
Zyxel Switch Configuration Manual

Confidential : This document is intended for internal use of Tulip only.

Tulip Telecom Ltd., A 235, Okhla Phase I New Delhi 110 020

Document Title : Zyxel Switch Configuration Manual

Document Owner : Vriti Kulshrestha
Document Classification : Confidential

This is a confidential document of Tulip and reproduction, translation, transformation to any medium requires prior written approval of Tulip. This document includes confidential information related to Tulip and shall not be distributed to the persons other than those mentioned in the distribution list without the consent of the parties.

Document distribution List

Serial Number    Name          Purpose
1                SV Ramana     Review & Approve
2                Arun Singh    Review & Approve


CONTENTS

Configuring Hostname
How To Save configuration
Basic Configuration
    1. Administrator password configuration
    2. Enable password configuration
    3. Management IP address
    4. Speed-duplex setting
    5. Access and Trunk port configuration
Multiple Spanning Tree
Rate-limit
Storm-Control
IGMP Snooping
Tacacs+ Authentication
Port Security
MTU on Switch
Port Mirroring
BPDU Control
Password Recovery procedure


DEFAULT LOGIN

In-band IP Address        http://192.168.1.1
Out-of-band IP Address    http://192.168.0.1
User Name                 admin
Password                  1234

Configuring Host Name:

    ES-3124F(config)# hostname <name_string>    System name string
    ES-3124F(config)# hostname Zyxel
    Zyxel(config)#

Saving Your Configuration:


Zyxel(config)# write memory

Configuring Basic Parameters:


Changing the Administrator Password:
Syntax: admin-password <pw-string> <Confirm-string>
Example:
    Zyxel(config)# admin-password <pw-string>    New Password
    Zyxel(config)# admin-password tulip <confirm-string>    Retype to Confirm
    Zyxel(config)# admin-password tulip tulip

Changing the Enable Password:
Syntax: password <password>
Example:
    Zyxel(config)# password <password>    Password String
    Zyxel(config)# password tulip

Changing the Management IP Address:
The Switch has a different IP address in each VLAN. By default, the Switch has VLAN 1 with IP address 192.168.1.1 and subnet mask 255.255.255.0.


Syntax: ip address inband-default <ip> <mask>
Example:
    Zyxel(config)# vlan 1
    Zyxel(config-vlan)# ip address ?
      <ip-address>       IP Address
      default-gateway    Configre inband default gateway
      inband-default     In-band Default IP Setting
    Zyxel(config-vlan)# ip address inband-default 2.2.2.2 255.255.255.0
    Zyxel(config-vlan)# ip address default-gateway 2.2.2.1

Modifying port speed and duplex mode:
The ports auto-sense and auto-negotiate the speed and duplex mode of the connected device. You can manually enter the port speed to operate at either 10, 100, or 1000 Mbps.
Syntax: speed-duplex <value>
The default is auto (auto-negotiation).
Example:
    Zyxel(config)# interface port-channel 20
    Zyxel(config-interface)# speed-duplex <auto|10-half|10-full|100-half|100-full|1000-full>    Set Interface Speed duplex
    Zyxel(config-interface)# speed-duplex 100-full

Disabling or re-enabling a port:
A port can be made inactive (disabled) or active (enabled) by selecting the appropriate status option. The default value for a port is enabled. This is the same as the shutdown and no shutdown options on other switches.
Example:
    Zyxel(config)# interface port-channel 20
    Zyxel(config-interface)# inactive       //disable the port//
    Zyxel(config)# interface port-channel 20
    Zyxel(config-interface)# no inactive    //enable the port//

Configuring Access Port:


In this switch the access port means the untagged port. The ports are defined untagged under the particular VLANs which are to be allowed on that port.
Syntax: vlan <Vlan number> untagged <port number>
Example:
    Zyxel(config)# vlan
      vlan    vlan-stacking    vlan-type    vlan1q
    Zyxel(config)# vlan 20
    Zyxel(config-vlan)# untagged <port-list>    Untagged port list
    Zyxel(config-vlan)# untagged 20
    Zyxel(config-vlan)#

Configuring Trunk Port:


In this switch the trunk port means the tagged port. By default, all the ports are tagged for all the configured VLANs, so no specific command is required to make a trunk port.

Multiple Spanning Tree:


Configuring MSTP Mode:
With the introduction of MSTP, a system can be either under MSTP mode or not under MSTP mode. The default state is to not be under MSTP mode. To configure a system into MSTP mode, use the following command at the Global Configuration level.
Example:
    Zyxel(config)# spanning-tree mode <RSTP|MRSTP|MSTP>    spanning tree mode
    Zyxel(config)# spanning-tree mode MSTP

Setting the MSTP name:
Each switch that is running MSTP is configured with a name. For compatibility of MSTP with Cisco and Maipu you need to configure an identical MSTP name on all of them.
Syntax:
    mstp configuration-name <name>
        Sets a name for an MSTP region. name: 1-32 printable characters
Example:
    Zyxel(config)# mstp configuration-name <name>    Name string
    Zyxel(config)# mstp configuration-name TULIP_TEST

Setting the MSTP revision number:
Each switch that is running MSTP is configured with a revision number. For compatibility of MSTP with Cisco and Maipu you need to configure an identical number on all of them.
Syntax:
    mstp revision <0-65535>
        Sets the revision number for this MST Region configuration.
Example:
    Zyxel(config)# mstp revision 10

Configuring an MSTP instance:
An MSTP instance is configured with an MSTP ID for each region. Each region can contain one or more VLANs.
Syntax:
    mstp instance <0-16> vlan <vlan-list>
        Specifies the VLANs that belong to the instance.
    no mstp instance <0-16> vlan <1-4094>
        Disables the assignment of specific VLANs from an MST instance.
Example:
    Zyxel(config)# mstp instance 1 vlan 3,5,7

Configuring bridge priority:
Priority can be configured for a specified instance. You can set a priority to the instance that gives it forwarding preference over lower priority instances within a VLAN or on the switch.
Syntax: mstp instance <0-16> priority <0-61440>
Example:
    Zyxel(config)# mstp instance 1 priority 8192
Notes: Acceptable values are 0 - 61440 in increments of 4096.

Configuring Mstp on Ports:

Syntax: mstp instance <0-16> interface port-channel <port-list>
Example:
    Zyxel(config)# mstp instance 0 interface port-channel 1

Activating MSTP on a switch:
To enable MSTP on your switch, use the following at the Global Configuration level.
    Zyxel(config)# mstp       Activates MSTP on the Switch.
    Zyxel(config)# no mstp    Disables MSTP on the Switch.
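
Added example (not part of the original manual): a Python check that the MSTP name and revision are identical across switches and that each priority is a multiple of 4096 within 0-61440, as required above. It goes one step further and also compares the instance-to-VLAN mapping, which 802.1s likewise requires to match inside one region. The hostnames, the sample configs and the one-command-per-line input format are assumptions.

```python
import re

# Constructed sample configs (hostnames are hypothetical), commands as shown above.
CONFIGS = {
    "ZYXEL-A": "mstp configuration-name TULIP_TEST\nmstp revision 10\n"
               "mstp instance 1 vlan 3,5,7\nmstp instance 1 priority 8192\n",
    "ZYXEL-B": "mstp configuration-name TULIP_TEST\nmstp revision 10\n"
               "mstp instance 1 vlan 3,5\nmstp instance 1 priority 10000\n",
    "ZYXEL-C": "mstp configuration-name Tulip_Test\nmstp revision 10\n"
               "mstp instance 1 vlan 3,5,7\n",
}

def parse_mstp(config_text):
    """Collect MSTP region settings from commands in the form shown above."""
    r = {"name": None, "revision": None, "vlans": {}, "priority": {}}
    for line in map(str.strip, config_text.splitlines()):
        if m := re.fullmatch(r"mstp configuration-name (\S+)", line):
            r["name"] = m.group(1)
        elif m := re.fullmatch(r"mstp revision (\d+)", line):
            r["revision"] = int(m.group(1))
        elif m := re.fullmatch(r"mstp instance (\d+) vlan (\d+(?:,\d+)*)", line):
            vlans = {int(v) for v in m.group(2).split(",")}
            r["vlans"].setdefault(int(m.group(1)), set()).update(vlans)
        elif m := re.fullmatch(r"mstp instance (\d+) priority (\d+)", line):
            r["priority"][int(m.group(1))] = int(m.group(2))
    return r

def audit_mstp(configs):
    """configs: {switch: config text}. Returns a list of findings."""
    parsed = {sw: parse_mstp(text) for sw, text in configs.items()}
    if not parsed:
        return []
    findings = []
    for sw, r in parsed.items():
        if r["name"] is None or not 1 <= len(r["name"]) <= 32:
            findings.append(f"{sw}: configuration-name must be 1-32 characters")
        if r["revision"] is None or r["revision"] > 65535:
            findings.append(f"{sw}: revision must be set, range 0-65535")
        for inst, prio in sorted(r["priority"].items()):
            if prio > 61440 or prio % 4096:
                findings.append(f"{sw}: instance {inst} priority {prio} "
                                "is not a multiple of 4096 within 0-61440")
    # Every switch is compared with the first one; the region name is case-sensitive.
    ref_sw, ref = next(iter(parsed.items()))
    for sw, r in parsed.items():
        for field in ("name", "revision", "vlans"):
            if r[field] != ref[field]:
                findings.append(f"{sw}: {field} differs from {ref_sw}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_mstp(CONFIGS)))
```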

Port Based Rate-limit:


Two separate commands (bandwidth-limit cir and bandwidth-limit pir) are used to control the Committed Information Rate (CIR) and the Peak Information Rate (PIR) allowed on a port. The CIR and PIR should be set for all ports that use the same uplink bandwidth. If the CIR is reached, packets are sent at the rate up to the PIR. When network congestion occurs, packets through the ingress port exceeding the CIR will be marked for drop.

Ingress Rate-limit:
Syntax:
    bandwidth-control
        Enables bandwidth control on the Switch.
    interface port-channel <port-list>
        Enters subcommand mode for configuring the specified ports.
    bandwidth-limit cir
        Enables commit rate limits on the specified port(s).
    bandwidth-limit cir <rate>
        Sets the guaranteed bandwidth allowed for the incoming traffic flow on a port.

Example:
    Zyxel(config)# int port-channel 20
    Zyxel(config-interface)# bandwidth-limit
      cir       Set Interface Bandwidth limit
      egress    Set Interface Bandwidth limit
      pir       Set Interface Bandwidth limit
    Zyxel(config-interface)# bandwidth-limit cir
      <Kbps>    Set Interface Bandwidth limit
      <cr>      Set Interface Commit Bandwidth limit
    Zyxel(config-interface)# bandwidth-limit cir
    Zyxel(config-interface)# bandwidth-limit cir 64

Egress Rate-limit:
Syntax:
    bandwidth-control
        Enables bandwidth control on the Switch.
    interface port-channel <port-list>
        Enters subcommand mode for configuring the specified ports.
    bandwidth-limit egress
        Enables bandwidth limits for outgoing traffic on the port(s).
    bandwidth-limit egress <rate>
        Sets the maximum bandwidth allowed for outgoing traffic on the port(s).

Example:
    Zyxel(config)# int port-channel 20
    Zyxel(config-interface)# bandwidth-limit
      cir       Set Interface Bandwidth limit
      egress    Set Interface Bandwidth limit
      pir       Set Interface Bandwidth limit
    Zyxel(config-interface)# bandwidth-limit egress
    Zyxel(config-interface)# bandwidth-limit egress 64

Storm-Control:
Storm control prevents traffic on a LAN from being disrupted by a broadcast, a multicast, or a unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in the network configuration, or users issuing a denial-of-service attack can cause a storm. To enable any kind of storm control, you first have to enable it globally.
Syntax:
    storm-control
        Enables broadcast storm control on the Switch.
    no storm-control
        Disables broadcast storm control on the Switch.

Example:
    ZYXEL(config)# storm-control

Broadcast Storm-control:
Syntax:
    broadcast-limit
        Enables the broadcast packet limit on the specified port(s).
    broadcast-limit <pkt/s>
        Specifies the maximum number of broadcast packets the Switch accepts per second on the specified port(s).

Example:
    ZYXEL(config)# int port-channel 20
    ZYXEL(config-interface)# broadcast-limit
      <cr>
      <pkt/s>    Set Interface Broadcast Limit
    ZYXEL(config-interface)# broadcast-limit
    ZYXEL(config-interface)# broadcast-limit 100

Multicast Storm-Control:
Syntax:
    multicast-limit
        Enables the multicast packet limit on the specified port(s).
    multicast-limit <pkt/s>
        Specifies the maximum number of multicast packets the Switch accepts per second on the specified port(s).

Example:
    ZYXEL(config)# int port-channel 20
    ZYXEL(config-interface)# multicast-limit
      <cr>
      <pkt/s>    Set Interface Multicast Limit
    ZYXEL(config-interface)# multicast-limit
    ZYXEL(config-interface)# multicast-limit 100

Unknown Unicast Storm-Control:
Syntax:
    dlf-limit
        Enables the DLF packet limit on the specified port(s).
    dlf-limit <pkt/s>
        Specifies the maximum number of DLF packets the Switch accepts per second on the specified port(s).

Example:
    ZYXEL(config)# int port-channel 20
    ZYXEL(config-interface)# dlf-limit
      <cr>
      <pkt/s>    Set Interface DLF Limit
    ZYXEL(config-interface)# dlf-limit 100
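
Added example (not part of the original manual): a Python audit for the two dependencies described in this section, namely that storm control must be enabled globally and that each per-port limit needs both the bare enabling command and a pkt/s value. The sample config, the comma-separated port list and the `exit` line closing an interface block are assumptions.

```python
import re

STORM_CMDS = ("broadcast-limit", "multicast-limit", "dlf-limit")

# Constructed sample: commands as typed at the (config)# prompt, no global enable.
SAMPLE = """\
interface port-channel 20
broadcast-limit
broadcast-limit 100
multicast-limit 100
exit
interface port-channel 1,2
dlf-limit
dlf-limit 100
exit
"""

def audit_storm_control(config_text):
    """Return findings for a config built from the storm-control commands above."""
    global_on = False
    state = {}    # (port, command) -> {"enabled": bool, "rate": int or None}
    ports = []    # ports of the interface block currently being read
    for line in (raw.strip().lower() for raw in config_text.splitlines()):
        if m := re.fullmatch(r"int(?:erface)? port-channel ([\d,]+)", line):
            ports = [int(p) for p in m.group(1).split(",") if p]
        elif line == "exit":          # assumed end of an interface block
            ports = []
        elif line in ("storm-control", "no storm-control"):
            global_on = not line.startswith("no ")
        elif m := re.fullmatch(rf"({'|'.join(STORM_CMDS)})(?: (\d+))?", line):
            for port in ports:
                entry = state.setdefault((port, m.group(1)),
                                         {"enabled": False, "rate": None})
                if m.group(2) is None:
                    entry["enabled"] = True      # bare command enables the limit
                else:
                    entry["rate"] = int(m.group(2))
    findings = []
    if state and not global_on:
        findings.append("global: storm-control is not enabled")
    for (port, cmd), entry in sorted(state.items()):
        if entry["rate"] is not None and not entry["enabled"]:
            findings.append(f"port {port}: {cmd} {entry['rate']} set, limit not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_storm_control(SAMPLE)))
```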

IGMP Snooping
Syntax:
    igmp-snooping
        Enables IGMP snooping.
    no igmp-snooping
        Disables IGMP snooping.
    igmp-filtering
        Enables IGMP filtering on the Switch. Ports can only join multicast groups specified in their IGMP filtering profile.
    igmp-filtering profile <name> start-address <ip> end-address <ip>
        Sets the range of multicast address(es) in a profile.

Example:
    ZYXEL(config)# igmp-snooping
    ZYXEL(config)# igmp-filtering
      <cr>       Enable IGMP Filtering
      profile    Add new igmp filter profile
    ZYXEL(config)# igmp-filtering

Tacacs+ Authentication:
Step 1:
    aaa authentication enable <method1> [<method2> ...]
        Specifies which method should be used first, second, and third for checking privileges. method: enable, radius, or tacacs+.

Step 2:
    aaa authentication login
        Specifies which method should be used first, second, and third for the authentication of login accounts. method: local, radius, or tacacs+.

Step 3:
    tacacs-server host <index> <ip> [auth-port <socket-number>] [key <key-string>]
        Specifies the IP address of the specified TACACS+ server. Optionally, sets the port number and key of the TACACS+

Step 4:
    tacacs-server mode <index-priority|round-robin>
        Specifies the mode for TACACS+ server selection.

Step 5:
    tacacs-server timeout <1-1000>
        Specifies the TACACS+ server timeout value.

Example:
    ZYXEL(config)# aaa authentication enable tacacs+
    ZYXEL(config)# aaa authentication login tacacs+
    ZYXEL(config)# tacacs-server host 71.5.101.4 key cisco123

NTP Configuration:
Syntax:
    timesync server <ip>
        Sets the IP address of your time server. The Switch synchronizes with the time server in the following situations:
          When the Switch starts up.
          Every 24 hours after the Switch starts up.
          When the time server IP address or protocol is updated.
    timesync <daytime|time|ntp>
        Sets the time server protocol. You have to configure a time server before you can specify the protocol.
    no timesync
        Disables timeserver settings.

Example:
    ZYXEL(config)# timesync
      <daytime|time|ntp>    Time server setting
      server                Time server IP address setting
    ZYXEL(config)# timesync server
      <ip>    IP address setting
    ZYXEL(config)# timesync server 1.1.1.1

For the Time settings following options are available:
    ZYXEL(config)# time
      <Hour:Min:Sec>          Set time by Hour:Min:Sec
      date                    Date setting
      daylight-saving-time    Daylight saving time
      help                    Description of Time help
      timezone                Time zone(UTC) setting
    ZYXEL(config)# time 08/06/2010

Logging Commands:
Syntax:
    show logging
        Displays system logs.
    no logging
        Clears system logs.

Port Security


Use these commands to allow only packets with dynamically learned MAC addresses and/or configured static MAC addresses to pass through a port on the Switch. For maximum port security, enable port security, disable MAC address learning and configure static MAC address(es) for a port.
Syntax:
    port-security
        Enables port security on the Switch.
    no port-security
        Disables port security on the device.
    port-security <port-list>
        Enables port security on the specified port(s).
    port-security <port-list> learn inactive
        Disables MAC address learning on the specified port(s).
    port-security <port-list> address-limit <number>
        Limits the number of (dynamic) MAC addresses that may be learned on the specified port(s).

Example:
    ZYXEL(config)# port-security
      <cr>
      <port-list>    Port list of port security configuration
    ZYXEL(config)# port-security
    ZYXEL(config)# port-security 20
    ZYXEL(config)# port-security 20 address-limit
      <number>    number of learned MAC address
    ZYXEL(config)# port-security 20 address-limit 30
    ZYXEL(config)# port-security 20 learn inactive

Check the port security on port:
    ZYXEL# sh port-security
    Port Security Active : YES
    Port  Active  Address Learning  Limited Number of Learned MAC Address
    01    N       Y                 0
    02    N       Y                 0
    03    N       Y                 0
    04    N       Y                 0
    05    N       Y                 0
    06    N       Y                 0
    07    N       Y                 0
    08    N       Y                 0
    09    N       Y                 0
    10    N       Y                 0
    11    N       Y                 0
    12    N       Y                 0
    13    N       Y                 0
    14    N       Y                 0
    15    N       Y                 0
    16    N       Y                 0
    17    N       Y                 0
    18    N       Y                 0
    19    N       Y                 0
    20    Y       N                 30
    21    N       Y                 0
    22    N       Y                 0
    23    N       Y                 0
    24    N       Y                 0
    25    N       Y                 0
    26    N       Y                 0
    27    N       Y                 0
    28    N       Y                 0
    ZYXEL#

MTU On the Switch


By default, the switch supports Jumbo frames. You don't have to enable anything on port or switch.

Port Mirroring Commands


Syntax:
    mirror-port
        Enables port mirroring on the Switch.
    mirror-port <port-num>
        Specifies the monitor port (the port to which traffic flow is copied) for port mirroring.
    interface port-channel <port-list>
        Enters config-interface mode for the specified port(s).
    mirror
        Enables port mirroring in the interface.
    mirror dir <ingress|egress|both>
        Enables port mirroring for incoming (ingress), outgoing (egress) or both incoming and outgoing (both) traffic.

Example:
    ZYXEL(config)# mirror-port
    ZYXEL(config)# mirror-port 3
    ZYXEL(config)# interface port-channel 1
    ZYXEL(config-interface)# mirror
    Mirrored port 1 is monitor port now.
    ZYXEL(config-interface)# mirror dir both
    OR
    ZYXEL(config-interface)# mirror dir egress

BPDU Control
Syntax:
    bcp-transparency
        Activate BPDU control
    interface port-channel <port-list>
    bpdu-control <peer|tunnel|discard|network>
        Select Peer to process any BPDU (Bridge Protocol Data Units) received on this port.
        Select Tunnel to forward BPDUs received on this port.
        Select Discard to drop any BPDU received on this port.
        Select Network to process a BPDU with no VLAN tag and forward a tagged BPDU.

Example:
    ES-3124# config
    ES-3124(config)# bcp-transparency
    ES-3124(config)# interface port-channel 20
    ES-3124(config-interface)# bpdu-control ?
      <peer|tunnel|discard|network>
    ES-3124(config-interface)# bpdu-control discard

Password Recovery Of the Switch


If the password of the switch is not known, the following procedure can be used to recover it.

Step 1: Connect the Switch to a PC through the console port.

Step 2: Reboot the switch and keep pressing the Enter key until the switch reaches the default mode.


Step 3: Change the baud rate of the switch to 115200 so that the file transfer is quick. Command: atba5

Step 4: Save the ROM file to the computer. Type the command atlc to transfer the .ROM file from the computer to the switch through Xmodem.
a) First type the command atlc on the switch.
b) Then transfer the file 380AIV1C0.ROM. This will bring the switch to default configuration.

Step 5: Once the changes are done reboot the switch and the baud rate will automatically reset to 9600. Command: atgo


Now the switch is on default configuration.

Notes:
The .ROM file is available on the FTP; please download it before starting the recovery procedure. With this method the old configuration will be lost. I have already asked ZYXEL to provide a workaround for this; once they reply I will update.
