Organization > Group >Settings > Device Management 

Actions > DHCP Snooping 

Prevent unauthorized DHCP servers offering IP addresses to DHCP clients. 

When this is enabled, DHCP server discovery messages will only be forwarded to switch ports that are configured with the  “Allow DHCP Server” option in port details.. 

Default setting: disabled

4

1: Logon to InControl and create a separate group for your Peplink switch. Add the switch serial number and follow the onscreen instructions.

2: Connect an active ethernet connection to one of the numbered switch ports 1 to 24.

3: The Switch will show online in InControl if InControl management is enabled on the switch and the switch is able to connect to the InControl servers (the marker on the map will change from red to green).

Tip: If a device appears offline in InControl ,check the following knowledge base article for a solution:

https://forum.peplink.com/t/faq-why-does-my-device-appear-offline-on-incontrol-2-even-though-the-device-has-an-internet-connection/ 

InControl management needs to be enabled to allow the Peplink Switch to be configured through InControl.This setting is enabled by default.

The settings can be changed in the local web interface of the Switch.

In Incontrol, browse to the Device Details page.
If it is not online, log on to the local web admin interface of the switch as described above.

Navigate to System > InControl, and then click the “Allow InControl Management” button.

Click the “Apply Changes” text on the top-right corner to save your changes.
When InControl management has been enabled you can access the web admin interface of the switch using InControl.
Select: Settings > Remote Web Admin to connect to the Switch’s web admin interface.

Organization > Group >Settings > Device Management

The InControl Group Settings device details shows tags, product name, uptime, online time clients and firmware for each device.
This pageview also allows you to configure switch specific options through the “actions “drop-down list.

Spanning Tree Protocol (STP) uses Spanning Tree Algorithm to avoid network loops in layer 2 devices. STP works when multiple switches are used with redundant links avoiding Broadcast Storms, Multiple Frame Copies & Database instability.

The priority field specifies the bridge priority for root switch election.
The switch with the lowest bridge priority is elected as the root switch (Default value: 32768).

Organization > Group > Network Settings > VLAN Networks

From the available InControl Group settings, the Network Settings > VLAN Networks has several Switch-specific settings and behaviors.

VLANs configured on a device but not on InControl are “device managed”, which means that InControl will not manage them. VLANs configured on both a device and InControl are “InControl managed”, which means that: InControl will control their Name and Captive Portal settings. Their IP and DHCP settings will be kept intact. When a VLAN is removed from InControl, it will be removed from the device as well.

If a VLAN gets defined on InControl, but not yet on the device, it will be defined on the device as well. 

Its IP address will follow the Default IP Address setting. The DHCP server will be enabled with default settings.

When a Switch is added to a group in InControl, a Management Port and Management VLAN are imported from the local Switch to InControl.

By default, this VLAN is applied on any device that is added to this group. Each VLAN can be applied to a selection of devices in the group by using tags. Tags can be configured in the device details.

Detailed management VLAN network settings:

To add a new VLAN click on the “Add VLAN Network” button in the Network settings > VLAN Networks section of InControl.

Enter the desired parameters and click “Save” to apply the settings.

This setting is only applicable to all Peplink SD Switches’ trunk ports which are configured with the “Accept Frame Type” option set to “All”. When any untagged frames or frames tagged as this VLAN enter into those trunk ports, they will be assigned to this VLAN. Any frames on this VLAN leaving from those trunk ports will be untagged.

By default, the default VLAN ID is set to 1. 

When any untagged frames or frames tagged as 1 enter into any Peplink SD Switch’s trunk ports which are configured with Accept Frame Type option set to “All”, the frames will be assigned to VLAN 1. Any frames on VLAN 1 leaving from those ports will be untagged. After review, this setting needs to be saved once to confirm. 

Tip 1: If you want untagged frames to be forwarded between trunk ports only and do not want them to leave from any access port, you could create an extra VLAN and set it as the default VLAN. 

Tip 2: If you do not want to accept any untagged frames, change all trunk ports’ Accept Frame Type option to “VLAN tagged only”.

The Device Details page shows the following detailed information about the the SD-Switch:

Device name, tags, location, and notes can be changed through the “Edit” link:

Select the Save button on the bottom of this page to save the settings and return to the device details page.

Or Cancel to discard changes and return to the Device Settings page.

The Port List Shows the available switch ports and their status. When hovering over an individual port additional information is shown for that particular port.

Port 1 through 24 are RJ45 ports (ethernet)

Port 25 and 26 are SFP+ ports (fibre)

Additional port details appear when clicking on an individual port from the device details page.

Single or multiple ports can be selected and edited.

^ Configurable options on SFP+ ports are similar as above; but configurable port speeds are between 100 Mbps Full Duplex up to 10 Gbps Full Duplex.

* Frame Type setting determines whether the frame should be accepted or discarded. 

This option is only configurable when Port Type is set to “Trunk” and “VLan Networks” is set to “All”. 

Available options are: 

• VLAN Tagged Only : Only accept frame types from VLANs( Tagged) 

• All: accept both tagged and untagged frames; when any untagged frames or frames tagged as this VLAN enter into those trunk ports, they will be assigned to this VLAN. Any frames on this VLAN leaving from those trunk ports will be untagged

* The option “Allow DHCP server” is only visible in the InControl port options when DHCP snooping on the switch is enabled on the switch.

When DHCP snooping is enabled on the switch, this option enables DHCP snooping for the individual ports, setting the option as per the default setting on the device “trusted or untrusted”.

The port list can be shown or hidden by clicking on the show/hide button under the ports.

This will show (or hide) a table showing port details.

IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form a single link layer interface, also known as a link aggregation group (LAG).

The maximum interfaces per LAG is 24. 

The advantages of link aggregation in contrast with connections using an individual port include:

• higher throughput speed compared to an individual port
• higher accessibility

To configure a Link Aggregation Group (LAG), click Edit after selecting multiple ports. Enable Link Aggregation by selecting the checkbox next to Link Aggregation. The LAG can be set to Active or Passive.

LACP needs to be set to active on 1 side at least for LACP to work.

Details of Connected Clients and Hourly, Daily, or Monthly Power Usage for each Port is shown in a graph on the same page.

Search through the SD Switch event logs, filter results by topic, time, client and details. 

Download the event log in .csv format.

View client details from client devices connected to the SD Switch.

The InControl settings section gives access to the Remote Web Interface of the Switch. You can also control firmware management for all devices in this InControl group and Device Tools. 

Settings > Remote Web Admin

Remote Web Admin opens the web admin interface of the SD Switch in a separate tab.

Settings > Firmware Management

The Device Details page shows the following detailed information about the SD-Switch.

When hovering over a port, a popup window with port details displays the following information:

VLANs are configured in the Configure > Network Settings section of the Switch web interface.

The default VLAN is marked with a * in the overview. VLANs that are managed by InControl are marked with a cogwheel.  To define a new VLAN select the “New LAN” option.

On the following screen, enter your desired parameters. 

⚠ This is a global value; when the VLAN is saved as Default VLAN it will be synchronised with InControl and applied to all the devices with a tag “SD switches” in the same InControl group!

*The IP address (optional) and the IP address for inter VLAN routing can be defined for each VLAN. The IP addresses need to be in the same subnet. 

Spanning Tree Protocol (STP) uses the spanning tree algorithm to avoid network loops in layer 2 devices. When multiple switches are used with redundant links, STP is utilized to avoid Broadcast Storms, Multiple Frame Copies, and Database instability.

A – Advanced feature. Click the button on the top right-hand corner to activate.

Loop Protection protects the network from loops by checking loop detection packets. The active ports send and detect the loop detection packets while the passive ports only detect the packets. Loop detection will occur when a port receives the same packet. When this happens, the port is disabled for the Recovery Time period in order to prevent the loop. Default Recovery Time is 180 seconds.

Per-port loop protection availability and active / passive mode can be defined in the Port Settings page.

When DHCP Snooping is enabled, the DHCP request messages will be forward to trusted ports only and only allow reply  packets rom trusted ports.

When DHCP snooping is enabled all ports are either configured to be “trusted” or “untrusted” ports by default.
Each switch port can then be configured to be a “trusted” or “untrusted” port.

QoS Classification prioritizes network traffic into 8 different categories of class of service (CoS) according to the tag protocol technologies being chosen. Each CoS provides different levels of priority and bandwidth limit.

QoS Classification supports DSCP or 802.1p PCP. Switching between them will automatically remove all DSCP / 802.1p PCP classification settings. Activating QoS Classification resets all related configurations such as Class of Services and DSCP Classification.

The Class of Services defines the bandwidth limit (in Mbps) of each CoS, which indicates the traffic priority.

The DSCP Classification is to define the mapping of DSCP values of the packets to CoS. Without explicit mapping configured, packets are classified as Default CoS.

Ingress ACL

Switch ports can be configured to limit access using an Ingress Access Control List (ACL).

The purpose of ingress (inbound) ACL is to specify the types of network traffic that are allowed in the device in the network.

Configurable Rule options:

Port-based Authentication (802.1.X)

The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated wired access to Ethernet networks. Access to the port can be denied if the authentication process fails.

After configuring your radius server with the required authentication methods, enable port authentication on the Peplink switch by selecting the checkbox and configuring the other required fields

A new configurable option “Authentication Method” will appear in “Port Settings” when this option is saved and applied. See Standalone menu options > Configure > Interfaces > Switch Ports.

With port mirroring enabled, the switch sends a copy of all network packets seen on one or more ports to another port, where the packet can be analyzed. The destination port is configured in this section. Mirror ports can be defined under the Port Settings page.

IGMP snooping allows us to constrain our multicast traffic by listening to IGMP traffic between the router and hosts. The switch maintains a map of which links need which IP multicast streams. Multicasts may be filtered from the links which do not need them and thus controls which ports receive specific multicast traffic.

To enable IGMP snooping tick the enable checkbox. IGMP snooping is on a per-LAN basis, add new entries to the IGMP snooping table to activate IGMP snooping on a particular LAN.

Configure an IGMP snooping querier to send membership queries. 

When an IGMP snooping querier is enabled, it sends out periodic IGMP queries that trigger IGMP report messages from hosts that want to receive IP multicast traffic.

For each port, you can set PoE scheduling, port type (Trunk and Access), as well as the VLAN which they belong to. 

Navigate to Configure > Switch Ports and then click the pen icon for the port you wish to configure.

On the following screen, enter your desired parameters.

The configurable settings are:

** PVID option is only configurable when Port Type is set to “Trunk”.

** Default CoS is only configurable when QoS Classification is enabled and default CoS is set to “Defined in Port Settings”. 

** Authentication Method is only visible after configuring Port-based 802.1X Authentication. The available options are:

• Forced Authorized – The port is forced to be in authorized state and network access is permitted.
• Forced Unauthorized – The port is forced to be in unauthorized and network access is prohibited.
• Port-based 802.1X – The port performs 802.1X authentication against a RADIUS authentication server. 

The port is in authorized state with successful authentication. Otherwise, it is in an unauthorized state. 

For aggregated ports, force authorized is used.

RSTP will be disabled when force unauthorized or port-based 802.1X is selected.

After making changes, click “Save” and then click the “Apply Changes” button on the top-right corner of the interface.

LACP (802.3ad) Configuration

LACP is part of the IEEE specification 802.3ad and allows you to bundle several physical ports to form a single logical channel.
Bundling multiple physical ports into a single logical link allows you to increase throughput beyond the limitations of a single connection and provides redundancy in case one link goes down.

Select multiple ports by clicking on them and selecting the Link Aggregation checkbox to enable link aggregation for the selected ports.

Batch Configuration

Configure multiple ports at once by selecting multiple ports.

This field allows you to choose the external access connection method which are: 

• Auto – Scan through all VLAN IDs (1-4094) to obtain a connection by DHCP.
• Custom – Connection will be obtained from the defined VLAN by the defined method (i.e. DHCP or Static IP).

The USB port on the switch allows you to connect a USB modem to allow remotely access the switch for OOBM (Out-of-band-management)  when it has lost all other external network access.

The connected USB Modem will remain in cold standby mode until the external access connection fails to contact the Peplink InControl server.
This option is only enabled when the SD Switch is configured through InControl.

A list of compatible USB modems are available on our website:

https://www.peplink.com/technology/4g3g-modem-support/

The RADIUS server on the SD-Switch allows you to configure multiple RADIUS server profiles. You may click “New Profile” to create to define the RADIUS server Authentication and Accounting profile. .

Authentication Server settings

Accounting Server settings

The Admin Security page allows you to configure the following settings:

Authentication by RADIUS

When this option is enabled, the web admin will authenticate using an external RADIUS server. Authenticated users are treated as “admin” users with full read-write permission. Local “admin” and “user” accounts will be disabled.
However, when the device fails to communicate with the RADIUS server, local accounts are enabled to allow emergency access.

The Authentication Protocols supported are MS-CHAPv2 and PAP.

Authentication by TACACS+

When this option is enabled, the web admin will authenticate using an external TACACS+ server. Authenticated users are treated as “admin” users with full read-write permission. Local “admin” and “user” accounts will be disabled.
However, when the device fails to communicate with the TACACS+ server, local accounts are enabled to allow emergency access.

Management Port Settings

Configure the management port IP address and subnet mask.

Other Web Admin Access Settings

Select the allowed VLAN network to manage the SD-Switch.

You can either click the Check for Firmware button to contact the firmware server to check for new firmware or manually upgrade the SD-Switch with a downloaded firmware file.

Firmware can be downloaded from the Peplink website: https://www.peplink.com/support/downloads/

This section allows you to select a Time Zone and configure a Time Server.

Schedules can be created and applied to port PoE settings.

Establish a Scheduling Profile

To Define a schedule, navigate to System > Schedule and then click the “New Schedule” button.

The following screen will appear. Enter the desired name and click the grid to define your schedule and then click “Save”. 

Click the “Apply Changes” text on the top-right corner to save your changes.

The feature Email Notification allows email to be sent to the listed recipient email addresses when the following events take place:

• Email notification test
• A new firmware version is available
• Health status changes for any USB Modem (OOBM)  connection

Click the button Test Email Notification and click Send Test Notification to send a testing email.

Remote Syslog allows syslog messages to be sent to a specified remote syslog server.
You can configure a remote syslog host either in the form of an IP address or a server domain name.
The default Syslog port used and configured is UDP 514; this is an option that can be configured to use a different port.

SNMP or Simple Network Management Protocol is an open standard that can be used to collect information about the SD Switch.

To add a community for either SNMPv1 or SNMPv2, click the Add SNMP Community button in the Community Name table, upon which the following screen is displayed:

To define a username for SNMPv3, click Add SNMP User in the SNMPv3 User Name table, upon which the following screen is displayed:

InControl is a cloud-based service which allows you to manage all of your Peplink and Pepwave devices with one unified system. With it, you can generate reports, gather statistics, and configure your devices automatically. All of this is now possible with InControl.

When the InControl settings is  configured to “enable!”  the device’s status information will be sent to the
Peplink InControl system and the switch can be managed from InControl. 

When this setting is configured as “enable (restricted to status reporting only)” the switch is managed through the local web interface but can be monitored from InControl.

When this setting is “disabled” the switch is managed completely from the local web admin interface.

This device’s usage data and configuration will be sent to the system if you enable the features in the system. Alternately, you could also privately host InControl. Simply check the box beside the “Privately Host InControl” open, and enter the IP Address of your InControl Host. You can sign up for an InControl account at https://incontrol2.peplink.com. You can register your devices under the account, monitor their status, see their usage reports, and receive offline notifications.

Backing up the Peplink SD Switch  settings immediately after successful completion of initial setup is strongly recommended. The functionality to download and upload Peplink Switch settings is found at System>Configuration.

Reboot the switch. For maximum reliability, the Peplink SD Switch Series stores two copies of firmware, and each copy can be a different version of firmware. You can select the firmware version you would like to reboot the device with. The firmware marked with (Running) is the current system boot up firmware.
Please note that a firmware upgrade will always replace the inactive firmware Partition.

The ping test tool sends pings to a destination of choice through a specific connection. You can specify the number of pings in the field Number of times to a maximum number of 10 times. Packet Size can be set to a maximum of 1472 bytes.
A system administrator can use the ping utility to manually check the connectivity of a particular LAN/WAN connection.

The traceroute test tool traces the routing path to a particular destination through a specific connection.
A system administrator can use the traceroute utility to analyze the connection path of a LAN/WAN connection.

Wake-on-LAN is a technology that allows a network professional to remotely power on a computer or to wake it up from sleep mode (if this is supported by the client device).
Select a client from the drop-down list and click Send to remotely power on the client device.

This page display the device’s system information.

This page shows the status of the SD-switch STP bridge ID and Root ID

This page lists all clients on LANs accessible to the SD-Switch. It lists client IP addresses from one or more VLANs, names, current download and upload rate, MAC address, VLAN, and Port used. Assign a name to a client by clicking on the Name field of the client and inputting a name.

The log section displays a list of events that has taken place on the SD-Switch. Check Auto Refresh to refresh log entries automatically. Click the Clear Log button to clear the log.

Usage reports show the bandwidth usage in MB or GB for all VLANs or individual VLANs. Choose between Hourly, Daily and Monthly usage reports.