
Web Configuration Manual For Industrial Ethernet Switches

The document provides a guide for configuring a switch using a web interface. It describes logging in, navigating the interface, viewing device information, and setting port and VLAN configurations. It also outlines the different management functions available on the web interface.

Uploaded by

Spart

Switch Web configuration guide

Switch Web Configuration Guide

The corresponding software version of this manual is Release 4.0.x

Document version number: V1.08

Post date: 2019.07.13


1 Overview

1.1 Introduction
To make it easier for network administrators to operate and maintain network equipment, our company has
launched the Web management function for the equipment. Administrators can manage and maintain the
equipment directly through web pages. The operating environment of the Web administrator is shown in
figure 1-1.
Figure 1-1 Web management operating environment

1.2 Login to Web administrator

When logging in for the first time, use the default account. After logging in, change the password
immediately to ensure the safety of the device. The specific steps are as follows:
• Log in to the Web administrator using the default account
• Change the user password

When the device leaves the factory, the web server service is enabled by default with a default login
account: the user name is admin, the login password is admin, and the IP address is 192.168.1.168. Users
can use this information to complete the first login to the Web administrator.
Take the 4GX8GT switch as an example of how to log in to the device via the Web. The specific steps
are as follows:
(1) Connect the PC to an Ethernet port of the device with a network cable (all ports belong to VLAN 1
by default).
(2) Configure an IP address for the PC in the same network segment as the default VLAN interface IP
address of the device (but different from the default IP address of the device), such as 192.168.1.20.
(3) Launch the browser and enter your login information.
Figure 1-2 Web login page

Start the browser on the PC and enter "192.168.1.168" in the address bar to open the Web login page of
the device, as shown in figure 1-2. Enter the default account "admin" and password "admin", and click the
"login" button to log in to the Web administrator. The system automatically selects the language
according to the operating system language used by the user, and the user can also switch manually
(Chinese and English are included).
(1) For Windows browsers, Edge is recommended and IE6 is not supported.
(2) For a better display, the Google browser, 360 browser or Baidu browser is recommended, as shown in
figure 1-3.

Figure 1-3 360 safe browser

1.3 Equipment overview


As shown in figure 1-5, click "overview" in the navigation bar to enter the basic information page of the
system. In this page, MAC address, product serial number, software and hardware version, system
running state and other information of the device can be viewed. Specific parameters are shown in table
1-1.


Figure 1-5 basic information of the system

Table 1-1 Basic information parameter description


Configuration items: Instructions
Host name: The device's electronic tag, used to identify the host; can only be numeric, alphanumeric, or an alphanumeric combination
MAC address: Used to indicate the MAC address of the device
Hardware version: Used to indicate the hardware version number of the device
Software version: Used to indicate the software version number of the device
Release time: Used to indicate the release time of the software version
Product serial number: Used to indicate the product serial number of the device
CPU: Used to display the current CPU utilization
Available memory (KB): Used to display the current system available memory
The elapsed time: Used to indicate the continuous running time of the device since the last startup; the time restarts after the device restarts

1.4 Logout of Web administrator

• The system does not automatically save the current configuration when you exit the Web administrator. Save the
current configuration before exiting the Web administrator.

Operation steps:
Click the "logout" button below the navigation bar on the Web administrator page (as shown in figure 1-6)
to exit the Web administrator.


1.5 Save configuration

• After configuring all items on the page, be sure to save the configuration; otherwise unsaved configuration
information will be lost on restart and other operations.

Operation steps:
Click the "save" button below the navigation bar on the Web administrator page (as shown in figure 1-6)
to save the current configuration to the configuration file. The configuration then remains valid after a
restart or a power-down restart.
There are two ways to save the configuration:
(1) In the current configuration page, clicking the "ok" or "apply" button saves the current configuration
into memory. This does not actually write the configuration items into the configuration file. If the switch
has a power failure or other failure at this point, the configuration made on the page will be lost.
(2) Click the "save" button below the navigation bar, and the system will automatically save the
configuration of all pages to the configuration file.

1.6 Introduction of Web management page layout


As shown in figure 1-6, the main page of Web management is divided into four parts: product model,
navigation bar, language selection button, and configuration area. Function description of each part is
shown in table 1-2.

Table 1-2 Web layout instructions


Configuration items: Instructions
Product model: Used to display the product model
The navigation bar: Organizes the Web network management function menu of the device in the form of a navigation tree. Users can conveniently choose a function menu in the navigation bar. The selection results are displayed in the configuration area
Language selection: For switching languages; currently only Chinese and English are supported
The configuration area: An area for users to configure and view

Figure 1-6 Web administration home page

(1) Product model (2) Navigation bar (3) Language selection (4) Configuration area

1.7 Introduction of Web management functions


The specific description of Web network management function is shown in table 1-3.
Table 1-3 Web management function description

Menu / TAB: Functional specifications

Overview
  The basic information: Displays the device's MAC address, serial number, hardware and software version, and sets the device's electronic tag, CPU usage, running time, etc.

Port
  Port management: Displays information about all ports and sets the various features of the ports
  Port speed limit: Show/set port speed limit
  The storm control: Show/set the suppression ratio for broadcast, multicast, and unknown unicast on ports
  Interface counters: Display, query, and clear interface statistics
  Port mirror: Show/set/delete the mirror of the port
  Port isolation: Show/set/remove port isolation
  Port aggregation
    Global configuration: Show/configure an algorithm for port aggregation
    The aggregation port: Displays information about the aggregation interface, as well as information about the port members in the aggregation interface
    Aggregate member port: Configure the aggregation port ID to which the member port belongs, working mode

PoE management
  PoE global configuration: Display/configure PoE power supply in non-standard mode
  PoE interface configuration: Show/configure PD devices attached to the PSE

Switching
  VLAN
    VLAN: Create, modify, and delete VLAN
    Interface: Display port status, configure port properties, VLAN ownership
  ERPS configuration
    General situation: Shows the status of ERPS, previous event, ring number, east interface, west interface, etc.
    Ring configuration: Configure the ERPS ring number, east interface, west interface
    The instance configuration: Configure blocking points of ERPS, manage VLAN, data VLAN, etc.
  IGMP Snooping
    IGMP Snooping: Turn on/off the IGMP Snooping function
    IGMP route port: Show/configure IGMP route ports
    IGMP static group: Display/configure IGMP static groups
  Spanning tree
    General situation: Displays the MSTP port parameters
    Global configuration: Display and set MSTP global parameters
    The MST configuration: Display MSTP field information, modify the MSTP field
    The instance: Create/delete MSTP instances
    Interface: Display and set MSTP port parameters
  MAC management
    MAC management: Set the aging time for MAC addresses
    Static address: Configure static MAC addresses without aging table entries
    Filter addresses: Used to discard packets containing a specific MAC address

Security
  The ACL: Create, modify, and delete VLANs
  The ACL Application: Display port status, configure port properties, VLAN ownership
  QoS
    General situation: Display/configure QoS, queue weights
    Port trust: Show/configure QoS port trust
    CoS mapping: Display/configure QoS CoS mapping
    DSCP mapping: Display/configure QoS DSCP mapping
    Strategy: Display/configure QoS policies
  DHCP Snooping
    Disable/enable: Enable/disable this feature
    Trust port: Set the trust port for DHCP Snooping
  802.1X authentication
    General situation: Display 802.1X authentication profile
    Configuration: Configure 802.1X
  MAC authentication
    General situation: Displays MAC authentication profile
    Configuration: Configure MAC authentication
  The RADIUS
    Global configuration: RADIUS global configuration
    The server: Show/configure RADIUS server configuration

System
  Manage IP addresses: Set the administrative IP address of the device
  User management: Set user password
  Telnet server: Turn on/off the Telnet server
  SNMP
    SNMPv1/v2c: Configure SNMPv1/v2c
    SNMPv3: Configure SNMPv3
  Date and time: Displays/sets the current system date and time
  Profile management
    Download the backup: Back up configuration files to the local host
    Restore the backup: Restore a local profile to the device
    Factory data reset: Restore the device to its factory configuration
  System upgrade: Upload an upgrade file from the local host to upgrade the system software
  Log/diagnosis: Generate a diagnostic information file and open it for viewing or saving on the local host
  Restart: Reboot the device

Diagnosis
  Web tools: Perform the ping/trace route operation and display the results
  The Dying Gasp: Turn on/off the Dying Gasp alert
  Optical module information: View optical module information, such as manufacturer information, serial number, optical power, etc.

Save: Save the currently set parameters so that they remain valid after restart

Cancellation: Log out


2 Interface

2.1 Port management

• Due to the different parameters of electrical port and optical port, it is recommended to configure electrical port and
optical port separately when selecting multi-port configuration.

The port management module is used to configure and view the working parameters of the Ethernet
interface, including: name, description, port mode, media type, rate, duplex state, flow control, MTU, state,
as shown in figure 2-1.

Figure 2-1 Interface management page

Operation steps:
(1) Select [interface] -> [port management] in the navigation bar, as shown in figure 2-1.
(2) Check the ports to be configured (multiple ports are supported) and click the "edit" button to enter
the page shown in figure 2-2.
(3) Configure the working parameters of the port, as shown in table 2-1.
(4) Click the [apply] button to complete the operation.
(5) Click the [save] button in the navigation bar to save the configuration.

Figure 2-2 interface configuration page


Table 2-1 interface working parameters description


Configuration items: Instructions

Describe: Set the description information for the port, using a combination of letters and numbers.

Medium type: Configure the media type of the multiplexing port, which is only valid for ports that support photoelectric multiplexing (Combo).
• RJ45: set the port to work in electrical port mode.
• SFP: set the port to work in optical port mode.

Rate: Set the rate of the port.
• 10M: 10 Mbps
• 100M: 100 Mbps
• 1000M: 1000 Mbps
• AUTO: automatically negotiates the port rate

Duplex state: Set the duplex state of the port.
• AUTO: self-negotiating duplex
• FULL: full duplex
• HALF: half duplex

Port mode: Set the working mode of the port. Different working modes are supported, and each needs corresponding optical module support.
• 100base-fx: set the port to work in 100 Mbps optical mode.
• 1000base-x: set the port to work in gigabit optical mode.
• SGMII: set the port to work in SGMII mode, which needs to be configured when a gigabit-to-100 Mbps (SFP ge-fx) or optical-to-electrical (mini-gbic-gt) module is inserted in the optical port.
• 2500base-x: set the port to work in 2.5G optical port mode.
• 10G base-x: set the port to work in 10G optical port mode.
Notes:
• In 2500base-x mode, there may be incompatibility when interconnecting with ports of other manufacturers.
• The optical port capability differs between types of equipment; please refer to the specification document of the specific product model.
• This feature is only supported by optical ports.

Flow control: Enable or disable the port flow control function.
When flow control is enabled on both this device and the opposite device, a device that becomes congested sends a message to the opposite device to notify it to temporarily stop sending messages; after receiving the message, the opposite device temporarily stops sending messages to the congested device. And vice versa. Thus, packet loss is avoided.
Flow control can be realized only when the flow control function is turned on at both the local port and the opposite port.

MTU: Set the frame length allowed for forwarding, from 64 to 10240 bytes. The default is 1526 bytes.

Manage state: Set the open/closed state of the port.
• No shutdown: the port works normally.
• Shutdown: the port is in the Shutdown state.

Configuration examples:
Case requirements: configure port eth0/9 to work in 2.5g mode, turn off flow control, set MTU to 10000
bytes, and port description to ABC.

Step 1: Select [interface] -> [port management] in the navigation bar to enter the port management page.

Step 2: Select port eth0/9 and click the [edit] button to enter the port configuration page, as shown in
figure 2-3.

Step 3: As shown in figure 2-3, configure the parameters: description "ABC", medium type "SFP", port mode
"2500base-x", flow control "OFF", MTU "10000", management state "No shutdown".

Figure 2-3 Interface configuration example

Step 4: click the apply button to complete the operation.

Step 5: click the "save" button in the navigation bar to save the configuration.

2.2 Port speed limit


Port speed limit is a port-based speed limit, which limits the total rate of messages input to and output
from a port. A speed limit configured in the output direction of an interface controls all outgoing message
traffic before it is sent from the interface. A speed limit configured in the input direction of an interface
controls all incoming message traffic before it is received from the interface.

Operation steps:
(1) Select [interface] -> [port speed limit] in the navigation bar and enter the port speed limit
configuration page, as shown in figure 2-4.
(2) For ports that need a speed limit, enter the corresponding values in the dialog box; the parameters
are defined in table 2-2.
(3) Click the "apply" button on the corresponding port to complete the operation.
(4) Click the "save" button in the navigation bar to save the configuration.

• This feature only supports single-port configuration. For example, if parameters are also entered for other ports,
clicking the apply button of eth0/1 clears the parameters for the other ports (their configuration does not take effect).

Figure 2-4 port speed limit page

• Limit values are deterministic (for example, for 1M the limit is 1024), but burst values are derived from experience.
When the burst value is large, the traffic peak is higher and the speed limit is stable, but the average speed may be
higher than the speed limit. When the burst value is small, the traffic peak is low and the speed limit fluctuates
greatly; the average speed may be less than the speed limit. It is recommended to configure burst with a value of
4 times limit and a small value of 16384.

Table 2-2 parameter description


Configuration items: Instructions
Input rate (KBPS): Bandwidth limit per second in the input direction (KBits).
Input burst flow (KB): Burst traffic limit in the input direction (Kbytes).
Output rate (KBPS): Bandwidth limit per second in the output direction (KBits).
Output burst flow (KB): Burst traffic limit in the output direction (Kbytes).
Application: Enables the port speed limit function on the specified port.
Remove: Clears what has been filled in the dialog box.


Configuration examples:
Case requirements: suppose port eth0/1 of the switch is connected to the Internet and the outbound traffic
of port eth0/1 must be limited, with a bandwidth limit of 102400 KBits per second and a burst traffic limit
of 256 Kbytes per second.

Step 1: Select [interface] -> [port speed limit] in the navigation bar to enter the port speed limit
configuration page.

Step 2: Fill in the corresponding parameter dialog box for port eth0/1, as shown in figure 2-5.

Step 3: Click the [apply] button of port eth0/1 to complete the configuration.

Figure 2-5 port speed limit configuration page

Step 4: click the "save" button in the navigation bar to save the configuration.
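
The effect of the burst value on peak and average rate, described in the note before table 2-2, can be reproduced with a small model. This is an added example, not code from the manual or the vendor: the manual does not say which algorithm the switch uses, so the token bucket, the 1 ms step, the bucket starting full, the constructed 1 Gbit/s traffic patterns and the 2048 KB comparison value are all assumptions; only the 102400 Kbit/s rate and 256 KB burst come from the configuration example above.

```python
"""Token-bucket model of a port speed limit.

Assumption: the manual does not name the limiter algorithm; a token bucket
is a common way to enforce a rate together with a burst value.
Units follow table 2-2: rate in Kbit/s, burst in Kbytes, with K = 1024.
"""

TICK_S = 0.001  # simulation step: 1 ms


def simulate(limit_kbps, burst_kbytes, offered_bits):
    """Return the bits forwarded in each tick; traffic above the credit is dropped."""
    capacity = burst_kbytes * 1024 * 8      # bucket depth in bits
    refill = limit_kbps * 1024 * TICK_S     # credit earned per tick, in bits
    tokens = capacity                       # assumption: the bucket starts full
    forwarded = []
    for bits in offered_bits:
        tokens = min(capacity, tokens + refill)
        sent = min(bits, tokens)
        tokens -= sent
        forwarded.append(sent)
    return forwarded


def summarize(offered_bits, forwarded, window_ticks=10):
    """Average rate, peak rate over a sliding window, and drop percentage."""
    duration_s = len(forwarded) * TICK_S
    avg_kbps = sum(forwarded) / duration_s / 1024
    window = sum(forwarded[:window_ticks])
    peak = window
    for i in range(window_ticks, len(forwarded)):
        window += forwarded[i] - forwarded[i - window_ticks]
        peak = max(peak, window)
    peak_kbps = peak / (window_ticks * TICK_S) / 1024
    offered_total = sum(offered_bits)
    dropped_pct = 100.0 * (offered_total - sum(forwarded)) / offered_total
    return {"avg_kbps": avg_kbps, "peak_kbps": peak_kbps, "dropped_pct": dropped_pct}


# Constructed traffic from a 1 Gbit/s sender (not measured data).
LINE_BITS_PER_TICK = 1_000_000                          # 1 Gbit/s for 1 ms
BURSTY = ([LINE_BITS_PER_TICK] * 10 + [0] * 90) * 10    # 10 ms on, 90 ms off, 1 s total
SUSTAINED = [LINE_BITS_PER_TICK] * 1000                 # line rate for 1 s

LIMIT_KBPS = 102400   # output rate from the configuration example


def compare(offered_bits, bursts_kbytes=(256, 2048)):
    """Run the same traffic through the limiter once per burst value."""
    return {b: summarize(offered_bits, simulate(LIMIT_KBPS, b, offered_bits))
            for b in bursts_kbytes}


if __name__ == "__main__":
    for name, traffic in (("bursty", BURSTY), ("sustained", SUSTAINED)):
        for burst, stats in compare(traffic).items():
            print(f"{name:9s} burst={burst:5d} KB  "
                  f"avg={stats['avg_kbps']:9.1f} Kbit/s  "
                  f"peak={stats['peak_kbps']:9.1f} Kbit/s  "
                  f"dropped={stats['dropped_pct']:5.1f}%")
```

With the bursty pattern the offered average is below the limit, yet the 256 KB bucket drops most of each burst while the 2048 KB bucket passes it at line rate; with sustained traffic both averages exceed the configured limit over the one-second window by the size of the initial burst.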

2.3 Storm control


When there is excessive broadcast, multicast or unknown unicast traffic in a local area network, network
performance declines and the network may even be paralyzed; this is called a broadcast storm. Storm
control limits the rate of broadcast, multicast and unknown unicast data flows. When the rate of broadcast,
unknown multicast or unknown unicast traffic received by a switch port exceeds the set bandwidth, the
device only lets through the traffic within the set bandwidth and discards the traffic beyond it, so as to
prevent excessive flooding traffic from entering the LAN and forming a storm.

The storm control module is used to set the port suppression ratio for broadcast, multicast and unknown
unicast. Storm control is based on a bandwidth percentage. When the rate of the data stream received by
a device port exceeds the set bandwidth, the device only allows the data stream within the set bandwidth
to pass, and the data stream exceeding the set bandwidth is discarded until the data stream returns to
normal.
Configuration steps:
(1) Select [interface] -> [storm control] in the navigation bar and enter the storm control page, as shown
in figure 2-6.
(2) Check the ports to be configured (multiple ports are supported) and click [edit] to enter the page
shown in figure 2-7.
(3) Configure the storm suppression types and bandwidth suppression ratios of the ports, as shown in
table 2-3.
(4) Click the "apply" button to complete the operation.
(5) Click the "save" button to save the configuration.

Figure 2-6 Interface of storm control page


Figure 2-7 Port configuration page

Table 2-3 Parameter description


Configuration items: Instructions

Name: Selected port

Type:
• Disabled: Turn off the function.
• Broadcast: Turn on the broadcast message storm suppression function to limit the traffic of broadcast messages.
• Multicast: Turn on the unknown multicast message storm suppression function to limit the traffic of unknown multicast messages.
• Unicast: Turn on the unknown unicast message storm suppression function to limit the traffic of unknown unicast messages.
• Multicast-broadcast: Turn on the storm suppression function for multicast messages + broadcast messages to limit the traffic of unknown multicast messages and broadcast messages.
• Unicast-broadcast: Turn on the storm suppression function for unknown unicast messages + broadcast messages to limit the traffic of unknown unicast messages and broadcast messages.
• All: Suppress broadcast, multicast and unknown unicast.

Bandwidth ratio (%): Percentage of the port's transmission capacity that is the maximum broadcast traffic allowed to pass through; after choosing this item, you need to enter a specific percentage.

Configuration examples:
Case requirements: enable storm control on port eth0/1, and set the suppression ratio of broadcast
messages to 10%.

Step 1: Select [interface] -> [storm control] in the navigation bar to enter the storm control page.
Step 2: Select port eth0/1 and click the "edit" button to enter the configuration page.
Step 3: [Type] select broadcast and set the bandwidth ratio to 10, as shown in figure 2-8.
Step 4: Click the apply button to complete the operation.

Figure 2-8 storm control configuration page

Step 5: Click the "save" button in the navigation bar to save the configuration.

2.4 Port statistics


The port statistics function is used to display statistics about the number of messages received and sent
by ports.
(1) Select [interface] -> [port statistics] in the navigation bar and enter the port statistics page, as shown
in figure 2-9.
(2) In the page, check the number of messages received and sent by each port of the device, the
number of bytes, and the rate of sending and receiving. The specific parameters are shown in table 2-4.

Figure 2-9 port statistics page

Table 2-4 port statistical parameter description


Configuration items: Instructions
Name: Switch port
Receive a message: All messages received by the port
Number of bytes received: The number of bytes of all messages received by the interface
Number of sent messages: All messages sent by the port
Number of sent bytes: The number of bytes of all messages sent by the interface
Reception rate (PPS): Interface receiving rate, unit PPS (bit per second, bit/second)
Reception rate (BPS): Packet rate received by the interface, BPS (Packet Per Second)
Send rate (PPS): Interface send rate, unit PPS (bit per second, bit/second)
Sending rate (BPS): Packet rate sent by the interface, BPS (Packet Per Second)
Remove: Reset message

2.5 Port mirroring


SPAN (Local Switched Port Analyzer) is the local mirroring function. SPAN copies the packets of the
designated ports to the destination port. In general, the destination port of SPAN is connected to data
detection equipment. Users can use this equipment to analyze the packets received by the destination
port for network monitoring and troubleshooting, as shown in figure 2-10.

SPAN does not affect the message exchange between the source port and the destination port, but
simply sends a copy of all incoming and outgoing messages of the source port to the destination port.
Messages may be discarded when the mirrored traffic of the source port exceeds the destination port
bandwidth, such as when a 100Mbps destination port monitors the traffic of a 1000Mbps source port.

SPAN is managed by session: the source and destination ports of SPAN are configured in a session.
There can be only one destination port in a session, but multiple source ports can be configured
simultaneously.

Figure 2-10 port mirroring

Configuration steps:
(1) Select [interface] -> [port mirror] in the navigation bar and enter the page shown in figure 2-11.
Figure 2-11 port mirroring page

(2) Click the "add" button to enter the page shown in figure 2-12.
Figure 2-12 port mirroring configuration page

(3) Select the session, destination interface and source interface, and the specific parameters are
described in table 2-5.
(4) Click the "apply" button to complete the operation.
(5) Click the "save" button in the navigation bar to save the configuration.

Table 2-5 port mirroring parameters


Configuration items: Instructions
The session: Select the group number of the port mirroring group to configure; a total of 7 mirroring groups can be created.
Purpose interface: Select the mirror destination port; only one destination interface per session is allowed
The source interface: Select the mirror source ports; multiple source ports can exist simultaneously

Configuration examples:
Case requirement: Use port eth0/3 to monitor the inbound/outbound messages of ports eth0/1 and eth0/2.

Step 1: Select [interface] -> [port mirror] in the navigation bar to enter the port mirror configuration page.
Step 2: Click the "add" button to enter the port mirror configuration page.

Step 3: Select session 1, as shown in figure 2-13, eth0/3 for the destination interface, eth0/1 and eth0/2
for the source interface.

Figure 2-13 port mirroring configuration page


Step 4: Click the "apply" button to complete the configuration and automatically return to the port
mirroring page. You can see the successfully created mirror group 1, as shown in figure 2-14.

Figure 2-14 Port mirror display page

Step 5: Click the "save" button in the navigation bar to save the configuration.
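
For a monitoring sensor on the destination port, the discard behaviour described above means silently missed traffic, so it is worth checking sessions before relying on them. The following is an added example, not part of the manual or the device software: it checks a set of sessions against the rules stated in this section (7 sessions, one destination per session, mirrored inbound plus outbound traffic versus destination bandwidth). The data layout, the finding codes and all port speeds and rates are constructed for illustration.

```python
"""Check port-mirroring (SPAN) sessions against the rules in section 2.5."""
from dataclasses import dataclass

MAX_SESSIONS = 7  # table 2-5: a total of 7 mirroring groups can be created


@dataclass
class Port:
    name: str
    speed_mbps: int        # link speed of the port
    rx_mbps: float = 0.0   # observed receive rate (constructed sample value)
    tx_mbps: float = 0.0   # observed send rate (constructed sample value)


def check_sessions(sessions, ports):
    """Return a list of (session_id, code, detail) findings.

    sessions: {session_id: {"dest": [port names], "sources": [port names]}}
    ports:    {port name: Port}
    """
    findings = []
    if len(sessions) > MAX_SESSIONS:
        findings.append((None, "TOO_MANY_SESSIONS",
                         f"{len(sessions)} sessions, limit is {MAX_SESSIONS}"))
    for sid, cfg in sorted(sessions.items()):
        dests, sources = cfg["dest"], cfg["sources"]
        if len(dests) != 1:
            findings.append((sid, "ONE_DESTINATION_REQUIRED",
                             f"{len(dests)} destinations configured"))
            continue
        dest = ports[dests[0]]
        # SPAN copies incoming AND outgoing messages, so every source port
        # contributes its receive rate plus its send rate to the mirror.
        observed = sum(ports[s].rx_mbps + ports[s].tx_mbps for s in sources)
        worst_case = sum(2 * ports[s].speed_mbps for s in sources)
        if observed > dest.speed_mbps:
            findings.append((sid, "DROPPING_NOW",
                             f"{observed:.0f} Mbps mirrored into "
                             f"{dest.speed_mbps} Mbps port {dest.name}"))
        elif worst_case > dest.speed_mbps:
            findings.append((sid, "CAN_DROP_AT_PEAK",
                             f"up to {worst_case} Mbps mirrored into "
                             f"{dest.speed_mbps} Mbps port {dest.name}"))
    return findings


# Constructed sample data. Session 1 is the configuration example above.
PORTS = {p.name: p for p in [
    Port("eth0/1", 1000, rx_mbps=300, tx_mbps=250),
    Port("eth0/2", 1000, rx_mbps=400, tx_mbps=200),
    Port("eth0/3", 1000),
    Port("eth0/5", 1000, rx_mbps=40, tx_mbps=30),
    Port("eth0/6", 100),
]}
SESSIONS = {
    1: {"dest": ["eth0/3"], "sources": ["eth0/1", "eth0/2"]},
    2: {"dest": ["eth0/6"], "sources": ["eth0/5"]},   # 100 Mbps watching 1000 Mbps
    3: {"dest": ["eth0/3", "eth0/6"], "sources": ["eth0/5"]},
}

if __name__ == "__main__":
    for finding in check_sessions(SESSIONS, PORTS):
        print(finding)
```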

2.6 Port isolation


In order to achieve layer 2 isolation between messages, different ports can be added to different VLANs,
but this wastes limited VLAN resources. Isolation between ports in the same VLAN can be realized by
using the port isolation feature. The user only needs to add ports to the isolation group to realize layer
2 data isolation between the ports in the isolation group. The port isolation function provides users with a
more secure and flexible networking scheme. The port isolation feature is independent of the VLAN to
which the port belongs. For devices that do not support uplink ports, traffic passes in both directions
between ports in the isolation group and ports outside the isolation group.
Configuration steps:
(1) Select [interface] -> [port isolation] in the navigation bar to enter the port isolation page, as shown in
figure 2-15.
(2) Select the port to be isolated and click the "enable/disable" button.
(3) Click the "save" button in the navigation bar to save the configuration.

Figure 2-15 port isolation page


Configuration examples:
Networking requirements, as shown in figure 2-16:
• Cell users User1, User2 and User3 are connected to the switch ports eth0/2, eth0/3 and eth0/4,
respectively.
• The device connects to the external network through the eth0/1 port.
• eth0/1, eth0/2, eth0/3 and eth0/4 belong to the same VLAN. The goal is that cell users User1, User2 and
User3 cannot communicate with each other, but can communicate with the external network.

Figure 2-16 Networking topology

Step 1: Select [interface] -> [port isolation] in the navigation bar to enter the port isolation page.

Step 2: Select eth0/2, eth0/3, eth0/4, and click the [disabled] button to enable port isolation, as shown in
figure 2-17.


Figure 2-17 port isolation configuration page

Step 3: Click the "save" button in the navigation bar to save the configuration.
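
The isolation rule from this section can be written down and checked against the intended policy of the example, which makes the two common mistakes visible: a user port left out of the isolation group, and the uplink port added to it. This is an added example, not part of the manual; the function names are hypothetical, and the model assumes each port belongs to exactly one VLAN and that the device has no separate uplink-port feature, as in the last sentence of the description above.

```python
"""Model of the port-isolation rule in section 2.6, with a policy audit."""
from itertools import combinations


def can_exchange_l2(a, b, vlan_of, isolation_group):
    """Two different ports exchange layer-2 traffic if they are in the same
    VLAN and are not both members of the isolation group."""
    if a == b or vlan_of[a] != vlan_of[b]:
        return False
    return not (a in isolation_group and b in isolation_group)


def audit(vlan_of, isolation_group, must_block, must_allow):
    """Compare a configuration with the intended policy.

    Returns a sorted list of (kind, port_a, port_b):
    LEAK    - a pair that should be isolated can still communicate
    BLOCKED - a pair that should communicate is isolated
    """
    violations = []
    for a, b in must_block:
        if can_exchange_l2(a, b, vlan_of, isolation_group):
            violations.append(("LEAK", a, b))
    for a, b in must_allow:
        if not can_exchange_l2(a, b, vlan_of, isolation_group):
            violations.append(("BLOCKED", a, b))
    return sorted(violations)


# The networking requirement from figure 2-16 (all four ports in VLAN 1).
UPLINK = "eth0/1"
USERS = ["eth0/2", "eth0/3", "eth0/4"]
VLAN_OF = {port: 1 for port in [UPLINK] + USERS}
MUST_BLOCK = list(combinations(USERS, 2))        # users must not reach each other
MUST_ALLOW = [(user, UPLINK) for user in USERS]  # users must reach the uplink


def run_cases():
    """Audit the intended configuration and two misconfigurations."""
    return {
        "as documented": audit(VLAN_OF, set(USERS), MUST_BLOCK, MUST_ALLOW),
        "eth0/4 forgotten": audit(VLAN_OF, {"eth0/2", "eth0/3"}, MUST_BLOCK, MUST_ALLOW),
        "uplink isolated": audit(VLAN_OF, set(USERS) | {UPLINK}, MUST_BLOCK, MUST_ALLOW),
    }


if __name__ == "__main__":
    for case, violations in run_cases().items():
        print(case, violations)
```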

2.7 Port aggregation


2.7.1 Overview

2.7.1.1 Aggregation port


Binding multiple physical links together creates a logical link, which we call an aggregate port
(port-channel). This function conforms to IEEE802.3ad standard. It can be used to extend link bandwidth
and provide higher connection reliability. It is often used for uplink port connection, as shown in figure
2-18.

Figure 2-18 port aggregation networking model

The aggregation port has the following characteristics:


(1) High bandwidth, the total bandwidth of the aggregation port is the sum of the bandwidth of the physical
member ports;
(2) Support the traffic balancing strategy, according to which traffic can be allocated to each member link;
(3) Support link backup. When a member link in the aggregation port is disconnected, the system will
automatically allocate the traffic of the member link to other effective member links in the aggregation
port.

2.7.1.2 LACP

Link Aggregation Control Protocol (LACP), based on the IEEE802.3ad standard, is a protocol for dynamic
link aggregation. If LACP is enabled on a port, the port sends LACPDUs to announce its system priority,
system MAC, port priority, port number, operation key, etc. After receiving the LACP message from the
opposite end, the connected device compares the system priority of both ends according to the system
ID in the message. The end whose system ID has the higher priority sets the ports in the aggregation
group to the aggregation state in order of port ID priority from high to low, and sends updated LACP
messages. After receiving these messages, the opposite device sets the corresponding ports to the
aggregation state, so that the two sides stay consistent when ports exit or join the aggregation group.
Only when the ports at both ends have completed the dynamic aggregation binding can the physical link
transmit data messages.

After the LACP member port link is bound, LACP messages continue to be exchanged periodically. If no
LACP message is received for a period of time, packet reception is considered to have timed out, the
member port link is unbound, and the port returns to the non-forwarding state. There are two timeout
modes: long timeout mode and short timeout mode. In the long timeout mode, a packet is sent at an
interval of 30 seconds; if no packet from the opposite end is received within 90 seconds, packet reception
times out. In the short timeout mode, a packet is sent at an interval of 1 second; if no packet from the
opposite end is received within 3 seconds, packet reception times out.

Figure 2-19 port aggregation model

As shown in Figure 2-19, switch A and switch B are connected through 3 ports. The system priority of
switch A is 61440, and the system priority of switch B is 4096. Enable LACP port aggregation on the
three directly connected ports of switch A and B, set the aggregation mode of the three ports to active
mode, and set the port priority of the three ports to the default priority 32768.
After receiving the LACP message from the opposite end, switch B finds that its own system ID has the
higher priority (the system priority of switch B is higher than that of switch A), and sets ports 4, 5 and
6 to the aggregation state in order of port ID priority (when the port priorities are equal, in ascending
order of port number). When switch A receives the updated LACP message from switch B, it finds that
the system ID of the opposite end has a higher priority and that the opposite ports are set to the
aggregation state, and it sets ports 1, 2 and 3 to the aggregation state.
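The timeout rule and the selection rule described above can be checked with a short model. This is an added example, not code from the manual or the switch firmware: a numerically lower system priority is the higher priority, and the MAC address tie-break, the `max_active` limit and the sample MAC addresses are assumptions made for the illustration.

```python
# Added example: LACP receive timeout and port selection as described in this section.

# Timeout modes stated in the text: mode -> (send interval, receive timeout), in seconds.
TIMEOUT_MODES = {"long": (30, 90), "short": (1, 3)}


def unbind_time(mode, rx_times, now, bound_at=0.0):
    """Return the time at which a bound member port is unbound because no LACP
    packet arrived within the receive timeout, or None if still bound at `now`."""
    _, timeout = TIMEOUT_MODES[mode]
    last = bound_at
    for t in sorted(t for t in rx_times if t <= now) + [now]:
        if t - last > timeout:
            return last + timeout      # the timer ran out before this event
        last = t
    return None


def deciding_system(sys_a, sys_b):
    """Each system is (name, system_priority, mac). The numerically lower system
    priority wins; the MAC address breaks ties (assumption, not in the manual)."""
    return min(sys_a, sys_b, key=lambda s: (s[1], s[2]))[0]


def aggregate(sys_a, sys_b, links, port_priority=None, max_active=None):
    """links: [(port_on_a, port_on_b), ...]; port_priority: {(system, port): priority}.
    The deciding system orders its ports by (port priority, port number) and the
    other end follows. Returns {system_name: [ports in aggregation state]}."""
    port_priority = port_priority or {}
    decider = deciding_system(sys_a, sys_b)
    side = 0 if decider == sys_a[0] else 1
    ordered = sorted(
        links,
        key=lambda l: (port_priority.get((decider, l[side]), 32768), l[side]),
    )
    chosen = ordered if max_active is None else ordered[:max_active]
    return {
        sys_a[0]: sorted(l[0] for l in chosen),
        sys_b[0]: sorted(l[1] for l in chosen),
    }


# Constructed sample matching Figure 2-19 (MAC addresses are made up).
SWITCH_A = ("A", 61440, "00:00:00:00:00:0a")
SWITCH_B = ("B", 4096, "00:00:00:00:00:0b")
LINKS = [(1, 4), (2, 5), (3, 6)]

if __name__ == "__main__":
    print("decider:", deciding_system(SWITCH_A, SWITCH_B))
    print("aggregated:", aggregate(SWITCH_A, SWITCH_B, LINKS))
    print("long mode, peer silent after 60 s:", unbind_time("long", [30, 60], now=200))
```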

2.7.2 Configure the aggregation port


Configuration steps:


(1) Select [interface] -> [port aggregation] in the navigation bar, enter the port aggregation configuration
page, and select load balancing algorithm in the global configuration page, as shown in figure 2-20, and
parameter description is shown in table 2-6.

Figure 2-20 Global configuration page for port aggregation

Table 2-7 Global configuration parameter description

Configuration items           Instructions

Name                          Load balancing algorithm
Global configuration value
    DST-MAC                   Equalize based on destination MAC address.
    SRC-MAC                   Equalize based on the source MAC address.
    SRC-DST-MAC               Equalize based on source MAC address and destination MAC.
    DST-IP                    Equalize based on destination IP address.
    SRC-IP                    Equalize based on source IP addresses.
    SRC-DST-IP                Equalize based on source IP address and destination IP address.
    DST-port                  Equalize based on the L4 TCP/UDP destination port number.
    SRC-port                  Equalize based on the L4 TCP/UDP source port number.
    SRC-DST-port              Equalize based on the L4 TCP/UDP source and destination port number.
Application                   Click to enable the configuration.

(2) In the aggregation port member, configure the "ID" and "mode" of the corresponding port, and click
"apply" to complete the configuration, as shown in figure 2-21. The parameters are described in table 2-8.

Figure 2-21 aggregation port member configuration page

Table 2-8 Parameter description of aggregation member port configuration


Configuration items           Instructions

Name                          Corresponding port number
Aggregate member port
    ID                        The ID of the aggregation port member
    Mode
        Manual                Set to manual mode.
        Active                This port initiates the LACP aggregation operation.
        Passive               The port will not initiate the LACP aggregation operation
                              actively, but passively participates in the LACP calculation
                              after receiving the neighbor's LACP packet.
Application                   Click to enable the configuration.
Remove                        Click to clear the physical port.

After the configuration is completed, the aggregation port ID and member port information that have been
successfully created are displayed in the aggregation port page, as shown in figure 2-22. The
parameters are described in table 2-9.

Figure 2-22 Aggregation page display

Table 2-9 Parameters of aggregation port

Configuration items           Instructions

Aggregation port
    ID                        The ID of the aggregation port.
    Name                      Name of the aggregation port.
    Name                      The specific aggregation member name.

2.7.3 Configuration examples


1. Networking requirements
• As shown in figure 2-23, Switch A and Switch B connect to each other through their layer 2 Ethernet
ports eth0/1 ~ eth0/3.
• Switch A and Switch B are connected by three physical links. On Switch A and Switch B, ports are
configured as port aggregation groups, so that the outgoing/incoming load is shared among member
ports.

Figure 2-23 port aggregation example

2. Configuration steps
Load sharing can be achieved using both static and dynamic aggregation groups. The configuration
methods for both groups are described below.
(1) Method 1: Configure static aggregation groups
Step 1: Select [interface] -> [port aggregation] in the navigation bar to enter the port aggregation
configuration page.


Step 2: In the global configuration item, select "load balancing algorithm" as src-ip, and click "apply"
button to save the configuration, as shown in figure 2-24.

Figure 2-24 global configuration

Step 3: From the aggregation port member, select eth0/1, ID is "1", mode select "Manual", and click
"apply" to save the configuration.

Figure 2-25 aggregation member port static configuration

After configuration, you can see the successfully created aggregation port 1 in the aggregation port page, as
shown in figure 2-26.

Figure 2-26. Create a successful static aggregation port

Step 4: Click the "save" button in the navigation bar to save the current configuration.
(2) Method 2: Configure dynamic aggregation groups
Step 1: Select [interface] -> [port aggregation] in the navigation bar to enter the port aggregation
configuration page.
Step 2: In the global configuration item, select "load balancing algorithm" as src-ip, and click "apply"
button to save the configuration, as shown in figure 2-27.

Figure 2-27 global configuration

Step 3: From the aggregation port member, select eth0/1, ID is "1", mode select "Manual", click "apply" to
save the configuration, and use the same operation to complete the configuration of eth0/2 and eth0/3
successively, as shown in figure 2-28.

Figure 2-28 aggregate member port dynamic configuration


After configuration, you can see the successfully created aggregation port 1 in the aggregation port page, as
shown in figure 2-29.

Figure 2-26. Create a successful dynamic aggregation port

Step 4: Click the "save" button in the navigation bar to save the current configuration.

2.8 PoE Management

• Switches with PoE modules can support PoE.

• On non-PoE switches, the PoE functions are displayed in the Web pages, but no configuration is allowed.

2.8.1 PoE Introduction


PoE (Power over Ethernet) refers to supplying power remotely through the Ethernet port to an external
PD (Powered Device) connected over twisted-pair cable.
PoE system composition
The PoE system is shown in figure 2-27. It includes the PoE power supply, PSE (Power Sourcing Equipment),
PI (Power Interface) and PD.

Figure 2-27 PoE system

1. PoE power supply
The PoE power supply powers the entire PoE system.
2. PSE
PSE is the device that directly powers the PD. PSE comes in two types, Endpoint and Midspan: Endpoint
means the PSE is integrated in the switch, Midspan means the PSE and the switch are independent. Our company
uses built-in PSE. The main functions of PSE include finding and detecting PDs, classifying PDs,
supplying power to them, power management, and detecting whether the connection with a PD is disconnected.
3. PI
PI refers to Ethernet interfaces with PoE power supply capability, also known as PoE interfaces, including
FE and GE interfaces.
PoE interface remote power supply has two modes:
Signal line power supply mode: PSE uses the wires of Category 3/5 twisted pair that carry data (1, 2, 3, 6)
to transmit data and direct current to the PD at the same time.
Idle line power supply mode: PSE uses the wires of Category 3/5 twisted pair (4, 5, 7, 8) that are not used for
data transmission to transmit direct current to the PD.
4. PD
PD is the device that receives PSE power, such as an IP phone, wireless AP (Access Point), portable device
charger, card reader, network camera and so on.
PD equipment can be connected to other power sources while receiving PoE power supply, for power
redundancy backup.

2.8.2 PoE Configuration

Before configuring PoE functions, make sure that the PoE power supply and PSE are in a normal operating state; otherwise
you may not be able to configure PoE, or PoE may not work.

PoE configuration steps:


(1) Select [interface] -> [PoE management] in the navigation bar to enter the PoE management page.
(2) Set the maximum power in PoE global configuration, and click "apply" to complete the configuration,
as shown in figure 2-28.

Figure 2-28 PoE global configuration


PoE global configuration parameters are described in table 2-10.

Table 2-10 PoE global configuration parameter descriptions


Configuration items           Instructions

Maximum power                 By default, the power provided by the device is 15.4 W * port number. For
                              example, the maximum power provided by an 8-port device is 123.2 W.
                              • If the maximum power of the PoE power supply is less than the maximum output
                                power of the equipment, the maximum power should be set to the maximum output
                                power of the PoE power supply minus 10 W (mainboard power consumption), in order
                                to prevent the power of the equipment from exceeding the PoE power rating and
                                causing overcurrent of the PoE power supply.
Consumed power                Shows the total power consumed by the PoE.
Power supply management       The default is energy saving mode, and the power allocated for each port is
                              calculated from the actual consumed power. PSE will allocate the excess power to
                              other ports by default.
Port mode                     The default is DC disconnect mode.
Number of power supply ports  Displays the number of ports currently powered.
Compatibility mode            ON/OFF, default is OFF.
                              OFF: Only standard PD devices are supported. The detected resistance is between
                              19 kΩ and 26.5 kΩ, and the detected capacitance is less than 150 nF.
                              ON: Supports non-standard PD devices. Power can be supplied to some PD devices
                              whose detected resistance and capacitance values exceed the standard values.

                              This function belongs to the global mode and is effective for all ports. It is necessary
                              to confirm that the device connected to the port is a PD product; otherwise power may
                              be wrongly supplied to the connected device and damage it.

(3) Select the port to be configured, click [edit] to enter the page configuration interface, and select
"enable/disable" the PoE function of this port, as shown in figure 2-29.

Figure 2-29 PoE interface configuration

(4) Click the "apply" button to complete the operation and return to the PoE main page, as shown in
figure 2-30.

Figure 2-30 PoE interface configuration main page

(5) Click the "save" button in the navigation bar to save the configuration.
The PoE port status parameters are described in table 2-11.

Table 2-11 PoE parameter description


Configuration items           Instructions

Enable/disable                Set enable or disable PoE power on ports.
State                         PoE current power supply state. OFF: power supply shutdown state. ON: power supply
                              state.
Reason                        The reason power cannot be supplied: -
                              Short: load short circuit; Management: underpower
Current                       Operating current of the device.
Power                         The power consumed by the current device.

• The default power supply priority of the system is: the priority decreases as the port number increases.
• When the external power supply of the equipment is insufficient, the PoE interfaces with high power supply priority
are powered first.
• If PSE power is low, then regardless of the priority of a newly connected PD, the ports that are already being supplied
are not closed, and no power is supplied to the newly connected PD.
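The budget rule from table 2-10 and the priority rules above, put together as an added example (not code from the manual or the device). Skipping a port whose demand does not fit during power-up and the sample wattages are assumptions of this sketch.

```python
# Added example: PoE power budget and admission rules described in section 2.8.2.

PER_PORT_W = 15.4     # default power per port (table 2-10)
MAINBOARD_W = 10.0    # mainboard power consumption (table 2-10)


def max_power_setting(port_count, supply_max_w=None):
    """Value to enter as maximum power. If the PoE power supply is weaker than the
    device default (15.4 W * ports), use supply maximum minus 10 W instead."""
    device_default = round(PER_PORT_W * port_count, 1)
    if supply_max_w is not None and supply_max_w < device_default:
        return round(supply_max_w - MAINBOARD_W, 1)
    return device_default


def power_up(budget_w, demand):
    """demand: {port_number: watts actually drawn}. Ports are served in priority
    order (lower port number = higher priority) while the budget lasts.
    Assumption: a port whose demand does not fit is skipped, not partially fed."""
    powered, used = {}, 0.0
    for port in sorted(demand):
        if used + demand[port] <= budget_w:
            powered[port] = demand[port]
            used += demand[port]
    return powered


def hot_plug(budget_w, powered, port, watts):
    """A PD is connected while others are already powered. Ports that are already
    supplied are never shut off, whatever the priority of the new port.
    Returns (new powered map, admitted?)."""
    if sum(powered.values()) + watts <= budget_w:
        return {**powered, port: watts}, True
    return dict(powered), False


if __name__ == "__main__":
    print(max_power_setting(8))                    # device default
    print(max_power_setting(8, supply_max_w=100))  # limited by the power supply
    print(power_up(40, {1: 15, 2: 15, 3: 15}))
    print(hot_plug(40, {2: 15, 3: 15}, 1, 15))
```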


3 Switching

3.1 VLAN

3.1.1 Overview
VLAN is short for Virtual Local Area Network, which is a logical network divided from a physical network.
This network corresponds to the second layer of the ISO model. VLANs are not partitioned by the physical
location of the network ports. A VLAN has the same properties as a normal physical network, except that
there are no physical location restrictions. The unicast, broadcast, and multicast frames of the second layer
are forwarded and flooded within one VLAN without directly entering other VLANs.

Port-based VLAN is the simplest VLAN partition method. Users can divide the ports on the device into
different VLANs, and then the messages received from a certain port can only be transmitted in the
corresponding VLAN, so as to realize the isolation of broadcast domains and the division of virtual working
groups.

3.1.1.1 Link type


Link connection types of ports can be divided into three types according to how the port handles the
VLAN Tag when forwarding messages:
• Access:
Messages sent by the port do not carry a VLAN Tag. It is generally used to connect to terminal devices
that cannot recognize VLAN Tags, or when different VLAN members do not need to be distinguished.
• Trunk:
For messages sent by the port, messages in the default VLAN do not carry a Tag, while messages in other
VLANs must carry a Tag. Usually used for interconnection between network transmission devices.
• Hybrid:
Messages sent by the port can be set to carry a Tag in some VLANs and no Tag in other VLANs as required.
Hybrid type ports are used both for interconnection between network transmission devices and for direct
connection to terminal devices.

3.1.1.2 Default VLAN (PVID)


In addition to the VLANs that ports allow to pass, you can set the default VLAN for ports. By default, the
default VLAN for all ports is VLAN 1, but the user can configure it as needed.
• The default VLAN for an Access port is the VLAN to which it belongs.
• Trunk ports and Hybrid ports allow multiple VLANs to pass through, and the default VLAN can be configured.
• When removing a VLAN, if the VLAN is the default VLAN of a port, the default VLAN of the port will
revert to VLAN 1 for an Access port. For Trunk or Hybrid ports, the default VLAN configuration of the port does
not change, meaning they can use a VLAN that no longer exists as the default VLAN.

• It is recommended that the default VLAN of the local device port be the same as the default VLAN of the
connected peer device port.
• It is recommended to ensure that the default VLAN of the port is a VLAN that the port allows to pass. If the port does not
allow a VLAN to pass through, but the default VLAN of the port is that VLAN, then the port will discard the received
messages of that VLAN and the messages without a VLAN Tag.

3.1.1.3 Port processing of messages


After the port connection type and the default VLAN are configured, the port handles received and sent
messages differently depending on the case, as shown in table 3-1.

Table 3-1 Port message processing

Access port
    Message received without Tag:  Add the default VLAN Tag to the message.
    Message received with Tag:     • Receive the message when its VLAN is identical to the default VLAN.
                                   • Discard the message when its VLAN is different from the default VLAN.
    Sending a message:             Remove the Tag and send the message.

Trunk port and Hybrid port (receiving)
    Message received without Tag:  • When the default VLAN is in the list of VLANs that the port allows to
                                     pass, receive the message and add the Tag of the default VLAN to it.
                                   • When the default VLAN is not in the list of VLANs that the port allows
                                     to pass, the message is discarded.
    Message received with Tag:     • The message is received when its VLAN is in the allowed list.
                                   • The message is discarded when its VLAN is not in the allowed list.

Trunk port (sending)
    Sending a message:             • When the VLAN is the same as the default VLAN and is in the list of
                                     VLANs that the port allows to pass, remove the Tag and send the message.
                                   • When the VLAN is different from the default VLAN and is in the list of
                                     VLANs that the port allows to pass, keep the original Tag and send the
                                     message.

Hybrid port (sending)
    Sending a message:             When the VLAN is in the allowed list, send the message; whether the Tag is
                                   removed or not can be set manually.
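The rules of table 3-1 written out as code, with the recommendation about matching default VLANs on both ends of a link checked at the end. This is an added example, not code from the manual or the switch; the `Port` class, the function names and the sample ports (modelled on the two-switch case in section 3.1.3, with VLAN 1 assumed to be allowed on the trunk) are constructed for the illustration.

```python
# Added example: receive/send handling of table 3-1 for Access, Trunk and Hybrid ports.
from dataclasses import dataclass, field

DROP, UNTAGGED = "drop", "untagged"


@dataclass
class Port:
    name: str
    mode: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                # default VLAN of the port
    allowed: set = field(default_factory=set)    # trunk/hybrid: VLANs allowed to pass
    untagged: set = field(default_factory=set)   # hybrid: VLANs sent without Tag


def receive(port, tag):
    """Classify a received message (tag is None when it carries no Tag).
    Returns the VLAN ID it is accepted into, or DROP."""
    if port.mode == "access":
        return port.pvid if tag in (None, port.pvid) else DROP
    vlan = port.pvid if tag is None else tag     # untagged -> default VLAN
    return vlan if vlan in port.allowed else DROP


def send(port, vlan):
    """Returns UNTAGGED, the VLAN ID kept as Tag, or DROP if the port does not carry the VLAN."""
    if port.mode == "access":
        return UNTAGGED if vlan == port.pvid else DROP
    if vlan not in port.allowed:
        return DROP
    if port.mode == "trunk":
        return UNTAGGED if vlan == port.pvid else vlan
    return UNTAGGED if vlan in port.untagged else vlan   # hybrid: set manually


def traverse(tag, hops):
    """Carry one message through hops [("rx" | "tx", Port), ...].
    Returns what leaves the last hop: UNTAGGED, a VLAN ID, or DROP."""
    vlan = None
    for direction, port in hops:
        if direction == "rx":
            vlan = receive(port, tag)
            if vlan == DROP:
                return DROP
        else:
            out = send(port, vlan)
            if out == DROP:
                return DROP
            tag = None if out == UNTAGGED else out
    return UNTAGGED if tag is None else tag


# Constructed sample ports: PCs on access ports, switches joined by trunk eth0/9.
A1 = Port("A eth0/1", "access", pvid=10)
A9 = Port("A eth0/9", "trunk", pvid=1, allowed={1, 10, 20})
B9 = Port("B eth0/9", "trunk", pvid=1, allowed={1, 10, 20})
B1 = Port("B eth0/1", "access", pvid=10)
B2 = Port("B eth0/2", "access", pvid=20)
# Misconfigured variant: default VLAN on A's trunk differs from B's.
A9_MISMATCH = Port("A eth0/9", "trunk", pvid=10, allowed={1, 10, 20})

if __name__ == "__main__":
    print(traverse(None, [("rx", A1), ("tx", A9), ("rx", B9), ("tx", B1)]))  # same VLAN
    print(traverse(None, [("rx", A1), ("tx", A9), ("rx", B9), ("tx", B2)]))  # other VLAN
    print(receive(B9, None if send(A9_MISMATCH, 10) == UNTAGGED else 10))    # lands in VLAN 1
```

With mismatched default VLANs the message from VLAN 10 leaves switch A without a Tag and is classified into VLAN 1 on switch B, which is the isolation failure the recommendation is meant to prevent.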

3.1.2 Configuration VLAN


3.1.2.1 Introduction to VLAN configuration
Configure the Access port-based VLAN

Table 3-2 VLAN configuration steps based on Access ports

Step 1  Configuration task: Configure the connection type of the port
        Instructions: Optional. Configure the connection type of the port as Access. By default, the
        connection type of the port is Access.
Step 2  Configuration task: Create a VLAN
        Instructions: Mandatory. Create one or more VLANs.
Step 3  Configuration task: Configure the default VLAN for the port
        Instructions: Configure the default VLAN for Access ports.

Configure a VLAN based on Trunk ports

Table 3-3 VLAN configuration steps based on Trunk ports

Step 1  Configuration task: Configure the connection type of the port
        Instructions: Optional. Configure the connection type of the port as Trunk. By default, the port's
        connection type is Access.
        Notes: By default, the default VLAN of the Trunk port is VLAN 1. When a Trunk port's Untagged VLAN
        is changed, the Trunk port's previous Untagged VLAN automatically becomes a Tagged VLAN.
Step 2  Configuration task: Create a VLAN that needs to be added to this Trunk
        Instructions: Optional. Create one or more VLANs.
Step 3  Configuration task: Configure the Trunk to which the VLAN belongs
        Instructions: Mandatory. Select the Trunk and add the VLAN.
        Notes: A Trunk port has only one Untagged VLAN, which is its default VLAN.

Configure VLANs based on Hybrid ports

Table 3-4 VLAN configuration steps based on Hybrid ports

Step 1  Configuration task: Configure the connection type of the port
        Instructions: Mandatory. Configure the port's connection type as Hybrid. By default, the port's
        connection type is Access.
        Notes: Hybrid ports can have multiple Untagged VLANs, so the VLANs configured for the Hybrid port
        multiple times through these two steps are all available at the same time. By default, the Hybrid
        port's Untagged VLAN is VLAN 1.
Step 2  Configuration task: Create a VLAN that needs to be added to the Hybrid port
        Instructions: Mandatory. Create one or more VLANs.
Step 3  Configuration task: Configure the Trunk which belongs to VLAN
        Instructions: Select the Trunk and add the VLAN.
        Notes: The Hybrid port can have multiple Tagged VLANs. Therefore, Tagged VLANs configured
        multiple times for Hybrid ports through these two steps will be valid at the same time.

3.1.2.2 Configure ports in the VLAN


The VLAN configuration page is shown in figure 3-1, the detailed description of each parameter
is shown in table 3-5.

Figure 3-1 VLAN configuration page


Table 3-5 VLAN configuration parameters


Configuration items           Instructions

ID                            Select the group number of the port mirroring group to configure; a total of 7
                              mirroring groups can be created.
Name                          VLAN name, not configurable. By default, VLAN 1 is default and VLAN 2 is VLAN0002.
Tagged member port            The port member sends messages of the VLAN with a Tag.
Tagged member port            The port member sends messages of the VLAN without a Tag.
Edit                          Select the VLAN ID to be edited and click this button to enter the edit page.
Add                           Click this button to enter the VLAN add page.
Delete                        Select the VLAN ID and click this button to delete the VLAN.

Configuration steps:
(1) Select [switch] -> [VLAN] in the navigation bar to enter the VLAN configuration page, as shown in
figure 3-2.

Figure 3-2 VLAN display page

Figure 3-3 VLAN configuration page

(2) Click the "add" button to enter the page shown in figure 3-3.
(3) Configure the port members of VLAN, click the "apply" button to complete the operation.
(4) Click the "save" button in the navigation bar to save the configuration.

3.1.2.3 Configure the VLAN to which the port belongs


The interface configuration page is shown in figure 3-4, and the detailed description of each
parameter is shown in table 3-6.


Figure 3-4 interface display page

Table 3-6 Interface configuration parameters


Configuration items           Instructions

Name                          Corresponding port name.
VLAN mode
    Access                    Configure the port type to be an Access port.
    Trunk                     Configure the port type to be a Trunk port.
    Hybrid                    Configure the port type to be a Hybrid port.
PVID                          Port-based VLAN ID, applies to Access ports.
Native Vlan                   Native VLAN, applies to Trunk ports.
Edit                          Select the port to be edited and click this button to enter the edit page.

Configuration steps:
(1) Select [switch] -> [VLAN] in the navigation bar to enter the interface configuration page, as shown in
figure 3-4.
(2) Select the port to be configured and click the "edit" button to enter the interface configuration page.
(3) Configure the VLAN mode of the port, PVID or Native VLAN. In general, it is recommended to
configure the Native VLAN of the Trunk port as “1”. The configuration page is shown in figure 3-6.

Figure 3-6 VLAN configuration page

(4) Click the "save" button in the navigation bar to save the configuration.

3.1.3 VLAN configuration example


Configuration example:
Case requirements: Switch A and Switch B connect to each other through a trunk port. PCs in the same
VLAN can communicate with each other, and PCs in different VLANs are forbidden to communicate with each
other. The network topology is shown in figure 3-7.


Figure 3-7 network topology diagram

Switch A configuration:

Step 1: Configure eth0/9 as a Trunk port, with Native Vlan at the default of 1.

Select [switch] -> [VLAN] in the navigation bar to enter the interface configuration page. Select port eth0/9
and click the "edit" button to enter configuration mode, as shown in figure 3-8. Select Trunk for VLAN
mode; Native VLAN defaults to 1.

Figure 3-8 interface configuration page

Step 2: Create VLAN 10, VLAN 20, and add VLAN 10 and VLAN 20 to Trunk eth0/9.
Under the VLAN page, click "add" button to enter the VLAN edit page, as shown in figure 3-9. Enter
"10,20" in the dialog box, select port eth0/9 from Tagged member port, and click "apply" button to
complete the configuration.

Figure 3-9 VLAN configuration page

Step 3: Configure port eth0/1 VLAN mode for Access and PVID 10.
Under the interface page, select eth0/1 and click the "edit" button to enter the interface configuration page,
as shown in figure 3-10. VLAN mode is the default Access and PVID is configured as 10. Click the "apply"
button to complete the configuration.


Figure 3-10 VLAN configuration page

Step 4: Configure port eth0/2 VLAN mode as Access and PVID as 20.
The same as step 3, set eth0/2's VLAN mode as Access and PVID as 20. Click [apply] to complete the
configuration, and the VLAN page is shown in figure 3-11:

Figure 3-11 VLAN page

Step 5: Click the "save" button in the navigation bar to save the configuration.

Switch B configuration:
The configuration method is the same as for Switch A; eth0/9 and eth0/10 are configured as on Switch A.
Create VLAN 10 and VLAN 20 and complete the corresponding port configuration. After configuration, the
VLAN page is shown in figure 3-12.

Figure 3-12 VLAN page

3.2 ERPS

3.2.1 ERPS function overview


ERPS (Ethernet Ring Protection Switching protocol) is a network protection protocol developed by the
ITU, also known as G.8032. It is a link layer protocol for Ethernet ring networks. It can prevent broadcast
storms caused by data loops when the Ethernet ring is intact, and quickly restore communication
between the nodes of the Ethernet ring when one link is disconnected.
At present, STP is another technology for solving the layer 2 network loop problem. STP is more mature,
but its convergence time is longer (second level). ERPS is a link-layer protocol specially used in Ethernet
ring networks. Its layer 2 convergence performance is up to 50 ms, so it converges faster than STP.

Figure 3-13 typical ERPS networking

3.2.2 Introduction of ERPS principle


ERPS is a standard ring network protocol dedicated to the Ethernet link layer, with the ERPS ring as its basic unit.
Only two ports on each layer 2 switching device can join the same ERPS ring. In an ERPS ring, to prevent
loops, a loop-breaking mechanism can be started that blocks the RPL owner port and eliminates the loop. When
a link failure occurs in the ring network, the equipment running the ERPS protocol can quickly release the blocked
port, perform link protection switching, and recover link communication between the nodes in the ring
network. This section introduces the basic implementation principle of ERPS in single-ring
networking by example, following the process link normal -> link fault -> link
recovery (including the protection switching operation).

3.2.2.1 Link is normal


As shown in figure 3-14, all devices on the ring formed by Switch A ~ Switch E communicate normally.

Figure 3-14 ERPS link is normal

To prevent loops, ERPS first blocks the RPL owner port. If an RPL neighbor is configured, that
port is also blocked. Other ports forward traffic normally.

3.2.2.2 Link is fault


As shown in figure 3-15, when the link between Switch D and Switch E fails, the ERPS protocol starts the
protection switching mechanism, blocks the ports at both ends of the fault link, and then releases the RPL
owner port. The two ports resume the receiving and sending of user traffic, thus ensuring the
uninterrupted traffic.

Figure 3-15 ERPS link failure


3.2.2.3 Link recovery


When the link returns to normal, ERPS rings are configured with cut-back mode by default: the
device that owns the RPL owner port re-blocks traffic on the RPL link, and the original fault link is reused to
carry the user traffic.
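The normal -> fault -> recovery sequence for a single ring, as an added example (not code from the manual or the switch). The state names and the 5-minute automatic cut back are the ones this manual lists for the ERPS overview page; keeping the repaired link blocked while waiting to cut back follows G.8032 behaviour and is an assumption here, as are the class name, the single-failure limit and the choice of A-B as the RPL link.

```python
# Added example: single-ring ERPS behaviour (link normal -> link fault -> link recovery).

WTR_SECONDS = 300   # automatic cut back after 5 minutes ("Cut back" parameter)


class ErpsRing:
    def __init__(self, nodes, rpl_link):
        self.nodes = list(nodes)
        n = len(self.nodes)
        # Neighbouring nodes are directly connected; the last node closes the ring.
        self.links = [frozenset((self.nodes[i], self.nodes[(i + 1) % n])) for i in range(n)]
        self.rpl = frozenset(rpl_link)
        if self.rpl not in self.links:
            raise ValueError("RPL must be a link of the ring")
        self.failed = None          # link that failed (single failure only)
        self.state = "Idle"
        self.wtr_left = 0

    def link_fail(self, a, b):
        """A ring link goes down: its two ends are blocked, the RPL owner port is released."""
        link = frozenset((a, b))
        if link not in self.links:
            raise ValueError("not a ring link")
        self.failed, self.state = link, "Protection"

    def link_recover(self):
        """The failed link is healthy again: no fault, waiting to cut back."""
        if self.state == "Protection":
            self.state, self.wtr_left = "Pending", WTR_SECONDS

    def tick(self, seconds):
        """Advance time; cut back automatically when the wait expires."""
        if self.state == "Pending":
            self.wtr_left -= seconds
            if self.wtr_left <= 0:
                self.cut_back()

    def cut_back(self):
        """Manual or automatic cut back: re-block the RPL, reuse the repaired link."""
        if self.state == "Pending":
            self.state, self.failed = "Idle", None

    def blocked(self):
        """The one link that carries no user traffic in the current state."""
        return self.rpl if self.state == "Idle" else self.failed

    def forwarding(self):
        return [l for l in self.links if l != self.blocked()]

    def healthy(self):
        """True when the forwarding links reach every node and contain no loop."""
        fwd = self.forwarding()
        seen, todo = {self.nodes[0]}, [self.nodes[0]]
        while todo:
            cur = todo.pop()
            for link in fwd:
                if cur in link:
                    (other,) = link - {cur}
                    if other not in seen:
                        seen.add(other)
                        todo.append(other)
        return seen == set(self.nodes) and len(fwd) == len(self.nodes) - 1


if __name__ == "__main__":
    ring = ErpsRing(["A", "B", "C", "D", "E"], ("A", "B"))   # constructed sample ring
    print(ring.state, sorted(ring.blocked()), ring.healthy())
    ring.link_fail("D", "E")
    print(ring.state, sorted(ring.blocked()), ring.healthy())
    ring.link_recover()
    ring.tick(WTR_SECONDS)
    print(ring.state, sorted(ring.blocked()), ring.healthy())
```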

3.2.2.4 The types of ERPS ring


Single ring:
For example, in figure 3-16, there is only one ring in the network topology. There is one and only one RPL
owner and only one RPL link. All nodes need to have the same RAPS management VLAN.
• All devices in the ring should support the ERPS function.
• Links between devices in the ring network must be directly connected, without intermediate
equipment.

Figure 3-16 ERPS single-loop model

Tangent ring:
A network topology in which two or more rings share the same device. For example,
in figure 3-17, two rings in the network topology share one device. Each ring has only one blocking point,
and each ring has only one RPL link. Different rings should have different RAPS management VLANs.
• All devices in the ring need to support ERPS.
• Links between devices in the ring network must be directly connected, without intermediate equipment.

Figure 3-17 ERPS tangential ring model

Intersecting rings:
In a network topology, two or more rings share a link (the two intersecting nodes must be directly
connected, and no other nodes are allowed). Take figure 3-18 as an example: there are two rings in the
network topology. Each ring has one RPL owner node and each ring has one RPL link. Different rings
need to have different RAPS management VLANs.
• All devices in the ring need to support ERPS.
• Links between devices in the ring network must be directly connected, without intermediate
equipment.

3.2.3 ERPS configuration profile

• The spanning tree protocol and the ERPS protocol cannot be turned on at the same time.

3.2.3.1 ERPS management page


Click [exchange] -> [ERPS] in the navigation bar to enter the ERPS overview page, as shown in figure
3-19, and the specific description of parameter information is shown in table 3-8.

Figure 3-19 ERPS overview page

Table 3-7 description of ring configuration parameters


Configuration items           Instructions

Name                          The name of the ERPS ring.
Ring number                   Number of the ERPS ring.
State                         The current state of the ERPS ring, including:
                              Idle: idle state, no fault, cut back
                              Pending: no fault, waiting to cut back
                              Protection: failure condition protection
The previous event            Recent state machine events, including:
                              RAPA-NR: remote failover event
                              RAPA-NR-RB: remote backcut event
                              RAPA-SF: remote fault event
                              LOCAL-SF: local fault event
                              LOCAL-CLEAR-SF: native fault recovery event
                              WTR-EXP: native callback event
East interface                East-facing interface of the ERPS ring.
West interface                West-facing interface of the ERPS ring.
Cut back                      When the fault link recovers, you can choose to cut back manually and immediately;
                              otherwise the system will automatically cut back after 5 minutes.

3.2.3.2 ERPS ring configuration


In the ERPS page, click the "configure" button in the upper left corner to enter the ERPS ring
configuration page. Click the "add" button to add ERPS ring. After the configuration is completed, click the
"apply" button, as shown in Figure. 3-20.

Figure 3-20 ERPS ring configuration

Table 3-8 configuration parameters


Configuration items           Instructions

Ring number                   ERPS ring ID can be any number. Each ERPS ring must have a unique ring number.
East interface                Specify one port of the switch as the eastbound port.
West interface                Specify one port of the switch as the westbound port.

• East port and west port are relatively defined, without strict distinction, that is, the loop can
  enter and exit at this point.

After the configuration is completed, return to the ERPS ring configuration page. Click the "delete" button
after the ring entry to delete the ERPS ring, as shown in figure 3-21.

Figure 3-21 ERPS ring configuration

3.2.3.3 ERPS instance configuration


Click the "+ add" button of ERPS instance configuration to enter the ERPS instance configuration page.
After the configuration is completed, click the "apply" button, as shown in figure 3-22. Specific parameters
of the instance configuration are described in table 3-9.

Figure 3-22 ERPS instance configuration

Table 3-9 configuration parameters


Configuration items           Instructions

Name                          Instance names are in string format and need to be unique, such as number "1",
                              character "aa".
ID                            Configure the VLAN Instance for ERPS Instance protection. All VLANs belong to
                              Instance 0 by default. The default ID is 0.
Ring number                   The associated ring ID must be a ring already created.
Level                         ERPS priority, default is 0.
RAPS management VLAN          Each switch in the same ring must be configured with the same RAPS management
                              VLAN for transmitting ERPS protocol messages.
                              A RAPS management VLAN can be a virtual VLAN. It must be distinct from the
                              data VLANs and does not need to be actually created.
Data VLAN                     ERPS data VLANs: the VLANs that are allowed to be transferred in the ERPS
                              ring. They must be VLANs that already exist; if one does not exist, add it in the VLAN
                              configuration.
                              VLAN range configuration is supported, such as "1-3,5", which stands for VLAN 1, 2, 3, 5.
Owner interface               Main ring ERPS Owner node. Either the east interface or the west interface can be
                              chosen as the Owner node.
                              Each ERPS ring has only one device configured as an RPL owner node, and this
                              node controls the port that needs to be blocked.
Sub-ring blocking interface   Sub-ring blocking interface. A sub-ring has only one blocking interface; you can
                              choose the east or west interface.
                              This parameter needs to be configured only when the rings are tangential, and the
                              sub-ring of the two devices whose rings are tangential must set the sub-ring
                              blocking port.
Associated instance           Set to the ring ID that is tangent to the current sub-ring, only if the sub-ring blocking
                              port needs to be configured.

3.2.4 Examples of single ring configuration


Case requirements:
As shown in figure 3-21, three switches form a ring network, and port eth0/9 of S1 is configured as the default
blocking port. In case of failure, links can be restored in time to ensure network availability. The
data VLANs are 1, 2 and 3.

Figure 3-23 ERPS network topology

3.2.4.1 Configure switch S1


Step 1: Configure ports 9 and 10 as trunk port, Native Vlan as default value 1.
Select [switch] -> [VLAN] in the navigation bar to enter the interface configuration page,
select ports eth0/9 and eth0/10, and click the [edit] button to enter the configuration mode, as shown in
figure 3-24. Select "Trunk" for VLAN mode; Native VLAN defaults to "1".

Figure 3-24 port configuration page

Click the "apply" button, and the interface returned page is shown in figure 3-25.

Figure 3-25 port status display page

Step 2: Create VLAN 2, 3, 4 and add VLAN 2, 3, 4 to Trunk ports eth0/9, eth0/10.

On the VLAN page, as shown in figure 3-26, click the [add] button, enter "2-3" in ID, and select
eth0/9 and eth0/10 as tagged member ports.


Figure 3-36 create VLAN 2, 3, and 4

Click the "apply" button, and the interface returned page is shown in figure 3-37.

Figure 3-37 port status display page

Step 3: Create the ERPS ring ID and set up the east and west interface.
Select [exchange] -> [ERPS] in the navigation bar to enter the ERPS configuration page. Click the [+ add]
button to enter the ERPS ring configuration page, as shown in figure 3-28. Set the ring number to "1", the
east interface to "eth0/9", and the west interface to "eth0/10".

Figure 3-28 ERPS ring configuration page

Click the "apply" button to return to the following page, as shown in figure 3-29.

Figure 3-29 ERPS ring configuration display page

Step 4: Create an ERPS instance and set the ring name, number, blocking port and other parameters.
In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-30. Name "1", ring number "1", level "0", RAPS
management VLAN "1000", Owner interface "East", sub-ring blocking port "None".

Figure 3-30 ERPS instance configuration page

Click the "apply" button to return to the following page:

Figure 3-31 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

• In a single ring, only one blocking point needs to be set, and it is generally placed in the middle of
the ring.

3.2.4.2 Configure switch S2 and S3


Step 1: Configure ports 9 and 10 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] under [switch] in the navigation bar to enter the interface configuration page, select ports
"eth0/9" and "eth0/10", and click the "edit" button to enter the configuration mode, as shown in the figure.
Select "Trunk" for VLAN mode; Native VLAN defaults to "1".

Step 2: Create VLAN 2 and VLAN 3, and add VLAN 2 and VLAN 3 to Trunk ports eth0/9 and eth0/10.

Step 3: Create the ERPS ring and set up the east and west interfaces.
Select [ERPS] under [switch] in the navigation bar and enter the ERPS configuration page. Click the
[+ add] button to enter the ERPS ring configuration page, as shown in figure 3-27. Set the ring number to "1",
the east interface to "eth0/9", and the west interface to "eth0/10".

Step 4: Create an ERPS instance.
In the ERPS configuration page, select the instance configuration and click the [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-32. Name "1", ring number "1", level "0", RAPS
management VLAN "1000", Owner interface "None", sub-ring blocking port "None".

Figure 3-32 ERPS instance configuration display page

• Unlike on S1, the Owner interface (blocking point) of S2 and S3 is "None".

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.5 Examples of tangential ring configuration


The topology diagram is shown in figure 3-33. S1 is located in the central machine room, where it can be
monitored and maintained by administrators in real time, and it has high reliability. S2-S5 are distributed
across the deployment points. To improve the reliability of the network and to avoid both the single-point
fault risk of a single uplink and the single-device fault risk of a dual uplink, the deployment points are
connected as ring networks formed by dual uplinks. The data VLANs are 1, 2, 3 and 4. Each ring network must
converge rapidly when a single point of failure occurs, so that users' network service is not interrupted.

Figure 3-33 network topology

3.2.5.1 Divide main ring and sub-ring

• The ring ID of the primary ring and sub-ring must be different.


• The RAPS management VLANs within the primary and sub-ring must be different.

There is no strict distinction between the main ring and the sub-ring; generally one of the rings is taken
as the main ring and the other as the sub-ring. In this example, the ring composed of S1, S2 and S3 is
defined as the main ring: the ring number is "1", the blocking port is "eth0/9" of S2, and the RAPS
management VLAN is "1000". The ring composed of S1, S4 and S5 is the sub-ring: the ring number is "2",
the blocking port is "eth0/9" of S4, and the RAPS management VLAN is "1001". The specific parameters
are shown in table 3-10.

Table 3-10 Equipment parameters list


Equipment   Ring number   RAPS VLAN   Owner interface   Sub-ring blocking port   Associated instance
Switch S2   1             1000        Eth0/9            None                     \
Switch S3   1             1000        None              None                     \
Switch S1   1             1000        None              None                     \
            2             1001        None              None                     \
Switch S4   2             1001        Eth0/9            None                     \
Switch S5   2             1001        None              None                     \

3.2.5.2 Configure switch S1


Step 1: Configure ports 9, 10, 11, 12 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the VLAN configuration page. In
the interface configuration item, select ports eth0/9, eth0/10, eth0/11, eth0/12, and click the edit button to
enter the configuration mode, as shown in figure 3-34. Select "Trunk" for VLAN mode, Native VLAN
defaults to "1".

Figure 3-34 port configuration page

Click the "apply" button, and the interface page returned is shown in figure 3-35.

Figure 3-35 port status display page

Step 2: Create VLAN 2, 3, 4 and add VLAN 2, 3, 4 to Trunk ports eth0/9, eth0/10, eth0/11, and eth0/12.

In the VLAN page, click the [add] button, as shown in Figure 3-36, input “2-4” in ID, and for Tagged member
ports select eth0/9, eth0/10, eth0/11, and eth0/12.

Figure 3-36 create VLAN 2, 3, and 4

Click the "apply" button, and the interface returned page is shown in Figure 3-37.

Figure 3-37 port status display page

Step 3: Create the ERPS primary ring and sub-ring and set up east and west interface as “eth0/10”

(1) Create the primary ring

Select [ERPS] under [switch] in the navigation bar and enter the ERPS configuration page. Click the
[+ add] button to enter the ERPS ring configuration page, as shown in figure 3-38. Set the ring number to "1",
the east interface to "eth0/9", and the west interface to "eth0/10".

Figure 3-38 creates the ERPS primary ring

(2) Create sub-rings


Select [ERPS] under [switch] in the navigation bar and enter the ERPS configuration page. Click the
[+ add] button to enter the ERPS ring configuration page, as shown in figure 3-39. Set the ring number to "2",
the east interface to "eth0/11", and the west interface to "eth0/12".

Figure 3-39 creates an ERPS subring

Click the "apply" button to return to the following page:

Figure 3-40 ERPS ring configuration display page

Step 4: Create an ERPS instance

(1) Create ERPS instance 1


In the ERPS page, select the instance configuration and click [+ add] button to enter the ERPS instance
configuration page, as shown in figure 3-41. Name "1", ring number "1", level "0", RAPS management
VLAN "1000", Owner interface "None", sub ring blocking port "None".

Figure 3-41 ERPS instance configuration page

(2) Create ERPS instance 2


In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-42. Name "2", ring number "2", level "0", RAPS
management VLAN "1001", Owner interface "None", sub-ring blocking port "None".

Figure 3-42 ERPS instance configuration page

Click the "apply" button to return to the following page, as shown in Figure 3-43:

Figure 3-43 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.5.3 Configure switch S2


Step 1: Configure ports 9 and 10 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the VLAN configuration page. In
the interface configuration item, select ports eth0/9 and eth0/10, and click the [edit] button to enter the
configuration mode, as shown in the figure. Select "Trunk" for VLAN mode, Native VLAN defaults to "1".
Click the "apply" button, and the interface returned page is shown in figure 3-44.

Figure 3-44 port status display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk eth0/9 and eth0/10.
Under the VLAN option, click the "add" button, enter "2-4" in the ID, and for Tagged member ports select
eth0/9 and eth0/10. Click the "apply" button, and the returned page is shown in figure 3-45.

Figure 3-45 port status display page

Step 3: Create the ERPS ring and set up the east and west interfaces.
Select "ERPS" from the "switch" sub-item in the navigation bar and enter the ERPS configuration page.
Click the "+ add" button to enter the ERPS ring configuration page. Set the ring number to "1", the east
interface to "eth0/9", and the west interface to "eth0/10". Click the "apply" button, and the returned
page is shown in figure 3-46:

Figure 3-46 ERPS ring configuration display page

Step 4: Create an ERPS instance and set up the blocking port.


In the ERPS configuration page, select the instance configuration and click the [+ add] button to enter the
ERPS instance configuration page. The name is "1", ring number "1", level "0", RAPS management VLAN
"1000", Owner interface "East", and sub-ring blocking port "None". Click the "apply" button to return to
the page as shown in figure 3-47:

Figure 3-47 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.5.4 Configure switch S3


Step 1: Configure ports 9 and 10 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the interface configuration page,
select ports eth0/9 and eth0/10, and click the button of [edit] to enter the configuration mode. Select
"Trunk" for VLAN mode, Native VLAN defaults as "1". Click the "apply" button, and the interface returned
page is shown in figure 3-48.

Figure 3-48 port status display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk eth0/9 and eth0/10.
Under the VLAN page, click the [add] button, enter "2-4" in the ID, and for Tagged member ports tick eth0/9
and eth0/10. Click the "apply" button, and the returned page is shown in figure 3-49.

Figure 3-49 port status display page

Step 3: Create the ERPS ring and set up the east and west interface.
Select "ERPS" from the "switch" sub-item in the navigation bar and enter the ERPS configuration page.
Click "+ add" button to enter the ERPS ring configuration page. The ring number is set to "1", the east
interface to "eth0/9", and the west interface to "eth0/10". Click the "apply" button to return to the page as
shown in figure 3-50:

Figure 3-50 ERPS ring configuration display page

Step 4: Create an ERPS instance and set up the blocking port.


In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page. Set the name "1", ring number "1", level "0", RAPS management
VLAN "1000", Owner interface "None", sub-ring blocking port "None". Click the "apply" button to return to
the page as shown in figure 3-51:

Figure 3-51 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.5.5 Configure switch S4


Step 1: Configure ports 9 and 10 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the interface configuration page,
select ports eth0/9 and eth0/10, and click the button of [edit] to enter the configuration mode. Select
"Trunk" for VLAN mode, Native VLAN defaults to "1". Click the "apply" button, and the interface returned
page is shown in figure 3-52.

Figure 3-52 port status display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk ports eth0/9 and
eth0/10.
Under the VLAN page, click the "add" button, enter "2-4" in the ID, and for Tagged member ports select
eth0/9 and eth0/10. Click the "apply" button, and the returned page is shown in figure 3-53.

Figure 3-53 port status display page

Step 3: Create the ERPS ring and set up east and west interface
Select [ERPS] under [switch] in the navigation bar and enter the ERPS configuration page. Click the
[+ add] button to enter the ERPS ring configuration page, as shown in figure 3-54. Set the ring number to "2",
the east interface to "eth0/9", and the west interface to "eth0/10". Click the "apply" button to return to
the following page:

Figure 3-54 ERPS ring configuration display page

Step 4: Create an ERPS instance and set up the blocking port.


In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-55. Name "2", ring number "2", level "0", RAPS
management VLAN "1001", Owner interface "East", sub-ring blocking port "None".
Click the "apply" button to return to the following page:

Figure 3-55 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.5.6 Configure switch S5


Step 1: Configure ports 9 and 10 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] in the navigation bar [switch] to enter the interface configuration page, select ports eth0/9
and eth0/10, click the button [edit] to enter the configuration mode, as shown in the figure. Select "Trunk"
for VLAN mode, Native VLAN defaults to "1". Click the "apply" button, and the interface returned page is
shown in figure 3-56.

Figure 3-56 port status display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk eth0/9 and eth0/10.
Under the VLAN page, click the [add] button, enter "2-4" in the ID, and for Tagged member ports select
eth0/9 and eth0/10. Click the [apply] button, and the returned page is shown in figure 3-57.

Figure 3-57 port status display page

Step 3: Create the ERPS ring and set up the east and west interface.
Select [ERPS] under [switch] in the navigation bar and enter the ERPS configuration page. Click the
[+ add] button to enter the ERPS ring configuration page, as shown in figure 3-58. Set the ring number to "2",
the east interface to "eth0/9", and the west interface to "eth0/10". Click the "apply" button to return
to the following page:

Figure 3-58 ERPS ring configuration display page

Step 4: Create an ERPS instance and set up the blocking port.


In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-57. Name "2", ring number "2", level "0", RAPS
management VLAN "1001", Owner interface "None", sub ring blocking port "None".
Click the "apply" button to return to the following page, as shown in figure 3-59:

Figure 3-59 ERPS instance configuration display page

Step 5: Select the [save] button on the navigation bar and save the configuration.

3.2.6 Intersecting ring configuration example


As shown in figure 3-60, S1, S2, S3 and S4 form intersecting rings. The data VLANs are 1, 2, 3 and 4. The
network can tolerate at most two fault points (in different rings) without disconnecting any user, so as
to achieve the optimal reliability.

Figure 3-60 ERPS intersecting ring

3.2.6.1 Divide primary ring and sub-ring

• The ring ID of the primary and sub-ring must be different.

• The RAPS management VLANs within the primary and sub-ring must be different.

• In the sub-ring, the port corresponding to the link where the main ring intersects with the sub-ring must be set as the
blocking port, and the associated instance is set as the main ring.

There is no strict distinction between the primary ring and the sub-ring; generally one of the rings is
taken as the primary ring and the other as the sub-ring. In this example, the ring composed of S1, S2 and
S3 is defined as the primary ring: the ring number is "1", eth0/9 of S3 is the blocking point, and the
RAPS management VLAN is "1000". The ring composed of S1, S2 and S4 is the sub-ring: the ring number
is "2", eth0/9 of S4 is the blocking point, and the RAPS management VLAN is "1001". The intersecting
link of the two rings runs from eth0/9 of S1 to eth0/10 of S2. Specific parameters are described in table 3-11.

Table 3-11 equipment parameters list

Equipment   Ring number   RAPS VLAN   Owner interface   Sub-ring blocking port   Associated instance
Switch S1   1             1000        None              None                     \
            2             1001        None              Eth0/9                   1
Switch S2   1             1000        None              None                     \
            2             1001        None              Eth0/10                  1
Switch S3   1             1000        Eth0/9            None                     \
Switch S4   2             1001        Eth0/9            None                     \
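
The rules above and the two parameter tables (Table 3-10 for the tangent rings, Table 3-11 for the intersecting rings) can be checked mechanically before the values are entered on each switch. The following Python check is an added example, not part of the manual or of the switch software; `Instance` and `validate` are hypothetical names, the associated instance is identified by ring number because the manual names each instance after its ring, and the "one Owner interface per ring" and "same RAPS VLAN on every node of a ring" checks are read off the tables rather than stated as rules by the manual.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Instance:
    """One ERPS instance on one switch: a row of Table 3-10 / Table 3-11."""
    switch: str
    ring: int                         # ring number
    raps_vlan: int                    # RAPS management VLAN
    owner: Optional[str] = None       # Owner interface ("None" in the table -> None)
    sub_block: Optional[str] = None   # sub-ring blocking port
    assoc: Optional[int] = None       # associated instance (the main ring's instance)


def validate(plan):
    """Return the list of rule violations; an empty list means the plan is consistent."""
    errors = []
    rings = defaultdict(list)         # ring number -> instances
    vlan_users = defaultdict(set)     # RAPS VLAN   -> ring numbers using it
    seen = set()
    for inst in plan:
        if (inst.switch, inst.ring) in seen:
            errors.append(f"{inst.switch}: ring {inst.ring} configured twice")
        seen.add((inst.switch, inst.ring))
        rings[inst.ring].append(inst)
        vlan_users[inst.raps_vlan].add(inst.ring)

    for ring, members in sorted(rings.items()):
        vlans = sorted({m.raps_vlan for m in members})
        if len(vlans) > 1:
            errors.append(f"ring {ring}: nodes disagree on the RAPS VLAN {vlans}")
        owners = [m.switch for m in members if m.owner]
        if len(owners) != 1:
            errors.append(f"ring {ring}: needs exactly one Owner interface, found {len(owners)}")

    # Manual's rule: the RAPS management VLANs of the two rings must be different.
    for vlan, users in sorted(vlan_users.items()):
        if len(users) > 1:
            errors.append(f"RAPS VLAN {vlan} is shared by rings {sorted(users)}")

    by_key = {(m.switch, m.ring): m for m in plan}
    for a, b in combinations(sorted(rings), 2):
        shared = sorted({m.switch for m in rings[a]} & {m.switch for m in rings[b]})
        if len(shared) < 2:
            continue                  # tangent rings meet at one switch, no shared link
        # Intersecting rings: on the shared switches the sub-ring instance must set the
        # sub-ring blocking port and name the main ring as associated instance.
        subs = {r for r in (a, b) for s in shared if by_key[(s, r)].assoc is not None}
        if len(subs) != 1:
            errors.append(f"rings {a}/{b}: exactly one must be the sub-ring on {shared}")
            continue
        sub = subs.pop()
        main = b if sub == a else a
        for s in shared:
            inst = by_key[(s, sub)]
            if inst.sub_block is None:
                errors.append(f"{s}: sub-ring {sub} has no sub-ring blocking port")
            if inst.assoc != main:
                errors.append(f"{s}: sub-ring {sub} must be associated with instance {main}")
    return errors


TABLE_3_10 = [   # tangent rings, values from Table 3-10
    Instance("S2", 1, 1000, owner="eth0/9"), Instance("S3", 1, 1000),
    Instance("S1", 1, 1000), Instance("S1", 2, 1001),
    Instance("S4", 2, 1001, owner="eth0/9"), Instance("S5", 2, 1001),
]
TABLE_3_11 = [   # intersecting rings, values from Table 3-11
    Instance("S1", 1, 1000), Instance("S1", 2, 1001, sub_block="eth0/9", assoc=1),
    Instance("S2", 1, 1000), Instance("S2", 2, 1001, sub_block="eth0/10", assoc=1),
    Instance("S3", 1, 1000, owner="eth0/9"), Instance("S4", 2, 1001, owner="eth0/9"),
]
BROKEN = [       # constructed: Table 3-11 with typical data-entry mistakes
    Instance("S1", 1, 1000), Instance("S1", 2, 1001, sub_block="eth0/9", assoc=1),
    Instance("S2", 1, 1000), Instance("S2", 2, 1001),   # sub-ring port and association missing
    Instance("S3", 1, 1000, owner="eth0/9"),
    Instance("S4", 2, 1000),                            # wrong RAPS VLAN, no Owner interface
]

if __name__ == "__main__":
    for name, plan in (("3-10", TABLE_3_10), ("3-11", TABLE_3_11), ("broken", BROKEN)):
        print(name, validate(plan) or "OK")
```
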

3.2.6.2 Configure switch S1


Step 1: Configure ports 9, 10 and 11 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the VLAN configuration page.
Under the interface configuration option, check ports eth0/9, eth0/10 and eth0/11, and click the edit button
to enter the configuration mode, as shown in figure 3-61. Select "Trunk" for VLAN mode, Native VLAN
defaults to "1".

Figure 3-61 port configuration page

Click the "apply" button, and the interface returned page is shown in figure 3-62.

Figure 3-62 port status display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk ports eth0/9, eth0/10,
and eth0/11.
In the VLAN page, click the [add] button, input “2-4” in ID, and for Tagged member ports select eth0/9,
eth0/10, and eth0/11.

Figure 3-63 create VLAN 2, 3, and 4

Click the [apply] button, and the interface returned page is shown in figure 3-64.

Figure 3-64 VLAN state display page

Step 3: Create the ERPS primary ring and sub-ring and set up the east and west interface.
(1) Create the primary ring
Select [ERPS] under [switch] in the navigation bar and enter the ERPS configuration page. Click the
[+ add] button to enter the ERPS ring configuration page, as shown in figure 3-65. Set the ring number to "1",
the east interface to "eth0/9", and the west interface to "eth0/10".

Figure 3-65 ERPS ring configuration page

(2) Create sub-rings


Select "ERPS" from the "switch" sub-item in the navigation bar and enter the ERPS configuration page.
Click [+ add] button to enter the ERPS ring configuration page, as shown in figure 3-66. The ring number
is set as "2", the east interface set as "eth0/9", and the west interface set as "eth0/11". Note that
eth0/9 (the east interface) of the sub-ring needs to be configured as the sub-ring blocking port.

Figure 3-66 ERPS ring configuration page

Click the "apply" button to return to the following page:

Figure 3-67 ERPS ring configuration display page

Step 4: Create an ERPS instance and set up the blocking port.


(1) Create ERPS instance 1
In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page.

Figure 3-68 ERPS instance configuration page

As shown in figure 3-68, name "1", ring number "1", level "0", RAPS management VLAN "1000", Owner
interface "None", sub-ring blocking port "None".
(2) Create ERPS instance 2
In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-69. Name "2", ring number "2", level "0", RAPS
management VLAN "1001", Owner interface "None", sub-ring blocking port "East", associated instance
select "1".

Figure 3-69 ERPS instance configuration page

Click the "apply" button to return to the following page:

Figure 3-70 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.6.3 Configure switch S2


Step 1: Configure ports 9, 10 and 12 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the VLAN configuration page. In
the interface configuration options, select ports eth0/9, eth0/10, eth0/12, and click the edit button to enter
the configuration mode. Select "Trunk" for VLAN mode, Native VLAN defaults to "1". Click the "apply"
button, and the port interface returned page is shown in Figure 3-71.

Figure 3-71 port status display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk port eth0/9, eth0/10,
and eth0/12.
Under the VLAN page, click the "add" button, enter "2-4" in ID, for Tagged member ports select eth0/9,
eth0/10 and eth0/12, and click the "apply" button. The returned page is shown in figure 3-72.

Figure 3-72 port status display page

Step 3: Create the primary ring and sub-rings and set up the east and west interface.
(1) Create the primary ring
Select [ERPS] from the [switch] subitem in the navigation bar to enter the ERPS configuration page. Click
[+ add] button to enter the ERPS ring configuration interface. The ring number is set as "1", the east
interface is set as "eth0/9", and the west interface is set as "eth0/10".
(2) Create sub-rings
Select [ERPS] in the navigation bar [switch] and enter the ERPS configuration page. Click [+ add] to enter
the ERPS ring configuration page. The ring number is set as "2", the east interface is set as "eth0/10",
and the west interface is set as "eth0/12". Click the "apply" button to return to the following page:

Figure 3-73 ERPS ring configuration display page

Step 4: Create an ERPS instance and set up the blocking points.


(1) Create the primary ring instance

In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page. Name "1", ring number "1", level "0", RAPS management VLAN
"1000", Owner interface "None", sub-ring blocking port "None".
(2) Create a sub-ring instance
In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page. Name "2", ring number "2", level "0", RAPS management VLAN
"1001", Owner interface "None", sub ring blocking port "East", associated instance select "1". Click the
"apply" button to return to the following page, as shown in figure 3-74:

Figure 3-74 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.6.4 Configure switch S3


Step 1: Configure ports 9 and 10 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the [switch] sub-menu in the navigation bar to enter the VLAN interface configuration
page. In the interface configuration options, select ports eth0/9 and eth0/10, and click the [edit] button to
enter the configuration mode. Select "Trunk" for VLAN mode, Native VLAN defaults to "1". Click [apply]
button, and the interface returned page is shown in figure 3-75.

Figure 3-75 VLAN state display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk eth0/9 and eth0/10.
Under the VLAN page, click the "add" button, enter "2-4" in the ID, and for Tagged member ports tick
eth0/9 and eth0/10. Click the "apply" button, and the returned page is shown in figure 3-76.

Figure 3-76 port status display page

Step 3: Create ERPS ring 1 and set up the east and west port
Select "ERPS" from the "switch" sub-menu in the navigation bar and enter the ERPS configuration page.
Click "+ add" button to enter the ERPS ring configuration page, as shown in figure 3-77. The ring number
is set as "1", the east interface set as "eth0/9", and the west interface set as "eth0/10". Click the "apply"
button to return to the following page:

Figure 3-77 ERPS ring configuration display page

Step 4: Create an instance of ERPS ring 1


In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-78. Name "1", ring number "1", level "0", RAPS
management VLAN "1000", Owner interface "East", sub ring blocking port "None".
Click the "apply" button to return to the following page:

Figure 3-78 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.2.6.5 Configure switch S4


Step 1: Configure ports 9 and 10 as trunk ports, with Native VLAN at the default value 1.
Select [VLAN] from the submenu of [switch] in the navigation bar to enter the VLAN interface page. In the
interface configuration option, select ports eth0/9 and eth0/10, and click the edit button to enter the
configuration mode, as shown in the figure. Select "Trunk" for VLAN mode, Native VLAN defaults to "1".
Click the "apply" button, and the interface returned page is shown in figure 3-79.

Figure 3-79 interface status display page

Step 2: Create VLAN 2, VLAN 3, and VLAN 4, and add VLAN 2, 3, and 4 to Trunk eth0/9 and eth0/10.
Under the VLAN page, click the "add" button, enter "2-4" in the ID, and for Tagged member ports select
eth0/9 and eth0/10. Click the "apply" button, and the returned page is shown in figure 3-80.

Figure 3-80 VLAN status display page

Step 3: Create ERPS ring 2 and set up the east and west interface.
Select [ERPS] under [switch] in the navigation bar and enter the ERPS configuration page. Click the
[+ add] button to enter the ERPS ring configuration page, as shown in figure 3-81. Set the ring number to "2",
the east interface to "eth0/9", and the west interface to "eth0/10". Click the "apply" button to return to the
following page:

Figure 3-81 ERPS ring configuration display page

Step 4: Create ERPS instance 2


In the ERPS configuration page, select the instance configuration and click [+ add] button to enter the
ERPS instance configuration page, as shown in figure 3-82. Name "2", ring number "2", level "0", RAPS
management VLAN "1001", Owner interface "East", sub ring blocking port "None". Click the "apply"
button to return to the page as shown in figure 3-82:

Figure 3-82 ERPS instance configuration display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.3 IGMP Snooping


3.3.1 Overview
IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast constraint mechanism that
runs on layer 2 devices and is used to manage and control multicast groups.
A layer 2 device running IGMP Snooping analyzes the IGMP packets it receives, establishes a
mapping between ports and MAC multicast addresses, and forwards multicast data based on that
mapping. When the layer 2 device does not run IGMP Snooping, multicast data is broadcast at layer 2.
When the layer 2 device runs IGMP Snooping, the multicast data of a known multicast group
is not broadcast at layer 2, but is multicast to the specified recipients.
As shown in figure 3-83, IP multicast packets are broadcast in the VLAN when the layer 2 device does
not run IGMP Snooping. When the layer 2 device runs IGMP Snooping, IP multicast packets are sent
only to the group member recipients.

Figure 3-83 how IGMP Snooping works

3.3.2 IGMP Snooping configuration


3.3.2.1 IGMP global configuration instructions
(1) Select [switch] -> [IGMP Snooping] in the navigation bar, and click the "configuration" tab to enter
the global configuration page of IGMP Snooping, as shown in figure 3-84.
(2) Click the "disabled" button of IGMP Snooping to enable the global IGMP Snooping function.
(3) Click the "disabled" button of discard unknown multicast to enable the discard unknown multicast
function.

Figure 3-84 IGMP global configuration page

Table 3-11 Global configuration parameter description


Configuration items                              Instructions
IGMP Snooping   IGMP Snooping                    Turns the IGMP Snooping function on or off; it is off by default.
                Discard unknown multicast        Turns the discard unknown multicast function on or off.
                                                 An unknown multicast data packet is a multicast data packet that
                                                 has no matching forwarding entry in IGMP Snooping:
                                                 • When discarding unknown multicast is enabled, the switch
                                                   discards all received packets of unknown groups.
                                                 • When discarding unknown multicast is disabled, the switch
                                                   broadcasts the packet in the VLAN to which the unknown
                                                   multicast packet belongs.
                Topological change suppression   Turns topology change suppression on or off.

3.3.2.2 IGMP route port configuration instructions


(1) Select [switch] -> [IGMP Snooping] in the navigation bar, and click the "configuration" tab to enter
the IGMP route port display page, as shown in figure 3-85.

Figure 3-85 IGMP route port display page

Table 3-12 IGMP route port parameters


Configuration items            Instructions
IGMP route port   VID          The ID of the VLAN to which the multicast table entry belongs
                  Interface    All member ports
                  Delete       Delete the IGMP route

(2) Click the [add] button to enter the page for setting the IGMP route port, as shown in figure 3-86.
Configure the VID and select the port to be applied. Click the "apply" button to complete the configuration.

Figure 3-86 IGMP route port configuration page

3.3.2.3 IGMP static group configuration instructions


(1) Select [switch] -> [IGMP Snooping] in the navigation bar, and enter the IGMP static group display
page, as shown in figure 3-87.

Figure 3-87 IGMP static group display page

Table 3-13 IGMP static group parameter description


Configuration items                   Instructions
IGMP static group   VID               The ID of the VLAN to which the multicast table entry belongs
                    Group address     Multicast group address
                    Source address    Multicast source address
                    Interface         All member ports
                    Delete            Delete the IGMP static group

(2) Click the "add" button to enter the IGMP static group setting page, as shown in figure 3-88. Configure
the VID, group address, source address, and interface name. Click the "apply" button to complete the
configuration.

Figure 3-88 IGMP static group configuration page

3.3.3 Examples of configuration


Configuration example
Case requirements:
The video server uses 225.0.0.1 as the multicast source and plays video through a multicast data stream.
Users click to play video as needed. Video traffic should exist in the network only on the path between the
server and the clients that requested it, and no duplicate or invalid traffic is allowed, so as to maximize
the utilization of network bandwidth. The network topology is shown in figure 3-89. The layer 3 switch is
used as the multicast route device: it connects directly to the multicast source, has the multicast route
forwarding function enabled, and is configured with the multicast route protocol (see the corresponding
layer 3 switch product configuration manual for details). The layer 2 access switch is the user access
device. The data VLAN is the default VLAN 1, the uplink port is eth0/9, and the downlink ports are eth0/1
and eth0/2.

Figure 3-89 IGMP network topology

Step 1: Enable the IGMP Snooping function on Switch B.


Select "IGMP Snooping" from the "switch" subitem in the navigation bar, and enter the configuration page.
Click the "disable" button after "IGMP Snooping" to enable the IGMP Snooping function, as shown in
figure 3-90.

Figure 3-90 IGMP enable configuration page

Step 2: Enable discarding of unknown multicast on Switch B (optional)


Select "IGMP Snooping" in the "switch" subitem in the navigation bar, enter the configuration page, and
click "disable" button after "discard unknown multicast" to enable the function of discarding unknown
multicast, as shown in figure 3-91.

Figure 3-91 IGMP discarding unknown multicast configuration page

Step 3: Configure the IGMP route port on Switch B (optional)


Select "IGMP Snooping" from the "switch" sub-item in the navigation bar, and enter the configuration
page. Click the "add" button under "IGMP route port" to enter the route port adding page, as
shown in figure 3-92.

Figure 3-92 IGMP route interface configuration page

Click the "ok" button to return to the interface as shown in figure 3-93.

Figure 3-93 IGMP route port display page

Step 4: Configure IGMP static groups under Switch B (optional)

Select "IGMP Snooping" from the "switch" sub-item in the navigation bar, and enter the configuration
page. Click the "add" button under "IGMP route port" to enter the route port adding page, as
shown in figure 3-94:

Figure 3-94 IGMP static group configuration page

Click the "ok" button to return to the interface as shown in figure 3-95.

Figure 3-95 IGMP static group display page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.4 Spanning tree


3.4.1 Overview
Spanning tree protocol is a layer 2 management protocol, which eliminates the layer 2 loop by selectively
blocking redundant links in the network, and has the function of link backup.

Like many other protocols, spanning tree protocols are constantly being updated as networks evolve,
from the original STP (Spanning Tree Protocol) to RSTP (Rapid Spanning Tree Protocol) to the latest
MSTP (Multiple Spanning Tree Protocol).

In layer 2 Ethernet, there can only be one active path between two LANs; otherwise there will be a
broadcast storm. However, to enhance the reliability of a LAN, it is necessary to establish
redundant links, some of which must be in a backup state. If the network fails and an active link goes
down, a redundant link must be promoted to the active state. Controlling such a process manually is
obviously a lot of hard work, and STP does it automatically. It enables a device in a LAN to do the following:
• Discover and activate an optimal tree topology for the LAN.
• Discover failures and recover from them, automatically updating the network topology so that the best
possible tree structure is selected at all times.

3.4.2 Spanning tree configuration


The spanning tree module provides the global configuration, MST configuration, instance, interface, etc.
The state and configuration page are shown in figure 3-96~101, and the detailed parameters are shown
in table 3-14~18:

Figure 3-96 spanning tree overview

Table 3-14 overview parameter description of spanning tree


| Group | Configuration item | Instructions |
|---|---|---|
| General | Name | The name of the interface |
| | Instance | Hardware instance ID |
| | Version | Interface spanning tree protocol version |
| | Role | Interface spanning tree role, including: Root: root port, the interface that connects towards the root bridge; Designated: designated port, the port that connects to the root port; Alternate: alternate port, the alternate for the root port; Backup: backup port; Disable: the port is down or the spanning tree protocol is disabled on the port |
| | State | Interface spanning tree state, including: Forwarding: forward; Discarding: discard; Learning: learning; Listening: listen |
| | Root Bridge ID | Root Bridge ID |
| | Region Root Bridge ID | Region Root Bridge ID |
| | Designate Bridge ID | Designate Bridge ID |
| | Remove | Clear negotiated protocol version information |

Figure 3-97 global configuration page


Table 3-15 Global configuration parameter description


| Group | Configuration item | Instructions |
|---|---|---|
| Global configuration | Mode | Set the working mode of STP, including STP, RSTP, and MSTP. STP: in STP mode, each port of the device sends out STP BPDU messages. RSTP: in RSTP mode, each port of the device sends out RSTP BPDU messages; when a port is found to be connected to a device running STP, it automatically migrates to STP mode. MSTP: in MSTP mode, each port of the device sends out MSTP BPDU messages; when a port is found to be connected to a device running STP, it automatically migrates to STP mode |
| | State | Set whether to enable global STP functionality |
| | BPDU protection | Set whether to enable global BPDU protection. Enabling the BPDU protection function prevents malicious attacks on the device with forged configuration messages and avoids network oscillation |
| | BPDU filter | Turn BPDU filtering on or off |
| | Maximum hops | Set the maximum number of hops for the MST domain, which determines the size of the MST domain. This parameter only takes effect in the domain if it is configured on the domain root, not on a non-root device |
| | Forward Delay | Set the delay time for device state migration |
| | Hello Time | Set the period for sending hello messages to detect link faults |
| | Max Age | Set the maximum length of time messages are held on the device |
| | Priority | The bridge priority |
| | Forward threshold | The maximum number of BPDU messages sent by the bridge per second |
| | Timeout disable on the error port | Configure the error port automatic disable feature |
| | Error port disable timeout | Configure the time after which an automatically disabled error port is re-enabled |

Figure 3-98 MST configuration page

Table 3-16 MST configuration parameters


| Group | Configuration item | Instructions |
|---|---|---|
| MST configuration | Domain name | Set the domain name for the MST domain. By default, the domain name for the MST domain is "Default" |
| | Revision level | Set the revision level for the MST domain |

Figure 3-99 instance configuration page

Table 3-17 instance configuration parameter description

| Group | Configuration item | Instructions |
|---|---|---|
| Instance | ID | Instance ID |
| | VLAN list | All VLANs associated with the instance, shown as a list |
| | Priority | The priority of the bridge in the current instance |
| | Edit | Click to edit the instance |
| | Delete | Click to delete this instance |

Figure 3-100 instance creation page

Figure 3-101 Interface status display page


Table 3-18 Interface parameter description


| Group | Configuration item | Instructions |
|---|---|---|
| Interface | Name | The name of the interface |
| | Instance | Interface associated instance ID |
| | State | Spanning tree switching state of the interface |
| | TCN segment limit | Configure topology change notification message suppression |
| | Priority | Configure interface priority |
| | Path overhead | Configure interface path overhead |
| | Link type | Configure the interface link type |
| | Root protection | Configure the interface to enable root protection |
| | Automatic edge interface | Configure the interface's ability to automatically identify an edge interface |
| | Edge interface | Configure the interface as an edge interface |
| | Fast port | Configure the interface as a fast interface |
| | BPDU filter | Configure the interface to turn on BPDU filtering |
| | BPDU protection | Configure the interface to turn on BPDU protection |

Figure 3-102 Interface configuration page

3.4.2 Configuration examples


3.4.2.1 Networking requirements


MSTP is configured so that messages of different VLANs in figure 3-103 are forwarded along different
spanning tree instances. The specific configuration is:
• All devices in the network belong to the same MST domain;
• VLAN 20 messages are forwarded along instance 0, VLAN 10 messages along instance 1, VLAN 30
messages along instance 3, and VLAN 40 messages along instance 4.
The parameter configuration of each device is shown in table 3-18:

Table 3-19 equipment parameters list

| Equipment | VLAN | Instance | Port |
|---|---|---|---|
| Switch A | 10 | 1 | Eth9, eth0/10 |
| | 20 | 0 | Eth9, eth0/10, eth0/11 |
| | 30 | 3 | Eth9, eth0/11 |
| | 40 | 4 | eth9 |
| Switch B | 10 | 1 | Eth0/10, eth0/11 |
| | 20 | 0 | Eth9, eth0/10, eth0/11 |
| | 30 | 3 | Eth9, eth0/10 |
| | 40 | 4 | eth10 |
| Switch C | 10 | 1 | |
| | 20 | 0 | Eth9, eth0/10, eth0/11 |
| | 30 | 3 | Eth10, eth0/11 |
| | 40 | 4 | eth9 |
| Switch D | 10 | 1 | Eth9, eth0/11 |
| | 20 | 0 | Eth9, eth0/10, eth0/11 |
| | 30 | 3 | |
| | 40 | 4 | eth10 |

Figure 3-103 MSTP network topology


• The note "Allow vlan" on a link in the figure indicates which VLANs' messages are allowed to pass through the link.

3.4.2.2 Configure Switch A


Step 1: Select [switch] [VLAN] in the navigation bar and configure ports 9, 10 and 11 as trunk ports and
Native VLAN as default value 1 in the interface configuration page.

Figure 3-104 VLAN mode configuration page

Step 2: In the VLAN page, click "add" button to create VLAN 10,20,30,40, as shown in figure 3-105.

Figure 3-105 VLAN creation page

Click the "apply" button to return to the page as shown in the figure. At this time, all ports will be
added to the VLAN by default.

Figure 3-106 VLAN state display page

Select VLAN 10 and click the [edit] button to enter the edit page. Delete eth0/11, then click "apply" to
return to the following page.

Figure 3-107 VLAN state display page


Step 3: Select [switch] > [spanning tree], click the [instance] tab, and click the [add] button. As
shown in the figure below, set the ID to "1" and the VLAN list to "10", keep the default priority, and
click the "apply" button to save the configuration.

Figure 3-108 spanning tree instance configuration page

In the same way, create instances 3 and 4 with corresponding VLAN lists of 30 and 40. The list of
successfully created instances is as shown in the figure.

Figure 3-109 spanning tree instance display page

• VLANs that are not associated with any instance default to instance 0.

Step 4: In the current page, click the "global configuration" tab, select mode as "MSTP", state as "Enable",
select default for other parameters, and click the "apply" button to complete the configuration.

Figure 3-110 spanning tree global configuration page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.4.2.3 Configure Switch B


Step 1: Refer to Switch A to configure ports 9, 10, and 11 as trunk ports with the Native VLAN at its
default value of 1.
Step 2: Create VLAN 10, 20, 30, 40 and add the corresponding ports to the VLAN, as shown in the figure.

Figure 3-111 VLAN status display page

Step 3: Select [switch] > [spanning tree], click the [instance] tab, and click the [add] button. As
shown in the figure below, ID is "1", VLAN list is "10", the default parameters are used for priority, and
click the "apply" button to save the configuration.

Figure 3-112 spanning tree instance display page

Step 4: In the current page, click the "global configuration" tab, select mode as "MSTP", state as "Enable",
select default for other parameters, and click the "apply" button to complete the configuration.

Figure 3-113 spanning tree global configuration page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.4.2.4 Configure Switch C


Step 1: Refer to Switch A to configure ports 9, 10, and 11 as trunk ports with the Native VLAN at its
default value of 1.
Step 2: Create VLAN 10, 20, 30, 40 and add the corresponding ports to the VLAN, as shown in the figure.


Figure 3-114 VLAN state display page

Step 3: Select [switch] > [spanning tree], click the [instance] tab, and click the [add] button. As
shown in the figure below, ID is "1", VLAN list is "10", the default parameters are used for priority, and
click the "apply" button to save the configuration.

Figure 3-115 spanning tree instance display page

Step 4: In the current page, click the "global configuration" tab, select mode as "MSTP", state as
"Enable", select default for other parameters, and click the "apply" button to complete the configuration.

Figure 3-116 spanning tree global configuration page

Step 5: Select the "save" button on the navigation bar and save the configuration.

3.4.2.5 Configure Switch D


Step 1: Refer to Switch A to configure ports 9, 10, and 11 as trunk ports with the Native VLAN at its
default value of 1.
Step 2: Create VLAN 10, 20, 30, 40 and add the corresponding ports to the VLAN, as shown in the figure.

Figure 3-117 VLAN status display page


Step 3: Select [switch] > [spanning tree], click the [instance] tab, and click the [add] button. As
shown in the figure below, ID is "1", VLAN list is "10", the default parameters are used for priority, and
click the "apply" button to save the configuration.

Figure 3-118 spanning tree instance display page

Step 4: In the current page, click the "global configuration" tab, select mode as "MSTP", state as
"Enable", select default for other parameters, and click the "apply" button to complete the configuration.

Figure 3-119 spanning tree global configuration page

Step 5: Select the "save" button on the navigation bar and save the configuration.
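
The four switches form one MST domain only if they agree on the domain name, the revision level and the complete VLAN-to-instance mapping, which MSTP bridges compare through the IEEE 802.1Q configuration digest. The following added example (not part of the manual or of the vendor's software) computes that identity for the instance plan above and reports any switch that differs; the revision level 0 and the incomplete Switch C entry are constructed for illustration.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key that IEEE 802.1Q defines for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(text):
    """Expand a VLAN list such as "10,20-25" into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def mst_config_id(region_name, revision, instances):
    """Return the (name, revision, digest) triple that defines an MST domain.

    instances maps an instance ID to its VLAN list string. VLANs that are not
    listed stay in instance 0.
    """
    table = [0] * 4096  # index is the VLAN ID; entries 0 and 4095 stay 0
    for instance_id, vlan_text in instances.items():
        if not 1 <= instance_id <= 4094:
            raise ValueError(f"invalid instance ID: {instance_id}")
        for vid in parse_vlan_list(vlan_text):
            if table[vid] != 0:
                raise ValueError(f"VLAN {vid} is mapped to two instances")
            table[vid] = instance_id
    raw = b"".join(entry.to_bytes(2, "big") for entry in table)
    digest = hmac.new(MST_DIGEST_KEY, raw, hashlib.md5).hexdigest()
    return (region_name, revision, digest)


def find_region_mismatches(switches, reference):
    """Return the switches whose MST identity differs from the reference switch."""
    expected = mst_config_id(*switches[reference])
    return sorted(
        name for name, config in switches.items()
        if mst_config_id(*config) != expected
    )


# Instance plan from the example above: 1 -> VLAN 10, 3 -> VLAN 30, 4 -> VLAN 40.
PLAN = {1: "10", 3: "30", 4: "40"}

# Constructed inventory. The domain name "Default" is the page's default value;
# revision 0 is an assumption. Switch C deliberately lacks instances 3 and 4.
SWITCHES = {
    "Switch A": ("Default", 0, PLAN),
    "Switch B": ("Default", 0, PLAN),
    "Switch C": ("Default", 0, {1: "10"}),
    "Switch D": ("Default", 0, PLAN),
}

if __name__ == "__main__":
    for name, config in SWITCHES.items():
        print(name, mst_config_id(*config))
    print("outside Switch A's domain:", find_region_mismatches(SWITCHES, "Switch A"))
```

A switch reported here would treat its neighbours as a separate domain, so its VLANs would not follow the per-instance forwarding paths planned in table 3-19.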

3.5 MAC management


3.5.1 Overview
An Ethernet switch parses the destination MAC address of each message, looks it up in the MAC address
table, and sends the message to the corresponding port. The MAC address table records the MAC address,
interface, and VLAN ID of the devices connected to the switch. Based on the result of the MAC address
table lookup, the switch forwards a message as known unicast or unknown broadcast.

Known unicast: the Ethernet switch finds the table entry corresponding to the destination MAC address and
VLAN ID of the message in the MAC address table, and the output port in the entry is unique; the
message is output directly from that port.


Unknown broadcast: the Ethernet switch does not find a table entry for the destination MAC address in
the MAC address table, so the message is sent out of all other ports in the VLAN except the port on
which it was received.

The MAC addresses of an Ethernet switch can be obtained dynamically or statically, usually dynamically.
The working principle of dynamic MAC address learning is presented by analyzing the interaction
between user A and user C.
As shown in figure 3-120, user A sends a message to port eth0/1 of the switch, and the Ethernet switch
learns user A's MAC address into the MAC address table. Since user C's MAC address is not yet in the
address table, the Ethernet switch broadcasts the message to all ports belonging to VLAN 1 except
eth0/1, to which user A is connected. This includes the ports of user B and user C, so user B receives
a message from user A that is not addressed to it.

Figure 3-120 unknown broadcast 1

Current dynamic MAC address table information is shown in table 3-20:

Table 3-20 Equipment parameters list


| User | VLAN | MAC address | Port |
|---|---|---|---|
| User A | 1 | 000e.c6c1.c8ab | eth0/1 |

As shown in figure 3-121, after receiving the message, user C replies to user A through port eth0/2 of
the Ethernet switch. At this time user A's MAC address already exists in the MAC address table of the
Ethernet switch, so the message is forwarded as unicast to port eth0/1, and the Ethernet switch learns
user C's MAC address at the same time. The difference is that user B does not receive the message sent
from user C to user A.

Figure 3-121 unknown broadcast 2


Current dynamic MAC address table information is shown in table 3-21:

Table 3-21 equipment parameters list


| User | VLAN | MAC address | Port |
|---|---|---|---|
| User A | 1 | 000e.c6c1.c8ab | eth0/1 |
| User C | 1 | 000e.c6c1.c8ad | eth0/2 |

After an interaction between user A and user C, the device learns the source MAC address of user A and
user C. After that, the message interaction between user A and user C is forwarded by unicast, and user
B will no longer receive the interactive message between user A and user C.

3.5.2 Configure the MAC address


MAC address table entries are divided into static MAC address table entries, dynamic MAC address
table entries and filtering MAC address table entries.
Static MAC address table entries: manually configured by the user; the entries do not age.
Dynamic MAC address table entries: include user-configured entries and entries the device learned from
source MAC addresses; the entries have an aging time.
Filtering MAC address table entries: used to discard messages containing a specific MAC address (for
example, for security reasons, a user can be blocked from receiving packets). They are manually
configured by the user and do not age.
Select [switch] > [MAC management] from the navigation bar to enter the MAC management page, as
shown in the figure below. All MAC management parameters are shown in table 3-22.


Table 3-22 MAC address management parameters


| Group | Configuration item | Instructions |
|---|---|---|
| Aging time | Name | Aging time, in seconds |
| | Value | <30,1000>; the default aging time is 300 seconds, and a MAC address is aged out by the system within 300 to 600 seconds after it was last updated |
| | Apply | Click to make the configuration take effect |
| Static address | MAC address | Static MAC address configuration, in a format such as: 00-00-00-00-01 |
| | VID | VLAN property of the MAC address |
| | Interface | Port property of the MAC address |
| | Delete | Remove the static MAC address |
| Filter addresses | MAC address | Filtering MAC address configuration, in a format such as: 00-00-00-00-01 |
| | VID | VLAN property of the MAC address |
| | Delete | Remove the filtered MAC address |

3.5.3 MAC address configuration examples


Configuration example:
Case requirements: all messages with destination MAC address 000e.c6c1.c8ab in VLAN 1 are forwarded
from port eth0/1, while messages with MAC address 000e.c6c1.c8cc in VLAN 10 are filtered.

Step 1: Create the static MAC address, MAC: 000e.c6c1.c8ab, VLAN 1, eth0/1.

Select [switch] -> [MAC management] in the navigation bar to enter the MAC address configuration page.
In the static address item, click "add" button, and then configure the MAC address, VID and interface
successively as shown in figure 3-122.
Figure 3-122 Static address configuration


Click the "apply" button to complete the configuration and return to the page as shown in figure 3-123.

Figure 3-123 static address display

Step 2: Create the filter MAC address, MAC: 000e.c6c1.c8cc, VLAN 10

Select [switch] -> [MAC management] in the navigation bar to enter the MAC address configuration
page. In the address filtering item, click the "add" button.

Figure 3-124 static address display

Click the [apply] button to complete the configuration, and the return page is shown in figure 3-125.

Figure 3-125 static address display

Step 3: Select the "save" button on the navigation bar and save the configuration.
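
The learning walk-through in 3.5.1 and the static and filtering entries of 3.5.2 and 3.5.3 can be traced with a small model of the forwarding decision. This is an added example, not the switch's own code: user B's MAC address and port eth0/3 are assumptions (the page does not give them), and aging is simplified to a single fixed timeout.

```python
def normalize_mac(mac):
    """Accept 000e.c6c1.c8ab or 00-0e-c6-c1-c8-ab style input; return 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class MacTable:
    def __init__(self, vlan_ports, aging_time=300):
        self.vlan_ports = vlan_ports   # VLAN ID -> set of member ports
        self.aging_time = aging_time   # seconds; 300 is the page's default
        self.static = {}               # (vlan, mac) -> port, never ages
        self.filtered = set()          # (vlan, mac), never ages
        self.dynamic = {}              # (vlan, mac) -> (port, last_seen)

    def add_static(self, mac, vlan, port):
        self.static[(vlan, normalize_mac(mac))] = port

    def add_filter(self, mac, vlan):
        self.filtered.add((vlan, normalize_mac(mac)))

    def _age(self, now):
        # Simplification: an entry expires exactly aging_time seconds after its
        # last update (the page describes a 300 to 600 second window).
        expired = [key for key, (_, seen) in self.dynamic.items()
                   if now - seen >= self.aging_time]
        for key in expired:
            del self.dynamic[key]

    def receive(self, src, dst, vlan, in_port, now=0):
        """Process one message and return the sorted list of output ports."""
        src_key = (vlan, normalize_mac(src))
        dst_key = (vlan, normalize_mac(dst))
        if src_key in self.filtered or dst_key in self.filtered:
            return []                  # filtering entry: discard the message
        self._age(now)
        if src_key not in self.static:  # learn or refresh the source address
            self.dynamic[src_key] = (in_port, now)
        if dst_key in self.static:
            out = self.static[dst_key]
        elif dst_key in self.dynamic:
            out = self.dynamic[dst_key][0]
        else:                          # unknown destination: flood in the VLAN
            return sorted(self.vlan_ports[vlan] - {in_port})
        return [] if out == in_port else [out]


USER_A = "000e.c6c1.c8ab"    # on eth0/1, from the page
USER_B = "000e.c6c1.c8ac"    # constructed address; port eth0/3 is an assumption
USER_C = "000e.c6c1.c8ad"    # on eth0/2, from the page
BLOCKED = "000e.c6c1.c8cc"   # filter address from the configuration example


def walkthrough():
    ports = {"eth0/1", "eth0/2", "eth0/3"}
    table = MacTable({1: set(ports), 10: set(ports)})
    results = {}
    results["A->C first"] = table.receive(USER_A, USER_C, 1, "eth0/1", now=0)
    results["C->A reply"] = table.receive(USER_C, USER_A, 1, "eth0/2", now=1)
    results["A->C again"] = table.receive(USER_A, USER_C, 1, "eth0/1", now=2)
    results["A->C after aging"] = table.receive(USER_A, USER_C, 1, "eth0/1", now=400)
    table.add_static(USER_A, 1, "eth0/1")
    results["B->A static"] = table.receive(USER_B, USER_A, 1, "eth0/3", now=2000)
    table.add_filter(BLOCKED, 10)
    results["to filtered"] = table.receive(USER_A, BLOCKED, 10, "eth0/1", now=2001)
    results["from filtered"] = table.receive(BLOCKED, USER_A, 10, "eth0/2", now=2002)
    return results


if __name__ == "__main__":
    for step, out_ports in walkthrough().items():
        print(f"{step:18} -> {out_ports}")
```

The "after aging" step shows why user B can again see traffic between A and C once the dynamic entries expire, while the static entry keeps forwarding to eth0/1 regardless of aging.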

3.6 QinQ
3.6.1 Overview
QinQ is short for 802.1Q in 802.1Q. It is a layer 2 tunneling protocol based on IEEE 802.1Q technology.
By encapsulating the messages of a user's private network with an outer VLAN Tag, it lets them pass
through the carrier's backbone network (also called the public network) with two layers of VLAN Tag.
This provides users with a simple layer 2 VPN tunnel technology, and also allows operators to use one
VLAN to provide service for users who have multiple VLANs.

3.6.1.1 QinQ's background and advantages


In the VLAN Tag field defined by IEEE 802.1Q, only 12 bits are used to represent VLAN IDs, so at most
4094 VLANs can be represented. But in practical applications, especially in a MAN, a large number of
VLANs is needed to isolate users, and 4094 VLANs are far from meeting the need. QinQ enables the entire
network to provide up to 4094×4094 VLANs, thus meeting the demand of the MAN for the number of VLANs.
It has the following advantages:
• It alleviates the shortage of public network VLAN ID resources.
• Users can plan their private VLAN IDs without causing conflicts with public VLAN IDs.
• It provides a simple and flexible VPN solution for small MANs and enterprise networks.
• When the operator upgrades the network, the user network does not have to change its
original configuration, so the user network has strong independence.

3.6.1.2 QinQ's implementation principles


During transmission over the public network, the device forwards messages according to the outer
VLAN Tag only, and learns the source MAC address of each message into the MAC address table of the
outer VLAN, while the user's private network VLAN Tag is transmitted as part of the message's data.

FIG. 3-126 QinQ network diagram of typical application


As shown in figure 3-126, the private network VLANs of user networks A and B are VLAN 1 ~ 10 and VLAN
1 ~ 20, respectively. The VLANs assigned by the operator to user networks A and B are VLAN 3 and
VLAN 4, respectively. When tagged messages from networks A and B enter the operator's network, VLAN
tags for VLAN 3 and VLAN 4 are encapsulated on the outside of the messages. In this way, messages from
different user networks are completely separated while they are transmitted in the operator's network;
even if the VLAN ranges of these user networks overlap, there is no conflict when they are transmitted
in the operator's network.

3.6.1.3 The message structure of QinQ


As shown in figure 3-127, QinQ packets are transmitted with a double-layer VLAN Tag in the operator
network:
• Inner VLAN Tag: the private network VLAN Tag of the user.
• Outer VLAN Tag: the public network VLAN Tag assigned to the user by the operator.

FIG. 3-127 QinQ's packet structure


3.6.1.4 QinQ's implementation mode


QinQ can be implemented in the following two ways:
1. Basic QinQ
Basic QinQ is implemented per port. After the basic QinQ function is configured on a port, the device
adds the Tag of the port's default VLAN to every message received on that port, regardless of whether
the message already carries a VLAN Tag:
• If a message is received with a VLAN Tag, it becomes a double-tagged message;
• If a message is received without a VLAN Tag, it becomes a message carrying the port's default
VLAN Tag.

2. Flexible QinQ
Flexible QinQ is implemented based on the combination of port and VLAN. It extends the functions of
QinQ and is a more flexible implementation of QinQ. In addition to all the functions of basic QinQ,
flexible QinQ can perform different operations on packets received from the same port according to
their VLANs, including:
• Adding different outer VLAN tags for messages with different inner VLAN IDs.
• Marking the 802.1p priority of the outer VLAN according to the 802.1p priority of the inner VLAN
of the message.
By using flexible QinQ technology, the operator network and the user network are isolated while rich
business characteristics and more flexible networking are provided at the same time.
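
The double-tag packet structure of 3.6.1.3 and the two implementation modes above can be followed at byte level. This is an added example, not the device's implementation: it assumes both tags use TPID 0x8100 (the page does not state the outer TPID) and that a frame matching no flexible rule is handled like basic QinQ; the outer VLANs 3 and 4 come from 3.6.1.2, the CVID-to-SVID rules from the page's second configuration case, and the frames are constructed.

```python
import struct

# Assumption: both tags use TPID 0x8100; the page does not state the outer TPID.
TPID = 0x8100


def make_tag(vid, pcp=0):
    """Encode one 4-byte VLAN tag: TPID, 3-bit priority, DEI 0, 12-bit VLAN ID."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID must be 1-4094 and priority 0-7")
    return struct.pack("!HH", TPID, (pcp << 13) | vid)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame as the user network sends it (zero or one tag)."""
    tag = make_tag(vid, pcp) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(priority, vlan_id), ...] outermost first, inner EtherType)."""
    tags, offset = [], 12
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID:
            return tags, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tci >> 13, tci & 0x0FFF))
        offset += 4


def push_outer_tag(frame, svid, pcp=0):
    """Insert a new outer tag directly after the two MAC addresses."""
    return frame[:12] + make_tag(svid, pcp) + frame[12:]


def pop_outer_tag(frame):
    """Remove the outer tag when the frame leaves the operator network."""
    if not parse_tags(frame)[0]:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def basic_qinq(frame, port_default_vlan):
    """Basic QinQ: every frame gets the port's default VLAN as its outer tag."""
    return push_outer_tag(frame, port_default_vlan)


def flexible_qinq(frame, rules, port_default_vlan):
    """Flexible QinQ: pick the outer VLAN from the inner VLAN ID and copy the
    inner 802.1p priority. rules is a list of (cvid_first, cvid_last, svid).
    Assumption: a frame matching no rule is handled like basic QinQ."""
    tags, _ = parse_tags(frame)
    if tags:
        pcp, cvid = tags[0]
        for first, last, svid in rules:
            if first <= cvid <= last:
                return push_outer_tag(frame, svid, pcp)
    return push_outer_tag(frame, port_default_vlan)


def forwarding_vlan(frame):
    """The operator network forwards on the outer tag only."""
    tags, _ = parse_tags(frame)
    return tags[0][1] if tags else None


# Constructed sample frames (MAC addresses and payloads are made up).
DST = bytes.fromhex("000ec6c1c8ad")
SRC = bytes.fromhex("000ec6c1c8ab")
FRAME_A = build_frame(DST, SRC, 0x0800, b"user A data", vid=5)
FRAME_B = build_frame(DST, SRC, 0x0800, b"user B data", vid=5)
IPTV = build_frame(DST, SRC, 0x0800, b"iptv", vid=150, pcp=5)

# CVID 1-100 -> SVID 100 and CVID 101-200 -> SVID 200, as in the second case.
RULES = [(1, 100, 100), (101, 200, 200)]

if __name__ == "__main__":
    print(parse_tags(basic_qinq(FRAME_A, 3)))   # user network A, outer VLAN 3
    print(parse_tags(basic_qinq(FRAME_B, 4)))   # user network B, outer VLAN 4
    print(parse_tags(flexible_qinq(IPTV, RULES, 1)))
```

Both user networks use inner VLAN 5 here, yet the frames stay separate in the operator network because forwarding and MAC learning use only the outer VLAN 3 or 4.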

3.6.2 QinQ configuration


View the QinQ overview
Select [switch] > [QinQ] in the navigation bar to enter the page shown in figure 3-128. The QinQ
configuration is shown in the [configuration] tab, and the parameters are described in table 3-23.

FIG. 3-128 QinQ overview

Table 3-23 QinQ overview parameter instructions


| Configuration items | Instructions |
|---|---|
| Name | QinQ rule name |
| Classification | QinQ category. Stacking: multilayer tag stacking mode; Mapping: tag replacement mode |
| List of rules | List of mapping rules |
| Application | Application information of the QinQ mapping |
| Edit | Click the button to edit the rule |
| Delete | Click the button to remove the rule |

Configure QinQ
Step 1: Create the VLAN VPN rule
In the current QinQ page, click the [add] button to enter the VLAN VPN rule creation page, as shown in
figure 3-129. The parameters of VPN rules are shown in table 3-23.

Figure 3-129 creating VPN rules

Table 3-23 QinQ overview parameter instructions


| Configuration items | Instructions |
|---|---|
| Name | QinQ rule name |
| CVID | Client VLAN ID |
| SVID | Server side VLAN ID |

After configuring "name", "CVID" and "SVID", click the "apply" button to return to the following page, as
shown in figure 3-130, where you can see the list of successfully created rules.

Figure 3-130 list of successfully created rules

Step 2: Configure the QinQ type port


In the current page, click the "apply" tab in the upper left corner to enter the interface of port application
configuration page, as shown in figure 3-131. Configure the corresponding port QinQ type, click the
"apply" button to complete the configuration.


Figure 3-131 QinQ type on the configured port

Table 3-24 QinQ parameter instructions


| Configuration items | Instructions |
|---|---|
| Name | The name of the interface |
| Basic | Application state of the basic QinQ rule |
| VLAN Stacking | Application state of the QinQ multilayer (stacking) rule |
| VLAN Mapping | Application state of the QinQ replacement (mapping) rule |

After configuration, click the [profile] tab bar in the upper left corner and click the [profile] button;
you can see the successfully created QinQ rules, as shown in figure 3-132.

Figure 3-132 QinQ type on configured ports

3.6.3 QinQ configuration example


Configuration example
Case requirement 1: Port-based layer 2 VPN service
The service provider provides a VPN for enterprises A and B:
• On the public network, enterprise A and enterprise B belong to different VLANs and communicate
through their respective public network VLANs.
• The VLANs inside enterprises A and B are transparent to the public network, and the VLANs in
enterprises A and B can be reused without conflict.
• The tunnel encapsulates user data messages with one layer of VLAN tag, that of the Native VLAN. In
the public network, user data messages are propagated in the Native VLAN, which does not affect the
use of VLANs in the different enterprise user networks and realizes a simple layer 2 VPN.


FIG. 3-133 QinQ network topology 1

Illustration:
• Customer A1 and Customer A2, and Customer B1 and Customer B2, are the edge devices in the networks
of enterprise user A and enterprise user B respectively. Provider A and Provider B are edge devices
of the service provider network.
• The office network VLAN range used by enterprise A is VLAN 1-100.
• The office network VLAN range used by enterprise B is VLAN 1-200.
Provider A and Provider B are perfectly symmetrical and configured exactly the same:
Step 1: Configure ports eth0/1, eth0/2, and eth0/5 to be Trunk ports.
Select [switch] > [VLAN] > [interface] in the navigation bar to enter the interface configuration page, select
ports eth0/1, eth0/2 and eth0/5, and click the [edit] button to enter the configuration mode, as shown in
figure 3-133. Select "Trunk" for VLAN mode; Native VLAN defaults to "1".

Figure 3-133 configure port VLAN mode

Step 2: Create VLAN 2-200 and select eth0/1, eth0/2, and eth0/5 as Tagged member ports.
Select [switch] > [VLAN] in the navigation bar, click the [add] button to enter the VLAN configuration page,
enter "2-100" in the ID text box, select eth0/1, eth0/2 and eth0/5 as Tagged member ports, and click the
[apply] button to complete the configuration.

Figure 3-134 creating a VLAN


Step 3: Create VLAN 2-200 and select eth0/2 and eth0/5 as Tagged member ports.
Select [switch] > [VLAN] in the navigation bar to enter the VLAN configuration page, enter "101-200" in
the ID text box, select eth0/2 and eth0/5 as Tagged member ports, and click the [apply] button to
complete the configuration.

Figure 3-135 create a VLAN

Step 4: Configure ports eth0/1, eth0/2, and eth0/5 to be Trunk ports.


Select [switch] > [VLAN] > [interface] in the navigation bar to enter the interface configuration page, select
ports eth0/1 and eth0/2, and click the [edit] button to enter the configuration mode, as shown in figure 3-136.
Select "Trunk" for VLAN mode, and "10" for Native VLAN.

Figure 3-136 configure port VLAN mode

Step 5: Configure ports eth0/1, eth0/2, and eth0/5 with their Trunk modes.
Select [switch] > [QinQ] in the navigation bar to enter the QinQ configuration page. Click the [apply] tab in
the upper left corner and set "basic" to Enabled for ports eth0/1 and eth0/2, as shown in figure
3-137. Click the [apply] button to complete the configuration.

Figure 3-137 QinQ type on the configured port


Step 6: Select the "save" button on the navigation bar and save the configuration.
Case 2: Flexible QinQ based on C-Tag realizes layer 2 VPN and business flow management
Basic QinQ can only encapsulate user data messages with one outer Tag, that of the Native VLAN; that is,
the outer Tag encapsulation depends on the Native VLAN of the Tunnel port. Flexible QinQ encapsulates
the outer Tag (S-Tag) of the service provider (ISP) flexibly based on the user's Tag (C-Tag) in the
message, so as to realize VPN passthrough and the QoS policy of business flows more flexibly.
• Broadband Internet access and IPTV service are important businesses of the MAN. The MAN service
provider's network assigns VLANs to different traffic flows to manage them separately, and provides
QoS policy services for these VLANs. C-Tag based QinQ can be used on the edge equipment of the
service provider to encapsulate the users' service flows with the related VLANs, so that the QoS
strategy of the service provider network is also applied when they pass through.
• Unified VLAN planning is realized among the enterprise branches, and important business and
general business are in different VLAN ranges. The enterprise network can use C-Tag based
flexible QinQ to pass the company's internal business through, and use the QoS policy of the
service provider network to guarantee priority for the data transmission of important business.
As shown in the figure below, the user-end equipment converges in the MAN area through the corridor
switches in the residential area. Broadband Internet access and IPTV services are distinguished by
assigning different VLANs to enjoy different QoS service strategies.
• In the public network, the different traffic flows of broadband Internet access and IPTV are
propagated in different VLANs to realize pass-through of user services.
• The ISP network sets QoS policy per VLAN, and can encapsulate the corresponding VLAN for user
services on the edge equipment of the service provider, so that IPTV service has priority in ISP
network transmission.

FIG. 3-138 QinQ network topology 2


Illustration:
• CE1 and CE2 are edge devices that connect to the user's network, and PE1 and PE2 are edge devices
of the service provider network.
• VLAN 1-100 and VLAN 101-200 on the CE1 and CE2 devices are the users' broadband Internet service
flow and the users' IPTV service flow, respectively.
• The PE1 and PE2 devices encapsulate different S-Tags for the VLANs of different businesses to
distinguish different business data. VLAN 1-100 is encapsulated with VLAN 100, and VLAN 101-200 is
encapsulated with VLAN 200.

PE1 and PE2 are configured exactly the same:

Step 1: Create VLAN 2-200.


Select [switch] > [VLAN] in the navigation bar, click [add] button to enter the VLAN configuration page,
enter "2-200" in the ID text box and click [apply] button to complete the configuration.

Figure 3-139 creates a VLAN

Step 2: Configure port eth0/1 for Hybrid port and PVID "100".
Select [switch] > [VLAN] > [interface] in the navigation bar to enter the interface configuration page, select
port eth0/1, click [edit] button to enter the configuration mode, as shown in figure 3-140. VLAN mode
select "Hybrid" and PVID is "100".

Figure 3-140 configure port VLAN mode for Hybrid


Step 3: Configure port eth0/2 as a Trunk port and configure the Native VLAN as "1".
Select [switch] > [VLAN] > [interface] in the navigation bar to enter the interface configuration page, select
port eth0/2, click the [edit] button to enter the configuration mode, as shown in figure 3-141. Select
"Trunk" for VLAN mode, Native VLAN defaults to "1".

Figure 3-141 configure port VLAN mode for Trunk

Step 4: Configure the Tagged and Untagged member ports for VLAN200.
Select [switch] > [VLAN] in the navigation bar, click [add] button to enter the VLAN configuration page,
enter "200" in the ID text box, select eth0/2 on Tagged member port, eth0/1 on Untagged member port,
and click [apply] button to complete the configuration.

Figure 3-142 to configure Tagged and Untagged member ports

Step 5: Create the VLAN VPN rule


Select [switch] > [QinQ] in the navigation bar, click [add] button to enter the VPN rule creation page, enter
the VLAN VPN rule creation page, configure name "isp", CVID "1-100", SVID "100", and click the
application button to complete the configuration.

Figure 3-143 create VLAN VPN rules


Step 5: Configure QinQ type of the port


In the current page, click the "apply" tab in the upper left corner to enter the interface application
configuration page, as shown in figure 3-144. For the QinQ type of the corresponding port, select "isp"
in the VLAN Stacking drop-down option, and click the apply button to complete the configuration.

Figure 3-144 configure the port's QinQ type

The configured QinQ profile page is shown in figure 3-145.

FIG. 3-145 QinQ overview page

Step 6: Select the "save" button on the navigation bar and save the configuration.


4 Safety

4.1 ACL
4.1.1 ACL overview
ACLs implement message filtering by configuring matching rules and processing operations on messages.
They can effectively prevent illegal users from accessing the network, and can also control traffic and save
network resources. The packet matching rules defined by an ACL can also be referenced by other
functions that need to distinguish traffic, such as the definition of flow classification rules in QoS.
ACLs classify packets by a series of matching conditions, which can be SMAC, DMAC, SIP, DIP, etc.
According to the matching conditions, ACLs can be divided into the following categories:
• IP-based standard ACL: rules are made based only on the source IP address of the data packet.
• IP-based extended ACL: rules are made according to the source IP address, destination IP address,
ETYPE and protocol of the data packet.
• MAC-based ACL: rules are made according to the source MAC address and destination MAC address of the
data packet.
• Named ACL: rules are made in the same way as for IP-based standard and extended ACLs.

4.1.2 ACL configuration

• A maximum of 128 rules can be configured under a single ACL-ID. Due to hardware resource limits, a single device
supports a maximum of 500 rules.
• When an ACL is already applied to a port and a rule needs to be added or deleted, the ACL must first be removed from
the port.

The ACL module provides configuration based on ACL types, including IP, IP-Extend, MAC-Extend,
IP-Named, and IP-Named-Extend. The ACL configuration pages are shown in figures 4-1~5, and each
parameter is described in tables 4-1~5.

Figure 4-1 ACL IP type configuration page

Table 4-1 ACL IP type parameter description


Configuration items | Instructions
ACL type: IP | Standard IP ACL that matches the source IP field in IPv4 messages
Name | The number <1, 99> or <1300, 1999>
Type: Permit | Release messages that hit the rule
Type: Deny | Discard messages that hit the rule
Source address | Source IP address, such as 192.168.64.1
Source mask | The IP mask is inverted: to match the first 24 bits of the IP address, the mask is 255.255.255.0, which should be configured as 00.00.00.255

Figure 4-2 ACL IP-Extend type configuration page

Table 4-2 IP-Extend type parameter specification


Configuration items | Instructions
ACL type: IP-Extend | Extended ACL that matches the protocol number, source IP address, and destination IP address of IPv4 messages
Name | The number <100, 199> or <2000, 2699>
Type: Permit | Release messages that hit the rule
Type: Deny | Discard messages that hit the rule
Protocol | Supports common protocol message options, including TCP, UDP, VRRP, IGMP, GRE, IPComp, OSPF, PIM, RSVP, etc.; supports all IPv4 messages; supports IPv4 messages of a user-defined protocol
Source address | Source IP address, such as 192.168.64.1
Source mask | The IP mask is inverted: to match the first 24 bits of the IP address, the mask is 255.255.255.0, which should be configured as 00.00.00.255
Target address | Destination IP address, such as 192.168.64.100
Target mask | Same form as the source mask

Figure 4-3 ACL mac-extend type configuration page


Table 4-3 ACL mac-extend type parameter specification


Configuration items | Instructions
ACL type: MAC-Extend | Extended MAC ACL that matches layer 2 source MAC addresses and destination MAC addresses
Name | The number <200, 699>
Type: Permit | Release messages that hit the rule
Type: Deny | Discard messages that hit the rule
Source address | Source MAC address, such as 00.D0.F8.22.33.40
Source mask | The MAC address mask is inverted: to match the first 24 bits of the MAC address, the mask is ffff.ff00.0000, which needs to be configured as 0000.00ff.ffff
Target address | Destination MAC address, such as 00.D0.F8.22.33.41
Target mask | Same form as the source mask

Figure 4-4 ACL ip-named type configuration page

Table 4-4 ACL IP-Named type parameter description


Configuration items | Instructions
ACL type: IP-Named | Standard ACL that supports naming; the first character of the name must be a letter
Name | A string that begins with a letter
Type: Permit | Release messages that hit the rule
Type: Deny | Discard messages that hit the rule
Source address | Source IP address, such as 192.168.64.1
Source mask | The IP mask is inverted: to match the first 24 bits of the IP address, the mask is 255.255.255.0, which should be configured as 00.00.00.255

Figure 4-5 ACL IP-Named-Extend type configuration page

Table 4-5 ACL IP-Named-Extend type parameter description


Configuration items | Instructions
ACL type: IP-Named-Extend | Extended ACL that supports naming; the first character of the name must be a letter
Name | A string that begins with a letter
Type: Permit | Release messages that hit the rule
Type: Deny | Discard messages that hit the rule
Protocol | Supports common protocol message options, including TCP, UDP, VRRP, IGMP, GRE, IPComp, OSPF, PIM, RSVP, etc.; supports all IPv4 messages; supports IPv4 messages of a user-defined protocol
Source address | Source IP address, such as 192.168.64.1
Source mask | The IP mask is inverted: to match the first 24 bits of the IP address, the mask is 255.255.255.0, which should be configured as 00.00.00.255
Target address | Destination IP address, such as 192.168.64.100
Target mask | Same form as the source mask

Operation Steps:
(1) Select ACL in the navigation bar [safety] to enter the ACL configuration page
(2) Select the ACL tab and click [add] button to enter the ACL rules page
(3) Fill in the parameters as required, and click the [apply] button to save.
(4) Select the [application] tab to enter the ACL application page. Select the corresponding entry number
on the corresponding port and click the "apply" button to make the configuration effective.
(5) Click the "save" button in the navigation bar to save the configuration.


4.1.3 Configuration examples


Configuration example:
Case requirements: for ports eth0/1 and eth0/3, release IPv4 messages in the network segment of
192.168.0.1/24 IP address range, and discard all other IPv4 messages.

Step 1: Create standard IP ACL rule 1


Click [security] > ACL in the navigation bar to enter the ACL configuration page. Click the "add"
button and, as shown in figure 4-1, set ACL type "IP", name "1", type "permit", matching IP "192.168.0.1", and
mask 255.255.255.0, which is inverted to "0.0.0.255".

Figure 4-1 creating ACL rules

Click the "apply" button; the page automatically returns to the main page of ACL configuration, as shown in
figure 4-2, where the ACL rule that has been successfully created can be seen.

Figure 4-2 creates a successful ACL rule

Step 2: Create standard IP ACL rule 2


Under the rule list, click "add" button to add a matching rule, as shown in figure 4-3, with type "deny",
source IP "0.0.0.0" and source mask "255.255.255.255".

Figure 4-3 creating ACL rules


Click the [apply] button; the page automatically returns to the main page of ACL configuration, as shown in
figure 4-4, where the ACL rules that have been successfully created can be seen.

Figure 4-4 creates a successful ACL rule

Step 3: Apply ACL rules to ports.


As shown in figure 4-5, click the tab bar [apply] to select "1" for the ports eth0/1 and eth0/3 that need to
enable ACL rules, and click the [apply] button to make the rule take effect.

Figure 4-5 port opening ACL rule

Step 4: Click the "save" button in the navigation bar to save the configuration.
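The two rules created above can be checked offline before they are applied to a port. The following is an added example, not code from the device or its vendor: it converts a subnet mask to the inverted form the web page expects, evaluates source addresses against the rule list, and flags rules that can never match. It assumes rules are evaluated top-down with the first match deciding, which this manual does not state explicitly; the names Rule, evaluate and validate_acl are hypothetical.

```python
"""Added example: a model of a standard IP ACL using inverted (wildcard) masks."""
import ipaddress
from dataclasses import dataclass

STANDARD_ACL_RANGES = ((1, 99), (1300, 1999))  # Table 4-1, "Name"
MAX_RULES_PER_ACL = 128                        # limit stated in section 4.1.2


def to_int(address: str) -> int:
    return int(ipaddress.IPv4Address(address))


def invert_mask(netmask: str) -> str:
    """Turn a subnet mask such as 255.255.255.0 into the inverted form 0.0.0.255."""
    inverted = to_int(netmask) ^ 0xFFFFFFFF
    # A valid subnet mask inverts to a run of low 1-bits, so x & (x + 1) == 0.
    if inverted & (inverted + 1):
        raise ValueError(f"{netmask} is not a contiguous subnet mask")
    return str(ipaddress.IPv4Address(inverted))


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    address: str        # source address field
    inverted_mask: str  # 1-bits are "don't care" bits

    @property
    def care_bits(self) -> int:
        return ~to_int(self.inverted_mask) & 0xFFFFFFFF

    def matches(self, source_ip: str) -> bool:
        care = self.care_bits
        return (to_int(source_ip) & care) == (to_int(self.address) & care)

    def shadows(self, later: "Rule") -> bool:
        """True when every address matched by `later` is already matched by this rule."""
        care = self.care_bits
        same_prefix = (to_int(self.address) & care) == (to_int(later.address) & care)
        return (care & later.care_bits) == care and same_prefix


def evaluate(rules, source_ip):
    """Return the action of the first matching rule (assumed order), or None."""
    for rule in rules:
        if rule.matches(source_ip):
            return rule.action
    return None


def validate_acl(acl_id, rules):
    """Return a list of problems found in a planned standard IP ACL."""
    problems = []
    if not any(low <= acl_id <= high for low, high in STANDARD_ACL_RANGES):
        problems.append(f"ACL number {acl_id} is outside the standard IP ranges")
    if len(rules) > MAX_RULES_PER_ACL:
        problems.append(f"{len(rules)} rules exceed the limit of {MAX_RULES_PER_ACL}")
    for index, rule in enumerate(rules):
        if rule.action not in ("permit", "deny"):
            problems.append(f"rule {index + 1} has unknown action {rule.action!r}")
        for earlier_index, earlier in enumerate(rules[:index]):
            if earlier.shadows(rule):
                problems.append(
                    f"rule {index + 1} can never match: shadowed by rule {earlier_index + 1}")
                break
    return problems


# The two rules from the configuration example above.
EXAMPLE_ACL = [
    Rule("permit", "192.168.0.1", invert_mask("255.255.255.0")),
    Rule("deny", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for ip in ("192.168.0.77", "192.168.1.5", "10.0.0.1"):  # constructed test addresses
        print(ip, evaluate(EXAMPLE_ACL, ip))
    print(validate_acl(1, EXAMPLE_ACL))
    print(validate_acl(1, list(reversed(EXAMPLE_ACL))))
```

Swapping the two rules makes the deny-all rule shadow the permit rule, which validate_acl reports.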

4.2 QoS
4.2.1 Overview
QoS (Quality of Service) refers to the ability of a network to provide better service capability for specified
network communication by utilizing various basic technologies.

Traditional networks use the "best effort" forwarding mechanism: when the network bandwidth is sufficient,
all data flows are handled well, but when the network is congested, any data flow may be
discarded. In order to meet the requirements of different applications and different service qualities, the
network needs to be able to allocate and schedule resources according to the requirements of users and
provide different service qualities for different data streams.


Transmission equipment that supports QoS can provide quality service for a given class of data stream: it
gives the stream a certain level of transmission priority to identify its relative importance, and uses the
forwarding priority strategies and congestion avoidance mechanisms provided by the equipment to give
these data streams special transport services.
A network environment with QoS configured can increase the predictability of network performance,
allocate network bandwidth effectively and make reasonable use of network resources.

4.2.2 QoS configuration

The CIR value is deterministic: for a 1M speed limit, for example, the CIR value is 1024. The CBS value, by contrast, is
derived from empirical values. When the value of CBS is large, the flow peak is higher and the speed limit is stable, but the
average speed may be higher than the speed limit. When the value of CBS is small, the flow peak is low, the speed limit
fluctuates widely, and the average speed may be less than the speed limit. It is recommended that CBS be configured
with a 4 times CIR value and a small value of 31250.

The QoS module provides QoS global, port trust, CoS mapping, DSCP mapping, policy and other
configuration. The configuration pages are shown in figures 4-6~10, and the detailed parameters are shown
in tables 4-6~10:

Figure 4-6 QoS profile configuration page

Table 4-6 description of QoS overview parameters


Configuration items | Instructions
QoS general situation / Enable QoS / Enable | Enable QoS; no QoS function can be configured until QoS is enabled
QoS general situation / Enable QoS / Disable | Disable QoS; when QoS is disabled, all QoS configurations are removed
QoS general situation / Scheduling algorithm / Sp | Absolute priority scheduling; the larger the queue ID, the higher the priority; low priority queues are processed after high priority queue processing is complete
QoS general situation / Scheduling algorithm / Wrr | Rotation scheduling algorithm; according to queue weight, from maximum queue ID to minimum, each queue is scheduled in turn
QoS general situation / Queue weight / Queue | <0, 7>
QoS general situation / Queue weight / Weight | <0, 32>; the higher the value, the higher the weight and the higher the probability that messages of this queue are processed first when the channel is congested; 0 means infinity

Figure 4-7 QoS port trust configuration page

Table 4-7 description of QoS port trust parameters


Configuration items | Instructions
Name | Port
Port trust / Default CoS | <0, 7>; when the port is configured as no trust, or the configured trust does not meet the trust condition, the port default CoS is used to mark incoming messages
Port trust / Trust | Supports no trust, trust CoS and trust DSCP. In no trust mode, the ingress stage modifies the message CoS field and DSCP field according to the default CoS of the port. With trust CoS, a message without a tag is handled as in no trust mode, and for a message with a tag the CoS carried by the message is used. With trust DSCP, for an IP message the DSCP carried by the message is used, and a non-IP message is handled as in trust CoS mode.
Application | Click to make the configuration take effect

Figure 4-8 QoS CoS mapping configuration page

Table 4-8 Description of QoS CoS mapping parameters


Configuration items | Instructions
CoS mapping / CoS | <0, 7>
CoS mapping / Queue | <0, 7>; CoS-queue mapping relationship; modifies the message egress queue based on the CoS marked at the port; takes effect when the port is configured as no trust or trust CoS, or as trust DSCP with a non-IP message
CoS mapping / DSCP | CoS-DSCP mapping relationship; takes effect when the port is configured as no trust or trust CoS, or as trust DSCP with a non-IP message; the DSCP value of the message is modified
Application | Click to make the configuration take effect

Figure 4-9 QoS DSCP configuration page

Table 4-9 QoS DSCP parameter description


Configuration items | Instructions
DSCP mapping / DSCP | <0, 63>
DSCP mapping / Queue | <0, 7>; DSCP-queue mapping relationship; takes effect when the port is configured as trust DSCP and the message is an IP message; modifies the message egress queue
DSCP mapping / CoS | <0, 7>; DSCP-CoS mapping relationship; takes effect when the port is configured as trust DSCP and the message is an IP message; the message CoS field is modified
DSCP mapping / New DSCP values | <0, 63>; DSCP-DSCP mapping relationship; takes effect when the port is configured as trust DSCP and the message is an IP message; the DSCP-DSCP mapping is applied first, and then the DSCP-CoS mapping
Application | Click to make the configuration take effect

Figure 4-10 QoS policy configuration page

Table 4-10 Description of QoS policy parameters


Configuration items | Instructions
Strategy / Class-map / Name | Create categories and define category names
Strategy / Class-map / Matching | Define matching types; supports associating an ACL; supports matching of the message etype, DSCP, cos, l4port and vlan segments
Strategy / Class-map / Value | The specific value corresponding to the flow matching type
Strategy / Class-map / Delete | Delete the classification
Strategy / Policy-map / Name | Create policies and define policy names
Strategy / Policy-map / Match class-map | Select the class-map for the policy association
Strategy / Policy-map / Modify | Policy action one; supports modification of cos, dscp, vlan and other actions
Strategy / Policy-map / Modify value | The value corresponding to policy action one
Strategy / Policy-map / Speed limit | Policy action two: speed limit
Strategy / Policy-map / CIR | Speed limit waterline, unit kbps
Strategy / Policy-map / CBS | Burst capacity, unit Kbyte
Strategy / Policy-map / Delete | Delete the policy
Application / Name | Port
Application / Entry strategy | Select the policy already created
Application / Application | The policy is applied to the port

4.2.3 Examples of QoS configuration


Configuration example 1:
Case requirements: on port eth0/1, limit the inlet speed of the stream whose source IP is 192.168.64.1
to 1024kbps.

Step 1: Globally enable QoS functionality


Select [safty] QoS of navigation bar to enter QoS configuration page. As shown in figure 4-11, click the
"profile" tab and click the "disabled" button to enable global switch of QoS.

Figure 4-11 QoS global enabling switch

Step 2: Create standard ACL 1, match source IP: 192.168.64.1, mask 255.255.255.255
Click [security] > ACL in the navigation bar to enter the ACL configuration page. Click the [add] button and,
as shown in figure 4-12, set name "1", type "permit", match IP "192.168.64.1", and mask "255.255.255.255",
which is inverted to "0.0.0.0".


Figure 4-12 creating an ACL rule

Step 3: Create category c1, matching ACL 1


Click "security" > QoS in the navigation bar to enter the QoS configuration page. As shown in figure
4-13, click the "policy" tab to enter the QoS policy configuration page.

Figure 4-13 QoS policy configuration page

Click [add] button to configure QoS policy according to figure 4-14.


Figure 4-14 QoS policy configuration page

Click [apply] to complete the configuration, and return to the page shown in figure 4-15. You can see
the successful rule creation.

Figure 4-15 QoS policy configuration page

Step 4: Create policy p1, associate category c1, and set the action speed limit of 1024kbps


Under the current QoS policy page, select policy-map and click [add] button to enter the policy-map
configuration page. The specific configuration method is shown in figure 4-16.
Figure 4-16 policy-map configuration page

Click [apply] to complete the configuration, and return to the page shown in figure 4-17. You can see
the successful policy creation.
Figure 4-17 policy-map display page

Step 5: Policy p1 is applied to port eth0/1

Under the current QoS policy page, select the application option, select port eth0/1 and the entry policy is
p1, and click the "apply" button of the port, as shown in figure 4-18.
Figure 4-18 QoS policy application configuration page

Step 6: Click the "save" button in the navigation bar to save the configuration.

Configuration example 2:
Case requirements: In the case of network congestion, ensure normal forwarding on eth0/2; eth0/2 is an
access port.

Step 1: Globally enable QoS function

Select [Safety] > QoS in the navigation bar to enter the QoS configuration page. As shown in
figure 4-19, click the "profile" tab and click the "disabled" button to enable the global switch of QoS.


Figure 4-19 QoS global enabling switch

Step 2: Configure the default CoS of port eth0/2 to 7 and the port trust to CoS; leave the other ports at the
default CoS of 0 and the default of no trust.

In the current QoS configuration page, click the tab of "port trust" to enter the port trust configuration page,
as shown in figure 4-20. The default CoS for port eth0/2 is “7”, trust to “CoS”, and other ports remain
configured by default.

Figure 4-20 port trust configuration page

Step 3: Configure the queue mapping relationship so that the cos 7 mapping queue is 7

In the current QoS configuration page, click tab [CoS mapping] to enter the CoS mapping configuration
page. As shown in figure 4-21, the mapping queue of CoS 7 is selected as "7" and click the "apply"
button.

Figure 4-21 CoS mapping configuration page

Step 4: Configure the scheduling mode to wrr, configure queue 7 to have a weight of 0

In the current QoS configuration page, click [overview] tab, as shown in figure 4-22. Under QoS option,
select the scheduling algorithm as "wrr", and configure the weight of queue 7 as "0".


Figure 4-22 QoS overview page

Step 5: Click the "save" button in the navigation bar to save the configuration.

4.3 DHCP Snooping


4.3.1 Overview
DHCP (Dynamic Host Configuration Protocol) is a LAN protocol that is widely used to
dynamically allocate reusable network resources. It is a means for users or internal network
administrators to centrally manage all computers. DHCP Snooping is a DHCP security technology that
isolates illegal DHCP servers by detecting and managing DHCP interactive
messages. DHCP Snooping divides ports into two types, TRUST ports and UNTRUST ports. The device only
forwards DHCP Offer messages received on a TRUST port and discards all DHCP Offer messages from
UNTRUST ports, thereby shielding the network from illegal DHCP servers.

Figure 4-23 DHCP application topology

4.3.2 DHCP Snooping configuration


Table 4-11 DHCP Snooping global enable switch
Configuration items | Instructions
Disable/enable | Globally enable or disable DHCP Snooping
Disabled/enabled | Enable or disable DHCP Snooping for a specific port


Configuration steps:
(1) Select [security] in the navigation and skip to the DHCP Snooping page.
(2) Click the [enable/disable] button to turn on the DHCP Snooping function.

Figure 4-24 DHCP Snooping global enable switches

(3) Select the corresponding port to open this function, select enable, and click the [apply] button to
complete the configuration.

Figure 4-25 DHCP Snooping trust port configuration

(4) Click the [save] button in the navigation bar to save the configuration.
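The TRUST/UNTRUST decision described in the overview can be reproduced on captured DHCP payloads, for example when checking which ports would have had server replies dropped. The following is an added example, not the switch's implementation: it parses the BOOTP header and option 53 and applies the trust rule. It goes beyond the Offer case named above by treating ACK and NAK as server replies too, and it drops malformed DHCP from untrusted ports; both are assumptions, as are the port names and the constructed sample packets.

```python
"""Added example: DHCP Snooping trust decision on raw DHCP payloads (UDP data only)."""
import struct

BOOTP_HEADER_LEN = 236                  # fixed BOOTP fields before the options
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server sends


def dhcp_message_type(payload: bytes) -> str:
    """Walk the options area and return the DHCP message type name."""
    if len(payload) < BOOTP_HEADER_LEN + len(MAGIC_COOKIE):
        raise ValueError("too short for BOOTP header and magic cookie")
    if payload[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i = BOOTP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:             # single-byte padding option
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        if code == OPT_MSG_TYPE:
            if length != 1 or data[0] not in DHCP_TYPES:
                raise ValueError("invalid message type option")
            return DHCP_TYPES[data[0]]
        i += 2 + length
    raise ValueError("no DHCP message type option")


def snoop(port: str, payload: bytes, trusted_ports) -> tuple:
    """Return ("forward" | "drop", reason) for a DHCP payload received on `port`."""
    trusted = port in trusted_ports
    try:
        message = dhcp_message_type(payload)
    except ValueError as exc:
        # Assumption of this example: fail closed on untrusted ports.
        return ("forward" if trusted else "drop", f"malformed DHCP: {exc}")
    if message in SERVER_TYPES and not trusted:
        return ("drop", f"DHCP {message} received on untrusted port {port}")
    return ("forward", f"DHCP {message}")


def build_dhcp(op: int, message_type: int) -> bytes:
    """Build a constructed sample DHCP payload (not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x12345678, 0, 0,
                         b"", b"", b"", b"",
                         bytes.fromhex("00d0f8223340"), b"", b"")
    options = bytes([OPT_HOSTNAME, 4]) + b"host"
    options += bytes([OPT_MSG_TYPE, 1, message_type, OPT_END])
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    trusted = {"eth0/8"}                # constructed: uplink toward the real server
    offer, discover = build_dhcp(2, 2), build_dhcp(1, 1)
    for port, packet in (("eth0/8", offer), ("eth0/1", offer), ("eth0/1", discover)):
        print(port, snoop(port, packet, trusted))
```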

4.4 802.1X authentication


4.4.1 Overview
Initially, the IEEE 802 LAN/WAN committee proposed the 802.1x protocol to solve the network security
problem of wireless LAN. Later, 802.1x protocol, as a common access control mechanism of LAN, was
widely used in Ethernet, mainly to solve the authentication and security problems in Ethernet.

The 802.1x protocol is a port-based network access control protocol: it authenticates the access user
devices on the ports of LAN access devices in order to control the user devices' access to network
resources.

4.4.1.1 Architecture of 802.1x


The 802.1X system includes three entities: Client, Device and Authentication server, as shown in figure
4-26.
Figure 4-26 802.1x architecture

• A client is a user terminal device that requests access to the LAN and is authenticated by the device
side in the LAN. The client must install software that supports 802.1x authentication.
• The device side is the network device in the LAN that controls the access of the client. It is located
between the client and the authentication server, provides the client with the access port (physical
port or logical port) of the LAN, and authenticates the connected client through interaction with
the server.
• The authentication server is used to authenticate, authorize, and bill the client, and is usually a
RADIUS (Remote Authentication Dial-In User Service) server. The authentication server verifies the
legitimacy of the client according to the authentication information sent from the device side, and
notifies the device side of the verification result; the device side then decides whether to allow the
client to access or not. In some smaller network environments, the role of the authentication server can
also be taken by the device side, that is, the device side performs local authentication, authorization
and billing for the client.

4.4.1.2 The ports control of 802.1x


1. Controlled/uncontrolled ports
The ports that the device provides the client with access to the LAN are divided into two logical ports:
controlled ports and uncontrolled ports. Any frame that reaches the port is visible on the controlled and
uncontrolled ports.
• The uncontrolled port is always in the state of bidirectional communication, mainly used to transfer
the Protocol frame of EAPOL (Extensible Authentication Protocol over LAN), to ensure the client
can always send or receive Authentication messages.
• The controlled port is in the state of bidirectional communication in the authorized state, in which
it is used to transfer service messages; in the unauthorized state it does not receive any messages
from the client.
2. Authorized/unauthorized status
The authentication server is used by the device to authenticate the client that needs to access the LAN,
and the authorization state of the controlled port is controlled according to the authentication result
(Accept or Reject).
Figure 4-27 shows the effect of different authorization states on messages passing through a controlled
port. The figure compares the port states of the two 802.1x authentication systems. The controlled port of
system 1 is in an unauthorized state, and messages are not allowed to pass through; The controlled port
of system 2 is in the authorized state, allowing messages to pass through.


Figure 4-27 Impact of authorization state on a controlled port

3. Controlled direction

Controlled ports can be set to unidirectional and bidirectional controlled in an unauthorized state.
• Under bidirectional control, the sending and receiving of frames are forbidden.

• When under one-way control, receiving frames from the client is forbidden, but sending frames to
the client is allowed.

Controlled ports of our switch can only be in the one-way controlled state.

4.4.1.3 Authentication trigger mode of 802.1x


The 802.1x authentication process can be initiated by either the client or the device.
1. Client active trigger mode

• Multicast trigger: the client sends an EAPOL-Start message to the device to trigger authentication.
The destination address of this message is the multicast MAC address 01-80-c2-00-00-03.
• Broadcast trigger: the client sends an EAPOL-Start message to the device to trigger authentication.
The destination address of this message is the broadcast MAC address. This method solves the
problem that the authentication device cannot receive the client authentication request because
some devices in the network do not support the above multicast message.

Currently, our company's devices only support the multicast trigger mode.

2. Device side active trigger mode


The device side active trigger mode is used to support clients that cannot send EAPOL-Start messages
actively, such as 802.1x client that comes with Windows XP. There are two ways for devices to initiate
authentication:
• Multicast trigger: the device actively multicasts an EAP-Request frame of Identity type to the clients
every N seconds (default: 30 seconds) to trigger authentication.
• Unicast trigger: when the device receives a packet from an unknown source MAC address, it actively
unicasts an EAP-Request frame of Identity type to that MAC address to trigger
authentication. If the device does not receive a response from the client within the set time period,
the message is sent again.

4.4.1.4 802.1x certification process


802.1x system supports EAP relay and EAP termination to interact with the remote RADIUS server.
EAP relay
This method is stipulated by the IEEE 802.1x standard. It carries EAP in other high-level protocols, such
as EAP over RADIUS, so that authentication protocol messages can reach the authentication server
through a complex network. Generally speaking, the RADIUS server is required to support the EAP attributes
EAP-Message and Message-Authenticator, which respectively encapsulate EAP messages and protect
RADIUS messages that carry EAP-Message.
The following takes MD5-Challenge authentication method as an example to introduce the basic
business process. The authentication process is shown in figure 4-28.
Figure 4-28 EAP relay business process for IEEE 802.1X certification system

(2) When the user needs to access the external network, the user opens the 802.1x client program, enters the
user name and password that have been applied for and registered, and initiates the connection request. At this
point, the client program sends an authentication request frame (EAPOL-Start) to the device side to
start an authentication process.
(3) After the device receives the authentication request frame, it sends an Identity request frame
(EAP-Request/Identity) asking the user's client program to send the entered user name.
(4) The client program responds to the request from the device side and sends the user name information to
the device side in an Identity type response frame (EAP-Response/Identity).
(5) The device side encapsulates the EAP message sent by the client in a RADIUS Access-Request message and
sends it to the authentication server for processing.
(6) After the RADIUS server receives the user name information forwarded by the device side, it
compares the information with the user name table in the database, finds the password information
corresponding to the user name, encrypts the password with a randomly generated MD5 Challenge, and
sends the MD5 Challenge to the device side in a RADIUS Access-Challenge message.
(7) The device forwards the MD5 Challenge sent by the RADIUS server to the client.
(8) After receiving the MD5 Challenge sent by the device, the client encrypts the password part with the
Challenge, generates the EAP-Response/MD5 Challenge message, and sends it to the device.
(9) The device side encapsulates this EAP-Response/MD5 Challenge message in a RADIUS message
(RADIUS Access-Request) and sends it to the RADIUS authentication server.
(10) The RADIUS server compares the encrypted password information received with the local encrypted
password information. If they are the same, it considers the user a legitimate user and sends a RADIUS
Access-Accept message to the device side.
(11) After receiving the authentication pass message, the device sends the authentication success
frame to the client and changes the port to the authorized state, allowing the user to access the network
through the port.
(12) While the user is online, the device side monitors the user's online status by sending handshake
messages to the client on a regular basis.
(13) After receiving the handshake message, the client sends a reply message to the device, indicating
that the user is still online. By default, if two handshake request messages sent by the device side are
not answered by the client, the device side takes the user offline, so that a user who has gone offline
for abnormal reasons does not go unnoticed by the device.
(14) The client can send an EAPOL-Logoff frame to the device to actively request to log off.
(15) The device side changes the port state from the authorized state to the unauthorized state and sends
an EAP-Failure message to the client.

In EAP relay, it is necessary to ensure that a consistent EAP authentication method is selected on the client and the
RADIUS server, while on the device it is only necessary to configure the authentication mode of 802.1X users as EAP.
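The challenge and response of steps (6) to (10) can be followed byte by byte in the added example below, which is not code from the switch or from a RADIUS server. It builds the EAP packets for the MD5-Challenge method (EAP type 4), where the value the text calls the encrypted password is the MD5 digest of the EAP Identifier, the password and the challenge, as defined for CHAP. The function names are hypothetical, the RADIUS encapsulation done by the device is left out, and the account test with password test is the one used in the configuration example later in this chapter.

```python
"""Added example: EAP MD5-Challenge request, response and verification."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4


def eap_packet(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Length covers the whole packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet: bytes):
    """Return (code, identifier, type or None, type-data); raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("shorter than the EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    body = packet[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("request/response without a type")
        return code, identifier, body[0], body[1:]
    return code, identifier, None, b""


def split_md5_data(data: bytes):
    """MD5 type-data is Value-Size(1), Value, then an optional Name."""
    if not data or len(data) < 1 + data[0]:
        raise ValueError("truncated MD5-Challenge data")
    return data[1:1 + data[0]], data[1 + data[0]:]


def md5_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_challenge(identifier: int, challenge: bytes = None) -> bytes:
    """Steps (6)-(7): the server picks a random challenge, the device relays it."""
    challenge = os.urandom(16) if challenge is None else challenge
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5,
                      bytes([len(challenge)]) + challenge)


def client_response(request: bytes, password: bytes, name: bytes) -> bytes:
    """Step (8): the client hashes its password with the received challenge."""
    code, identifier, eap_type, data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5:
        raise ValueError("not an MD5-Challenge request")
    challenge, _ = split_md5_data(data)
    value = md5_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5,
                      bytes([len(value)]) + value + name)


def server_verify(request: bytes, response: bytes, password_db: dict) -> bytes:
    """Step (10): recompute the digest from the stored password and compare."""
    _, request_id, _, request_data = parse_eap(request)
    challenge, _ = split_md5_data(request_data)
    try:
        code, identifier, eap_type, data = parse_eap(response)
        value, name = split_md5_data(data)
    except ValueError:
        return eap_packet(EAP_FAILURE, request_id)
    password = password_db.get(name.decode("utf-8", "replace"))
    expected = md5_value(request_id, password or b"", challenge)
    ok = (code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5
          and identifier == request_id and password is not None
          and hmac.compare_digest(value, expected))   # constant-time comparison
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, request_id)


if __name__ == "__main__":
    users = {"test": b"test"}                     # account from the example in this chapter
    request = server_challenge(identifier=7)
    good = client_response(request, b"test", b"test")
    bad = client_response(request, b"guess", b"test")
    print("request :", request.hex())
    print("response:", good.hex())
    print("verdicts:", parse_eap(server_verify(request, good, users))[0],
          parse_eap(server_verify(request, bad, users))[0])
```

The Identifier ties a response to its challenge, and the server draws a fresh random challenge for every attempt, so a recorded response does not verify against a later challenge.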


4.4.1.5 802.1x access control mode


The device not only supports Port Based access authentication, but also extends and optimizes it to
support MAC Based access control.
• When the port-based access control mode is adopted, as long as the first user under the port is
successfully authenticated, other access users can use network resources without authentication,
but when the first user is offline, other users will be refused to use the network.
• When MAC based access control mode is adopted, all access users under this port need to be
independently authenticated. When a user goes offline, only this user cannot use the network.

4.4.2 Configuring 802.1X


View the 802.1x overview
Select "safe > 802.1x" in the navigation bar and enter the page shown in figure 4-30. The configuration of
802.1x can be displayed in "profile", and the parameters are shown in table 4-12.

Figure 4-30 802.1x overview page

Table 4-12 802.1x overview parameters

Configuration items | Instructions
Interface | The physical port
Port is enabled | Whether the 802.1x function is enabled on the port
Port is controlled | Port controlled mode
Port state | Port controlled state
PAE state | Port Access Entity

The configuration of 802.1X


Select "secure > 802.1x > configuration" in the navigation bar and enter the page shown in figure 4-31. In
this page, you can do global configuration of 802.1x and configuration based on individual ports.
Configuration parameters are shown in table 4-13.


Figure 4-31 802.1X configuration page

Table 4-13 802.1X configuration parameters

Configuration items | Instructions
802.1X configuration / Global | Function switch
Port configuration / Interface | The physical port
Port configuration / Port controlled | Port controlled mode
Port configuration / Protocol version | 802.1x protocol version
Port configuration / Silent time | Sets the value of the silent timer. When an 802.1x user fails to authenticate, the device needs to be silent for a period of time (set through "silent duration") before initiating authentication again. During the silent period, the device does not carry out any 802.1x authentication processing.
Port configuration / Send cycle | Message retransmission period
Port configuration / Enable recertification | Whether automatic recertification is enabled
Port configuration / Recertification cycle | Sets the value of the periodic recertification timer. When the periodic recertification function is enabled on the port, the device side starts the periodic recertification timer after successful user authentication; it is used to initiate recertification of the online user periodically, so as to update the server's authorization information for the user regularly.
Port configuration / Client timeout | Sets the value of the client timeout timer. When the device side sends the EAP-Request/MD5 Challenge request message to the client, the device side starts the timer. If the device side does not receive the response from the client within the time limit set by the timer, the device side sends the message again.
Port configuration / Server timeout | Sets the value of the server timeout timer. When the device side sends a RADIUS Access-Request message to the authentication server, the device side starts the server timeout timer. If the device side does not receive the response from the authentication server within the time limit set by the timer, the device side resends the authentication request message.

4.4.3 802.1X configuration examples


1) Scenario requirements
• The access user is required to be authenticated on port eth0/3 to control the user's access to the Internet.
• The IP address of the RADIUS server group is 1.1.1.2.
• Set the shared key used when the system interacts with the RADIUS server to name.
2) Networking diagram
Figure 4-32 802.1X authentication typical networking diagram

3) Typical configuration examples

Step 1: Configure the server side


Server side:
Configure NAS authentication device 1.1.1.1 and communication key name.
In this example, FreeRADIUS is used as the server and the main configuration is as follows:
# vim /etc/freeradius/3.0/clients.conf
Add:
client 1.1.1.1 {
    ipaddr = 1.1.1.1
    secret = name
}
Add user account test with password test.
# cat /etc/freeradius/3.0/mods-config/files/authorize | grep "test"
test Cleartext-Password := "test"
The corresponding authentication methods, such as EAP-MSCHAPv2, need to be supported.

Step 2: Configure the RADIUS server.


Select “secure > RADIUS > server” in the navigation bar and go to the page shown in figure 4-33.

Figure 4-33 RADIUS server display page

Click the "add" button to enter the page shown in figure 4-34. Configure the RADIUS server IP as 1.1.1.2, leave the authentication port at its default of 1812, enter the password, leave the timeout at its default of 5 s, set the retransmission times to 3, and click the "apply" button to complete the configuration.
Figure 4-34 RADIUS server configuration page

When the configuration is complete, the page automatically returns to the display page shown in figure 4-35, where the newly created RADIUS server can be seen.
Figure 4-35 RADIUS server display page

Step 3: Enable 802.1x authentication globally.


Select "safe > 802.1x > configuration" in the navigation bar, enter the page shown in figure 4-36, click
the "enable/disable" button, and start 802.1x authentication.
Figure 4-36 802.1x global configuration page

Step 4: Enable 802.1x authentication on switch port 3.


Select "secure > 802.1x > configuration" in the navigation bar and enter the 802.1x configuration page.
Under port configuration, select eth0/3, the port to be configured, and click the "edit" button to enter the
following configuration page.

Figure 4-37 802.1X port configuration page

Click the "apply" button to complete the configuration. The page automatically returns to the display page
shown in figure 4-38, where the successfully configured port can be seen.
Figure 4-38 802.1X port configuration display page

Step 5: Configure the authentication client


Open the 802.1x authentication client and log in using the account test.
Corresponding authentication methods need to be supported, such as the EAP-MSCHAPv2 method.

4.5 MAC authentication


4.5.1 Overview
4.5.1.1 Introduction of MAC address authentication
MAC address authentication is a method of controlling users' network access rights based on port and
MAC address. It does not require users to install any client software. When the device first detects a
user's MAC address on a port where MAC address authentication is enabled, it initiates authentication
for that user. During authentication, the user does not need to manually enter a username or password. If
the user is authenticated successfully, the user is allowed to access network resources through the port;
otherwise the user's MAC address is added as a silent MAC. During the silent time (which can be
configured by the silent timer), when a user message from this MAC address arrives, the device directly
discards it to prevent illegal MAC authentication in a short time.

If a configured static MAC is the same as a silent MAC, the MAC silent function is disabled when MAC
address authentication fails.

Currently, the device supports the following MAC address authentication method:


• Remote authentication through a RADIUS (Remote Authentication Dial-In User Service) server.
Currently, MAC address authentication supports two types of username formats:
• MAC address username: use the user's MAC address as the username and password for
authentication.

4.5.1.2 MAC address authentication by RADIUS server authentication


When the MAC address is authenticated by the RADIUS server, the device acts as the RADIUS client and
works with the RADIUS server to complete MAC address authentication:
• With a MAC address username, the device sends the detected MAC address of the user to
the RADIUS server as the username and password.
• With a fixed username, the device sends the username and password that have been configured
locally to the RADIUS server as the username and password of the user to be authenticated.
After the RADIUS server has authenticated the user, the user can access the network.

4.5.1.4 MAC address authentication timer


The MAC address authentication process is controlled by the following timer:
• Authentication timeout timer: used to set the connection timeout between the device and the
RADIUS server. During the authentication of a user, if the device has not received a RADIUS server
response when the authentication timeout timer expires, the device forbids the user from
accessing the network on the corresponding port.
4.5.2 Configure MAC authentication

View the MAC authentication overview


Select "secure > MAC authentication" in the navigation bar and enter the page shown in figure 4-39. The
page gives an overview of MAC authentication; its parameters are described in table 4-14.
Figure 4-39 MAC authentication overview page

Table 4-14 MAC overview parameters

| Configuration items | | Instructions |
|---|---|---|
| General situation | VID | User VLAN ID |
| | MAC | User MAC |
| | MAC address aging | Whether the MAC aging function is enabled |
| | Forwarding | MAC forwarding status |
| | Interface | User port |
| | The time stamp | MAC generation time |
| | Delete | Table item delete button |

Configure MAC authentication


Select "secure > MAC certified > configuration" in the navigation bar and enter the page shown in figure
4-40. From this page, you can do global configuration of 802.1x and configuration based on individual
ports. Configuration parameters are described in table 4-15.
Figure 4-40 MAC authentication configuration page

Table 4-15 MAC overview parameters

| Configuration items | | Instructions |
|---|---|---|
| Global configuration | MAC authentication | MAC authentication switch |
| Port configuration | Interface | The physical port |
| | Port controlled | Port controlled mode |
| | MAC address aging | Whether to enable the MAC aging function |

4.5.3 MAC authentication configuration examples


1) Demand
• The access user must be authenticated on port eth0/3 to control access to the Internet.
• The IP address of the RADIUS server group is 1.1.1.2.
• The shared key used when the system interacts with the RADIUS server is name.
2) Networking diagram

Figure 4-41 typical MAC authentication networking diagram


3) Typical configuration examples

Step 1: Configure the server


Server:
Configure NAS authentication device 1.1.1.1 and communication key name.
Add the client MAC address to the user database as the user account and password.

Step 2: Configure the RADIUS server


Select “secure > RADIUS > server” in the navigation bar and go to the page shown in figure 4-42.
Figure 4-42 the RADIUS server display page

Click the "add" button to enter the interface shown in figure 4-43. Configure the RADIUS server IP as 1.1.1.2,
leave the authentication port at its default of 1812, enter the password, leave the timeout at its default of 5 s,
set the retransmission times to 3, and click the "apply" button to complete the configuration.
Figure 4-43 RADIUS server configuration page

When the configuration is finished, the page automatically returns to the display page shown in figure 4-44,
where the newly created RADIUS server can be seen.

Figure 4-44 creating a successful RADIUS server


Step 3: Enable MAC authentication globally.


Select "safe > MAC authentication > configuration" in the navigation bar, enter the page shown in figure
4-45, and click the [enable/disable] button to start MAC authentication.

Figure 4-45 MAC authentication global configuration page

Step 4: Enable MAC authentication on switch port 3.


Select "safe > MAC authentication > configuration" in the navigation bar and enter the MAC configuration
page. Under port configuration, tick eth0/3, the port to be configured, and click the "edit" button to enter the
following configuration page.

Figure 4-46 MAC authentication port configuration page

Click the "apply" button to complete the configuration. The page automatically returns to the display page
shown in figure 4-47, where the successfully configured port can be seen.
Figure 4-47 Successfully created MAC authentication port

Step 5: Configure the authentication client


Open the 802.1x authentication client and log in with any account.


4.6 RADIUS
4.6.1 Overview
RADIUS (Remote Authentication Dial-In User Service) is a common protocol for implementing AAA
(Authentication, Authorization and Accounting).

4.6.1.1 RADIUS profile


RADIUS is a distributed information interaction protocol with a client-server structure. It protects networks
from unauthorized access and is often used in network environments that require high security
and allow remote users to access. The protocol defines the RADIUS message format and its message
transmission mechanism, and stipulates that UDP is used as the transport layer protocol to encapsulate
RADIUS messages (UDP ports 1812 and 1813 are used as the authentication and accounting ports respectively).

At the beginning, RADIUS was just an AAA protocol for dial-up users. Later, as user access methods
diversified, RADIUS also adapted to a variety of user access methods, such
as Ethernet access and ADSL access. It provides access services through authentication and authorization,
and collects and records users' use of network resources through accounting.

4.6.1.2 Client/server mode


• Client: the RADIUS client is typically located on a NAS device and can span the entire network. It
transmits user information to a designated RADIUS server and then acts on the information
returned from the server (such as accepting/rejecting user access).
• Server: the RADIUS server typically runs on a central computer or workstation and maintains the relevant
user authentication and network service access information. It is responsible for receiving and
authenticating user connection requests, and then returns all required information to the client (such
as accepting/rejecting authentication requests).
The RADIUS server typically maintains three databases, as shown in figure 4-48.
Figure 4-48 the composition of the RADIUS server

• "Users": Used to store user information (such as user name, password, and configuration
information such as the protocol used, IP address, etc.).
• "Clients": Used to store information about RADIUS clients (such as shared keys of access devices,
IP addresses, etc.).
• "Dictionary": Used to store the attributes of the RADIUS protocol and the meaning of attribute values.
4.6.1.3 Security and authentication mechanism


Authentication messages between the RADIUS client and the RADIUS server are exchanged with the
participation of a shared key, and the shared key itself is never transmitted over the network,
which enhances the security of the exchange. In addition, passwords are encrypted during
transmission to prevent them from being stolen when they are transmitted over insecure networks.

The RADIUS server supports several methods for authenticating users, such as PPP-based PAP and CHAP
authentication. In addition, a RADIUS server can also act as a proxy, communicating with
other RADIUS authentication servers as a RADIUS client and forwarding RADIUS
authentication and accounting messages.

4.6.1.4 Basic message interaction flow of RADIUS


The interaction flow between the user, RADIUS client, and RADIUS server is shown in figure 4-49.
Figure 4-49 basic message interaction flow of RADIUS

The flow of message interaction is as follows:


(1) The user initiates a connection request and sends the username and password to the RADIUS client.
(2) Based on the username and password obtained, the RADIUS client sends an Access-Request packet to
the RADIUS server, in which the password is encrypted by the MD5 algorithm with the participation of the shared key.
(3) The RADIUS server authenticates the username and password. If authentication succeeds,
the RADIUS server sends an Access-Accept to the RADIUS client; if authentication fails, it returns an
Access-Reject. Because the RADIUS protocol merges the authentication and authorization processes, the
Access-Accept packet also contains the user's authorization information.
(4) The RADIUS client admits or denies the user based on the authentication result received. If the user is allowed
access, the RADIUS client sends an accounting start request (Accounting-Request) packet to the RADIUS server.
(5) The RADIUS server returns an accounting start response (Accounting-Response) packet and starts accounting.
(6) The user starts accessing network resources.
(7) The user requests to disconnect, and the RADIUS client sends an accounting stop request (Accounting-Request)
packet to the RADIUS server.
(8) The RADIUS server returns an accounting stop response (Accounting-Response) packet and stops accounting.
(9) The user ends access to network resources.

Our equipment does not support the RADIUS accounting function.
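The password protection in step (2) and the shared-key check on the server's reply, worked through as an added Python example (not code from this manual or the switch firmware). It follows RFC 2865 and uses the sample values from section 4.4.2 (NAS 1.1.1.1, shared key name, account test); the request authenticator and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types


def _xor_chain(data, secret, request_auth, hiding):
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, pad))
        out += xored
        prev = xored if hiding else block  # always chain on the ciphertext
    return out


def hide_password(password, secret, request_auth):
    """Client (switch) side: RFC 2865 section 5.2 User-Password hiding."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, hiding=True)


def unhide_password(hidden, secret, request_auth):
    """Server side: recover the password with the same shared key."""
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip, request_auth):
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    end = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= end <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < end:
        if end - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server reply; authenticator = MD5(header + request auth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, ident, request_auth, secret):
    """Client check that the reply came from a holder of the shared key."""
    if len(response) < 20 or response[1] != ident:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    secret = b"name"                      # shared key from section 4.4.2
    request_auth = bytes(range(16))       # constructed; a real client uses random bytes
    request = build_access_request(1, b"test", b"test", secret, "1.1.1.1", request_auth)
    hidden = parse_attributes(request)[USER_PASSWORD]
    recovered = unhide_password(hidden, secret, request[4:20])
    code = ACCESS_ACCEPT if recovered == b"test" else ACCESS_REJECT
    reply = build_response(code, 1, request_auth, secret)
    reject = build_response(ACCESS_REJECT, 1, request_auth, secret)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]   # Reject relabelled as Accept in transit
    return {
        "password_on_wire": hidden.hex(),
        "recovered_by_server": recovered,
        "reply_code": reply[0],
        "reply_valid": verify_response(reply, 1, request_auth, secret),
        "forged_valid": verify_response(forged, 1, request_auth, secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both the password keystream and the reply check are MD5 over the shared key, so the length and randomness of that key are what protect the exchange between the switch and the server.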

4.6.2 Configure RADIUS

RADIUS global configuration

Select “secure > RADIUS” in the navigation bar and go to the page shown in figure 4-50. The global
configuration parameters are described in table 4-16.
Figure 4-50 the RADIUS global configuration page

Table 4-16 MAC overview parameters

| Configuration items | | Instructions |
|---|---|---|
| Global configuration | Password | Global default password configuration; configurable, unreadable; optional configuration |
| | Timeout | Global server timeout time; optional configuration |
| | Retransmission | Global server retransmission times; optional configuration |
| | Dead time | Duration of server death; optional configuration. The default is 0, which means the server is resurrected immediately after death. |

The RADIUS server


Select "secure > RADIUS > server" in the navigation bar and go to the page shown in figure 4-51. The
parameters of the server are described in table 4-17.


Figure 4-51 RADIUS server configuration page

Table 4-17 RADIUS server parameter description

| Configuration items | Instructions |
|---|---|
| IP | Server IP address |
| Authentication port | Server authentication port number; the default is 1812 |
| Password | Server key; the global configuration is used when none is configured |
| Timeout | Server timeout; the default is 5 s |
| The retransmission | Server retransmission times; the default is 3 times |

4.6.3 RADIUS configuration example


The RADIUS configuration steps are shown in the 802.1x or MAC authentication configuration steps.


5 System

5.1 Manage IP addresses

• After changing the IP address, you need to manually point the browser to the new address and access the switch again.
• Configuring the management VLAN (VID) is complicated, and improper operation will cause failure to log on to the
device. If you need to change the VID, please refer to the management VLAN configuration examples for the specific
operation method.

As shown in figure 5-1, select "manage IP address" from the menu of "system" to enter the IP address
management page.

Figure 5-1 IP address management page

Table 5-1 Parameter description


| Configuration items | Instructions |
|---|---|
| VID | Management VLAN configuration: specifies which VLAN to use as the management VLAN. The VLAN must already exist. |
| IPV4 type | None: do not use an IPv4 management address. Static: specify the IPv4 address manually, which requires the IPv4 address and mask length to be set. DHCP: obtain the IPv4 address through DHCP allocation. |
| IPV4 address | Sets the IPv4 management IP address. Available when "static" is selected. |
| IPV4 mask | Sets the subnet mask; the default is 255.255.255.0. Available when "static" is selected. |
| IPV4 gateway | Specifies the IP address of the gateway. Available when "static" is selected. |
| IPV6 type | None: do not use an IPv6 management address. Static: specify the IPv6 address manually, which must be set when this option is selected. DHCP: obtain the IPv6 address through DHCP assignment. |
| IPV6 address | Sets the IPv6 management IP address. Available when "static" is selected. |
| IPV6 prefix length | Sets the IPv6 prefix length. Available when "static" is selected. |
| IPV6 gateway | Sets the IPv6 gateway. Available when "static" is selected. |

Configuration example 1
Case requirements: management VLAN 1, management IP 192.168.64.200, subnet mask 255.255.255.0,
gateway address 192.168.64.1.
Configuration steps:

Step 1: Click [system] -> [manage IP address] in the navigation bar to enter the IP address management page.

Step 2: Enter the values to be changed, as shown in figure 5-2, and click the [apply] button to make the
configuration effective.

Figure 5-2 IP address management page

Step 3: Change the address in the browser to 192.168.64.200. The PC must be configured on the
same network segment; then log in again.

After logging in again, the system will prompt whether to save the current IP address, and users can choose
"save" or "ignore" as needed.

Step 4: Click the "save" button on the navigation bar to save the configuration.


Configuration example 2
Case requirements: the device's management VLAN is VLAN 1 by default, and the management IP address is
192.168.1.168. The management VLAN needs to be changed to VLAN 100, and the management IP
needs to be changed to 192.168.1.100.

• Ensure that the PC and the switch can reach each other over the VLAN before modifying the management VLAN;
otherwise the switch may become inaccessible.

Scenario 1: The PC is connected directly to the switch. The PC is connected to switch port eth0/1, which is
configured by default as an access port with Native VLAN 1.

Step 1: Create VLAN 100;


Click navigation bar [switch] -> [VLAN], enter the VLAN page, and click [add] button, as shown in the
figure. VLAN ID is "100", tagged member port is empty, click [apply] to return to VLAN main page

Figure 5-3 VLAN creation page

Return to the VLAN main page to confirm that the management VLAN was configured successfully.

Figure 5-4 VLAN display page

Step 2: Configure an idle port as access port and Native VLAN as new administration VLAN 100.
For example, use the eth0/2 port, select eth0/2, and click the edit button to enter the following
configuration page. Change the mode of eth0/2 to access and PVID to 100, and click the "apply" button to
complete the configuration.


Figure 5-5 Interface configuration page

Go back and check the modified configuration to make sure port eth0/2 is configured correctly

Figure 5-6 Interface display page

Step 3: Modify the administration VLAN to 100 and configure the new IP address.
Click [system] -> [management IP address] in the navigation bar to enter the management VLAN
configuration page
Modify the management VLAN to the expected configuration of 100, and modify the management IP to
the expected configuration of 192.168.1.100, and click [apply] to modify.

Figure 5-7 IP address management page

Step 4: Switch the PC from eth0/1 to eth0/2 to connect to the switch and log in to the switch WEB page
using the new IP 192.168.1.100.
Step 5: (optional) If you want to access the switch from other devices, add the trunk port
connected to those devices to the new management VLAN 100.
Scenario 2: As shown in figure 5-8, Switch A is the switch whose configuration is to be modified,
and the PC is connected to SW1 through Switch B.

Figure 5-8 Scenario 2 topology diagram

Step 1: Configure the Switch A and Switch B interconnect port eth0/5 as their trunk port.


Click the navigation bar [switch] -> [VLAN], enter the interface page, select port eth0/5, click the button
[edit], as shown in the figure, select Trunk for VLAN mode, Native VLAN default is 1, click [apply] to
complete the configuration.

Figure 5-9 Interface configuration page

Step 2: Switch A and Switch B create VLAN 100, tagged member port select eth0/5.
Click the navigation bar [switch] -> [VLAN] to enter the VLAN page, click the button [add], VLAN ID is
"100", Tagged member port select eth0/5, and click [apply] to return to the VLAN main page

Figure 5-10 VLAN configuration page

Return to the VLAN main page to confirm that the management VLAN was configured successfully.

Figure 5-11 VLAN display page

Step 3: Modify Switch A management VLAN to 100 and configure the new IP address.
Click the navigation bar [system] -> [IP address management] to enter the IP address management page.
Modify the management VLAN to be the expected configuration value 100, and modify the management
IP to be the expected configuration 192.168.1.100, and click [apply] to modify.


Figure 5-12 IP address management page

Step 4: Change eth0/1 of Switch B, which is directly connected to the PC, to access mode with Native VLAN 100.
Once management messages from the PC can reach management VLAN 100 of Switch A,
you can access Switch A from the PC.

Configuration example 3
Case requirements: the management VLAN is 1, and the management IP is allocated by DHCP.

Step 1: Click [system] -> [IP management] in the navigation bar to enter the IP address management page.

Step 2: Select DHCP as the IPV4 type, as shown in figure 5-2, and click the "apply" button to
make the configuration effective.

After the configuration takes effect, the IP address of the device can be seen on the DHCP server. Alternatively,
log in to the device through the serial port and enter "show management summary" to check the device IP
address.

Step 3: Log in to the device with the new IP address and re-enter the IP management page to see the
IP address of the device.

Step 4: Click the "save" button on the navigation bar to save the configuration.

5.2 User management

• In order to improve the security of the device, please change the password as soon as possible, and be sure to save
the changed password. If you forget the password, you will be unable to log in the device.

Click the navigation bar [system] -> [user management] to enter the user management page, as shown in
figure 5-13.

Figure 5-13 user management page

Table 5-3 user management parameters


| Configuration items | Instructions |
|---|---|
| Name | User name |
| Edit | Click to edit the user |
| Delete | Click to delete the user |
| Add | Add a new user |

Steps to add an account:

Step 1: Click [system] -> [user management] in the navigation bar to enter the user management page.

Step 2: Click the "add" button to enter the add account page, as shown in figure 5-14.
After logging into the device for the first time, please modify the password as soon as possible and enter
the new password twice according to the prompts, as shown in figure 5-13. Passwords are composed of
numbers and letters, are 0-32 bytes long, and are case-sensitive.

Figure 5-14 Add account page

Step 3: Click the "apply" button to complete the configuration, and the page will automatically return to the
account display page, as shown in figure 5-15, to see the newly created account.

Step 4: Click the "save" button on the navigation bar to save the configuration.

5.3 Services
5.3.1 Overview
The service management module provides management of the Telnet and SSH services, so that
users can enable a service only when they need it and close it otherwise.
This improves the performance of the system and the security of the equipment, and achieves secure
management of the equipment.
1. The Telnet service
The Telnet protocol is an application layer protocol in the TCP/IP protocol family, used to
provide remote login and virtual terminal functions in the network.
2. SSH services
SSH is short for Secure Shell. When the user logs into the device remotely over a network
environment that cannot guarantee security, SSH uses encryption and strong authentication
to protect the device from attacks such as IP address spoofing and
plaintext password interception.

5.3.2 Configuration service management


As shown in figure 5-14, select [service] from the drop-down menu of [system] to enter the configuration
page.
Click the enable/disable button to enable or disable the Telnet/SSH service.


Figure 5-14 service configuration page

5.4 SNMP
5.4.1 Overview
SNMP (Simple Network Management Protocol) is a standard network management protocol in the
Internet, widely used by management devices to access and manage managed
devices. SNMP has the following features:
• Support for intelligent management of network equipment. Using a network management platform
based on SNMP, network administrators can query the running status and parameters of network
equipment, set parameter values, find faults, complete fault diagnosis, carry out capacity planning
and generate reports.

• Support for managing devices with different physical characteristics. SNMP only provides a basic
set of functions, making management tasks relatively independent of the physical
characteristics and networking technologies of managed devices, so that devices from
different manufacturers can be managed.

5.4.1.1 Working mechanism of SNMP


An SNMP network contains an NMS and Agents.
• The NMS (Network Management System) is the manager of the SNMP network. It provides a
friendly human-computer interaction interface that helps network administrators complete
most network management work.
• The Agent is the managed party of the SNMP network, responsible for receiving and processing request
messages from the NMS. In some emergencies, such as a change of interface state, the Agent
actively sends warning information to the NMS.
When the NMS manages devices, it usually pays close attention to some parameters, such as interface status,
CPU utilization, etc. The set of these parameters is called the MIB (Management Information Base). These
parameters are called nodes in the MIB. The MIB defines hierarchical relationships between nodes and a set
of properties of each object, such as its name, access rights, and data type. Each Agent has its own MIB.
Managed devices have their own MIB files; compiling these MIB files on the NMS generates the MIB of the
device. The NMS carries out read/write operations on MIB nodes according to access rights, so as to manage
the Agent. The relationship between NMS, Agent and MIB is shown in figure 5-15.


Figure 5-15 relationship between NMS, Agent and MIB

The MIB is organized in a tree structure and consists of several nodes, each of which represents a
managed object. A managed object can be uniquely identified by a string of numbers representing the
path starting from the root, which is called the OID (Object Identifier).
As shown in figure 5-16, managed object B can be uniquely determined by the string of numbers {1.2.1.1},
which is the OID of managed object B.

Figure 5-16 MIB tree structure

SNMP provides four basic operations to realize the interaction between NMS and Agent:
• GET operation: the NMS uses this operation to query the value of one or more nodes in the Agent
MIB.
• SET operation: the NMS uses this operation to set the value of one or more nodes in the
Agent MIB.
• Trap operation: the Agent uses this operation to send Trap information to the NMS. The Agent does not
require the NMS to send a response message, and the NMS does not respond to Trap information.
SNMPv1, SNMPv2c, and SNMPv3 support Trap operations.

5.4.1.2 Protocol version of SNMP


Currently, the Agent supports three versions: SNMPv1, SNMPv2c and SNMPv3:
• SNMPv1 adopts the Community Name authentication mechanism. Community names are similar to
passwords and are used to limit communication between the NMS and Agents. If the community name set by
the NMS is different from that set on the managed device, the SNMP connection between NMS and
Agent cannot be established, so the NMS cannot access the Agent, and warning
information sent by the Agent is also discarded by the NMS.
• SNMPv2c also adopts the community name authentication mechanism. SNMPv2c extends the
functions of SNMPv1: it provides more operation types, supports more data types, and provides richer
error codes, allowing more detailed error differentiation.
• SNMPv3 adopts the USM (User-based Security Model) authentication mechanism. Network
administrators can set authentication and encryption functions. Authentication is used to verify the
legitimacy of the message sender and avoid access by illegal users. Encryption encrypts the
messages transmitted between NMS and Agent to avoid eavesdropping. Authentication and
encryption together provide higher security for communication between NMS and Agent.

Instruction

The precondition for the NMS and the Agent to create a connection is that they use the same SNMP version.
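How the USM authentication described above turns an administrator's password into a per-device key and a message tag, as an added Python example (not from this manual or the switch firmware). It follows RFC 3414 and assumes the HMAC-MD5-96 or HMAC-SHA-96 authentication protocol, which the manual does not name; the password and first engine ID are the RFC's published test values, and the second engine ID, the message bytes and the function names are constructed.

```python
import hashlib
import hmac

DIGESTS = ("md5", "sha1")   # HMAC-MD5-96 and HMAC-SHA-96 in RFC 3414
TAG_LEN = 12                # both protocols truncate the HMAC to 96 bits


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: digest of the password repeated out to 1,048,576 bytes."""
    if algo not in DIGESTS:
        raise ValueError("unsupported digest")
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(user_key: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind the user key to one agent: H(Ku + snmpEngineID + Ku)."""
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def sign_message(local_key: bytes, message: bytes, tag_offset: int, algo: str) -> bytes:
    """Fill the 12-byte msgAuthenticationParameters field at tag_offset.

    The HMAC is computed over the whole message with that field zeroed.
    """
    zeroed = message[:tag_offset] + bytes(TAG_LEN) + message[tag_offset + TAG_LEN:]
    tag = hmac.new(local_key, zeroed, algo).digest()[:TAG_LEN]
    return zeroed[:tag_offset] + tag + zeroed[tag_offset + TAG_LEN:]


def check_message(local_key: bytes, message: bytes, tag_offset: int, algo: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    received = message[tag_offset:tag_offset + TAG_LEN]
    resigned = sign_message(local_key, message, tag_offset, algo)
    return hmac.compare_digest(received, resigned[tag_offset:tag_offset + TAG_LEN])


def demo():
    password = b"maplesyrup"                                # RFC 3414 A.3 test password
    engine_a = bytes.fromhex("000000000000000000000002")    # RFC 3414 A.3 engine ID
    engine_b = bytes.fromhex("000000000000000000000003")    # constructed second agent
    user_key = password_to_key(password, "md5")
    key_a = localize_key(user_key, engine_a, "md5")
    key_b = localize_key(user_key, engine_b, "md5")

    # Constructed stand-in for a serialized SNMPv3 message; in a real message
    # the tag offset comes from parsing the BER-encoded security parameters.
    prefix = b"constructed-header-and-usm-fields"
    message = prefix + bytes(TAG_LEN) + b"constructed-scoped-pdu"
    signed = sign_message(key_a, message, len(prefix), "md5")
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return {
        "localized_key_agent_a": key_a.hex(),
        "localized_key_agent_b": key_b.hex(),
        "accepted_by_agent_a": check_message(key_a, signed, len(prefix), "md5"),
        "accepted_by_agent_b": check_message(key_b, signed, len(prefix), "md5"),
        "tampered_accepted": check_message(key_a, tampered, len(prefix), "md5"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same password yields a different key on every agent because the engine ID is mixed in, so a key recovered from one device does not authenticate to another.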

5.4.2 Configure SNMP


Since the configuration of SNMPv3 is quite different from that of SNMPv1 and SNMPv2c,
the two are introduced separately below.

5.4.2.1 SNMPv1/v2c configuration


The SNMP community string is the authentication string agreed between the device and the SNMP server; the
server configuration must be consistent with the device side. A community string
has one of two types of permissions: read-only or read-write. With a community string that has read-only
permission, the server can only perform GET-related operations. With a community string that has read and write
permission, the server can perform GET and SET. The device side supports configuring multiple community
strings for use by different servers.
(1) Select [system] -> [SNMP] in the navigation bar, enter the SNMP configuration page, and click the
SNMPv1/v2c tab. The page displays all SNMP group word information and server information
currently configured.

Figure 5-17 SNMP group word

(2) Configure the SNMP community string: click the [+add] button to enter the new page and add a new SNMP
community string, as shown in figure 5-18. The SNMP group word parameters are described in
table 5-4.

Figure 5-18 SNMP group word configuration

Table 5-4 SNMP group word parameter description

| Configuration items | Instructions |
|---|---|
| Name | Community name |
| Type | Community name permission type: read-write grants read and write access; read-only grants read access only |

(3) Configure the SNMP server: click the [+add] button to add an SNMP server. The page for adding a server is shown
in figure 5-19, and the SNMP server parameters are described in table 5-5.

Figure 5-19 SNMP server configuration

Table 5-5 SNMP server parameter description


| Configuration items | Instructions |
|---|---|
| IP | SNMP server IP address. |
| Community string | SNMP server authentication group word |

5.4.2.2 Configuration SNMPv3


(1) Select [system] -> [SNMP] from the navigation bar, enter the SNMP configuration page, and click the
SNMPv3 tab, as shown in figure 5-20. The page displays all SNMPv3 information currently
configured.


Figure 5-20 SNMPv3 page

(2) Configure SNMPv3 view, click [+ add] button to enter the page of adding new view, as shown in figure
5-21, and view parameters are described in table 5-6.

Figure 5-21 add the SNMPv3 view page

Table 5-6 Detailed configuration of SNMP view rules


| Configuration items | Instructions |
|---|---|
| Name | Displays the name of the SNMP view. The All view and the none view exist in the system by default: the All view contains all OIDs; the none view does not contain any OID. |
| Include/Exclude | Sets whether the objects determined by the MIB subtree OID and subtree mask are included in or excluded from the view scope. |
| OID | Configures the OID (such as 1.4.5.3.1) or name (such as system) of the MIB subtree root node. The MIB subtree OID indicates the location of the node in the MIB tree and uniquely identifies an object in a MIB library. |
(3) Configure SNMPv3 group, click [+ add] button to enter the page of new SNMP group, as shown in
figure 5-22, and the parameters of SNMP group are shown in table 5-7.


Figure 5-22 new SNMP group page

Table 5-7 Detailed configuration of SNMP group

Configuration items | Instructions
Name | Set the name of the SNMP group
Version |
Security model | Set the security level of the SNMP group. AuthPriv: both authentication and encryption. AuthNoPriv: authentication only, no encryption. NoAuthNoPriv: no authentication, no encryption. Prompt: Currently SNMPv3 users and groups support only authenticated and encrypted levels of security
Read view | Set up the read view of the SNMP group. All: select the All view. None: select the None view. Prompt: You can select other views
Write view | Set up the write view of the SNMP group. All: select the All view. None: select the None view. Prompt: You can select other views

(4) Configure the SNMPv3 user: click the [+ add] button to enter the new SNMP user page, as shown in figure
5-23. The SNMP user parameters are shown in table 5-8.

Figure 5-23 new SNMP user


Table 5-8 detailed configuration of SNMP users

Configuration items | Instructions
Name | Set the name of the SNMP user
Group | Sets the name of the group to which the user belongs. Select a "no authentication, no encryption" group when the user's security level is "no authentication, no encryption"; when the user's security level is "authentication only, no encryption", you can choose a "no authentication, no encryption" group or an "authentication only, no encryption" group; select groups of any security level when the user's security level is "both authentication and encryption". Prompt: Currently SNMPv3 users and groups support only authenticated and encrypted levels of security
Authentication type | When the security level is "authentication but no encryption" or "both authentication and encryption", set the authentication mode, including: MD5, SHA
Authentication password | Set the authentication password when the security level is "authentication, no encryption" or "both authentication and encryption"
Encryption type | When the security level is "both authentication and encryption", set the encryption mode, including: DES, AES
Encrypted password | When the security level is "both authentication and encryption", set the encryption password

(5) Configure the SNMPv3 host: click the [+add] button to enter the new SNMP host page, as shown in figure 5-24. The
SNMP host parameters are described in table 5-9.

Figure 5-24 create a new SNMP host

Table 5-9 Detailed configuration of SNMP hosts

Configuration items | Instructions
Family | IP address family, used to distinguish between IPv4 and IPv6 hosts
Address | IP address value
Version | The SNMP version number
User | User name for SNMPv3
Security model | User security model of SNMPv3
Informs/Traps | The type of notification message sent. Informs: wait for a response from the server and support retransmission. Traps: do not wait for a response and do not support retransmission
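
The view, group and user settings in tables 5-6 to 5-8 form a chain that decides what a management station may read or write. The following Python model is an added example, not code from this manual or from the device: it assumes the switch applies the standard VACM rule (RFC 3415) that the longest matching subtree decides, it ignores subtree masks, and all names, passwords and sample OIDs are constructed.

```python
from dataclasses import dataclass, field

# Security levels from Table 5-7, weakest to strongest.
LEVELS = {"NoAuthNoPriv": 0, "AuthNoPriv": 1, "AuthPriv": 2}


def parse_oid(text):
    """'1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class View:
    name: str
    subtrees: dict = field(default_factory=dict)  # subtree tuple -> True=include, False=exclude

    def rule(self, oid, include):
        self.subtrees[parse_oid(oid)] = include
        return self

    def contains(self, oid):
        oid = parse_oid(oid)
        matching = [s for s in self.subtrees if oid[:len(s)] == s]
        if not matching:
            return False  # OID not covered by any rule: outside the view
        # Assumption (standard VACM, RFC 3415): the longest matching subtree decides.
        return self.subtrees[max(matching, key=len)]


ALL_VIEW = View("All", {(): True})  # the empty prefix matches every OID
NONE_VIEW = View("None")            # no rules, so nothing is visible


@dataclass
class Group:
    name: str
    level: str
    read_view: View
    write_view: View


@dataclass
class User:
    name: str
    level: str
    group: Group
    auth_type: str = ""
    auth_password: str = ""
    enc_type: str = ""
    enc_password: str = ""


def check_user(user):
    """Return the Table 5-8 rules that a user entry breaks (empty list = consistent)."""
    problems = []
    if LEVELS[user.group.level] > LEVELS[user.level]:
        problems.append(f"group {user.group.name} needs {user.group.level}, user is {user.level}")
    if LEVELS[user.level] >= LEVELS["AuthNoPriv"]:
        if user.auth_type not in ("MD5", "SHA"):
            problems.append("authentication type must be MD5 or SHA")
        if not user.auth_password:
            problems.append("authentication password missing")
    if user.level == "AuthPriv":
        if user.enc_type not in ("DES", "AES"):
            problems.append("encryption type must be DES or AES")
        if not user.enc_password:
            problems.append("encryption password missing")
    if user.level != "AuthPriv" or user.group.level != "AuthPriv":
        problems.append("prompt in tables 5-7/5-8: only AuthPriv is currently supported")
    return problems


def can_access(user, oid, write=False):
    """True if a consistent user entry reaches the OID through its group's view."""
    if check_user(user):
        return False
    view = user.group.write_view if write else user.group.read_view
    return view.contains(oid)


# Constructed sample configuration (names and passwords are placeholders).
MONITOR = (View("monitor")
           .rule("1.3.6.1.2.1", True)       # mib-2
           .rule("1.3.6.1.2.1.4", False)    # except the ip group
           .rule("1.3.6.1.2.1.4.1", True))  # but ipForwarding stays visible
OPS = Group("ops", "AuthPriv", read_view=MONITOR, write_view=NONE_VIEW)
NMS = User("nms", "AuthPriv", OPS, "SHA", "example-auth-pass", "AES", "example-enc-pass")
LEGACY = User("legacy", "AuthNoPriv", OPS, "MD5", "example-auth-pass")

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0",       # sysName.0
                "1.3.6.1.2.1.4.22.1.2",    # ipNetToMediaTable column (excluded)
                "1.3.6.1.2.1.4.1.0",       # ipForwarding.0 (re-included)
                "1.3.6.1.6.3.15.1.2.2"):   # usmUserTable (never included)
        print(oid, "read:", can_access(NMS, oid), "write:", can_access(NMS, oid, write=True))
    print("legacy user problems:", check_user(LEGACY))
```

Of the algorithms Table 5-8 offers, SHA and AES are the stronger choices; MD5 and DES are weak.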

5.5 Date/time
To keep the device coordinated with other equipment, users need to configure
the system time accurately. The date and time settings module is used to display and set the system
time in the Web administrator, and to set the system time zone. The device supports manual configuration of
the system time and automatic synchronization with an NTP (Network Time Protocol) server.

NTP (Network Time Protocol) is a time synchronization protocol defined by RFC 1305 for time
synchronization between distributed time servers and clients. The purpose of using NTP is to
synchronize the clocks of all devices in the network so that they are consistent,
thus enabling the devices to provide multiple applications based on a uniform time.
A local system running NTP can accept synchronization from other clock sources and can also be
used as a clock source to synchronize other devices.

5.5.1 View the current date and time of the system


(1) Select [system] -> [date and time] in the navigation bar to enter the date and time page, as shown in
figure 5-25.
(2) View the current date and time of the system displayed in real time on the page.

Figure 5-25 Date and time configuration page

Table 5-4 NTP parameters instruction

Configuration items | Instructions
Time zone | Select the time zone
Date | System date
Time | The system time
NTP server IP | NTP server IP address

5.5.2 Manually configure the date and time of the system


(1) Select [system] -> [date and time] in the navigation bar to enter the date and time page, as shown in
figure 5-26.
(2) Check the synchronization option following the date and time text box, and click the "apply" button to
complete the configuration.
(3) Click the "save" button in the navigation bar to save the current configuration.

Figure 5-26 date and time configuration page

Instruction

• For devices without a built-in RTC, the time and date of the device are restored to factory settings after a restart, and
the time and date need to be reconfigured.

5.5.3 Configure network time


(1) Select [system] -> [date and time] in the navigation bar to enter the date and time page, as shown in
figure 5-27.
(2) Enter the corresponding server address in the IP box of NTP server and click "apply" to complete the
configuration.
(3) Click the "save" button in the navigation bar to save the current configuration.

Figure 5-27 date and time configuration page

Instruction

• The device must be able to access the NTP server.

• After the configuration is finished, the device automatically synchronizes the time information from the server. The first
synchronization takes about 4-8 minutes to finish.
• For devices without a built-in RTC, the time and date are restored to factory settings when the device restarts, and
a device configured with an NTP server then automatically synchronizes the network time.

5.6 Configuration file management


5.6.1 Configuration backup
The configuration backup function downloads the configuration of the device to the computer, where it can be used to
restore the configuration or be imported into other devices.


Select [configuration file management] from the drop-down menu of [system] in the navigation bar and
enter the configuration file management page, as shown in figure 5-28.

Figure 5-28 configure backup

Click the "backup configuration" button; the [file download] dialog box pops up. Save the
configuration file locally.

5.6.2 Configuration recovery


Configuration recovery allows you to quickly import configuration files into the machine.

Figure 5-29 configuration recovery

As shown in figure 5-29, click the [select file] button, select the configuration file with the suffix ".conf"
that needs to be imported, and click the [upload configuration] button. The device restarts automatically
during the import process and shows the waiting page in figure 5-30.

Figure 5-30 configuration recovery wait page

5.6.3 Restore factory settings


The restore factory configuration module provides the ability to restore all configurations in the device to
the factory default configuration, delete the current configuration file, and restart the device.

Step 1: Select [system] -> [profile management] in the navigation bar.

Step 2: Click the "restore Settings" button, as shown in figure 5-31.

Figure 5-31 restore factory settings page


Step 3: Wait for the device to finish restarting, as shown in figure 5-32. Log in with the default IP, user name
and password after the device restarts.

Figure 5-32 Configuration recovery page

5.7 System upgrade


The software upgrade module obtains the target application file from the local host and sets this
file as the startup file for the next startup of the device.

Note

• Software upgrades take some time. Please do not operate on the Web during the software upgrade,
as it may cause the software upgrade to be interrupted.
• After the upgrade, the device will restart automatically.

Step 1: Select [system] -> [system upgrade] in the navigation bar and enter the “Update
firmware” page, as shown in figure 5-33.

Figure 5-33 software upgrade

Step 2: Click the "Choose File" button and select the upgrade file corresponding to the device in the
dialog box. The upgrade file is in .bin format.


Step 3: Click the "upgrade" or "save configuration & upgrade" buttons to start the software upgrade.

Figure 5-34 estimates the upgrade

5.8 Log/Diagnosis
Each functional module has its own running information, and normally users have to view
it module by module. To collect more information at one time during
routine maintenance or after a system failure, the device supports a diagnostic information module. When the
user generates the diagnostic information file, the system saves the
statistics currently held by multiple functional modules in a file named "backup-SWITCH-year
mon-day-log", which users can view to locate problems faster.

Step 1: Select [system] -> [log/diagnostics] in the navigation bar.

Step 2: Click the "backup log" button; the "file download" dialog box pops up. Save the log file locally.

Figure 5-35 log/diagnostic page

5.9 Restart

• Be sure to save the configuration before restarting the device, otherwise all unsaved configuration will be lost after
restarting.
• After the device restarts, the user needs to log in again.

Step 1: Select [system] -> [restart] in the navigation bar and enter the restart page, as shown in
figure 5-36.


Figure 5-36 Restart page

Step 2: Click the [execute restart] button and wait for the device to finish restarting. This takes some time;
please be patient.

Figure 5-37 Restart waiting page


6 Route

6.1 Route
In the network, the router selects an appropriate path according to the destination address of the received
message and forwards the message to the next router. The last router in the path forwards the message
to the destination host. Route is the path information in the forwarding process of message, which is used
to guide message forwarding.

6.1.1 The route table


The router selects routes through the route table and sends the preferred route to the FIB
(Forwarding Information Base) table, which guides the forwarding of messages. Each router keeps at least
one route table and one FIB table.
The route table contains the routes discovered by various route protocols, which are usually divided into
the following three categories according to the source:
• Direct connect route: The route discovered by link-layer, also known as interface route.
• Static route: Route manually configured by the network administrator. Static routes are
convenient to configure and place low requirements on the system, so they suit small, stable networks
with a simple topology. The disadvantage is that whenever the network topology changes, they must be
reconfigured manually and cannot adapt automatically.
• Dynamic route: Route discovered by dynamic route protocols.
Each forwarding item in the FIB table indicates which physical interface of the router should be used to
send a message to a subnet or host to reach the next router in that path, or to the destination host in the
directly connected network without passing through another router.

6.1.2 Static route


A static route is a special route that is manually configured by an administrator. When networking is
simple, you only need to configure static route to make the network work normally.

Static route cannot automatically adapt to changes in network topology. When the network fails or the
topology changes, the configuration must be manually modified by the network administrator.

6.1.3 Configure static route

View the static route configuration


Select [route] -> [static route] in the navigation bar and enter the static route display page, as shown in
figure 6-1. The static route configuration can be displayed in the "overview", and the parameters are
described in table 6-1.


Figure 6-1 static route display page

Table 6-1 Description of static route parameters

Configuration items | Instructions
The prefix IP | Route prefix address, or route network segment; for example, a common route is 0.0.0.0/0 192.168.1.1, where the prefix IP is 0.0.0.0
Length of prefix | Length of the route network segment; in the example above, the length is 0
Next address | Route next hop address; in the example above, the next hop is 192.168.1.1
Description | Route description information, optional configuration

New static route


(1) Select [switch] -> [VLAN] in the navigation bar to create a VLAN.
(2) In the VLAN page, add the VLAN created in step 1 to the specified port.
(3) Select [route] -> [VLAN interface] in the navigation bar, enter the page shown in figure 6-2, and
complete the configuration of static route VLAN port.
(4) Select [route] -> [static route] in the navigation bar and enter the page shown in figure 6-1. Click [add]
button to enter the static route creation page, as shown in figure 6-3.
(5) Configure the information of static route. Detailed configuration information is shown in table 6-1.
(6) Click the [ok] button to complete the operation.

Figure 6-2 Static route VLAN interface page

Figure 6-3 New static route page

• When the first VLAN interface IP is configured, the administrative IP address is automatically
removed. To keep the IP address accessible, set the first VLAN interface as the
device's administrative IP. Take the default management IP 192.168.1.168, which belongs to VLAN1, as an
example, as shown in the figure below.
First, move the device's management IP to the VLAN interface configuration.

6.1.4 Configure static route examples


1. Networking requirements

IP addresses and masks of Switch A, Switch B and Switch C interfaces and hosts are shown in figure 6-4.
It is required that, after IPv4 static routes are configured between Switch A, Switch B, and Switch C, any two
hosts in the figure can communicate.

Figure 6-4 Static route configuration network diagram

2. Configuration ideas

Configure IPv4 static route using the following approach:


(1) VLAN creation and physical port VLAN partition.
(2) Configure the SVI port IP address of the device.
(3) Route planning: A and C are configured with default route to B, and B is configured with static route to
A and C respectively according to network segment.

3. Configuration steps

Configure the Switch A

(1) Create VLAN 300 and 500


Select [VLAN] from the sub-item [switch] in the navigation bar to enter the VLAN configuration page. In
the sub-page of VLAN, click the button [add], as shown in figure 6-5, to create VLAN300 and VLAN500.

Figure 6-5 creating a VLAN page

(2) VLAN mode configured for port 3 is access, VLAN 300, and VLAN mode configured for port 9 is
access, VLAN500.
Select [VLAN] from the sub-item [switch] in the navigation bar to enter the VLAN configuration page. In
the interface of port eth0/3, click the button [edit] to enter the configuration mode, as shown in figure 6-6.
In VLAN mode, select Access and PVID 300. Do the same configuration for port 9.

Figure 6-6 Configure the interface VLAN pattern

(3) Configure SVI 300 and 500 IP addresses


Select [VLAN interface] from the sub-item [route] in the navigation bar and enter the VLAN configuration
page, as shown in figure 6-7. Add SVI addresses of VLAN300 and VLAN500.

Figure 6-7 static route VLAN interface configuration

(4) Configure the default route to Switch B


Select "static route" from the sub-item of "route" in the navigation bar, enter the static route overview
page, and click the "add" button, as shown in figure 6-8, to complete the static route configuration.


Figure 6-8 Static route configuration

Configure the Switch B


(1) Create VLAN 100, 500 and 600.
Select [VLAN] from the sub-item [switch] in the navigation bar to enter the VLAN configuration page. In
the sub-page of VLAN, click the button [add], as shown in figure 6-9, to create VLAN100, VLAN300 and
VLAN500.

Figure 6-9 create a VLAN page

(2) VLAN mode configured for port 3 is access, VLAN 100; VLAN mode configured for port 9 is access,
VLAN500; VLAN mode configured for port 10 is access, VLAN 600.
Select [VLAN] from the sub-item [switch] in the navigation bar to enter the VLAN configuration page. In
the interface of port eth0/3, click the button [edit] to enter the configuration mode, as shown in figure 6-10.
In VLAN mode, select Access and PVID 100. Do the same configuration for ports 9 and 10.

Figure 6-10 configure the interface VLAN pattern

(3) Configure SVI 100, 300, and 500 IP addresses


Select [VLAN interface] from the sub-item [route] in the navigation bar and enter the VLAN interface
configuration page, as shown in figure 6-11. Add SVI addresses of VLAN100, VLAN300 and VLAN500.


Figure 6-11 static route VLAN interface

(4) Configure route to Switch A and Switch C


Select "static route" from the sub-item of "route" in the navigation bar, enter the static route overview page,
and click the "add" button, as shown in figures 6-12 and 6-13, to complete the static route configuration.

Figure 6-12. Static route configuration

Figure 6-13. Static route configuration

Configure the Switch C


(1) Create VLAN 100, 500 and 600.
Select [VLAN] from the sub-item [switch] in the navigation bar to enter the VLAN configuration page. In
the sub-page of VLAN, click the button [add], as shown in figure 6-14, to create VLAN600 and VLAN900.

Figure 6-14 create a VLAN page


(2) VLAN mode configured for port 3 is access, VLAN 900, and VLAN mode configured for port 9 is
access, VLAN600.
Select [VLAN] from the sub-item [switch] in the navigation bar to enter the VLAN configuration page. In
the interface of port eth0/3, click the button [edit] to enter the configuration mode, as shown in figure
6-15. In VLAN mode, select Access and PVID 900. Do the same configuration for port 9.

Figure 6-15 configure the interface VLAN pattern

(3) Configure SVI 100, 300, and 500 IP addresses


Select [VLAN interface] from the sub-item [route] in the navigation bar and enter the VLAN interface
configuration page, as shown in figure 6-16. Add SVI addresses of VLAN600 and VLAN900.

Figure 6-16 static route VLAN interface

(4) Configure the default route of Switch B


Select [static route] from the sub-item of [route] in the navigation bar, enter the static route overview page,
and click "add" button, as shown in figure 6-17, to complete the static route configuration.

Figure 6-17. Static route configuration


4. Configuration result verification

(1) View the active route list.


Enter the IPv4 route display page of Switch A, Switch B and Switch C respectively, and check that the newly
configured static routes appear in the list of active routes on the page.
(2) Use ping command on Host A to verify whether Host C is reachable.
C:\Documents and Settings\Administrator>ping 1.1.3.2

Pinging 1.1.3.2 with 32 bytes of data:

Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
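
The route plan in section 6.1.4 (default routes on Switch A and Switch C pointing to Switch B, and per-segment static routes on Switch B) can be checked offline before it is entered in the Web pages. The following Python sketch is an added example, not part of the manual: figure 6-4 is not reproduced in the text, so every subnet and interface address is a constructed assumption, except Host C's 1.1.3.2, which comes from the ping output above.

```python
import copy
import ipaddress

# Constructed addressing plan (assumption); VLAN numbers follow the ports configured above.
SWITCHES = {
    "A": {"svi": {"vlan300": "1.1.2.3/24", "vlan500": "1.1.4.1/30"},
          "static": {"0.0.0.0/0": "1.1.4.2"}},        # default route to Switch B
    "B": {"svi": {"vlan100": "1.1.6.1/24", "vlan500": "1.1.4.2/30", "vlan600": "1.1.5.5/30"},
          "static": {"1.1.2.0/24": "1.1.4.1",         # Host A segment via Switch A
                     "1.1.3.0/24": "1.1.5.6"}},       # Host C segment via Switch C
    "C": {"svi": {"vlan600": "1.1.5.6/30", "vlan900": "1.1.3.1/24"},
          "static": {"0.0.0.0/0": "1.1.5.5"}},        # default route to Switch B
}


def lookup(switch, dst):
    """Longest-prefix match over direct and static routes: (kind, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    candidates = []
    for svi in switch["svi"].values():
        net = ipaddress.ip_interface(svi).network
        if dst in net:
            candidates.append((net.prefixlen, "direct", None))
    for prefix, hop in switch["static"].items():
        net = ipaddress.ip_network(prefix)
        if dst in net:
            candidates.append((net.prefixlen, "static", hop))
    if not candidates:
        return None
    _, kind, hop = max(candidates, key=lambda c: c[0])  # direct wins a tie (listed first)
    return kind, hop


def owner_of(address, switches):
    """Name of the switch whose VLAN interface carries this IP address."""
    for name, sw in switches.items():
        if any(str(ipaddress.ip_interface(s).ip) == address for s in sw["svi"].values()):
            return name
    return None


def path(start, dst, switches=SWITCHES, max_hops=8):
    """Hop-by-hop forwarding: list of switches crossed, or None if the message is dropped."""
    hops, current = [start], start
    while len(hops) <= max_hops:
        result = lookup(switches[current], dst)
        if result is None:
            return None              # no matching route
        kind, next_hop = result
        if kind == "direct":
            return hops              # destination is on a connected segment
        current = owner_of(next_hop, switches)
        if current is None:
            return None              # next hop is not a known neighbour
        hops.append(current)
    return None                      # routing loop


def reachable(src_switch, src_ip, dst_switch, dst_ip, switches=SWITCHES):
    """A ping succeeds only if the request and the reply both find a route."""
    return (path(src_switch, dst_ip, switches) is not None
            and path(dst_switch, src_ip, switches) is not None)


def without_route(name, prefix, switches=SWITCHES):
    """Copy of the plan with one static route deleted, to show the failure mode."""
    clone = copy.deepcopy(switches)
    del clone[name]["static"][prefix]
    return clone


if __name__ == "__main__":
    print("Host A -> Host C:", path("A", "1.1.3.2"))
    print("Host C -> Host A:", path("C", "1.1.2.2"))
    broken = without_route("B", "1.1.2.0/24")
    print("ping works without B's route back to Host A:",
          reachable("A", "1.1.2.2", "C", "1.1.3.2", broken))
```

The last case shows why Switch B needs a static route for each segment: without the route back to Host A's segment the request still reaches Host C, but the reply is dropped at Switch B.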

6.2 Management of ARP


6.2.1 Overview
ARP (Address Resolution Protocol) is a protocol that resolves IP addresses into Ethernet MAC
addresses (or physical addresses).

In a LAN, when a host or other network device has data to send to another host or device, it must know
the network layer address (IP address) of that host or device. However, IP address alone is not enough,
because IP data packets must be encapsulated into frames before they can be sent through the physical
network, so the sending station must also have the physical address of the receiving station, so a
mapping from IP address to physical address is required. ARP is the protocol that implements this
function.

ARP table


After the device parses the destination MAC address through ARP, it will add a mapping table item of IP
address to MAC address in its own ARP table for subsequent forwarding of messages to the same
destination.
ARP table items are divided into dynamic ARP table items and static ARP table items.

1. Dynamic ARP table entries


Dynamic ARP table entries are automatically generated and maintained by the ARP protocol through ARP
messages. They can be aged, updated by new ARP messages, and overwritten by static ARP table
entries. A dynamic ARP table entry is deleted when its aging time is reached or the port goes
down.

2. Static ARP table entries


Static ARP table entries are manually configured and maintained, so they are not aged and are not overwritten
by dynamic ARP table entries.

Configuring static ARP table entries increases the security of communication. With a static ARP table entry, the device
uses only the designated MAC address when communicating with the device at the designated IP address.
Attack messages then cannot modify the mapping between the IP address and the MAC
address in this table entry, which protects normal communication between the device and the
designated device.
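
The difference between the two entry types can be seen in a small model of an ARP table. The following Python code is an added example, not the device's implementation: the aging time of 1200 seconds, the interface name, and all addresses other than Router B's 192.168.1.1 and 00e0-fc01-0000 (taken from section 6.2.3) are constructed. It also records an alert whenever a received ARP message contradicts a static entry, which is the event a defender would want logged.

```python
import re
from dataclasses import dataclass


def normalize_mac(text):
    """Accept 00e0-fc01-0000, 00:e0:fc:01:00:00 or 00-E0-FC-01-00-00 notation."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


@dataclass
class Entry:
    mac: str
    interface: str
    kind: str              # "static" or "dynamic"
    expires: float = 0.0   # only meaningful for dynamic entries


class ArpTable:
    def __init__(self, aging=1200):   # aging time in seconds (constructed value)
        self.aging = aging
        self.entries = {}
        self.alerts = []              # (time, ip, configured MAC, claimed MAC, interface)

    def add_static(self, ip, mac, interface):
        # A static entry replaces whatever was learned dynamically for this IP.
        self.entries[ip] = Entry(normalize_mac(mac), interface, "static")

    def learn(self, ip, mac, interface, now):
        """Process the sender IP/MAC pair of a received ARP message."""
        mac = normalize_mac(mac)
        current = self.entries.get(ip)
        if current is not None and current.kind == "static":
            if current.mac != mac:
                self.alerts.append((now, ip, current.mac, mac, interface))
                return "rejected"     # static mapping is never overwritten
            return "unchanged"
        self.entries[ip] = Entry(mac, interface, "dynamic", now + self.aging)
        if current is None:
            return "learned"
        return "overwritten" if current.mac != mac else "refreshed"

    def age(self, now):
        """Delete dynamic entries whose aging time has been reached."""
        expired = [ip for ip, e in self.entries.items()
                   if e.kind == "dynamic" and e.expires <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def port_down(self, interface):
        """Delete dynamic entries learned on a port that went down."""
        gone = [ip for ip, e in self.entries.items()
                if e.kind == "dynamic" and e.interface == interface]
        for ip in gone:
            del self.entries[ip]
        return gone


def demo():
    table = ArpTable()
    table.add_static("192.168.1.1", "00e0-fc01-0000", "vlan100")   # Router B
    results = [
        table.learn("192.168.1.1", "00:11:22:33:44:55", "vlan100", now=10),   # conflicting claim
        table.learn("192.168.1.20", "00-11-22-33-44-66", "vlan100", now=10),  # ordinary host
        table.learn("192.168.1.20", "00:11:22:33:44:55", "vlan100", now=20),  # same IP, new MAC
    ]
    return results, table.entries["192.168.1.1"].mac, table.alerts


if __name__ == "__main__":
    print(demo())
```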

6.2.2 Configure ARP management

View ARP table entries


Select [route] -> [ARP] in the navigation bar and enter the ARP display page, as shown in figure 6-18.
ARP table item information can be found in "profile", and each parameter description is shown in table
6-2.

Figure 6-18 ARP table item information

Table 6-2 ARP table parameter description

Configuration items | Instructions
IP | Terminal IP address
The MAC address | Terminal MAC address
Interface | The name of the layer 3 port where the terminal resides
Type | ARP address type

Configure ARP table entries


(1) Select [route] -> [ARP] in the navigation bar and enter the ARP profile page. Click the [configuration]
tab to enter the ARP configuration page, as shown in figure 6-19.
(2) Click the "add" button to enter the static route creation page, as shown in figure 6-20;
(3) Configure the static route information, as shown in table 6-2;
(4) Click the "ok" button to complete the operation.

Figure 6-19 New static route page

Figure 6-20 New static route page

6.2.3 Examples of configuring ARP


1. Networking requirements

• Switch A connects to the host and connects to Router B via the interface eth0/10. Port eth0/10
belongs to VLAN 100.
• The IP address of Router B is 192.168.1.1/24, and the MAC address is 00e0-fc01-0000.
To increase the security of communication between Switch A and Router B, static ARP table entries can be
configured on Switch A.

Figure 6-21 Static ARP configuration networking diagram


2. Configuration steps

(1) Create VLAN 100.


Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the VLAN configuration page. In
the sub-page of VLAN, click [add] button to create VLAN100, as shown in figure 6-22.

Figure 6-22 new VLAN page

(2) VLAN mode of port 10 is access and VLAN 100.


Select [VLAN] from the sub-item of [switch] in the navigation bar to enter the VLAN configuration page. On
the interface page, select port eth0/10 and click the button [edit] to enter the configuration mode, as
shown in figure 6-23. In VLAN mode, select Access and PVID 100.

Figure 6-23 interface VLAN pattern

(3) Configure the interface IP address of VLAN 100


Select [VLAN interface] from the sub-item [route] in the navigation bar to enter the VLAN interface
configuration page, as shown in figure 6-24, and add the SVI address of VLAN100.


Figure 6-24 Static route VLAN interface configuration

(4) Configure Router B as static ARP


Select [route] -> [ARP] in the navigation bar and enter the ARP profile page. Click the [configuration] tab to
enter the ARP configuration page, as shown in figure 6-25, and add static ARP.

Figure 6-25 ARP configuration page


7 Diagnosis

7.1 Network tools


7.1.1 Overview
ping
Using the ping tool, users can check the availability of devices with specified IP addresses and test
for network connectivity failures. A successful ping proceeds as follows:
(1) The source device sends an ICMP ECHO-REQUEST message to the destination device.
(2) After receiving the request message, the destination device sends an ICMP ECHO-REPLY message
to the source device.
(3) After receiving the reply message, the source device displays the relevant statistical information.
The output information of ping can be divided into the following situations:
• The target of ping can be the IP address or host name of the destination device. If the
host name of the destination device is not recognized, a prompt message is printed on the
source device.
• If the source device does not receive the ICMP echo reply message from the destination
device within the timeout period, it outputs a prompt message and the statistics of the ping
process. If the source device receives the response message within the timeout period, it
outputs the number of bytes, message sequence number, TTL (Time to Live), response time and the
statistics of the ping process. The statistics of ping include the number of messages sent,
the number of messages received, the percentage of messages not responded to, and the minimum,
average and maximum response times.
Trace route
Using the trace route tool, users can view the layer 3 devices that messages pass through from the source
device to the destination device. When the network fails, users can use this command to locate the
failed network nodes. The execution process of trace route is as follows:
(1) The source device sends a message with a TTL of 1 to the destination device.
(2) The first hop (the first layer 3 device that the message reaches) responds with a TTL-timeout ICMP
message (which contains the IP address of the first hop), so the source device gets the address
of the first layer 3 device.
(3) The source device resends a message with a TTL of 2 to the destination device.
(4) The second hop responds with a TTL-timeout ICMP message, so the source device gets the
address of the second layer 3 device.
(5) The above process continues until the destination device is finally reached, and the source device
gets the addresses of all layer 3 devices that the message passes through on the way to the destination device.

The target of trace route can be the IP address or host name of the destination device. If the
host name of the destination device cannot be recognized, the source device outputs a prompt
message.


7.1.2 Ping and trace route operation


Ping operation
(1) Select [diagnosis] -> [network tools] in the navigation bar and enter the ping/trace route page, as
shown in figure 7-1. Enter the IP address in the ping operation IP address bar and click the ping button.

Figure 7-1 Ping operation page

(2) Check the results of ping operation in the information box below, as shown in figure 7-2.
Figure 7-2 Ping operation returns results

Trace the route operation


(1) Select [diagnosis] -> [network tools] in the navigation bar and enter the ping/trace route page, as
shown in figure 7-1. Enter the IP address in the ping operation IP address bar and click the ping button.

Figure 7-3 Trace route operation page

Figure 7-4 trace route operation returns the result


(2) Check the results of ping operation in the information box below, as shown in figure 7-2.


7.2 Dying Gasp


7.2.1 Overview
When the device loses power, the Dying Gasp function relies on the 10-20 ms of power supply
time provided by energy storage components such as capacitors inside the device to
send out power failure warning messages.
According to the definition in 802.3ah, when a power failure event occurs, the device sends an OAM
event message to the connected devices. Since OAM is a point-to-point protocol, the power failure event
message is not forwarded further after it reaches the next device that supports OAM. The device
that receives the power failure event outputs a power failure LOG message.
In addition to the OAM warning message, the device that loses power also sends a trap message to the
SNMP server.

Node information | Data
MIB file | DOT3-OAM-MIB.MIB
OID | 1.3.6.1.2.1.158.1.6.1.4
Value | Dying Gasp Event (257)

7.2.2 Configure Dying Gasp


Choose [diagnosis] -> [Dying Gasp] from the navigation bar and go to the Dying Gasp alarm page, as
shown in figure 7-5, and click the enable/disable button to turn the Dying Gasp function on or off.
This function is off by default.
Figure 7-5 Trace route operation returns the result

7.3 Fiber module information


Select [diagnosis] -> [fiber module information] in the navigation bar to enter the optical module information
monitoring page. As shown in figure 7-6, the digital diagnostic information of the optical module can be
queried.


Figure 7-6 digital diagnostic information of optical module

Click the “detail” button to query the supplier, serial number, production date and other basic information
of the optical module, as shown in figure 7-7.

Figure 7-7 Basic information of light module
