Speed limit on D-Link switch ports

We will use the bandwidth capping command “config bandwidth_control
Write it in the following order:

config bandwidth_control PORTS rx_rate no_limit/VALUE 64-1024000 tx_rate no_limit/VALUE 64-1024000

The value is set in kilobits, for example, to limit the client at port 5 of the incoming rate to 50 megabit, use the command:

config bandwidth_control 5 tx_rate 51200

View bandwidth_control parameters:

show bandwidth_control 5

An example of limiting the incoming and outgoing speeds of 1 megabit per port from 1 to 24:

config bandwidth_control 1-24 tx_rate 1024 rx_rate 1024

To remove the limit use the command:

config bandwidth_control 1-24 tx_rate no_limit rx_rate no_limit

You can configure it via the web-interface by opening the menu “QoS” -> “Bandwidth Control” and you need to specify the parameters in the cells and click the “Apply “.

Configuring the D-Link DES-3528 Switch

Today I configured the next switch D-Link DES-3528.

I will lay out the configuration below and briefly describe it.
When typing commands, you can use the TAB key so that the switch offers options, and after any command through a space, you can write a question mark “?” and see possible subcommands.

To view the current switch configuration, use the command:

show config current_config

Let’s get started.
We connect to the switch with a console cable at the speed of 9600 or at the standard IP address 10.90.90.90 and add the administrator (initially the login without login and password):

create account admin admin

Enable password encryption so that it is not stored in the config file open:

enable password encryption

Add vlan for management and for users (I have 207 core for management, 226 for users, 25 use port as uplink):

create vlan core tag 207
config vlan core add tagged 25
create vlan local_smart tag 226
config vlan local_smart add untagged 1-28
config port_vlan 1-28 acceptable_frame admit_all pvid 226
config vlan default delete 1-28

Change the IP address of the switch and specify the gateway:

config ipif System ipaddress 192.168.0.50/24 vlan core
create iproute default 192.168.0.1 1 primary

Let’s enable the restriction of broadcast traffic on client ports:

config traffic control 1-24,26-28 broadcast enable action drop broadcast_threshold 100 countdown 0 time_interval 5

Enable loop protection on client ports:

enable loopdetect
config loopdetect recover_timer 300 interval 10 mode port-based
config loopdetect log state enable
config loopdetect ports 1-24,26-28 state enable
config loopdetect trap loop_detected

Enable traffic segmentation so that clients do not see each other:

config traffic_segmentation 1-24,26-28 forward_list 25
config traffic_segmentation 25 forward_list 1-24,26-28

We will enable DHCP server locks on the client side so that they do not distribute IP:

config filter dhcp_server ports 1-24,26-28 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap_log enable

Let’s specify which IPs are allowed to log on to the switch (so that users do not see it):

create trusted_host network 192.168.0.2/32 snmp telnet ssh http https ping
create trusted_host network 192.168.1.5/32 snmp telnet ssh http https ping

Set up SNMP if you need it:

enable snmp
delete snmp community public
delete snmp community private
delete snmp user initial
create snmp community NAME view CommunityView read_only

Turn on the protection against BPDU flood:

enable bpdu_protection
config bpdu_protection recovery_timer 2400
config bpdu_protection log none
config bpdu_protection ports 1-24,26-28 state enable
config bpdu_protection ports 1-28 mode drop

Enable switch protection so that if the processor is fully loaded, you can go to it:

config safeguard_engine state enable utilization rising 100 falling 95 trap_log enable mode fuzzy

If necessary, configure the time synchronization with the NTP server:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 10.0.0.18 poll-interval 5000

This completes the basic configuration of the D-Link DES-3528 switch.

Configuring the D-Link DES-3028 Switch

Today, I configured the next switch D-Link DES-3028, the firmware was 2.94.B07.

And so, connect the console cable to the switch and add the vlan control (I have it 207, 25 port uplink):

create vlan core tag 207
config vlan core add tagged 25

Assign the switch IP address:

config ipif System vlan core ipaddress 192.168.1.2/24 state enable

Let’s specify the default route:

create iproute default 192.168.1.1 1

Add the admin account:

create account admin NAME

Add a client VLAN (I have it 226), specify PVID and remove the standard VLAN:

create vlan local_smart tag 226
config vlan local_smart add tagged 25
config vlan local_smart add untagged 1-24,26-28
disable gvrp
config gvrp 1-28 state disable ingress_checking enable acceptable_frame admit_all pvid 226
config vlan default delete 1-28

Let’s configure protection against broadcast flooding:

config traffic trap both
config traffic control 1-24,26-28 broadcast enable multicast disable unicast disable action drop threshold 64 countdown 5 time_interval 5

Let’s configure the loop protection:

enable loopdetect
config loopdetect recover_timer 3000
config loopdetect interval 10
config loopdetect trap none
config loopdetect port 1-24,26-28 state enabled
config loopdetect port 25 state disabled

Let’s configure traffic segmentation, if it is necessary that users within the switchboard do not see each other:

config traffic_segmentation 1-24 forward_list 25
config traffic_segmentation 25 forward_list 1-24,26-28

Set up the time zone and time synchronization:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 7000

Let’s specify from what IP the access to WEB, telnet and SNMP of the switch is allowed:

create trusted_host 192.168.1.1
create trusted_host 192.168.5.20

Let’s configure the protection from DOS:

disable dos_prevention trap_log
config dos_prevention dos_type land_attack action drop state enable
config dos_prevention dos_type blat_attack action drop state enable
config dos_prevention dos_type smurf_attack action drop state enable
config dos_prevention dos_type tcp_null_scan action drop state enable
config dos_prevention dos_type tcp_xmascan action drop state enable
config dos_prevention dos_type tcp_synfin action drop state enable
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state disable

For IP-MAC-Port Binding functions, we allow IP 0.0.0.0 (under it Windows tries to get IP):

config address_binding ip_mac ports 1-28 state disable allow_zeroip enable forward_dhcppkt enable

Configuring SNMP:

delete snmp community public
delete snmp community private
delete snmp user initial
create snmp community TEXT view CommunityView read_write
create snmp community TEXT view CommunityView read_only
config snmp system_name TEXT
config snmp system_location TEXT
config snmp system_contact TEXT

Let’s configure protection from third-party DHCP servers:

config filter dhcp_server ports 1-24,26-28 state enable
config filter dhcp_server trap_log enable
config filter dhcp_server illegal_server_log_suppress_duration 30min

From third-party DHCP servers can also be protected through ACL:

create access_profile ip udp src_port 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 port 25 permit
config access_profile profile_id 1 add access_id 2 ip udp src_port 67 port 1-24,26-28 deny

We will configure protection against BPDU of garbage:

config bpdu_protection ports 1-24,26-28 mode drop

Turn on the function SAFEGUARD_ENGINE, so you can go to the switch at 100% CPU utilization:

config safeguard_engine state enable utilization rising 100 falling 95 trap_log enable mode fuzzy

Fine-Tuning FDB:

config fdb aging_time 300
config multicast port_filtering_mode 1-28 filter_unregistered_groups
disable flood_fdb
config flood_fdb log disable trap disable

Other small settings:

config serial_port baud_rate 9600 auto_logout 10_minutes
enable password encryption
config terminal_line default
enable clipaging
disable command logging
enable password_recovery
enable syslog
config log_save_timing on_demand

Done.