![\"A](\"https:\/\/support.connexite.co.uk\/web_images\/image117.png\")
A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, all workstations and servers used by a particular workgroup can be connected to the same LAN, regardless of their physical locations. VLAN technology delivers the following benefits:<\/p>\n
- \n
- Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance.<\/li>\n
- Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. For hosts in different VLANs to communicate, routers or Layer 3 switches are required.<\/li>\n
- Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.<\/li>\n<\/ul>\n
You can create VLANs based on:<\/p>\n
- \n
- Port<\/li>\n
- MAC address<\/li>\n
- Protocol<\/li>\n
- IP subnet<\/li>\n
- Policy<\/li>\n
- Other criteria<\/li>\n<\/ul>\n
Because the Web interface is available only for port-based VLANs, this chapter introduces only port-based VLANs. 3.1.1.1 VLAN Mode Depending on the tag handling mode, the VLAN Mode of a port can be one of the following three:<\/p>\n
- \n
- Access \uff1a<\/li>\n<\/ul>\n
An access port belongs to only one VLAN and usually connects to a user device.<\/p>\n
- \n
- Trunk \uff1a<\/li>\n<\/ul>\n
A trunk port can join multiple VLANs to receive and send traffic for them. It usually connects to a network device.<\/p>\n
- \n
- Hybrid \uff1a<\/li>\n<\/ul>\n
A hybrid port can join multiple VLANs to receive and send traffic for them. It can connect either a user device or a network device.<\/p>\n
A hybrid port is different from a trunk port in that:<\/p>\n
- \n
- A hybrid port allows traffic of multiple VLANs to pass through untagged.<\/li>\n
- A trunk port allows only traffic of the default VLAN to pass through untagged.<\/li>\n<\/ul>\n
3.1.1.2 Port link type<\/p>\n
By default, VLAN 1 is the default VLAN for all ports. However, you can change the default VLAN for a port as required. When doing that, follow these guidelines:<\/p>\n
- \n
- Because an access port can join only one VLAN, its default VLAN is the VLAN to which it belongs and cannot be configured.<\/li>\n
- Because a trunk or hybrid port can join multiple VLANs, you can configure a default VLAN for the port.<\/li>\n<\/ul>\n
3.1.1.3 Frame handling methods<\/p>\n
Table 3-1: A port configured with a default VLAN handles a frame as follows:<\/strong><\/p>\n
\n\n\n
\n Port type<\/th>\n Actions (in the inbound direction)<\/th>\n<\/tr>\n \n Actions (in the outbound direction)<\/td>\n<\/tr>\n \n Untagged frame<\/td>\n Tag the frame with the default VLAN tag.<\/td>\n<\/tr>\n \n \u2022 Receive the frame if its VLAN ID is the same as the default VLAN ID<\/td>\n \u2022 Drop the frame if its VLAN ID is different from the default VLAN ID.<\/td>\n<\/tr>\n \n Remove the default VLAN tag and send the frame.<\/td>\n<\/tr>\n \n Trunk<\/td>\n Check whether the default VLAN is carried on the port\uff1a<\/td>\n<\/tr>\n \n \u2022 If yes, tag the frame with the default VLAN tag.<\/td>\n \u2022 If not, drop the frame.<\/td>\n<\/tr>\n \n \u2022 Receive the frame if its VLAN is carried on the port.<\/td>\n \u2022 Drop the frame if its VLAN is not carried on the port.<\/td>\n<\/tr>\n \n \u2022 Remove the tag and send the frame if the frame Carries the default VLAN tag.<\/td>\n \u2022 Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one.<\/td>\n<\/tr>\n \n Hybrid<\/td>\n Send the frame if its VLAN is carried on the port. The frame is sent with the VLAN tag removed or intact depending on your configuration.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n 3.1.2 Configuring VLAN 3.1.2.1 Creating VLAN<\/p>\n
- \n
- Select Configuration > VLAN in the navigation area. The system automatically enters the VLAN page as shown in Figure 3-2. Table 3-2 describes the configuration items of creating a VLAN.<\/li>\n<\/ol>\n
![\"VLAN](\"https:\/\/support.connexite.co.uk\/web_images\/image118.png\")
Figure 3-2: VLAN configuration page<\/figcaption><\/figure>\n Table 3-2: Vlan configuration items<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n ID<\/td>\n This field displays the ID of the VLAN<\/td>\n<\/tr>\n \n name<\/td>\n By default, the description string of a VLAN is its VLAN ID, such as VLAN 0002.<\/td>\n<\/tr>\n \n Members<\/td>\n Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.<\/td>\n<\/tr>\n \n Edit<\/td>\n Click to enter the VLAN editing page<\/td>\n<\/tr>\n \n Add<\/td>\n Click to enter the VLAN adding page<\/td>\n<\/tr>\n \n Delete<\/td>\n Select the VLAN ID, click to delete<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n - \n
- Click Add button to enter the page for creating a VLAN, as shown in Figure 3-3.<\/li>\n
- Type VLAN number into the ID box, select the Tagged Members in the port panel to be assigned to these VLAN.<\/li>\n<\/ol>\n
![\"Create](\"https:\/\/support.connexite.co.uk\/web_images\/image119.png\")
Figure 3-3: Create VLAN<\/figcaption><\/figure>\n - \n
- Click the Save in the auxiliary area to save the configuration.<\/li>\n<\/ul>\n
3.1.2.2 Configuring Trunk Port<\/p>\n
- \n
- Select Configuration > VLAN in the navigation area to enter the VLAN page as shown in Figure 3-4. Table 3-3 describes the configuration items of configuring a Trunk Port.<\/li>\n<\/ol>\n
![\"Trunk](\"https:\/\/support.connexite.co.uk\/web_images\/image12.png\")
Figure 3-4: Trunk Configuration page<\/figcaption><\/figure>\n - \n
- Click Batch Edit button below \u201cTrunk Configuration\u201d to enter the trunk configuration page, as shown in Figure 3-5. Table 3-3 describes the configuration items of configuring a VLAN.<\/li>\n<\/ol>\n
![\"Interface](\"https:\/\/support.connexite.co.uk\/web_images\/image120.png\")
Figure 3-5: Interface configuration page<\/figcaption><\/figure>\n Table 3-3: The description of the Trunk configuration<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n Mode<\/td>\n Access<\/td>\n<\/tr>\n \n Set the port\u2019s default VLAN ID, only exist in access mode.<\/td>\n The trunk ports at the two ends of a link must have the same PVID. Otherwise, the link cannot properly transmit packets<\/td>\n<\/tr>\n \n Native Vlan<\/td>\n VLAN\uff08Native Vlan\uff09, only exist in Trunk mode.<\/td>\n<\/tr>\n \n Allow VLANs<\/td>\n Select the VLANs that are allowed through the port.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n - \n
- Select the Vlan Mode, type VLAN number in PVID and Allow VLANs box, click Ok button to complete the configuration.<\/li>\n
- Click the Save in the auxiliary area to save the configuration.<\/li>\n<\/ol>\n
Port<\/h2>\n
3.2.1 Port Configuration<\/p>\n
You can use the interface management feature to view interface information, create\/remove logical interfaces, change interface status, and reset interface parameters, as shown in Figure 3-6.<\/p>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image121.png\")
Figure 3-6: Port Configuration page<\/figcaption><\/figure>\n Configuring interface management<\/p>\n
- \n
- Select Configuration > Port > Port Configuration in the navigation area to enter the port configuration page as shown in Figure 3-6.<\/li>\n
- Select the ports to be configured, click Edit button to enter the page for configuring an interface, as shown in Figure 3-7. Table 3-4 describes the configuration items of configuring an interface.<\/li>\n<\/ol>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image122.png\")
Figure 3-7: Port Configuration page<\/figcaption><\/figure>\n Table 3-4: Configuration items of Port<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n Admin State<\/td>\n Shutdown\/no shutdown the port.<\/td>\n<\/tr>\n \n Description<\/td>\n Set the description of a logical interface.<\/td>\n<\/tr>\n \n Port Mode<\/td>\n Set the port\u2019s vlan mode, Access or Trunk<\/td>\n<\/tr>\n \n PVID\/Native VLAN<\/td>\n Set the port\u2019s PVID or Native VLAN.<\/td>\n<\/tr>\n \n Medium type<\/td>\n Set the medium type of the Combo ports<\/td>\n<\/tr>\n \n \u2022 RJ45\uff1athe mode of port is 10\/100\/1000BASE-T<\/td>\n \u2022 SFP\uff1athe mode of port is 1000BASE-X<\/td>\n<\/tr>\n \n Note: only for combo ports.<\/td>\n<\/tr>\n \n Speed(copper)<\/td>\n Set the port\u2019s transmission rate:<\/td>\n<\/tr>\n \n \u2022 10: indicates 10 Mbps<\/td>\n \u2022 100M\uff1aindicates 100 Mbps<\/td>\n<\/tr>\n \n \u2022 1000M\uff1aindicates 1000 Mbps<\/td>\n \u2022 Auto: indicates auto-negotiation<\/td>\n<\/tr>\n \n Note: only for copper ports.<\/td>\n<\/tr>\n \n Duplex(copper)<\/td>\n Set the port\u2019s duplex mode:<\/td>\n<\/tr>\n \n \u2022 AUTO\uff1aindicates auto-negotiation<\/td>\n<\/tr>\n \n \u2022 FULL\uff1aindicates full duplex<\/td>\n<\/tr>\n \n \u2022 HALF\uff1aindicates half duplex<\/td>\n<\/tr>\n \n Set the port\u2019s mode<\/td>\n \u2022 100BASE-FX\uff1aindicates the port mode is 100BASE-FX.<\/td>\n<\/tr>\n \n \u2022 1000BASE-X\uff1aindicates the port mode is 1000BASE-X.<\/td>\n \u2022 2500BASE-X\uff1aindicates the port mode is 2.5G BASE-X.<\/td>\n<\/tr>\n \n \u2022 10G BASE-X: indicates the port mode is 10G BASE-X.<\/td>\n Note: only for fiber ports.<\/td>\n<\/tr>\n \n Autoneg(fiber)<\/td>\n Enables or disables port\u2019s autoneg.<\/td>\n<\/tr>\n \n The auto-negotiation function needs to be enabled or disabled at the same<\/td>\n time as the peer end, otherwise a link failure will occur.<\/td>\n<\/tr>\n \n Note: only for fiber ports.<\/td>\n<\/tr>\n \n Flow control<\/td>\n Enables or disables port\u2019s Flow control.<\/td>\n<\/tr>\n \n MTU<\/td>\n Allows or forbids jumbo frames to pass through the port. Default length of packets is 46-1500 bytes.<\/td>\n<\/tr>\n \n Admin Shutdown<\/td>\n Shutdown\/no shutdown the port.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n 3.2.2 Port Extension 3.2.2.1 Rate Limiting Port-based rate limiting allows you to limit the speed at which network traffic is sent or received by a device that is connected to a port on your switch. Unlike 802.1p Quality of Service (QoS), port-based rate limiting does not prioritize information based on type. Rate limiting simply means that the switch will slow down traffic on a port to keep it from exceeding the limit that you set. If you set the rate limit on a port too low, you might see degraded video stream quality, sluggish response times during online activity, and other problems.<\/p>\n
The best use of rate limiting is to keep low-priority devices that are connected to your switch from using too much of your bandwidth and slowing down your other connected devices. A combination of rate limiting and QoS can help you maximize your network\u2019s efficiency and prioritize devices and activities.<\/p>\n
Configuring Port Ratelimit<\/p>\n
- \n
- Select Configuration > Port > Port Extension > Rate Limiting in the navigation area to enter the port ratelimit page as shown in Figure 3-8.<\/li>\n
- Click the Batch Edit button below \u201cRate Limiting\u201d to enter the configure rate limiting page, as shown in Figure 3-9, type the number in the box. Table 3-5 describes the configuration items of configuring an interface.<\/li>\n
- Click the Ok button.<\/li>\n
- Click the Save button in the auxiliary area.<\/li>\n<\/ol>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image123.png\")
Figure 3-8: Port Ratelimit page<\/figcaption><\/figure>\n ![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image124.png\")
Figure 3-9: Port Ratelimit configuration<\/figcaption><\/figure>\n - \n
- CBS embodies a rate-limit feature for policing traffic. When policing traffic with CBS, here recommends the burst value 4 times of the limit value. If the burst values are too low, then the achieved rate is often much lower than the configured rate.<\/li>\n<\/ul>\n
Table 3-5: Port Ratelimit Configuration items<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n In CIR (kbps)<\/td>\n Specify the rate limit in the inbound direction (KBits).<\/td>\n<\/tr>\n \n In CBS (KB)<\/td>\n Specify the burst size in the inbound direction (KBits).<\/td>\n<\/tr>\n \n Out CIR (kbps)<\/td>\n Specify the rate limit in the outbound direction (KBits).<\/td>\n<\/tr>\n \n Out CBS (KB)<\/td>\n Specify the burst size in the outbound direction (KBits).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n 3.2.2.2 Storm Control A traffic storm occurs when a large amount of broadcast, multicast, or unicast packets congest a network.<\/p>\n
You can use the storm suppression function to limit the size of a particular type of traffic (currently broadcast, multicast and unknown unicast traffic) on a per-interface basis in Ethernet port view or port group view.<\/p>\n
In interface or port group view, you set the maximum broadcast, multicast or unknown unicast traffic allowed to pass through an interface or each interface in a port group. When the broadcast, multicast, or unknown unicast traffic on the interface exceeds the threshold, the system discards packets until the traffic drops below the threshold.<\/p>\n
Configuring the Storm Control<\/p>\n
- \n
- Select Configuration > Port > Port Extension > Strom Control in the navigation area to enter the storm control page as shown in Figure 3-10.<\/li>\n<\/ol>\n
![\"Strom](\"https:\/\/support.connexite.co.uk\/web_images\/image125.png\")
Figure 3-10: Strom Control page<\/figcaption><\/figure>\n - \n
- Select the Type, type the box of the Percentage, select the ports to be configured in the port panel, as shown in Figure 3-11. Table 3-7 describes the configuration items of configuring Strom control.<\/li>\n
- Click the Ok button to complete the configuration.<\/li>\n
- Click the Save in the auxiliary area.<\/li>\n<\/ol>\n
![\"Strom](\"https:\/\/support.connexite.co.uk\/web_images\/image126.png\")
Figure 3-11: Strom Control configuration<\/figcaption><\/figure>\n Table 3-7: Items of the storm control<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n Type<\/td>\n Disabled<\/td>\n<\/tr>\n \n Selects the parameter used in broadcast suppression and sets its<\/td>\n value in the percentage box.<\/td>\n<\/tr>\n \n Multicast<\/td>\n Selects the parameter used in multicast suppression and sets its<\/td>\n<\/tr>\n \n value in the percentage box.<\/td>\n<\/tr>\n \n Unicast<\/td>\n Selects the parameter used in unicast suppression and sets its<\/td>\n<\/tr>\n \n value in the percentage box.<\/td>\n<\/tr>\n \n multicast-broadcast<\/td>\n Selects the parameter used in multicast and broadcast<\/td>\n<\/tr>\n \n suppression and sets its value in the percentage box.<\/td>\n<\/tr>\n \n unicast-broadcast<\/td>\n Selects the parameter used in unicast and broadcast,<\/td>\n<\/tr>\n \n suppression and sets its value in the percentage box.<\/td>\n<\/tr>\n \n All<\/td>\n Selects the parameter used in unicast and unicast,<\/td>\n<\/tr>\n \n broadcast, suppression and sets its value in the percentage box.<\/td>\n<\/tr>\n \n Percentage (%)<\/td>\n Indicates the maximum percentage of traffic to the total<\/td>\n<\/tr>\n \n transmission capability of an Ethernet interface.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n 3.2.2.1 Isolation Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security.<\/p>\n
- \n
- Switch support multiple isolation groups which can be configured manually. These devices are referred to as multiple-isolation-group devices.<\/li>\n
- There is no restriction on the number of ports assigned to an isolation group.<\/li>\n
- Within the same VLAN, Layer 2 data transmission between ports within and outside the isolation group is supported.<\/li>\n<\/ol>\n
Configuring an Isolation Group<\/p>\n
- \n
- Select Configuration > Port > Port Extension > Isolation in the navigation area to enter the Port isolate page as shown in Figure 3-12.<\/li>\n
- Select the port to be isolated, click Ok button.<\/li>\n
- Click Save in the auxiliary area.<\/li>\n<\/ol>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image127.png\")
Figure 3-12: Port Isolate page<\/figcaption><\/figure>\n 3.2.3 Port Mirroring Port mirroring is to copy the packets passing through one or multiple ports (called source interface) to a port (called the destination interface) on the local device. The source interface is connected with a monitoring device. By analyzing on the monitoring device, the packets mirrored to the destination interface, you can monitor the network and troubleshoot possible network problems.<\/p>\n
Figure3-13 A port mirroring implementation Creating a mirroring group<\/p>\n
- \n
- Select Configuration > Port > Port Mirror in the navigation area to enter the Port mirror page as shown in Figure 3-14.<\/li>\n<\/ol>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image129.png\")
Figure 3-14: Port Mirror Page<\/figcaption><\/figure>\n - \n
- Click the Edit button for the corresponding ID and select the destination interface or source interface, as shown in Figure 3-15. Table 3-8 describes the configuration items of creating a mirroring group.<\/li>\n<\/ol>\n
![\"The](\"https:\/\/support.connexite.co.uk\/web_images\/image13.png\")
Figure 3-15: The page for creating a mirroring group<\/figcaption><\/figure>\n Table 3-8: Configuration items of creating a mirroring group<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n Session<\/td>\n ID of the mirroring group to be created<\/td>\n<\/tr>\n \n Destination Interface<\/td>\n the monitor port for the mirroring group, there can only be one<\/td>\n<\/tr>\n \n Source Interface<\/td>\n mirroring ports for the mirroring group, there can be more than one<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n - \n
- Click the Save button for the corresponding ID.<\/li>\n
- Click Ok button.<\/li>\n
- Click Save in the auxiliary area.<\/li>\n<\/ol>\n
3.2.4 Port Aggregation 3.2.4.1 Overview Link Aggregation Ethernet link aggregation, most often simply called link aggregation, aggregates multiple physical Ethernet links into one logical link to increase link bandwidth beyond the limits of any one single link. This logical link is called an aggregate link. It allows for link redundancy because the member physical links dynamically back up one another.<\/p>\n
As shown in Figure 3-16, Switch A and Switch B are connected with three physical Ethernet links. These physical Ethernet links are aggregated into an aggregate link, Link aggregation 1. The bandwidth of this aggregate link can be as high as the total bandwidth of these three physical Ethernet links.<\/p>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image130.png\")
Figure 3-16: Port Isolate page<\/figcaption><\/figure>\n LACP<\/p>\n
The IEEE 802.3ad Link Aggregation Control Protocol (LACP) enables dynamic aggregation of physical links. It uses link aggregation control protocol data units (LACPDUs) for exchanging aggregation information between LACP-enabled devices.<\/p>\n
There are two link aggregation modes: dynamic and static. Dynamic link aggregation uses LACP while static link aggregation does not. A link aggregation group operating in static mode is called a static link aggregation group, while a link aggregation group operating in dynamic mode is called a dynamic link aggregation group. 3.2.4.2 Configuring an Aggregation Group<\/p>\n
Configuration procedure:<\/p>\n
- \n
- Select Configuration > Port > Port Aggregation in the navigation area to enter the Link Aggregation page as shown in Figure 3-17, The description of the link aggregation is described in Table 3-9.<\/li>\n<\/ol>\n
![\"Global](\"https:\/\/support.connexite.co.uk\/web_images\/image131.png\")
Figure 3-17: Global Configure Page<\/figcaption><\/figure>\n Table 3-9: description of global configure item<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n Equalize according to the destination MAC address and source MAC address<\/td>\n<\/tr>\n \n dst-ip<\/td>\n Equalize according to the destination IP address<\/td>\n<\/tr>\n \n srt-ip<\/td>\n Equalize according to the source IP address<\/td>\n<\/tr>\n \n src-dst-ip<\/td>\n Equalize according to the destination IP address and source IP address<\/td>\n<\/tr>\n \n dst-port<\/td>\n Equalize according to the L4 TCP\/UDP destination port number<\/td>\n<\/tr>\n \n src-port<\/td>\n Equalize according to the L4 TCP\/UDP source port number<\/td>\n<\/tr>\n \n src-dst-port<\/td>\n Equalize according to the L4 TCP\/UDP destination port number and source port number<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n - \n
- In the Aggregate ports Configure page, click +Add button to enter port configuration page, as shown in Figure 3-18, The description of the link aggregation is described in Table 3-10.<\/li>\n<\/ol>\n
![\"Aggregation](\"https:\/\/support.connexite.co.uk\/web_images\/image132.png\")
Figure 3-18: Aggregation port configuration page<\/figcaption><\/figure>\n ![\"Aggregation](\"https:\/\/support.connexite.co.uk\/web_images\/image133.png\")
Figure 3-19: Aggregation port page<\/figcaption><\/figure>\n Table 3-10: description of Aggregation Member<\/strong><\/p>\n
\n\n<\/tbody>\n<\/table>\n<\/figure>\n
Table 3-11: description of Aggregation port<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n Aggregation<\/td>\n<\/tr>\n \n The member ports of the Aggregation Port<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n 3.2.5 Port Violation During the use of the device, active or passive violations may occur on the switch port, such as port security violations, port flapping violations, port loop detection violations, etc. The port violation module is used to configure the recovery enablement and recovery time of the violating port, and displays the port's violation behavior.<\/p>\n
Configuration procedure:<\/p>\n
Select Configuration > Port > Port Violation in the navigation bar to enter the port violation global configuration interface, check the service that needs to be violated, turn on the automatic recovery button and configure the recovery time, click the Apply button to complete the configuration, such as Figure 3-40 is shown, and the global configuration parameters are shown in Table 3-13.<\/p>\n
Figure 3-19: Global configuration page<\/figcaption><\/figure>\n ![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image134.png\")
Figure 3-20: Port State<\/figcaption><\/figure>\n Spanning Tree<\/h2>\n
3.3.1 Overview Spanning Tree Protocol (STP) is a Layer-2 management protocol. It cannot only selectively block redundant links to eliminate Layer-2 loops but also can back up links.<\/p>\n
Like many protocols, STP is continuously updated from Rapid Spanning Tree Protocol (RSTP) to Multiple Spanning Tree Protocol (MSTP) as the network develops.<\/p>\n
For the Layer-2 Ethernet, only one active link can exist between two local area networks (LANs). Otherwise, a broadcast storm will occur. To enhance the reliability of a LAN, it is necessary to establish a redundant link and keep some paths in backup state. If the network is faulty and a link fails, you must switch the redundant link to the active state. STP can automatically activate the redundant link without any manual operations. STP enables devices on a LAN to:<\/p>\n
Discover and start the best tree topology on the LAN.<\/p>\n
Troubleshoot a fault and automatically update the network topology so that the possible best tree topology is always selected.<\/p>\n
The LAN topology is automatically calculated based on a set of bridge parameters configured by the administrator. The best topology tree can be obtained by properly configuring these parameters.<\/p>\n
RSTP is completely compatible with 802.1D STP. Like traditional STP, RSTP provides loop-free and redundancy services. It is characterized by rapid speed. If all bridges in a LAN support RSTP and are properly configured by the administrator, it takes less than 1 second (about 50 seconds if traditional STP is used) to re-generate a topology tree after the network topology changes.<\/p>\n
STP and RSTP have the following defects:<\/p>\n
STP migration is slow. Even on point-to-point links or edge ports, it still takes two times of the forward delay for ports to switch to the forwarding state.<\/p>\n
RSTP can rapidly converge but has the same defect with STP: Since all VLANs in a LAN share the same spanning tree, packets of all VLANs are forwarded along this spanning tree. Therefore, redundant links cannot be blocked according to specific VLANs and data traffic cannot be balanced among VLANs.<\/p>\n
MSTP, defined by the IEEE in 802.1s, resolves defects of STP and RSTP. It cannot only rapidly converge but also can enable traffic of different VLANs to be forwarded along respective paths, thereby providing a better load balancing mechanism for redundant links.<\/p>\n
In general, STP\/RSTP works based on ports while MSTP works based on instances. An instance is a set of multiple VLANs. Binding multiple VLANs to one instance can reduce the communication overhead and resource utilization. 3.3.2 Spanning Tree Configuring Global Configuration of the Spanning Tree<\/p>\n
Select Configuration > Spanning Tree > Global Configuration in the navigation area to enter the Global Configuration page, as shown in Figure 3-20. Table 3-12 describes the Spanning Tree Global Configuration items.<\/p>\n
Figure 3-20: Spanning Tree Global Configuration<\/figcaption><\/figure>\n ![\"Spanning](\"https:\/\/support.connexite.co.uk\/web_images\/image135.png\")
Figure 3-21: Spanning Tree Instance Configuration<\/figcaption><\/figure>\n Table 3-12: Spanning Tree Global Configuration items<\/strong><\/p>\n
\n\n<\/tbody>\n<\/table>\n<\/figure>\n
![\"Spanning](\"https:\/\/support.connexite.co.uk\/web_images\/image136.png\")
Figure 3-22: Spanning Tree port Configuration<\/figcaption><\/figure>\n Table 3-13: Spanning Tree Instance items<\/strong><\/p>\n
\n\n<\/tbody>\n<\/table>\n<\/figure>\n
ERPS<\/h2>\n
3.4.1 Overview<\/p>\n
The ITU-T G.8032 ERPS feature implements protection switching mechanisms for Ethernet layer ring topologies. This feature uses the G.8032 Ethernet Ring Protection (ERP) protocol, defined in ITU-T G.8032, to provide protection for Ethernet traffic in a ring topology, while ensuring that no loops are within the ring at the Ethernet layer. The loops are prevented by blocking traffic on either a predetermined link or a failed link.<\/p>\n
Initial State<\/p>\n
As the following figure, the devices on the ring have been configured, and all the link status is up.<\/p>\n
The RPL owner interface will be blocked by ERPS protocol to prevent loops. If a RPL neighbor interface is configured, it will also be blocked. Other interfaces are under the forwarding state, can forward the traffic.<\/p>\n
Link failure<\/p>\n
When there is a link failure between SwitchD and SwitchE, the two interfaces on the link will be blocked by ERPS protocol, the RPL owner interface will be forwarded.<\/p>\n
Figure 1 Link failure Link restores<\/p>\n
When the failure link is restored. When the erps ring is configured to revertive mode, the RPL owner interface will be blocked by ERPS protocol, the restored link will be configured to forwarding state to forward traffic.<\/p>\n
Single-Ring\uff1a Only one ring in a network topology needs to be protected.<\/p>\n
In Figure 3-23, the network topology has only one ring, only one ring protection link (RPL) owner node, and only one RPL. All nodes must belong to the same ring automatic protection switching (R-APS) virtual local area network (VLAN).<\/p>\n
All devices in the ring network must support ERPS.<\/p>\n
The links between devices in the ring network must be directly connected, and there must be no intermediate devices.<\/p>\n
![\"ERPS](\"https:\/\/support.connexite.co.uk\/web_images\/image137.png\")
Figure 3-23: ERPS single ring<\/figcaption><\/figure>\n Tangent Rings\uff1a<\/p>\n
The two rings in a network topology that share one device need to be protected.<\/p>\n
In Figure 3-24, the two rings in the network topology share one device. Each ring has only one PRL owner node and only one RPL. The two rings belong to different R-APS VLANs.<\/p>\n
All devices in the ring network need to support ERPS.<\/p>\n
The links between devices in the ring network must be directly connected, and there must be no intermediate devices.<\/p>\n
![\"ERPS](\"https:\/\/support.connexite.co.uk\/web_images\/image138.png\")
Figure 3-24: ERPS Tangent Rings<\/figcaption><\/figure>\n Intersecting Rings\uff1a Two or more rings in a network topology share one link. (Each link between intersecting nodes must be a direct link without any intermediate node.)<\/p>\n
In Figure 3-25, four rings exist in the network topology. Each ring has only one PRL owner node and only one RPL. The four rings belong to different R-APS VLANs.<\/p>\n
All devices in the ring network need to support ERPS.<\/p>\n
The links between devices in the ring network must be directly connected, and there must be no intermediate devices.<\/p>\n
![\"ERPS](\"https:\/\/support.connexite.co.uk\/web_images\/image139.png\")
Figure 3-25: ERPS Intersecting Rings<\/figcaption><\/figure>\n 3.4.2 Configure the ERPS Ring Configuration<\/p>\n
Select Configuration > ERPS > Ring Configuration in the navigation area to enter the ERPS Ring Configuration page as shown in Figure 3-26, The description of the ERPS Ring Configuration is described in Table 3-15.<\/p>\n
![\"ERPS](\"https:\/\/support.connexite.co.uk\/web_images\/image14.png\")
Figure 3-26: ERPS Ring Configuration<\/figcaption><\/figure>\n ![\"ERPS](\"https:\/\/support.connexite.co.uk\/web_images\/image140.png\")
Figure 3-27: ERPS Instance Configuration<\/figcaption><\/figure>\n Table 3-15: Ring Configuration description<\/strong><\/p>\n
\n\n<\/tbody>\n<\/table>\n<\/figure>\n
![\"ERPS](\"https:\/\/support.connexite.co.uk\/web_images\/image141.png\")
Figure 3-28: ERPS Instance Configuration<\/figcaption><\/figure>\n ![\"ERPS](\"https:\/\/support.connexite.co.uk\/web_images\/image142.png\")
Figure 3-29: ERPS State<\/figcaption><\/figure>\n Table 3-16: Description of the ERPS Instance Configuration<\/strong><\/p>\n
\n\n<\/tbody>\n<\/table>\n<\/figure>\n
PoE Management<\/h2>\n
3.5.1 PoE Overview Power over Ethernet (PoE) means that power sourcing equipment (PSE) supplies power to powered devices (PDs) from Ethernet interfaces through twisted pair cables. 3.5.2 PoE Configuration<\/p>\n
- \n
- 1. Before configure PoE, make sure that the PoE power supply and PSE are operating normally; otherwise, you cannot configure PoE or the configured PoE function does not take effect.<\/li>\n
- 2. For switches with external power supply, the input voltage range is 44-57 V. In order to obtain a more stable power supply, it is recommended that the power supply voltage of AT equipment be greater than 50V, and that of BT equipment be greater than 53V.<\/li>\n
- 1. Before configure PoE, make sure that the PoE power supply and PSE are operating normally; otherwise, you cannot configure PoE or the configured PoE function does not take effect.<\/li>\n
- 2. For switches with external power supply, the input voltage range is 44-57 V. In order to obtain a more stable power supply, it is recommended that the power supply voltage of AT equipment be greater than 50V, and that of BT equipment be greater than 53V.<\/li>\n
- Select Configuration > PoE in the navigation area to enter the PoE Management page as shown in Figure<\/li>\n<\/ul>\n
3-30, the Table 3-18 describes the items of PoE Global Configuration.<\/p>\n
- \n
- Type the \u201cPower supply\u201d and \u201cPower reserved\u201d boxes, and click Apply button.<\/li>\n<\/ol>\n
![\"PoE](\"https:\/\/support.connexite.co.uk\/web_images\/image143.png\")
Figure 3-30: PoE Global Configuration<\/figcaption><\/figure>\n ![\"PoE](\"https:\/\/support.connexite.co.uk\/web_images\/image144.png\")
Figure 3-31: PoE Interface Configuration<\/figcaption><\/figure>\n Table 3-18: description of PoE Global Configuration<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n Power supply (w)<\/td>\n By default, the default power provided by the device is 15.4W*port number, for example, the maximum power provided by an 8-port device is 123.2W<\/td>\n<\/tr>\n \n \u2022 For devices with external power supply, please fill in this parameter according to the actual configured power supply<\/td>\n \u2022 For devices with built-in power supply, please refer to the description of PoE power in the product manual for this parameter<\/td>\n<\/tr>\n \n Power reserved (%)<\/td>\n Reserved power set against power fluctuations<\/td>\n<\/tr>\n \n \u2022 For devices with external power supply, it is recommended to fill in the power consumption of the main board<\/td>\n \u2022 For devices with built-in power supply, this parameter can be set 0 by default<\/td>\n<\/tr>\n \n Power<\/td>\n management<\/td>\n<\/tr>\n \n Display the mode of power management is energy-saving. In this mode, the power requested and allocated to the port is based on the actual port's (real time) power consumption.<\/td>\n<\/tr>\n \n Disconnect mode<\/td>\n Display the mode of disconnection is DC disconnect<\/td>\n<\/tr>\n \n Alarm state<\/td>\n Turn on\/off the log alarm when the power is insufficient<\/td>\n<\/tr>\n \n Power alarm (%)<\/td>\n Alarm power limit setting, when the PoE power consumption exceeds this value, the system will automatically output a log alarm<\/td>\n<\/tr>\n \n \u2022 Click Batch Edit below \u201cport configuration\u201d to enter PoE port configuration page, Select the port to be configured, as shown in Figure 3-31.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n - \n
- Click the OK to complete the operation, and then the page will return to the PoE Interface Configuration page, as shown in Figure 3-32. the Table 3-19 describes the items of the PoE Interface Configuration.<\/li>\n<\/ol>\n
![\"PoE](\"https:\/\/support.connexite.co.uk\/web_images\/image145.png\")
Figure 3-32: PoE Interface Configuration<\/figcaption><\/figure>\n - \n
- Click the Save in the navigation area to save the configuration.<\/li>\n<\/ol>\n
Security<\/h2>\n
3.6.1 Port Security 3.6.1.1 Overview<\/p>\n
The Port Security function restricts the number of valid MAC addresses on the port to limit the access of illegal users to the port. The illegal MAC packets will be directly discarded.<\/p>\n
The legal MAC can be generated statically or dynamically. The static legal MAC is generated through user command line configuration; the dynamic legal MAC is dynamically generated through the MAC address learning function.<\/p>\n
When the number of secure addresses on the port has reached the configured value of the maximum number of secure addresses, the new MAC access port will be recognized as an illegal MAC and a violation event will be generated. The user can configure the actions to be taken when the violation event occurs, respectively restrict or shutdown the port.<\/p>\n
Restrict: Prohibit illegal MAC data from passing, and generate alarm log prompt information. Illegal MAC will prohibit access to the port within the MAC address aging time. It can be restored through shutdown and no shutdown ports.<\/p>\n
Shutdown: The port is forced to be down, and the port recovery time can be configured. The port will automatically recover when the time is up; it can also be recovered by the shutdown, no shutdown command.<\/p>\n
If you want to convert a dynamic security user to a static security user, you can enable the sticky function on the port. When the sticky function is enabled on the port, the dynamic users learned on the port will exist as static users. If the configuration is saved, the device will still exist after restarting the device.<\/p>\n
- \n
- Only support L2 port configuration port security, such as ordinary physical port, aggregation port.<\/li>\n
- Only support port security configuration in access mode.<\/li>\n
- Does not support aggregation port member ports to configure port security functions.<\/li>\n
- Does not support SPAN destination port configuration port security function.<\/li>\n
- Does not support configuring port security functions on ports that have been configured with static MAC addresses.<\/li>\n
- Only support L2 port configuration port security, such as ordinary physical port, aggregation port.<\/li>\n
- Only support port security configuration in access mode.<\/li>\n
- Does not support aggregation port member ports to configure port security functions.<\/li>\n
- Does not support SPAN destination port configuration port security function.<\/li>\n
- Does not support configuring port security functions on ports that have been configured with static MAC addresses.<\/li>\n<\/ul>\n
3.6.1.2 Configuring Port Security Port Configuration<\/p>\n
Select Configuration > Security > Port security in the navigation area to enter the Port security page as shown in Figure 3-33.<\/p>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image146.png\")
Figure 3-33: Port Security statistic page<\/figcaption><\/figure>\n Click the Batch Edit button below \u201cPort Configuration\u201d to enter the Port Configuration page, as shown in Figure 3-34. The items of the port configuration are described in Table 3-20.<\/p>\n
![\"Port](\"https:\/\/support.connexite.co.uk\/web_images\/image147.png\")
Figure 3-34: Port Security configuration page<\/figcaption><\/figure>\n ![\"MAC](\"https:\/\/support.connexite.co.uk\/web_images\/image148.png\")
Figure 3-35: MAC configuration summary<\/figcaption><\/figure>\n ![\"MAC](\"https:\/\/support.connexite.co.uk\/web_images\/image149.png\")
Figure 3-36: MAC configuration page<\/figcaption><\/figure>\n Table 3-20: the items of the port security configuration<\/strong><\/p>\n
\n\n<\/tbody>\n<\/table>\n<\/figure>\n
Table 3-21: the items of the mac configuration<\/strong><\/p>\n
\n\n\n
\n Item<\/th>\n Description<\/th>\n<\/tr>\n \n MAC<\/td>\n Configuration<\/td>\n<\/tr>\n \n Interface<\/td>\n Select the interface to be configured.<\/td>\n<\/tr>\n \n MAC Address<\/td>\n Configure a static security address, the format of the security address: XXXX.XXXX.XXXX<\/td>\n<\/tr>\n \n The security address cannot be a broadcast or multicast Address.<\/td>\n<\/tr>\n \n Type<\/td>\n Configure the MAC address as dynamic or static.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n 3.6.2 IP Source Guard 3.6.2.1 Overview IP Source Guard\uff1a<\/p>\n
The Ip Source Guard binding function allows IP packets conforming to the IP+MAC binding to pass through the port, and non-conforming packets are directly discarded, thereby achieving the purpose of preventing IP\/MAC spoofing attacks.<\/p>\n
The binding entries of Ip Source Guard mainly come from two sources: user static configuration and dynamic acquisition in the ip dhcp snooping environment.<\/p>\n
User static configuration: mainly for host users whose IP addresses are statically configured in the local area network.<\/p>\n
Ip dhcp snooping dynamic acquisition: mainly respond to the host users who dynamically acquire the IP address through dhcp in the local area network.<\/p>\n
IP\/MAC spoofing attack: Illegal MAC users send IP packets with legal source IP to realize the legalization of access identity.<\/p>\n
ARP Check\uff1a<\/p>\n
The Arp-check (ARP packet check) function filters all ARP packets under the port and discards all illegal ARP packets, which can effectively prevent ARP spoofing in the network and improve the stability of the network.<\/p>\n
In the device that supports the Arp-check function, the Arp-check function can generate corresponding ARP filtering information based on the legal user information (IP+MAC) generated by the security application modules such as IP Source Guard, so as to realize the illegal ARP packets filtering in the network. 3.6.2.2 Configuring IP Source Guard<\/p>\n
- \n
- Select Configuration > Security > IP Source Guard in the navigation area to enter the IP Source Guard Summary page as shown in Figure 3-37.<\/li>\n<\/ol>\n
- Click the Save in the navigation area to save the configuration.<\/li>\n<\/ol>\n
- Click the OK to complete the operation, and then the page will return to the PoE Interface Configuration page, as shown in Figure 3-32. the Table 3-19 describes the items of the PoE Interface Configuration.<\/li>\n<\/ol>\n
- Type the \u201cPower supply\u201d and \u201cPower reserved\u201d boxes, and click Apply button.<\/li>\n<\/ol>\n
- In the Aggregate ports Configure page, click +Add button to enter port configuration page, as shown in Figure 3-18, The description of the link aggregation is described in Table 3-10.<\/li>\n<\/ol>\n
- Select Configuration > Port > Port Aggregation in the navigation area to enter the Link Aggregation page as shown in Figure 3-17, The description of the link aggregation is described in Table 3-9.<\/li>\n<\/ol>\n
- Click the Edit button for the corresponding ID and select the destination interface or source interface, as shown in Figure 3-15. Table 3-8 describes the configuration items of creating a mirroring group.<\/li>\n<\/ol>\n
- Select Configuration > Port > Port Mirror in the navigation area to enter the Port mirror page as shown in Figure 3-14.<\/li>\n<\/ol>\n
- Select Configuration > Port > Port Extension > Strom Control in the navigation area to enter the storm control page as shown in Figure 3-10.<\/li>\n<\/ol>\n
- CBS embodies a rate-limit feature for policing traffic. When policing traffic with CBS, here recommends the burst value 4 times of the limit value. If the burst values are too low, then the achieved rate is often much lower than the configured rate.<\/li>\n<\/ul>\n
- Click Batch Edit button below \u201cTrunk Configuration\u201d to enter the trunk configuration page, as shown in Figure 3-5. Table 3-3 describes the configuration items of configuring a VLAN.<\/li>\n<\/ol>\n
- Select Configuration > VLAN in the navigation area to enter the VLAN page as shown in Figure 3-4. Table 3-3 describes the configuration items of configuring a Trunk Port.<\/li>\n<\/ol>\n
- Click the Save in the auxiliary area to save the configuration.<\/li>\n<\/ul>\n
- Select Configuration > VLAN in the navigation area. The system automatically enters the VLAN page as shown in Figure 3-2. Table 3-2 describes the configuration items of creating a VLAN.<\/li>\n<\/ol>\n
- Hybrid \uff1a<\/li>\n<\/ul>\n
- Trunk \uff1a<\/li>\n<\/ul>\n
- Access \uff1a<\/li>\n<\/ul>\n