TP-Link Switches
TP-Link JetStream switches provide cost-effective enterprise switching solutions for SMB and enterprise deployments. The rXg supports managed JetStream switches with SSH connectivity, providing configuration synchronization, VLAN management, and 802.1X/MAB authentication capabilities.
Supported Models
| Model/Series | Notes |
|---|---|
| JetStream T1600G Series | Gigabit managed switches |
| JetStream T1700G Series | Gigabit managed PoE switches |
| JetStream T2600G Series | L2+ Gigabit managed switches |
| JetStream T2700G Series | L2+ Gigabit managed PoE switches |
| JetStream T3700G Series | L3 Gigabit managed switches |
| JetStream SG Series | Smart Gigabit switches with CLI support |
Note: Only models with SSH/Telnet CLI support are compatible. Web-only managed switches are not supported.
Features Supported
| Feature | Supported | Description |
|---|---|---|
| Config Sync | Yes | Automatic configuration synchronization from rXg |
| Auto Bootstrap | Yes | Zero-touch onboarding from factory-default state via Telnet fallback |
| SNMP Monitoring | Yes | CPU, memory, and port statistics collection |
| LLDP Neighbor Discovery | Yes | Automatic detection of connected devices |
| Switch Port Import | Yes | Automatic import and management of switch ports |
| 802.1X Authentication | Yes | Port-based network access control via dot1x |
| MAC Authentication Bypass (MAB) | Yes | MAC-based authentication for non-802.1X devices |
| Dynamic VLAN Assignment | Yes | RADIUS-assigned VLAN based on authentication |
| DHCP Snooping | No | Not currently implemented |
| Firmware Management | No | Manual firmware upgrades required |
| STP Protection | No | Not currently implemented |
| SPB-m Fabric | No | Not supported |
Prerequisites
Firmware Requirements
- JetStream firmware with SSH support
- SSH server must be enabled (automatically configured during bootstrap)
Network Requirements
- Management IP connectivity to rXg
- SSH access (TCP port 22) - configured during bootstrap
- Telnet access (TCP port 23) - required for initial bootstrap only
- SNMP access (UDP port 161)
- RADIUS connectivity (UDP ports 1812, 1813) - for 802.1X/MAB
Onboarding Process
Automatic Onboarding
TP-Link switches support automatic onboarding from factory-default state. The rXg detects factory-default switches by attempting SSH connection first, and if that fails (SSH not enabled), falls back to Telnet for initial configuration.
Prerequisites for Auto-Bootstrap:
- The switch must be connected to the network and have a management IP configured
- A switch record must exist in rXg with the switch's management IP
- Factory default credentials must be used (admin/admin) or pre-configured credentials
Auto-Bootstrap Process:
- The rXg attempts SSH connection to the switch
- If SSH fails and the switch has never been synced, Telnet connection is attempted
- Via Telnet, bootstrap configuration is automatically applied:
  - SSH server enabled with multiple algorithm support (v1, v2)
  - SSH encryption algorithms configured (AES128/192/256-CBC, 3DES-CBC, etc.)
  - HTTPS secure server enabled
  - SNMP community string configured
  - Password updated if required by switch
- After Telnet bootstrap, reconnection via SSH is performed
- Additional configuration applied:
  - Paging disabled (no clipaging)
  - Console logging minimized
  - Admin password set to configured value
- Switch ports are automatically imported
Connection Methods:
The rXg attempts connection in the following order:
1. SSH with legacy algorithm support (diffie-hellman-group1-sha1, ssh-dss, aes256-cbc)
2. Telnet (as fallback for factory-default switches without SSH enabled)
Manual Onboarding
For manual configuration, connect to the switch via console and apply the bootstrap commands below.
Bootstrap Commands
Enable SSH Server:
enable
configure
ip ssh server
ip ssh version v1
ip ssh version v2
ip ssh algorithm AES128-CBC
ip ssh algorithm AES192-CBC
ip ssh algorithm AES256-CBC
ip ssh algorithm 3DES-CBC
ip ssh algorithm HMAC-SHA1
ip ssh algorithm HMAC-MD5
exit
Configure SNMP:
configure
snmp-server community <community-string> read-only
exit
Configure HTTPS (optional):
configure
ip http secure-server
ip http secure-protocol ssl3 tls1
exit
Configure Management User:
configure
user name admin password <password>
exit
Enable LLDP:
configure
lldp
exit
Save Configuration:
copy running-config startup-config
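The bootstrap commands above enable SSH protocol v1, 3DES-CBC, HMAC-MD5 and SSL 3.0 for compatibility. As an added example (not rXg or TP-Link code), this Python audit flags those legacy settings in a list of configuration lines so they can be reviewed after onboarding. It assumes the lines appear in the same form as the commands on this page; the rule set, severities, `audit_config` name and sample input are constructed for this example.

```python
import re

# Each rule: (regex for one config line, severity, finding text).
# Command strings come from this page; severities are this example's assumption.
RULES = [
    (r"^ip ssh version v1$", "high", "SSH protocol v1 enabled"),
    (r"^ip http secure-protocol\b.*\bssl3\b", "high", "SSL 3.0 enabled for HTTPS"),
    (r"^snmp-server community public(\s|$)", "high", "default SNMP community 'public'"),
    (r"^ip ssh algorithm 3DES-CBC$", "medium", "3DES-CBC cipher enabled"),
    (r"^ip ssh algorithm HMAC-MD5$", "medium", "HMAC-MD5 MAC enabled"),
    (r"^ip ssh algorithm AES(128|192|256)-CBC$", "low", "CBC-mode cipher enabled"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def audit_config(text):
    """Return (severity, line_no, finding, line) tuples, most severe first."""
    findings = []
    seen_ssh_server = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())          # collapse indentation and spacing
        if not line or line.startswith(("#", "!")):
            continue                          # skip blanks and separator lines
        if line.lower() == "ip ssh server":
            seen_ssh_server = True
        for pattern, severity, finding in RULES:
            if re.search(pattern, line, flags=re.IGNORECASE):
                findings.append((severity, line_no, finding, line))
    if not seen_ssh_server:                   # line_no 0 marks a missing line
        findings.append(("high", 0, "no 'ip ssh server' line: SSH not enabled", ""))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

# Constructed sample: the bootstrap commands from this page plus 'public'.
SAMPLE_CONFIG = """\
ip ssh server
ip ssh version v1
ip ssh version v2
ip ssh algorithm AES128-CBC
ip ssh algorithm AES256-CBC
ip ssh algorithm 3DES-CBC
ip ssh algorithm HMAC-SHA1
ip ssh algorithm HMAC-MD5
snmp-server community public read-only
ip http secure-server
ip http secure-protocol ssl3 tls1
"""

if __name__ == "__main__":
    for severity, line_no, finding, line in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} line {line_no:2}: {finding} ({line})")
```
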
Configuration
Connection Settings
Configure the switch in the Network::Wired::Switches scaffold with:
- Host: Management IP address
- Username/Password: SSH credentials (default: admin/admin)
- Enable Password: If different from login password
- Management VLAN: VLAN for management traffic (default: 1)
- SNMP Community: Community string for monitoring (default: public)
RADIUS / AAA Configuration
When a RADIUS Server Option is active in rXg, the system configures RADIUS authentication:
System-Level Configuration:
radius-server host <rxg-ip> auth-port 1812 acct-port 1813 timeout 5 retransmit 2 key 0 <radius-secret>
dot1x system-auth-control
dot1x vlan-assignment
Port-Level Configuration for MAB:
Ports configured for MAC authentication receive:
interface gigabitEthernet <port>
dot1x
dot1x mab
dot1x port-method port-based
exit
Port-Level Configuration for 802.1X:
Ports configured for 802.1X authentication receive:
interface gigabitEthernet <port>
dot1x
exit
VLAN Configuration
VLANs are automatically managed through Switch Port Profiles:
- Access ports: Configured with native VLAN using switchport pvid
- Trunk ports: Configured with tagged VLANs using switchport general allowed vlan X tagged
- Native VLAN configured with switchport general allowed vlan X untagged
VLAN Configuration Commands:
interface gigabitEthernet <port>
switchport general allowed vlan <vlan-list> tagged
switchport general allowed vlan <native-vlan> untagged
switchport pvid <native-vlan>
exit
Port Types
The rXg supports the following port naming conventions:
| Short Name | Full Name | Description |
|---|---|---|
| Gi | gigabitEthernet | 1 Gbps ports |
| Te | ten-gigabitEthernet | 10 Gbps ports |
| Fe | fastEthernet | 100 Mbps ports |
| Tw | two-gigabitEthernet | 2.5 Gbps ports |
Monitoring Capabilities
| Metric | Collection Method | Notes |
|---|---|---|
| CPU Usage | SNMP | Collected at configured monitoring interval |
| Memory Usage | SNMP | Collected at configured monitoring interval |
| Port Statistics | SNMP | Packets in/out, errors, discards |
| Port Status | SNMP | Up/down, speed, duplex |
| LLDP Neighbors | SNMP | Connected device discovery |
| MAC Address Table | SSH | Client discovery via show mac address-table |
| Device Info | SSH | Serial number, model, firmware version |
Troubleshooting
Common Issues
Issue: Switch shows offline in rXg
Symptom: Switch appears offline despite being reachable via ping
Cause: SSH connectivity issues or SNMP community mismatch
Resolution:
- Verify SSH credentials match switch configuration
- Check SNMP community string matches
- Ensure SSH is enabled on the switch (ip ssh server)
- Check for locked-out IP (60 second lockout after failed attempts)
Issue: Auto-bootstrap fails
Symptom: Switch detected but bootstrap doesn't complete
Cause: SSH key generation or Telnet connectivity issues
Resolution:
- Verify Telnet is enabled on factory-default switch
- Check factory default credentials (admin/admin)
- Some switches require password change on first login - this is handled automatically
- Try manual bootstrap via console if automated methods fail
Issue: Config sync shows differences but won't apply
Symptom: Config comparison shows changes needed but sync fails
Cause: Session timeout or locked configuration
Resolution:
- Check for other active CLI sessions
- Increase timeout setting on switch record
- Reboot switch if sessions are stuck
Issue: 802.1X/MAB authentication not working
Symptom: Devices not authenticating on configured ports
Cause: RADIUS server configuration mismatch
Resolution:
- Verify RADIUS server IP and secret match rXg configuration
- Check dot1x system-auth-control is enabled
- Verify port is configured with dot1x and optionally dot1x mab
- Check RADIUS logs on rXg for authentication attempts
Issue: VLAN changes not applying
Symptom: VLAN configuration appears correct but traffic not working
Cause: Native VLAN or PVID mismatch
Resolution:
- Verify both tagged VLAN and PVID are configured correctly
- Check that VLAN exists in switch VLAN database
- Ensure uplink ports have all required VLANs tagged
Diagnostic Commands
General:
show system-info
show running-config
show interface status
show vlan
SSH and Authentication:
show ip ssh
show dot1x
show radius statistics
VLAN and Ports:
show interface configuration
show mac address-table
show lldp neighbors-information
Known Limitations
- Firmware upgrades not supported via rXg (manual upgrade required)
- DHCP snooping not implemented
- STP protection features not implemented
- Some older models may have limited SSH algorithm support
- Password change prompt on first login requires Telnet fallback
Operational Caveats
- Default Credentials: Factory default is admin/admin. Some switches require password change on first login, which is handled automatically during Telnet bootstrap.
- SSH Algorithm Support: The rXg uses legacy SSH algorithms (diffie-hellman-group1-sha1, ssh-dss) for compatibility with older firmware. Modern algorithms are preferred when available.
- Telnet Fallback: For factory-default switches without SSH enabled, the rXg temporarily connects via Telnet to enable SSH, then reconnects securely.
- Temporary Password: During Telnet bootstrap, a temporary password derived from the switch IP is used if password change is required, then updated to the configured password after SSH reconnection.
- IP Lockout: TP-Link switches may temporarily lock out IP addresses (60 seconds) after multiple failed authentication attempts.
- LLDP: LLDP is automatically enabled during config sync if not already enabled.
- Paging: CLI paging is automatically disabled (no clipaging) during connection to prevent session hangs.