ZyXEL Communications ES-3124-4F User Manual

Download

ZyXEL ES-3100 Series

(ES-3124/ES-3124PWR/ES-3148/ES-3124-4F)

Ethernet Switch

Support Notes

Version 3.60

September 2006

ES-3100 Series Switch Support Notes

INDEX

How to manage & maintain your Switch?

Firmware Upgrade Restore a Configuration File Backing Up a Configuration File Load Factory Defaults

Physical Switch connection

Connecting two switches via Fiber Channel

General Networking

DHCP option 82 (Relay Agent Information Option)

Separating a physical network into many virtual networks

Introduction to Virtual LAN Port Based Virtual LAN Setting up Port Based VLAN IEEE 802.1Q Tag-based VLAN Setting up Tag-based VLAN Setting up VLAN Trunking How to configure GVRP

IP Multicasting

IGMP Snooping Multicast VLAN Registration (MVR)

To ring a network by building reducdent links and connections between Switch

Introduction to Spanning Tree Protocol How does Spanning Tree Protocol Work?

Switching security

MAC freeze Setting up 802.1x Radius Authentication Classifier & Policy Rule (ACL)

Centralized Management

Introduction of SNMPc and NetAtlas *NetAtlas v1.00 supported ES-3124 / ES-3124PWR *NetAtlas v1.03 and newer releases will support ES-3148 and some new features with ES-3124/ ES-3124PWR Cluster Management -- iStacking Remote Monitoring (RMON)

FAQ

What is the default setting of the IP parameters?

What is the default login Name and Password of the Web Configuration? How to access the Switch through the console port?

ES-3100 Series Switch Support Notes

What is default login password of the console, telnet, and FTP? How to change the password? How to access the Command Line Interface? If I forgot the Switch password, how can I reset the password to default? How do I configure an IP address? Is Online Help available on the Web GUI? How to restart device from Web? How to check the current running firmware version? Is the mini GBIC transceiver hot-swappable? What is so called "Dual-Personality interface" in Ethernet Switching?

Remaining: Some demonstration in this support note may not use the exact model that you are using. However, their functions and settings work the same way.

ES-3100 Series Switch Support Notes

How to manage & maintain your Switch?

Firmware Upgrade

From Web GUI:

1. Download (and unzipped) the correct model firmware to your computer.

2. Click Management and then Maintenance in the navigator panel to bring

up the following screen.

3. Click on the “Click Here” link of the Firmware Upgrade to bring up the

following screen.

4. Browse the firmware located or type in the path into the “File Path” field.

5. Click on the Upgrade button.

ES-3100 Series Switch Support Notes

From Console Port:

1. Download (and unzipped) the correct model firmware to your computer.

2. Connect to the console port and open the Terminal Emulation Software.

3. Restarting the switch to enter the debug mode via the terminal.

4. Enter “ATUR”.

5. Use X-modem protocol to transfer (Send File) the firmware.

6. Enter “ATGO” to restart the switch after done uploading the firmware.

From Command Line FTP:

1. Download (and unzipped) the correct model firmware to your computer.

2. Launch the FTP client on your PC to login to Switch. (From the command

prompt, type “ftp <Switch IP>”

3. Press “Enter” for the User name

4. Enter password to get the ftp prompt.

5. Enter “bin” to set transfer mode to binary.

6. Use “put” to transfer the firmware from the computer to the switch, for

example: “put firmware.bin ras” transfers the firmware on your computer

(firmware.bin) to the switch and renames it “ras”.

7. Enter “quit” to exit the ftp prompt.

ES-3100 Series Switch Support Notes

Restore a Configuration File

From Web GUI:

1. Click Management and then Maintenance in the navigator panel to bring

up the following screen.

2. Click on the “Click Here” link of the Restore Configuration to bring up the

following screen.

3. Browse to locate the file with the file name or type in the path and the file

name into the “File Path” field.

4. Click on the Restore button.

From Console Port:

1. Connect to the console port and open the Terminal Emulation Software.

ES-3100 Series Switch Support Notes

2. Restarting the Switch to enter the debug mode via the terminal.

3. Enter “ATLC”

4. Use X-modem protocol to transfer (Send File) the firmware.

5. Enter “ATGO” to restart the Switch after done uploading the configuration

file.

From Command Line FTP:

1. Download (and unzipped) the correct model firmware to your computer.

2. Launch the FTP client on your PC to login to Switch. (From the command

prompt, type “ftp <Switch IP>”.

3. Press “Enter” for the User name

4. Enter password to get the ftp prompt.

5. Enter “bin” to set transfer mode to binary.

6. Use “put” to transfer the the configuration file from the computer to the

switch, for example: “put comfig.rom rom-0” transfers the firmware on your

computer (config.rom) to the switch and renames it “rom-0”.

7. Enter “quit” to exit the ftp prompt.

ES-3100 Series Switch Support Notes

Backing Up a Configuration File

From Web GUI:

1. Click Management and then Maintenance in the navigator panel to bring

up the following screen.

2. Click on the “Click Here” link of the Backup Configuration to bring up the

following screen.

3. Click on the “Backup” button to bring up the File Download dialog. Then,

clicking on the Save button to backup the configuration rom file to a proper

location.

From Console Port:

1. Connect to the console port and open the Terminal Emulation Software.

2. Restarting the Switch to enter the debug mode via the terminal.

3. Enter “ATTD”

ES-3100 Series Switch Support Notes

4. Use X-modem protocol to transfer (Receive File) the firmware.

5. Enter “ATGO” to restart the Switch after done uploading the configuration

file.

From Command Line FTP:

1. Download (and unzipped) the correct model firmware to your computer.

2. Launch the FTP client on your PC to login Switch. (From the command

prompt, type “ftp <Switch IP>”

3. Press “Enter” for the User name

4. Enter password to get the ftp prompt.

5. Enter “bin” to set transfer mode to binary.

6. Use “get” to transfer the firmware from the computer to the switch, for

example: “get rom-0 config.rom” transfers the firmware on your computer

(config.rom) to the switch and renames it “config.rom”.

7. Enter “quit” to exit the ftp prompt.

ES-3100 Series Switch Support Notes

Load Factory Defaults

From Web GUI:

1. Click Management and then Maintenance in the navigator panel to bring

up the following screen.

2. Click on the “Click Here” button of the Load Factory Defaults to bring up

the following screen.

3. A dialog pops up with the message “Are you sure you want to load factory

defaults?”.

4. Click OK to go to the following dialog.

5. Click on the OK button. Now, all switch configurations has been reset to

the factory defaults and the system will be restarted.

6. Please note that the switch IP address is now 192.168.1.1.

From Console Port:

1. Connect to the console port and open the Terminal Emulation Software.

2. Type in the correct password to bring up the prompt.

Type “erase run” to load the factory default configurations.

ES-3100 Series Switch Support Notes

Physical Switch connection

How to connect two switches via Fiber Channel

Your Switch may come with one or many mini-Gb ports. ZyXEL offers Small

Form-factor Pluggable (SFP) transceivers for Gigabit Ethernet and Fiber

Channel applications. These small, modular optical interface transceivers offer

a convenient and cost effective solution for the adoption of Gigabit Ethernet

and Fiber Channel in data center, campus, metropolitan area access, ring

networks, and storage area networks. It supports full duplex Gigabit speeds and hot-pluggable feature.

Scenario

In this scenario, two Switch with mini-Gb port connected together via its

mini-GB Port with a LC/LC Fiber cable (62.5/125MM). PC “Alpha” is connected

to the Switch on the left and another PC “Delta” is connected to the Switch on

the right via the RJ45 Port (Cat 5 cable).

What you need here to complete this scenario:

z ZyXEL Switch with Mini-GB port x2

(note: Each ES-3100 Series Switch comes with 2 Mini-GB Port)

z SFP-SX Transceiver x2 z LC/LC Fiber Cable (62.5/125MM) x1

ES-3100 Series Switch Support Notes

Here is the photo of the SFP-SX Transceiver & the LC/LC Fiber Cable.

Steps to complete this scenario

1. Find both Mini-GB ports on your Switch first.

ES-3100 Series Switch Support Notes

2. Get one transceiver and plug it into the Mini-GB Port of your Switch

3. Plug another transceiver into the Mini-GB Port of the other Switch

ES-3100 Series Switch Support Notes

4. Remove both side of the protection cap from the LC/LC Fiber Cable.

5. Plug the LC/LC Fiber Cable into the transceivers on both Switch.

If you connected the cable correctly, the LED of the “LINK” will light up.

ES-3100 Series Switch Support Notes

6. Now, connect the first PC “Alpha” to the Switch on the left and the second

PC “Delta” to the Switch on the right via the regular Ethernet cable.

7. Set the NICs in both computers to the same IP Domain.

(ex, PC “Alpha” :192.168.1.4/24; PC “Delta” : 192.168.1.5/24)

8. From PC “Alpha”, PING PC “Delta” at 192.168.1.5

9. From PC “Delta”, PING PC” Alpha” at 192.168.1.4

10. Now you can confirm that the network connection between these two

Switch is up and running.

ES-3100 Series Switch Support Notes

General Networking

DHCP Relay Option 82 Application

ISP may want to limit the number of IP address or deliver some specific IP

addresses according to certain Switch port, VLAN ID and option 82 string.

They can easily to achieve this with DHCP Relay Option 82 feature and a

DHCP server supporting Option 82 function.

Network

DHCP

Server

192.168.1.99

Ethernet Port

Port 25

DHCP Client

ES-3100 Series Switch Support Notes

How to set up DHCP Relay Option 82 Environment

Here, we will set up an environment to allow a PC to get DHCP IP address in

specific IP pool according to its Switch port, VLAN ID and the option 82 string.

In this case, we are using GS-3012 for the demonstration. PC is behind 25th

Switch port and the option 82 string is a string “GS-3012”. We use the IP

Commander as DHCP server. Its IP is 192.168.1.99 and the IP pool is between

192.168.1.201 and 192.168.1.203 for VID=1, Switch port=25 and the option 82

string is “GS-3012”.

1. Switch (GS-3012) settings

Click IP Application, DHCP Relay in the navigation panel to display configuration

screen as shown. You will see the DHCP Relay setup page. Active

the DHCP relay

and Option 82 function. Also, click Information to make “GS-3012” as the

Option 82 string. Information is READ ONLY here and it is the same as the

host name of the Switch.

Now we can connect PC to the 25th SWITCH port. Please see former

applications for detailed settings.

ES-3100 Series Switch Support Notes

3. IP Commander settings

Open IP Commander. Right click “IP commander and then click “connect new

server”.

Input the DHCP IP address or domain name and click “ok”. Our IP is

192.168.1.99.

ES-3100 Series Switch Support Notes

Input user name and password. The default user name is “administrator” and

password is “incognito”.

ES-3100 Series Switch Support Notes

It will bring up the following screen, please make sure that your DHCP is in

“online” status. Then click “wizard” in the top tool bars and select “rule

wizard”.

ES-3100 Series Switch Support Notes

Give a name and description to the new rule.

ES-3100 Series Switch Support Notes

Assign a range of IP addresses or just one IP address to this rule. In our case,

we set the IP pool from 192.168.1.201 to 192.168.1.203.

After input IP pool, we select “DHCP Option” in Keywords combobox.

ES-3100 Series Switch Support Notes

After select the “DHCP Option”, it will pop up “Add DHCP Option Rule” dialog.

Select “option 82 Relay Agent Information”, sub-option 1, binary data. For port

25, VLAN 1, “GS-3012”, please key in “0019000147532d33303132” as the key

value and click OK. Please note that the first 2 bytes define port number, the

second 2 bytes is VLAN ID and the other bytes are the Option 82 string.

ES-3100 Series Switch Support Notes

After you finish above step, you will see the following figure.

ES-3100 Series Switch Support Notes

Then pop up the following screen and you can just press Next button.

Then you can add DHCP template (option) such as gateway, DNS server and

so on.

ES-3100 Series Switch Support Notes

Here we use “192.168.1.1” as gateway IP address of DHCP client PC.

ES-3100 Series Switch Support Notes

You can apply DDNS service to DHCP server or not.

The rule creation has been finished.

ES-3100 Series Switch Support Notes

After finishing all above procedures, your PC will get the IP address

192.168.1.201 when you send a DHCP request.

ES-3100 Series Switch Support Notes

Separating a physical network into many virtual networks

What is Virtual LAN?

• VLAN Overview

A VLAN (Virtual Local Area Network) allows a physical network to be

partitioned into multiple logical networks. Stations on a logical network belong

to one group called VLAN Group. A station can belong to more than one group.

The stations on the same VLAN group can communicate with each other. With

VLAN, a station cannot directly talk to or hear from stations that are not in the

same VLAN group(s); the traffic must first go through a router.

In MTU or IP-DSLAM applications, VLAN is vital in providing isolation and

security among the subscribers. When properly configured, VLAN prevents

one subscriber from accessing the network resources of another on the same

LAN, thus a user will not see the printers and hard disks of another user in the

same building.

VLAN also increases network performance by limiting broadcasts to a smaller

and more manageable logical broadcast domain. A VLAN group is a broadcast

domain. In traditional Layer-2 switched environments, all broadcast packets go

to each and every individual port. With VLAN, all broadcasts are confined to a

specific broadcast domain.

There are two most popular VLAN implementations, Port-based VLAN and

IEEE 802.1q Tagged VLAN. ES-3100 series supports both VLAN

implementations. The most difference between both VLAN implementations is

Tagged VLAN can across Layer-2 switch but Port-based VLAN cannot.

• Port-based VLAN

Port-based VLANs are VLANs where the packet forwarding decision is based

on the destination MAC address and its associated port. You must define

ES-3100 Series Switch Support Notes

outgoing ports allowed for each port when using port-based VLANs. Note that VLAN

only governs the outgoing traffic, in the other word, it is unidirectional.

Therefore, if you wish to allow two subscriber ports to talk to each other, e.g.,

between conference rooms in a hotel, you must define the egress (outgoing

port) for both ports. An egress port is an outgoing port, that is, a port through

which a data packet leaves.

There are 5 hosts (Host A, B, C, D and E) connected to a 5-port layer-2 switch

which supported port-based VLAN.

Case 1: Host A and Host B can talk to each other, because they are in the

same VLAN group. But Host A and Host B can't talk to Host C, D, and E.

Port-based VLAN definition:

• Egress port for port 1: port 2

• Egress port for port 2: port 1

Case 2: There are 3 VLAN groups in the physical network. Host A and Host B

can talk to each other; they are in the same VLAN group 1. Host B and Host C

are in VLAN group 2. Host A, Host D and Host E are in VLAN group 3.

ES-3100 Series Switch Support Notes

Port-based VLAN definition:

• Egress port for port 1: port 2, port 4, port 5

• Egress port for port 2: port 1, port 3

• Egress port for port 3: port 2

• Egress port for port 4: port 1, port 5

• Egress port for port 5: port 1, port 4

• Port-based VLAN across different switch

Port-based VLAN is specific only to the switch on which it was created. Definitely,

Port-based VLAN can't across different switches. As the following network diagram

shown in most MTU case, for the sake of security, subscribers are isolated with each

other except for the gateway. There are two switches, Switch-2 and Switch-3,

supported port-based VLAN and uplink to a none-port-based VLAN switch, Switch-1.

ES-3100 Series Switch Support Notes

For Switch-2, port 1, port 2, and port 3 are allowed to communicate back and forth

with uplink port 4, but not with other ports.

• Switch-2 VLAN 1 member port: port 1 and port 4

• Switch-2 VLAN 2 member port: port 2 and port 4

• Switch-2 VLAN 3 member port: port 3 and port 4

For Switch-3, port 2, port 3, and port 4 are allowed to communicate back and forth

with uplink port 1, but not with other ports.

• Switch-3 VLAN 1 member port: port 2 and port 1

• Switch-3 VLAN 2 member port: port 3 and port 1

• Switch-2 VLAN 3 member port: port 4 and port 1

Host A can't talk to Host B due to the port-based VLAN in Switch-2, and Host C can't

talk to Host D due to the port-based VLAN in Switch-3. But both Switch-2 and

Switch-3 uplink to the none VLAN Switch-1. Host A and Host B will talk to Host C and

Host D via the none VLAN switch because port-based VLAN can't across different

switches.

To achieve the security between different switches, you must put another port-based

VLAN switch for the uplink. Each port on the uplink switch also should be separated

into different VLAN, except for the port to the gateway. So subscribers only can talk to

the gateway for Internet access but not communicate with each other.

ES-3100 Series Switch Support Notes

For Switch-1, port 1, port2, and port 3 are allowed to communicate back and forth with

uplink port 4, but not with other ports.

• Switch-1 VLAN 1 member port: port 1 and port 4

• Switch-1 VLAN 2 member port: port 2 and port 4

• Switch-1 VLAN 3 member port: port 3 and port 4

How to configure Port-Based VLAN

Port-based VLANs are VLANs where the packet forwarding decision is based

on the destination MAC address and its associated port.

ES-3100 Series Switch Support Notes

Scenario

In this scenario, Port Based VLAN is used to separate one physical Switch into

two smaller logical Switches. Port 1~4 and 9, 10 are in one group. And Port

5~10 are in another group. Port-based VLANs are specific only to the switch

on which they were created.

ES-3100 Series Switch Support Notes

Configuring your Switch to fulfill this scenario (GUI)

1. Connect port 1 with a PC or Notebook via the RJ45 Cable.

2. By default the MGMT IP on every port is 192.168.1.1/24

3. Set your NIC to 192.168.1.2/24

4. Open an Internet browser such as IE and give http://192.168.1.1 on

the URL.

5. By default you will need to put “admin” as the username and “1234” as

the password.

6. After you login successfully, you will see a similar screen like below.

7. First, we need to tell the Switch to run VLAN as port based instead of

802.1q based. In order to do so, we first click on the “Basic Setting”,

then “Switch Setup”; on your right screen the VLAN Type, choose “Port

Based” instead of “802.1Q”, and click “Apply” to save your changes.

ES-3100 Series Switch Support Notes

8. Now, you need to tell the Switch how you are going to separate the

physical Switch into some logical small Switches. Thus, we click

“Advanced Application” then “VLAN”. On the right screen, check the

boxes to suit your need. In this case, we need to make port 1~4 and

port 9, 10 in a group in order for them to communicate in both ways.

And port 5~10 in another group but these two groups cannot talk with

each others. Here we also logically defined Port 9 and Port 10 as the

uplink ports. Therefore, both groups can pass data to Port 9 and Port

10. In another word, these two ports belong to both of the groups on

the same time. Please confirm if your setting looks similar to below.

ES-3100 Series Switch Support Notes

9. Finally, you can now verify your result. If everything works fine, PC A

can ping PC B and PC Z. But it cannot ping PC C or PC D. On the

same time, this should work vice versa.

10. For example,

PC A: 192.168.1.4/24

PC B: 192.168.1.5/24

PC C: 192.168.1.6/24

PC D: 192.168.1.7/24

PC Z: 192.168.1.99/24

11. PING PC B from PC A (Should work)

ES-3100 Series Switch Support Notes

12. PING PC Z from PC A (Should work)

13. PING PC C from PC A (Should NOT work)

ES-3100 Series Switch Support Notes

Configuring your Switch to fulfill this scenario (CLI)

1. Connect the Switch Console port with your PC or Notebook.

2. Open your Terminal program.(Ex, Hyper Terminal in Windows

System)

3. Make sure that your port settings are

bps:9600

Data bits:8

Parity: None

Stop bits:1

Flow control: None:

4. After you connected successfully, give the correct user name and

password.

5. Put “en” or “enable” to go into the privileged mode. Then put “config” to

go into the configuration mode.

6. Put the following commands to setup Port Based VLAN on your Switch

in this

ES-3100 Series Switch Support Notes

scenario.

7. When all of the above are done, do not forget to give the “write

memory” command under the enable mode to save your configuration.

What is IEEE 802.1Q Tag-based VLAN?

• Tag-based VLAN Overview

Regarding IEEE 802.1Q standard, Tag-based VLAN uses an extra tag in the MAC

header to identify the VLAN membership of a frame across bridges. This tag is used

for VLAN and QoS (Quality of Service) priority identification. The VLANs can be

created statically by hand or dynamically through GVRP. The VLAN ID associates a

frame with a specific VLAN and provides the information that switches need to

ES-3100 Series Switch Support Notes

process the frame across the network. A tagged frame is four bytes longer than an

untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing

within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control

Information, starts after the source address field of the Ethernet frame).

• TPID: TPID has a defined value of 8100 in hex. When a frame has the

EtherType equal to 8100, this frame carries the tag IEEE 802.1Q / 802.1P.

• Priority: The first three bits of the TCI define user priority, giving eight (2^3)

priority levels. IEEE 802.1P defines the operation for these 3 user priority bits.

• CFI: Canonical Format Indicator is a single-bit flag, always set to zero for

Ethernet switches. CFI is used for compatibility reason between Ethernet type

network and Token Ring type network. If a frame received at an Ethernet port

has a CFI set to 1, then that frame should not be forwarded as it is to an

untagged port.

• VID: VLAN ID is the identification of the VLAN, which is basically used by the

standard 802.1Q. It has 12 bits and allows the identification of 4096 (2^12)

VLANs. Of the 4096 possible VIDs, a VID of 0 is used to identify priority

frames and value 4095 (FFF) is reserved, so the maximum possible VLAN

configurations are 4,094.

Note that user priority and VLAN ID are independent of each other. A frame

with VID (VLAN Identifier) of null (0) is called a priority frame, meaning that

only the priority level is significant and the default VID of the ingress port is

given as the VID of the frame.

ES-3100 Series Switch Support Notes

• How 802.1Q VLAN works

According to the VID information in the tag, the switch forward and filter the

frames among ports. These ports with same VID can communicate with each

other. IEEE 802.1Q VLAN function contains the following three tasks, Ingress

Process, Forwarding Process and Egress Process.

1. Ingress Process:

Each port is capable of passing tagged or untagged frames. Ingress Process

identifies if the incoming frames contain tag, and classifies the incoming frames

belonging to a VLAN. Each port has its own Ingress rule. If Ingress rule accept

tagged frames only, the switch port will drop all incoming non-tagged frames. If

Ingress rule accept all frame type, the switch port simultaneously allow the incoming

tagged and untagged frames:

• When a tagged frame is received on a port, it carries a tag header that has a

explicit VID. Ingress Process directly pass the tagged frame to Forwarding

Process.

• An untagged frame doesn't carry any VID to which it belongs. When a

ES-3100 Series Switch Support Notes

untagged frame is received, Ingress Process insert a tag contained the PVID

into the untagged frame. Each physical port has a default VID called PVID

(Port VID). PVID is assigned to untagged frames or priority tagged frames

(frames with null (0) VID) received on this port.

After Ingress Process, all frames have 4-bytes tag and VID information, and

then go to Forwarding Process.

2. Forwarding Process:

The Forwarding Process decides to forward the received frames according to

the Filtering Database. If you want to allow the tagged frames can be

forwarded to certain port, this port must be the egress port of this VID. The

egress port is an outgoing port for the specified VLAN, that is, frames with

specified VID tag can go through this port. The Filtering Database stores and

organizes VLAN registration information useful for switching frames to and

from switch ports. It consists of static registration entries (Static VLAN or

SVLAN table) and dynamic registration entries (Dynamic VLAN or DVLAN

table). SVLAN table is manually added and maintained by the administrator.

DVLAN table is automatically learned via GVRP protocol, and can't be created

and upgraded by the administrator.

The VLAN entries in Filtering Database have the following information:

1. VID: VLAN ID

2. Port: The switch port number

3. Ad Control: Registration administration control. There are 3 type of ad

control, including forbidden registration, fixed registration and normal

registration.

ES-3100 Series Switch Support Notes

• Forbidden registration: This port is forbidden to be the egress

port of specified VID..

• Fixed registration: While ad control is fixed registration, it means

this is a static registration entry. This port is the egress port of the

specified VID (a member port of the specified VLAN). The frames

with specified VID tag can go through this port.

• Normal registration: While ad control is normal registration, it

means this is a dynamic registration entry. The forwarding

decision is depended on Dynamic VLAN table.

4. Egress tag Control: This information is used for Egress Process. The

value may be tagged or untagged. If the value is tagged, the outgoing

frame on the egress port is tagged. If the value is untagged, the tag will be

removed before frame leaves the egress port.

VID Port Ad Control Tag Control

10 1 Forbidden Tag

10 2 Fixed Tag

10 3 Normal UnTag

20 1 Fixed Tag

20 5 Fixed UnTag

Filtering Database

VID Egress Port

10 1

10 2

20 3

Dynamic VLAN (DVLAN) table

3. Egress Process:

The Egress Process decides if the outgoing frames but be sent tagged or

untagged. The Egress Process refers to the egress tag control information in

ES-3100 Series Switch Support Notes

Filtering Database. If the value is tagged, the outgoing frame on the egress

port is tagged. If the value is untagged, the tag will be removed before frame

leaves the egress port.

How to connect two switches using VLAN?

I want to make VLAN on two layer 2 switches, and I want to connect first switch

to second switch with trunk port. There will be 5 VLAN on first Switch and there

will be 7 VLAN on second switch. Trunk port will be port 25 on both switches

as well. I made VLAN s on both switch, but I did not find trunk options on both

switches. How can I use Port 25 as trunk port?

The scenario is described as below:

Where the configurations of VLAN in this two switches are:

VLAN 2, 3, 4, 5, 6, 7, 8 on switch A

VLAN 2, 3, 4, 5, 6 on switch B

Configuration of VLAN on switch A

ES-3100 Series Switch Support Notes

-------------------------------------

2. Configuration of VLAN on switch B

Answer:

-------------------------------------

In switch A, add port 25 in each VLAN

VID:101 (port 1,2,3,"25 TAG")

VID:102 (port 4,5,6,,"25 TAG")

VID:103 (port 7,8,9,10,"25 TAG")

VID:104 (port 23,24,"25 TAG")

VID:105 (port 11,12,13,14,"25 TAG")

VID:106 (port 15,16,17,"25 TAG")

VID:107 (port 18,19.20,21,"25 TAG")

-------------------------------------

In switch B, add port 25 in each VLAN

VID:101 (port 1,2,3,,4,"25 TAG")

ES-3100 Series Switch Support Notes

VID:102 (port 6,7,8,9,10,"25 TAG")

VID:103 (port 11,12,13,14,"25 TAG")

VID:104 (port 15,16,17,18,"25 TAG")

VID:105 (port 19,20,21,23,22"25 TAG)

Clients in same VLAN on both switches can communicate each other.

PVID:

z Set PVID on switch 1

Port 1, 2, 3 : 101

Port 4, 5, 6 : 102

Port 7, 8, 9, 10 : 103

Port 23, 24: 104

Port 11, 12, 13, 14: 105

Port 15, 16, 17: 106

Port 18, 19, 20, 21: 107

port 25: PVID=any

z Set PVID on switch 2:

Port 1, 2, 3, 4 : 101

Port 6, 7, 8, 9, 10, : 102

Port 11, 12, 13, 14, : 103

Port 15, 16, 17, 18: 104

Port 19, 20, 21, 22, 23: 105

Port 25:PVID=any

ES-3100 Series Switch Support Notes

Setting up VLAN Trunking

With the benefit of deploying VLAN trunking, we can connect two switches by a

port that is configured as VLAN trunking port. PC1 with each VLAN tag frames

from switch 1 can communicate with PC2 with another VLAN tag frames in

switch 2 via VLAN trunking port. In our example, we set up port 5 in switch 1 as

the VLAN Trunking port while in switch 2, we set up port 10 as the VLAN

Trunking port.

In the switch 1, the configuration is:

ES-3100 Series Switch Support Notes

In the switch 2, the configuration is

In the switch 1, we set port 2 as VLAN 2 untag

ES-3100 Series Switch Support Notes

In the switch 2, we set port 6 as VLAN 2 untag.

The switch 1 IP address: 192.168.1.31

The switch 2 IP address: 192.168.1.21

After the configuration, we can observe that in the switch 1, the PC1 running on

port 2 can find the PC2 running on port 6 in the switch 2.

ES-3100 Series Switch Support Notes

How to configure GVRP?

Description:

In this scenario, PCs belong to different divisions within a single

corporation can not communicate with each other, and we leave some ports of

switches for GVRP-aware PC and others for VLAN-unaware PC. So network

administrator can manage and configure VLAN smartly based on different

devices and requirements. For switches on floor 1 and 2, PC connecting to

port 3 joins VLAN 10 statically; PC connecting to port 4 joins VLAN 20 statically;

and PCs connecting to port 1&2 can join VLAN 10/20/30 which determined by

its configuration on GVRP-aware NIC dynamically. For switch on basement,

PC connecting to port 1 joins VLAN 30 while PC connecting to port 3 can join

VLAN10/20/30 dynamically. Please Note: all clients connecting to switches in

this scenario should be located in the same subnet (in this example, the subnet

is 192.168.1.0/24)

How to configure this scenario:

1. For Switch A on Floor 2:

ES-3100 Series Switch Support Notes

Please enter VLAN setting under Advanced Application menu and click “static

VLAN” to bring up the following screen, adding VLAN 10: port 3, fixed, untag;

port 23, fixed, Tx tagging”.

Add VLAN 20 to this switch, VLAN 20: port 4, fixed, untag; port 23, fixed, Tx

tagging.

Please click VLAN port setting to bring up the following screen, setup PVID 10

for port 3, PVID 20 for port 4, and enable GVRP on the top of the screen and

port 1, port 2, port 23.

ES-3100 Series Switch Support Notes

2. For Switch B on Floor 1:

Please follow the same steps to adding VLAN 10: port 3, fixed, untag; port

23, fixed, Tx tagging; port 24, fixed, Tx tagging”.

Add VLAN 20 to this switch, VLAN 20: port 4, fixed, untag; port 23, fixed, Tx

tagging; port 24, fixed, Tx tagging.

ES-3100 Series Switch Support Notes

Please click VLAN port setting to bring up the following screen, setup PVID 10

for port 3, PVID 20 for port 4, and enable GVRP on the top of the screen

and port 1, port 2, port 23, port 24.

3. For Switch C on Basement:

Please set static VLAN 10: port 23, fixed, untag.

ES-3100 Series Switch Support Notes

Please set static VLAN 20: port 23, fixed, untag.

Please add VLAN 30: port 1, fixed, untag; port23, fixed, untag; port 24,

fixed, Tx tagging.

ES-3100 Series Switch Support Notes

Please setup PVID 30 for port 1 and enable GVRP on port 3 and port 24.

Then, this scenario is done here.

ES-3100 Series Switch Support Notes

IP Multicasting

How to setup IGMP snooping in your switch?

Figure 1: IGMP and IGMP snooping

IGMP snooping is designed for application with deployment of multicast traffic.

It operates on the underlying IGMP mechanism where a layer two switch

passively listens to the IGMP Query, Report and Leave (IGMP version 2)

packets transmitted between the IGMP router and clients and collects passing

IGMP messages. After that, the switch records the message’s group

registration information, and configures multicasting information accordingly. If

the multicast group information is unknown (not recorded on the switch), the

switch discards that multicast traffic. Only the registered clients that join the

group will receive multicast stream from the IGMP router. Thus this

significantly reduces the multicast traffic forwarded down to the clients.

Another advantage of IGMP snooping is to allow the intermediate switch to

learn multicast group information without manually configuring switches.

ES-3100 Series Switch Support Notes

Configuration of IGMP snooping by web

In this example, we enable the IGMP function on the GS-4024 (an IGMP router)

to connect to a multimedia server. Also, we enable IGMP snooping function on

the ES-3124 or other ZyXEL L2 Switch to connect to the multimedia clients.

Figure 2: IGMP snooping Example

Step one: In the GS-4024, click the IP Application, select IGMP where,

IGMP function can be enabled and we can select either IGMP-v1 or IGMP-v2.

Figure 3: IGMP Setup

ES-3100 Series Switch Support Notes

Step two: In the L2 Switch, click Basic Setting and then Switch Setup

where we can enable IGMP snooping function with WEB-GUI.

Figure 4: IGMP Snooping Setup

Configuration of IGMP and IGMP snooping by CLI

Step one: Enable IGMP function

In the configure mode

GS-4024(config)# router igmp

Step two: Enable IGMP snooping

ES-3100 Series Switch Support Notes

In the configure mode of CLI,

L2Switch(config)# igmp-snooping

Step three: Display the IGMP Status

In the exec mode of CLI

GS-4024# show router igmp

Step Four: Display the IGMP snooping Status

In the exec mode of CLI

L2Switch# show igmp-snooping

______________________________________________________________

Note: One thing needs to be mentioned is that in the IGMP router, we do not

need to enable IGMP snooping function.

ES-3100 Series Switch Support Notes

Overview of MVR

MVR refers to Multicast VLAN Registration that enables a media server to

transmit multicast stream in a single multicast VLAN while clients receiving

multicast VLAN stream can reside in different VLANs. Clients in different

VLANs intend to join or leave the multicast group simply by sending the IGMP

Join/leave message to a receiver port. The receiver port belongs to one of the

multicast group can receive multicast stream from media server. In the Figure

1, without support of MVR, the Multicast stream from media server and

subscriber must reside in the same VLAN. For each VLAN, A media server is

required to transmit multicast stream once and totally, media server transmits 6

times. In the Figure 2, on the contrary, with MVR, a media server is required to

transmit multicast traffic once to clients in different VLANs.

Figure 1

Figure 2

ES-3100 Series Switch Support Notes

MVR Mode

 Dynamic Mode

If we select the dynamic mode in MVR setting, IGMP report message

transmitted from the receiver port will be forwarded to a multicast router

through its source port. Multicast router knows which multicast groups exist on

which interface dynamically.  Compatible mode

If we select the dynamic mode in MVR setting, IGMP report message

transmitted from the receiver port will not be transmitted to a multicast router.

Multicast router must be statically configured.

Operation Mode

 Join Operation

A subscriber sends an IGMP report message to the switch to join the

appropriate multicast. Whether IGMP report matches the switch

ES-3100 Series Switch Support Notes

configured multicast MAC address. If matches, the switch CPU

modifies the hardware address table to include this receiver port and

VLAN as a forwarding destination of the MVLAN

 Leave Operation

Subscriber sends an IGMP leave message to the switch to leave the

multicast. The switch CPU sends an IGMP group-specific query

through the receiver port VLAN. If there is another subscriber in the

VLAN, subscriber must respond within the max response time. If

there is no subscriber, the switch eliminates this receiver port.

 Immediate Leave Operation

Subscriber sends an IGMP leave message to the switch to leave the

multicast. Subscribers do not need to wait the switch CPU to send an

IGMP group-specific query through the receiver port VLAN. The

switch will immediately eliminate this receiver port.

ES-3100 Series Switch Support Notes

Scenario of MVR

In the following section, we will provide an example to illustrate how to

configure MVR. In this scenario, the media stream from the media servers will

be transmitted from port 24 of GS-4024 (as an IGMP Router) to ES-3124 (L2

edge Switch) and GS-4012F.(work as L2 edge Switch). On Switch ES-3124

and GS4012F, we enabled the MVR function to allocate the multicast traffic

from GS-4024 to separate VLAN hosts located on ES-3124 and GS-4012F.

Moreover, we created a dummy ip interface for the multicast VLAN (VLAN100)

on GS-4024. VLAN100 will be the Multicast VLAN in this scenario.

Illustration of this scenario

ES-3100 Series Switch Support Notes

Configuration via Web [GS-4024]

1. First of all, you need to create all those IP domains on the GS-4024 Switch.

Once you completed those VLANs, your VLAN status should looks like the

same as below.

2. Below are their related PVID settings.

ES-3100 Series Switch Support Notes

3. Right after the VLAN, you should add the IP domains to the related VLANs.

4. Since this GS-4024 works as an IGMP Router, you need to enable IGMP

V2 on the multicast ip interface (which is the dummy interface). Please

notice that since GS-4024 works here as an IGMP Router, you cannot

enable IGMP Snooping on the same time because IGMP Snooping is a L2

feature.

ES-3100 Series Switch Support Notes

Here we have done everything we need on the IGMP Router <GS-4024>.

ES-3100 Series Switch Support Notes

Configuration via Web [ES-3124]

1. At the very beginning, you can create your MVR VLAN First (which is

VLAN100). To create this multicast VLAN, we do it in another way. First,

access to the GUI of your Switch. Then click “Advanced Application” on the

left and choose “Multicast”. Finally, you should click MVR on the right frame

to setup your Multicast VLAN.

2. Give a name to this Multicast VLAN following by its VLAN ID. Active this

VLAN; Pick port 1 and 2 as the receiver ports; Pick port 27 and 28 as the

Source Port. In this scenario, we need to make the source ports remain the

VLAN “tag”. Thus, we come out the following setting. Click “add” to create

this VLAN. When the VLAN is set, we keep going and click “Group

Configuration” on the upper right corner to create our Multicast Groups.

ES-3100 Series Switch Support Notes

3. First of all, please choose the Multicast VLAN ID that we just created

(which is VLAN100). Then give a name to this group, as long as you can

understand. Place the range of Multicast groups here with the start address

and End address. Finally, click “Add” to create this group. (In this scenario,

we use 224.10.10.0 ~ 224.10.10.50)

4. At this point we go back to the “Multicast Setting” page, enable “IGMP

Snooping” here. (Since MVR needs IGMP Snooping). For Unknown

Multicast Frame, we prefer “Drop” here in order to avoid any Multicast

Video with no subscriber. (No body joining that multicast group).

ES-3100 Series Switch Support Notes

5. Right after that you will need to create all other non-Multicast VLANs on this

Switch. Once you completed those VLANs, your VLAN status should looks

like the same as below.

6. Below are their related PVID settings.

ES-3100 Series Switch Support Notes

Here we have done everything we need on the Edge Switch <ES-3124>.

ES-3100 Series Switch Support Notes

Configuration via Web [GS-4012F]

1. At the very beginning, you can create your MVR VLAN First (which is

VLAN100). To create this multicast VLAN, we do it in another way. First,

access to the GUI of your Switch. Then click “Advanced Application” on the

left and choose “Multicast”. Finally, you should click MVR on the right frame

to setup your Multicast VLAN.

2. Give a name to this Multicast VLAN following by its VLAN ID. Active this

VLAN; Pick port 11 as the receiver port; Pick port 9 and 10 as the Source

Port. In this scenario, we need to make the source port remains the VLAN

“tag”. Thus, we come out the following setting. Click “add” to create this

VLAN. When the VLAN is set, we keep going and click “Group

Configuration” on the upper right corner to create our Multicast Groups.

ES-3100 Series Switch Support Notes

3. First of all, please choose the Multicast VLAN ID that we just created

(which is VLAN100). Then give a name to this group, as long as you can

understand. Place the range of Multicast groups here with the start address

and End address. Finally, click “Add” to create this group. (In this scenario,

we use 224.10.10.0 ~ 224.10.10.50)

4. At this point we go back to the “Multicast Setting” page, enable “IGMP

Snooping” here. (Since MVR needs IGMP Snooping). For Unknown

Multicast Frame, we prefer “Drop” here in order to avoid any Multicast

ES-3100 Series Switch Support Notes

Video with no subscriber. (No body joining that multicast group).

5. Right after that you will need to create all other non-Multicast VLANs on this

Switch. Once you completed those VLANs, your VLAN status should looks

like the same as below.

6. Below are their related PVID settings.

ES-3100 Series Switch Support Notes

Here we have done everything we need on the Edge Switch <GS-4012F>.

ES-3100 Series Switch Support Notes

Configuration via CLI [GS-4024]

Connect the Switch Console port with your PC or Notebook.

8. Open your Terminal program.(Ex, Hyper Terminal in Windows System)

9. Make sure that your port settings are

bps:9600

Data bits:8

Parity: None

Stop bits:1

Flow control: None:

10. After you connected successfully, give the correct user name and

password.

11. Put “en” or “enable” to go into the privileged mode. Then put “config” to go

into the configuration mode.

Issue the following commands to setup your Switch in this scenario.

To Create VLAN2 with its related IP domain:

vlan 2

name server

normal 1,3-24

fixed 2

forbidden ""

untagged 2

ip address 192.168.2.1 255.255.255.0

exit

To Create VLAN100 (Multicast VLAN) with its related IP domain (the

dummy interface):

vlan 100

name MVR

normal 1-23

fixed 24

ES-3100 Series Switch Support Notes

forbidden ""

untagged ""

ip address 111.111.111.111 255.255.255.0

exit

To Create VLAN101 with its related IP domain:

vlan 101

name 101

normal 1-10,12-23

fixed 11,24

forbidden ""

untagged 11

ip address 192.168.101.1 255.255.255.0

exit

To Create VLAN102 with its related IP domain:

vlan 102

name 102

normal 1-11,13-23

fixed 12,24

forbidden ""

untagged 12

ip address 192.168.102.1 255.255.255.0

exit

To Create VLAN109 with its related IP domain:

vlan 109

name 109

normal 1-8,10-23

fixed 9,24

forbidden ""

untagged 9

ip address 192.168.109.1 255.255.255.0

exit

To Create VLAN110 with its related IP domain:

vlan 110

ES-3100 Series Switch Support Notes

name 110

normal 1-9,11-23

fixed 10,24

forbidden ""

untagged 10

ip address 192.168.110.1 255.255.255.0

exit

To enable IGMP Routing:

router igmp

exit

To set PVID of Port 2:

interface port-channel 2

pvid 2

exit

To set PVID of Port 9:

interface port-channel 9

pvid 109

exit

To set PVID of Port 10:

interface port-channel 10

pvid 110

exit

To set PVID of Port 11:

interface port-channel 11

pvid 101

exit

To set PVID of Port 12:

interface port-channel 12

pvid 102

exit

ES-3100 Series Switch Support Notes

To enable IGMP v2 on the dummy IP interface:

interface route-domain 111.111.111.111/24

ip igmp v2

exit

ES-3100 Series Switch Support Notes

Configuration via CLI [ES-3124]

Connect the Switch Console port with your PC or Notebook.

1. Open your Terminal program.(Ex, Hyper Terminal in Windows System)

2. Make sure that your port settings are

bps:9600

Data bits:8

Parity: None

Stop bits:1

Flow control: None:

3. After you connected successfully, give the correct user name and

password.

4. Put “en” or “enable” to go into the privileged mode. Then put “config” to go

into the configuration mode.

Issue the following commands to setup your Switch in this scenario.

To Setup VLAN 101:

vlan 101

name Data

normal 2-27

fixed 1,28

forbidden ""

untagged 1

exit

To Setup VLAN 102:

vlan 102

name Data

normal 1,3-27

fixed 2,28

forbidden ""

ES-3100 Series Switch Support Notes

untagged 2

exit

To enable IGMP Sooping with unknown Multicast “Drop”:

igmp-snooping

igmp-snooping unknown-multicast-frame drop

To set PVID of Port 1:

interface port-channel 1

pvid 101

exit

To set PVID of Port 2:

interface port-channel 2

pvid 102

exit

To create the MVR VLAN 100 with group information:

mvr 100

source-port 27-28

receiver-port 1-2

name 100

tagged 27-28

group 224.10.10.0 start-address 224.10.10.0 end-address 224.10.10.50

exit

ES-3100 Series Switch Support Notes

Configuration via CLI [GS-4012F]

Connect the Switch Console port with your PC or Notebook.

1. Open your Terminal program.(Ex, Hyper Terminal in Windows System)

2. Make sure that your port settings are

bps:9600

Data bits:8

Parity: None

Stop bits:1

Flow control: None:

3. After you connected successfully, give the correct user name and

password.

4. Put “en” or “enable” to go into the privileged mode. Then put “config” to go

into the configuration mode.

Issue the following commands to setup your Switch in this scenario.

To Setup VLAN 109:

vlan 109

name 109

normal 1-8,10,12

fixed 9,11

forbidden ""

untagged 9

exit

To Setup VLAN 110:

vlan 110

name 110

normal 1-9,12

fixed 10-11

forbidden ""

untagged 10

ES-3100 Series Switch Support Notes

exit

To enable IGMP Sooping with unknown Multicast “Drop”:

igmp-snooping

igmp-snooping unknown-multicast-frame drop

To set PVID of Port 9:

interface port-channel 9

pvid 109

exit

To set PVID of Port 10:

interface port-channel 10

pvid 110

exit

To create the MVR VLAN 100 with group information:

mvr 100

source-port 11

receiver-port 9-10

name 100

tagged 11

group 100 start-address 224.10.10.0 end-address 224.10.10.50

exit

ES-3100 Series Switch Support Notes

To ring a network by building reducdent links and connections between Switch

What is Spanning Tree Protocol

• Spanning Tree Overview

Spanning-Tree Protocol (STP) is a Layer 2 protocol designed to run on bridges

and switches. The specification for STP is defined in IEEE 802.1d. The main

purpose of STP is to ensure that you do not run into a loop situation when you

have redundant paths in your network. STP detects/disables network loops

and provides backup links between switches or bridges. It allows the device to

interact with other STP compliant devices in your network to ensure that only

one path exists between any two stations on the network.

The redundant topology without STP will cause the following problem:

1. Broadcast storm:

Without Spanning Tree loop avoidance mechanism, each switch will endlessly

flood broadcast packets to all ports. This situation is called broadcast storm.

1. When Host sends a broadcast frame, like an ARP request to Router,

the frame will be received by Switch A.

2. Switch A identify the destination MAC address field (broadcast

FF:FF:FF:FF:FF:FF) in the frame and determine to flood it onto

Segment B.

3. When the broadcast frame arrives at Switch B, Switch will repeat

above process, flood it to Segment A.

4. The broadcast frame will endlessly travel around the loop network

even Router has already received this frame.

ES-3100 Series Switch Support Notes

2. Filtering Database Instability:

When multiple copies of a frame arrive at different ports of a switch, the MAC

entry instability in Filtering Database will occur.

1. Host sends an unicast frame to Router (source MAC address is

Host's MAC, destination MAC address is Router's MAC). Both

Switch A and Switch B will receive this frame and learn MAC

address of Host on Port 2.

2. Switch A has not yet learned the MAC address of Router. So Switch

A will flood a copy of the received frame to Segment B.

3. When the copy of the frame from Switch A arrives at Switch B,

Switch B will remove the first entry (Host MAC address on Port 2) in

Filtering Database and add a new mapping of Host MAC address

on Port 1. Switch B incorrectly learn Host MAC address on Port 1.

Switch B can't forward frames properly because the instability of

mapping MAC address to Port.

ES-3100 Series Switch Support Notes

How STP Works

Spanning Tree provide a loop-free network. When a switch supported STP

recognize a loop in the network topology, it blocks one or more redundant

ports. Spanning Tree Protocol continually explore the network, so when the

network topology changes, STP automatically reconfigure switch ports to avoid

the failure by blocking certain port.

Spanning tree algorithm aware switches (bridges) exchange configuration

messages periodically. The configuration message is a multicast frame called

BPDU (Bridge Protocol Data Unit) or Hello message. According to BPDU,

these STP aware will construct a loop free network with "tree" architecture.

STP operation is listed as the following:

1. Select a root bridge

Only one switch/ bridge can be selected as the root bridge in a given network.

All other decisions in the network, such as which port is blocked and which port

is put in forwarding mode, are made regarding this root bridge. The root bridge

is the "root" of the constructed "tree".

1. One of the important field included in the BPDU is the bridge ID.

Each bridge has unique bridge ID. The root bridge is the bridge

with the lowest bridge ID in the spanning tree network.

ES-3100 Series Switch Support Notes

2. The bridge ID includes two parts, bridge priority (2 bytes) and

bridge MAC address (6 bytes). The 802.1d default bridge priority is

32768. For example, a switch with default priority 32768 (8000 hex),

MAC address is 00:A0:C5:12:34:56, its bridge ID is

8000:00A0:C512:3456.

3. On the root bridge, all its ports are designated ports. Designated

ports are always in the forwarding state. While in forwarding

state, a port can receive and send traffic.

2. Select a root port for the non-root bridge

For the non-root switch/bridge, there will be one root port. The root port is the

port through which this non-root switch / bridge communicates with the root

bridge (the "leaf" side of the "tree").

1. The root port is the port on the non-root bridge with the lowest path

cost to the root bridge. The root port is normally in forwarding

state.

2. Path cost is the total cost of transmitting a frame on to a LAN

through that port to bridge root. It is assigned according to the

bandwidth of the link. The slower the media, the higher the cost.

Some of the path costs specified in the IEEE 802.1d specification

are listed below.

Recommended

Link Speed

Cost

Cost Range

4Mbps 250 100 to 1000

10Mbps 100 50 to 600

16Mbps 62 40 to 400

100Mbps 19 10 to 60

1Gbps 4 3 to 10

10Gbps 2 1 to 5

3. When multiple ports have the same path cost to root bridge, the

port with lowest port priority is selected as root port.

3. Select a designated port on each segment

ES-3100 Series Switch Support Notes

For each LAN segment (collision domain), there is a designated port. The

designated port has the lowest cost to the root bridge. Designated ports are

normally in the forwarding state to forward and receive traffic to the segment. If

more than one port in the segment have the same path cost, the port on which

bridge has lowest bridge ID is selected as a designated port.

1. How STP works

After STP determines the lowest cost spanning tree, it enables all root ports

and designated ports, and disables all other ports. Network packets are

therefore only forwarded between root ports and designated ports, eliminating

any possible network loops. STP-aware devices exchange Bridge Protocol

Data Units (BPDUs) periodically. When the bridged LAN topology changes, a

new spanning tree is constructed.

Once a stable network topology has been established, all bridges listen for

Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a

bridge does not get a Hello BPDU after a predefined interval (Max Age), the

bridge assumes that the link to the root bridge is down. This bridge then

initiates negotiations with other bridges to reconfigure the network to

re-establish a valid network topology.

For example:

Switch A:

MAC = 00A0C5111111,

Priority = 32768

Switch B:

MAC = 00A0C5222222,

Priority = 32768

Switch C: MAC =

00A0C5333333

Priority = 1

Port 1 Port 2 Port 1 Port 2 Port 1

Cost 19 100 Cost 19 100 Cost 19

Priority 128 128 Priority 128 128 Priority 128

ES-3100 Series Switch Support Notes

1. Switch A bridge ID = 8000:00A0:C511:1111, Switch B bridge ID =

8000:00A0:C522:2222, Switch C bridge ID =

0001:00A0:C533:3333. Switch C has the lowest bridge ID, so

Switch C is the root bridge. All ports of the root bridge are

designated ports, so Port 1 is designated port.

2. For non-root bridge Switch A, Port 1 path cost to root bridge is 19,

Port 2 path cost is 119, 100 (Switch A Port 2) + 19 (Switch B Port 1).

For Switch B, Port 1 path cost is 19, Port 2 path cost is 119. Root

port = Port 1 of Switch A and Switch B because it has the lowest

path cost to the root bridge Switch C.

3. On Segment A, both Port 2 of Switch A and Switch B have the

same path cost to root bridge. Since Switch A has lower bridge ID

than Switch B, the designated port is selected on Switch A. So Port

2 of Switch A is designated port.

Blocking = Port 2 of Switch B, the non designated port on the segment.

Forwarding = All designated ports and root ports.

ES-3100 Series Switch Support Notes

Switching security

MAC freeze

As an added protection against network intrusion attacks, ZyXEL has

implemented the MAC Freeze feature on ES-2108 Series, ES-3124, ES-2024,

ES-3100 Series and ES-4024A. Security has been the focus of our Ethernet

switch design. This feature will also be available for GS-4024, GS-4012F,

GS-3012 Series, GS-2024 and new switch models in future firmware releases.

With the MAC freeze feature enabled, dynamic MAC addresses on specified

ports are stored in the static MAC address table. At the same time, MAC

address learning is disabled on these ports thus denying network access for

computers within unknown MAC addresses.

Without the MAC freeze function, any computer can access the network

through a switch port. The port automatically learns the computer’s MAC

address and stores that to the MAC address table.

Activate the MAC freeze function on a port by entering the port-security [port

number] MAC-freeze

The following figure shows an example where the MAC freeze feature is

enabled on port 6. The switch automatically copies all dynamically learnt MAC

address on port 6 to the static MAC address.

Figure 1: Enable MAC Freeze Example

command in the CLI.

ES-3100 Series Switch Support Notes

You can display the Static MAC Address screen in the web configurator to

view the copied MAC addresses.

Figure 2: Displaying MAC Addresses From MAC Freeze

After you enabled MAC freeze on port 6 using the CLI command, the switch

automatically disables MAC address learning on that port. Display the Port

Security screen to verify this.

Figure 3: Disabled Automatic MAC Address Learning After MAC Freeze

ES-3100 Series Switch Support Notes

Setting up 802.1x Radius Authentication.

Port-Authentication -- RADIUS settings:

Click Advanced Application, Port Authentication in the navigation

panel to display configuration screen as shown. Click Enable

Authentication Server and set the RADIUS server IP address, UDP

port and shared Secret, which is the same as Radius server. Then click

Apply to make the settings take effect.

Click the 802.1x link to enter the 802.1x settings. Check the Enable

Authentication and click Apply button to enable 802.1x authentication.

Check Enable to turn on 802.1x authentication on that port. You can leave

other settings as default values. Click Apply to save your changes.

ES-3100 Series Switch Support Notes

RADIUS server setup

Click RADIUS, RADIUS SERVER in the navigation panel to display

configuration screen as shown. You can use the default values or change

the Authentication port, Shared Secret. Remember these values MUST

be the as the settings of client.

Create User Account

Click RADIUS, USER ACCOUNT in the navigation panel to display

configuration screen as shown. You can use the existed user account or

create the new one by clicking Add New User button. Remember the

client site MUST use the account in RADIUS server.

Windows XP(Supplicant) settings:

There are many supplicants we can choose like MeetingHouse Aegis

client, Funk Odyssey client and Microsoft 802.1x client. We take Microsoft

ES-3100 Series Switch Support Notes

802.1x client as an example here.

802.1x/MD5-challenge setup

Open the Local Area connection Properties, and then click

Authentication page. Check the Enable IEEE 802.1x authentication for

this network and select the MD5-challenge in EAP type combobox.

Please see the following figure.

When the 802.1x starts, it will prompt you to enter the user name and

password. Please see the following figure.

ES-3100 Series Switch Support Notes

After click the icon, there will be a dialog for entering the user name

and password. Click ok after input the correct user name and password

that are in the database of authentication server. The settings of client site

are finished.

ES-3100 Series Switch Support Notes

After finishing the above procedures, we can allow the authenticated

port the access the server. If the switch port doesn’t be authenticated, the

PCs behind the port can’t access the network.

ES-3100 Series Switch Support Notes

Setting up Classifier & Policy rule to perform Access

Control on your Switch

Introduction on ACL

ACL (Access Control List) is the name of a combination of Classifier and Policy

Rule. A classifier groups traffic into data flows according to specific criteria

such as the source address, destination address, source port number,

destination port number or incoming port number. For example, you can

configure a classifier to select traffic from the same protocol port (such as

Telnet) to form a flow. A policy rule ensures that a traffic flow gets the

requested treatment in the network. Please be advised that you must first

configure a classifier in the Classifier screen before you configure a policy rule.

The relative weight of parameters in ACL

In the classifier, there are a lot of parameters that we can set. Each parameter holds a relative weight. This relative weight is meaningless unless

there is a multiple match (or conflict) on the rules.

Here is the order of weight from lowest to the highest:

1. [ Source-port ]

2. [ Destination-port ]

3. [ Packet-format ]

4. [ Destination-mac ]

5. [ Source – mac ]

6. [ Priority ]

7. [ VLAN ID ]

8. [ Ethernet-type ]

9. [ DSCP ]

10. [ IP-Protocol ]

11. [ Source-IP ]

12. [ Destination-IP ]

13. [ Source – Socket ]

14. [ Destination – Socket ]

15. [ Establish Only ]

If you choose a combination of parameters as your rules, the rule with a

ES-3100 Series Switch Support Notes

higher weight of parameter just gets the highest weight at all. For example, you

have defined the first classifier to have “Source Port” plus “Source Socket” as

your rule parameters; and your second classifier has only “Destination Socket”

as your rule parameter; at this time, since “Destination Socket” has a relative

high weight comparing to “Source Port” or “Source Socket”, thus the second

classifier will have a higher weight.

The higher the weight a classifier has, the higher the priority its related

policy rule can apply. A higher priority of policy rule can always overwrite a

lower priority of policy rule.

ACCESS CONTROL ACL Flow Example

In general, access control is done by assigning a policy for traffic at-large

and a specific policy for a subset. An example is if the network administrator

wants to deny all IP traffic originated from the subnet 192.168.3.xx, except for

ICMP traffic. The ICMP traffic is a subset of generic IP traffic. To implement

this policy, the ACL conflict resolution logic is required to handle this multiple

matching scenario.

In this scenario, all IP traffic originating from the 192.168.3.xx subnet is

discarded. This is implemented by the first rule, with the following:

• Layer 3 protocol type = IP

• IP source address = 192.168.3.0/24

Any packet matched is discarded as specified in ACTION—but if there is ICMP

traffic originated from the 192.168.3.xx subnet, they should be forwarded. This

is supported by the second rule, with the following:

• Layer 3 protocol type = IP

• Layer 4 protocol type = ICMP

• IP source address = 192.168.3.0/24

The action of the second rule is not to discard the packet (Do not drop the

matching frame previously marked for dropping).

When two rules match a packet and the resulting actions are conflicting

(discard versus not-discard), a higher layer rule has priority over lower layer

rule. In this case, the action of the second rule (Layer 4) is carried out because

the first rule is only up to Layer 3.

ES-3100 Series Switch Support Notes

QoS ACL Flow Example

Here is another scenario to help you understanding the flow of ACL. There

are totally 4 rules.

First rule contains the following:

• When there is traffic from Layer 2 VLAN ID = 4094

Any matched packet will be set the Priority to 7

Second rule contains the following:

•When there is traffic from Layer 2 Source MAC address = 00:00:00:00:00:01

Any matched packet will be set the Priority to 6

Third rule contains the following:

•When there is traffic from Layer 2 Source Port = 1

Any matched packet will be set the Priority to 5

Fourth rule contains the following:

•When there is traffic from IP source address = 192.168.1.100/32

Any matched packet will be set the Priority to 4

The above four rules are conflicting together since you can have traffic

coming from port 1 and also come with a source IP address of 192.168.1.100.

When two or more rules match a packet and the resulting actions are

conflicting (Set to different priority value), a higher layer rule has priority over

lower layer rule. In this case, the action of the fourth rule (Layer 3) is carried

out because the other rules are only up to Layer 2. Although VLAN, MAC, Port

are all belonging to Layer two, their carrying out priority would be

VLAN>MAC>Port.

In conclusion, every parameter (or rule) in the packet header has a weight.

The deeper the parameter in the packet header, the higher the weight is.

Further more, the deeper parameter in the packet header has much more

100

ZyXEL Communications ES-3124-4F User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual