTP?

How to change the password?

How to access the Command Line Interface?

If I forgot the Switch password, how can I reset the password to default?

How do I configure an IP address?

Is Online Help available on the Web GUI?

How to restart device from Web?

How to check the current running firmware version?

Is the mini GBIC transceiver hot-swappable?

What is so called "Dual-Personality interface" in Ethernet Switching?

Reminder:

Some demonstrations in this support note may not use the exact model that you are using. However, the functions and settings work the same way.

How to manage & maintain your Switch?

Firmware Upgrade

From Web GUI:

1. Download (and unzip) the correct model firmware to your computer.

2. Click Management and then Maintenance in the navigator panel to bring up the following screen.

3. Click on the “Click Here” link of the Firmware Upgrade to bring up the following screen.

4. Browse to the firmware file or type its path into the “File Path” field.

5. Click on the Upgrade button.

From Console Port:

1. Download (and unzip) the correct model firmware to your computer.

2. Connect to the console port and open the Terminal Emulation Software.

3. Restart the switch to enter the debug mode via the terminal.

5. Use X-modem protocol to transfer (Send File) the firmware.

6. Enter “ATGO” to restart the switch after the firmware upload is done.

From Command Line FTP:

1. Download (and unzip) the correct model firmware to your computer.

2. Launch the FTP client on your PC to log in to the Switch. (From the command prompt, type “ftp <Switch IP>”.)

3. Press “Enter” for the User name.

4. Enter the password to get the ftp prompt.

5. Enter “bin” to set transfer mode to binary.

6. Use “put” to transfer the firmware from the computer to the switch, for example: “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the switch and renames it “ras”.

7. Enter “quit” to exit the ftp prompt.

Restore a Configuration File

From Web GUI:

1. Click Management and then Maintenance in the navigator panel to bring up the following screen.

2. Click on the “Click Here” link of the Restore Configuration to bring up the following screen.

3. Browse to locate the file with the file name or type in the path and the file name into the “File Path” field.

4. Click on the Restore button.

From Console Port:

1. Connect to the console port and open the Terminal Emulation Software.

2. Restart the Switch to enter the debug mode via the terminal.

4. Use X-modem protocol to transfer (Send File) the configuration file.

5. Enter “ATGO” to restart the Switch after the configuration file upload is done.

From Command Line FTP:

1. Download (and unzip) the correct model firmware to your computer.

2. Launch the FTP client on your PC to log in to the Switch. (From the command prompt, type “ftp <Switch IP>”.)

3. Press “Enter” for the User name.

4. Enter the password to get the ftp prompt.

5. Enter “bin” to set transfer mode to binary.

6. Use “put” to transfer the configuration file from the computer to the switch, for example: “put config.rom rom-0” transfers the configuration file on your computer (config.rom) to the switch and renames it “rom-0”.

7. Enter “quit” to exit the ftp prompt.


Backing Up a Configuration File

From Web GUI:

1. Click Management and then Maintenance in the navigator panel to bring up the following screen.

2. Click on the “Click Here” link of the Backup Configuration to bring up the following screen.

3. Click on the “Backup” button to bring up the File Download dialog. Then click on the Save button to back up the configuration rom file to a proper location.

From Console Port:

1. Connect to the console port and open the Terminal Emulation Software.

2. Restart the Switch to enter the debug mode via the terminal.

4. Use X-modem protocol to transfer (Receive File) the configuration file.

5. Enter “ATGO” to restart the Switch after the configuration file transfer is done.

From Command Line FTP:

1. Download (and unzip) the correct model firmware to your computer.

2. Launch the FTP client on your PC to log in to the Switch. (From the command prompt, type “ftp <Switch IP>”.)

3. Press “Enter” for the User name.

4. Enter the password to get the ftp prompt.

5. Enter “bin” to set transfer mode to binary.

6. Use “get” to transfer the configuration file from the switch to the computer, for example: “get rom-0 config.rom” transfers the configuration file on the switch (rom-0) to your computer and names it “config.rom”.

7. Enter “quit” to exit the ftp prompt.

Load Factory Defaults

From Web GUI:

1. Click Management and then Maintenance in the navigator panel to bring up the following screen.

2. Click on the “Click Here” button of the Load Factory Defaults to bring up the following screen.

3. A dialog pops up with the message “Are you sure you want to load factory defaults?”.

4. Click OK to go to the following dialog.

5. Click on the OK button. Now, all switch configurations have been reset to the factory defaults and the system will be restarted.

6. Please note that the switch IP address is now 192.168.1.1.

From Console Port:

1. Connect to the console port and open the Terminal Emulation Software.

2. Type in the correct password to bring up the prompt.

Type “erase run” to load the factory default configurations.

Physical Switch connection

How to connect two switches via Fiber Channel

Your Switch may come with one or many mini-GB ports. ZyXEL offers Small Form-factor Pluggable (SFP) transceivers for Gigabit Ethernet and Fiber Channel applications. These small, modular optical interface transceivers offer a convenient and cost-effective solution for the adoption of Gigabit Ethernet and Fiber Channel in data center, campus, metropolitan area access, ring networks, and storage area networks. They support full-duplex Gigabit speeds and are hot-pluggable.

Scenario

In this scenario, two Switches with mini-GB ports are connected together via their mini-GB ports with an LC/LC Fiber cable (62.5/125MM). PC “Alpha” is connected to the Switch on the left and another PC “Delta” is connected to the Switch on the right via the RJ45 Port (Cat 5 cable).

What you need to complete this scenario:

• ZyXEL Switch with Mini-GB port x2 (note: Each ES-3100 Series Switch comes with 2 Mini-GB Ports)

• SFP-SX Transceiver x2

• LC/LC Fiber Cable (62.5/125MM) x1


Here is the photo of the SFP-SX Transceiver & the LC/LC Fiber Cable.

Steps to complete this scenario

1. Find both Mini-GB ports on your Switch first.


2. Get one transceiver and plug it into the Mini-GB Port of your Switch

3. Plug another transceiver into the Mini-GB Port of the other Switch

4. Remove the protection caps from both ends of the LC/LC Fiber Cable.

5. Plug the LC/LC Fiber Cable into the transceivers on both Switches.

If you connected the cable correctly, the LED of the “LINK” will light up.

6. Now, connect the first PC “Alpha” to the Switch on the left and the second PC “Delta” to the Switch on the right via regular Ethernet cables.

7. Set the NICs in both computers to the same IP domain (e.g., PC “Alpha”: 192.168.1.4/24; PC “Delta”: 192.168.1.5/24).

8. From PC “Alpha”, PING PC “Delta” at 192.168.1.5.

9. From PC “Delta”, PING PC “Alpha” at 192.168.1.4.

10. Now you can confirm that the network connection between these two Switches is up and running.

General Networking

DHCP Relay Option 82 Application

An ISP may want to limit the number of IP addresses, or deliver specific IP addresses, according to a certain Switch port, VLAN ID and option 82 string. They can easily achieve this with the DHCP Relay Option 82 feature and a DHCP server supporting the Option 82 function.

[Figure: network diagram showing the DHCP Server (192.168.1.99), the Switch (Port 25, Ethernet Port) and the DHCP Client]

How to set up DHCP Relay Option 82 Environment

Here, we will set up an environment that allows a PC to get a DHCP IP address from a specific IP pool according to its Switch port, VLAN ID and the option 82 string.

In this case, we are using a GS-3012 for the demonstration. The PC is behind the 25th Switch port and the option 82 string is “GS-3012”. We use IP Commander as the DHCP server. Its IP is 192.168.1.99 and the IP pool is between 192.168.1.201 and 192.168.1.203 for VID=1, Switch port=25 and the option 82 string “GS-3012”.

1. Switch (GS-3012) settings

Click IP Application, DHCP Relay in the navigation panel to display the configuration screen as shown. You will see the DHCP Relay setup page. Activate the DHCP relay and Option 82 function. Also, click Information to make “GS-3012” the Option 82 string. Information is READ ONLY here and it is the same as the host name of the Switch.

Now we can connect the PC to the 25th Switch port. Please see former applications for detailed settings.

3. IP Commander settings

Open IP Commander. Right click “IP commander” and then click “connect new server”.

Input the DHCP IP address or domain name and click “ok”. Our IP is 192.168.1.99.

Input user name and password. The default user name is “administrator” and password is “incognito”.

It will bring up the following screen; please make sure that your DHCP is in “online” status. Then click “wizard” in the top tool bar and select “rule wizard”.

Give a name and description to the new rule.

Assign a range of IP addresses or just one IP address to this rule. In our case, we set the IP pool from 192.168.1.201 to 192.168.1.203.

After entering the IP pool, select “DHCP Option” in the Keywords combo box.

After selecting “DHCP Option”, the “Add DHCP Option Rule” dialog pops up. Select “option 82 Relay Agent Information”, sub-option 1, binary data. For port 25, VLAN 1, “GS-3012”, please key in “0019000147532d33303132” as the key value and click OK. Please note that the first 2 bytes define the port number, the second 2 bytes are the VLAN ID and the other bytes are the Option 82 string.
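The key value layout described above, worked through as an added example (not part of the original support notes or of IP Commander). It builds and decodes the key, pulls sub-option 1 out of option 82 in a DHCP options field, and looks up the pool; the function names, the rule table and the sample options bytes are constructed for illustration.

```python
import struct

OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82   # DHCP option codes
SUBOPT_MATCHED = 1                               # the rule on this page matches sub-option 1


def encode_key(port: int, vlan_id: int, info: str) -> bytes:
    """Key value layout from the page: 2-byte port, 2-byte VLAN ID, then the string."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port does not fit in 2 bytes")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return struct.pack("!HH", port, vlan_id) + info.encode("ascii")


def decode_key(key: bytes):
    """Return (port, vlan_id, option_82_string) from a key value."""
    if len(key) < 4:
        raise ValueError("key shorter than the 4-byte port/VLAN prefix")
    port, vlan_id = struct.unpack_from("!HH", key)
    return port, vlan_id, key[4:].decode("ascii")


def walk_tlv(data: bytes, dhcp_level: bool):
    """Yield (code, value) pairs from a code/length/value sequence.

    dhcp_level=True also honours the one-byte PAD and END options that only
    exist in the outer DHCP options field, not inside option 82.
    """
    i = 0
    while i < len(data):
        code = data[i]
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            return
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option value runs past the end of the field")
        yield code, value
        i += 2 + length


def relay_key(options: bytes):
    """Return sub-option 1 of option 82, or None if the relay added none."""
    for code, value in walk_tlv(options, dhcp_level=True):
        if code == OPT_RELAY_INFO:
            for sub, sub_value in walk_tlv(value, dhcp_level=False):
                if sub == SUBOPT_MATCHED:
                    return sub_value
    return None


def select_pool(options: bytes, rules: dict):
    """Look up the pool whose rule key equals the relay's sub-option 1."""
    key = relay_key(options)
    return rules.get(key.hex()) if key is not None else None


# Rule from the page: port 25, VLAN 1, "GS-3012" -> pool 192.168.1.201-203.
RULES = {"0019000147532d33303132": ("192.168.1.201", "192.168.1.203")}


def sample_options(key: bytes) -> bytes:
    """Constructed options field: message type DISCOVER, option 82, END."""
    relay = bytes([SUBOPT_MATCHED, len(key)]) + key
    return bytes([53, 1, 1, OPT_RELAY_INFO, len(relay)]) + relay + bytes([OPT_END])


if __name__ == "__main__":
    key = encode_key(25, 1, "GS-3012")
    print(key.hex(), decode_key(key), select_pool(sample_options(key), RULES))
```

A request relayed from any other port or VLAN produces a different key and matches no rule, which is what ties the pool to the physical port.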


After you finish above step, you will see the following figure.

The following screen then pops up; you can just press the Next button.

Then you can add a DHCP template (option) such as gateway, DNS server and so on.

Here we use “192.168.1.1” as gateway IP address of DHCP client PC.


You can apply DDNS service to DHCP server or not.

The rule creation has been finished.

After finishing all the above procedures, your PC will get the IP address 192.168.1.201 when you send a DHCP request.

Separating a physical network into many virtual networks

What is Virtual LAN?

• VLAN Overview

A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Stations on a logical network belong to one group called VLAN Group. A station can belong to more than one group.

The stations on the same VLAN group can communicate with each other. With VLAN, a station cannot directly talk to or hear from stations that are not in the same VLAN group(s); the traffic must first go through a router.

In MTU or IP-DSLAM applications, VLAN is vital in providing isolation and security among the subscribers. When properly configured, VLAN prevents one subscriber from accessing the network resources of another on the same LAN, thus a user will not see the printers and hard disks of another user in the same building.

VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. A VLAN group is a broadcast domain. In traditional Layer-2 switched environments, all broadcast packets go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain.

The two most popular VLAN implementations are Port-based VLAN and IEEE 802.1Q Tagged VLAN. The ES-3100 series supports both. The main difference between them is that Tagged VLAN can span Layer-2 switches but Port-based VLAN cannot.

• Port-based VLAN

Port-based VLANs are VLANs where the packet forwarding decision is based on the destination MAC address and its associated port. You must define the outgoing ports allowed for each port when using port-based VLANs.

Note that VLAN only governs the outgoing traffic; in other words, it is unidirectional.

Therefore, if you wish to allow two subscriber ports to talk to each other, e.g., between conference rooms in a hotel, you must define the egress (outgoing port) for both ports. An egress port is an outgoing port, that is, a port through which a data packet leaves.

There are 5 hosts (Host A, B, C, D and E) connected to a 5-port layer-2 switch that supports port-based VLAN.

Case 1: Host A and Host B can talk to each other, because they are in the same VLAN group. But Host A and Host B can't talk to Host C, D, and E.

Port-based VLAN definition:

Egress port for port 1: port 2

Egress port for port 2: port 1

Case 2: There are 3 VLAN groups in the physical network. Host A and Host B can talk to each other; they are in the same VLAN group 1. Host B and Host C are in VLAN group 2. Host A, Host D and Host E are in VLAN group 3.


Port-based VLAN definition:

Egress port for port 1: port 2, port 4, port 5

Egress port for port 2: port 1, port 3

Egress port for port 3: port 2

Egress port for port 4: port 1, port 5

Egress port for port 5: port 1, port 4

• Port-based VLAN across different switches

Port-based VLAN is specific only to the switch on which it was created; it cannot span different switches. As the following network diagram shows, in most MTU cases subscribers are isolated from each other, except for the gateway, for the sake of security. Two switches, Switch-2 and Switch-3, support port-based VLAN and uplink to a switch without port-based VLAN, Switch-1.

For Switch-2, port 1, port 2, and port 3 are allowed to communicate back and forth with uplink port 4, but not with other ports.

Switch-2 VLAN 1 member port: port 1 and port 4

Switch-2 VLAN 2 member port: port 2 and port 4

Switch-2 VLAN 3 member port: port 3 and port 4

For Switch-3, port 2, port 3, and port 4 are allowed to communicate back and forth with uplink port 1, but not with other ports.

Switch-3 VLAN 1 member port: port 2 and port 1

Switch-3 VLAN 2 member port: port 3 and port 1

Switch-3 VLAN 3 member port: port 4 and port 1

Host A can't talk to Host B due to the port-based VLAN in Switch-2, and Host C can't talk to Host D due to the port-based VLAN in Switch-3. But both Switch-2 and Switch-3 uplink to Switch-1, which has no VLAN. Host A and Host B will talk to Host C and Host D via the non-VLAN switch because port-based VLAN can't span different switches.

To achieve security between different switches, you must use another port-based VLAN switch for the uplink. Each port on the uplink switch should also be separated into a different VLAN, except for the port to the gateway. Subscribers can then only talk to the gateway for Internet access and cannot communicate with each other.

For Switch-1, port 1, port 2, and port 3 are allowed to communicate back and forth with uplink port 4, but not with other ports.

Switch-1 VLAN 1 member port: port 1 and port 4

Switch-1 VLAN 2 member port: port 2 and port 4

Switch-1 VLAN 3 member port: port 3 and port 4
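The egress tables of Case 2 and the Switch-1 uplink problem above can be checked mechanically. The following is an added example, not part of the original support notes: it derives per-port egress tables from VLAN groups and walks frames across cabled switches. The host-to-port placement and the Switch-1 port numbers used for the uplinks and the gateway are assumptions, since the original diagram is not reproduced here.

```python
from collections import deque


def egress_from_groups(groups):
    """Per-port egress table for one switch, given VLAN groups as sets of member ports."""
    egress = {}
    for members in groups:
        for port in members:
            egress.setdefault(port, set()).update(set(members) - {port})
    return egress


def delivers(switches, links, hosts, src, dst):
    """True if a frame sent by host src can leave on the port where host dst sits.

    One direction only: a port-based egress table decides nothing more than that.
    """
    target = hosts[dst]
    queue, seen = deque([hosts[src]]), set()
    while queue:
        switch, in_port = queue.popleft()
        if (switch, in_port) in seen:
            continue
        seen.add((switch, in_port))
        for out_port in switches[switch].get(in_port, ()):
            if (switch, out_port) == target:
                return True
            peer = links.get((switch, out_port))   # inter-switch cable, if any
            if peer is not None:
                queue.append(peer)
    return False


def can_talk(switches, links, hosts, a, b):
    """Two hosts communicate only if frames are delivered in both directions."""
    return (delivers(switches, links, hosts, a, b)
            and delivers(switches, links, hosts, b, a))


def peers_of(switches, links, hosts, src):
    return sorted(h for h in hosts
                  if h != src and can_talk(switches, links, hosts, src, h))


# Case 2 on the page: group 1 = A,B; group 2 = B,C; group 3 = A,D,E (ports 1..5).
CASE2 = {"SW": egress_from_groups([{1, 2}, {2, 3}, {1, 4, 5}])}
CASE2_HOSTS = {name: ("SW", port) for port, name in enumerate("ABCDE", start=1)}

# MTU scenario. Assumed cabling: Switch-2 port 4 <-> Switch-1 port 1,
# Switch-3 port 1 <-> Switch-1 port 2, gateway on Switch-1 port 4.
LINKS = {("Switch-2", 4): ("Switch-1", 1), ("Switch-1", 1): ("Switch-2", 4),
         ("Switch-3", 1): ("Switch-1", 2), ("Switch-1", 2): ("Switch-3", 1)}
MTU_HOSTS = {"A": ("Switch-2", 1), "B": ("Switch-2", 2),
             "C": ("Switch-3", 2), "D": ("Switch-3", 3), "GW": ("Switch-1", 4)}


def mtu_switches(switch1_groups):
    """Edge switches as configured on the page; Switch-1 is the variable part."""
    return {"Switch-1": egress_from_groups(switch1_groups),
            "Switch-2": egress_from_groups([{1, 4}, {2, 4}, {3, 4}]),
            "Switch-3": egress_from_groups([{2, 1}, {3, 1}, {4, 1}])}


OPEN_UPLINK = mtu_switches([{1, 2, 3, 4}])                 # Switch-1 without VLAN
ISOLATED_UPLINK = mtu_switches([{1, 4}, {2, 4}, {3, 4}])   # Switch-1 as corrected

if __name__ == "__main__":
    print("Case 2 egress:", CASE2["SW"])
    print("A with open uplink:", peers_of(OPEN_UPLINK, LINKS, MTU_HOSTS, "A"))
    print("A with isolated uplink:", peers_of(ISOLATED_UPLINK, LINKS, MTU_HOSTS, "A"))
```

With the open Switch-1, Host A reaches C, D and the gateway; with the port-based Switch-1 it reaches the gateway only.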

How to configure Port-Based VLAN

Port-based VLANs are VLANs where the packet forwarding decision is based on the destination MAC address and its associated port.

Scenario

In this scenario, Port Based VLAN is used to separate one physical Switch into two smaller logical Switches. Ports 1~4 and 9, 10 are in one group, and ports 5~10 are in another group. Port-based VLANs are specific only to the switch on which they were created.

Configuring your Switch to fulfill this scenario (GUI)

1. Connect port 1 with a PC or Notebook via the RJ45 Cable.

2. By default the MGMT IP on every port is 192.168.1.1/24

3. Set your NIC to 192.168.1.2/24

4. Open an Internet browser such as IE and enter http://192.168.1.1 as the URL.

5. By default you will need to enter “admin” as the username and “1234” as the password.

6. After you log in successfully, you will see a screen similar to the one below.

7. First, we need to tell the Switch to run VLAN as port based instead of 802.1Q based. To do so, click on “Basic Setting”, then “Switch Setup”; on the right screen, for the VLAN Type, choose “Port Based” instead of “802.1Q”, and click “Apply” to save your changes.

8. Now, you need to tell the Switch how you are going to separate the physical Switch into smaller logical Switches. Click “Advanced Application” then “VLAN”. On the right screen, check the boxes to suit your needs. In this case, we need to put ports 1~4 and ports 9, 10 in one group so that they can communicate in both directions, and ports 5~10 in another group; these two groups cannot talk to each other. Here we also logically define Port 9 and Port 10 as the uplink ports. Therefore, both groups can pass data to Port 9 and Port 10. In other words, these two ports belong to both groups at the same time. Please confirm that your settings look similar to those below.

9. Finally, you can now verify your result. If everything works fine, PC A can ping PC B and PC Z, but it cannot ping PC C or PC D. At the same time, this should work vice versa.

10. For example,

PC A: 192.168.1.4/24

PC B: 192.168.1.5/24

PC C: 192.168.1.6/24

PC D: 192.168.1.7/24

PC Z: 192.168.1.99/24

11. PING PC B from PC A (Should work)


12. PING PC Z from PC A (Should work)

13. PING PC C from PC A (Should NOT work)


Configuring your Switch to fulfill this scenario (CLI)

1. Connect the Switch Console port with your PC or Notebook.

2. Open your Terminal program (e.g., Hyper Terminal in Windows System).

3. Make sure that your port settings are:

bps: 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

4. After you have connected successfully, give the correct user name and password.

5. Enter “en” or “enable” to go into the privileged mode. Then enter “config” to go into the configuration mode.

6. Enter the following commands to set up Port Based VLAN on your Switch in this scenario.

7. When all of the above are done, do not forget to give the “write memory” command under the enable mode to save your configuration.

What is IEEE 802.1Q Tag-based VLAN?

• Tag-based VLAN Overview

Under the IEEE 802.1Q standard, Tag-based VLAN uses an extra tag in the MAC header to identify the VLAN membership of a frame across bridges. This tag is used for VLAN and QoS (Quality of Service) priority identification. VLANs can be created statically by hand or dynamically through GVRP. The VLAN ID associates a frame with a specific VLAN and provides the information that switches need to process the frame across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control Information, starting after the source address field of the Ethernet frame).

TPID: TPID has a defined value of 8100 in hex. When a frame has the EtherType equal to 8100, this frame carries the IEEE 802.1Q / 802.1P tag.

Priority: The first three bits of the TCI define user priority, giving eight (2^3) priority levels. IEEE 802.1P defines the operation for these 3 user priority bits.

CFI: Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet-type networks and Token Ring-type networks. If a frame received at an Ethernet port has CFI set to 1, then that frame should not be forwarded as it is to an untagged port.

VID: VLAN ID is the identification of the VLAN, which is basically used by the standard 802.1Q. It has 12 bits and allows the identification of 4096 (2^12) VLANs. Of the 4096 possible VIDs, a VID of 0 is used to identify priority frames and value 4095 (FFF) is reserved, so the maximum possible VLAN configurations are 4,094.

Note that user priority and VLAN ID are independent of each other. A frame with VID (VLAN Identifier) of null (0) is called a priority frame, meaning that only the priority level is significant and the default VID of the ingress port is given as the VID of the frame.

• How 802.1Q VLAN works

According to the VID information in the tag, the switch forwards and filters frames among ports. Ports with the same VID can communicate with each other. The IEEE 802.1Q VLAN function consists of the following three tasks: Ingress Process, Forwarding Process and Egress Process.

1. Ingress Process:

Each port is capable of passing tagged or untagged frames. The Ingress Process identifies whether incoming frames contain a tag, and classifies them as belonging to a VLAN. Each port has its own Ingress rule. If the Ingress rule accepts tagged frames only, the switch port will drop all incoming non-tagged frames. If the Ingress rule accepts all frame types, the switch port allows both incoming tagged and untagged frames:

When a tagged frame is received on a port, it carries a tag header that has an explicit VID. The Ingress Process passes the tagged frame directly to the Forwarding Process.

An untagged frame doesn't carry any VID to which it belongs. When an untagged frame is received, the Ingress Process inserts a tag containing the PVID into the untagged frame. Each physical port has a default VID called PVID (Port VID). The PVID is assigned to untagged frames or priority tagged frames (frames with null (0) VID) received on this port.

After Ingress Process, all frames have 4-bytes tag and VID information, and then go to Forwarding Process.

2. Forwarding Process:

The Forwarding Process decides how to forward the received frames according to the Filtering Database. If you want tagged frames to be forwarded to a certain port, this port must be an egress port of that VID. The egress port is an outgoing port for the specified VLAN, that is, frames with the specified VID tag can go through this port. The Filtering Database stores and organizes VLAN registration information useful for switching frames to and from switch ports. It consists of static registration entries (Static VLAN or SVLAN table) and dynamic registration entries (Dynamic VLAN or DVLAN table). The SVLAN table is manually added and maintained by the administrator. The DVLAN table is automatically learned via the GVRP protocol, and can't be created or updated by the administrator.

The VLAN entries in Filtering Database have the following information:

1. VID: VLAN ID

2. Port: The switch port number

3. Ad Control: Registration administration control. There are 3 types of ad control: forbidden registration, fixed registration and normal registration.

Forbidden registration: This port is forbidden to be the egress port of the specified VID.

Fixed registration: When ad control is fixed registration, this is a static registration entry. This port is the egress port of the specified VID (a member port of the specified VLAN). Frames with the specified VID tag can go through this port.

Normal registration: When ad control is normal registration, this is a dynamic registration entry. The forwarding decision depends on the Dynamic VLAN table.

4. Egress tag Control: This information is used for Egress Process. The value may be tagged or untagged. If the value is tagged, the outgoing frame on the egress port is tagged. If the value is untagged, the tag will be removed before frame leaves the egress port.

Filtering Database

VID | Port | Ad Control | Tag Control
10 | 3 | | UnTag

Dynamic VLAN (DVLAN) table

VID | Egress Port
10 | 1
10 | 2
20 | 3

3. Egress Process:

The Egress Process decides whether the outgoing frames must be sent tagged or untagged. The Egress Process refers to the egress tag control information in the Filtering Database. If the value is tagged, the outgoing frame on the egress port is tagged. If the value is untagged, the tag will be removed before the frame leaves the egress port.

How to connect two switches using VLAN?

I want to make VLANs on two layer 2 switches, and I want to connect the first switch to the second switch with a trunk port. There will be 5 VLANs on the first switch and there will be 7 VLANs on the second switch. The trunk port will be port 25 on both switches as well. I made VLANs on both switches, but I did not find trunk options on both switches. How can I use Port 25 as a trunk port?

The scenario is described as below:

Where the configurations of VLAN in these two switches are:

VLAN 2, 3, 4, 5, 6, 7, 8 on switch A

VLAN 2, 3, 4, 5, 6 on switch B

Configuration of VLAN on switch A


-------------------------------------

2. Configuration of VLAN on switch B

Answer:

-------------------------------------

In switch A, add port 25 in each VLAN

VID:101 (port 1,2,3,"25 TAG")

VID:102 (port 4,5,6,"25 TAG")

VID:103 (port 7,8,9,10,"25 TAG")

VID:104 (port 23,24,"25 TAG")

VID:105 (port 11,12,13,14,"25 TAG")

VID:106 (port 15,16,17,"25 TAG")

VID:107 (port 18,19,20,21,"25 TAG")

-------------------------------------

In switch B, add port 25 in each VLAN

VID:101 (port 1,2,3,4,"25 TAG")

VID:102 (port 6,7,8,9,10,"25 TAG")

VID:103 (port 11,12,13,14,"25 TAG")

VID:104 (port 15,16,17,18,"25 TAG")

VID:105 (port 19,20,21,22,23,"25 TAG")

Clients in the same VLAN on both switches can communicate with each other.

PVID:

• Set PVID on switch 1:

Port 1, 2, 3: 101

Port 4, 5, 6: 102

Port 7, 8, 9, 10: 103

Port 23, 24: 104

Port 11, 12, 13, 14: 105

Port 15, 16, 17: 106

Port 18, 19, 20, 21: 107

Port 25: PVID=any

• Set PVID on switch 2:

Port 1, 2, 3, 4: 101

Port 6, 7, 8, 9, 10: 102

Port 11, 12, 13, 14: 103

Port 15, 16, 17, 18: 104

Port 19, 20, 21, 22, 23: 105

Port 25: PVID=any
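The following Python model is an added example, not part of the original support notes. It loads the VLAN membership and PVID values from the answer above (switch 1/2 in the PVID lists are taken to be switch A/B, which is an assumption), reports which VLANs are actually carried end to end over port 25, and follows an untagged frame across the trunk. `SWITCH_B_BAD` is a constructed misconfiguration used to show what a wrong PVID does.

```python
import copy

TRUNK = 25  # trunk port on both switches, as in the answer above


def ports(spec):
    """Expand a port list such as "1-3,7" into {1, 2, 3, 7}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def make_switch(access):
    """access maps VID -> access ports; port 25 is added tagged to every VLAN."""
    vlans = {vid: {"untagged": ports(s), "tagged": {TRUNK}} for vid, s in access.items()}
    # The PVID lists in the answer match the untagged membership, so derive them.
    pvid = {p: vid for vid, v in vlans.items() for p in v["untagged"]}
    return {"vlans": vlans, "pvid": pvid}


# Membership transcribed from the answer above.
SWITCH_A = make_switch({101: "1-3", 102: "4-6", 103: "7-10", 104: "23-24",
                        105: "11-14", 106: "15-17", 107: "18-21"})
SWITCH_B = make_switch({101: "1-4", 102: "6-10", 103: "11-14", 104: "15-18",
                        105: "19-23"})


def trunk_report(a, b):
    """VLANs tagged on the trunk port at both ends, and those present at one end only."""
    def carried(sw):
        return {vid for vid, v in sw["vlans"].items() if TRUNK in v["tagged"]}
    ca, cb = carried(a), carried(b)
    return {"end_to_end": sorted(ca & cb), "only_a": sorted(ca - cb), "only_b": sorted(cb - ca)}


def pvid_mismatches(sw):
    """Access ports whose PVID names a VLAN they are not an untagged member of."""
    bad = []
    for port, vid in sw["pvid"].items():
        vlan = sw["vlans"].get(vid)
        if vlan is None or port not in vlan["untagged"]:
            bad.append(port)
    return sorted(bad)


def one_way(src, src_port, dst, dst_port):
    """Follow one untagged frame from an access port on src to an access port on dst."""
    vid = src["pvid"].get(src_port)            # ingress: classified by the port's PVID
    vlan = src["vlans"].get(vid)
    if vlan is None or src_port not in vlan["untagged"] | vlan["tagged"]:
        return False                           # ingress port is not a member of that VLAN
    if TRUNK not in vlan["tagged"]:
        return False                           # VLAN is not carried on the trunk
    remote = dst["vlans"].get(vid)             # frame arrives on dst port 25 tagged with vid
    if remote is None or TRUNK not in remote["tagged"]:
        return False                           # dst has no such VLAN on its trunk port
    return dst_port in remote["untagged"]      # egress: tag removed on the access port


def can_talk(a, port_a, b, port_b):
    """Two hosts communicate only if frames pass in both directions."""
    return one_way(a, port_a, b, port_b) and one_way(b, port_b, a, port_a)


# Constructed misconfiguration: port 6 on switch B is left with PVID 1.
SWITCH_B_BAD = copy.deepcopy(SWITCH_B)
SWITCH_B_BAD["pvid"][6] = 1

if __name__ == "__main__":
    print(trunk_report(SWITCH_A, SWITCH_B))
    print("A port 1 <-> B port 4:", can_talk(SWITCH_A, 1, SWITCH_B, 4))
    print("A port 4 <-> B port 4:", can_talk(SWITCH_A, 4, SWITCH_B, 4))
    print("PVID mismatches on misconfigured B:", pvid_mismatches(SWITCH_B_BAD))
```

VLANs 106 and 107 are tagged on switch A's port 25 but do not exist on switch B, so their hosts have no peers across the trunk.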

Setting up VLAN Trunking

With VLAN trunking, we can connect two switches through a port that is configured as a VLAN trunking port. PC1, whose frames carry a VLAN tag on switch 1, can communicate with PC2, whose frames carry a VLAN tag on switch 2, via the VLAN trunking port. In our example, we set up port 5 in switch 1 as the VLAN trunking port, while in switch 2 we set up port 10 as the VLAN trunking port.

In switch 1, the configuration is:

In switch 2, the configuration is:

In switch 1, we set port 2 as VLAN 2 untag.

In switch 2, we set port 6 as VLAN 2 untag.

The switch 1 IP address: 192.168.1.31

The switch 2 IP address: 192.168.1.21

After the configuration, we can observe that, in switch 1, PC1 running on port 2 can find PC2 running on port 6 in switch 2.

How to configure GVRP?

Description:

In this scenario, PCs that belong to different divisions within a single corporation cannot communicate with each other, and we leave some switch ports for GVRP-aware PCs and others for VLAN-unaware PCs. The network administrator can then manage and configure VLANs according to different devices and requirements. For the switches on floors 1 and 2, the PC connecting to port 3 joins VLAN 10 statically; the PC connecting to port 4 joins VLAN 20 statically; and PCs connecting to ports 1 and 2 can join VLAN 10/20/30 dynamically, as determined by the configuration of their GVRP-aware NIC. For the switch in the basement, the PC connecting to port 1 joins VLAN 30, while the PC connecting to port 3 can join VLAN 10/20/30 dynamically. Please note: all clients connecting to switches in this scenario should be located in the same subnet (in this example, the subnet is 192.168.1.0/24).

How to configure this scenario:

1. For Switch A on Floor 2:

Please enter VLAN setting under the Advanced Application menu and click “static VLAN” to bring up the following screen, adding VLAN 10: port 3, fixed, untag; port 23, fixed, Tx tagging.

Add VLAN 20 to this switch, VLAN 20: port 4, fixed, untag; port 23, fixed, Tx tagging.

Please click VLAN port setting to bring up the following screen, set up PVID 10 for port 3 and PVID 20 for port 4, and enable GVRP at the top of the screen and on port 1, port 2 and port 23.

2. For Switch B on Floor 1:

Please follow the same steps to add VLAN 10: port 3, fixed, untag; port 23, fixed, Tx tagging; port 24, fixed, Tx tagging.

Add VLAN 20 to this switch, VLAN 20: port 4, fixed, untag; port 23, fixed, Tx tagging; port 24, fixed, Tx tagging.

Please click VLAN port setting to bring up the following screen, set up PVID 10 for port 3 and PVID 20 for port 4, and enable GVRP at the top of the screen and on port 1, port 2, port 23 and port 24.

3. For Switch C on Basement:

Please set static VLAN 10: port 23, fixed, untag.


Please set static VLAN 20: port 23, fixed, untag.

Please add VLAN 30: port 1, fixed, untag; port 23, fixed, untag; port 24, fixed, Tx tagging.

Please setup PVID 30 for port 1 and enable GVRP on port 3 and port 24.

Then, this scenario is done here.

IP Multicasting

How to setup IGMP snooping in your switch?

Figure 1: IGMP and IGMP snooping

IGMP snooping is designed for applications that deploy multicast traffic. It operates on the underlying IGMP mechanism: a layer two switch passively listens to the IGMP Query, Report and Leave (IGMP version 2) packets transmitted between the IGMP router and clients and collects the passing IGMP messages. The switch then records each message’s group registration information and configures multicasting accordingly. If the multicast group information is unknown (not recorded on the switch), the switch discards that multicast traffic. Only the registered clients that join the group receive the multicast stream from the IGMP router, which significantly reduces the multicast traffic forwarded down to the clients.

Another advantage of IGMP snooping is that it allows the intermediate switch to learn multicast group information without manual configuration of the switches.
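The snooping behaviour described above can be modelled in a few lines of Python. This is an added example, not ZyXEL code: it parses 8-byte IGMPv1/v2 messages, rejects messages with a bad checksum, keeps a group-to-port table, and drops traffic for unknown groups. The port numbers and group addresses are constructed, and a Leave removes the port immediately, which is a simplification.

```python
import socket
import struct

IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17


def inet_checksum(data):
    """16-bit one's-complement Internet checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type, group="0.0.0.0", max_resp=0):
    """Build an IGMPv2 message (used here only to construct sample input)."""
    addr = socket.inet_aton(group)
    csum = inet_checksum(struct.pack("!BBH4s", msg_type, max_resp, 0, addr))
    return struct.pack("!BBH4s", msg_type, max_resp, csum, addr)


def parse_igmp(payload):
    """Return (type, max response time, group) or raise ValueError."""
    if len(payload) != 8:
        raise ValueError("only 8-byte IGMPv1/v2 messages are handled")
    if inet_checksum(payload) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", payload)
    return msg_type, max_resp, socket.inet_ntoa(group)


class IgmpSnooper:
    def __init__(self):
        self.groups = {}           # group address -> set of member ports
        self.router_ports = set()  # ports on which an IGMP Query was seen

    def snoop(self, port, payload):
        msg_type, _, group = parse_igmp(payload)
        if msg_type == IGMP_QUERY:
            self.router_ports.add(port)
        elif msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            self.groups.setdefault(group, set()).add(port)
        elif msg_type == IGMP_LEAVE:
            members = self.groups.get(group, set())
            members.discard(port)
            if not members:
                self.groups.pop(group, None)
        return msg_type

    def egress_ports(self, group, ingress_port):
        """Ports a multicast data frame is forwarded to; an empty set means drop."""
        if group not in self.groups:
            return set()           # unknown group: discard
        return self.groups[group] - {ingress_port}


def run_constructed_capture():
    """Replay a constructed message sequence; returns (snooper, rejected count)."""
    events = [
        (24, build_igmp(IGMP_QUERY, max_resp=100)),   # general query from the router
        (1, build_igmp(IGMP_V2_REPORT, "224.10.10.1")),
        (2, build_igmp(IGMP_V2_REPORT, "224.10.10.1")),
        (3, build_igmp(IGMP_V2_REPORT, "224.10.10.2")),
        (3, build_igmp(IGMP_LEAVE, "224.10.10.2")),
    ]
    corrupted = bytearray(build_igmp(IGMP_V2_REPORT, "224.10.10.3"))
    corrupted[7] ^= 0x01                               # damage the group address
    events.append((5, bytes(corrupted)))
    switch, rejected = IgmpSnooper(), 0
    for port, payload in events:
        try:
            switch.snoop(port, payload)
        except ValueError:
            rejected += 1
    return switch, rejected


if __name__ == "__main__":
    sw, bad = run_constructed_capture()
    print("table:", sw.groups, "router ports:", sw.router_ports, "rejected:", bad)
```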


Configuration of IGMP snooping by web

In this example, we enable the IGMP function on the GS-4024 (an IGMP router) to connect to a multimedia server. Also, we enable IGMP snooping function on the ES-3124 or other ZyXEL L2 Switch to connect to the multimedia clients.

Figure 2: IGMP snooping Example

Step one: In the GS-4024, click IP Application and select IGMP, where the IGMP function can be enabled and we can select either IGMP-v1 or IGMP-v2.

Figure 3: IGMP Setup


Step two : In the L2 Switch, click Basic Setting and then Switch Setup where we can enable IGMP snooping function with WEB-GUI.

Figure 4: IGMP Snooping Setup

Configuration of IGMP and IGMP snooping by CLI

Step one: Enable IGMP function

In the configure mode

GS-4024(config)# router igmp

Step two: Enable IGMP snooping

In the configure mode of CLI,

L2Switch(config)# igmp-snooping

Step three: Display the IGMP Status

In the exec mode of CLI

GS-4024# show router igmp

Step Four: Display the IGMP snooping Status

In the exec mode of CLI

L2Switch# show igmp-snooping

______________________________________________________________

Note: On the IGMP router, we do not need to enable the IGMP snooping function.

Overview of MVR

MVR (Multicast VLAN Registration) enables a media server to transmit a multicast stream in a single multicast VLAN while the clients receiving the stream can reside in different VLANs. Clients in different VLANs join or leave the multicast group simply by sending an IGMP Join/Leave message to a receiver port. A receiver port that belongs to one of the multicast groups can receive the multicast stream from the media server. In Figure 1, without MVR, the multicast stream from the media server and the subscriber must reside in the same VLAN. The media server has to transmit the multicast stream once for each VLAN, so in total it transmits 6 times. In Figure 2, by contrast, with MVR the media server needs to transmit the multicast traffic only once to reach clients in different VLANs.

Figure 1

Figure 2

MVR Mode

• Dynamic Mode

If we select the dynamic mode in the MVR setting, IGMP report messages transmitted from the receiver port are forwarded to a multicast router through the source port. The multicast router learns dynamically which multicast groups exist on which interface.

• Compatible Mode

If we select the compatible mode in the MVR setting, IGMP report messages transmitted from the receiver port are not transmitted to a multicast router. The multicast router must be statically configured.

Operation Mode

• Join Operation

A subscriber sends an IGMP report message to the switch to join the appropriate multicast group. The switch checks whether the IGMP report matches the multicast MAC address configured on the switch. If it matches, the switch CPU modifies the hardware address table to include this receiver port and VLAN as a forwarding destination of the MVLAN.

• Leave Operation

A subscriber sends an IGMP leave message to the switch to leave the multicast group. The switch CPU sends an IGMP group-specific query through the receiver port VLAN. If there is another subscriber in the VLAN, that subscriber must respond within the max response time. If there is no subscriber, the switch eliminates this receiver port.

• Immediate Leave Operation

A subscriber sends an IGMP leave message to the switch to leave the multicast group. The subscriber does not need to wait for the switch CPU to send an IGMP group-specific query through the receiver port VLAN. The switch immediately eliminates this receiver port.

Scenario of MVR

In the following section, we provide an example to illustrate how to configure MVR. In this scenario, the media stream from the media servers is transmitted from port 24 of the GS-4024 (as an IGMP Router) to the ES-3124 (L2 edge Switch) and the GS-4012F (also working as an L2 edge Switch). On the ES-3124 and GS-4012F, we enable the MVR function to distribute the multicast traffic from the GS-4024 to separate VLAN hosts located on the ES-3124 and GS-4012F.

Moreover, we create a dummy IP interface for the multicast VLAN (VLAN100) on the GS-4024. VLAN100 will be the Multicast VLAN in this scenario.

Illustration of this scenario

Configuration via Web [GS-4024]

1. First of all, you need to create all those IP domains on the GS-4024 Switch. Once you have completed those VLANs, your VLAN status should look like the one below.

2. Below are their related PVID settings.

3. Right after the VLANs, you should add the IP domains to the related VLANs.

4. Since this GS-4024 works as an IGMP Router, you need to enable IGMP V2 on the multicast IP interface (which is the dummy interface). Please notice that since the GS-4024 works here as an IGMP Router, you cannot enable IGMP Snooping at the same time, because IGMP Snooping is a L2 feature.

Here we have done everything we need on the IGMP Router <GS-4024>.

Configuration via Web [ES-3124]

1. At the very beginning, you can create your MVR VLAN first (which is VLAN100). To create this multicast VLAN, we do it in another way. First, access the GUI of your Switch. Then click “Advanced Application” on the left and choose “Multicast”. Finally, click MVR on the right frame to set up your Multicast VLAN.

2. Give a name to this Multicast VLAN, followed by its VLAN ID. Activate this VLAN; pick ports 1 and 2 as the receiver ports; pick ports 27 and 28 as the source ports. In this scenario, we need the source ports to keep the VLAN “tag”. Thus, we come up with the following setting. Click “add” to create this VLAN. When the VLAN is set, we continue and click “Group Configuration” in the upper right corner to create our Multicast Groups.

3. First of all, please choose the Multicast VLAN ID that we just created (which is VLAN100). Then give this group a name that you can understand. Enter the range of Multicast groups here with the start address and end address. Finally, click “Add” to create this group. (In this scenario, we use 224.10.10.0 ~ 224.10.10.50)

4. At this point we go back to the “Multicast Setting” page and enable “IGMP Snooping” here (since MVR needs IGMP Snooping). For Unknown Multicast Frame, we prefer “Drop” here in order to avoid any Multicast Video with no subscriber (nobody joining that multicast group).

5. Right after that you will need to create all other non-Multicast VLANs on this Switch. Once you have completed those VLANs, your VLAN status should look like the one below.

6. Below are their related PVID settings.

Here we have done everything we need on the Edge Switch <ES-3124>.

Configuration via Web [GS-4012F]

1. At the very beginning, you can create your MVR VLAN first (which is VLAN100). To create this multicast VLAN, we do it in another way. First, access the GUI of your Switch. Then click “Advanced Application” on the left and choose “Multicast”. Finally, click MVR on the right frame to set up your Multicast VLAN.

2. Give a name to this Multicast VLAN, followed by its VLAN ID. Activate this VLAN; pick port 11 as the receiver port; pick ports 9 and 10 as the source ports. In this scenario, we need the source port to keep the VLAN “tag”. Thus, we come up with the following setting. Click “add” to create this VLAN. When the VLAN is set, we continue and click “Group Configuration” in the upper right corner to create our Multicast Groups.

3. First of all, please choose the Multicast VLAN ID that we just created (which is VLAN100). Then give this group a name that you can understand. Enter the range of Multicast groups here with the start address and end address. Finally, click “Add” to create this group. (In this scenario, we use 224.10.10.0 ~ 224.10.10.50)

4. At this point we go back to the “Multicast Setting” page and enable “IGMP Snooping” here (since MVR needs IGMP Snooping). For Unknown Multicast Frame, we prefer “Drop” here in order to avoid any Multicast Video with no subscriber (nobody joining that multicast group).

5. Right after that you will need to create all other non-Multicast VLANs on this Switch. Once you have completed those VLANs, your VLAN status should look like the one below.

6. Below are their related PVID settings.

Here we have done everything we need on the Edge Switch <GS-4012F>.

Configuration via CLI [GS-4024]

Connect the Switch Console port with your PC or Notebook.

1. Open your Terminal program (e.g. Hyper Terminal in Windows System).

2. Make sure that your port settings are:

bps: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

3. After you have connected successfully, give the correct user name and password.

4. Enter “en” or “enable” to go into the privileged mode. Then enter “config” to go into the configuration mode.

Issue the following commands to set up your Switch in this scenario.

To Create VLAN2 with its related IP domain:

vlan 2
  name server
  normal 1,3-24
  fixed 2
  forbidden ""
  untagged 2
  ip address 192.168.2.1 255.255.255.0
exit

To Create VLAN100 (Multicast VLAN) with its related IP domain (the dummy interface):

vlan 100
  name MVR
  normal 1-23
  fixed 24
  forbidden ""
  untagged ""
  ip address 111.111.111.111 255.255.255.0
exit

To Create VLAN101 with its related IP domain:

vlan 101
  name 101
  normal 1-10,12-23
  fixed 11,24
  forbidden ""
  untagged 11
  ip address 192.168.101.1 255.255.255.0
exit

To Create VLAN102 with its related IP domain:

vlan 102
  name 102
  normal 1-11,13-23
  fixed 12,24
  forbidden ""
  untagged 12
  ip address 192.168.102.1 255.255.255.0
exit

To Create VLAN109 with its related IP domain:

vlan 109
  name 109
  normal 1-8,10-23
  fixed 9,24
  forbidden ""
  untagged 9
  ip address 192.168.109.1 255.255.255.0
exit

To Create VLAN110 with its related IP domain:

vlan 110
  name 110
  normal 1-9,11-23
  fixed 10,24
  forbidden ""
  untagged 10
  ip address 192.168.110.1 255.255.255.0
exit

To enable IGMP Routing:

router igmp
exit

To set PVID of Port 2:

interface port-channel 2
  pvid 2
exit

To set PVID of Port 9:

interface port-channel 9
  pvid 109
exit

To set PVID of Port 10:

interface port-channel 10
  pvid 110
exit

To set PVID of Port 11:

interface port-channel 11
  pvid 101
exit

To set PVID of Port 12:

interface port-channel 12
  pvid 102
exit

To enable IGMP v2 on the dummy IP interface:

interface route-domain 111.111.111.111/24
  ip igmp v2
exit

Configuration via CLI [ES-3124]

Connect the Switch Console port with your PC or Notebook.

1. Open your Terminal program (e.g. Hyper Terminal in Windows System).

2. Make sure that your port settings are:

bps: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

3. After you have connected successfully, give the correct user name and password.

4. Enter “en” or “enable” to go into the privileged mode. Then enter “config” to go into the configuration mode.

Issue the following commands to set up your Switch in this scenario.

To Setup VLAN 101:

vlan 101
  name Data
  normal 2-27
  fixed 1,28
  forbidden ""
  untagged 1
exit

To Setup VLAN 102:

vlan 102
  name Data
  normal 1,3-27
  fixed 2,28
  forbidden ""
  untagged 2
exit

To enable IGMP Snooping with unknown Multicast “Drop”:

igmp-snooping
igmp-snooping unknown-multicast-frame drop

To set PVID of Port 1:

interface port-channel 1
  pvid 101
exit

To set PVID of Port 2:

interface port-channel 2
  pvid 102
exit

To create the MVR VLAN 100 with group information:

mvr 100
  source-port 27-28
  receiver-port 1-2
  name 100
  tagged 27-28
  group 224.10.10.0 start-address 224.10.10.0 end-address 224.10.10.50
exit

Configuration via CLI [GS-4012F]

Connect the Switch Console port with your PC or Notebook.

1. Open your Terminal program (e.g. Hyper Terminal in Windows System).

2. Make sure that your port settings are:

bps: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

3. After you have connected successfully, give the correct user name and password.

4. Enter “en” or “enable” to go into the privileged mode. Then enter “config” to go into the configuration mode.

Issue the following commands to set up your Switch in this scenario.

To Setup VLAN 109:

vlan 109
  name 109
  normal 1-8,10,12
  fixed 9,11
  forbidden ""
  untagged 9
exit

To Setup VLAN 110:

vlan 110
  name 110
  normal 1-9,12
  fixed 10-11
  forbidden ""
  untagged 10
exit

To enable IGMP Snooping with unknown Multicast “Drop”:

igmp-snooping
igmp-snooping unknown-multicast-frame drop

To set PVID of Port 9:

interface port-channel 9
  pvid 109
exit

To set PVID of Port 10:

interface port-channel 10
  pvid 110
exit

To create the MVR VLAN 100 with group information:

mvr 100
  source-port 11
  receiver-port 9-10
  name 100
  tagged 11
  group 100 start-address 224.10.10.0 end-address 224.10.10.50
exit

To ring a network by building redundant links and connections between Switch

What is Spanning Tree Protocol

• Spanning Tree Overview

Spanning-Tree Protocol (STP) is a Layer 2 protocol designed to run on bridges and switches. The specification for STP is defined in IEEE 802.1d. The main purpose of STP is to ensure that you do not run into a loop situation when you have redundant paths in your network. STP detects/disables network loops and provides backup links between switches or bridges. It allows the device to interact with other STP compliant devices in your network to ensure that only one path exists between any two stations on the network.

The redundant topology without STP will cause the following problems:

1. Broadcast storm:

Without the Spanning Tree loop avoidance mechanism, each switch will endlessly flood broadcast packets to all ports. This situation is called a broadcast storm.

1. When Host sends a broadcast frame, like an ARP request to Router, the frame will be received by Switch A.

2. Switch A checks the destination MAC address field (broadcast FF:FF:FF:FF:FF:FF) in the frame and determines to flood it onto Segment B.

3. When the broadcast frame arrives at Switch B, Switch B will repeat the above process and flood it to Segment A.

4. The broadcast frame will travel endlessly around the looped network even though Router has already received this frame.

2. Filtering Database Instability:

When multiple copies of a frame arrive at different ports of a switch, MAC entry instability in the Filtering Database will occur.

1. Host sends a unicast frame to Router (source MAC address is Host's MAC, destination MAC address is Router's MAC). Both Switch A and Switch B will receive this frame and learn the MAC address of Host on Port 2.

2. Switch A has not yet learned the MAC address of Router, so Switch A will flood a copy of the received frame to Segment B.

3. When the copy of the frame from Switch A arrives at Switch B, Switch B will remove the first entry (Host MAC address on Port 2) in the Filtering Database and add a new mapping of Host MAC address on Port 1. Switch B incorrectly learns the Host MAC address on Port 1.

Switch B can't forward frames properly because of the instability of the MAC address to port mapping.

How STP Works

Spanning Tree provides a loop-free network. When a switch that supports STP recognizes a loop in the network topology, it blocks one or more redundant ports. Spanning Tree Protocol continually explores the network, so when the network topology changes, STP automatically reconfigures switch ports to avoid the failure by blocking certain ports.

Switches (bridges) that are aware of the spanning tree algorithm exchange configuration messages periodically. The configuration message is a multicast frame called a BPDU (Bridge Protocol Data Unit) or Hello message. Based on the BPDUs, these STP-aware switches construct a loop-free network with a "tree" architecture.

STP operation is as follows:

1. Select a root bridge

Only one switch/bridge can be selected as the root bridge in a given network. All other decisions in the network, such as which port is blocked and which port is put in forwarding mode, are made with regard to this root bridge. The root bridge is the "root" of the constructed "tree".

1. One of the important fields included in the BPDU is the bridge ID. Each bridge has a unique bridge ID. The root bridge is the bridge with the lowest bridge ID in the spanning tree network.

2. The bridge ID includes two parts, bridge priority (2 bytes) and bridge MAC address (6 bytes). The 802.1d default bridge priority is 32768. For example, for a switch with the default priority 32768 (8000 hex) and MAC address 00:A0:C5:12:34:56, the bridge ID is 8000:00A0:C512:3456.

3. On the root bridge, all its ports are designated ports. Designated ports are always in the forwarding state. While in the forwarding state, a port can receive and send traffic.

2. Select a root port for the non-root bridge

For the non-root switch/bridge, there will be one root port. The root port is the port through which this non-root switch/bridge communicates with the root bridge (the "leaf" side of the "tree").

1. The root port is the port on the non-root bridge with the lowest path cost to the root bridge. The root port is normally in the forwarding state.

2. Path cost is the total cost of transmitting a frame onto a LAN through that port to the root bridge. It is assigned according to the bandwidth of the link. The slower the media, the higher the cost. Some of the path costs specified in the IEEE 802.1d specification are listed below.

Link Speed    Recommended Cost    Recommended Cost Range
4Mbps         250                 100 to 1000
10Mbps        100                 50 to 600
16Mbps        62                  40 to 400
100Mbps       19                  10 to 60
1Gbps         4                   3 to 10
10Gbps        2                   1 to 5

3. When multiple ports have the same path cost to the root bridge, the port with the lowest port priority is selected as the root port.

3. Select a designated port on each segment

For each LAN segment (collision domain), there is a designated port. The designated port has the lowest cost to the root bridge. Designated ports are normally in the forwarding state to forward and receive traffic to the segment. If more than one port in the segment has the same path cost, the port on the bridge with the lowest bridge ID is selected as the designated port.

1. How STP works

After STP determines the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. STP-aware devices exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.

For example:

Switch A: MAC = 00A0C5111111, Priority = 32768

Switch B: MAC = 00A0C5222222, Priority = 32768

Switch C: MAC = 00A0C5333333, Priority = 1

            Switch A          Switch B          Switch C
            Port 1   Port 2   Port 1   Port 2   Port 1
Cost        19       100      19       100      19
Priority    128      128      128      128      128

1. Switch A bridge ID = 8000:00A0:C511:1111, Switch B bridge ID = 8000:00A0:C522:2222, Switch C bridge ID = 0001:00A0:C533:3333. Switch C has the lowest bridge ID, so Switch C is the root bridge. All ports of the root bridge are designated ports, so Port 1 is a designated port.

2. For non-root bridge Switch A, the Port 1 path cost to the root bridge is 19, and the Port 2 path cost is 119: 100 (Switch A Port 2) + 19 (Switch B Port 1). For Switch B, the Port 1 path cost is 19 and the Port 2 path cost is 119. Root port = Port 1 of Switch A and Switch B, because it has the lowest path cost to the root bridge Switch C.

3. On Segment A, Port 2 of Switch A and Port 2 of Switch B have the same path cost to the root bridge. Since Switch A has a lower bridge ID than Switch B, the designated port is selected on Switch A. So Port 2 of Switch A is the designated port.

Blocking = Port 2 of Switch B, the non-designated port on the segment.

Forwarding = All designated ports and root ports.
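The election rules and the worked example above can be checked with a short Python model. This is an added example, not part of the original notes: it applies the rules as stated in this section (lowest bridge ID, lowest path cost, then port priority) to the three-switch example. The assumption that Port 1 of all three switches shares one LAN, named "root LAN" here, comes from the stated path costs, since the figure is not reproduced.

```python
from collections import namedtuple

Port = namedtuple("Port", "bridge number cost priority segment")


def bridge_id(priority, mac):
    """Bridge ID as an integer: 2-byte priority followed by the 6-byte MAC."""
    return (priority << 48) | int(mac, 16)


def fmt_bridge_id(bid):
    """Render a bridge ID the way the text writes it, e.g. 8000:00A0:C512:3456."""
    digits = f"{bid:016X}"
    return ":".join(digits[i:i + 4] for i in range(0, 16, 4))


def spanning_tree(bridges, ports):
    ids = {name: bridge_id(prio, mac) for name, (prio, mac) in bridges.items()}
    root = min(ids, key=ids.get)                       # lowest bridge ID wins

    def neighbours(p):
        return [q for q in ports if q.segment == p.segment and q.bridge != p.bridge]

    # Root path cost per bridge, relaxed until nothing improves.
    inf = float("inf")
    rpc = {name: (0 if name == root else inf) for name in bridges}
    changed = True
    while changed:
        changed = False
        for p in ports:
            via = min((rpc[q.bridge] for q in neighbours(p)), default=inf) + p.cost
            if p.bridge != root and via < rpc[p.bridge]:
                rpc[p.bridge], changed = via, True

    # Path cost to the root through each individual port of a non-root bridge.
    port_cost = {(p.bridge, p.number):
                 min((rpc[q.bridge] for q in neighbours(p)), default=inf) + p.cost
                 for p in ports if p.bridge != root}

    # Root port: lowest path cost, then lowest port priority, then port number.
    root_port = {}
    for name in bridges:
        mine = [p for p in ports if p.bridge == name and name != root]
        if mine:
            best = min(mine, key=lambda p: (port_cost[(name, p.number)], p.priority, p.number))
            root_port[name] = best.number

    # Designated port per segment: lowest root path cost, then lowest bridge ID.
    designated = {}
    for seg in {p.segment for p in ports}:
        best = min((p for p in ports if p.segment == seg),
                   key=lambda p: (rpc[p.bridge], ids[p.bridge], p.priority, p.number))
        designated[seg] = (best.bridge, best.number)

    forwarding = set(designated.values()) | set(root_port.items())
    blocking = sorted((p.bridge, p.number) for p in ports
                      if (p.bridge, p.number) not in forwarding)
    return {"root": root, "port_cost": port_cost, "root_port": root_port,
            "designated": designated, "blocking": blocking}


# Example values from the text; the "root LAN" segment name is an assumption.
BRIDGES = {"A": (32768, "00A0C5111111"), "B": (32768, "00A0C5222222"),
           "C": (1, "00A0C5333333")}
PORTS = [Port("A", 1, 19, 128, "root LAN"), Port("A", 2, 100, 128, "Segment A"),
         Port("B", 1, 19, 128, "root LAN"), Port("B", 2, 100, 128, "Segment A"),
         Port("C", 1, 19, 128, "root LAN")]

if __name__ == "__main__":
    for name, (prio, mac) in BRIDGES.items():
        print(name, fmt_bridge_id(bridge_id(prio, mac)))
    print(spanning_tree(BRIDGES, PORTS))
```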

Switching security

MAC freeze

As an added protection against network intrusion attacks, ZyXEL has implemented the MAC Freeze feature on ES-2108 Series, ES-3124, ES-2024, ES-3100 Series and ES-4024A. Security has been the focus of our Ethernet switch design. This feature will also be available for GS-4024, GS-4012F, GS-3012 Series, GS-2024 and new switch models in future firmware releases.

With the MAC freeze feature enabled, dynamic MAC addresses on the specified ports are stored in the static MAC address table. At the same time, MAC address learning is disabled on these ports, thus denying network access to computers with unknown MAC addresses.

Without the MAC freeze function, any computer can access the network through a switch port. The port automatically learns the computer’s MAC address and stores that to the MAC address table.

Activate the MAC freeze function on a port by entering the port-security [port number] MAC-freeze command in the CLI.

The following figure shows an example where the MAC freeze feature is enabled on port 6. The switch automatically copies all dynamically learnt MAC addresses on port 6 to the static MAC address table.

Figure 1: Enable MAC Freeze Example


You can display the Static MAC Address screen in the web configurator to view the copied MAC addresses.

Figure 2: Displaying MAC Addresses From MAC Freeze

After you have enabled MAC freeze on port 6 using the CLI command, the switch automatically disables MAC address learning on that port. Display the Port Security screen to verify this.

Figure 3: Disabled Automatic MAC Address Learning After MAC Freeze
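Because MAC freeze copies whatever the port has learnt at that moment into the static table, it is worth comparing the learnt addresses with an inventory before freezing. The Python model below is an added example, not ZyXEL code; it follows the behaviour described in this section, and the MAC addresses and the inventory are constructed.

```python
import re


def norm_mac(mac):
    """Normalise 00:A0:C5:12:34:56, 00-a0-c5-12-34-56 or 00a0.c512.3456 to one form."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class SwitchPort:
    """One switch port with dynamic learning and a static MAC table."""

    def __init__(self):
        self.learning = True
        self.dynamic = set()
        self.static = set()

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is admitted on this port."""
        mac = norm_mac(src_mac)
        if mac in self.static or mac in self.dynamic:
            return True
        if self.learning:
            self.dynamic.add(mac)      # normal behaviour: learn any new source
            return True
        return False                   # learning disabled: unknown source is denied

    def freeze(self):
        """MAC freeze: copy dynamic entries to the static table, stop learning."""
        self.static |= self.dynamic
        self.dynamic.clear()
        self.learning = False


def review_before_freeze(port, inventory):
    """Learnt addresses that are not in the inventory and would be frozen in."""
    allowed = {norm_mac(m) for m in inventory}
    return sorted(port.dynamic - allowed)


def constructed_scenario():
    """Port 6 learns two constructed addresses, is reviewed, then frozen."""
    port6 = SwitchPort()
    for mac in ("00:A0:C5:12:34:56", "00-a0-c5-ab-cd-ef"):
        port6.ingress(mac)
    inventory = ["00A0C5123456"]       # constructed asset inventory
    unexpected = review_before_freeze(port6, inventory)
    port6.freeze()
    return port6, unexpected


if __name__ == "__main__":
    port, unexpected = constructed_scenario()
    print("not in inventory before freeze:", unexpected)
    print("static table after freeze:", sorted(port.static))
    print("new device admitted:", port.ingress("00:A0:C5:00:00:01"))
```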


Setting up 802.1x Radius Authentication.

Port-Authentication -- RADIUS settings:

Click Advanced Application, Port Authentication in the navigation panel to display the configuration screen as shown. Click Enable Authentication Server and set the RADIUS server IP address, UDP port and shared secret, which must be the same as on the RADIUS server. Then click Apply to make the settings take effect.

Click the 802.1x link to enter the 802.1x settings. Check Enable Authentication and click the Apply button to enable 802.1x authentication.

Check Enable to turn on 802.1x authentication on that port. You can leave other settings as default values. Click Apply to save your changes.


RADIUS server setup

Click RADIUS, RADIUS SERVER in the navigation panel to display the configuration screen as shown. You can use the default values or change the Authentication port and Shared Secret. Remember these values MUST be the same as the settings of the client.

Create User Account

Click RADIUS, USER ACCOUNT in the navigation panel to display the configuration screen as shown. You can use an existing user account or create a new one by clicking the Add New User button. Remember the client site MUST use an account in the RADIUS server.

Windows XP(Supplicant) settings:

There are many supplicants to choose from, such as the MeetingHouse Aegis client, the Funk Odyssey client and the Microsoft 802.1x client. We take the Microsoft 802.1x client as an example here.

802.1x/MD5-challenge setup

Open the Local Area Connection Properties, and then click the Authentication page. Check Enable IEEE 802.1x authentication for this network and select MD5-challenge in the EAP type combo box. Please see the following figure.

When the 802.1x starts, it will prompt you to enter the user name and password. Please see the following figure.


After you click the icon, a dialog appears for entering the user name and password. Click OK after entering the correct user name and password, which must exist in the database of the authentication server. The settings of the client site are then finished.


After finishing the above procedures, the authenticated port is allowed to access the server. If the switch port is not authenticated, the PCs behind the port cannot access the network.


Setting up Classifier & Policy rule to perform Access Control on your Switch

Introduction on ACL

ACL (Access Control List) is the name of a combination of Classifier and Policy Rule. A classifier groups traffic into data flows according to specific criteria such as the source address, destination address, source port number, destination port number or incoming port number. For example, you can configure a classifier to select traffic from the same protocol port (such as Telnet) to form a flow. A policy rule ensures that a traffic flow gets the requested treatment in the network. Please be advised that you must first configure a classifier in the Classifier screen before you configure a policy rule.

The relative weight of parameters in ACL

In the classifier, there are a lot of parameters that we can set. Each parameter holds a relative weight. This relative weight is meaningless unless there is a multiple match (or conflict) on the rules.

Here is the order of weight from lowest to the highest:

1. [ Source-port ]

2. [ Destination-port ]

3. [ Packet-format ]

4. [ Destination-mac ]

5. [ Source – mac ]

6. [ Priority ]

7. [ VLAN ID ]

8. [ Ethernet-type ]

9. [ DSCP ]

10. [ IP-Protocol ]

11. [ Source-IP ]

12. [ Destination-IP ]

13. [ Source – Socket ]

14. [ Destination – Socket ]

15. [ Establish Only ]

If you choose a combination of parameters for a rule, the rule takes the weight of its highest-weight parameter. For example, suppose the first classifier uses “Source Port” plus “Source Socket” as its rule parameters, and the second classifier uses only “Destination Socket”. Because “Destination Socket” has a higher relative weight than either “Source Port” or “Source Socket”, the second classifier has the higher weight.

The higher a classifier's weight, the higher the priority of its related policy rule. A higher-priority policy rule always overrides a lower-priority policy rule.

ACCESS CONTROL ACL Flow Example

In general, access control is done by assigning a policy for traffic at-large and a specific policy for a subset. An example is if the network administrator wants to deny all IP traffic originated from the subnet 192.168.3.xx, except for ICMP traffic. The ICMP traffic is a subset of generic IP traffic. To implement this policy, the ACL conflict resolution logic is required to handle this multiple matching scenario.

In this scenario, all IP traffic originating from the 192.168.3.xx subnet is discarded. This is implemented by the first rule, with the following:

Layer 3 protocol type = IP

IP source address = 192.168.3.0/24

Any matching packet is discarded as specified in ACTION. However, ICMP traffic originating from the 192.168.3.xx subnet should be forwarded. This is supported by the second rule, with the following:

Layer 3 protocol type = IP

Layer 4 protocol type = ICMP

IP source address = 192.168.3.0/24

The action of the second rule is not to discard the packet (Do not drop the matching frame previously marked for dropping).

When two rules match a packet and the resulting actions are conflicting (discard versus not-discard), a higher layer rule has priority over a lower layer rule. In this case, the action of the second rule (Layer 4) is carried out because the first rule is only up to Layer 3.


QoS ACL Flow Example


Here is another scenario to help you understand the flow of ACL. There are four rules in total.

First rule contains the following:

When there is traffic from Layer 2 VLAN ID = 4094

Any matched packet will have its Priority set to 7

Second rule contains the following:

When there is traffic from Layer 2 Source MAC address = 00:00:00:00:00:01

Any matched packet will have its Priority set to 6

Third rule contains the following:

When there is traffic from Layer 2 Source Port = 1

Any matched packet will have its Priority set to 5

Fourth rule contains the following:

When there is traffic from IP source address = 192.168.1.100/32

Any matched packet will have its Priority set to 4

The above four rules can conflict with one another, since traffic can come from port 1 and also carry a source IP address of 192.168.1.100.

When two or more rules match a packet and the resulting actions are conflicting (set to different priority values), a higher layer rule has priority over a lower layer rule. In this case, the action of the fourth rule (Layer 3) is carried out because the other rules are only up to Layer 2. Although VLAN, MAC and Port all belong to Layer 2, their order of precedence is VLAN > MAC > Port.

In conclusion, every parameter (or rule) in the packet header has a weight. The deeper the parameter is in the packet header, the higher its weight. Furthermore, a deeper parameter in the packet header has a much higher weight than shallower parameters.

ACL Scenario


How should I configure the Switch if I want to allow only a certain IP address on a certain port to forward its traffic and deny all others?

In the beginning, we need to set up classifiers to group traffic into data flows based on criteria such as source address, destination address, port number and packet format. In this example, we specify which packets the Switch applies its policy rules to. We define three classifiers. Firstly, we define a classifier for traffic coming from port 2 with the source address 172.23.3.120; secondly, we specify a classifier that is based on port 2. Finally, we specify a classifier for ARP.

After the classification, we need to define policy rules to ensure that the traffic gets the intended treatment in the network. Here, we also define three policy rules. The first policy rule forwards (do not drop the matching frame previously marked for dropping) only the traffic from port 2 with the IP address 172.23.3.120. The second policy rule discards all the traffic from port 2, and we apply it to the second classifier. Moreover, do not forget to apply a policy rule (do not drop the matching frame previously marked for dropping) to the last classifier.

The logic is as follows. Because the first rule has a higher weight (Layer 3 versus Layer 2) than the second rule and third rule, its action overrides the action of the other rules, even though the second rule says “drop all from port 2”. Therefore, all other traffic from port 2 will be dropped, but traffic coming from port 2 with 172.23.3.120 will be forwarded.


GUI configuration of classifier and policy rule.

Classifier 1


Classifier 2


Classifier 3


Policy Rule Configuration

Policy rule on Classifier 1


Policy rule on classifier 2


Policy rule on classifier 3


CLI configuration of classifier and policy rule.

Please log on to the Switch via Telnet, SSH or the console.

Enter configuration mode and type the following commands:

Classifier 1

Switch(config)# classifier AllPort2 source-port 2

Classifier 2

Switch(config)# classifier ARP ethernet-type arp source-port 2

Classifier 3

Switch(config)# classifier Port+IP ethernet-type ip source-port 2 source-ip 172.23.3.120 mask-bits 32

Policy rule on classifier 1

Switch(config)# policy AllowARP classifier ARP vlan 1 egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 outgoing-packet-format tagged out-of-profile-dscp 0 forward-action forward

Policy rule on classifier 2

Switch(config)# policy AllowPort2IP120 classifier Port+IP vlan 1 egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 outgoing-packet-format tagged out-of-profile-dscp 0 forward-action forward

Policy rule on classifier 3

Switch(config)# policy DropAllPort2 classifier AllPort2 vlan 1 egress-port 1 priority 0 dscp 0 tos 0 bandwidth 0 outgoing-packet-format tagged out-of-profile-dscp 0 forward-action drop


Verifying your result


Connect a PC “A” to the Switch on port 2. Connect another PC “B” to the Switch on port 10 with IP 172.23.3.191. First set the IP of PC “A” to 172.23.3.120. At this time, PC “A” can ping PC “B”. However, if you set the IP of PC “A” to any IP other than 172.23.3.120, it can no longer ping PC “B”.
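The following added example (not ZyXEL code) models the "heaviest parameter wins" rule from the weight list above and replays both the port 2 scenario and the QoS flow example against it. The function names, the sample packets, the forward-by-default behaviour for unmatched traffic and the tie handling are assumptions made for illustration.

```python
import ipaddress

# Relative parameter weights, lowest (1) to highest (15), in the page's order.
WEIGHT_ORDER = [
    "source-port", "destination-port", "packet-format", "destination-mac",
    "source-mac", "priority", "vlan", "ethernet-type", "dscp", "ip-protocol",
    "source-ip", "destination-ip", "source-socket", "destination-socket",
    "establish-only",
]
WEIGHT = {name: rank for rank, name in enumerate(WEIGHT_ORDER, start=1)}


def classifier_weight(criteria):
    """A classifier takes the weight of its heaviest parameter."""
    return max(WEIGHT[name] for name in criteria)


def matches(criteria, packet):
    """True when every criterion in the classifier matches the packet."""
    for name, wanted in criteria.items():
        value = packet.get(name)
        if value is None:
            return False
        if name in ("source-ip", "destination-ip"):
            if ipaddress.ip_address(value) not in ipaddress.ip_network(wanted):
                return False
        elif value != wanted:
            return False
    return True


def resolve(policies, packet, default="forward"):
    """Return (policy name, action) of the heaviest matching classifier.

    Assumptions: unmatched traffic is forwarded normally, and a tie between
    equal weights (not covered by the page) goes to the first policy listed.
    """
    hits = [p for p in policies if matches(p["criteria"], packet)]
    if not hits:
        return (None, default)
    winner = max(hits, key=lambda p: classifier_weight(p["criteria"]))
    return (winner["name"], winner["action"])


# The three policies from the CLI configuration on this page.
ACL_POLICIES = [
    {"name": "DropAllPort2", "action": "drop",
     "criteria": {"source-port": 2}},
    {"name": "AllowARP", "action": "forward",
     "criteria": {"ethernet-type": "arp", "source-port": 2}},
    {"name": "AllowPort2IP120", "action": "forward",
     "criteria": {"ethernet-type": "ip", "source-port": 2,
                  "source-ip": "172.23.3.120/32"}},
]

# The four rules from the QoS ACL flow example (rule names are hypothetical).
QOS_POLICIES = [
    {"name": "Rule1", "action": "priority 7", "criteria": {"vlan": 4094}},
    {"name": "Rule2", "action": "priority 6",
     "criteria": {"source-mac": "00:00:00:00:00:01"}},
    {"name": "Rule3", "action": "priority 5", "criteria": {"source-port": 1}},
    {"name": "Rule4", "action": "priority 4",
     "criteria": {"source-ip": "192.168.1.100/32"}},
]

# Constructed sample packets for the verification step.
PC_A_ALLOWED = {"source-port": 2, "ethernet-type": "ip",
                "source-ip": "172.23.3.120"}
PC_A_OTHER_IP = {"source-port": 2, "ethernet-type": "ip",
                 "source-ip": "172.23.3.121"}
PC_A_ARP = {"source-port": 2, "ethernet-type": "arp"}
PC_B = {"source-port": 10, "ethernet-type": "ip", "source-ip": "172.23.3.191"}
QOS_ALL_MATCH = {"source-port": 1, "vlan": 4094,
                 "source-mac": "00:00:00:00:00:01",
                 "source-ip": "192.168.1.100"}
QOS_LAYER2_ONLY = dict(QOS_ALL_MATCH, **{"source-ip": "192.168.1.50"})

if __name__ == "__main__":
    for label, pkt in [("PC A, 172.23.3.120", PC_A_ALLOWED),
                       ("PC A, other IP", PC_A_OTHER_IP),
                       ("PC A, ARP", PC_A_ARP),
                       ("PC B, port 10", PC_B)]:
        print(label, resolve(ACL_POLICIES, pkt))
    print("QoS, all four match", resolve(QOS_POLICIES, QOS_ALL_MATCH))
    print("QoS, Layer 2 only", resolve(QOS_POLICIES, QOS_LAYER2_ONLY))
```

The ARP classifier matters in this model for the same reason it does on the Switch: without it, ARP frames from port 2 match only the port-based drop rule, so PC “A” could never resolve PC “B”.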


Centralized Management


Introduction of SNMPc and NetAtlas

As the number of network devices increases, the demand to detect and respond to network failures or external events in a very short time poses a great challenge to the network administrator. How to easily manage and monitor network devices across networks becomes more and more important in network management.

Figure 1 presents the main elements of the system architecture. The Element Management System (EMS), NetAtlas, provides a centralized remote management platform and acts as SNMPc manager to perform network configuration, system management, event/alarm management, performance management and security for all ZyXEL’s Ethernet Switch solutions. SNMPc is network management software produced by Castle Rock that constantly probes the network elements (NE) and collects information about those NEs for the EMS.

Underneath the EMS is PostgreSQL, the enterprise relational database system, which provides queries for the EMS.

Figure 1 System Architecture


Overview of SNMPc

The following diagram shows the main elements of SNMPc. SNMPc includes the following functions:

Main Button Bar: Buttons and controls to execute commands quickly

Edit Button Bar: Buttons to quickly insert map elements

Event Log Tool: Buttons to display filtered event log entries

View Window Area: Map View, Mib Tables and Mib Graph windows are displayed here.

Figure 2 Main elements of SNMPc


Overview of EMS

The following diagram illustrates the main elements in EMS. EMS contains four main functions.

Menu Shortcut Bar: The buttons execute common commands.

Device Panel: This is a graphical device display.

Device List Panel: View devices in a tree structure. The color of a device indicates its status. Green means the device is working and Red means there is no response from the device.

System Message Panel: View the alarm status and port status of the selected switch.

Figure 3 Overview of EMS


Configuration of adding a new device via SNMPc

In the following example, we illustrate how to get started with SNMPc and NetAtlas by adding a new device. Follow the procedure from Step 1 to Step 11.

Step 1: In the edit button bar shown in Figure 4, select the icon to insert a new element.

Figure 4 Adding a new Device


Add a new device

Step 2: In the map object properties, give the label name and enter the IP address of the selected device. In this example, we configure 172.23.3.11 as the IP address of your Switch, as shown in Figure 5.

Figure 5 Map Object Properties

Step 4: In the map object properties, select the Access tab to set the parameters of Read Access Mode to SNMP V2c, as shown in Figure 6. Change the value of Read Access Mode to SNMP V2c.

Figure 6 Read Access mode


Step 5: In the map object properties, select the Access tab to set the parameters of Read/Write Access Mode to SNMP V2c, as shown in Figure 7. Change the value of Read/Write Access Mode to SNMP V2c.

Figure 7 Read/Write Access Mode


Step 6: In the map object properties, select Access tab to set the parameters of Read community to public as shown in Figure 8.

Figure 8 Read Community


Step 7: In the map object properties, select the Access tab to set the parameters of Read community to public in Figure 9. Change the value of Read/write Community to Public.

Figure 9 Read/write Community

Step 8: In the Selection tool menu, Click the name of your Switch to manage the device.

Figure 10 Device Selection


Step 9: After the selection, a pop-up menu displays the NetAtlas switch manager diagram. Click the Switch Manager to enter the EMS Mapping shown in Figure 11.

Figure 11 Device Selection

Step 10: The EMS mapping displays a logical hierarchy for the device. In the device list, you can see that the devices are added in the Rootmap shown in Figure 12.

Figure 12 Rootmap


Step 11: Click your Switch to configure the device shown in Figure 13.

Figure 13 Device mapping


VLAN Configuration via EMS

In this section, we give an example to illustrate how to use EMS to create a VLAN2 in GS-4024. Here is the procedure.

Step 1: In the device panel list shown in Figure 12, right-click Configuration, Switch Configuration and then the Switch Setup tab, as shown in Figure 12 and Figure 13.

Step 2: Define the VLAN type. There are two types of VLAN: one is 802.1Q and the other is Port-based VLAN. Select 802.1Q as the VLAN type and click Apply, as shown in Figure 14.

Figure 12 Device panel list

Figure 13 Switch Configuration


Figure 14 Selecting a VLAN Type

After the VLAN type selection, a pop-up window indicates that you have finished the configuration. After you have defined the VLAN type as 802.1Q, go back and click Configuration and then VLAN configuration, as shown in Figure 15.

Figure 15 VLAN Configuration


Click the New button to create a new VLAN ID in Figure 16.

Figure 16 Creating a new VLAN ID

Select the egress ports and define them as tagged or untagged, as shown in Figure 17.

Figure 17 Selecting the ports


For more information, refer to the NetAtlas user guide.


Cluster Management Overview

Cluster Management allows you to manage up to 24 switches simultaneously through a single IP address, provided they are in the same broadcast domain and the same VLAN group ID. The cluster manager, which can manage other switches, is called the master device. The other term we use for cluster management is “iStacking”.

• How Cluster Management works

Step 1:

[Diagram: the Cluster manager (Master device) sends "1. HDAP Discover REQ" to the Cluster member (Slave device).]

To discover the clustering members, the clustering manager broadcasts an HDAP (Host Discovery and Address assignment Protocol) Discover request.

Step 2:

[Diagram: the Cluster member (Slave device) returns "2. HDAP Discover RSP" to the Cluster manager (Master device).]

A clustering member listens on UDP port 263. When a clustering member receives a request with the matching signature, it answers with an HDAP Discover Response. In the response, the clustering member provides identity information about itself.

Step 3:

[Diagram: the Cluster manager (Master device) sends "3. HDAP_SET_ADDR_REQ (Address set / Password challenge)" to the Cluster member (Slave device).]

The HDAP_SET_ADDR_REQ (Master device) packet request is used by a clustering manager to assign an IP address and subnet mask to a clustering member.

Step 4:

[Diagram: the Cluster member (Slave device) returns "4. HDAP_SET_ADDR_RSP" to the Cluster manager (Master device).]

The HDAP_SET_ADDR_RSP (Slave device) packet response is used by a clustering member to acknowledge a "Set Address" request. The hardware address uniquely identifies the sender of this response.

After the processes are done, the cluster master will be able to manage the slave switch.

• How to set up Cluster Management in switch

Step 1:

Go to menu: “Management” -> “Cluster Management” -> “Clustering Management Configuration”

In the “Clustering Management Configuration” page, check the “Active” check box to enable Cluster Manager.

In the middle of this page, a table shows all the clustering candidates that can be selected and added as clustering members.

Step 2:


Select a device in the Clustering Candidate table and enter the password which is the admin password for the candidate device to add the clustering member.

Step 3:


Click on the index number to manage the selected clustering member.

Step 4:

In the “Member Menu” pages, you can change any setting of the clustering member, except Cluster Management, Firmware Upgrade and Restore Configuration.

Step 5:


Enter “Management” -> “Cluster Management” -> “Clustering Management Status”. In the “Clustering Management Status” page, you can check the status of each member.

Step 6:

Enter “Management” -> “Cluster Management” -> “Clustering Management Configuration”. In the “Clustering Management Configuration” page, check the Remove checkbox and then click the Remove button to remove a cluster member.


Overview of RMON

Remote Monitoring (RMON) is a standard monitoring specification that enables various network monitors and console systems to exchange network-monitoring data. RMON provides network administrators with more freedom in selecting network-monitoring probes and consoles with features that meet their particular networking needs.

RMON was originally developed to address the problem of managing LAN segments and remote sites from a central location. The RMON specification, which is an extension of the SNMP MIB, is a standard monitoring specification.

Within an RMON network, monitoring data is defined by a set of statistics and functions and exchanged between various different monitors and console systems. Resultant data is used to monitor network utilization for network planning and performance-tuning, as well as assisting in network fault diagnosis.

RMON solutions are comprised of two components: a probe (or an agent or a monitor), and a client, usually a management station. Agents store network information within their RMON MIB and are normally found as embedded software on network hardware such as routers and switches, although they can be a program running on a PC. Agents can only see the traffic that flows through them, so they must be placed on each LAN segment or WAN link that is to be monitored. Clients, or management stations, communicate with the RMON agent or probe, using SNMP to obtain and correlate RMON data.

Now, there are a number of variations to the RMON MIB. For example, the Token Ring RMON MIB provides objects specific to managing Token Ring networks. The SMON MIB extends RMON by providing RMON analysis for switched networks.

RMON Groups

RMON delivers information in nine RMON groups of monitoring elements, each providing specific sets of data to meet common network-monitoring requirements. Each group is optional so that vendors do not need to support all the groups within the Management Information Base (MIB). Some RMON groups require support of other RMON groups to function properly. Table 1 summarizes the nine monitoring groups specified in the RFC 1757 Ethernet RMON MIB.

Table 1: RMON Monitoring Groups

RMON 1 MIB Group: Statistics
Function: Contains statistics measured by the probe for each monitored interface on this device.
Elements: Packets dropped, packets sent, bytes sent (octets), broadcast packets, multicast packets, CRC errors, runts, giants, fragments, jabbers, collisions, and counters for packets ranging from 64 to 128, 128 to 256, 256 to 512, 512 to 1024, and 1024 to 1518 bytes.

RMON 1 MIB Group: History
Function: Records periodic statistical samples from a network and stores for retrieval.
Elements: Sample period, number of samples, items sampled.

RMON 1 MIB Group: Alarm
Function: Periodically takes statistical samples and compares them with set thresholds for events generation. Includes the alarm table and requires the implementation of the event group.
Elements: Alarm type, interval, starting threshold, stop threshold.

RMON 1 MIB Group: Host
Function: Contains statistics associated with each host discovered on the network.
Elements: Host address, packets, and bytes received and transmitted, as well as broadcast, multicast, and error packets.

RMON 1 MIB Group: HostTopN
Function: Prepares tables that describe the top hosts.
Elements: Statistics, host(s), sample start and stop periods, rate base, duration.

RMON 1 MIB Group: Matrix
Function: Stores and retrieves statistics for conversations between sets of two addresses.
Elements: Source and destination address pairs and packets, bytes, and errors for each pair.

RMON 1 MIB Group: Filters
Function: Enables packets to be matched by a filter equation for capturing or events.
Elements: Bit-filter type (mask or not mask), filter expression (bit level), conditional expression (and, or not) to other filters.

RMON 1 MIB Group: Packet Capture
Function: Enables packets to be captured after they flow through a channel.
Elements: Size of buffer for captured packets, full status (alarm), number of captured packets.

RMON 1 MIB Group: Events
Function: Controls the generation and notification of events from this device.
Elements: Event type, description, last time event sent.

Groups of RMON MIB

The objects are arranged into the following groups:

Statistics (iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).rmon(16).statistics(1))

History (1.3.6.1.2.1.16.2)

Alarm (1.3.6.1.2.1.16.3)

Hosts (1.3.6.1.2.1.16.4)

hostTopN (1.3.6.1.2.1.16.5)

Matrix (1.3.6.1.2.1.16.6)

Filter (1.3.6.1.2.1.16.7)

Capture (1.3.6.1.2.1.16.8)

Event (1.3.6.1.2.1.16.9)

All groups in this MIB are optional. (MIB-II is mandatory)

Scenario

(ES-3100 Series supports RMON 1.2.3.9)

In this illustration, SNMPc Enterprise Edition Version 5.1.6c is installed on the PC, and this PC is defined as the “RMON management console”. This PC can ping both ZyXEL ES-3148 switches (Switch A and Switch B). Some probes / networking devices generate traffic to the ZyXEL Switches in order to verify the RMON result. Since the workflow and the technology of RMON on the two switches are the same, only one of the ZyXEL ES-3148 Switches is demonstrated here.

Since RMON is an extension of SNMP, SNMP must be enabled first on the ZyXEL ES-3148. By default, SNMP is enabled, with Community (Get, Set, Trap) set to “public” and Trap Destination set to 0.0.0.0. It is not mandatory to change the default values in order for SNMP and RMON to work. Therefore, modification is not necessary in this case.


In this scenario, we are going to monitor the Broadcast Packets by using the RMON MIB. The following demonstrates the steps to monitor the Broadcast Packets by using SNMPc Enterprise Edition Version 5.1.6c.

Methodology of Scenario Verification

1. Open your SNMPc program first, then pick the ZyXEL-3148 Switch (it is first named as device “root”) and give it the correct IP information to get the SNMP information. You can also rename it to whatever you want.

You can verify whether your configuration is correct by using the “Poll Object” option. Right-click the ES-3148 icon; the option is located inside “Tools”.


2. Secondly, click on the “Mib” tab and expand the SNMP Mibs tree. You will find an “rmon” group there, and again you can expand its sub-tree.


3. Right-click the “etherStatsTable” and choose “View Table”.


4. Find the interface or port that you are looking for. And you can look at the corresponding field and therefore find the value that you want to monitor.

In this case, we are looking for the Broadcast Packets.


Try to generate some broadcast traffic from the probe or your network device, then you should see the BroadcastPkts increasing.

5. In conclusion, if the Switch supports RMON, then you can get the values from the Switch in the RMON Group(s); otherwise, the value returned is 0 and always stays 0. Without RMON support, it is impossible to monitor those elements in the RMON MIB Group.
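The following added example (not part of the original notes) processes a series of polled BroadcastPkts readings the way a management console might: it computes per-interval deltas across a 32-bit counter wrap and applies a simplified rising/falling threshold check in the style of the RMON Alarm group. The sample readings, thresholds and function names are constructed for illustration.

```python
COUNTER32_MOD = 2 ** 32  # BroadcastPkts is a 32-bit counter and wraps to 0


def deltas(samples):
    """Per-interval increase between successive counter readings."""
    return [(cur - prev) % COUNTER32_MOD
            for prev, cur in zip(samples, samples[1:])]


def rmon_alarm_events(samples, rising, falling):
    """Simplified delta alarm with rising/falling thresholds and hysteresis.

    A rising event fires when an interval delta reaches `rising`. No further
    rising event fires until a delta has dropped to `falling` or below, which
    produces a falling event and re-arms the rising alarm.
    Returns a list of (interval_index, "rising" | "falling", delta).
    """
    events = []
    rising_armed, falling_armed = True, False  # assumption: start rising-only
    for i, d in enumerate(deltas(samples), start=1):
        if d >= rising and rising_armed:
            events.append((i, "rising", d))
            rising_armed, falling_armed = False, True
        elif d <= falling and falling_armed:
            events.append((i, "falling", d))
            rising_armed, falling_armed = True, False
    return events


def counter_stuck_at_zero(samples):
    """The page's symptom of missing RMON support: value is 0 and stays 0."""
    return len(samples) > 0 and all(s == 0 for s in samples)


# Constructed readings taken at a fixed polling interval; the counter wraps
# between the second and third reading.
SAMPLES = [4294967000, 4294967200, 500, 5500, 9500, 10000, 10050, 13400]

if __name__ == "__main__":
    print("deltas:", deltas(SAMPLES))
    for event in rmon_alarm_events(SAMPLES, rising=1000, falling=100):
        print("event:", event)
    print("RMON missing?", counter_stuck_at_zero(SAMPLES))
```

The hysteresis keeps a sustained broadcast storm from raising one event per polling interval: intervals 4 and 5 stay above the falling threshold, so only the initial rising event is reported until traffic subsides.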


FAQ

What is the default setting of the IP parameters?

IP address: 192.168.1.1

Subnet: 255.255.255.0

What is the default login Name and Password of the Web Configurator?

ID: admin

Password: 1234

How to access my SWITCH through the console port?

Connect the male 9-pin end of the console cable to the console port of the Switch. Connect the female end to a serial port (COM1, COM2 or other COM port) of your computer, which has terminal emulation software configured to the following parameters:

Terminal emulation: VT100

Baud rate: 9600 bps

Data bits: 8

Parity: none

Stop bit: 1

Flow control: none

What is default login password of the console, telnet, and FTP?

Password: 1234


How to change the password?

Web Configurator is the only place you can change the password. After you log in for the first time, it is recommended you change the default administrator password.

From Web Configurator: Click Advanced Application, Access Control, and then Logins to display the next screen.

From there you can set a new password.

How to access the Command Line Interface?

There are two ways to access the Command Line Interface. One is “Telnet to the switch” and another is “Connect a computer to the console port and use the terminal emulation software.” Please check “How to access the Switch through the console port?” to set up the parameters.

If you forget the password, how to reset the password to default?

If you forget the password, you will need to reload the factory default configuration. Please be aware that you will lose all previous configurations.

1. Connect the console cable to your computer and open the terminal emulation software.


2. Power off and then power on the Switch, and press any key to enter the debug mode when the screen shows “Press any key to enter Debug Mode within 3 seconds.”

3. Type “atlc” and press the enter key

4. When the message “starting XMODEM upload” appears, do XMODEM upload of the default rom file to the Switch

5. After it is done uploading the rom file successfully, type “atgo” to leave the debug mode.

6. The system will be restarted automatically. After the system is up, you should be able to log in with the default password “1234” and the IP address is now 192.168.1.1.

How do I configure an IP address?

From Web Configurator:

Click Basic Setting and then IP Setup to display the next screen.


Is Online Help available on the Web Configurator?

Yes, the Web Configurator’s Online Help is available. Clicking on the Help link will bring up a description of the online help of that screen.

How to restart device from Web?

1. Click Management and then Maintenance in the navigation panel to display the following screen.

2. Click the “Click Here” button next to Reboot System to restart the Switch.

How to check the current running firmware version?

From console, issuing a command, “show system-information” will return the information of the firmware version installed on the switch.

Is the mini GBIC transceiver hot-swappable?

Yes, it is hot-swappable. You can change transceivers while the switch is operating.

What is so called "Dual-Personality interface" in Ethernet Switching?

Dual-Personality GbE interface means that one 1000Base-T Copper port and one SFP port share the same physical interface. Only one of them can be used at a time. Dual-Personality interface is also called "Combo Port" in some cases.
