ZyXEL Communications ES3500 Series manuals
When we buy a new device such as the ZyXEL Communications ES3500 Series, we often throw away most of the documentation except the warranty.
Very often, issues with the ZyXEL Communications ES3500 Series begin only after the warranty period ends, and you may want to find out how to repair it or just do some service work.
Even more often, it is hard to remember what each function of the ZyXEL Communications ES3500 Series Network Router is responsible for and which options to choose for the expected result.
Fortunately, you can find all manuals for Network Router on our site using the links below.
ZyXEL Communications ES3500 Series Manual
360 pages 8.58 Mb
1 ES3500 SeriesUser’s Guide 3 Contents Overview5 Table of ContentsPart I: User’s Guide Chapter 7 Basic Setting8 10.2 Configuring Static MAC ForwardingConfigure Multiple Rapid Spanning Tree Protocol Multiple Rapid Spanning Tree Protocol Status 13.8.1 Multiple Spanning Tree Protocol Port Configuration Multiple Spanning Tree Protocol Status 9 Link AggregationPort Authentication Port Security Classifier Policy Rule Queuing Method 10 22.1.1 Strictly Priority Queuing22.1.2 Weighted Fair Queuing 22.1.3 Weighted Round Robin Scheduling (WRR) 23.1.1 VLAN Stacking Example 23.3.1 Frame Format 23.4.1 Port-based Q-in-Q 23.4.2 Selective Q-in-Q 24.1.1 IP Multicast Addresses 24.1.2 IGMP Filtering 24.1.3 IGMP Snooping 24.1.4 IGMP Snooping and VLANs 24.4 IGMP Snooping VLAN 24.6 MVR Overview 24.6.1 Types of MVR Ports 24.6.2 MVR Modes 24.6.3 How MVR Works 24.8.1 MVR Configuration Example 25.1.1 Local User Accounts 25.1.2 RADIUS and TACACS+ 25.2.1 RADIUS Server Setup 11 25.2.2 TACACS+ Server Setup25.2.3 AAA Setup 25.2.4 Vendor Specific Attribute 25.2.5 Tunnel Protocol Attribute 25.3.1 Attributes Used for Authentication 25.3.2 Attributes Used for Accounting 26.1.1 DHCP Snooping Overview 26.1.2 ARP Inspection Overview 26.4 DHCP Snooping 26.5.1 DHCP Snooping Port Configure 26.5.2 DHCP Snooping VLAN Configure 26.6.1 ARP Inspection VLAN Status 26.6.2 ARP Inspection Log Status 26.7.1 ARP Inspection Port Configure 26.7.2 ARP Inspection VLAN Configure 28.1.1 VLAN Mapping Example 29.1.1 Layer-2Protocol Tunneling Mode 12 30.1 sFlow Overview30.2 sFlow Port Configuration 30.2.1 sFlow Collector Configuration PPPoE Intermediate Agent Overview 31.1.1 PPPoE Intermediate Agent Tag Format 31.1.2 Sub-OptionFormat 31.1.3 Port State 31.2 The PPPoE Screen PPPoE Intermediate Agent 31.3.1 PPPoE IA Per-Port 31.3.2 PPPoE IA Per-Port Per-VLAN 31.3.3 PPPoE IA for VLAN Error Disable CPU Protection Overview Error-DisableRecovery Overview The Error Disable Screen CPU Protection Configuration Error-DisableDetect 
Configuration Error-DisableRecovery Configuration Private VLAN Private VLAN Overview Configuring Private VLAN Green Ethernet Overview Configuring Green Ethernet Static Route Static Routing Overview Configuring Static Routing 13 36.1.1 DSCP and Per-HopBehavior36.1.2 DiffServ Network Example 36.2.1 TRTCM-Color-blindMode 36.2.2 TRTCM-Color-awareMode 36.3.1 Configuring 2-Rate3 Color Marker Settings 36.3.2 Configuring DSCP Profiles 36.4.1 Configuring DSCP Settings 37.1 DHCP Overview 37.1.1 DHCP Modes 37.1.2 DHCP Configuration Options 37.3 DHCP Relay 37.3.1 DHCP Relay Agent Information 37.3.2 Configuring DHCP Global Relay 37.3.3 Global DHCP Relay Configuration Example 37.4.1 Example: DHCP Relay for Two VLANs 38.8 FTP Command Line 38.8.1 Filename Conventions 38.8.2 FTP Command Line Procedure 38.8.3 GUI-basedFTP Clients 38.8.4 FTP Restrictions 14 39.3.5 Configuring SNMP Trap Group15 ARP TableAppendix A Common Services 19 Getting to Know Your Switch25 Hardware Installation and Connection2.1 Installation Scenarios 2.2Desktop Installation Procedure 2.3Mounting the Switch on a Rack 28 Hardware Overview3.1 Front and Rear Panels29 Chapter 3 Hardware OverviewFigure 12 ES3500-24HPRear Panel Figure 13 ES3500-8PDFront Panel Ethernet Ports PoE In Figure 14 ES3500-8PDRear Panel DC Power Connection The following table describes the connectors on the front and rear panels Table 3 Front and Rear Panel Connections LABEL DESCRIPTION 10/100 Mbps Connect these ports to a computer, a hub, an Ethernet switch or router RJ-45Ethernet Ports Dual Personality Interfaces RJ-45Ports: Connect these ports to high-bandwidthbackbone network Ethernet switches using Category 5/5e/6 copper cables SFP Slots: The console port is for local configuration of the Switch AC Power Connect an appropriate power supply to this port Connection DC Power 31 •Type: SFP connection interface•Connection speed: 1 Gigabit per second (Gbps) Use the following steps to install a mini-GBICtransceiver (SFP module) 2Press the 
transceiver firmly until it clicks into place 4Close the transceiver’s latch (latch styles vary) 32 Figure 16 Connecting the Fiber Optic CablesUse the following steps to remove a mini-GBICtransceiver (SFP module) 1Remove the fiber optic cables from the transceiver 2Open the transceiver’s latch (latch styles vary) 3Pull the transceiver out of the slot Figure 17 Removing the Fiber Optic Cables Figure 18 Opening the Transceiver’s Latch Example Figure 19 Transceiver Removal Example 33 3.2 LEDs37 The Web Configurator4.1 Introduction 4.2System Login 38 4.3The Web Configurator Layout40 In the navigation panel, click a main link to reveal a list of submenu linksTable 7 Navigation Panel Sub-linksOverview BASIC SETTING ADVANCED IP APPLICATION MANAGEMENT APPLICATION Note: Only the ES3500-24HPhas a PoE menu Note: Only the ES3500-8PDhas a Green Ethernet menu The following table describes the links in the navigation panel Table 8 Navigation Panel Links LINK 41 Chapter 4 The Web ConfiguratorTable 8 Navigation Panel Links (continued) This link takes you to a screen where you can configure the Switch to supply power over Ethernet Advanced Application VLAN This link takes you to screens where you can configure port-basedor 802.1Q Static MAC Forwarding port. These static MAC addresses do not age out Static Multicast This link takes you to a screen where you can configure static multicast MAC addresses for port(s). 
These static multicast MAC addresses do not age out Filtering This link takes you to a screen to set up filtering rules Spanning Tree Protocol prevent network loops Bandwidth This link takes you to screens where you can cap the maximum bandwidth Control allowed on a port Broadcast Storm This link takes you to a screen to set up broadcast filters Mirroring interference Link Aggregation form one logical, higher-bandwidthlink Port This link takes you to a screen where you can configure IEEE 802.1x port Authentication Switch Port Security set the maximum number of MAC addresses to learn on a port Classifier This link takes you to a screen where you can configure the Switch to group packets based on the specified criteria Policy Rule special treatment on the grouped packets Queuing Method queue weights for each port VLAN Stacking This link takes you to screens where you can activate and configure VLAN stacking Multicast IGMP snooping and create multicast VLANs AAA This link takes you to a screen where you can configure authentication (Terminal Access Controller Access-ControlSystem Plus) IP Source Guard DHCP and ARP packets in your network Loop Guard This link takes you to a screen where you can configure protection against network loops that occur on the edge of your network VLAN Mapping the Switch Layer 2 Protocol Tunneling Tunneling) settings on the Switch 42 sFlowThis link takes you to screens where you can configure sFlow settings on the PPPoE use to identify and authenticate a PPPoE client Errdisable disable recovery Private VLAN This link takes you to a screen where you can block traffic between ports in a VLAN on the Switch Green Ethernet power consumption. See Chapter 34 on page 266 for more details IP Application Static Routing This link takes you to a screen where you can configure static routes. 
A static route defines how the Switch should forward traffic by configuring the TCP/IP parameters manually DiffServ rules and set DSCP-to-IEEE802.1pmappings DHCP This link takes you to screens where you can configure the DHCP settings Management Maintenance file maintenance as well as reboot the system Access Control and configure SNMP and remote management Diagnostic This link takes you to screens where you can view system logs and can test port(s) Syslog server Cluster and view its status MAC Table ARP Table resolution table Configure Clone This link takes you to a screen where you can copy attributes of one port to (an)other port(s) 43 4.4 Saving Your Configuration4.5 Switch Lockout 44 4.6Resetting the Switch45 4.7 Logging Out of the Web Configurator4.8 Help 47 Initial Setup Example52 Tutorials79 System Status and Port Statistics7.1 Overview 7.2 Port Status Summary80 Chapter 7 System Status and Port StatisticsThe following table describes the labels in this screen Table 11 Status screen (refer to Figure 29 on page 81) Name This is the name you assigned to this port in the Basic Setting > Port Setup screen Link For Ethernet ports, this field displays the speed (10M for 10Mbps or 100M for 100Mbps) and duplex (F for full duplex or H for half) settings for full duplex or H for half) and media type (Copper) settings for half) and media type (Copper or Fiber) settings This field displays Down if the port is not connected to any device State port (see Section 13.1 on page 124 for more information) displays STOP LACP enabled on the port TxPkts This field shows the number of transmitted frames on this port RxPkts This field shows the number of received frames on this port Errors This field shows the number of received errors on this port Tx KB/s This field shows the number of kilobytes per second transmitted on this port Rx KB/s This field shows the number of kilobytes per second received on this port Up Time has been up Clear Counter information for that port, or select 
Any to clear statistics for all ports 81 Figure 29 Status > Port DetailsTable 12 Status: Port Details 82 Table 12 Status: Port Details (continued)duplex (F for full duplex or H for half) settings half) and media type (Copper) settings type (Copper or Fiber) settings Status Section 13.1 on page 124 for more information) STOP This field shows if LACP is enabled on this port or not This field shows the number of transmitted frames on this port This field shows the number of received frames on this port This field shows the number kilobytes per second transmitted on this port This field shows the total amount of time the connection has been up Tx Packet The following fields display detailed information about packets transmitted Unicast This field shows the number of good unicast packets transmitted This field shows the number of good multicast packets transmitted Broadcast This field shows the number of good broadcast packets transmitted Pause This field shows the number of 802.3x Pause packets transmitted Rx Packet The following fields display detailed information about packets received This field shows the number of good unicast packets received This field shows the number of good multicast packets received This field shows the number of good broadcast packets received This field shows the number of 802.3x Pause packets received TX Collision The following fields display information on collisions while transmitting Single exactly one collision Multiple more than one collision Excessive reset Late have already been transmitted Error Packet 83 Chapter 7 System Status and Port StatisticsRX CRC Length Runt including the ones with CRC errors Distribution in length 65 and 127 octets in length 128 and 255 octets in length 256 and 511 octets in length 512 and 1023 octets in length 1024 and 1518 octets in length Giant 1519 octets and the maximum frame size The maximum frame size varies depending on your switch model 84 Basic Setting8.1 Overview 8.2 System Information85 Table 
13 Basic Setting > System InfoSystem Name Product Model This field displays the model number of the Switch ZyNOS F/W Version created Ethernet Address Hardware Monitor Temperature Unit Fahrenheit) in this field BOARD PHY printed circuit board Current This shows the current temperature at this sensor MAX This field displays the maximum temperature measured at this sensor MIN This field displays the minimum temperature measured at this sensor Threshold This field displays the upper temperature limit at this sensor Fan Speed (RPM) (ES3500-24HP falls below the threshold shown only) This field displays this fan's current speed in Revolutions Per Minute (RPM) "<41" is displayed for speeds too small to measure This field displays the minimum speed at which a normal fan should work this fan is functioning below the minimum speed Voltage (V) the voltage falls out of the tolerance range This is the current voltage reading This field displays the maximum voltage measured at this point This field displays the minimum voltage measured at this point otherwise Error is displayed 86 8.3 General Setup87 8.4 Introduction to VLANs89 8.5 Switch Setup90 Table 15 Basic Setting > Switch Setup (continued)Aging Time Join Leave Leave All Join Timer a Join Period timer. 
The allowed Join Time range is between 100 and background information Leave Timer Timer; the default is 600 milliseconds Leave All Timer Timer Priority Queue Assignment Level delay) Architecture) transactions business traffic that can tolerate some delay This is for “spare bandwidth” allowed but that should not affect other applications and users Typically used for best-efforttraffic Click Cancel to reset the fields 91 8.6 IP Setup92 Table 16 Basic Setting > IP SetupDomain Name Server use a domain name instead of an IP address Default Management IP Address DHCP Client subnet mask, a default gateway IP address and a domain name server IP address automatically Static IP Address select this option IP Address Enter the IP address of your Switch in dotted decimal notation for example IP Subnet Mask Enter the IP subnet mask of your Switch in dotted decimal notation for example Default Gateway example VID a member of Management VLAN configuring Click Cancel to begin configuring the fields again Management IP Addresses the VID field below Enter the IP subnet mask in dotted decimal notation Type the VLAN group identification number non-volatilememory when you are done configuring Click Cancel to reset the fields to your previous configuration Index This field displays the IP address This field displays the subnet mask This field displays the ID number of the VLAN group This field displays the IP address of the default gateway 93 8.7 Port Setup94 8.8 PoE95 Figure 35 Powered Device ExamplesPSE PDPD PoE Figure 36 Basic Setting > PoE Status Table 18 Basic Setting > PoE Status PoE Status PoE Mode in Classification or Consumption mode mode Total Power enabled devices on the PoE ports 96 Consuming Power (W)the connected PoE-enableddevices Allocated Power (W) negotiating with the connected PoE device(s) Consuming Power (W) can be less than or equal but not more than the Allocated Power (W) Remaining Power (W) This field displays the amount of power the Switch can still provide for 
PoE Note: The Switch must have at least 16 W of remaining power in order to supply power to a PoE device, even if the PoE device needs less than 16 W the Basic Setting > PoE Status screen • Disable - The PD connected to this port cannot get power • Enable - The PD connected to this port can receive power Class This shows the power classification of the PD and current (mA) that the PD requires to function. The ranges are as follows • Class 0 - Default, 0.44 to • Class 1 - Optional, 0.44 to • Class 2 - Optional, 3.84 to • Class 3 - Optional, 6.49 to • Class 4 - Reserved (PSEs classify as Class 0) in a switch that supports IEEE PD Priority the Switch, you can set the PD priority to allow the Switch to provide power to ports with higher priority first • Critical has the highest priority served ports are served This field displays the current amount of power consumed by the PD from the Switch on this port Max Power (mW) This field displays the maximum amount of power the PD could use from the Max Current (mA) This field displays the maximum amount of current drawn by the PD from the 97 PoE SetupPoE Status Table 19 Basic Setting > PoE Setup Select the power management mode you want the Switch to use with lower priority do not get power to function supply so that each connected PD gets a resource. 
However, the power Select this to provide power to a PD connected to the port If left unchecked, the PD connected to the port cannot receive power from the This field is not available for the Gigabit or mini-GBICports ports with higher priority Select Critical to give the PD connected to this port the highest priority critical priority ports are served critical and high priority ports are served are done configuring 99 VLAN116 Static MAC Forward Setup10.1 Overview 10.2 Configuring Static MAC Forwarding117 Chapter 10 Static MAC Forward SetupTable 28 Advanced Application > Static MAC Forwarding clearing this rule Note: Static MAC addresses do not age out Enter the VLAN identification number forwarded changes to the non-volatilememory when you are done configuring Click Clear to reset the fields to the factory defaults Click an index number to modify a static MAC address rule for a port (No). You may temporarily deactivate a rule without deleting it address-forwardingrule number to which the MAC address belongs 118 Static Multicast Forward Setup122 Filtering12.1 Configure a Filtering Rule123 Chapter 12 FilteringAdvanced Application > FIltering (continued) MAC Click Clear to clear the fields to the factory defaults which the MAC address belongs This field displays the VLAN group identification number button Click Cancel to clear the selected checkbox(es) in the Delete column 124 Spanning Tree Protocol13.1 STP/RSTP Overview 129 13.2 Spanning Tree Protocol Status Screen13.3 Spanning Tree Configuration 130 13.4 Configure Rapid Spanning Tree Protocol131 Chapter 13 Spanning Tree ProtocolTable 34 Advanced Application > Spanning Tree Protocol > RSTP (continued) Bridge Priority the root switch. Select a value from the drop-downlist box and Forwarding Delay Hello Time This is the time interval in seconds between BPDU (Bridge Protocol Data Units) configuration message generations by the root switch. 
The allowed range is 1 to seconds Max Age is 6 to 40 seconds Forwarding Delay data loops might result. The allowed range is 4 to 30 seconds As a general rule: Note: 2 * (Forward Delay - 1) >= Max Age >= 2 * (Hello Time + 1) Select this check box to activate RSTP on this port Edge is configured as an edge port or when its link status changes Unit (BPDU) Configure the priority for each port here between 0 and 255 and the default value is media, the higher the cost - see Table 31 on page 124 for more information 132 13.5 Rapid Spanning Tree Protocol Status133 13.6 Configure Multiple Rapid Spanning Tree Protocol134 13.7 Multiple Rapid Spanning Tree Protocol Status135 Note: This screen is only available after you activate MRSTP on the SwitchFigure 67 Advanced Application > Spanning Tree Protocol > Status: MRSTP Table 37 Advanced Application > Spanning Tree Protocol > Status: MRSTP edit MRSTP settings on the Switch Select which STP tree configuration you want to view This Switch may also be the root bridge This ID is the same for Root and Our Bridge if the Switch is the root switch message before attempting to reconfigure listening to learning to forwarding) 136 13.8 Configure Multiple Spanning Tree Protocol137 Table 38 Advanced Application > Spanning Tree Protocol > MSTPClick Status to display the MSTP Status screen (see Figure 70 on page 140) on the Switch Spanning Tree Protocol > Configuration screen to enable MSTP on the Switch screen to enable MSTP on the Switch MaxAge rule: Maximum hops discarded and the port information is aged Enter a descriptive name (up to 32 characters) of an MST region Revision Number number to belong to the same region Instance Use this section to configure MSTI (Multiple Spanning Tree Instance) settings supports instance numbers tree instance 53248, 57344 and 61440) 138 Table 38 Advanced Application > Spanning Tree Protocol > MSTP (continued)VLAN Range remove from the VLAN range edit area in the End field Next click: • Add - to add this 
range of VLAN(s) to be mapped to the MST instance • Clear - to remove all VLAN(s) from being mapped to this MST instance Enabled VLAN(s) This field displays which VLAN(s) are mapped to this MST instance Select this check box to add this port to the MST instance This field displays the ID of an MST instance Active Port This field display the ports configured to participate in the MST instance Delete button 139 To configure MSTP ports, clickscreen Figure 69 Advanced Application > Spanning Tree Protocol > MSTP > Port Table 39 Advanced Application > Spanning Tree Protocol > MSTP > Port the common settings and then make adjustments on a port-by-portbasis as an edge port or when its link status changes (BPDU) 140 13.9 Multiple Spanning Tree Protocol Status141 This field displays the configuration name for this MST regionThis field displays the revision number for this MST region A configuration digest is generated from the VLAN-MSTImapping information Digest displays the digest when MSTP is activated on the system Instance: spanning tree instance This field displays the MSTI ID This field displays which VLANs are mapped to an MSTI MSTI Select the MST instance settings you want to view also be the root bridge Internal Cost communicate with the root of the MST instance 142 Bandwidth Control145 Broadcast Storm Control15.1 Broadcast Storm Control Setup 147 Mirroring16.1 Port Mirroring Setup148 Chapter 16 MirroringAdvanced Application > Mirroring (continued) set the common settings and then make adjustments on a port-by-portbasis Mirrored Select this option to mirror the traffic on a port Direction Egress (outgoing), Ingress (incoming) and Both 149 Link Aggregation157 Port Authentication18.1 Port Authentication Overview158 Chapter 18 Port AuthenticationFigure 79 IEEE 802.1x Authentication Process New Connection Identity Request Login Credentials Authentication Request Access Challenge Challenge Request Challenge Response Access Request Authentication Reply Session 
Granted/Denied 159 18.2 Port Authentication Configuration160 Figure 82 Advanced Application > Port AuthenticationTable 49 Advanced Application > Port Authentication Select this check box to permit 802.1x authentication on the Switch 802.1x authentication on the Switch before configuring it on each port Max-Req unresponsive ports to the Guest VLAN 161 Table 49 Advanced Application > Port Authentication > 802.1x (continued)Reauth stay connected to the port Reauth-period username and password to stay connected to the port Quiet-period Tx-period identity request to the client Supp-Timeout before sending another request Figure 83 Guest VLAN Example 162 Port AuthenticationFigure 84 Advanced Application > Port Authentication > 802.1x > Guest VLAN Table 50 Advanced Application > Port Authentication > 802.1x > Guest VLAN Select this checkbox to enable the guest VLAN feature on this port services Guest Vlan guest VLAN Make sure this is a VLAN recognized in your network 163 Chapter 18 Port AuthenticationHost-mode (using a hub) Select Multi-Secure to authenticate each user that connects to this port Multi-Secure Num 1 and 5) that the Switch will authenticate on this port MAC Authentication Figure 85 Advanced Application > Port Authentication > MAC Authentication 164 Table 51 Advanced Application > Port Authentication > MAC AuthenticationSelect this check box to permit MAC authentication on the Switch Name Prefix authentication. You can enter up to 32 printable ASCII characters RADIUS server Password Type the password the Switch sends along with the MAC address of a client for Timeout authentication to try and authenticate again. Maximum time is 3000 seconds timeout value, then this entry will not be deleted from the MAC address table Aging Time Switch Setup supersedes this setting. 
See Section 8.5 on page adjustments on a port-by-portbasis authentication on the Switch before configuring it on each port 165 Port Security19.1 About Port Security 19.2 Port Security Setup166 Chapter 19 Port SecurityTable 52 Advanced Application > Port Security Port List MAC freeze display in the Static MAC Forwarding screen MAC freeze the Address Learning check boxes only for the ports specified in the Port list Select this option to enable port security on the Switch matching MAC address(es) are dropped this port on a port, the port itself must be active with address learning enabled Limited Number disabled 167 Classifier20.1 About the Classifier and QoS 20.2Configuring the Classifier168 Chapter 20 ClassifierAdvanced Application > Classifier Figure 87 Advanced Application > Classifier Table 53 Advanced Application > Classifier Select this option to enable this rule Enter a descriptive name for this rule for identifying purposes Layer Specify the fields below to configure a layer-2classifier VLAN ID in the field provided priority level in the field provided Other value. 
Refer to Table 55 on page 170 for information Source Select Any to apply the rule to all MAC addresses (six hexadecimal character pairs) 169 20.3 Viewing and Editing Classifier Configuration171 20.4 Classifier Example172 Policy Rule21.1 Policy Rules Overview 21.2 Configuring Policy Rules173 Chapter 21 Policy RuleAdvanced Applications > Policy Rule Figure 90 Advanced Application > Policy Rule Table 57 Advanced Application > Policy Rule Select this option to enable the policy Enter a descriptive name for identification purposes Classifier(s) press [SHIFT] and select the choices at the same time Parameters Action 174 Table 57 Advanced Application > Policy Rule (continued)General Egress Port Type the number of an outgoing port Specify a priority level Specify a DSCP (DiffServ Code Point) number between 0 and TOS Specify the type of service (TOS) priority level Rate Limit You can configure the desired bandwidth available to a traffic flow Select No change to forward the packets Select Discard the packet to drop the packets frames that were marked to be dropped before Select No change to keep the priority setting of the frames the packets in the designated queue TOS field. 
Then put the packets in the designated queue Diffserv Select No change to keep the TOS and/or DSCP fields in the packets TOS field you configure in the DSCP field Send the packet to the egress port Select Enable to activate bandwidth limitation on the traffic flow(s) memory when you are done configuring 175 21.3 Viewing and Editing Policy Configuration176 21.4 Policy Example177 Queuing Method22.1 Queuing Method Overview 178 22.2 Configuring Queuing179 Table 59 Advanced Application > Queuing MethodThis label shows the port you are configuring Robin) get more guaranteed bandwidth than queues with smaller weights more service than queues with smaller weights Weight WFQ WRR Q0-Q7 different traffic queues according to their weights Hybrid This field is applicable only when you select WFQ or WRR SPQ Lowest Queue Q5, Q6 and Q7 using SPQ Select None to always use WFQ or WRR 180 VLAN Stacking187 Multicast24.1 Multicast Overview 188 24.2 Multicast Status189 24.3 Multicast Setting190 Table 67 Advanced Application > Multicast > Multicast Setting (continued)Unknown Multicast Frame Reserved The layer-2multicast MAC addresses used by Cisco layer-2protocols 01:00:0C:CC:CC:CC and 01:00:0C:CC:CC:CD, are also included in this group Immed. Leave IGMP version 2 leave message is received on this port Select this option if there is only one host connected to this port Normal Leave port port should remain in the specific multicast group from a host Fast Leave the Switch sends out an IGMP Group-SpecificQuery (GSQ) message to determine This helps speed up the leave process Group Limited Max Group Num dropped on this port 191 Chapter 24 MulticastThrottling number of the IGMP groups a port can join is reached Deny multicast forwarding table entry is aged out IGMP report(s) received on this port Profile Default to prohibit the port from joining any multicast group IGMP Filtering Profile screen IGMP Querier server). 
The Switch forwards IGMP join or leave packets to an IGMP query port IGMP query packets when you connect an IGMP multicast server to the port forward IGMP join or leave packets to this port 192 24.4 IGMP Snooping VLAN193 24.5 IGMP Filtering Profile194 24.6 MVR Overview196 24.7 General MVR Configuration197 Figure 104 Advanced Application > Multicast > Multicast Setting > MVRTable 70 Advanced Application > Multicast > Multicast Setting > MVR among different subscriber VLANs on the network Multicast VLAN Enter the VLAN ID (1 to 4094) of the multicast VLAN control packets (belonging to this multicast VLAN) Specify the MVR mode on the Switch. Choices are Dynamic and Compatible Select Compatible to set the Switch not to send IGMP reports This field displays the port number on the Switch 198 24.8 MVR Group Configuration199 boxSection 24.1.1 on page address for a multicast group MVLAN This field displays the starting IP address of the multicast group This field displays the ending IP address of the multicast group the table Select Cancel to clear the checkbox(es) in the table 200 NewsMovie Multicast VID 202 AAA25.1 Authentication, Authorization and Accounting (AAA) 203 25.2 AAA Screens204 RADIUS Server SetupFigure 112 Advanced Application > AAA > RADIUS Server Setup Table 73 Advanced Application > AAA > RADIUS Server Setup Use this section to configure your RADIUS authentication settings This field only applies if you configure multiple RADIUS servers second RADIUS server requests to response from the RADIUS server index-priority RADIUS server for 15 seconds and then tries the second RADIUS server This is a read-onlynumber representing a RADIUS server entry Enter the IP address of an external RADIUS server in dotted decimal notation UDP Port value unless your network administrator instructs you to do so 205 Table 73 Advanced Application > AAA > RADIUS Server Setup (continued)Shared Secret be the same on the external RADIUS server and the Switch entry is deleted when you 
click Apply Accounting Use this section to configure your RADIUS accounting server settings response from the RADIUS accounting server This is a read-onlynumber representing a RADIUS accounting server entry this value unless your network administrator instructs you to do so Switch. This entry is deleted when you click Apply 206 TACACS+ Server SetupAuthentication and Accounting Figure 113 Advanced Application > AAA > TACACS+ Server Setup Table 74 Advanced Application > AAA > TACACS+ Server Setup Use this section to configure your TACACS+ authentication settings This field is only valid if you configure multiple TACACS+ servers second TACACS+ server response from the TACACS+ server TACACS+ server for 15 seconds and then tries the second TACACS+ server This is a read-onlynumber representing a TACACS+ server entry Enter the IP address of an external TACACS+ server in dotted decimal notation 207 Table 74 Advanced Application > AAA > TACACS+ Server Setup (continued)TCP Port must be the same on the external TACACS+ server and the Switch Use this section to configure your TACACS+ accounting settings This is a read-onlynumber representing a TACACS+ accounting server entry unless your network administrator instructs you to do so 208 AAA SetupFigure 114 Advanced Application > AAA > AAA Setup Table 75 Advanced Application > AAA > AAA Setup Privilege Enable management) Reference Guide) for local authentication. 
The TACACS+ and RADIUS are external database correctly first specify them in Method 2 and Method 3 fields Select local to have the Switch check the access privilege configured for local servers 209 Table 75 Advanced Application > AAA > AAA Setup (continued)Login authenticate administrator accounts (users for Switch management) up the corresponding database correctly first Method 2 and Method 3 fields and Control > Logins screen radius RADIUS Server TACACS+ Server Authorization Use this section to configure authorization settings on the Switch Set whether the Switch provides the following services to a user different access privilege level assigned via the external server Dot1x assigned via the external server Select this to activate authorization for a specified event types events RADIUS is the only method for IEEE 802.1x authorization Use this section to configure accounting settings on the Switch Update Period accounting is disabled out via the console port, telnet or SSH session privilege level and higher are executed on the Switch Select this to activate accounting for a specified event types servers at the same time accounting server then it tries the second accounting server 210 Advanced Application > AAA > AAA Setup (continued)The Switch supports two modes of recording login events. 
Select: a user ends a session user ends a session TACACS+ is the only method for recording Commands type of event Privilege executed on the Switch The VSAs are composed of the following: Vendor-ID Vendor-Type • Vendor-data: A value you want to assign to the setting 211 25.3 Supported RADIUS Attributes 215 IP Source Guard 26.1 IP Source Guard Overview 218 • It pretends to be computer A and responds to computer B • It pretends to be computer B and sends a message to computer A Chapter 12 on page • They are stored only in volatile memory • They do not use the same space in memory that regular MAC address filters use They appear only in the ARP Inspection MAC Address Filter The Switch does not discard ARP packets on trusted ports for any reason The Switch discards ARP packets on untrusted ports in the following situations: • The rate at which ARP packets arrive is too high Chapter 41 on page Follow these steps to configure ARP inspection on the Switch 1 Configure DHCP snooping. See Section 26.1.1.4 on page 2 Enable ARP inspection on each VLAN 219 26.2 IP Source Guard 26.3 IP Source Guard Static Binding 220 Advanced Application > IP Source Guard > Static Binding Figure 118 IP Source Guard Static Binding Table 82 IP Source Guard Static Binding Enter the source MAC address in the binding Enter the IP address assigned to the MAC address in the binding Enter the source VLAN ID in the binding Any Click this to create the specified static binding or to update an existing one applicable, to clear the fields above Click this to clear the fields above This field displays how long the binding is valid Select this, and click Delete to remove the specified entry Click this to clear the Delete check boxes above 221 26.4 DHCP Snooping 222 Table 83 DHCP Snooping (continued) Write delay timer update in the DHCP snooping database before it gives up Abort timer This field displays how long (in seconds) the Switch waits to update the DHCP snooping database after the current bindings change DHCP snooping
database Agent running database none: The Switch is not accessing the DHCP snooping database write: The Switch is updating the DHCP snooping database Delay timer expiry current update before it gives up. It displays Not Running if the Switch is not updating the DHCP snooping database right now Abort timer expiry This field displays when (in seconds) the Switch is going to update the DHCP changed since the last update snooping database Last succeeded time This field displays the last time the Switch updated the DHCP snooping database successfully Last failed time unsuccessfully Last failed reason This field displays the reason the Switch updated the DHCP snooping database successfully or unsuccessfully read or updated the DHCP snooping database Total attempts This field displays the number of times the Switch has tried to access the DHCP snooping database for any reason Startup failures Successful transfers bindings in the DHCP snooping database successfully Failed transfers or update the bindings in the DHCP snooping database Successful reads This field displays the number of times the Switch read bindings from the DHCP snooping database successfully Failed reads the DHCP snooping database Successful writes Failed writes in the DHCP snooping database Database detail any reason 223 26.5 DHCP Snooping Configure 224 Advanced Application > IP Source Guard > DHCP Snooping > Configure Figure 120 DHCP Snooping Configure Table 84 DHCP Snooping Configure snooping on specific VLAN and specify trusted ports no trusted ports DHCP Vlan specific VLAN Note: You have to enable DHCP snooping on the DHCP VLAN too different VLAN Database current one name; for example, tftp://192.168.10.1/database.txt ; for example Timeout interval the DHCP snooping database before it gives up Write delay Enter how long (10-65535 seconds) the Switch waits to update the DHCP snooping interval in the next update 225 Table 84 DHCP Snooping Configure (continued) Renew DHCP Enter the location of a DHCP
snooping database, and click Renew if you want the Snooping URL snooping database than the one specified in Agent URL DHCP Snooping screen (Section 26.4 on page 221) Click this to reset the values in this screen to their last-saved values Advanced Application > IP Source Guard > DHCP Snooping > Configure > Port Figure 121 DHCP Snooping Port Configure 226 Table 85 DHCP Snooping Port Configure of the ports Server Trusted state untrusted ports in the following situations: • The packet is a DHCP server packet (for example, OFFER, ACK, or NACK) current bindings port do not match any of the current bindings • The rate at which DHCP packets arrive is too high Rate (pps) limit, which is recommended for trusted ports Advanced Application > IP Source Guard > DHCP Snooping > Configure > VLAN Figure 122 DHCP Snooping VLAN Configure Table 86 DHCP Snooping VLAN Configure Show VLAN Use this section to specify the VLANs you want to manage in the section below Start VID Enter the lowest VLAN ID you want to manage in the section below 227 26.6 ARP Inspection Status 228 Table 87 ARP Inspection Status (continued) Expiry (sec) can also delete the record manually (Delete) Reason This field displays the reason the ARP packet was discarded MAC+VLAN: The MAC address and VLAN ID were not in the binding table valid number was not valid Select this and click Delete to remove the specified entry Click this to remove the selected entries Advanced Application > IP Source Guard > ARP Inspection > VLAN Status Figure 124 ARP Inspection VLAN Status Table 88 ARP Inspection VLAN Status Use this section to specify the VLANs you want to look at in the section below range Enabled VLAN Selected VLAN Start VID End VID This field displays the VLAN ID of each VLAN in the range specified above Received last restarted Request the Switch last restarted 229 Reply Switch last restarted Forwarded Dropped Advanced Application > IP Source Guard > ARP Inspection > Log Status Figure 125 ARP Inspection Log Status Table 89
ARP Inspection Log Status and that have not been sent to the syslog server yet Total number of logs This field displays the number of log messages that were generated by ARP with the current number of dropped log messages This field displays a sequential number for each log message This field displays the source port of the ARP packet This field displays the source VLAN ID of the ARP packet Sender Mac This field displays the source MAC address of the ARP packet Sender IP This field displays the source IP address of the ARP packet Num Pkts message. The Switch consolidates identical log messages generated by ARP 230 26.7 ARP Inspection Configure 231 Table 90 ARP Inspection Configure inspection on specific VLAN and specify trusted ports Filter Aging Time Filter aging time This setting has no effect on existing MAC address filters be permanent Log Profile Log buffer size appropriate for the specified Syslog rate and Log interval dropped due to unavailable buffer. Click Clearing log status table in the ARP 26.6.2 on page Syslog rate Type the maximum number of syslog messages the Switch can send to the syslog generated by ARP packets to the syslog server examples: sends 4 syslog messages every second sends 5 syslog messages every 2 seconds Log interval Syslog rate for an example of the relationship between Syslog rate and Log interval 232 open this screen, click Figure 127 ARP Inspection Port Configure Table 91 ARP Inspection Port Configure Trusted State The Switch does not discard ARP packets on trusted ports for any reason The Switch discards ARP packets on untrusted ports in the following situations: which ARP packets can arrive on untrusted ports Limit Rate and Burst Interval settings have no effect on trusted ports this limit Burst interval (seconds) second interval Enter the length (1-15 seconds) of the burst interval 233 Advanced Application > IP Source Guard > ARP Inspection > Configure > VLAN Figure 128 ARP Inspection VLAN Configure Table 92 ARP Inspection VLAN
Configure VLAN, the settings are applied to all VLANs Log 234 Loop Guard 238 VLAN Mapping 242 Layer 2 Protocol Tunneling 29.1 Layer 2 Protocol Tunneling Overview 244 29.2 Configuring Layer 2 Protocol Tunneling 245 Chapter 29 Layer 2 Protocol Tunneling Table 96 Advanced Application > Layer 2 Protocol Tunneling (continued) STP based on bridge information from all (local and remote) networks VTP Point to Point determine the link’s physical status and detect a unidirectional link PAGP and build a logical port aggregation and manages trunk groups UDLD monitor the physical status of a link Access service provider's network access port(s) only 246 sFlow 250 PPPoE 31.1 PPPoE Intermediate Agent Overview 251 Chapter 31 PPPoE Table 101 PPPoE IA Remote ID Sub-option Format PPPoE > Intermediate Agent Table 103 PPPoE IA Circuit ID Sub-option Format: Defined in WT-101 252 31.2 The PPPoE Screen 31.3 PPPoE Intermediate Agent 253 Figure 144 Advanced Application > PPPoE > Intermediate Agent Table 104 Advanced Application > PPPoE > Intermediate Agent access-node identifier spaces are also allowed. The default is the Switch’s host name circuit-id over this Per-Port Per-VLAN screen (specified in the option field) to PADI or PADR packets from PPPoE clients identifier field field identifier string 53 ASCII characters.
Spaces are allowed option into the PADI and PADR packets for the slot value forward slash (/) or space 254 Table 104 Advanced Application > PPPoE > Intermediate Agent (continued) Table 105 Advanced Application > PPPoE > Intermediate Agent > Port 255 Chapter 31 PPPoE Table 105 Advanced Application > PPPoE > Intermediate Agent > Port (continued) Trusted ports are uplink ports connected to PPPoE servers Switch forwards it to other trusted port(s) Untrusted ports are downlink ports connected to subscribers to the trusted port(s) received on an untrusted port Circuit-id PPPoE > Intermediate Agent > Port > VLAN screen) has the highest priority screen) has the highest priority Remote-id Remote-id Switch automatically uses the PPPoE client’s MAC address 256 Intermediate Agent > Port Table 106 Advanced Application > PPPoE > Intermediate Agent > Port > VLAN Show Port VLAN(s) on the port Enter the lowest VLAN ID you want to configure in the section below Enter the highest VLAN ID you want to configure in the section below Click Apply to display the specified range of VLANs in the section below This field displays the port number specified above the * VLAN, the settings are applied to all VLANs adjustments on a VLAN-by-VLAN basis Note: Changes in this row are copied to all the VLANs as soon as you make them sub-option for this VLAN on the specified port.
Spaces are allowed The Circuit ID you configure here has the highest priority automatically uses the PPPoE client’s MAC address The Remote ID you configure here has the highest priority 257 Figure 147 Advanced Application > PPPoE > Intermediate Agent > VLAN Table 107 Advanced Application > PPPoE > Intermediate Agent > VLAN Select this option to turn on the PPPoE Intermediate Agent on a VLAN 258 Error Disable 263 Private VLAN 265 Green Ethernet 267 Static Route 35.1 Static Routing Overview 268 35.2 Configuring Static Routing 269 Chapter 35 Static Route Table 113 IP Application > Static Routing (continued) Subnet Mask This field displays the subnet mask for this destination Gateway your Switch that will forward the packet to the destination This field displays the cost of transmission for routing purposes 270 Differentiated Services 36.1 DiffServ Overview P - Platinum G - Gold S - Silver B - Bronze 271 36.2 Two Rate Three Color Marker Traffic Policing 272 36.3 Activating DiffServ 273 IP Application DiffServ Table 114 IP Application > DiffServ Select this option to enable DiffServ on the Switch This field displays the index number of a port on the Switch Select Active to enable DiffServ on the port 2-rate 3 Color Marker 274 Note: You cannot enable both TRTCM and Bandwidth Control at the same time Figure 162 IP Application > DiffServ > 2-rate 3 Color Marker Table 115 IP Application > DiffServ > 2-rate 3 Color Marker and marks the packets based on the TRTCM settings DiffServ red (high loss priority) colored packets color-blind packets are evaluated against the CIR and PIR through the Switch Select this to activate TRTCM on the port 275 Chapter 36 Differentiated Services IP Application > DiffServ > 2-rate 3 Color Marker (continued) Specify the Commit Information Rate (CIR) for this port Peak Specify the Peak Information Rate (PIR) for this port DSCP Profile 2-Rate Figure 163 IP Application > DiffServ > 2-rate 3 Color Marker > DSCP Profile Table 116 IP Application > DiffServ > 2-rate 3
Color Marker > DSCP Profile Specify the DSCP value to use for packets with low packet loss priority Yellow Specify the DSCP value to use for packets with medium packet loss priority Specify the DSCP value to use for packets with high packet loss priority 276 36.4 DSCP-to-IEEE 802.1p Priority Settings 278 DHCP 37.1 DHCP Overview 37.2 DHCP Status 279 37.3 DHCP Relay 280 Figure 166 IP Application > DHCP > Global Table 121 IP Application > DHCP > Global Select this check box to enable DHCP relay Remote DHCP Enter the IP address of a DHCP server in dotted decimal notation Server 1 Relay Agent Option number and VLAN ID) to client DHCP requests that it relays to a DHCP server it relays to a DHCP server 281 VLAN1 Figure 167 Global DHCP Relay Network Example DHCP Server: VLAN1 VLAN2 DHCP Relay VLAN ID Figure 168 DHCP Relay Configuration Example 282 37.4 Configuring DHCP VLAN Settings 285 Maintenance 38.1 The Maintenance Screen 286 38.2 Load Factory Default 38.3 Save Configuration 38.4 Reboot System 287 38.5 Firmware Upgrade 288 38.6 Restore a Configuration File 38.7 Backup a Configuration File 289 38.8 FTP Command Line 290 1 Launch the FTP client on your computer 2 Enter open, followed by a space and the IP address of your Switch 3 Press [ENTER] when prompted for a username 4 Enter your password as requested (the default is “1234”) 5 Enter bin to set transfer mode to binary Use put put firmware.bin put config.cfg config get config config.cfg Table 124 on page 7 Enter quit to exit the ftp prompt General Commands for GUI-based FTP Clients COMMAND Host Address Enter the address of the host server Login Type Anonymous anonymous access.
Anonymous logins will work only if your ISP or service administrator has enabled this option Normal The server requires a unique User ID and Password to login Transfer Type firmware files should be transferred in binary mode Initial Remote Specify the default remote directory (path) Directory Initial Local Directory Specify the default local directory (path) FTP will not work when: • FTP service is disabled in the Service Access Control screen 291 Remote Management 292 Access Control 39.1 Access Control Overview 39.2 The Access Control Main Screen 39.3 About SNMP 293 Figure 179 SNMP Management Model An SNMP managed network consists of two main components: agents and a manager Table 126 SNMP Commands Get Allows the manager to retrieve an object variable from the agent GetNext a Get operation, followed by a series of GetNext operations Set Allows the manager to set values for object variables within an agent Trap Used by the agent to inform the manager of some events 294 1.3.6.1.4.1.890.1.5.8.61 1.3.6.1.4.1.890.1.5.8.72 1.3.6.1.4.1.890.1.5.8.73 OPTION OBJECT LABEL OBJECT ID 295 Table 127 SNMP System Traps (continued) 297 SNMP System Traps (continued) Table 128 SNMP Interface Traps 298 SNMP Interface Traps (continued) AAA Traps 299 AAA Traps (continued) Table 130 SNMP IP Traps 300 Table 131 SNMP Switch Traps 301 SNMP Switch Traps (continued) rmon RmonRisingAlarm This trap is sent when a variable goes over the RMON "rising" threshold RmonFallingAlarm below the RMON "falling" threshold cfm dot1agCfmFaultAlarm The trap is sent when the Switch detects a connectivity fault Figure 180 Management > Access Control > SNMP Table 132 Management > Access Control > SNMP General Setting Use this section to specify the SNMP version and community (password) values both (v3v2c) Note: SNMP version 2c is backwards compatible with SNMP version Get Community Enter the Get Community string, which is the password for the incoming Get- and GetNext- requests from the management station lower 302
Table 132 Management > Access Control > SNMP (continued) Set Community management station Trap Community Trap Community SNMP manager Trap Destination Use this section to configure where to send SNMP traps from the Switch Specify the version of the SNMP trap messages Enter the IP addresses of up to four managers to send your SNMP traps to Enter the port number upon which the manager listens for SNMP traps Username Enter the username to be sent to the SNMP manager along with the SNMP v3 trap Management > Access Control > SNMP > User screen) screen) to view the screen as shown. Use the Note: Only the ES3500-24HP supports fanspeed and poe system traps Figure 181 Management > Access Control > SNMP > Trap Group 303 Table 133 Management > Access Control > SNMP > Trap Group SNMP Setting screen Options Section 39.3.3 on page 294 for individual trap descriptions categories) User Figure 182 Management > Access Control > SNMP > User 304 Table 134 Management > Access Control > SNMP > User User create accounts on the SNMP v3 manager Specify the username of a login account on the Switch Security Level Select whether you want to implement authentication and/or encryption for SNMP communication from this user. Choose: noauth security level priv user. This is the highest security level than the security level settings on the Switch Select an authentication algorithm. MD5 (Message Digest 5) and SHA (Secure Hash generally considered stronger than MD5, but is slower Enter the password of up to 32 ASCII characters for SNMP user authentication Privacy one of the following: DES encryption. It applies a 56-bit key to each 64-bit block of data uses a secret key.
AES applies a 128-bit key to 128-bit blocks of data Enter the password of up to 32 ASCII characters for encrypting SNMP packets group this user is the management of administrator accounts information from the Switch number to view more details and edit an existing account This field displays the username of a login account on the Switch Security SNMP communication with this user Authenticati user 305 39.4 Setting Up Login Accounts 306 39.5 SSH Overview 307 39.6 How SSH works 308 39.7 SSH Implementation on the Switch 39.8 Introduction to HTTPS HTTP Service Access Control 309 39.9 HTTPS Example 314 39.10 Service Port Access Control 315 39.11 Remote Management 316 Access Control Figure 195 Management > Access Control > Remote Management Table 137 Management > Access Control > Remote Management Entry wish to temporarily disable the set without deleting it this Switch protocol matches the range set here. The Switch immediately disconnects the session if it does not match Telnet/FTP/HTTP/ICMP SNMP/SSH/HTTPS computers 317 Diagnostic 318 Syslog 321 Cluster Management 327 MAC Table 43.1 MAC Table Overview 328 43.2 Viewing the MAC Table 329 Table 146 Management > MAC Table (continued) Select Dynamic to MAC forwarding and click the Transfer button to change all They also display in the Static MAC Forwarding screen Filtering Discard source Click Cancel to change the fields back to their last saved values This is the incoming frame index number This is the MAC address of the device from which this incoming frame came This is the VLAN group to which this frame belongs This is the port where the above MAC address is forwarded This shows whether the MAC address is dynamic (learned by the Switch) or static (manually entered in the Static MAC Forwarding screen) 330 ARP Table 332 Configure Clone 45.1 Configure Clone 334 Table 148 Management > Configure Clone Source Source separated by a comma or a range of ports by using a dash Example: • 2, 4, 6 indicates that ports 2, 4 and 6 are the destination ports
• 2-6 indicates that ports 2 through 6 are the destination ports Basic Setting the destination port(s) Advanced Application copied to the destination ports 335 Troubleshooting 46.1 Power, Hardware Connections, and LEDs 336 Chapter 46 Troubleshooting One of the LEDs does not behave as expected Make sure you understand the normal behavior of the LED. See Section 3.2 on page 2 Check the hardware connections. See Section 3.1 on page 1 Make sure the PoE LED for the port supplying power over Ethernet is on Chapter 8 on page 3 Inspect your Ethernet cables for damage. Replace any damaged cables 4 Check cable lengths 6 Increase the priority of the port. See Chapter 8 on page A port is cabled correctly, but the port status is down Disable Green Ethernet on the port. See Chapter 34 on page 2 Inspect your Ethernet cables for damage. Replace any damaged cables 3 Check cable lengths 4 Check that the device at the other end of the link is powered on 337 46.2 Switch Access and Login 338 I can see the Login screen, but I cannot log in to the Switch 3 Disconnect and re-connect the cord to the Switch Pop-up Windows, JavaScripts and Java Permissions • Web browser pop-up windows from your device • JavaScripts (enabled by default) There is unauthorized access to my Switch via telnet, HTTP and SSH Display System Log Section 39.11 on page 339 46.3 Switch Configuration 341 Common Services 345 Legal Information 348 Safety Warnings