D-Link DES-3528 - xStack Switch - Stackable, User Manual, Page: 299 / 322

Share

Page: 299 / 322

D-Link DES-3528 - xStack Switch - Stackable User Manual Download Page 299

xStack

®

DES-3528/DES-3552 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual

298

Appendix A

Mitigating ARP Spoofing Attacks Using Packet

Content ACL

Address Resolution Protocol (ARP) is the standard method for finding a host's hardware address (MAC address)
when only its IP address is known. This protocol is vulnerable because it can spoof the IP and MAC information in the
ARP packets to attack a LAN (known as ARP spoofing). This document is intended to introduce ARP protocol, ARP
spoofing attacks, and the counter measure brought by D-Link's switches to counter the ARP spoofing attack.

•

How Address Resolution Protocol works

In the process of ARP, PC A will, firstly, issue an ARP request to query PC B’s MAC address. The network structure is
shown in Figure-1.

Figure-1

In the mean time, PC A’s MAC address will be written into the “Sender H/W Address” and its IP address will be written
into the “Sender Protocol Address” in ARP payload. As PC B’s MAC address is unknown, the “Target H/W Address”
will be “00-00-00-00-00-00” while PC B’s IP address will be written into the “Target Protocol Address”, shown in Table-
1.

H/W

type

Protocol

type

H/W

address

length

Protocol

address

length

Operation

Sender
H/W address

Sender

protocol

address

Target
H/W address

Target

protocol

address

ARP

request

00-20-5C-01-11-11

10.10.10.1

00-00-00-00-00-00

Table -1 (ARP Payload)

The ARP request will be encapsulated into Ethernet frame and sent out. As can be seen in Table-2, the “Source
Address” in the Ethernet frame will be PC A’s MAC address. Since an ARP request is sent via a broadcast, the
“Destination address” is in the format of an Ethernet broadcast (FF-FF-FF-FF-FF-FF).

10.10.10.2

Destination

Source address

Ether-type

ARP

FCS

«
...
297
298
299
300
301
...
»

Summary of Contents for DES-3528 - xStack Switch - Stackable

Page 1: ...User Manual Product Model xStack DES 3528 DES 3552 Series Layer 2 Managed Stackable Fast Ethernet Switch Release 2 0...

Page 2: ...sion of D Link Corporation is strictly forbidden Trademarks used in this text D Link and the D LINK logo are trademarks of D Link Corporation Microsoft and Windows are registered trademarks of Microso...

Page 3: ...r Accounts 23 System Log Configuration 24 System Log Settings 24 System Log Server 25 System Severity Settings 26 DHCP Relay 27 DHCP Relay Global Settings 27 DHCP Relay Interface Settings 30 DHCP Rela...

Page 4: ...ble 50 SNMP Engine ID 50 SNMP Trap Configuration 51 sFlow 51 sFlow Global State Settings 51 sFlow Analyzer Server Settings 52 sFlow Flow Sampler Settings 52 sFlow Counter Poller Settings 53 Stacking 5...

Page 5: ...gs 93 Port Trunking 94 LACP Port Settings 96 Traffic Segmentation 97 IGMP Snooping 98 IGMP Snooping Settings 98 IGMP Snooping Rate Limit Settings 100 IGMP Snooping Static Group Settings 101 IGMP Multi...

Page 6: ...ormation 131 LLDP Remote Port Information 132 CFM 133 CFM Port Settings 133 CFM CCM PDUs Forwarding Mode 133 CFM MPs Reply LTRs 134 CFM Mipccm List 134 Connectivity Fault Management Settings 135 CFM L...

Page 7: ...163 CoS Bandwidth Control Settings 164 SRED 165 SRED Settings 165 SRED Drop Counter 166 DSCP Trust Settings 167 DSCP Map Settings 168 802 1p Map Settings 170 Security 171 Safeguard Engine 171 Trusted...

Page 8: ...nable Password Settings 207 RADIUS Accounting Services 208 MAC based Access Control 209 MAC based Access Control Settings 209 MAC based Access Control Local Settings 211 Web Authentication 212 Web bas...

Page 9: ...Session Statistics 279 Authenticator Diagnostics 280 Browse ARP Table 282 Browse Route Table 282 Browse VLAN 282 Show VLAN Ports 283 Browse Voice VLAN Device 283 Browse DHCP Server Dynamic Binding 28...

Page 10: ...stem Log 293 Save Services and Tools 294 Save Configuration ID 1 294 Save Configuration ID 2 295 Save Log 295 Save All 295 Configuration File Backup Restore 296 Upload Log File 296 Reset 296 Download...

Page 11: ...mands For example use the copy command Boldface T ypewriter Font Indicates commands and responses to prompts that must be typed exactly as printed in the manual Initial capital letter Indicates a wind...

Page 12: ...different ways to access the same internal switching software and configure it Thus all settings encountered in web based management are the same as those found in the console program Login to Web Man...

Page 13: ...described in the table Figure 1 2 Main Web Manager page Area Function Area 1 Select the folder or window to be displayed The folder icons can be opened to display the hyperlinked window buttons and s...

Page 14: ...king LACP Port Settings Traffic Segmentation IGMP Snooping MLD Snooping Port Mirror Loopback Detection Settings BPDU Attack Protection Settings Spanning Tree Forwarding Filtering LLDP CFM and Ethernet...

Page 15: ...nts System Log Configuration System Severity Settings DHCP Relay DHCP Local Relay Settings DHCP Auto Configuration Settings MAC Address Aging Time Web Settings Telnet Settings Password Encryption Clip...

Page 16: ...dition this window displays the status of functions on the Switch to quickly assess their current global status Some functions are hyper linked to their configuration window for easy access from the D...

Page 17: ...ress has not yet been changed read the introduction of the DES 3528 DES 3552 Series CLI Manual for more information Click Configuration IP Address to display the following window Figure 2 4 IP Address...

Page 18: ...the Switch These fields should be of the form xxx xxx xxx xxx where each xxx is a number represented in decimal form between 0 and 255 This address should be a unique address on the network assigned f...

Page 19: ...xStack DES 3528 DES 3552 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual 18...

Page 20: ...e Toggle this field to either enable or disable a given port or group of ports Speed Duplex Toggle the Speed Duplex field to either select the speed and duplex half duplex state of the port Auto denot...

Page 21: ...ther configuration will result in a link down status for both ports Flow Control Displays the flow control scheme used for the various port configurations Ports configured for full duplex use 802 3x f...

Page 22: ...hould be nominated Copper The result will be displayed in the appropriate switch port number slot C for copper ports and F for fiber ports Figure 2 6 Port Description window The following parameters c...

Page 23: ...static entries are defined a permanent entry is entered and is used to translate IP address to MAC addresses To view this window click Configuration Static ARP Settings Figure 2 8 Static ARP Settings...

Page 24: ...cation method of the Switch or through the Access Authentication Control feature discussed later in this document Once the user has logged in to the Switch in the Operator level certain security scree...

Page 25: ...Yes Yes No Factory Reset Yes No No User Account Management Add Update Delete User Accounts Yes No No View User Accounts Yes No No Table 2 1 Admin Operator and User Privileges System Log Configuration...

Page 26: ...ssigned Facility values Processes and daemons that have not been explicitly assigned a Facility may use any of the local use facilities or they may use the user level Facility Those Facilities that ha...

Page 27: ...scribed below Parameter Description System Severity Choose how the alerts are used from the drop down menu Select Log to send the alert of the Severity Type configured to the Switch s log for analysis...

Page 28: ...ered the Switch will not process the value in the seconds field of the BOOTP or DHCP packet If a non zero value is entered the Switch will use that value along with the hop count to determine whether...

Page 29: ...enables or disables the DHCP option 60 state When option 60 is enabled if the packet does not have option 60 then the relay servers cannot be determined based on option 60 As a result the relay server...

Page 30: ...e Module is always 0 For a stackable switch the Module is the Unit ID g Port The incoming port number of DHCP client packet port number starts from 1 Remote ID sub option format default 1 2 3 4 5 2 8...

Page 31: ...t will be connected directly to the Server Server IP Enter the IP address of the DHCP server Up to four server IPs can be configured per IP Interface DHCP Relay Option 60 Default Settings This window...

Page 32: ...elow Figure 2 17 DHCP Relay Option 60 Settings window The following parameters may be configured Parameter Description String Enter the specified string up to a maximum of 255 alphanumeric characters...

Page 33: ...add a rule to the relay server based on option 61 The matching rule can be based on either the MAC address or the user specified string Only one relay server can be specified for a MAC address or a st...

Page 34: ...autoconfiguration function on the Switch will load a previously saved configuration file for current use When DHCP autoconfiguration is Enabled on the Switch the DHCP reply will contain a configurati...

Page 35: ...t for the web protocol is 80 To access this table click Configuration Web Settings Figure 2 23 Web Settings window Telnet Settings Telnet configuration is Enabled by default If you do not want to allo...

Page 36: ...reen allows the user to view information about current firmware images stored on the Switch To access this table click Configuration Firmware Information Figure 2 27 Firmware Information window This w...

Page 37: ...own for users that are unidentified Dual Configuration Settings The following window is used to manage configuration information in the Switch The DES 3528 DES 3552 Series has the capability to store...

Page 38: ...ve the circuit ID tag from the received PPPoE offer and session confirmation packet To view this window click Configuration PPPoE Circuit ID Insertion Settings as shown below Figure 2 29 PPPoE Circuit...

Page 39: ...or are displayed Parameter Description Status SNTP State Use the radius button to select an Enabled or Disabled SNTP state Current Time Displays the Current Time set on the Switch Time Source Displays...

Page 40: ...able the DST Settings Daylight Saving Time Offset in Minutes Use this pull down menu to specify the amount of time that will constitute your local DST offset 30 60 90 or 120 minutes Time Zone Offset f...

Page 41: ...ober 14 From Month Enter the month DST will start on each year From Day Enter the day of the week DST will start on each year From Time in HH MM Enter the time of day DST will start on each year To Mo...

Page 42: ...notification Up to 500 entries can be specified Click Apply to implement changes MAC Notification Port Settings To configure the MAC Notification Port Settings for the Switch click Configuration M AC...

Page 43: ...t and secondly if the per port power consumption exceeds the per port power limit Active circuit protection automatically disables the port if there is a short Other ports will remain active Based on...

Page 44: ...Port or Deny Low Priority Port to offset the power limit being exceeded and keeps the Switch s power at a usable level Use the drop down menu to select a Power Disconnect Method The default Power Disc...

Page 45: ...of supplying power Whether the disconnect method is set to deny low priority port the priority of each port will be used by the system to manage the supply of power to ports Power Limit This function...

Page 46: ...Switch allows groups of users to be listed and configured with a shared set of privileges The SNMP version may also be set for a listed group of SNMP managers Thus you may create a group of SNMP mana...

Page 47: ...B objects can be accessed by a remote SNMP manager To configure SNMP View Settings for the Switch click Configuration SNMP Settings SNMP View Table Figure 2 38 SNMP View Table window The following par...

Page 48: ...ceive SNMP trap messages generated by the Switch s SNMP agent User based Security Model SNMPv1 Specifies that SNMP version 1 will be used SNMPv2 Specifies that SNMP version 2c will be used The SNMPv2...

Page 49: ...MP V3 Encryption None Indicates that there is no SNMP V3 Encryption Password Indicates that there is SNMP V3 Encryption through a password Key Indicates that there is SNMP V3 Encryption through a key...

Page 50: ...munity entries click Configuration SNMP Settings SNMP Community Table Figure 2 41 SNMP Community Table window The following parameters can set Parameter Description Community Name Type an alphanumeric...

Page 51: ...P version 2 will be used SNMPV3 To specify that the SNMP version 3 will be used Security Level NoAuthNoPriv To specify a NoAuthNoPriv security level AuthNoPriv To specify an AuthNoPriv security level...

Page 52: ...echnology for monitoring traffic in data networks containing switches and routers The sFlow monitoring system consists of an sFlow Agent embedded in a switch or router or in a standalone probe and a c...

Page 53: ...d out When the analyzer server times out all of the flow samplers and counter pollers associated with this analyzer server will be deleted Infinite indicates that the analyzer server will never time o...

Page 54: ...lated and forwarded to the server Click Apply to implement the changes made sFlow Counter Poller Settings This window is used to create the sflow counter poller settings on the Switch Within the sflow...

Page 55: ...roles exist when stacking with the DES 3528 DES 3552 Series NOTE Only ports 27 and 28 of the DES 3528 Series or ports 51 and ports 52 of DES 3552 support stacking The other ports cannot be used for st...

Page 56: ...et on the newly added switch such as configured priority or MAC address Yet if adding two stacks together that have both previously undergone the election process and therefore both have a Primary Mas...

Page 57: ...Description Stacking Mode Click Enabled or Disabled to enable or disable the stacking function Current Box ID Use the dorp down menu to identify the Switch being configured The box ID is 1 8 New Box...

Page 58: ...S The SIM group is a group of switches that are managed as a single entity SIM switches may take on three different roles 1 Commander Switch CS This is a switch that has been manually configured as th...

Page 59: ...scovery process cannot occur 3 This version will support multiple switch upload and downloads for firmware configuration files and log files as follows Firmware The switch now supports multiple MS fir...

Page 60: ...terval 30 90 The user may set the discovery protocol interval in seconds that the Switch will send out discovery packets Returning information to a Commander Switch will include information about othe...

Page 61: ...identify it Remote Port Displays the number of the physical port on the CS that the MS or CaS is connected to The CS will have no entry in this field Speed Displays the connection speed between the C...

Page 62: ...Single IP Management Group are connected to other groups and devices Possible icons in this screen are as follows Icon Description Group Layer 2 commander switch Layer 3 commander switch Commander swi...

Page 63: ...ing the mouse cursor over a specific device in the topology window tool tip will display the same information about a specific device as the Tree view does See the window below for an example Figure 2...

Page 64: ...s in the SIM group configured by the user If no Device Name is configured by the name it will be given the name default and tagged with the last six digits of the MAC Address to identify it Module Nam...

Page 65: ...y To pop up a window to display the group information Member Switch Icon Figure 2 62 Right Clicking a Member icon The following options may appear for the user to configure Collapse To collapse the gr...

Page 66: ...indow contains a menu bar for device configurations as seen below Figure 2 65 Menu Bar of the Topology View The five menus on the menu bar are as follows File Print Setup Will view the image to be pri...

Page 67: ...re Upgrade Figure 2 68 Firmware Upgrade window Configuration File Backup Restore This screen is used to upgrade configuration files from the Commander Switch to the Member Switch using a TFTP server M...

Page 68: ...Layer 2 Stackable Fast Ethernet Managed Switch User Manual 67 save this file Click Upload to initiate the file transfer To view this window click Configuration Single IP Management Upload Log File Fig...

Page 69: ...t Mirror Loopback Detection Settings BPDU Attack Protection Settings Spanning Tree Forwarding Filtering LLDP CFM Ethernet OAM The following section will aid the user in configuring Layer 2 functions f...

Page 70: ...s given the lowest priority for delivery Strict mode and weighted round robin system are employed on the Switch to determine the rate at which the queues are emptied of packets The ratio used for clea...

Page 71: ...l connection and allows Spanning Tree to be enabled on all ports and work normally The IEEE 802 1Q standard restricts the forwarding of untagged packets to the VLAN of which the receiving port is a me...

Page 72: ...Q compliant Unfortunately not all network devices are 802 1Q compliant These devices are referred to as tag unaware 802 1Q devices are referred to as tag aware Prior to the adoption of 802 1Q VLANs po...

Page 73: ...Q tag from all packets that flow into and out of those ports If the packet doesn t have an 802 1Q VLAN tag the port will not alter the packet Thus all packets received by and forwarded by an untagging...

Page 74: ...If Port 10 is not a member of VLAN 2 then the packet will be dropped by the Switch and will not reach its destination If Port 10 is a member of VLAN 2 the packet will go through This selective forward...

Page 75: ...r the example below Figure 3 5 Double VLAN Example In this example the Service Provider Access Network switch Provider edge switch is the device creating and configuring Double VLANs with different SP...

Page 76: ...7 All packets sent from the CPU to the Access ports must be untagged 8 The following functions will not operate when the switch is in Double VLAN mode Guest VLANs Web based Access Control IP Multicas...

Page 77: ...e new VLAN See the table below for a description of the parameters in the new menu NOTE The Switch supports up to 4k static VLAN entries Figure 3 8 802 1Q VLAN window Edit window The following fields...

Page 78: ...will designate the port as untagged Forbidden Select this to specify the port as not being a member of the VLAN and that the port is forbidden from becoming a member of the VLAN dynamically Not Membe...

Page 79: ...h to send out GVRP packets to outside sources notifying that they may join the existing VLAN Port List e g 1 5 Allows an individual port list to be added or deleted as a member of the VLAN Tagged Spec...

Page 80: ...ice VLAN An IP phone and a PC connect to a HUB and the HUB connects to a switch that supports voice VLAN The received untagged traffic by the switch can come from the IP phone or the PC The switch che...

Page 81: ...C address of this voice device is aged out the voice VLAN aging timer will be started The port will be removed from the voice VLAN after expiration of voice VLAN aging timer Trap Log Use the pull down...

Page 82: ...ngs This window allows the user to configiure the user defined voice traffic s OUI There are some pre defined OUIs and when the user configures personal OUI these pre defined OUIs must be avoided Foll...

Page 83: ...based VLAN The IP address of customer A is 172 18 0 1 and IP address of customer B is 172 18 0 2 Both of them connect to the same port of the Switch through a HUB Customers can access Internet through...

Page 84: ...net VLAN Subnet VLAN Settings as shown below Figure 3 16 Subnet VLAN Settings window The following parameters can be configured Parameter Description VLAN Name The VLAN Name to be associated with the...

Page 85: ...lassification will be processed first If subnet based VLAN classification fails the MAC based VLAN classification will be executed To view this window click L2 Features Subnet VLAN VLAN Precedence Set...

Page 86: ...ce provider network may have VLAN ranges that overlap which might cause traffic to become mixed up So assigning a unique range of VLAN IDs to each customer might cause restrictions on some of their co...

Page 87: ...Priority Use Inner Priority This is the priority given to the inner tag that is copied to the outer tag if this setting is enabled Add Inner Tag hex 0x1 0xffff Deselect Disabled and enter an inner tag...

Page 88: ...up Settings supports multiple VLANs for each protocol and allows the user to configure the untagged ports of different protocols on the same physical port For example it allows the user to configure a...

Page 89: ...in the Switch which is used to determine the CoS queue to which packets are forwarded to Once this field is specified packets accepted by the Switch that match this priority are forwarded to the CoS...

Page 90: ...LAN has been configured with redirect ports To view this window click L2 Features RSPAN Settings as shown below Figure 3 22 RSPAN Settings window Enter the VLAN Name or VID and click Create To remove...

Page 91: ...ecify the range of ports that will be included in the Port based VLAN that you are creating using the 802 1Q Port Settings window PVID The read only field in the 802 1Q Port Table shows the current PV...

Page 92: ...time between the Switch receiving the information about becoming a member of the group and actually joining the group The default is 200 Leave Time 100 100000 The time in milliseconds that specifies t...

Page 93: ...ering it into the MAC Address field VID 1 4094 VLAN Name Enter the VID or VLAN name of a previously configured VLAN Click Find Add or Delete All for changes to take affect PVID Auto Assign Settings Th...

Page 94: ...tagged frames with any VID To view this window click L2 Features VLAN Trunk Settings Figure 3 29 VLAN Trunk Settings window The following fields can be set Parameter Description VLAN Trunk Global Stat...

Page 95: ...trunk group This allows packets in a data stream to arrive in the same order they were sent NOTE If any ports within the trunk group become disconnected packets intended for the disconnected port wil...

Page 96: ...STP will block one entire group in the same way STP will block a single port that has a redundant link To view the Trunking Settings window click L2 Features Port Trunking Figure 3 31 Port Trunking w...

Page 97: ...arting with the selected port Activity Active Active LACP ports are capable of processing and sending LACP control frames This allows LACP compliant devices to negotiate the aggregated link so the gro...

Page 98: ...other ports on that switch Select a port number from the drop down menu to display the forwarding ports To configure new forwarding ports for a particular port select a port from the menu and click Ap...

Page 99: ...lder When enabled for IGMP snooping the Switch can open or close a port to a specific multicast group member based on IGMP messages sent from the device to the IGMP host or vice versa The Switch monit...

Page 100: ...a Driven Group Expiry Time 1 65535 Allows the user to set the time that an IGMP Snooping data driven learning group will expire for the specified VLAN Default 260 Querier State Choose Enabled to enabl...

Page 101: ...w click L2 Features IGMP Snooping IGMP Snooping Rate Limit Settings as shown below Figure 3 36 IGMP Snooping Rate Limit Settings window The following parameters can be configured Parameter Description...

Page 102: ...mation and click Find To remove an entry enter the appropriate information and click Delete To modify an IGMP static group entry click the corresponding Edit button in the table To delete an IGMP stat...

Page 103: ...to enable or disable multicast VLAN for the chosen VLAN ISM Forward Unmatched When the Switch receives an IGMP packet it will match the packet against the multicast profile to determine the multicast...

Page 104: ...ofile Name drop down menu and click Add The new information will be displayed in the table Click Show IGMP Snooping Multicast VLAN Entries to return to the IGMP Snooping Multicast VLAN Settings window...

Page 105: ...the ports or VLAN ID on the Switch that will be involved in the Limited IP Multicast Range The user can configure the range of ports or VLAN ID that will send or receive the multicast packets To confi...

Page 106: ...t F iltering M ode enables the user to configure the VLANs on the switch that will be involved in the Multicast Filtering Mode To configure these settings click L2 F eatures I GMP S nooping Multicast...

Page 107: ...Control Packet Settings is used to discard the Layer 3 control packets sent to CPU from specific ports Figure 3 49 Method of dealing with the specified packet The above figure displays how the Switch...

Page 108: ...st group data MLD Control Messages Three types of messages are transferred between devices using MLD snooping These three messages are all defined by three ICMPv6 packet headers labeled 130 131 and 13...

Page 109: ...s for an existing entry click the corresponding Edit button which will display the following window Figure 3 52 MLD Snooping Settings Edit window The following parameters may be viewed or modified Par...

Page 110: ...rameter allows the user to enable the Fast Leave function When enabled this function will allow members of a multicast group to leave the group immediately without the implementation of the Last Membe...

Page 111: ...MLD Snooping Rate Limit Settings window The following parameters may be viewed or modified Parameter Description Port List Specifies a port or range ports to configure or display VLAN List Specifies...

Page 112: ...ch to configure the MLD snooping static group information Click Create to create a new entry To search for an entry enter the information and click Find To view all previously configured entries click...

Page 113: ...VLAN the user wishes to modify the MLD Snooping Settings for VID 2 4094 This is the VLAN ID that along with the VLAN Name identifies the VLAN the user wishes to modify the MLD Snooping Settings for St...

Page 114: ...9 Port Mirror window To configure a mirror port 1 Change the status to Enabled 2 Select the Source Port from where you want to the frames to come from 3 Select the Target Port which receives the copie...

Page 115: ...s function using the pull down menu To view this window click L2 Features Loopback Detection Settings Figure 3 60 Loopback Detection Settings window Parameter Description State Use the drop down menu...

Page 116: ...Parameter Description BPDU Protection Global State Use the drop down menu to enable or disable BPDU Attack Protection setting The default is Disabled Trap Status Select the trap status choose None At...

Page 117: ...Port Transition States An essential difference between the three protocols is in the way ports transition to a forwarding state and in the way this transition relates to the role of the port forwardi...

Page 118: ...will be protected against a loop occurring between switches Once a BPDU packet returns to the Switch this function will detect that there is an anomaly occurring and will place the receiving port in...

Page 119: ...on does not endlessly circulate through redundant paths in the network preventing the effective propagation of the new information Set by the Root Bridge this value will aid in determining that the Sw...

Page 120: ...packet and the information held for the port will age out The user may set a hop count from 6 to 40 The default is 20 NNI BPDU Address Configure NNI port address dot1d Specifies GVRP s bpdu MAC addre...

Page 121: ...or the group Redundant links will be blocked just as redundant links are blocked on the switch level The STP on the switch level blocks redundant links between switches and similar network devices The...

Page 122: ...cannot have p2p status Auto allows the port to have p2p status whenever possible and operate as if the p2p status were true If the port cannot maintain this status for example if the port is forced t...

Page 123: ...icular MSTI Type This field allows the user to choose a desired method for altering the MSTI settings The user has two choices Add VID Select this parameter to add VIDs to the MSTI ID in conjunction w...

Page 124: ...lues mean higher priorities for forwarding packets To view the following window click L2 Features Spanning Tree MSTP Port Information Figure 3 67 MSTP Port Information window The following parameters...

Page 125: ...ets will be statically forwarded This must be a unicast MAC address Drop Port Select Drop to drop the MAC address or select Port and enter the port number on which the MAC address entered above reside...

Page 126: ...information distributed via this protocol is stored by its recipients in a standard Management Information Base MIB making it possible for the information to be accessed by a Network Management System...

Page 127: ...d on the port from an LLDP neighbor To set the LLDP Notification Interval enter a value in seconds 5 to 3600 Click Apply to implement changes made LLDP Port Settings To view this window Click L2 Featu...

Page 128: ...ce that you want to add Action Used to Enable or Disable the advertise management address function base port Click Apply to implement changes made LLDP Management Address List To view this window Clic...

Page 129: ...andatory data types cannot be disabled There are also four data types which can be optionally selected These include Port Description System Name System Description and System Capability To view this...

Page 130: ...ick L2 Features LLDP LLDP Dot1 TLVs Settings Figure 3 74 LLDP Dot1 TLVs Settings window The following parameters can be set Parameter Description From Port To Port Use the pull down menu to select a r...

Page 131: ...3 link to be configured with different duplex and or speed settings and still establish some limited network connectivity More precisely the information includes whether the port supports the auto neg...

Page 132: ...half of the table To view this window click L2 Features LLDP LLDP Statistics System Figure 3 76 LLDP Statistics System window LLDP Local Port Information LLDP Local Port Information window displays th...

Page 133: ...w To return to the LLDP Local Port Information window click the Back button LLDP Remote Port Information This window displays port information learned from the neighbor The switch receives packets fro...

Page 134: ...age CCM Loopback Message and Response LBM LBR and Linktrace Message and Response LTM and LTR CFM Port Settings This table is used to enable or disable the connectivity fault management function on a p...

Page 135: ...able the CFM maintenance point reply Linktrace Response on the Switch To view this window click L2 Features CFM CFM MPs Reply LTRs as shown below Figure 3 84 CFM MPs Reply LTRs window Select Enable or...

Page 136: ...ish to create Level Enter the maintenance domain level Connectivity Fault Management Settings MD MD Enter the maintenance domain name you wish to configure MIP This setting controls the creation of MI...

Page 137: ...End Point between 1 and 8191 MD Max 22 characters The Maintenance Domain Name MA Max 22 characters The Maintenance Association Name MAC Address The destination MAC address LBMs Number 1 65535 The numb...

Page 138: ...ters can be configured Parameter Description MEP Name The name of the Maintenance End Point MEP ID 1 8191 The ID for the Maintenance End Point between 1 and 8191 MD Name The Maintenance Domain Name MA...

Page 139: ...r List window The following parameters can be configured Parameter Description Port List e g 1 5 10 Specifies which ports counter to show Tick All Ports and all ports will be shown State This drop dow...

Page 140: ...drop down menu to specify the port number Level 0 7 Specifies the MD Level If not specified all levels are shown Direction Tick the check box and select Inward or Outward facing MEP VLAN ID The VLAN...

Page 141: ...w this window click L2 Features Ethernet OAM Ethernet OAM Settings as shown below Figure 3 93 Ethernet OAM Settings window The following parameters can be configured Parameter Description From Port To...

Page 142: ...be configured Link Event Configures the Ethernet OAM critical link event Specify Link Monitor or Critical Link Event Link Monitor Indicates that the OAM entity can send and receive Event Notification...

Page 143: ...nitially be set using the console interface prior to connecting to it through the Ethernet If the Switch IP address has not yet been changed read the introduction of the DES 3528 DES 3552 Series CLI M...

Page 144: ...d to this IP interface VLAN Name This field states the VLAN Name directly associated with this interface Interface Admin State Use the pull down menu to enable or disable the IP interface Proxy ARP St...

Page 145: ...ddress to MAC address mapping and other hosts still had the old mapping in their ARP cache To view this window click L3 Features Gratuitous ARP Gratuitous ARP Global Settings as shown below Figure 4 5...

Page 146: ...configure the interval for the periodical sending of gratuitous ARP request packets By default the interval is 0 Click Apply to implement changes made ARP Spoofing Prevention Settings ARP spoofing al...

Page 147: ...server usually maintained by an ISP Domain Name Resolution The domain name system can be used by contacting the name servers one at a time or by asking the domain name system to do the complete name...

Page 148: ...implement changes made DNS Relay Static Settings To view this window click L3 Features DNS Relay DNS Relay Static Settings which will open the DNS Relay Static Settings window as seen below Figure 4...

Page 149: ...ire a static IP address To begin configuring the Switch as a DHCP Server open the L3 Features folder then the DHCP Server folder which will display five links to aid the user in configuring the DHCP s...

Page 150: ...alf of the window as shown below Figure 4 11 DHCP Server Excluded Address Settings DHCP Server Pool Settings The following windows will allow users to create and then set the parameters for the DHCP P...

Page 151: ...ext Server This field is used to identify the IP address of the device that has the previously stated boot file DNS Server Address Enter the IP address of a DNS server that is available to the DHCP cl...

Page 152: ...parameters may be configured Parameter Description Pool Name Enter the name of the DHCP pool within which will be created a manual DHCP binding entry IP Address Enter the IP address to be statically b...

Page 153: ...protocols along with other pertinent information Next the administrator must configure the Policy Route window to be enabled for this Access Profile and its associated rule and the Next Hop Router s I...

Page 154: ...ify this policy route Profile ID 1 14 Enter the Profile ID number of the Access Profile previously created which will be used to identify packets as following this Policy Route This access profile alo...

Page 155: ...ng Advantages of QoS QoS is an implementation of the IEEE 802 1p standard that allows network administrators a method of reserving bandwidth for important functions that require a large bandwidth or h...

Page 156: ...ministrator instructs the Switch to examine packets for this tag acquires the tagged packets and maps them to a class queue on the Switch Then in turn the administrator will set a priority for this qu...

Page 157: ...e sent in the following sequence A1 B1 C1 D1 E1 F1 G1 H1 A2 B2 C2 D2 E2 F2 G2 A3 B3 C3 D3 E3 F3 A4 B4 C4 D4 E4 A5 B5 C5 D5 A6 B6 C6 A7 B7 A8 A1 B1 C1 D1 E1 F1 G1 H1 For weighted round robin queuing if...

Page 158: ...limited bandwidth Rate This field allows you to enter the data rate in Kbits per second that will be the limit for the selected port The value must be a multiple of 64 between 64 and 1024000 Click App...

Page 159: ...acket storm discontinues before the Countdown timer expires the port will again allow all incoming traffic If this field times out and the packet storm continues the port will be placed in a Shutdown...

Page 160: ...ngs for this field are 0 5 30 minutes 0 is disable forever state port will not enter shutdown forever mode Time Interval The Interval will set the time between Multicast and Broadcast packet counts se...

Page 161: ...to any given port on the Switch The priority queues are numbered from 0 the lowest priority to 7 the highest priority Click Apply to implement your settings The following information is displayed in...

Page 162: ...the assignment of a user priority to each of the 802 1p priorities To view this window click QoS 802 1p User Priority Figure 5 6 802 1p User Priority window Once you have assigned a priority to the p...

Page 163: ...k performance especially during peak demand as bottlenecks can quickly develop if the QoS settings are not suitable To view this window click QoS QoS Scheduling Mechanism Figure 5 7 QoS Scheduling Mec...

Page 164: ...n below Figure 5 8 QoS Scheduling window The following parameters can be configured Parameter Description From Port To Port Enter the port or port list you wish to configure Class ID Select the Class...

Page 165: ...l Settings window The following parameters can be configured Parameter Description From Port To Port Enter the port or port list you wish to configure Class ID Select the Class ID from 0 6 to configur...

Page 166: ...ilization while minimizing frame loss This proactive approach starts discarding specific colored packets before the packet buffer becomes full If this queue depth is less than the threshold there is m...

Page 167: ...ckets it might also include yellow packets Threshold High Threshold High refers to the drop yellow or green packets depending on the drop mode Drop Rate Low There are eight drop rates as shown below t...

Page 168: ...es Layer 2 Stackable Fast Ethernet Managed Switch User Manual 167 DSCP Trust Settings This window is used to enable DSCP Trust Settings To view this window click QoS SRED DSCP Trust Settings Figure 5...

Page 169: ...port Then the packet will be processed base on the new DSCP By default the DSCP is mapped to the same DSCP The DSCP to color mapping is used to determine the initial color of the packet when the polic...

Page 170: ...space provided which will instruct the Switch to examine the DiffServ Code part of each packet header and use this as the or part of the criterion for forwarding The user may choose a value between 0...

Page 171: ...Description From port To port A consecutive group of ports may be configured starting with the selected port Priority List 0 7 This parameter is specified if you want to re write the 802 1p default pr...

Page 172: ...y packets to process or b exerts too much memory it will enter an Exhausted mode When in this mode the Switch only receives a small amount of ARP or IP broadcast packets for a calculated time interval...

Page 173: ...ll decrease by half of the level that caused the Switch to enter Exhausted mode After the packet flow has stabilized the rate will initially increase by 25 and then return to a normal packet flow To c...

Page 174: ...designated management stations only the chosen stations as defined by IP address will be allowed management privilege through the web manager or Telnet session To define a management station IP setti...

Page 175: ...binding configuration set on the Switch To view this window click Security IP MAC Port Binding IMP Binding Global Settings Figure 6 4 IMP Binding Global Settings window The following parameters can b...

Page 176: ...ket is not found by the entry the MAC address will be set to block Other packets will be dropped The default mode is strict if not specified The ports with strict mode will capture unicast DHCP packet...

Page 177: ...t is 500 Max Entry 1 50 Specifies the maximum number of IP MAC Port Binding entries By default The maximum entry for each port is No Limit IMP Binding Entry Settings This table is used to create Stati...

Page 178: ...d To delete an entry click the delete button next to the entry s port To delete all the entries in the Blocked Address Browser window click Clear All To view this window click Security IP MAC Port Bin...

Page 179: ...d ports Max Learning Address 0 64 The number of MAC addresses that will be in the MAC address forwarding table for the selected switch and group of ports Lock Address Mode This pull down menu allows y...

Page 180: ...HCP servers are present on the network and both provide DHCP services to different distinct groups of clients The first time the DHCP filter is enabled it will create both an access profile entry and...

Page 181: ...ss Duration The DHCP server filtering function filters any illegal DHCP server packets The DHCP server who sends the illegal packets will be logged This command is used to suppress the logging of DHCP...

Page 182: ...t Based and Host Based Access Control The IEEE 802 1X standard is a security measure for authorizing and authenticating users to gain access to various wired or wireless devices on a specified Local A...

Page 183: ...packets and in turn informs the Switch whether or not the Client is granted access to the LAN and or switches services Figure 6 15 The Authentication Server Authenticator The Authenticator the Switch...

Page 184: ...he LAN and or Switch through EAPOL packets and in turn will respond to requests from the Switch Figure 6 17 The Client Authentication Process Utilizing the three roles stated above the 802 1X protocol...

Page 185: ...nticated by the Switch using a remote RADIUS server before being allowed access to the Network Understanding 802 1X Port based and Host based Network Access Control The original intent behind the deve...

Page 186: ...orized and all subsequent traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become Unauthorized Hence if there are more than one device con...

Page 187: ...ogical Port can be seen as independently controlled from the point of view of EAPOL exchanges and authorization state The Switch learns each attached devices individual MAC addresses and effectively c...

Page 188: ...he port Authentication Protocol Choose the Auth Protocol either RADIUS EAP or Local Forward EAPOL PDU This enables or disables the Switch retransmit EAPOL PDU Request Max User 1 488 Specify the maximu...

Page 189: ...efault setting is 30 seconds ServerTimeout 1 65535 This value determines timeout conditions in the exchanges between the Authenticator and the authentication server The default setting is 30 seconds M...

Page 190: ...r The default setting is Auto Capability This allows the 802 1X Authenticator settings to be applied on a per port basis Select Authenticator to apply the settings to the port When the setting is acti...

Page 191: ...ver to configure 1 2 or 3 IP Address Set the RADIUS Server IP Authentic Port 1 65535 Set the RADIUS authentic server s UDP port The default port is 1812 Accounting Port 1 65535 Set the RADIUS account...

Page 192: ...width 100Mbps on an Ethernet port or 1Gbps on a Gigabit port of the port will be set to no_limited 2 To assign 802 1p default priority by RADIUS server proper parameters should be configured on the RA...

Page 193: ...er does not support the Tag field the Tunnel Private Group ID string will be dealt as VLAN name The definitions of the Tag field are Tag field value String field format 0x00 VLAN name ASCII 0x01 VLAN...

Page 194: ...ces on the Switch will need to be authenticated by a remote RADIUS Server or local authentication on the Switch to be placed in a fully operational VLAN If authenticated and the authenticator posseses...

Page 195: ...they exchange keys in looking for a match and therefore authentication to be accepted to negotiate encryptions on the following level 2 Encryption The second part of the ciphersuite that includes the...

Page 196: ...ers specific encryption algorithms and key sizes to be used for an authentication session The Switch possesses four possible ciphersuites for the SSL function which are all enabled by default To utili...

Page 197: ...r disable this ciphersuite This field is enabled by default RSA EXPORT with RC4 40 MD5 This ciphersuite combines the RSA Export key exchange and stream cipher RC4 encryption with 40 bit keys Use the p...

Page 198: ...s as to the method SSH will use to authorize the user which are Host Based Password and Public Key 3 Configure the encryption algorithm that SSH will use to encrypt and decrypt messages sent between t...

Page 199: ...ssword This parameter may be enabled if the administrator wishes to use a locally configured password for authentication on the Switch The default is enabled Public Key This parameter may be enabled i...

Page 200: ...he default is enabled Public Key Algorithm HMAC RSA Check the box to enable the HMAC Hash for Message Authentication Code mechanism utilizing the RSA encryption algorithm The default is enabled HMAC D...

Page 201: ...authentication Upon entry of this parameter the Switch will prompt the administrator for a password and then to re type the password for confirmation Public Key This parameter should be chosen if the...

Page 202: ...r doesn t respond to the verification query At this point the Switch receives the timeout from the server and then moves to the next method of verification configured in the method list The Switch has...

Page 203: ...n attempts Users failing to be authenticated after the set amount of attempts will be denied access to the Switch and will be locked out of further authentication attempts Command line interface users...

Page 204: ...tion Server Group This window will allow users to set up Authentication Server Groups on the Switch A server group is a technique used to group TACACS XTACACS TACACS RADIUS server hosts into user defi...

Page 205: ...CS daemon TACACS XTACACS TACACS protocols are separate entities and are not compatible with each other Authentication Server This window will set user defined Authentication Server Hosts for the TACAC...

Page 206: ...n on the same physical server host but remember that TACACS XTACACS TACACS are separate entities and are not compatible with each other Login Method Lists This command will configure a user defined or...

Page 207: ...tabase on the Switch none Adding this parameter will require no authentication to access the Switch Enable Method Lists The Enable Method List Settings window is used to set up Method Lists to promote...

Page 208: ...uthenticated using the RADIUS protocol from a remote RADIUS server tacacs Adding this parameter will require the user to be authenticated using the TACACS protocol from a remote TACACS server xtacacs...

Page 209: ...to send these informational packets Account Session ID Account Status Type Account Terminate Cause Account Authentic Account Delay Time Account Session Time Username Service Type NAS IP Address NAS Id...

Page 210: ...FDB of that port 2 If a port is granted clearance for a MAC address in a VLAN that is not a Guest VLAN other MAC addresses on that port must be authenticated for access and otherwise will be blocked b...

Page 211: ...ed Access Control Local Database Settings window RADIUS Use this method to utilize a remote RADIUS server as the authenticator for MAC based Access Control Remember the MAC list must be previously set...

Page 212: ...o unauthenticated state Hold Time 1 300 If a host fails to pass the authentication the next authentication will not started within the entered period of time unless the user clear the entry state manu...

Page 213: ...l IP is transformed into the physical IPIF IP interface address of the Switch to make the communication possible The host PC and other servers IP configurations do not depend on the virtual IP of WAC...

Page 214: ...xStack DES 3528 DES 3552 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual 213...

Page 215: ...cal authentication method of the Switch as the authenticating method for users trying to access the network via the switch This is in fact the username and password to access the Switch configured usi...

Page 216: ...ion Page field set will be prompted with an error message and Web based Access Control will not be enabled The URL should follow the form http s www dlink com NOTE The subnet of the IP address of the...

Page 217: ...ettings window To set the Web based Access Control for the Switch complete the following fields Parameter Description Port Settings From Port To Port Enter the Port range State Use the pull down menu...

Page 218: ...JWAC Japanese Web based Access Control The JWAC folder contains three windows JWAC Global Settings JWAC Port Settings JWAC User Settings JWAC Global Settings Use this window to enable and configure J...

Page 219: ...en redirect is disabled only access to the quarantine server and the JWAC login page from the unauthenticated host are allowed all other web access will be denied NOTE When enabling redirect to the qu...

Page 220: ...Switch will handle this HTTP packet and send back a message to the host to allow it access to the Quarantine Server with the configured URL When a computer is connected to the specified URL the quara...

Page 221: ...checked The default setting is Infinite Block Time 0 300 Seconds This parameter specifies the period of time a host will keep in a blocked state after it fails to authenticate Enter a value between 0...

Page 222: ...OS traffic NetBEUI has been the protocol of choice for small MS DOS and Windows based workgroups NetBIOS no longer lives strictly inside of the NetBEUI protocol Microsoft worked to create the internat...

Page 223: ...n a port The Multiple Authentication feature allows clients running different authentication methods to connect to the network using the same switch port The Multiple Authentication feature can be imp...

Page 224: ...ying one of the supported authentication methods The IMPB Table is used to create a white list that checks if the IP streams sent by authorized hosts have been granted or not In the above diagram the...

Page 225: ...not In the above diagram the Switch port has been configured to allow clients to authenticate using JWAC If a client passes IMPB authentication and JWAC authentication access will be granted If a cli...

Page 226: ...set Parameter Description VLAN Name VLAN ID 1 4094 Click the radio button and enter the VLAN name VLAN ID of a previously configured VLAN to which the failed authenticated web users will be allocated...

Page 227: ...based on the criteria specified in the access profile It tests packets against the conditions in an access list one by one The ACL consists of profiles and rules Generally speaking the profiles specif...

Page 228: ...source address or the IPv6 destination address at any one time Action Select Permit to specify that the packets that match the access profile are forwarded by the Switch according to any additional ru...

Page 229: ...ss Profile Lists Figure 7 2 Access Profile Lists To add an ACL Profile click the Add ACL Profile button which will display the window below There are four Access Profile Configuration pages one for Et...

Page 230: ...ach packet header Select IPv4 to instruct the Switch to examine the IPv4 address in each frame s header Select IPv6 to instruct the Switch to examine the IPv6 address in each frame s header Select Pac...

Page 231: ...g Delete button to view the specific configurations for an entry click the Show Details button To add a rule to the Access Profile entry click the Add View Rules button Figure 7 5 Access Profile List...

Page 232: ...t header Action Select Permit to specify that the packets that match the access profile are forwarded by the Switch according to any additional rule added see below Select Deny to specify the packets...

Page 233: ...using the following equation 1 value 64Kbit sec ex If the user selects an Rx rate of 10 then the ingress rate is 640Kbit sec The user many select a value between 1 and 15624 or tick the No Limit check...

Page 234: ...or forwarding Source IP Mask Enter an IP address mask for the source IP address Destination IP Mask Enter an IP address mask for the destination IP address ICMP Type icmp Specifies that the Switch wil...

Page 235: ...n port in hex form hex 0x0 0xffff which you wish to filter Select UDP to use the UDP port number contained in an incoming packet as the forwarding criterion Selecting UDP requires that you specify a s...

Page 236: ...ifier number for this access This value can be set from 1 to 128 VLAN Name VLAN ID Allows the entry of a VLAN name or VLAN ID for a previously configured VLAN DSCP Selecting this option instructs the...

Page 237: ...the DSCP value in a packet that meets the selected criteria with the value entered in the adjacent field Replace ToS Precedence Select this option to instruct the Switch to replace the Type of Servic...

Page 238: ...eader that is similar to the Type of Service ToS or Precedence bits field in IPv4 IPv6 Flow Label Ticking this check box will instruct the Switch to examine the flow label field of the IPv6 header Thi...

Page 239: ...n entry click the Show D etails button To add a rule to the Access Profile entry click the Add View Rules button Figure 7 17 Access Profile List IPv6 To view the configurations for previously configur...

Page 240: ...ined in the config mirror port command Port Mirroring must be enabled and a target port must be set Priority 0 7 Enter a priority value if you want to re write the 802 1p default priority of a packet...

Page 241: ...rule will be implemented on the Switch Counter Enable or disable the counter settings Ports VLAN Name VLAN ID Use the pull down menu to select Ports VLAN Name or VLAN ID that the access rule will take...

Page 242: ...Allows users to examine up to 4 specified offset_chunks within a packet at one time and specifies the frame content offset and mask There are 4 chunk offsets and masks that can be configured A chunk m...

Page 243: ...Profile List entry in the Access Profile List table shown below To add another Access Profile click Add ACL Profile To delete a profile click the corresponding Delete button to view the specific conf...

Page 244: ...be set Priority 0 7 Enter a priority value if you want to re write the 802 1p default priority of a packet to the value entered in the Priority field which meets the criteria specified previously in...

Page 245: ...ever ARP is vulnerable as it can be easily spoofed and utilized to attack a LAN For a more detailed explanation on how ARP works and how to employ D Link s advanced unique Packet Content ACL to preven...

Page 246: ...st entries created on the Switch one CPU access profile of each type has been created for explanatory purposes To view the configurations for an entry click the corresponding Show Details button To ad...

Page 247: ...address in each frame s header Select Packet Content Mask to specify a mask to hide the content of the packet header Source MAC Mask Enter a MAC address mask for the source MAC address Destination MAC...

Page 248: ...uirements for the type of profile Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header Select IPv4 to instruct the Switch to examine the IPv4 address in each frame...

Page 249: ...he packets by checking the boxes corresponding to the flag bits of the TCP field The user may choose between urg urgent ack acknowledgement psh push rst reset syn synchronize fin finish src port mask...

Page 250: ...mask to hide the content of the packet header IPv6 Class Checking this field will instruct the Switch to examine the class field of the IPv6 header This class field is a part of the packet header tha...

Page 251: ...acket content mask This will change the menu according to the requirements for the type of profile Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header Select IPv4...

Page 252: ...To establish the rule for a previously created CPU Access Profile To configure the Access Rules for Ethernet open the CPU Access Profile List window and click Add View Rules for an Ethernet entry This...

Page 253: ...box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window This will set specific times when this access rule will be implemented on the S...

Page 254: ...rule added see below Select Deny to specify the packets that match the access profile are not forwarded by the Switch and will be filtered VLAN Name Enter a VLAN name that has been previously configu...

Page 255: ...Enter an IPv6 Class The class can be between 0 255 Flow Label Configuring this field in hex form will instruct the Switch to examine the flow label field of the IPv6 header This flow label field is u...

Page 256: ...view the following window Figure 7 45 CPU Access Rule Detail Information window for IPv6 To establish the rule for a previously created CPU Access Profile To configure the Access Rules for IP open th...

Page 257: ...name of the Time Range settings that has been previously configured in the Time R ange Settings window This will set specific times when this access rule will be implemented on the Switch Ports Specif...

Page 258: ...which will display the following window for the user to configure Figure 7 51 ACL Flow Meter Add window The following fields may be configured Parameter Description Profile ID Use the drop down menu t...

Page 259: ...say 1 means 64Kbps CBS Kbyte Specifies the Committed Burst Size of the packet Tha range is from 0 to 16384 The unit is Kbyte That is to say 1 means 1Kbyte This parameter is optional and the default v...

Page 260: ...able Browse VLAN Show VLAN Ports Browse Voice VLAN Device Browse DHCP Server Dynamic Binding Brwose DHCP Conflict IP Browse Session Table MLD Snooping IGMP Snooping Ethernet OAM JWAC Authentication St...

Page 261: ...e Diagnostics This window displays the details of copper cables attached to specific ports on the Switch If there is an error in the cable this feature can determine the type of error and the position...

Page 262: ...U Utilization Figure 8 3 CPU Utilization window To view the CPU utilization by port use the real time graphic of the Switch and or switch stack at the top of the web page by simply clicking on a port...

Page 263: ...ort by using the Port pull down menu The user may also use the real time graphic of the Switch at the top of the web page by simply clicking on a port Change the view parameters as follows Parameter D...

Page 264: ...user may also use the real time graphic of the Switch at the top of the web page by simply clicking on a port To view the packet size windows click Monitoring Packet Size Figure 8 5 Packet Size window...

Page 265: ...ts 256 511 The total number of packets including bad packets received that were between 256 and 511 octets in length inclusive excluding framing bits but including FCS octets 512 1023 The total number...

Page 266: ...witch To select a port to view these statistics for select the port by using the Port pull down menu The user may also use the real time graphic of the Switch at the top of the web page by simply clic...

Page 267: ...r of bytes received on the port Packets Counts the number of packets received on the port Unicast Counts the total number of good packets that were received by a unicast address Multicast Counts the t...

Page 268: ...y also use the real time graphic of the Switch at the top of the web page by simply clicking on a port To view the following graph of UMB cast packets received on the Switch click Monitoring Packets U...

Page 269: ...s that were received by a broadcast address Show Hide Check whether or not to display Multicast Broadcast and Unicast Packets Clear Clicking this button clears all statistics counters on this window C...

Page 270: ...unts the number of bytes successfully sent on the port Packets Counts the number of packets successfully sent on the port Unicast Counts the total number of good packets that were transmitted by a uni...

Page 271: ...view these statistics for select the port by using the Port pull down menu The user may also use the real time graphic of the Switch at the top of the web page by simply clicking on a port To view the...

Page 272: ...ets received that were longer than 1518 octets and less than the MAX_PKT_LEN Internally MAX_PKT_LEN is equal to 1536 Fragment The number of packets less than 64 bytes with either bad framing or an inv...

Page 273: ...aph of error packets received on the Switch Click the Monitoring Errors Transmitted TX Figure 8 15 Transmitted TX window for errors To view the Transmitted TX Table window click the link View Table wh...

Page 274: ...SingColl Single Collision Frames The number of successfully transmitted packets for which transmission is inhibited by more than one collision Collision An estimate of the total number of collisions...

Page 275: ...resses The number of RADIUS Access Response packets received from unknown addresses Identifier The NAS Identifier of the RADIUS authentication client This is not necessarily the same as sysName in MIB...

Page 276: ...t packets destined for this server that have not yet timed out or received a response This variable is incremented when an Access Request is sent and decremented due to receipt of an Access Accept Acc...

Page 277: ...ceptual table listing the RADIUS accounting servers with which it shares a secret ServerPortNumber The UDP port it is using to send requests to this server RoundTripTime The time interval between the...

Page 278: ...802 1X Status on the Switch To view the Authenticator State click Monitoring Port Access Control Authenticator State Figure 8 19 Authenticator State window This window displays the Authenticator State...

Page 279: ...mber of EAP Req Id frames that have been transmitted by this Authenticator RxLogOff The number of EAPOL Logoff frames that have been received by this Authenticator Tx Req The number of EAP Request fra...

Page 280: ...on Port The identification number assigned to the Port by the System in which the Port resides Octets Rx The number of octets received in user data frames on this port during the session Octets Tx The...

Page 281: ...dow contains the diagnostic information regarding the operation of the Authenticator associated with each port An entry appears in this table for each port that supports the Authenticator function To...

Page 282: ...an EAPOL Start message being received from the Supplicant Authed LogOff Counts the number of times that the state machine transitions from AUTHENTICATED to DISCONNECTED as a result of an EAPOL Logoff...

Page 283: ...Clear All The view the Browse ARP Table window click Monitoring Browse ARP Table Figure 8 23 Browse ARP Table window Browse Route Table This window displays the current IP routing table of the Switch...

Page 284: ...ed to clients on the local network and are now bound to the device stated by its MAC address To view this window click Monitoring Browse DHCP Server Dynamic Binding Figure 8 28 Browse DHCP Server Dyna...

Page 285: ...e Session Table window click Monitoring Browse Session Table Figure 8 30 Browse Session Table window MLD Snooping Browse MLD Router Port This window displays which of the Switch s ports are currently...

Page 286: ...button The information of the MLD snooping group will display in the MLD Snooping Group Table To view this window click Monitoring MLD Snooping MLD Snooping Group as shown below Figure 8 32 MLD Snoopi...

Page 287: ...ng settings of the Switch Browse IGMP Router Port This window displays which of the Switch s ports are currently configured as router ports A router port configured by a user using the console or Web...

Page 288: ...IGMP Snooping Group window The following field can be viewed Parameter Description VLAN Name The VLAN ID of the multicast group VLAN List e g 1 4 6 The VLAN ports of the multicast group Group IP Addr...

Page 289: ...dow click Monitoring IGMP Snooping Browse IGMP Snooping Counter as shown below Figure 8 38 Browse IGMP Snooping Counter window Enter the VLAN Name VLAN List or Port List of the VLAN you wish to view a...

Page 290: ...Ethernet OAM Statistics This window displays the Ethernet OAM Statistic information on each port of the Switch To clear information for a particular port or list of ports enter the ports and click Cl...

Page 291: ...d Access Control authentication information Specify the port list you wish to view and click Find To remove an entry enter the appropriate information and click Clear Click View All Hosts to see all t...

Page 292: ...orresponds MAC Address Enter a MAC address for the forwarding table to be browsed by IP Address Enter an IP address for the forwarding table to be browsed by Find By Port Click this button to move to...

Page 293: ...rameter Description Port The port to which the MAC address below corresponds VLAN Name Enter a VLAN Name for the forwarding table to be browsed by MAC Address Enter a MAC address for the forwarding ta...

Page 294: ...w Clicking Clear will allow the user to clear the Switch History Log The information in the table is categorized as Parameter Description Type Choose the type of log to view There are two choices Regu...

Page 295: ...ry The options include Save Configuration_ID_1 to save the configuration file indexed as Image file 1 To use this file for configuration it must be designated as the Boot configuration Save Configurat...

Page 296: ...ck Save C onfiguration I D 2 to open the following window Figure 9 2 Save Configuration ID 2 window Save Log Open the Save drop down menu at the top of the Web manager and click Save Log to open the f...

Page 297: ...Server IP address and file path name and then click Upload or Upload Attack Log Figure 12 2 Upload Log File window Reset The Reset function has several options when resetting the Switch Some of the c...

Page 298: ...nd field Click Download to initiate the file transfer Reboot System The following window is used to restart the Switch Figure 12 5 Reboot System window Clicking the Yes radio button will instruct the...

Page 299: ...own in Figure 1 Figure 1 In the mean time PC A s MAC address will be written into the Sender H W Address and its IP address will be written into the Sender Protocol Address in ARP payload As PC B s MA...

Page 300: ...arding Table the switch will learn PC A s MAC and the associated port into its Forwarding Table Port1 00 20 5C 01 11 11 In addition when the switch receives the broadcast ARP request it will flood the...

Page 301: ...s Target H W address Target protocol address ARP reply 00 20 5C 01 11 11 10 10 10 1 00 20 5C 01 22 22 Table 3 ARP Payload When PC B replies the query the Destination Address in the Ethernet frame will...

Page 302: ...ateway Any traffic meant for that IP address would be mistakenly re directed to the node specified by the attacker IP spoofing attack is caused by Gratuitous ARP that occurs when a host sends an ARP r...

Page 303: ...a nonexistent or specified MAC address to the IP address of the network s default gateway The malicious attacker only needs to broadcast ONE Gratuitous ARP to the network claiming it is the gateway s...

Page 304: ...rnet the Sender MAC address and Sender IP address in the ARP protocol can pass through the switch In this example it is the gateway s ARP 2 The switch will deny all other ARP packets which claim they...

Page 305: ...nk24 Offset Chunk25 Offset Chunk26 Offset Chunk27 Offset Chunk28 Offset Chunk129 Offset Chunk30 Byte 63 67 71 75 79 83 87 91 95 99 103 107 111 115 119 123 Byte 64 68 72 76 80 84 88 92 96 100 104 108 1...

Page 306: ...xStack DES 3528 DES 3552 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual 305...

Page 307: ...red Critical Redundant Power failed Unit unitID Redundant Power failed Critical Redundant Power is working Unit unitID Redundant Power is working Critical Access flash failed Unit unitID Access flash...

Page 308: ...Successful login through Web Successful login through Web Username username IP ipaddr Informational Login failed through Web Login failed through Web Username username IP ipaddr Warning Logout through...

Page 309: ...licy is enabled Authentication Policy is enabled Module AAA Informational Authentication Policy is disabled Authentication Policy is disabled Module AAA Informational Successful login through Console...

Page 310: ...hrough Web SSL from userIP authenticated by AAA none method Username username Informational Successful login through Telnet authenticated by AAA none method Successful login through Telnet from userIP...

Page 311: ...l Enable Admin failed through Console authenticated by AAA local_enable method Enable Admin failed through Console authenticated by AAA local_enable method Username username Warning Successful Enable...

Page 312: ...through Web authenticated by AAA server Successful Enable Admin through Web from userIP authenticated by AAA server serverIP Username username Informational Enable Admin failed through Web authenticat...

Page 313: ...configuration Username username Warning Enable Admin failed through Telnet from user due to AAA server timeout or improper configuration Enable Admin failed through Telnet from userIP due to AAA serv...

Page 314: ...reated Creating IMPB entry Failed due to no ACL rule available IP ipaddr MAC macaddr Port unitID portNum Informational Port enter IMPB block state Port unitID portNum enter IMPB block state Informatio...

Page 315: ...vel VLAN vid Local Port portNum Direction direcrtion Warning CFM remote down CFM remote down MD Level level VLAN vid Local Port S Direction direcrtion Warning CFM error ccm CFM error ccm MD Level leve...

Page 316: ...6 1 6 3 1 1 5 1 None V2 RFC1907 SNMPv2 MIB Critical warmStart 1 3 6 1 6 3 1 1 5 2 None V2 RFC1907 SNMPv2 MIB Critical authenticationFailure 1 3 6 1 6 3 1 1 5 5 None V2 RFC1907 SNMPv2 MIB Informationa...

Page 317: ...StormCtrl MIB Warning swPktStormCleared 1 3 6 1 4 1 171 12 25 5 0 2 swPktStormCtrlPortIndex V2 PktStormCtrl MIB Warning swPktStormDisablePort 1 3 6 1 4 1 171 12 25 5 0 3 swPktStormCtrlPortIndex V2 Pkt...

Page 318: ...xStack DES 3528 DES 3552 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual 317 agentGratuitousARPTrap 1 3 6 1 4 1 171 12 1 7 2 0 5 agentNotifyPrefix V2 Genmgmt MIB Warning...

Page 319: ...omatically map an IP address to a given MAC address each time a device is started In addition the protocol can assign the subnet mask and default gateway to a device bridge A device that interconnects...

Page 320: ...also main port and standby port RJ 45 Standard 8 wire connectors for IEEE 802 3 10BASE T networks RMON Remote Monitoring A subset of SNMP MIB II that allows monitoring and management capabilities by a...

Page 321: ...rogram on another device VLAN Virtual L AN A group of location and topology independent devices that communicate as if they are on a common physical LAN VLT Virtual LAN Trunk A Switch to Switch link w...

Page 322: ...rminal emulation to the console port of the switch 2 Power on the switch After the runtime image is loaded to 100 the Switch will allow 2 seconds for the user to press the hotkey Shift 6 to enter the...

Reviews:

No comments