Software Administration Manual

Chapter 1 Introduction and Documentation

This software administration manual is for the AV Line of Fully Managed Switches M4250 Series and covers all M4250 switch models. The manual provides selected configuration examples for the main local browser user interface (main UI) and the command-line interface (CLI).

Available Publications

You can download the following guides and manuals for the AV Line of Fully Managed Switches M4250 Series by visiting netgear.com/support/download/:

• Installation Guide
• Hardware Installation Guide
• Main User Manual
• Audio Video User Manual
• Software Administration Manual (this manual)
• CLI Command Reference Manual

Interface Naming Conventions

The switch supports physical and logical interfaces. Interfaces are identified by their type and the interface number. The physical ports are Gigabit Ethernet or multispeed 10G Ethernet interfaces and are numbered on the front panel. The logical interfaces are configured.

The following table describes the naming convention for all interfaces available on the switch.

IMPORTANT: Most examples in this manual show the 1/0/x interface designation, in which x is the interface number. However, the M4250 series switch uses the 0/x designation, in which x is the interface number.

Chapter 2 VLANs

Virtual LANs

VLAN Concepts

Adding virtual LAN (VLAN) support to a Layer 2 switch offers benefits of both bridging and routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast. Like a router, it partitions the network into logical segments, providing better administration, security, and management of multicast traffic.

A VLAN is a set of end stations and the switch ports that connect them. The logical division can be based on department or project membership. The only physical requirement is that the end station and the port to which it is connected both belong to the same VLAN.

Each VLAN has an associated VLAN ID, which appears in the IEEE 802.1Q tag in the Layer 2 header of packets transmitted on a VLAN. An end station might omit the tag, or the VLAN portion of the tag. In such cases, the first switch port to receive the packet can either reject it or insert a tag using its default VLAN ID. A given port can handle traffic for more than one VLAN, but it can support only one default VLAN ID.

The Private Edge VLAN feature allows protection between ports on the same switch. A protected port cannot forward traffic to another protected port on the same switch. This feature does not provide protection between ports on different switches.

Diagram Description: A switch with four ports configured to handle traffic for two VLANs. Port 1/0/2 handles traffic for both VLANs, port 1/0/1 is a member of VLAN 2 only, and ports 1/0/3 and 1/0/4 are members of VLAN 3 only.

The following examples demonstrate how to create VLANs, assign ports to VLANs, and assign a VLAN as the default VLAN to a port.

Auto-Trunk

Auto-trunk is a feature that lets the switch automatically enable Trunk mode on capable physical links and LAG interfaces between partner devices. A trunk can carry all active VLANs. By default, the Auto-Trunk feature is enabled on the switch.

If the switch automatically configures a port as a trunk (an Auto-Trunk), all VLANs on the switch become part of the trunk, allowing automatic configuration of all VLANs on the switch and the partner device. Before configuring an Auto-Trunk, the switch detects physical links with a partner device that also supports Auto-Trunk, then automatically configures the connected and capable ports at both ends.

A trunk carries multiple VLANs and accepts both tagged and untagged packets. Typically, a connection between the switch and a partner device like a router, access point, or another switch functions as a trunk.

For an Auto-Trunk to form, the following are required:

• The Auto-Trunk feature must be supported and globally enabled on both the switch and the partner device. (On all M4250 switch models, Auto-Trunk is enabled by default.)
• Interconnected ports on both devices must be enabled. (On all M4250 switch models, all ports are enabled by default.)
• The PVID on the interconnected ports must be set to the management VLAN. (On all M4250 switch models, the management VLAN is VLAN 1 by default.)
• LLDP must be enabled on the interconnected ports on both devices. (On all M4250 switch models, LLDP is enabled by default on all ports.)
• Interconnected ports must be in the default switch port mode (General mode). If ports are in Access or Trunk mode, an Auto-Trunk cannot form on an Auto-LAG.

For an Auto-Trunk, the PVID is automatically set to the management VLAN. To change the PVID for an Auto-Trunk, change the management VLAN.

The Auto-Trunk feature works with the Auto-LAG feature. After an Auto-LAG is formed, the switch automatically applies trunk mode (Auto-Trunk) to the LAG at both ends. This means the mode for ports participating in an Auto-LAG changes from default switch port mode to trunk port mode, and the Auto-LAG becomes an Auto-Trunk.

CLI: Enable the Auto-Trunk Feature

By default, the Auto-LAG feature is enabled. If disabled, it can be re-enabled.

(Netgear Switch)#config
(Netgear Switch)(Config)#switchport mode auto
(Netgear Switch)(Config)#exit
(Netgear Switch)#

Main UI: Enable the Auto-Trunk Feature

By default, the Auto-Trunk feature is enabled. If disabled, it can be re-enabled.

1. Select Switching > VLAN > Advanced > VLAN Trunking Configuration.
2. Select the Admin Mode Enable radio button. By default, the Auto-Trunk feature is globally enabled.
3. Click Apply to save the settings.

Create Two VLANs

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Create Two VLANs

Use the following commands to create two VLANs and assign VLAN IDs, leaving names blank.

(Netgear Switch) #vlan database
(Netgear Switch) (Vlan)#vlan 2
(Netgear Switch) (Vlan)#vlan 3
(Netgear Switch) (Vlan)#exit

Main UI: Create Two VLANs

1. Create VLAN 2:
   1. Select Switching > VLAN > Basic > VLAN Configuration.
   2. Enter the following information:
      
      • VLAN ID: 2
      • VLAN Name: VLAN2
      • VLAN Type: Static
   3. Click Add.
2. Create VLAN 3:
   1. Select Switching > VLAN > Basic > VLAN Configuration.
   2. Enter the following information:
      
      • VLAN ID: 3
      • VLAN Name: VLAN3
      • VLAN Type: Static
   3. Click Add.

Assign Ports to VLAN 2

This sequence shows how to assign ports to VLAN 2, specifying that frames will always be transmitted tagged from member ports and untagged frames will be rejected.

CLI: Assign Ports to VLAN 2

(Netgear Switch) #config
(Netgear Switch) (Config)#interface range 1/0/1-1/0/2
(Netgear Switch) (conf-if-range-1/0/1-1/0/2)#vlan participation include 2
(Netgear Switch) (conf-if-range-1/0/1-1/0/2)#vlan acceptframe vlanonly
(Netgear Switch) (conf-if-range-1/0/1-1/0/2)#vlan pvid 2
(Netgear Switch) (conf-if-range-1/0/1-1/0/2)#exit
(Netgear Switch) (Config)#vlan port tagging all 2
(Netgear Switch) (Config)#

Main UI: Assign Ports to VLAN 2

1. Assign ports to VLAN 2:
   1. Select Switching > VLAN > Advanced > VLAN Membership.
   2. In the VLAN ID list, select 2.
   3. Click Unit 1. The ports display.
   4. Click the gray boxes under ports 1 and 2 until T displays. (T specifies egress packet tagging.)
   5. Click Apply.
2. Specify tagged frame acceptance on ports 1/0/1 and 1/0/2:
   1. Select Switching > VLAN > Advanced > Port PVID Configuration.
   2. Under PVID Configuration, select the checkboxes for Interface 1/0/1 and Interface 1/0/2.
   3. Enter the following:
      
      • Acceptable Frame Type: VLAN Only
      • PVID (1 to 4093): 2
   4. Click Apply.

Create Three VLANs

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Create Three VLANs

Use the following commands to create three VLANs and assign VLAN IDs, leaving names blank.

(Netgear Switch) #vlan database
(Netgear Switch) (Vlan)#vlan 100
(Netgear Switch) (Vlan)#vlan 101
(Netgear Switch) (Vlan)#vlan 102
(Netgear Switch) (Vlan)#exit

Main UI: Create Three VLANs

1. Create VLAN 100: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 100, VLAN Name VLAN100, select Static type, and click Add.
2. Create VLAN 101: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 101, VLAN Name VLAN101, select Static type, and click Add.
3. Create VLAN 102: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 102, VLAN Name VLAN102, select Static type, and click Add.

Assign Ports to VLAN 3

This example shows how to assign ports belonging to VLAN 3, specifying that untagged frames will be accepted on port 1/0/4. Port 1/0/2 belongs to both VLANs, and port 1/0/1 cannot belong to VLAN 3.

CLI: Assign Ports to VLAN 3

(Netgear Switch) (Config)#interface range 1/0/2-1/0/4
(Netgear Switch) (conf-if-range-1/0/2-1/0/4)#vlan participation include 3
(Netgear Switch) (conf-if-range-1/0/2-1/0/4)#exit
(Netgear Switch) (Config)#interface 1/0/4
(Netgear Switch) (Interface 1/0/4)#vlan acceptframe all
(Netgear Switch) (Interface 1/0/4)#exit
(Netgear Switch) (Config)#exit

Main UI: Assign Ports to VLAN 3

1. Assign ports to VLAN 3:
   1. Select Switching > VLAN > Advanced > VLAN Membership.
   2. In the VLAN ID list, select 3.
   3. Click Unit 1. The ports display.
   4. Click the gray box before Unit 1 until U displays.
   5. Click Apply.
2. Specify untagged frame acceptance on port 1/0/4:
   1. Select Switching > VLAN > Advanced > Port PVID Configuration.
   2. Select the Interface 1/0/4 checkbox.
   3. In the Acceptable Frame Types list, select Admit All.
   4. Click Apply.

Assign VLAN 3 as the Default VLAN for Port 1/0/2

This example shows how to assign VLAN 3 as the default VLAN for port 1/0/2.

CLI: Assign VLAN 3 as the Default VLAN for Port 1/0/2

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/2
(Netgear Switch) (Interface 1/0/2)#vlan pvid 3
(Netgear Switch) (Interface 1/0/2)#exit
(Netgear Switch) (Config)#exit

Main UI: Assign VLAN 3 as the Default VLAN for Port 1/0/2

1. Select Switching > VLAN > Advanced > Port PVID Configuration.
2. Select the Interface 1/0/2 checkbox.
3. In the PVID (1 to 4093) field, enter 3.
4. Click Apply.

Create a MAC-Based VLAN

The MAC-based VLAN feature allows incoming untagged packets to be assigned to a VLAN and classifies traffic based on the source MAC address. You define a MAC to VLAN mapping by configuring an entry in the MAC to VLAN table using a source MAC address and VLAN ID. These configurations are shared system-wide. When untagged or priority-tagged packets arrive and entries exist in the MAC to VLAN table, the source MAC address is looked up. If an entry is found, the corresponding VLAN ID is assigned. If the packet is already priority-tagged, it retains that value; otherwise, priority is set to 0. The assigned VLAN ID is verified against the VLAN table; if valid, ingress processing continues; otherwise, the packet is dropped. This implies that a MAC address can be mapped to a VLAN that has not been created.

CLI: Create a MAC-Based VLAN

1. Create VLAN 3:

   (Netgear Switch)#vlan database
   (Netgear Switch)(Vlan)#vlan 3
   (Netgear Switch)(Vlan)#exit

2. Add port 1/0/23 to VLAN 3:

   (Netgear Switch)#config
   (Netgear Switch)(Config)#interface 1/0/23
   (Netgear Switch)(Interface 1/0/23)#vlan participation include 3
   (Netgear Switch)(Interface 1/0/23)#vlan pvid 3
   (Netgear Switch)(Interface 1/0/23)#exit

3. Map MAC 00:00:0A:00:00:02 to VLAN 3:

   (Netgear Switch)(Config)#exit
   (Netgear Switch)#vlan data
   (Netgear Switch)(Vlan)#vlan association mac 00:00:00A:00:00:02 3
   (Netgear Switch)(Vlan)#exit

4. Add all ports to VLAN 3:

   (Netgear Switch)#config
   (Netgear Switch)(Config)#interface range 1/0/1-1/0/28
   (Netgear Switch)(conf-if-range-1/0/1-1/0/28)#vlan participation include 3
   (Netgear Switch)(conf-if-range-1/0/1-1/0/28)#exit
   (Netgear Switch)(Config)#exit

Main UI: Assign a MAC-Based VLAN

1. Create VLAN 3: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 3, VLAN Name VLAN3, select Static type, and click Add.
2. Assign ports to VLAN 3: Select Switching > VLAN > Advanced > VLAN Membership, select VLAN ID 3, click Unit 1, click the gray box before Unit 1 until U displays, and click Apply.
3. Assign PVID 3 to port 1/0/23: Select Switching > VLAN > Advanced > Port PVID Configuration, select the 1/0/23 checkbox, enter 3 in the PVID field, and click Apply.
4. Map the specific MAC to VLAN 3: Select Switching > VLAN > Advanced > MAC based VLAN, enter MAC Address 00:00:0A:00:00:02 and PVID 3, and click Add.

Create a Protocol-Based VLAN

Create two protocol VLAN groups: one for IPX and one for IP/ARP. Untagged IPX packets are assigned to VLAN 4, and untagged IP/ARP packets are assigned to VLAN 5.

CLI: Create a Protocol-Based VLAN

1. Create VLAN protocol group vlan_ipx based on IPX protocol:

   (Netgear Switch)#config
   (Netgear Switch)(Config)#vlan protocol group 1
   (Netgear Switch)(Config)#vlan protocol group name 1 "vlan_ipx"
   (Netgear Switch)(Config)#vlan protocol group add protocol 1 ethertype ipx

2. Create VLAN protocol group vlan_ip based on IP/ARP protocol:

   (Netgear Switch)(Config)#vlan protocol group 2
   (Netgear Switch)(Config)#vlan protocol group name 2 "vlan_ip"
   (Netgear Switch)(Config)#vlan protocol group add protocol 2 ethertype ip
   (Netgear Switch)(Config)#vlan protocol group add protocol 2 ethertype arp

3. Assign VLAN protocol group 1 to VLAN 4:

   (Netgear Switch)(Config)#exit
   (Netgear Switch)#vlan database
   (Netgear Switch)(Vlan)#vlan 4
   (Netgear Switch)(Vlan)#vlan 5
   (Netgear Switch)(Vlan)#protocol group 1 4

4. Assign VLAN protocol group 2 to VLAN 5:

   (Netgear Switch)(Vlan)#protocol group 2 5

5. Enable protocol VLAN group 1 and 2 on the interface:

   (Netgear Switch)(Vlan)#exit
   (Netgear Switch)#config
   (Netgear Switch)(Config)#interface 1/0/11
   (Netgear Switch)(Interface 1/0/11)#protocol vlan group 1
   (Netgear Switch)(Interface 1/0/11)#protocol vlan group 2
   (Netgear Switch)(Interface 1/0/11)#exit

Main UI: Create a Protocol-Based VLAN

1. Create VLAN 4 and VLAN 5:
   • Create VLAN 4: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 4, VLAN Name VLAN4, select Static type, and click Add.
   • Create VLAN 5: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 5, VLAN Name VLAN5, select Static type, and click Add.
2. Create the protocol-based VLAN group vlan_ipx: Select Switching > VLAN > Advanced > Protocol Based VLAN Group Configuration, enter Group ID 1, Group Name vlan_ipx, Protocol ipx, and VLAN ID 4, then click Add.
3. Create the protocol-based VLAN group vlan_ip: Select Switching > VLAN > Advanced > Protocol Based VLAN Group Configuration, enter Group ID 2, Group Name vlan_ip, Protocol IP and ARP, and VLAN 5, then click Add.
4. Add port 11 to the group vlan_ipx: Select Switching > VLAN > Advanced > Protocol Based VLAN Group Membership, select Group ID 1, click the gray box under port 11, and click Apply.
5. Add port 11 to the group vlan_ip: Select Switching > VLAN > Advanced > Protocol Based VLAN Group Membership, select Group ID 2, click the gray box under port 11, and click Apply.

Virtual VLANs: Create an IP Subnet-Based VLAN

In an IP subnet-based VLAN, all end workstations in an IP subnet are assigned to the same VLAN. Users can move their workstations without reconfiguring network addresses. IP subnet VLANs are based on Layer 3 information from packet headers. The switch uses the network-layer address (e.g., subnet address for TCP/IP networks) to determine VLAN membership. If a packet is untagged or priority-tagged, the switch associates it with any matching IP subnet classification. If no IP subnet classification matches, the packet follows normal VLAN classification rules. This capability does not imply routing; appropriate 802.1Q VLAN configuration is necessary for the packet to be switched.

Diagram Description: Illustrates an IP subnet-based VLAN, showing a switch connecting PCs within the 10.100.5.x subnet to VLAN 2000.

CLI: Create an IP Subnet-Based VLAN

1. Create an IP subnet-based VLAN 2000:

   (Netgear Switch) #vlan database
   (Netgear Switch) (Vlan)#vlan 2000
   (Netgear Switch) (Vlan)#vlan association subnet 10.100.0.0 255.255.0.0 2000
   (Netgear Switch) (Vlan)#exit

2. Assign all ports to VLAN 2000:

   (Netgear Switch) #config
   (Netgear Switch) (Config)#interface range 1/0/1-1/0/24
   (Netgear Switch) (conf-if-range-1/0/1-1/0/24)# vlan participation include 2000
   (Netgear Switch) (conf-if-range-1/0/1-1/0/24)#exit
   (Netgear Switch) (Config)#

Main UI: Create an IP Subnet-Based VLAN

1. Create VLAN 2000: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 2000, select Static type, and click Add.
2. Assign all ports to VLAN 2000: Select Switching > VLAN > Advanced > VLAN Membership, select VLAN ID 2000, click Unit 1, click the gray box before Unit 1 until U displays, and click Apply.
3. Associate the IP subnet with VLAN 2000: Select Switching > VLAN > Advanced > IP Subnet Based VLAN, enter IP Address 10.100.0.0, Subnet Mask 255.255.0.0, and VLAN 2000, then click Add.

Voice VLANs

The voice VLAN feature enables switch ports to carry voice traffic with defined priority, separating voice and data traffic. This ensures sound quality of an IP phone is not degraded by high data traffic. VLAN isolation also ensures inter-VLAN traffic is managed and clients cannot initiate direct attacks on voice components.

The switch can be configured to support voice VLAN on a port connecting to a VoIP phone. When a VLAN is associated with the voice VLAN port, the VLAN ID info is passed to the VoIP phone using LLDP-MED. Voice data from the VoIP phone is tagged with the exchanged VLAN ID; regular data receives the port's default PVID, and voice traffic is received on a predefined VLAN. This segregates traffic for better voice service.

When a dot1p priority is associated with the voice VLAN port instead of VLAN ID, priority info is passed to the VoIP phone via LLDP-MED. Voice data is tagged with VLAN 0 and the exchanged priority. Regular data receives the port's default priority (0), and voice traffic receives higher priority. This segregates traffic for better voice service.

The switch can override data traffic CoS. This feature allows overriding the 802.1P priority of data traffic packets on ports enabled for voice VLAN, preventing rogue clients from degrading voice traffic.

The table below describes PVID and tagging handling by a voice VLAN in four modes.

Note: For Voice VLAN feature, CoS override can be enabled for 8 ports only.

Voice VLAN Interoperation with Auto-VoIP

This section describes a situation where both voice VLAN and Auto-VoIP are enabled on a port.

A voice VLAN configures the ingress port as tagged (in VLAN-ID mode) only if the switch can exchange LLDP-MED packets with the VoIP device. If the VoIP device is not LLDP-capable or LLDP is disabled on the switch port, the voice VLAN does not tag the ingress port. The voice VLAN does not function if LLDP-MED exchange does not occur.

Auto-VoIP requires a configured VLAN (Auto-VoIP VLAN). Enabling Auto-VoIP on a port automatically adds that port as an untagged member of the Auto-VoIP VLAN, as the switch expects untagged voice packets. The egress port must also be configured as a member of the VLAN (untagged is acceptable). The switch forwards all untagged voice traffic from the VoIP device through the egress port as tagged packets with the Auto-VoIP VLAN (even if the Auto-VoIP VLAN is untagged on the port) and with VLAN priority set to 7, enabling the next hop to prioritize the traffic.

Diagram Description: Illustrates egress packets from a VoIP device to a switch port, showing VLAN tagging and priority.

If a port is configured for both voice VLAN and Auto-VoIP with the same VLAN ID, and LLDP-MED functions, the voice VLAN takes precedence over Auto-VoIP. In this scenario, the VoIP device sends tagged VoIP packets to the switch.

If a data VLAN is needed, it must be configured separately, as voice VLAN and Auto-VoIP do not automatically create a data VLAN.

Using a separate data VLAN, the voice VLAN supports segregation and separation of voice traffic from data traffic. The priority in the VLAN header of tagged VoIP traffic depends on the VoIP device.

Diagram Description: Illustrates ingress packets from a VoIP device to a switch port, showing VLAN ID 10 and priority 5.

The CoS override aspect of the voice VLAN (using the vlan priority command) can lower the dot1p priority of the ingress port, assigning lower CoS queues to untagged data traffic.

The egress port must be configured with the voice VLAN as a member (untagged is acceptable) to forward traffic with the voice VLAN tag and the same priority as the incoming packet (priority 5 in this case). This allows the next hop to prioritize VoIP traffic.

Note: For more information about voice VLANs, see Auto VoIP on page 222.

Diagram Description: Shows a Voice VLAN setup with a PBX, VoIP phones, and PCs connected to a switch. Voice traffic and data traffic are shown separately.

CLI: Configure Voice VLAN and Prioritize Voice Traffic

1. Create VLAN 10:

   (Netgear Switch) #vlan database
   (Netgear Switch) (Vlan)#vlan 10
   (Netgear Switch) (Vlan)#exit

2. Include ports 1/0/1 and 1/0/2 in VLAN 10:

   (Netgear Switch) (Config)#interface range 1/0/1-1/0/2
   (Netgear Switch) (conf-if-range-1/0/1-1/0/2)#vlan participation include 10
   (Netgear Switch) (conf-if-range-1/0/1-1/0/2)#vlan tagging 10
   (Netgear Switch) (conf-if-range-1/0/1-1/0/2)#exit

3. Configure Voice VLAN globally:

   (Netgear Switch) (Config)# voice vlan

4. Configure Voice VLAN mode in interface 1/0/2:

   (Netgear Switch) (Config)#interface 1/0/2
   (Netgear Switch) (Interface 1/0/2)#voice vlan 10
   (Netgear Switch) (Interface 1/0/2)#exit

5. Optional: Assign packets with VLAN ID 10 to a high priority queue:
   1. Create DiffServ class ClassVoiceVLAN: Select QoS > Advanced > DiffServ > Class Configuration, enter Class Name ClassVoiceVLAN, Class Type All, and click Add.
   2. Configure matching criteria for the class as VLAN 10: Select QoS > DiffServ > Advanced > Class Configuration, click the ClassVoiceVLAN class, select VLAN, enter VLAN ID 10, and click Apply.
   3. Create DiffServ policy PolicyVoiceVLAN: Select QoS > DiffServ > Advanced > Policy Configuration, enter Policy Name PolicyVoiceVLAN, Policy Type In, Member Class ClassVoiceVLAN, and click Add.
   4. Map policy and class, assign to higher-priority queue: Select QoS > DiffServ > Advanced > Policy Configuration, click the PolicyVoiceVLAN policy, select the Assign Queue radio button, enter 3, and click Apply.
   5. Assign to interfaces 1/0/1 and 1/0/2: Select QoS > DiffServ > Advanced > Service Interface Configuration, select Interfaces 1/0/1 and 1/0/2, set Policy Name to PolicyVoiceVLAN, and click Apply.

Main UI: Configure Voice VLAN and Prioritize Voice Traffic

1. Create VLAN 10: Select Switching > VLAN > Basic > VLAN Configuration, enter VLAN ID 10, VLAN Name Voice VLAN, and click Add.
2. Include ports 1/0/1 and 1/0/2 in VLAN 10: Select Switching > VLAN > Advanced > VLAN Membership, select VLAN ID 10, select Ports 1 and 2 as tagged, and click Apply.
3. Configure Voice VLAN globally: Select Switching > VLAN > Advanced > Voice VLAN Configuration, enable Admin Mode, and click Apply.
4. Configure Voice VLAN mode in interface 1/0/2: Select Switching > VLAN > Advanced > Voice VLAN Configuration, select Interface 1/0/2, set Interface Mode to VLAN ID, enter 10 in the Value field, and click Apply.
5. Optional: Assign packets with VLAN ID 10 to a high priority queue:
   1. Create DiffServ class ClassVoiceVLAN: Select QoS > Advanced > DiffServ > Class Configuration, enter Class Name ClassVoiceVLAN, Class Type All, and click Add.
   2. Configure matching criteria for the class as VLAN 10: Select QoS > DiffServ > Advanced > Class Configuration, click the ClassVoiceVLAN class, select VLAN, enter VLAN ID 10, and click Apply.
   3. Create DiffServ policy PolicyVoiceVLAN: Select QoS > DiffServ > Advanced > Policy Configuration, enter Policy Name PolicyVoiceVLAN, Policy Type In, Member Class ClassVoiceVLAN, and click Add.
   4. Map policy and class, assign to higher-priority queue: Select QoS > DiffServ > Advanced > Policy Configuration, click the PolicyVoiceVLAN policy, select the Assign Queue radio button, enter 3, and click Apply.
   5. Assign to interfaces 1/0/1 and 1/0/2: Select QoS > DiffServ > Advanced > Service Interface Configuration, select Interfaces 1/0/1 and 1/0/2, set Policy Name to PolicyVoiceVLAN, and click Apply.

Configure GARP VLAN Registration Protocol

Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) provides IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q-tagged ports. With GVRP, a switch can exchange VLAN configuration information with other GVRP switches, prune unnecessary broadcast and unknown unicast traffic, and create and manage VLANs dynamically on switches connected via 802.1Q-tagged ports.

Diagram Description: Illustrates GVRP configuration between two switches, Switch A and Switch B, connected via tagged ports.

CLI: Enable GVRP

1. On Switch A, create VLANs 1000, 2000, and 3000, and add port 1/0/24 as a tagged port to these VLANs:

   (Netgear Switch) #vlan database
   (Netgear Switch) (Vlan)#vlan 1000,2000,3000
   (Netgear Switch) (Vlan)#exit
   (Netgear Switch) #config
   (Netgear Switch) (Config)#interface 1/0/24
   (Netgear Switch) (Interface 1/0/24)#vlan participation include 1000
   (Netgear Switch) (Interface 1/0/24)#vlan participation include 2000
   (Netgear Switch) (Interface 1/0/24)#vlan participation include 3000
   (Netgear Switch) (Interface 1/0/24)#vlan tagging 1000,2000,3000

2. On Switch A, enable GVRP:

   (Netgear Switch) #set gvrp adminmode
   (Netgear Switch) #config
   (Netgear Switch) (Config)#interface 1/0/24
   (Netgear Switch) (Interface 1/0/24)#set gvrp interfacemode

3. On Switch B, enable GVRP:

   (Netgear Switch) #set gvrp adminmode
   (Netgear Switch) #config
   (Netgear Switch) (Config)#interface 1/0/11
   (Netgear Switch) (Interface 1/0/11)#set gvrp interfacemode

4. On Switch B, verify VLAN creation:

   (Netgear Switch) #show vlan
   Maximum VLAN Entries........................... 1024
   VLAN Entries Currently in Use.................. 5
   
   VLAN ID VLAN Name                               VLAN Type
   ------- -------------------------------- -------------------
   1       default                           Default
   2       Auto VoIP                         AUTO VoIP
   1000    Dynamic (GVRP)
   2000    Dynamic (GVRP)
   3000    Dynamic (GVRP)
   
   (Netgear Switch) #show vlan 1000
   VLAN ID: 1000
   VLAN Name:
   VLAN Type: Dynamic (GVRP)
   
   Interface Current Configured Tagging
   ---------- -------- ----------- --------
   1/0/1      Exclude Autodetect Untagged
   1/0/2      Exclude Autodetect Untagged
   ...
   1/0/11     Include Autodetect Tagged
   ...

Main UI: Configure GVRP on switch A

1. On Switch A, create VLANs 1000, 2000, and 3000:
   • Select Switching > VLAN > Advanced > VLAN Configuration.
   • Enter VLAN ID 1000, click Add. Repeat for VLANs 2000 and 3000.
2. Add port 1/0/24 as a tagged port to VLANs 1000, 2000, and 3000:
   • Select Switching > VLAN > Advanced > VLAN Membership.
   • From the VLAN ID menu, select 1000.
   • Click Unit 1. The ports display.
   • Click the gray box under port 24 until T displays.
   • Click Apply.
3. Enable GVRP globally: Select Switching > VLAN > Advanced > GARP Switch Configuration, enable GVRP Mode, and click Apply.
4. Enable GVRP on port 1/0/24: Select Switching > VLAN > Advanced > GARP Port Configuration, select the checkbox for interface 1/0/24, set Port GVRP Mode to Enable, and click Apply.

Main UI: Configure GVRP on Switch B

1. Enable GVRP globally: Select Switching > VLAN > Advanced > GARP Switch Configuration, enable GVRP Mode, and click Apply.
2. Enable GVRP on port 1/0/11: Select Switching > VLAN > Advanced > GARP Port Configuration, select the checkbox for interface 1/0/11, set Port GVRP Mode to Enable, and click Apply.

Private VLANs

The Private VLANs feature separates a regular VLAN domain into two or more subdomains, defined by a primary VLAN and secondary VLANs. The primary VLAN ID is the same for all subdomains within a private VLAN. Secondary VLAN IDs differentiate subdomains and provide Layer 2 isolation between ports of the same private VLAN.

There are three types of VLAN within a private VLAN:

• Primary VLAN: Forwards traffic from promiscuous ports to isolated ports, community ports, and other promiscuous ports in the same private VLAN. Only one primary VLAN can be configured per private VLAN. All ports within a private VLAN share the same primary VLAN.
• Community VLAN: A secondary VLAN that forwards traffic between ports belonging to the same community and to promiscuous ports. Multiple community VLANs can exist per private VLAN.
• Isolated VLAN: A secondary VLAN that carries traffic from isolated ports to promiscuous ports. Only one isolated VLAN can be configured per private VLAN.

There are three types of port designation within a private VLAN:

• Promiscuous port: Belongs to a primary VLAN and can communicate with all interfaces in the private VLAN, including other promiscuous ports, community ports, and isolated ports.
• Community ports: Can communicate with other community ports and promiscuous ports.
• Isolated ports: Can ONLY communicate with promiscuous ports.

Diagram Description: Illustrates how private VLANs can be extended across multiple switches through inter-switch links that transport primary, community, and isolated VLANs between devices.

Diagram Description: Illustrates private VLAN traffic flow. Five ports A, B, C, D, and E form a private VLAN. Port A is promiscuous (primary VLAN 100). Ports B and C are host ports in the isolated VLAN 101. Ports D and E are community ports in community VLAN 102. Port F is the inter-switch link, configured to transmit VLANs 100, 101, and 102. Colored arrows represent possible packet flow paths.

Assign Private-VLAN Types (Primary, Isolated, Community)

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Assign Private-VLAN Type (Primary, Isolated, Community)

Use the following commands to assign VLAN 100 to primary VLAN, VLAN 101 to isolated VLAN, and VLAN 102 to community VLAN.

(Netgear Switch) #config
(Netgear Switch) (Config)#vlan 100
(Netgear Switch) (Config)(Vlan) #private-vlan primary
(Netgear Switch) (Config)(Vlan) #exit
(Netgear Switch) (Config)#vlan 101
(Netgear Switch) (Config)(Vlan) #private-vlan isolated
(Netgear Switch) (Config)(Vlan) #exit
(Netgear Switch) (Config)#vlan 102
(Netgear Switch) (Config)(Vlan) #private-vlan community
(Netgear Switch) (Config)(Vlan) #end

Main UI: Assign Private-VLAN Type (Primary, Isolated, Community)

1. Assign VLAN 100 as a primary VLAN: Select Security > Traffic Control > Private VLAN > Private VLAN Type Configuration, select VLAN ID 100, set Private VLAN Type to Primary, and click Apply.
2. Assign VLAN 101 as an isolated VLAN: Select Security > Traffic Control > Private VLAN > Private VLAN Type Configuration, select VLAN ID 101, set Private VLAN Type to Isolated, and click Apply.
3. Assign VLAN 102 to community VLAN: Select Security > Traffic Control > Private VLAN > Private VLAN Type Configuration, select VLAN ID 102, set Private VLAN Type to Community, and click Apply.

Configure Private-VLAN Association

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Configure Private-VLAN Association

Use the following commands to associate VLAN 101-102 (secondary VLAN) to VLAN 100 (primary VLAN).

(Netgear Switch) #config
(Netgear Switch) (Config)#vlan 100
(Netgear Switch) (Config)(Vlan) #private-vlan association 101-102
(Netgear Switch) (Config)(Vlan) #end

Main UI: Configure Private-VLAN Association

1. Associate VLAN 101-102 (secondary VLAN) to VLAN 100 (primary VLAN): Select Security > Traffic Control > Private VLAN > Private VLAN Association Configuration, select VLAN ID 100, enter 101-102 in the Secondary VLAN(s) field, and click Apply.

Configure Private-VLAN Port Mode (Promiscuous, Host)

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Configure Private-VLAN Port Mode (Promiscuous, Host)

Use the following commands to assign port 1/0/1 to promiscuous port mode and ports 1/0/2-1/0/5 to host port mode.

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/1
(Netgear Switch) (Interface 1/0/1)#switchport mode private-vlan promiscuous
(Netgear Switch) (Interface 1/0/1)#exit
(Netgear Switch) (Config)#interface 1/0/2-1/0/5
(Netgear Switch) (Interface 1/0/2-1/0/5)#switchport mode private-vlan host
(Netgear Switch) (Interface 1/0/2-1/0/5)#end

Main UI: Configure Private-VLAN Port Mode (Promiscuous, Host)

1. Configure port 1/0/1 to promiscuous port mode: Select Security > Traffic Control > Private VLAN > Private VLAN Port Mode Configuration, select the 1/0/1 interface checkbox, set Port VLAN Mode to Promiscuous, and click Apply.
2. Configure ports 1/0/2-1/0/5 to host port mode: Select Security > Traffic Control > Private VLAN > Private VLAN Port Mode Configuration, select the 1/0/2 to 1/0/5 interface checkboxes, set Port VLAN Mode to Host, and click Apply.

Configure Private-VLAN Host Ports

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Configure Private-VLAN Host Ports

Use the following commands to associate isolated ports 1/0/2-1/0/3 to a private-VLAN (primary=100, secondary=101). Community ports 1/0/4-1/0/5 are associated with a private-VLAN (primary= 100, secondary=102).

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/2-1/0/3
(Netgear Switch) (Interface 1/0/2-1/0/3)#switchport private-vlan host-association 100 101
(Netgear Switch) (Interface 1/0/2-1/0/3)#exit
(Netgear Switch) (Config)#interface 1/0/4-1/0/5
(Netgear Switch) (Interface 1/0/4-1/0/5)#switchport private-vlan host-association 100 102
(Netgear Switch) (Interface 1/0/4-1/0/5)#end

Main UI: Assign Private-VLAN Port Host Ports

1. Associate isolated ports 1/0/2-1/0/3 to a private-VLAN (primary=100, secondary=101): Select Security > Traffic Control > Private VLAN > Private VLAN Host Interface Configuration, select interfaces 1/0/2 and 1/0/3, enter 100 for Host Primary VLAN, enter 101 for Host Secondary VLAN, and click Apply.
2. Associate isolated ports 1/0/4-1/0/5 to a private-VLAN (primary=100, secondary=102): Select Security > Traffic Control > Private VLAN > Private VLAN Host Interface Configuration, select interfaces 1/0/4 and 1/0/5, enter 100 for Host Primary VLAN, enter 102 for Host Secondary VLAN, and click Apply.

Map Private-VLAN Promiscuous Port

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Map Private-VLAN Promiscuous Port

Use the following commands to map promiscuous port 1/0/1 to a primary VLAN (100) and secondary VLANs (101-102).

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/1
(Netgear Switch) (Interface 1/0/1)#switchport private-vlan mapping 100 101-102
(Netgear Switch) (Interface 1/0/1)#end

Main UI: Map Private-VLAN Promiscuous Port

1. Map promiscuous port 1/0/1 to a primary VLAN (100) and secondary VLANs (101-102): Select Security > Traffic Control > Private VLAN > Private VLAN Promiscuous Interface Configuration, select interface 1/0/1, enter 100 for Promiscuous Primary VLAN, enter 101-102 for Promiscuous Secondary VLAN, and click Apply.

VLAN Access Ports and Trunk Ports

Using switch ports can minimize potential configuration errors and reduce the number of commands needed. For ports connected to end users, use access mode. For ports connected to other switches, use trunk mode.

In addition to access and trunk modes, ports can be configured in general mode (the default), which allows flexible configuration. The switch supports the following port modes:

• Access mode:
  • Ports belong to a single VLAN (PVID).
  • Intended for end-point connections, generally not operating with LANs and tagged traffic.
  • Accept both tagged and untagged traffic (configuration not possible).
  • All egress traffic is sent untagged.
  • Ingress filtering is always enabled.
  • Intended for connecting end stations, especially those incapable of generating VLAN tags.
• Trunk mode:
  • Ports can belong to multiple VLANs.
  • Accept both incoming tagged and untagged traffic.
  • Incoming untagged frames are tagged with the native VLAN ID.
  • Egress frames are sent tagged for all VLANs except the native VLAN (sent untagged).
  • Ingress filtering is always enabled; frames are admitted if correctly tagged with a VLAN ID the port belongs to.
  • Intended for connections between switches, where traffic is generally tagged.
  • If an allowed VLAN list is configured, a trunk port becomes a member of VLANs defined in that list.
• General mode:
  • By default, all ports are general mode and belong to the default VLAN.
  • Conforms to NETGEAR legacy switch behavior.
  • VLAN parameters (membership, tagging, PVID) are configured using legacy commands.
  • Ingress filtering can be enabled or disabled.

Diagram Description: Shows a network configuration with access ports and a trunk port. PC1 is connected via an access port in VLAN 1000, PC2 via an access port in VLAN 2000, and a trunk port connects to the network.

CLI: Configure a VLAN Trunk

1. Create VLAN 1000 and 2000:

   (Netgear Switch) #vlan database
   (Netgear Switch) (Vlan)#vlan 1000
   (Netgear Switch) (Vlan)#vlan 2000
   (Netgear Switch) (Vlan)#exit

2. Configure port 1/0/1 as an access port:

   (Netgear Switch) #config
   (Netgear Switch) (Config)#interface 1/0/1
   (Netgear Switch) (Interface 1/0/1)#switchport mode access
   (Netgear Switch) (Interface 1/0/1)#switchport access vlan 1000
   (Netgear Switch) (Interface 1/0/1)#exit
   (Netgear Switch) (Config)#

3. Configure port 1/0/2 as an access port:

   (Netgear Switch) #config
   (Netgear Switch) (Config)#interface 1/0/2
   (Netgear Switch) (Interface 1/0/2)#switchport mode access
   (Netgear Switch) (Interface 1/0/2)#switchport access vlan 2000
   (Netgear Switch) (Interface 1/0/2)#exit
   (Netgear Switch) (Config)#

4. Configure port 1/0/3 as a trunk port:

   (Netgear Switch) (Interface 1/0/3)#switchport mode trunk
   (Netgear Switch) (Interface 1/0/3)#switchport trunk allowed vlan 1000,2000

5. Configure incoming untagged packets to be tagged with the native VLAN ID:

   (Netgear Switch) (Interface 1/0/3)#switchport trunk native vlan 1000

Main UI: Configure a VLAN Trunk

1. Create VLAN 1000: Select Switching > VLAN > Advanced > VLAN Configuration, enter VLAN ID 1000, and click Add.
2. Create VLAN 2000: Select Switching > VLAN > Advanced > VLAN Configuration, enter VLAN ID 2000, and click Add.
3. Configure port 1/0/1 as an access port in VLAN 1000: Select Switching > VLAN > Advanced > VLAN Trunking Configuration, select interface 1/0/1, set Switchport Mode to Access, set Access VLAN ID to 1000, and click Apply.
4. Configure port 1/0/2 as an access port in VLAN 2000: Select Switching > VLAN > Advanced > VLAN Trunking Configuration, select interface 1/0/2, set Switchport Mode to Access, set Access VLAN ID to 2000, and click Apply.
5. Configure port 1/0/3 as a trunk port allowing VLANs 1000 and 2000: Select Switching > VLAN > Advanced > VLAN Trunking Configuration, select interface 1/0/3, set Switchport Mode to Trunk, set Native VLAN ID to 2000 (or choose to drop untagged packets), enter 1000,2000 in the Trunk Allowed VLANs field, and click Apply.

Chapter 3 LAGs

Link Aggregation Groups

Link Aggregation Concepts

Link aggregation allows the switch to treat multiple physical links between two endpoints as a single logical link. All physical links in a link aggregation group (LAG) must operate in full-duplex mode and at the same speed. A LAG can be used to directly connect two switches if traffic requires high bandwidth and reliability, or to provide a higher-bandwidth connection to a public network. Management functions treat a LAG as a single physical port. A Layer 2 LAG can carry one or more VLANs. More than one LAG can be configured for a switch.

Diagram Description: Illustrates an example network with two LAGs. LAG_10 connects a Layer 3 switch to a server, and LAG_20 connects the Layer 3 switch to a Layer 2 switch.

LAGs offer the following benefits:

• Increased reliability and availability: If one physical link in the LAG fails, traffic is dynamically and transparently reassigned to other links.
• Better use of physical resources: Traffic can be load-balanced across physical links.
• Increased bandwidth: Aggregated links deliver higher bandwidth than individual links.
• Incremental bandwidth increase: While a physical upgrade might offer a tenfold increase, LAGs provide a twofold or fivefold increase, useful for smaller needs.

Note: A LAG is also referred to as a port channel or an EtherChannel.

Add Ports to LAGs

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Add Ports to the LAGs

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 0/2
(Netgear Switch) (Interface 0/2)#addport 1/1
(Netgear Switch) (Interface 0/2)#exit
(Netgear Switch) (Config)#interface 0/3
(Netgear Switch) (Interface 0/3)#addport 1/1
(Netgear Switch) (Interface 0/3)#exit
(Netgear Switch) (Config)#interface 0/8
(Netgear Switch) (Interface 0/8)#addport 1/2
(Netgear Switch) (Interface 0/8)#exit
(Netgear Switch) (Config)#interface 0/9
(Netgear Switch) (Interface 0/9)#addport 1/2
(Netgear Switch) (Interface 0/9)#exit
(Netgear Switch) (Config)#exit

Main UI: Add Ports to LAGs

1. Add ports to LAG 1 (lag_10): Select Switching > LAG > LAG Membership, select LAG ID LAG 1, click Unit 1, click the gray boxes under ports 2 and 3 until two check marks display, and click Apply.
2. Add ports to LAG 2 (lag_20): Select Switching > LAG > LAG Membership, select LAG ID LAG 2, click Unit 1, click the gray boxes under ports 8 and 9 until two check marks display, and click Apply.

Auto-LAG

An Auto-LAG is a LAG that forms automatically between two devices supporting the Auto-LAG feature. It is a dynamic Layer 2 LAG based on the Link Aggregation Control Protocol (LACP).

Note: A LAG is also referred to as a port channel or an EtherChannel.

The switch can detect physical links with a partner device and automatically configure an Auto-LAG on interconnected and capable ports at both ends. The switch can form only one Auto-LAG with each partner device.

The Auto-LAG feature works with the Auto-Trunk feature, which must also be supported and enabled on the partner device. After an Auto-LAG forms, the switch automatically applies trunk mode (Auto-Trunk) to the LAG at both ends. This means ports participating in an Auto-LAG change from default switch port mode to trunk port mode. For more on Auto-Trunk, see Auto-Trunk on page 20.

For an Auto-LAG to form, the following are required:

• Both Auto-LAG and Auto-Trunk features must be supported and globally enabled on the switch and partner device. (On M4250 models, these are enabled by default.)
• At least two links must be established between the switch and partner device, supporting the same speed and duplex mode.
• Links cannot be members of a manually configured static or dynamic LAG.
• LLDP must be enabled on interconnected ports on both devices. (On M4250 models, LLDP is enabled by default on all ports.)
• Interconnected ports must be in the default switch port mode (General mode). If ports are in Access or Trunk mode, an Auto-Trunk cannot form on the Auto-LAG.

An Auto-LAG can form with up to eight interfaces. Interfaces are automatically selected based on availability and conditions: the interface is not manually configured as a LAG member or as a trunk/access port (must be general).

Note: The switch supports multiple static and dynamic LAGs, but only one Auto-LAG per partner device.

CLI: Enable the Auto-LAG Feature

By default, the Auto-LAG feature is enabled. If disabled, it can be re-enabled.

(Netgear Switch)#config
(Netgear Switch)#configure
(Netgear Switch)(Config)#port-channel auto
(Netgear Switch)(Config)#exit
(Netgear Switch)#

Main UI: Enable the Auto-LAG Feature

1. Select Switching > LAG > LAG Configuration.
2. Select the Auto-LAG Enable Mode Enable radio button. By default, Auto-LAG is enabled using a hash mode (2 Dest MAC, VLAN, EType, incoming port). The hash mode can be changed.
3. To change the hash mode, select a hash mode from the Auto-LAG Global Hash Mode menu.
4. Click Apply to save the settings.

Chapter 4 Port Routing

Port routing, default routes, and static routes

Port Routing Concepts

Early networks allowed direct end-station communication. As networks grew, Layer 2 bridging segregated traffic, effective for unicast but problematic for multicast. Routing emerged next, examining and redirecting packets at Layer 3. End stations needed to know how to reach their nearest router, and routers interpreted network topology for forwarding. While bridges were faster, routers allowed network partitioning into logical subnetworks, restricting multicast and facilitating security.

An end station specifies the destination station's Layer 3 address in the IP header but sends the packet to a router's MAC address. Upon receiving the packet, the Layer 3 router minimally:

• Looks up the Layer 3 address in its address table to determine the outbound port.
• Updates the Layer 3 header.
• Re-creates the Layer 2 header.

The router's IP address is often statically configured in the end station, though the switch supports DHCP for dynamic assignment. Similarly, routing table entries can be static, or dynamically created/updated via protocols like RIP and OSPF as network configurations change.

Port Routing Configuration

The switch always supports Layer 2 bridging. Layer 3 routing must be explicitly enabled, first for the switch globally, then for each port intended for the routed network.

The configuration commands in this section enable IP routing on ports 1/0/2, 1/0/3, and 1/0/5. The router ID will be set to the switch's management IP address or an active router interface's IP address if the management address is not configured.

After issuing these commands, the following functions become active:

• IP forwarding: Responsible for forwarding received IP packets.
• ARP mapping: Maintains the ARP Table to correlate IP and MAC addresses, including static entries and dynamically updated entries from ARP frames.
• Routing Table Object: Manages the common routing table used by all registered routing protocols.

RIP or OSPF can then be activated on top of IP Routing for routers to exchange route information. RIP is common in smaller networks, while OSPF is designed for larger, complex topologies.

Diagram Description: Shows a Layer 3 switch configured for port routing, connecting three different subnets (Subnet 2, Subnet 3, Subnet 5) to different ports.

Enable Routing for the Switch

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Enable Routing for the Switch

The following script shows commands to configure the switch for port routing as depicted in the diagram. Execution enables IP forwarding by default.

(Netgear Switch) #config
(Netgear Switch) (Config)#ip routing
(Netgear Switch) (Config)#exit

Main UI: Enable Routing for the Switch

1. Select Routing > IP > Basic > IP Configuration.
2. For Routing Mode, select Enable.
3. Click Apply.

Enable Routing for Ports on the Switch

Use the following commands or the local browser interface to enable routing for ports. The default link-level encapsulation is Ethernet. Configure IP addresses and subnet masks for the ports. Network-directed broadcast frames will be dropped. The maximum transmission unit (MTU) size is 1500 bytes.

CLI: Enable Routing for Ports on the Switch

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/2
(Netgear Switch) (Interface 1/0/2)#routing
(Netgear Switch) (Interface 1/0/2)#ip address 192.150.2.1 255.255.255.0
(Netgear Switch) (Interface 1/0/2)#exit
(Netgear Switch) (Config)#interface 1/0/3
(Netgear Switch) (Interface 1/0/3)#routing
(Netgear Switch) (Interface 1/0/3)#ip address 192.150.3.1 255.255.255.0
(Netgear Switch) (Interface 1/0/3)#exit
(Netgear Switch) (Config)#interface 1/0/5
(Netgear Switch) (Interface 1/0/5)#routing
(Netgear Switch) (Interface 1/0/5)#ip address 192.150.5.1 255.255.255.0
(Netgear Switch) (Interface 1/0/5)#exit
(Netgear Switch) (Config)#exit

Main UI: Enable Routing for Ports on the Switch

1. Assign IP address 192.150.2.1/24 to interface 1/0/2: Select Routing > IP > Advanced > IP Interface Configuration, select interface 1/0/2, set IP Address Configuration Method to Manual, enter IP Address 192.150.2.1, Subnet Mask 255.255.255.0, and Routing Mode to Enable, then click Apply.
2. Assign IP address 192.150.3.1/24 to interface 1/0/3: Select Routing > IP > Advanced > IP Interface Configuration, select interface 1/0/3, set IP Address Configuration Method to Manual, enter IP Address 192.150.3.1, Subnet Mask 255.255.255.0, and Routing Mode to Enable, then click Apply.
3. Assign IP address 192.150.5.1/24 to interface 1/0/5: Select Routing > IP > Advanced > IP Interface Configuration, select interface 1/0/5, set IP Address Configuration Method to Manual, enter IP Address 192.150.5.1, Subnet Mask 255.255.255.0, and Routing Mode to Enable, then click Apply.

Add a Default Route

When IP routing occurs on a switch, a routing table is needed to forward packets based on destination IP addresses. Route entries can be created dynamically via protocols like RIP/OSPF or manually by administrators (static/default routes). A default route is used when the switch cannot find a match in the routing table for an IP packet.

CLI: Add a Default Route

(FSM7338S) (Config) #ip route default? <nexthopip>
(FSM7328S) (Config)#ip route default 10.10.10.2

Note: IP subnet 10.10.10.0 should be configured using port routing or VLAN routing.

Main UI: Add a Default Route

1. Select Routing > Routing Table > Basic > Route Configuration.
2. In the Route Type list, select DefaultRoute.
3. In the Next Hop IP Address field, enter one of the routing interface's IP addresses.
4. Click Add.

Add a Static Route

When the switch performs IP routing, it forwards packets to the default route for destinations not on the same subnet as the source address. However, a different path (static route) can be set. The following procedure shows how to add a static route.

CLI: Show Routing Information

This assumes the switch has a defined routing interface for network 10.10.10.0 and is configured for all packets destined for network 10.10.100.0 to use the routing port path.

(Netgear Switch) #show ip route
Total Number of Routes............................1
Network Address ---------10.10.10.0
Subnet Mask ------------255.255.255.0
Protocol -------Local
Next Hop Intf ---------1/0/3
Next Hop IP Address ----------10.10.10.1

To delete a static route, use the no keyword before the ip route command.

Main UI: Add a Static Route

1. Select Routing > Routing Table > Basic > Route Configuration.
2. In the Route Type list, select Static.
3. Fill in the Network Address field (e.g., 10.100.0.0, ensuring the last number is 0).
4. In the Subnet Mask field, enter the appropriate value.
5. The Preference field is optional (defaults to 1).
6. Click Add.
7. To remove a route, select its checkbox and click Delete.

Chapter 5 VLAN Routing

VLAN routing for a VLAN and for the switch

VLAN Routing Concepts

The switch can be configured with ports supporting VLANs and others supporting routing. It can also be configured to treat traffic on a VLAN as if the VLAN were a router port.

When a port is enabled for bridging (default) instead of routing, normal bridge processing occurs for inbound packets, associating them with a VLAN. The MAC destination address (DA) and VLAN ID are used to search the MAC address table. If routing is enabled for the VLAN and the MAC DA of an inbound unicast packet matches the internal bridge-router interface, the packet is routed. An inbound multicast packet is forwarded to all ports in the VLAN and to the internal bridge-router interface if received on a routed VLAN.

Since a port can belong to multiple VLANs, VLAN routing can be enabled for all VLANs on a port or a subset. VLAN routing allows multiple physical ports to reside on the same subnet, or when a VLAN spans multiple physical networks, or when more segmentation or security is required.

The following sections detail configuring the switch for VLAN routing and using RIP and OSPF. A port can be either a VLAN port or a router port, but not both. However, a VLAN port can be part of a VLAN that is itself a router port.

Create Two VLANs

This section provides an example of configuring the switch for VLAN routing. The configuration of a VLAN router port is similar to a physical port, with the main difference being the use of the show ip vlan command to find the VLAN's interface ID for router configuration commands.

Diagram Description: Shows a Layer 3 switch configured for port routing, connecting two VLANs (VLAN 10 and VLAN 20) via router ports.

CLI: Create Two VLANs

The following code sequence shows an example of creating two VLANs with egress frame tagging enabled.

(Netgear Switch) #vlan data
(Netgear Switch) (Vlan)#vlan 10
(Netgear Switch) (Vlan)#vlan 20
(Netgear Switch) (Vlan)#exit
(Netgear Switch) #conf
(Netgear Switch) (Config)#interface range 1/0/1-1/0/2
(Netgear Switch) (conf-if-range-1/0/1-1/0/2)#vlan participation include 10
(Netgear Switch) (conf-if-range-1/0/1-1/0/2)#vlan pvid 10
(Netgear Switch) (conf-if-range-1/0/1-1/0/2)#exit
(Netgear Switch) (Config)#interface 1/0/3
(Netgear Switch) (Interface 1/0/3)#vlan participation include 20
(Netgear Switch) (Interface 1/0/3)#vlan pvid 20
(Netgear Switch) (Interface 1/0/3)#exit
(Netgear Switch) (Config)#exit

Main UI: Create Two VLANs

1. Create VLAN 10 and VLAN 20:
   • Select Switching > VLAN > Advanced > VLAN Configuration.
   • Enter VLAN ID 10, VLAN Name VLAN10, select Static type, and click Add.
   • Repeat for VLAN 20 (VLAN ID 20, VLAN Name VLAN20).
2. Add ports to VLAN 10 and VLAN 20:
   • Select Switching > VLAN > Advanced > VLAN Membership.
   • For VLAN ID 10, click Unit 1, click the gray boxes under ports 1 and 2 until T displays, and click Apply.
   • For VLAN ID 20, click Unit 1, click the gray box under port 3 until T displays, and click Apply.
3. Assign PVID to VLAN 10 and VLAN 20:
   • Select Switching > VLAN > Advanced > Port PVID Configuration.
   • Select checkboxes for 1/0/1 and 1/0/2, enter 10 in the PVID field, and click Apply.
   • Select checkboxes for 1/0/3, enter 20 in the PVID field, and click Apply.

Set Up VLAN Routing for the VLANs and the Switch

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Set Up VLAN Routing for the VLANs and the Switch

1. Enable routing for the VLANs:

   (Netgear Switch) #vlan data
   (Netgear Switch) (Vlan)#vlan routing 10
   (Netgear Switch) (Vlan)#vlan routing 20
   (Netgear Switch) (Vlan)#exit

   This returns logical interface IDs (e.g., VLAN 10 as 3/1, VLAN 20 as 3/2) for subsequent routing commands.

2. Enable routing for the switch:

   (Netgear Switch) #config
   (Netgear Switch) (Config)#ip routing
   (Netgear Switch) (Config)#exit

3. Configure IP addresses and subnet masks for virtual router ports:

   (Netgear Switch) (Config)#interface vlan 10
   (Netgear Switch) (Interface-vlan 10)#ip address 192.150.3.1 255.255.255.0
   (Netgear Switch) (Interface-vlan 10)#exit
   (Netgear Switch) (Config)#interface vlan 20
   (Netgear Switch) (Interface-vlan 20)#ip address 192.150.4.1 255.255.255.0
   (Netgear Switch) (Interface-vlan 20)#exit
   (Netgear Switch) (Config)#exit

Main UI: Set Up VLAN Routing for the VLANs and the Switch

1. Configure VLAN 10 for routing: Select Routing > VLAN > VLAN Routing, select VLAN ID 10, enter IP Address 192.150.3.1, Subnet Mask 255.255.255.0, and click Add.
2. Configure VLAN 20 for routing: Select Routing > VLAN > VLAN Routing, select VLAN ID 20, enter IP Address 192.150.4.1, Subnet Mask 255.255.255.0, and click Add.

Chapter 6 RIP

Routing Information Protocol

Routing Information Protocol Concepts

Routing Information Protocol (RIP) is a protocol routers use to exchange network topology information. It's an interior gateway protocol typically used in small to medium networks. A RIP router sends its routing table contents to adjacent routers every 30 seconds. Unusable routes are flagged after 180 seconds and removed after an additional 120 seconds.

Two RIP versions are supported:

• RIPv1 (RFC 1058): Routes specified by IP destination network and hop count. Routing table broadcast to all stations on the attached network.
• RIPv2 (RFC 1723): Route specification includes subnet mask and gateway. Routing table sent to a multicast address, reducing traffic. Supports authentication for security.

A port can be configured to:

• Receive packets in either or both formats.
• Send packets formatted for RIPv1 or RIPv2, or send RIPv2 packets to the RIPv1 broadcast address.
• Prevent any RIP packets from being received.
• Prevent any RIP packets from being sent.

Diagram Description: Shows a network with RIP enabled on ports 1/0/2 and 1/0/3 of a Layer 3 switch acting as a router, connecting Subnet 2, Subnet 3, and Subnet 5.

Enable Routing for the Switch

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Enable Routing for the Switch

(Netgear Switch) #config
(Netgear Switch) (Config)#ip routing
(Netgear Switch) (Config)#exit

Main UI: Enable Routing for the Switch

1. Select Routing > IP > Basic > IP Configuration.
2. For Routing Mode, select Enable.
3. Click Apply.

Enable Routing for Ports

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Enable Routing and Assigning IP Addresses for Ports 1/0/2 and 1/0/3

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/2
(Netgear Switch) (Interface 1/0/2)#routing
(Netgear Switch) (Interface 1/0/2)#ip address 192.150.2.1 255.255.255.0
(Netgear Switch) (Interface 1/0/2)#exit
(Netgear Switch) (Config)#interface 1/0/3
(Netgear Switch) (Interface 1/0/3)#routing
(Netgear Switch) (Interface 1/0/3)#ip address 192.150.3.1 255.255.255.0
(Netgear Switch) (Interface 1/0/3)#exit
(Netgear Switch) (Config)#exit

Main UI: Enable Routing for the Ports

1. Assign IP address 192.150.2.1/24 to interface 1/0/2: Select Routing > Advanced > IP Interface Configuration, select interface 1/0/2, set IP Address Configuration Method to Manual, enter IP Address 192.150.2.1, Subnet Mask 255.255.255.0, and Routing Mode to Enable, then click Apply.
2. Assign IP address 192.150.3.1/24 to interface 1/0/3: Select Routing > Advanced > IP Interface Configuration, select interface 1/0/3, set IP Address Configuration Method to Manual, enter IP Address 192.150.3.1, Subnet Mask 255.255.255.0, and Routing Mode to Enable, then click Apply.

Enable RIP on the Switch

Note: Unless previously disabled, RIP is enabled by default, so this step can be skipped.

CLI: Enable RIP on the Switch

This sequence enables RIP for the switch. Route preference defaults to 15.

(Netgear Switch) #config
(Netgear Switch) (Config)#router rip
(Netgear Switch) (Config router)#enable
(Netgear Switch) (Config router)#exit
(Netgear Switch) (Config)#exit

Main UI: Enable RIP on the Switch

1. Select Routing > RIP > Basic > RIP Configuration.
2. For RIP Admin Mode, select Enable.
3. Click Apply.

Enable RIP for Ports 1/0/2 and 1/0/3

The example is shown as CLI commands and as a local browser interface procedure.

CLI: Enable RIP for Ports 1/0/2 and 1/0/3

This command sequence enables RIP for ports 1/0/2 and 1/0/3. Authentication defaults to none, and no default route entry is created. Both ports receive RIPv1 and RIPv2 frames but send only RIPv2-formatted frames.

(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/2
(Netgear Switch) (Interface 1/0/2)#ip rip
(Netgear Switch) (Interface 1/0/2)#ip rip receive version both
(Netgear Switch) (Interface 1/0/2)#ip rip send version rip2
(Netgear Switch) (Interface 1/0/2)#exit
(Netgear Switch) (Config)#interface 1/0/3
(Netgear Switch) (Interface 1/0/3)#ip rip
(Netgear Switch) (Interface 1/0/3)#ip rip receive version both
(Netgear Switch) (Interface 1/0/3)#ip rip send version rip2
(Netgear Switch) (Interface 1/0/3)#exit
(Netgear Switch) (Config)#exit

Main UI: Enable RIP for Ports 1/0/2 and 1/0/3

1. Select Routing > RIP > Advanced > RIP Configuration.
2. Select the checkboxes for Interface 1/0/2 and 1/0/3.
3. Enter the following:
   
   • RIP Admin Mode: Enable
   • Send Version: RIP-2
4. Click Apply.

Configure VLAN Routing with RIP Support

RIP is a protocol routers use to exchange network topology information, typically in small to medium networks.

Diagram Description: Illustrates a VLAN routing RIP configuration example, showing a Layer 3 switch with VLAN router ports and a separate router port connected to different subnets.

This example adds RIPv2 support to the base VLAN routing configuration. A second router using port routing has been added.

CLI: Configure VLAN Routing with RIP Support

1. Configure VLAN routing with RIP support:

   (Netgear Switch) #vlan data
   (Netgear Switch) (Vlan)#vlan 10
   (Netgear Switch) (Vlan)#vlan 20
   (Netgear Switch) (Vlan)#vlan routing 10
   (Netgear Switch) (Vlan)#vlan routing 20
   (Netgear Switch) (Vlan)#exit
   (Netgear Switch) #conf
   (Netgear Switch) (Config)#ip routing
   (Netgear Switch) (Config)#vlan port tagging all 10
   (Netgear Switch) (Config)#vlan port tagging all 20
   (Netgear Switch) (Config)#interface 1/0/2
   (Netgear Switch) (Interface 1/0/2)#vlan participation include 10
   (Netgear Switch) (Interface 1/0/2)#vlan pvid 10
   (Netgear Switch) (Interface 1/0/2)#exit
   (Netgear Switch) (Config)#interface 1/0/3
   (Netgear Switch) (Interface 1/0/3)#vlan participation include 20
   (Netgear Switch) (Interface 1/0/3)#vlan pvid 20
   (Netgear Switch) (Interface 1/0/3)#exit
   (Netgear Switch) #config
   (Netgear Switch) (Config)#interface vlan 10
   (Netgear Switch) (Interface vlan 10)#ip address 192.150.3.1 255.255.255.0
   (Netgear Switch) (Interface vlan 10)#exit
   (Netgear Switch) (Config)#interface vlan 20
   (Netgear Switch) (Interface vlan 20)#ip address 192.150.4.1 255.255.255.0
   (Netgear Switch) (Interface vlan 20)#exit

2. Enable RIP for the switch (route preference defaults to 15):

   (Netgear Switch) (Config)#router rip
   (Netgear Switch) (Config router)#enable
   (Netgear Switch) (Config router)#exit

3. Configure IP address and subnet mask for a non-virtual router port:

   (Netgear Switch) (Config)#interface 1/0/5
   (Netgear Switch) (Interface 1/0/5)#ip address 192.150.5.1 255.255.255.0
   (Netgear Switch) (Interface 1/0/5)#exit

4. Enable RIP for VLAN router ports: Authentication defaults to none, no default route entry created.

(Netgear Switch) (Config)#interface vlan 10
(Netgear Switch) (Interface vlan 10)#ip rip
(Netgear Switch) (Interface vlan 10)#exit
(Netgear Switch) (Config)#interface vlan 20
(Netgear Switch) (Interface vlan 20)#ip rip
(Netgear Switch) (Interface vlan 20)#exit
(Netgear Switch) (Config)#exit

Main UI: Configure VLAN Routing with RIP Support

1. Configure VLAN 10 with ports and IP: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 10, IP Address 192.150.3.1, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 2 until T displays, and click Apply.
2. Configure VLAN 20 with ports and IP: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 20, IP Address 192.150.4.1, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 3 until T displays, and click Apply.
3. Enable RIP on the switch (default): Select Routing > RIP > Basic > RIP Configuration, enable RIP Admin Mode, and click Apply.
4. Enable RIP on VLANs 10 and 20: Select Routing > RIP > Advanced > RIP Configuration, click VLANS, select checkboxes for vlan10 and vlan20, enable RIP Mode, and click Apply.

Chapter 7 PBR

Policy-based routing

Policy-Based Routing Concepts

Typically, switches make forwarding decisions based on routing tables populated by dynamic routing protocols or static routing. Policy-based routing (PBR) allows network administrators to define forwarding behavior based on packet contents, overriding traditional destination-based routing.

Configuring PBR involves creating a route map with match and set commands and applying it to inbound traffic on routing interfaces. A single interface can have one route-map tag, but multiple route-map entries with different sequence numbers can be created, evaluated sequentially until a match is found. If no match occurs, packets are routed normally.

Route-Map Statements

A route-map statement for PBR is configured as permit or deny. If marked as deny, traditional destination-based routing is performed on packets meeting the match criteria. If marked as permit, and the packet matches all criteria, the set commands are applied. If no match is found, packets are forwarded using standard destination-based routing. To drop unmatched packets, a set command routing to interface null 0 can be configured as the last entry.

Packets generated by the switch itself are not typically policy-routed, though some products support local PBR for such packets. This feature is not supported here.

Starting with Software Version 10.2, NETGEAR switches support route-map infrastructure for BGP. Match parameters for PBR operate in isolation from BGP and do not interfere with BGP protocol processing or policy propagation.

For classifying L3 routed traffic, the switch supports matching on:

• Packet size
• Payload protocol (Protocol ID in IP header)
• Source MAC address
• Source IP address
• Destination IP address
• Priority (802.1P priority)

NETGEAR's PBR feature overrides routing decisions, directing packets based on defined forwarding criteria:

• List of next hop IP addresses: Specifies adjacent next-hop routers. The first IP address with an active ARP entry is used.
• List of default next hop IP addresses: Indicates next-hop routers for packets where no active route exists in the routing table. PBR treats default routes in the routing table as inactive for unknown destinations.
• IP precedence: Sets precedence in IP packets (3 IP precedence bits, 8 possible values). This value is set in the IPv4 header.

PBR Processing Logic

When a packet arrives on an interface configured with a route map, PBR processes each route-map statement by sequence number.

Route map with a permit statement:

1. The incoming packet is matched against criteria in the match term (e.g., an IP/MAC ACL). The ACL itself contains permit/deny rules.
2. If the ACL decision is permit, PBR executes the set terms.
3. If the ACL decision is deny, PBR does not apply set terms, increments the counter, and moves to the next route-map statement. If no more statements exist, standard destination-based routing is used.

Route map with a deny statement:

1. The incoming packet is matched against criteria in the match term (e.g., an IP/MAC ACL).
2. If the ACL decision is permit, PBR processing terminates, and standard destination-based routing is used.
3. If the ACL decision is deny, the counter is incremented, and processing moves to the next statement. If no more statements exist, standard destination-based routing is used.

The following table specifies desired actions:

Actions include:

• Next: Fall through to the next route map; if none, use the default routing table.
• Set: Route according to the action in the set clause.
• Route: Use the default routing table.

PBR Configurations

PBR is configurable on eligible routing interfaces:

• Physical ports
• VLAN interfaces: Applying an ACL to a VLAN interface means any packet with that VLAN ID on any port is matched against PBR rules. If a PBR route map is applied to a VLAN interface, any packet with a corresponding VLAN ID on any port is matched against PBR rules in the match ACL clause, and corresponding set actions are taken. To use VLAN ID as a matching criterion for incoming packets, apply an ACL rule on the VLAN interface without configuring a rule with VLAN ID as the match condition.

PBR supports preconfiguring route maps on routing interfaces. If routing is not enabled on an interface, the route map can still be applied; configuration is maintained but not pushed to hardware until routing is enabled.

PBR Example

Network administrators use PBR for load sharing incoming traffic across multiple paths based on packet entities. For optimal network utilization, bulk traffic might use a higher-bandwidth, higher-cost link, while basic connectivity uses a lower-bandwidth, lower-cost link. PBR is suitable for such applications.

Consider a network with two IP address groups. If Group 1 addresses must route through ISP1 and Group 2 through ISP2, the switch connected to these groups must use PBR. Configure a route map match on the IP address ranges of different groups for equal access and source IP address-sensitive routing.

Diagram Description: Illustrates a Policy-Based Routing (PBR) topology. Two groups of company networks are connected to a switch, with traffic routed to different ISPs (ISP1 and ISP2) based on IP address ranges.

1. Create IP ACL 1 to match 10.1.0.0/16:

   (Netgear Switch) (Config) #access-list 1 permit 10.1.0.0 0.0.255.255

2. Create IP ACL 2 to match 10.2.0.0/16:

   (Netgear Switch) (Config)#access-list 2 permit 10.2.0.0 0.0.255.255

3. Create route map pbr_1 with sequence 10 to match IP ACL 1:

   (Netgear Switch) (Config) #route-map pbr_1 permit 10
   (Netgear Switch) (route-map) #match ip address 1
   (Netgear Switch) (route-map) #set ip next-hop 20.1.1.2
   (Netgear Switch) (route-map) #exit

4. Create route map pbr_1 with sequence 11 to match IP ACL 2:

   (Netgear Switch) (Config) # route-map pbr_1 permit 11
   (Netgear Switch) (route-map) #match ip address 2
   (Netgear Switch) (route-map) #set ip next-hop 20.2.1.2
   (Netgear Switch) (route-map) #exit

5. Create VLAN 30 and place interfaces 1/0/1 and 1/0/2 into it:

   (Netgear Switch) #vlan database
   (Netgear Switch) (Vlan) #vlan 30
   (Netgear Switch) (Vlan) #vlan routing 30
   (Netgear Switch) (Vlan) #exit
   (Netgear Switch) (Config) #interface 1/0/1-1/0/2
   (Netgear Switch) (Interface 1/0/1-1/0/2) #vlan participation include 30
   (Netgear Switch) (Interface 1/0/1-1/0/2) #vlan pvid 30
   (Netgear Switch) (Interface 1/0/1-1/0/2) #exit
   (Netgear Switch) (Config) #interface vlan 30
   (Netgear Switch) (Interface vlan 30) #routing
   (Netgear Switch) (Interface vlan 30) #ip address 10.1.1.1 255.0.0.0
   (Netgear Switch) (Interface vlan 30) #exit

6. Enable PBR on VLAN 30:

   (Netgear Switch) (Config) #interface vlan 30
   (Netgear Switch) (Interface vlan 30) #routing
   (Netgear Switch) (Interface vlan 30) #ip policy route-map pbr_1
   (Netgear Switch) (Interface vlan 30) #exit

7. Configure IP address 20.1.1.1 on interface 1/0/3:

   (Netgear Switch) (Config) #interface 1/0/3
   (Netgear Switch) (Interface 1/0/3) #routing
   (Netgear Switch) (Interface 1/0/3) #ip add 20.1.1.1 /16

8. Configure IP address 20.2.1.1 on interface 1/0/4:

   (Netgear Switch) (Config) #interface 1/0/4
   (Netgear Switch) (Interface 1/0/4) #routing
   (Netgear Switch) (Interface 1/0/4) #ip add 20.2.1.1 /16

Chapter 8 ARP

Proxy Address Resolution Protocol

Proxy ARP Concepts

Proxy ARP allows a router to answer ARP requests for a target IP address that is not its own but is reachable. If a host doesn't know its default gateway, proxy ARP can help find the first hop. Machines on one physical network can appear to be on another logical network. Without proxy ARP, a router only responds to an ARP request if the target IP address is configured on the interface where the request arrived.

Proxy ARP Examples

CLI: show ip interface

(Netgear Switch) #show ip interface ?
  <slot/port> brief  Display summary information about IP configuration settings for all ports.

(Netgear Switch) #show ip interface 0/24
Routing Mode................................... Disable
Administrative Mode............................ Enable
Forward Net Directed Broadcasts................ Disable
Proxy ARP...................................... Disable
Active State................................... Inactive
Link Speed Data Rate........................... Inactive
MAC Address.................................... 08:00:17:05:05:02
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500

CLI: ip proxy-arp

(Netgear Switch) (Interface 0/24)#ip proxy-arp ?
  <cr>  Press Enter to execute the command.

(Netgear Switch) (Interface 0/24)#ip proxy-arp

Main UI: Configure Proxy ARP on a Port

1. Select Routing > IP > Advanced > IP Interface Configuration.
2. Select the Interface 1/0/3 checkbox.
3. In the Proxy Arp field, select Enable.
4. Click Apply.

Chapter 9 ACLs

Access Control Lists

Access Control List Concepts

Access control lists (ACLs) control network traffic, typically residing in firewalls or routers connecting internal networks. ACLs allow selective admission or rejection of inbound traffic, controlling network access or specific resource access. ACLs can be set up for Layer 2 (MAC ACLs) or Layer 3 (IP ACLs). Each ACL contains rules applying to inbound traffic, specifying whether field contents permit or deny access. Limitations include a maximum of 100 ACLs, 8-10 rules per ACL, no simultaneous MAC and IP ACLs on the same interface, and support only for inbound traffic.

MAC ACLs

MAC ACLs are Layer 2 ACLs. Rules can inspect packet fields (platform-dependent):

• Source MAC address with mask.
• Destination MAC address with mask.
• VLAN ID (or range).
• Class of Service (CoS) (802.1p).
• EtherType: Secondary CoS (802.1p), Secondary VLAN (or range).

MAC ACLs can apply to one or more interfaces. Multiple ACLs can be applied to a single interface; sequence numbers determine execution order. Packets can be assigned to queues or redirected using options.

IP ACLs

IP ACLs classify Layer 3 traffic. Each ACL has up to 10 rules for inbound traffic, specifying field criteria for permit/deny access:

• Source IP address
• Destination IP address
• Source Layer 4 port
• Destination Layer 4 port
• ToS byte
• Protocol number

Rule order is critical; the first matching rule takes precedence. Once an ACL is defined for a port, all traffic not explicitly permitted is denied.

ACL Configuration

To configure ACLs:

1. Create an ACL by specifying a name (MAC ACL or named IP ACL) or number (IP ACL).
2. Add new rules to the ACL.
3. Configure match criteria for the rules.
4. Apply the ACL to one or more interfaces.

Set Up an IP ACL with Two Rules

This section demonstrates setting up an IP ACL with two rules for TCP and UDP traffic, with identical content. TCP and UDP packets are accepted only if source and destination stations have IP addresses within defined sets.

Diagram Description: Illustrates an IP ACL with rules for TCP and UDP traffic. PC1 can access FTP server 1 (dest. IP in range), but TCP traffic to an IP outside the range is rejected.

CLI: Set Up an IP ACL with Two Rules

This is an example of configuring ACL support on a 7000 Series Managed Switch.

1. Create ACL 101 and define the first rule: The ACL permits packets matching the specified source IP address (after mask), carrying TCP traffic, and sent to the specified destination IP address.
2. Define the second rule for ACL 101 for UDP traffic: Similar conditions as for TCP traffic.
3. Apply the rule to inbound traffic on port 1/0/2: Only matching traffic will be accepted.

(Netgear Switch) #config
(Netgear Switch) (Config)#access-list 101 permit tcp 192.168.77.0 0.0.0.255 192.178.77.0 0.0.0.255
(Netgear Switch) (Config)#access-list 101 permit udp 192.168.77.0 0.0.0.255 192.178.77.0 0.0.0.255
(Netgear Switch) (Config)#interface 1/0/2
(Netgear Switch) (Interface 1/0/2)#ip access-group 101 in
(Netgear Switch) (Interface 1/0/2)#exit
(Netgear Switch) (Config)#exit

Main UI: Set Up an IP ACL with Two Rules

1. Create IP ACL 101: Select Security > ACL > IP ACL, enter IP ACL ID 101, and click Add.
2. Create a new rule for ACL 101: Select Security > ACL > IP ACL > IP Extended Rules, select ACL ID 101, and click Add.
3. Configure Rule 1: Enter Rule ID 1, Action Permit, Protocol Type TCP, Source IP Address 192.168.77.0, Source IP Mask 0.0.0.255, Destination IP Address 192.178.77.0, Destination IP Mask 0.0.0.255, and click Apply.
4. Configure Rule 2: Enter Rule ID 22, Action Permit, Protocol Type UDP, Source IP Address 192.168.77.0, Source IP Mask 0.0.0.255, Destination IP Address 192.178.77.0, Destination IP Mask 0.0.0.255, and click Apply.
5. Apply ACL 101 to port 2: Select Security > ACL > IP ACL > IP Binding Configuration, select ACL ID 101, Sequence Number 1, click Unit 1, click the gray box under port 2, and click Apply.

One-Way Access Using a TCP Flag in an ACL

This example sets up one-way access using a TCP flag in an ACL. PC 1 can access FTP server 1 and FTP server 2, but PC 2 can access only FTP server 2.

Diagram Description: Illustrates one-way access using a TCP flag in an ACL. PC1 can access FTP server 1 and 2, but PC2 can access only FTP server 2.

CLI: Configure One-Way Access Using a TCP Flag in an ACL

This is a two-step process: Step 1 configures Switch A, and Step 2 configures Switch B.

Step 1: Configure the VLAN and IP addresses on Switch A

1. Create VLAN 30 with port 0/35 and assign IP address 192.168.30.1/24: Configure VLANs and interfaces as shown in the CLI commands.
2. Create VLAN 100 with port 0/13 and assign IP address 192.168.100.1/24: Configure VLANs and interfaces as shown in the CLI commands.
3. Create VLAN 200 with port 0/44 and assign IP address 192.168.200.1/24: Configure VLANs and interfaces as shown in the CLI commands.
4. Add static routes for destinations 192.168.40.0/24 and 192.168.50.0/24 to correct next hops: Enable IP routing and add static routes using the CLI commands.
5. Create an ACL that denies all packets with TCP flags +syn-ack: Use access-list 101 deny tcp any flag +syn -ack.
6. Create an ACL that permits all IP packets: Use access-list 102 permit ip any.
7. Apply ACLs 101 and 102 to port 0/44 with sequence 101=1 and 102=2: Apply the ACLs to the interface using the CLI commands.

Main UI: Configure One-Way Access Using a TCP Flag in an ACL

This is a two-part process: Configuring VLAN and IP addresses on switch A, and configuring Switch B.

Configuring VLAN and IP addresses on switch A

1. Create VLAN 30 with IP address 192.168.30.1/24: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 30, IP Address 192.168.30.1, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 35 twice until U displays, and click Apply.
2. Create VLAN 100 with IP address 192.168.100.1/24: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 100, IP Address 192.168.100.1, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 13 twice until U displays, and click Apply.
3. Create VLAN 200 with IP address 192.168.200.1/24: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 200, IP Address 192.168.200.1, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 44 twice until U displays, and click Apply.
4. Enable IP routing: Select Routing > IP > Basic > IP Configuration, enable Routing Mode and IP Forwarding Mode, and click Apply.
5. Add static route for 192.268.40.0/24: Select Routing > Routing Table > Basic > Route Configuration, select Route Type Static, enter Network Address 192.168.40.0, Subnet Mask 255.255.255.0, Next Hop IP Address 192.168.200.2, and click Add.
6. Create static route for 192.168.50.0/24: Select Routing > Routing Table > Basic > Route Configuration, select Route Type Static, enter Network Address 192.168.50.0, Subnet Mask 255.255.255.0, Next Hop IP Address 192.168.200.2, and click Add.
7. Create ACL with ID 101: Select Security > ACL > Advanced > IP ACL, enter IP ACL ID 101, and click Add.
8. Create ACL with ID 102: Select Security > ACL > Advanced > IP ACL, enter IP ACL ID 102, and click Add.
9. Add and configure IP extended rule for ACL 101: Select Security > ACL > Advanced > IP Extended Rules, select ACL ID 101, click Add. Configure Rule ID 1, Action Deny, Protocol Type TCP, Source IP 192.168.77.0, Source Mask 0.0.0.255, Destination IP 192.178.77.0, Destination Mask 0.0.0.255, TCP Flag SYN Set, ACK Clear, and click Apply.
10. Add and configure IP extended rule for ACL 102: Select Security > ACL > Advanced > IP Extended Rules, select ACL ID 102, click Add. Configure Rule ID 1, Action Permit, Protocol Type IP, and click Apply.
11. Apply ACL 101 to port 44: Select Security > ACL > Advanced > IP Binding Configuration, select ACL ID 101, Sequence Number 1, click Unit 1, click the gray box under port 44, and click Apply.
12. Apply ACL 102 to port 44: Select Security > ACL > Advanced > IP Binding Configuration, select ACL ID 102, Sequence Number 2, click Unit 1, click the gray box under port 44, and click Apply.

Configuring the Switch B

1. Create VLAN 40 with IP address 192.168.40.1/24: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 40, IP Address 192.168.40.1, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 24 twice until U displays, and click Apply.
2. Create VLAN 50 with IP address 192.168.50.1/24: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 50, IP Address 192.168.50.1, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 25 twice until U displays, and click Apply.
3. Create VLAN 200 with IP address 192.168.200.2/24: Select Routing > VLAN > VLAN Routing Wizard, enter VLAN ID 200, IP Address 192.168.200.2, Network Mask 255.255.255.0. Click Unit 1, click the gray box under port 48 twice until U displays, and click Apply.
4. Create static route for 192.168.100.0/24: Select Routing > Routing Table > Basic > Route Configuration, select Route Type Static, enter Network Address 192.168.100.0, Subnet Mask 255.255.255.0, Next Hop IP Address 192.168.200.1, and click Add.
5. Create static route for 192.168.30.0/24: Select Routing > Routing Table > Basic > Route Configuration, select Route Type Static, enter Network Address 192.168.30.0, Subnet Mask 255.255.255.0, Next Hop IP Address 192.168.200.1, and click Add.

Use ACLs to Configure Isolated VLANs on a Layer 3 Switch

This example shows how to isolate VLANs on a Layer 3 switch using ACLs. PC 1 (VLAN 24) and PC 2 (VLAN 48) are isolated from each other but can both access the server (VLAN 38).

Diagram Description: Illustrates using ACLs to isolate VLANs on a Layer 3 switch. PC1 (VLAN 24) and PC2 (VLAN 48) are isolated from each other but can both access the server (VLAN 38).

CLI: Configure One-Way Access Using a TCP Flag in ACL Commands

Enter the following CLI commands.

(Netgear Switch) #vlan database
(Netgear Switch) (Vlan)#vlan 24
(Netgear Switch) (Vlan)#vlan routing 24
(Netgear Switch) (Vlan)#exit
(Netgear Switch) #config
(Netgear Switch) (Config)#interface 1/0/24
(Netgear Switch) (Interface 1/0/24)#vlan participation include 24
(Netgear Switch) (Interface 1/0/24)#vlan pvid 24
(Netgear Switch) (Interface 1/0/24)#exit

...(CLI commands for other VLANs and ACL configuration would follow here, similar to previous examples)...

Chapter 10 CoS Queuing

CoS Queuing Concepts

CoS Queue Mapping

Trusted Ports

Untrusted Ports

CoS Queue Configuration

Show the Trust Mode for a Class of Service.

CLI: Show the Trust Mode for a Class of Service

Main UI: Show the Trust Mode for a Class of Service

Set the Trust Mode for a Class of Service

CLI: Set the Trust Mode for a Class of Service

Main UI: Set the Trust Mode for a Class of Service

Configure Cos-queue Min-bandwidth and Strict Priority Scheduler Mode

CLI: Configure Cos-queue Min-bandwidth and Strict Priority Scheduler Mode

Main UI: Configure CoS-queue Min-bandwidth and Strict Priority Scheduler Mode

Set the CoS Trust Mode for an Interface

CLI: Set the CoS Trust Mode for an Interface

Main UI: Set the CoS Trust Mode for an Interface

Configure Traffic Shaping

CLI: Configure Traffic Shaping

Main UI: Configure Traffic Shaping

Chapter 11 DiffServ

Differentiated Services Concepts

DiffServ

CLI: Configure DiffServ

Main UI: Configure DiffServ

DiffServ for VoIP

CLI: Configure DiffServ for VoIP

Main UI: Diffserv for VoIP

Auto VoIP

Protocol-Based Auto VoIP

OUI-Based Auto VoIP

Example 1: Enable Protocol-Based Auto VoIP

Example 2: Change the Queue of Protocol-Based Auto VoIP

Example 3: Create an Auto VoIP VLAN

DiffServ for IPv6

CLI: Configure DiffServ for IPv6

Main UI: Configure DiffServ for IPv6

Color Conform Policy

CLI: Configure a Color Conform Policy

Main UI: Configure a Color Conform Policy

WRED Explicit Congestion Notification

Chapter 12 IGMP Snooping and Querier

Internet Group Management Protocol Concepts

IGMP Snooping

CLI: Enable IGMP Snooping

Main UI: Enable IGMP Snooping

Show igmpsnooping

CLI: Show igmpsnooping

Main UI: Show igmpsnooping

Show mac-address-table igmpsnooping

CLI for IGMPv1 and IGMPv2: Show mac-address-table igmpsnooping

CLI for IGMPv3: show igmpsnooping ssm entries

Main UI: Show mac-address-table igmpsnooping

External Multicast Router

CLI: Configure the Switch with an External Multicast Router

Main UI: Configure the Switch with an External Multicast Router

Multicast Router Using VLAN

CLI: Configure the Switch with a Multicast Router Using VLAN

Main UI: Configure the Switch with a Multicast Router Using VLAN

IGMP Querier Concepts

Enable IGMP Querier

CLI: Enable IGMP Querier

Main UI: Enable IGMP Querier

Show IGMP Querier Status

CLI: Show IGMP Querier Status

Main UI: Show IGMP Querier Status

Chapter 13 MVR

Multicast VLAN Registration

Configure MVR in Compatible Mode

CLI: Configure MVR in Compatible Mode

Main UI: Configure MVR in Compatible Mode

Configure MVR in Dynamic Mode

CLI: Configure MVR in Dynamic Mode

Main UI: Configure MVR in Dynamic Mode

Chapter 14 Security Management

Port Security Concepts

Set the Dynamic and Static Limit on Port 1/0/1

CLI: Set the Dynamic and Static Limit on Port 1/0/1

Main UI: Set the Dynamic and Static Limit on Port 1/0/1

Convert the Dynamic Address Learned from 1/0/1 to a Static Address

CLI: Convert the Dynamic Address Learned from 1/0/1 to the Static Address

Main UI: Convert the Dynamic Address Learned from 1/0/1 to the Static Address

Create a Static Address

CLI: Create a Static Address

Main UI: Create a Static Address

Protected Ports

CLI: Configure a Protected Port to Isolate Ports on the Switch

Main UI: Configure a Protected Port to Isolate Ports on the Switch

802.1x Port Security

CLI: Authenticating dot1x Users by a RADIUS Server

Main UI: Authenticating dot1x Users by a RADIUS Server

Create a Guest VLAN

CLI: Create a Guest VLAN

Main UI: Create a Guest VLAN

Assign VLANs Using RADIUS

CLI: Assign VLANS Using RADIUS

Main UI: Assign VLANS Using RADIUS

Dynamic ARP Inspection

CLI: Configure Dynamic ARP Inspection

Main UI: Configure Dynamic ARP Inspection

Static Mapping

CLI: Configure Static Mapping

Main UI: Configure Static Mapping

DHCP Snooping

CLI: Configure DHCP Snooping

Main UI: Configure DHCP Snooping

Find a Rogue DHCP Server

CLI: Find a Rogue DHCP server

Main UI: Find a Rogue DHCP server

Enter Static Binding into the Binding Database

CLI: Enter Static Binding into the Binding Database

Main UI: Enter Static Binding into the Binding Database

Maximum Rate of DHCP Messages

CLI: Configure the Maximum Rate of DHCP Messages

Main UI: Configure the Maximum Rate of DHCP Messages

IP Source Guard

CLI: Configure Dynamic ARP Inspection

Main UI: Configure Dynamic ARP Inspection

Command Authorization

CLI Example 1: Configure Command Authorization by a TACACS+ Server

CLI Example 2: Configure Command Authorization by a RADIUS Server

Privileged Exec Command Mode Authorization

CLI Example 1: Configure EXEC Authorization by a TACACS+ Server

CLI Example 2: Configure EXEC Authorization by a RADIUS Server

Accounting

CLI: Configure Telnet Command Accounting by a TACACS+ Server

Configure Telnet EXEC Accounting by RADIUS Server

Use the Authentication Manager to Set Up an Authentication Method List

Configure a Dot1x-MAB Authentication Method List with Dot1x-MAB Priority

Configure a Dot1x-MAB Authentication Method List with MAB-Dot1x Priority

Configure a Dot1x, MAB, and Captive Portal Authentication Method List with Default Priority

RADIUS Change of Authorization

IPv6 Stateless RA Guard

Changing the SSH/Telnet Login Method to Radius

CLI: Change the SSH/Telnet Login Method to Radius

GUI: Change the SSH/Telnet Login Method to Radius

Chapter 15 MAB

MAC Authentication Bypass Concepts

Configure MAC Authentication Bypass on a Switch

Configure a Network Policy Server on a Microsoft Windows Server 2008 R2 or Later Server

Configure an Active Directory on a Microsoft Windows Server 2008 R2 or Later Server

Reduce the MAB Authentication Time

CLI: Reduce the Authentication Time for MAB

Main UI: Reduce the Authentication Time for MAB

Chapter 16 SNTP

Simple Network Time Protocol Concepts

Show SNTP (CLI Only)

show sntp

show sntp client

show sntp server

Configure SNTP

CLI: Configure SNTP

Main UI: Configure SNTP

Set the Time Zone (CLI Only)

Set the Named SNTP Server

CLI: Set the Named SNTP Server

Main UI: Set the Named SNTP Server

Chapter 17 Tools

Traceroute

CLI: Traceroute

Main UI: Traceroute

Configuration Scripting

script Command

script list Command and script delete Command

script apply running-config.scr Command

Create a Configuration Script

Upload a Configuration Script

Pre-Login Banner

Create a Pre-Login Banner

Port Mirroring

CLI: Specify the Source (Mirrored) Ports and Destination (Probe)

Main UI: Specify the Source (Mirrored) Ports and Destination (Probe)

Remote SPAN

CLI: Enable RSPAN on a Switch

Dual Image

CLI: Download a Backup Image and Make It Active

Main UI: Download a Backup Image and Make It Active

Outbound Telnet

CLI: show network

CLI: show telnet

CLI: transport output telnet

Main UI: Configure Telnet

CLI: Configure the Session Limit and Session Time-out

Main UI: Configure the Session Time-out

Error Disablement and Automatic Error Recovery

Loop Protection

Nondisruptive Configuration Management

Full Memory Dump

Chapter 18 Syslog

Syslog Concepts

Show Logging

CLI: Show Logging

Main UI: Show Logging

Show Logging Buffered

CLI: Show Logging Buffered

Main UI: Show Logging Buffered

Show Logging Traplogs

CLI: Show Logging Traplogs

Main UI: Show Logging Trap Logs

Show Logging Hosts

CLI: Show Logging Hosts

Main UI: Show Logging Hosts

Configure Logging for a Port

CLI: Configure Logging for the Port

Main UI: Configure Logging for the Port

Email Alerting

CLI: Send Log Messages to admin@switch.com Using Account aaaa@netgear.com

Chapter 19 SNMP

Add a New Community

CLI: Add a New Community

Main UI: Add a New Community

Enable SNMP Trap

CLI: Enable SNMP Trap

Main UI: Enable SNMP Trap

SNMP Version 3

CLI: Configure SNMPv3

Main UI: Configure SNMPv3

sFlow

CLI: Configure Statistical Packet-Based Sampling of Packet Flows with sFlow

Main UI: Configure Statistical Packet-based Sampling with sFlow

Time-Based Sampling of Counters with sFlow

CLI: Configure Time-Based Sampling of Counters with sFlow

Main UI: Configure Time-Based Sampling of Counters with sFlow

Chapter 20 DNS

Domain Name System Concepts

Specify Two DNS Servers

CLI: Specify Two DNS Servers

Main UI: Specify Two DNS Servers

Manually Add a Host Name and an IP Address

CLI: Manually Add a Host Name and an IP Address

Main UI: Manually Add a Host Name and an IP Address

Chapter 21 DHCP Server

Dynamic Host Configuration Protocol Concepts

Configure a DHCP Server in Dynamic Mode

CLI: Configure a DHCP Server in Dynamic Mode

Main UI: Configure a DHCP Server in Dynamic Mode

Configure a DHCP Server that Assigns a Fixed IP Address

CLI: Configure a DHCP Server that Assigns a Fixed IP Address

Main UI: Configure a DHCP Server that Assigns a Fixed IP Address

Chapter 22 DHCPv6 Server

Dynamic Host Configuration Protocol Version 6 Concepts

Configure DHCPv6 Prefix Delegation

CLI: Configure DHCPv6 Prefix Delegation

Main UI: Configure DHCPv6 Prefix Delegation

Configure a Stateless DHCPv6 Server

CLI: Configure a Stateless DHCPv6 Server

Main UI: Configure a Stateless DHCPv6 Server

Configure a Stateful DHCPv6 Server

CLI: Configure a Stateful DHCPv6 Server

Main UI: Configure a Stateful DHCPv6 Server

Configure the DHCPv6 Server.

Configure the DHCPv6 Relay.

Chapter 23 DVLANs and Private VLANs

Double VLANs

CLI: Enable a Double VLAN

Main UI: Enable a Double VLAN

Private VLAN Groups

CLI: Create a Private VLAN Group

Main UI: Create a Private VLAN Group

Chapter 24 STP

Spanning Tree Protocol Concepts

Configure Classic STP (802.1d)

CLI: Configure Classic STP (802.1d)

Main UI: Configure Classic STP (802.1d)

Configure Rapid STP (802.1w)

CLI: Configure Rapid STP (802.1w)

Main UI: Configure Rapid STP (802.1w)

Configure Multiple STP (802.1s)

CLI: Configure Multiple STP (802.1s)

Main UI: Configure Multiple STP (802.1s)

Configure PVSTP and PVRSTP

CLI: Configure PVSTP

Main UI: Configure PVSTP

Chapter 25 IPv6 Interface Configuration

Create an IPv6 Routing Interface

CLI: Create an IPv6 Routing Interface

Main UI: Create an IPv6 Routing Interface

Create an IPv6 Routing VLAN

CLI: Create an IPv6 Routing VLAN

Main UI: Create an IPv6 VLAN Routing Interface

Configure DHCPv6 Mode on the Routing Interface

CLI: Configure DHCPv6 mode on the routing interface

Main UI: Configure DHCPv6 mode on the routing interface

Chapter 26 PIM

Protocol Independent Multicast Concepts

PIM-DM

CLI: Configure PIM-DM

Main UI: Configure PIM-DM

PIM-SM

CLI: Configure PIM-SM

Main UI: Configure PIM-SM

Chapter 27 DHCP L2 Relay and L3 Relay

DHCP L2 Relay

CLI: Enable DHCP L2 Relay

Main UI: Enable DHCP L2 Relay

DHCP L3 Relay

Configure the DHCP L3 Server in a Windows Server Operating System

Configure a DHCP L3 Switch

Chapter 28 MLD

Multicast Listener Discovery Concepts

Configure MLD

CLI: Configure MLD

Main UI: Configure MLD

MLD Snooping

CLI: Configure MLD Snooping

Main UI: Configure MLD Snooping

Chapter 29 PTP End-to-End Transparent Clock

PTP Concepts

PTP Time Stamp Operation

PTP Transparent Clocks

Manage the PTP End-to-End Transparent Clock

CLI: Globally Disable PTP End-to-End Transparent Clock

CLI: Disable PTP End-to-End Transparent Clock for an Interface

CLI: Globally Reenable PTP End-to-End Transparent Clock

CLI: Reenable PTP End-to-End Transparent Clock for an Interface

CLI: Display the PTP End-to-End Transparent Clock Status

Chapter 30 Audio Video Bridging

AVB Concepts

MRP

MMRP

MVRP

MSRP

802.1AS

Main UM: Enable AVB on the Switch and Configure AVB on Interfaces 0/1 and 0/2

CLI: Enable AVB on the Switch and Configure AVB on Interfaces 0/1 and 0/2

Chapter 31 Link Dependency

Link Dependency Concepts

CLI: Create a Link State Group

Main UI: Create a Link State Group

Chapter 32 Captive Portals

Captive Portal Concepts

Captive Portal Configuration Concepts

Enable a Captive Portal

CLI: Enable a Captive Portal

Main UI: Enable a Captive Portal

Client Access, Authentication, and Control

Block a Captive Portal Instance

CLI: Block a Captive Portal Instance

Main UI: Block a Captive Portal Instance

Local Authorization, Create Users and Groups

CLI: Create Users and Groups

Main UI: Create Users and Groups

Remote Authorization (RADIUS) User Configuration

CLI: Configure RADIUS as the Verification Mode

Main UI: Configure RADIUS as the Verification Mode

SSL Certificates

Chapter 33 Override Factory Defaults

Override the Factory Default Configuration File

CLI: Install Another Factory Defaults Configuration File

CLI: Erase the Old Factory Default Configuration File

Chapter 34 NETGEAR SFP

Connect with a NETGEAR AGM731F SFP

Index