The expansion of large cities and the formation of agglomerations is one of the important trends in social development today. Moscow alone in 2019 should expand by 4 million square meters of housing (and this is not counting the 15 settlements that will join by 2020). Throughout this vast territory, telecom operators will have to provide users with access to the Internet. It can be both urban microdistricts with dense high-rise buildings, and more βdischargedβ cottage settlements. For these cases, the hardware requirements are somewhat different. We analyzed each of these scenarios and created a generic optical switch model, the T2600G-28SQ. In this post, we will analyze in detail the capabilities of the device, which will be of interest to telecom operators throughout Russia.
Place in the network
The T2600G-28SQ switch is designed both to work at the access layer in the network and to aggregate links from other access layer switches. It is a Layer 2600 switch that performs switching and static routing. If the operator has switched both aggregation and access (routing only in the core of the network), the T28G-XNUMXSQ will fit into any of the levels. In the case of dynamically routed aggregation, you still need to consider some restrictions on use cases.
The T2600G-28SQ is a complete active Ethernet switch without the additional limitations of xPON or similar technologies. For example, without the threat of a sharp drop in speed with an increase in the number of users or poor compatibility between equipment from different vendors and firmware. Both end users and underlying access switches with optical uplinks, such as the T2600G-28TS model, can connect to the device interfaces. The diagram below shows the most common examples of such connections.
Optical fiber or twisted pair can be used to access the end user's network. On the subscriber's side, the optical fiber can be terminated using a medium converter (media converter), for example, TP-Link MC220L; and using the optical interface in the SOHO router.
To connect a nearby client, you can use four RJ-45 ports operating at speeds of 10/100/1000 Mbps. If for some reason this is not enough, the operator can "convert" the optical interfaces of the switch to copper. This can be done using specialized "copper" SFPs with an RJ-45 connector. But such a solution cannot be called typical.
A few examples from practice
To complete the picture, here are some examples of using the T2600G-28SQ switches.
Moscow region provider , which, in addition to the Internet, provides telephony and cable TV services, uses the T2600G-28SQ at the access level when building networks in the private sector (cottages and townhouses). On the client side, the connection is made to routers with an SFP port, as well as to media converters. At the moment, SOHO routers with an SFP port are not mass-produced here, but we are certainly thinking about it.
Telecommunications operator from Pavlovo-Posadsky district uses T2600G-28SQ switches as a "small aggregation", using T2600G-28TS and T2500G-10TS switches on access.
Company group provide Internet access, TV, telephony, video surveillance systems in the southeast of the Moscow Region (Kolomna, Lukhovitsy, Zaraysk, Serebryanye Prudy, Ozyory). The approximate topology here is the same as that of the ISS: T2600G-28SQ at the aggregation level, and T2600G-28TS and T2500G-10TS at the access level.
Provider from Krasnoznamensk provides Internet access using a network with a deep penetration of optics. It is also based on the T2600G-28SQ.
In the following sections, we will briefly describe some of the features of the T2600G-28SQ. In order not to inflate the material, we left a number of options overboard: QinQ (VLAN VPN), routing, QoS, etc. We think that we can return to them in one of the following posts.
Switch Features
Redundancy - STP
STP - Spanning Tree Protocol. The spanning tree protocol has been known for a very long time, thanks to the respected Radya Perlman for this. In modern networks, administrators try to avoid the use of this protocol in every possible way. Yes, STP is not without flaws. And it is very good if there is an alternative to it. However, as is often the case, the alternative to this protocol will be highly vendor dependent. Therefore, until now, the Spanning Tree Protocol remains almost the only solution that is supported by almost all manufacturers, and is also known to all network administrators.
The TP-Link T2600G-28SQ switch supports three versions of STP: classic STP (IEEE 802.1D), RSTP (802.1W), and MSTP (802.1S).
Of these options, for most small Internet providers in Russia, the usual RSTP is quite suitable, which has one indisputable advantage over the classic version - a much shorter convergence time.
MSTP is by far the most flexible protocol, supporting virtual networks (VLANs) and allowing several different trees, which allows using all available backup paths. The administrator creates several different instances of the tree (up to eight), each serving a specific set of virtual networks.
Subtleties of MSTPNovice administrators need to be very careful when using MSTP. This is because the behavior of the protocol is different within a region and between regions. Therefore, when configuring switches, you should make sure that you stay within the same region.
What is this notorious region? A region in terms of MSTP is a set of switches connected to each other that have the following characteristics: region name, revision number, and distribution of virtual networks (VLANs) between protocol instances (instance).
Of course, the Spanning Tree protocol (any version) allows not only to deal with loops that occur when redundant channels are connected, but also to protect against cable switching errors when an engineer deliberately or unintentionally connects the wrong ports, creating a loop by his actions.
More experienced network administrators prefer to use a variety of additional options to protect the STP protocol from attacks or complex emergencies. The T2600G-28SQ offers a range of these features: Loop Protect and Root Protect, TC Guard, BPDU Protect and BPDU Filter.
Proper use of the options listed above, in conjunction with other supported security mechanisms, will stabilize the local network and make it more predictable.
Redundancy - LAG
LAG - Link Aggregation Group. This is a technology that allows you to combine several physical channels into one logical one. All other protocols stop using the physical channels included in the LAG separately and begin to "see" one logical interface. An example of such a protocol is STP.
Balancing user traffic between physical channels within the logical one is based on the hash sum. To calculate it, the MAC addresses of the sender, recipient, or a pair of them can be used; as well as the IP addresses of the sender, recipient, or a pair of them. Layer XNUMX protocol information (TCP/UDP ports) is not taken into account.
The T2600G-28SQ switch supports static and dynamic LAGs.
To coordinate the parameters of the dynamic group, the LACP protocol is used.
Security - Access Lists (ACLs)
Our T2600G-28SQ switch allows you to filter user traffic using Access Control Lists (ACLs).
Supported access lists can be of several different types: MAC and IP (IPv4/IPv6), combined, and also for performing content filtering. The number of access lists of each type supported depends on the SDM template currently in use, which we described in another section.
The operator can use this option to block various unwanted traffic on the network. An example of such traffic would be IPv6 packets (using the EtherType field) if the corresponding service is not provided; or block SMB on port 445. On a network with static DHCP/BOOTP addressing, traffic is not required, so using ACLs, the administrator can filter UDP datagrams on ports 67 and 68. You can also disable local IPoE traffic using ACLs. Such blocking may be required in the networks of operators using PPPoE.
The process of using access lists is extremely simple. After creating the list itself, you need to add the required number of entries to it, the type of which directly depends on the custom sheet.
Setting up access lists
It is worth noting that access lists can perform not only the usual operations of allowing or denying traffic, but also redirecting it, mirroring it, as well as re-marking it or limiting it in speed.
Once all required ACLs have been created, the administrator can set them up. You can attach an access list to either a direct physical port or to a specific virtual network.
Security - number of MAC addresses
Sometimes operators need to limit the number of MAC addresses that the switch will learn on a particular port. Access lists achieve this effect, but require explicit specification of the MAC addresses themselves. If you only need to limit the number of channel addresses, but not specify them explicitly, port security will come to the rescue.
Such a restriction may be required, for example, to protect against connecting an entire local network to one provider switch interface. Here it is worth mentioning that we are talking about a dial-up connection, because when connected using a router on the client side, the T2600G-28SQ will learn only one address - this is the MAC belonging to the WAN port of the client router.
There is a whole class of attacks against the switching table. It can be both table overflow and MAC spoofing. The port security option will protect against bridge table overflows and attacks aimed at intentionally retraining the switch, poisoning its bridge table.
It is impossible not to mention the simply failing client equipment. It is not uncommon for a malfunctioning computer network card or router to create a stream of frames with completely arbitrary sender and recipient addresses. Such a flow can easily deplete the CAM.
Another way to limit the number of bridge table entries in use is through the MAC VLAN Security tool, which allows an administrator to specify the maximum number of entries for a specific virtual network.
In addition to managing dynamic entries in the switching table, the administrator can also create static entries.
The maximum bridge table of the T2600G-28SQ model can accommodate up to 16K entries.
Another option designed to filter the transmission of user traffic is the Port Isolation function, which allows you to explicitly specify in which direction forwarding is allowed.
Safety - IMPB
In the vastness of our vast homeland, the approach of telecom operators to network security issues varies from complete disregard to the maximum possible use of all options supported by equipment.
The IPv4 IMPB (IP-MAC-Port Binding) and IPv6 IMPB functions allow you to protect yourself from a whole range of attacks related to IP and MAC address spoofing by subscribers by binding IP and MAC addresses of client equipment to the provider's switch interface. Such binding can be done manually, or using the ARP Scanning and DHCP Snooping functions.
IMPB basic settings
In fairness, it should be said that a special function, DHCP Filter, can be used to protect the DHCP protocol.
With this feature, the network administrator can manually specify the interfaces to which real DHCP servers are connected. This way, rogue DHCP servers can't sneak into the IP negotiation process.
Security - DoS Defend
The model under consideration allows you to protect users from several of the most well-known and previously widespread DoS attacks.
Most of these attacks are no longer a threat to devices with modern operating systems, however, our networks can still meet those for which the last software update was made many years ago.
DHCP support
The TP-Link T2600G-28SQ switch can act as a DHCP server or relay, and perform a variety of DHCP message filtering if another device acts as a server.
The easiest way to provide users with the IP parameters they need to operate is to use the switch's built-in DHCP server. With its help, the main parameters can already be given to subscribers.
We connected our Archer C6 SOHO router to one of the switch interfaces and verified that the client device successfully obtained an address.
It looks like this
The DHCP server built into the switch is perhaps not the most scalable and flexible solution: there is no support for non-standard options, there is no connection with IPAM. If the operator needs more control over the process of allocating IP addresses, then a dedicated DHCP server will be used.
T2600G-28SQ allows you to specify a separate dedicated DHCP server for each user subnet, to which messages of the discussed protocol will be redirected. The subnet is selected by specifying the appropriate L3 interface: VLAN (SVI), routed port or port-channel.
To test the functionality of the relay, we configured a separate router from another vendor to act as a DHCP server, the settings of which are presented below.
R1#sho run | s pool
ip dhcp pool test
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8The client router successfully obtained an IP address again.
R1#sho ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.0.2 010c.8063.f0c2.6a May 24 2019 05:07 PM AutomaticUnder the spoiler - the contents of the intercepted packet between the switch and a dedicated DHCP server.
Package contents
It should be noted that Option 82 is supported by the switch. When enabled, the Switch will add information about the user interface from which the DHCP Discover message was received. In addition, the T2600G-28SQ model allows you to configure the policy for processing the information added when inserting option No. 82. The presence of support for this option can be useful in a situation where the subscriber needs to be given the same IP address, regardless of what client identifier (client-id) reports about himself.
The figure below shows a DHCP Discover message (transmitted by relay) with option #82 added.
Message with option #82
Of course, option No. 82 can be controlled without configuring a full-fledged DHCP relay, the corresponding settings are presented in the βDHCP L2 Relayβ sub-item.
And now let's change the DHCP server settings to demonstrate the operation of option #82.
R1#sho run | s dhcp
ip dhcp pool test
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8
class option82_test
address range 192.168.0.222 192.168.0.222
ip dhcp class option82_test
relay agent information
relay-information hex 010e010c74702d6c696e6b5f746573740208000668ff7b66f675
R1#sho ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.0.222 010c.8063.f0c2.6a May 24 2019 05:33 PM AutomaticThat's about as
The DHCP interface relay function will be useful in a situation where the switch not only has an L3 interface connected to a specific network, but also this interface has an IP address. In the absence of an address on such an interface, the DHCP VLAN relay function will come to the rescue. The subnet information in this case is taken from the default interface, that is, the address spaces in several virtual networks will be the same (overlapping).
Often, operators also need to protect subscribers from erroneous or malicious inclusion of a DHCP server on client equipment. We decided to discuss this functionality in one of the sections devoted to security issues.
IEEE 802.1X
One way to authenticate users on a network is to use the IEEE 802.1X protocol. The popularity of this protocol in the networks of telecom operators in Russia is already on the decline, it is still used mainly in the local networks of large companies to authenticate internal users of the organization. The T2600G-28SQ switch has 802.1X support, so if necessary, the provider can easily use it.
The IEEE 802.1X protocol requires three participants: the client equipment (supplicant), the provider's access switch (authenticator), and the authentication server (usually a RADIUS server).
The basic configuration on the part of the operator is extremely simple. It is only required to specify the IP address of the RADIUS server used, on which the user database will be stored, as well as select the interfaces for which authentication is required.
Basic 802.1X setup
There is also some minor configuration required on the client side. All modern operating systems already contain the necessary software. But if necessary, you can install and use TP-Link 802.1x Client - an application that allows you to authenticate a client on the network.
When connecting the user's PC directly to the provider's network, the authentication settings must be activated for the network card used for the connection.
However, at present, not the user's computer is usually connected to the operator's network, but a SOHO router that ensures the functioning of the subscriber's local network (both wired and wireless segments). In this case, all 802.1X protocol settings must be made directly on the router.
It seems to us that in carrier networks this authentication method is undeservedly forgotten. Yes, hard binding of a subscriber to a switch port may be a simpler solution in terms of user equipment settings. But if the use of a login and password is necessary, then 802.1X will not be such a heavyweight protocol compared to the connections used based on PPTP / L2TP / PPPoE tunnels.
PPPoE ID Insertion
Many users not only in our country, but throughout the world still prefer to use extremely simple passwords. Yes, and cases of theft of credentials, alas, are not uncommon. If the operator uses the PPPoE protocol for user authentication in its network, then the TP-Link T2600G-28SQ switch will help solve the problem associated with the leakage of credentials. This is achieved by adding a special label to the PPPoE Active Discovery message. Thus, the provider can authenticate the subscriber not only by login and password, but also by additional data. Such additional data includes the MAC address of the client device, as well as the switch interface to which it is connected.
Some operators, in principle, want to prohibit the subscriber (a pair of login and password) from navigating the network. The PPPoE ID Insertion feature will help in this case too.
IGMP
IGMP (Internet Group Management Protocol) has been around for decades. Its popularity is quite understandable and easily explained. But IGMP interaction involves two parties: the user's PC (or any other device, for example, STB) and the IP router serving a certain network segment. Switches do not participate in this exchange in any way. However, the last statement is not entirely true. Or in modern networks is not true at all. Support for the IGMP protocol on the part of the switches is necessary in order to optimize the forwarding of multicast traffic. Listening to user traffic, the switch detects IGMP Report messages in it, with the help of which it determines the ports for forwarding multicast traffic. The described option is called IGMP Snooping.
Support for the IGMP protocol can be used not only to optimize traffic as such, but also to determine the subscribers who can be provided with a particular service, for example, IPTV. You can achieve the desired goal both by manually setting the filtering parameters, and by using authentication.
Support for multicast traffic on TP-Link switches is implemented quite flexibly. So, for example, all parameters can be set for each virtual network separately.
If multiple subnets are connected to the same interface of the router, where multicast recipients are located, then this router will be forced to send several copies of packets through this interface (one for each virtual network).
In this case, you can optimize the procedure for forwarding multicast traffic using the MVR technology - Multicast VLAN Registration.
The essence of the solution is that one virtual network is created that unites all recipients. However, this virtual network is only used for multicast traffic. This approach allows the router to send only one copy of the multicast traffic through the interface.
DDM, OAM and DLDP
DDM - Digital Diagnostic Monitoring. During the operation of optical modules, it is often necessary to monitor the state of the module itself, as well as the optical channel to which it is connected. The DDM function will help to cope with this task. With its help, the operator's engineers will be able to monitor the temperature of each module that supports this functionality, its voltage and current, as well as the power of the sent and received optical signals.
Setting threshold levels for the previously described parameters will allow you to generate an event if they go beyond the allowable range.
Setting DDM thresholds
Naturally, the administrator can view the current values ββof the specified parameters.
The TP-Link T2600G-28SQ switch has an active air cooling system. Moreover, we have never experienced overheating of SFP modules in our switches due to port density. However, if such a possibility is admitted purely in theory (for example, due to some problem inside the SFP module), then using DDM, the administrator will be immediately notified of a potentially dangerous situation. The danger here, obviously, is not for the switch itself, but for the diode / laser inside the SFP, since with an increase in its temperature, degradation of the power of the emitted optical signal can occur, which will lead to a decrease in the optical budget.
It is also worth noting here that TP-Link switches do not have a vendor lock βfunctionβ, that is, any compatible SFP modules are supported, which, of course, will be very convenient for network administrators.
OAM - Operation, Administration, and Maintenance (IEEE 802.3ah). OAM is the layer XNUMX protocol of the OSI model for monitoring and troubleshooting Ethernet networks. With this protocol, the switch can monitor the performance of a certain connection and errors, generate alerts so that the network administrator can manage the network more efficiently.
Basic OAM setup
Details of how OAM worksTwo neighboring devices that support OAM perform a periodic exchange of messages by sending OAMPDUs, which are of three types: Informational, Event Notification, and Loopback Control. With the help of informational OAMPDUs, neighboring switches send statistical information to each other, as well as data defined by the administrator. Also, this message type is used to maintain a connection via the OAM protocol. Event Notification messages are used by the connection monitoring function to notify the other side of failures that have occurred. Loopback Control messages are used to detect a loop on a line.
Below we decided to list the main features provided by the OAM protocol:
- environment monitoring (detection and counting of broken frames),
- RFI - Remote Failure Indication (sending notification of a failure on the channel),
- Remote Loopback (channel testing to measure delay, delay variation (jitter), number of lost frames).
Another option that is in demand on optical switches is the ability to detect problems on the communication channel, leading to the fact that the channel becomes simplex, that is, data can only be sent in one direction. Our switches use the Device Link Detection Protocol (DLDP) to detect unidirectional links. In fairness, it should be noted that the DLDP protocol is supported both on optical and copper interfaces, however, in our opinion, it will be most in demand when using fiber optic lines.
When a unidirectional link is detected, the switch can automatically turn off the problematic interface, which will rebuild the STP tree and use redundant communication channels.
In our arsenal, there are SFP modules that receive and transmit a signal over a single fiber. They work exclusively in pairs and use an optical signal at different wavelengths to transmit within the pair. An example is a pair of TL-SM321A and TL-SM321B. When using such modules, damage to one fiber will lead to the complete inoperability of the entire optical channel. However, DLDP will also be required on such channels, since, although this happens extremely rarely, the channel may have different transparency characteristics for different wavelengths. A more likely problem is the different transparency of the channel depending on the direction of light propagation. A reflectogram will help to detect these problems, but that's a completely different story.
LLDP
In large corporate or operator networks, problems periodically arise with outdated documentation for the network or inaccuracies in its compilation. A network administrator may be faced with a situation where it is necessary to find out which operator equipment is actually connected to a particular switch interface. LLDP - Link Layer Discovery Protocol (IEEE 802.1AB) will come to the rescue.
LLDP Functional Parameters
Our switches support the LLDP protocol, not only to discover neighboring switches or other network devices, but also to determine their capabilities.
The copper counterparts of our switch can use LLDP-MED to simplify the process of connecting IP phones. Also, with this option, the PoE switch can negotiate power settings with the powered device. We have already talked about this in some detail in one of our .
SDM and oversubscription
Almost all modern switches process passing frames and packets without the use of a central processor. Processing (checksum calculation, application of access lists and other security checks, as well as switching / routing decisions) is carried out using specialized chips, which allows achieving high speeds of user traffic. The discussed switch allows you to process traffic at the speed of the medium. This means that the performance of the device is sufficient to send data at the highest possible speeds of all ports simultaneously. The T2600G-28SQ model has 24 downlink ports (towards users) operating at 1 Gbps, as well as 4 uplink ports (towards the network core) at 10 Gbps. At the same time, the switch's cross-bus performance is 128 Gb / s, which is enough to handle the maximum amount of incoming traffic.
In fairness, it should be noted that the performance of the switching matrix is ββ95,2 million packets per second. That is, when using the minimum possible frames with a length of only 64 bytes, the total device performance will be 97,5 Gb / s. However, such a traffic profile is almost unbelievable for carrier networks.
What is an oversubscriptionAnother important issue is the ratio of uplink and downlink speeds (oversubscription). Here, obviously, everything depends on the topology. If the administrator uses all four 10 GE interfaces to connect to the network core and combines them using LAG (Link Aggregation Group) or Port-Channel technology, then the statistically obtained speed towards the core will be 40 Gbps, which will be more than enough to satisfy needs of all connected subscribers. Moreover, it is not necessary that all four uplinks are connected to the same physical device. The connection can be made to a stack of switches, or to two devices united in a cluster (using vPC technology or similar). There is no oversubscription in this case.
You can use all four uplinks at the same time not only by combining them using LAG. A similar effect can be achieved with a proper MSTP setup, but that's another story.
The second common L2 connection method is to use two independent LAGs (one to each aggregation switch). In this case, most likely, one of the virtual links will be blocked by the STP protocol (when using STP or RSTP). The oversubscription will be 5:6.
A more rare, but still quite probable situation: the T2600G-28SQ is connected by independent channels to the upstream switch or switches. The STP/RSTP protocol will leave only one such link in an unlocked state. The oversubscription will be 5:12.
Asterisk task: Calculate oversubscription for the situations described in the STP section, where we looked at an example topology when two access switches are connected to the same aggregation device and interconnected.
Programmable chips, which achieve such a high transfer rate, are a rather expensive resource, so we try to optimize their use by properly allocating resources between various functions. SDM - Switch Database Management is responsible for distribution.
Distribution is done using an SDM profile. There are currently three profiles available for use, listed below.
- Default offers a balanced solution for using MAC and IP access lists as well as ARP discovery entries.
- EnterpriseV4 allows you to maximize the resources available for use by MAC and IP access lists.
- EnterpriseV6 allocates some resources for use by IPv6 access lists.
The switch must be rebooted to apply the new profile.
Conclusion
In accordance with the original positioning, this switch is the best choice for telecom operators who are faced with the task of providing network access over long distances. The device can be used both at the access level, for example, in cottage settlements and townhouses, and for aggregating channels coming from access switches located in apartment buildings; that is, wherever remote object connections are required. When using optical communication channels, the connected subscriber can be located at a distance of up to several kilometers.
On the client side, optical links can be terminated on small switches with optical interfaces or on media converters.
A large number of supported protocols and options will allow the T2600G-28SQ to be used in an operator's Ethernet network with any topology and any set of technologies used and services provided. The switch is controlled remotely using a web interface or command line. If you need local settings, you can use the console port, in the T2600G-28SQ model there are two of them: RJ-45 and micro-USB. As a small fly in the ointment, we note the lack of support for stacking and a second power supply. True, usually outside the data centers of providers, the presence of a second electric line will be rare anyway.
Its advantages include a low price, a large number of subscriber optical ports, the presence of 10 GE optical uplinks, as well as four combo ports and traffic forwarding at medium speed.
Source: habr.com