xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch

194

Authenticator Statistics 

Users can display statistics objects for the Authenticator PAE associated with each port. An entry appears in this table for each port that supports the Authenticator function.

To view the following window, click Monitoring > Port Access Control > Authenticator Statistics.

Figure 7 - 19. Authenticator Statistics window 

The user may also select the desired time interval to update the statistics, between 1s and 60s, where "s" stands for seconds. The default value is one second.

The following fields can be viewed:

Parameter     Description
Port          The identification number assigned to the Port by the System in which the Port resides.
Frames Rx     The number of valid EAPOL frames that have been received by this Authenticator.
Frames Tx     The number of EAPOL frames that have been transmitted by this Authenticator.
Rx Start      The number of EAPOL Start frames that have been received by this Authenticator.
TxReqId       The number of EAP Req/Id frames that have been transmitted by this Authenticator.
RxLogOff      The number of EAPOL Logoff frames that have been received by this Authenticator.
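As an added example (not from the D-Link manual or its firmware), the following Python shows how the counters in this table are derived from EAPOL frames on the wire: which received frames count as valid EAPOL frames, which of them are EAPOL-Start and EAPOL-Logoff, and which transmitted frames are EAP Request/Identity. Frame layouts follow IEEE 802.1X and RFC 3748; the MAC addresses, the validity rule and the sample frames are constructed for this illustration.

```python
# Added example: derive the Authenticator Statistics counters from raw EAPOL
# frames, the way an Authenticator PAE tallies them per port. Layouts follow
# IEEE 802.1X (EAPOL) and RFC 3748 (EAP); sample frames are constructed inline.
import struct
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E
# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
# EAP codes (RFC 3748) and the Identity method type
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


@dataclass
class AuthenticatorStats:
    """Per-port counters named as in the manual's table."""
    frames_rx: int = 0      # Frames Rx: valid EAPOL frames received
    frames_tx: int = 0      # Frames Tx: EAPOL frames transmitted
    rx_start: int = 0       # Rx Start:  EAPOL-Start frames received
    tx_req_id: int = 0      # TxReqId:   EAP Request/Identity frames transmitted
    rx_logoff: int = 0      # RxLogOff:  EAPOL-Logoff frames received
    invalid_rx: int = 0     # malformed frames; not counted in frames_rx


def parse_eapol(frame: bytes):
    """Return (eapol_type, body) for a valid 802.1X frame, else None.

    Validity (an assumption for this example): EtherType 0x888E, a known
    protocol version, a 4-byte EAPOL header and a body at least as long as
    the Packet Body Length field claims. Trailing Ethernet padding is ignored.
    """
    if len(frame) < 14 + 4:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != EAPOL_ETHERTYPE:
        return None
    version, eapol_type, body_len = struct.unpack_from("!BBH", frame, 14)
    if version not in (1, 2, 3):
        return None
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        return None  # truncated: header claims more body than is present
    return eapol_type, body


def is_eap_request_identity(body: bytes) -> bool:
    """True if an EAPOL-EAP body carries an EAP Request of type Identity."""
    if len(body) < 5:
        return False
    code, _ident, eap_len, eap_type = struct.unpack_from("!BBHB", body, 0)
    return code == EAP_REQUEST and eap_len >= 5 and eap_type == EAP_TYPE_IDENTITY


def count_frames(frames):
    """Tally counters over (direction, frame) pairs; direction is 'rx' or 'tx'."""
    stats = AuthenticatorStats()
    for direction, frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            if direction == "rx":
                stats.invalid_rx += 1
            continue
        eapol_type, body = parsed
        if direction == "rx":
            stats.frames_rx += 1
            if eapol_type == EAPOL_START:
                stats.rx_start += 1
            elif eapol_type == EAPOL_LOGOFF:
                stats.rx_logoff += 1
        else:
            stats.frames_tx += 1
            if eapol_type == EAPOL_EAP_PACKET and is_eap_request_identity(body):
                stats.tx_req_id += 1
    return stats


def build_eapol(dst, src, eapol_type, body=b"", version=1):
    """Assemble an Ethernet II frame carrying one EAPOL PDU (constructed sample)."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, eapol_type, len(body)) + body


# Constructed sample traffic on one port (MAC addresses are made up).
PAE_GROUP = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
SUPPLICANT = bytes.fromhex("020000000001")
AUTHENTICATOR = bytes.fromhex("020000000002")

REQ_ID = struct.pack("!BBHB", EAP_REQUEST, 1, 5, EAP_TYPE_IDENTITY)
RESP_ID = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + 5, EAP_TYPE_IDENTITY) + b"alice"

SAMPLE = [
    ("rx", build_eapol(PAE_GROUP, SUPPLICANT, EAPOL_START)),
    ("tx", build_eapol(SUPPLICANT, AUTHENTICATOR, EAPOL_EAP_PACKET, REQ_ID)),
    ("rx", build_eapol(PAE_GROUP, SUPPLICANT, EAPOL_EAP_PACKET, RESP_ID)),
    ("tx", build_eapol(SUPPLICANT, AUTHENTICATOR, EAPOL_EAP_PACKET, REQ_ID)),  # retransmit
    ("rx", build_eapol(PAE_GROUP, SUPPLICANT, EAPOL_LOGOFF)),
    # Truncated frame: header claims a 20-byte body but none follows, so it is not "valid"
    ("rx", PAE_GROUP + SUPPLICANT + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, EAPOL_EAP_PACKET, 20)),
]

if __name__ == "__main__":
    print(count_frames(SAMPLE))
```

Comparing Rx Start and RxLogOff against Frames Rx over a polling interval is the practical use of these counters: a port whose Start or Logoff counts climb without a matching rise in completed exchanges is worth a closer look.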

Summary of Contents for DGS-3200-16 - Switch - Stackable

Page 1: ...Manual ProductModel xStack DGS 3200 Series Layer2ManagedGigabit Ethernet Switch Release 1 35 ...

Page 2: ...ictly forbidden Trademarks used in this text D Link and the D LINK logo are trademarks of D Link Computer Corporation Microsoft and Windows are registered trademarks of Microsoft Corporation Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products D Link Computer Corporation disclaims any proprietary interest in tr...

Page 3: ...ation 4 Device Information 4 System Information 5 Serial Port Settings 6 IP Address 6 Setting the Switch s IP Address using the Console Interface 8 IPv6 Interface Settings 8 IPv6 Route Table 9 IPv6 Neighbor Settings 10 Port Configuration 11 Port Settings 11 Port Description 12 Port Error Disabled 12 Static ARP Settings 13 User Accounts 14 Admin and User Privileges 14 System Log Configuration 15 Sy...

Page 4: ... State Settings 34 SNMP View Table 34 SNMP Group Table 35 SNMP User Table 36 SNMP Community Table 37 SNMP Host Table 38 SNMP v6Host Table 39 SNMP Engine ID 40 SNMP Trap Configuration 40 RMON 40 Single IP Management 41 Single IP Settings 43 Topology 44 Firmware Upgrade 51 Configuration File Backup Restore 51 Upload Log File 51 Layer 2 Features 52 Jumbo Frame 52 Egress Filter Settings 53 802 1Q VLAN...

Page 5: ...81 STP Port Settings 82 MST Configuration Identification 84 STP Instance Settings 85 MSTP Port Information 86 Forwarding Filtering 87 Unicast Forwarding 87 Multicast Forwarding 87 Multicast Filtering Mode 88 QoS 89 Bandwidth Control 91 Traffic Control 92 802 1p Default Priority 94 802 1p User Priority 94 QoS Scheduling Mechanism 95 Security 96 Safeguard Engine 96 Trusted Host 98 IP MAC Port Bindin...

Page 6: ...n Policy and Parameter Settings 125 Application Authentication Settings 125 Authentication Server Group 126 Authentication Server Host 127 Login Method Lists 129 Enable Method Lists 130 Configure Local Enable Password 131 Enable Admin 131 MAC based Access Control 132 MAC based Access Control Settings 132 MAC based Access Control Local Settings 134 Web based Access Control WAC 134 WAC Global Settin...

Page 7: ...uthenticator Statistics 194 Authenticator Session Statistics 196 Authenticator Diagnostics 198 RADIUS Authentication 200 RADIUS Account Client 201 Browse ARP Table 203 Browse VLAN 203 Browse Router Port 204 Browse MLD Router Port 204 Browse Session Table 205 IGMP Snooping Group 205 MLD Snooping Group 206 WAC Authenticating State 207 JWAC Host Table 208 MAC Address Table 209 System Log 210 MAC base...

Page 8: ... viii Download Firmware 215 Reboot System 215 Appendix A Mitigating ARP Spoofing Attacks Using Packet Content ACL 216 Appendix B Switch Log Entries 223 Appendix C Trap Logs 234 Appendix D Password Recovery Procedure 237 Appendix E Glossary 238 Warranty Support 240 ...

Page 9: ...ssages or prompts appearing on screen For example You have mail Bold font is also used to represent filenames program names and commands For example use the copy command Boldface Typewriter Font Indicates commands and responses to prompts that must be typed exactly as printed in the manual Initial capital letter Indicates a window name Names of keys on the keyboard have initial capitals For exampl...

Page 10: ...ce any product except as explained in the system documentation Opening or removing covers that are marked with the triangular symbol with a lightning bolt may expose the user to electrical shock Only a trained service technician should service components inside these compartments If any of the following conditions occur unplug the product from the electrical outlet and replace the part or contact ...

Page 11: ...ong plugs to help ensure proper grounding Do not use adapter plugs or remove the grounding prong from a cable If using an extension cable is necessary use a 3 wire cable with properly grounded plugs Observe extension cable and power strip ratings Make sure that the total ampere rating of all products plugged into the extension cable or power strip does not exceed 80 percent of the ampere ratings l...

Page 12: ...After a component is inserted into the rack carefully extend the rail into a locking position and then slide the component into the rack Do not overload the AC supply branch circuit that provides power to the rack The total rack load should not exceed 80 percent of the branch circuit rating Ensure that proper airflow is provided to components in the rack Do not step on or stand on any component wh...

Page 13: ... the electronic components such as the microprocessor This can be done by periodically touching an unpainted metal surface on the chassis The following steps can also be taken prevent damage from electrostatic discharge ESD 1 When unpacking a static sensitive component from its shipping carton do not remove the component from the antistatic packing material until ready to install the component in ...

Page 14: ... different ways to access the same internal switching software and configure it Thus all settings encountered in web based management are the same as those found in the console program Logging onto the Web Manager To begin managing the Switch simply run the browser installed on your computer and point it to the IP address you have defined for the device The URL in the address bar should read somet...

Page 15: ...rea 1 Select the folder or window to display Open folders and click the hyperlinked window buttons and subfolders contained within them to display windows Area 2 Presents a graphical near real time image of the front panel of the Switch This area displays the Switch s ports and expansion modules and shows port activity depending on the specified mode Some management functions including port monito...

Page 16: ...and related windows Bandwidth Control Traffic Control 802 1p Default Priority 802 1p User Priority and QoS Scheduling Mechanism Security Contains the following main folders windows and related windows Safeguard Engine Trusted Host IP MAC Port Binding IMP Global Settings IMP Port Settings IMP Entry Settings DHCP Snooping Entries MAC Block List Port Security Port Security Settings Port Lock Entries ...

Page 17: ...Management Device Information This window contains the main settings for all major functions for the Switch It appears automatically when you log on to the Switch To return to the Device Information window after viewing other windows click the DGS 3200 10 DGS 3200 16 folder The Device Information window shows the Switch s MAC Address assigned by the factory and unchangeable the Boot PROM Version F...

Page 18: ...ing window click Configuration System Information Figure 2 2 System Information window The fields that can be configured are described below Parameter Description System Name Enter a system name for the Switch if so desired This name will identify it in the Switch network System Location Enter the location of the Switch if so desired System Contact Enter a contact name for the Switch if so desired...

Page 19: ...IP address has not yet been changed read the introduction of the DGS 3200 Series CLI Manual for more information TheWeb manager will display the Switch s current IP settings To view the following window click Configuration IP Address Figure 2 4 IP Address window To manually assign the Switch s IP address subnet mask and default gateway address 1 Click the Manual radio button at the top of the wind...

Page 20: ...ption is set the Switch will first look for a BOOTP server to provide it with this information before using the default or previously entered settings Subnet Mask A Bitmask that determines the extent of the subnet that the Switch is on Should be of the form xxx xxx xxx xxx where each xxx is a number represented in decimal between 0 and 255 The value should be 255 0 0 0 for a Class A network 255 25...

Page 21: ...tem ipaddress xxx xxx xxx xxx z Where the x s represent the IP address to be assigned to the IP interface named System and the z represents the corresponding number of subnets in CIDR notation The IP interface named System on the Switch can be assigned an IP address and subnet mask which can then be used to connect a management station to the Switch s Telnet or Web based management agent Successfu...

Page 22: ... 0 and 4294967295 This is the neighbor solicitation s retransmit timer in milliseconds The default is zero Automatic Link Local Address Toggle between Enabled and Disabled Enabling this is helpful when no external source of network addressing information is available Default Gateway Enter the IPv6 address of the default gateway Active This read only field indicates the status of this entry IPv6 Ro...

Page 23: ...IPv6 Neighbor Settings table entry enter the Interface Name select the desired State in the middle section of this window and then click the Find button To delete all the entries being displayed on the table at the bottom of this window click the Clear button The following parameters may be configured or viewed Parameter Description Interface Name Enter the name of the IPv6 neighbor To search for ...

Page 24: ...tch allows the user to configure three types of gigabit connections 1000M Full_Master 1000M Full_Slave and 1000M Full Gigabit connections only support full duplex connections and take on certain characteristics that are different from the other choices listed The 1000M Full_Master and 1000M Full_Slave parameters refer to connections running a 1000BASE T cable for connection between the Switch port...

Page 25: ...pports a port description feature where the user may name various ports To view the following window click Configuration Port Configuration Port Description Figure 2 10 Port Description window Use the From Port and To Port pull down menu to choose a port or range of ports to describe Users may then enter a description for the chosen port s If configuring the Combo ports the Medium Type defines the...

Page 26: ...es to MAC addresses To view the following window click Configuration Static ARP Settings Figure 2 12 Static ARP Settings window The following parameters may be configured or viewed Parameter Description ARP Aging Time 0 65535 The ARP entry age out time in seconds The default is 20 minutes IP Address The IP address of the ARP entry MAC Address The MAC address of the ARP entry After entering a globa...

Page 27: ...it button next to the entry in the table at the bottom of the window Enter an Old Password New Password and retype the new password in the Confirm Password field offered use the drop down menu to select the type of encryption desired Plain Text or Sha 1 and then click Apply The level of privilege Admin or User can be viewed in the Access Right column in the table at the bottom of the window NOTICE...

Page 28: ...Configuration System Log Configuration System Log Settings Figure 2 15 System Log Settings window Use the pull down menu to choose the method for saving the switch log to the flash memory The user has three options Time Interval Users who choose this method can configure a time interval by which the Switch will save the log files in the box adjacent to this configuration field The user may set a t...

Page 29: ...arning Informational and All Facility Use the drop down menu to select Local 0 Local 1 Local 2 Local 3 Local 4 Local 5 Local 6 or Local 7 Status Choose Enabled or Disabled to activate or deactivate To set the System Log Server configuration click Apply To delete an entry from the System Log Host List table click the corresponding Delete button next to the entry System Severity Settings The Switch ...

Page 30: ...than the hop count limit the packet is dropped The range is between 1 and 16 hops with a default value of 4 The relay time threshold sets the minimum time in seconds that the Switch will wait before forwarding a BOOTREQUEST packet If the value in the seconds field of the packet is less than the relay time threshold the packet will be dropped The range is between 0 and 65 535 seconds with a default...

Page 31: ...abled using the pull down menu It is used to enable or disable the Switches ability to check the validity of the packet s option 82 field Enabled When the field is toggled to Enabled the relay agent will check the validity of the packet s option 82 field If the switch receives a packet that contains the option 82 field from a DHCP client the switch drops the packet because it is invalid In packets...

Page 32: ... format 1 2 3 4 5 6 7 1 6 0 4 VLAN Module Port 1 byte 1 byte 1 byte 1 byte 2 bytes 1 byte 1 byte 1 Sub option type 2 Length 3 Circuit ID type 4 Length 5 VLAN the incoming VLAN ID of DHCP client packet 6 Module For a standalone switch the Module is always 0 for a stackable switch the Module is the Unit ID 7 Port The incoming port number of the DHCP client packet the port number starts from 1 Remote...

Page 33: ...0 DHCP BOOTP Relay Interface Settings window The following parameters may be configured or viewed Parameter Description Interface The IP interface on the Switch that will be connected directly to the Server Server IP Enter the IP address of the DHCP BOOTP server Up to four server IPs can be configured per IP Interface Click Apply to include this Server IP DHCP Local Relay Settings The DHCP local r...

Page 34: ... Switch For more information about loading a configuration file for use by a client see the DHCP server and or TFTP server software instructions The user may also consult the Upload Log File window description located in the Tools section of this manual If the Switch is unable to complete the DHCP auto configuration the previously saved configuration file present in the Switch s memory will be use...

Page 35: ...nt value representing the MAC address age out time in seconds The MAC Address Aging Time can be set to any value between 10 and 875 seconds The default setting is 300 seconds Click Apply to set the MAC Address Aging Time Web Settings Users can configure the Web settings on the Switch To view the following window click Configuration Web Settings Figure 2 24 Web Settings window The following paramet...

Page 36: ...rough Telnet choose Disabled Port 1 65535 The TCP port number used for Telnet management of the Switch The well known TCP port for the Telnet protocol is 23 Click Apply to set the Telnet setting Password Encryption Users can configure Password Encryption on the Switch To view the following window click Configuration Password Encryption Figure 2 26 Password Encryption window The following parameter...

Page 37: ...ng setting Firmware Information Users can view set the next boot up status and delete current firmware images stored on the Switch To set firmware as the boot up firmware the next time the Switch is restarted click the Set Boot button To remove the firmware from this window click the Delete button To view the following window click Configuration Firmware Information Figure 2 28 Firmware Informatio...

Page 38: ...ttached to it it denotes a firmware upgrade through the Secure Shell SSH SIM If the IP address has this letter attached to it it denotes a firmware upgrade through the Single IP Management feature User States the user who downloaded the firmware This field may read Anonymous or Unknown for users that are not identified Power Saving Settings This window allows the user to implement the Switch s bui...

Page 39: ... Size States the size of the corresponding firmware in bytes Update Time States the specific time the firmware version was downloaded to the Switch From States the IP address of the origin of the firmware There are five ways firmware may be downloaded to the Switch Boot up files are denoted by an asterisk next to the file R If the IP address has this letter attached to it it denotes a firmware upg...

Page 40: ...indow click Configuration SMTP Settings Figure 2 31 SMTP Settings window The following parameters may be configured or viewed Parameter Description SMTP State Use the radio button to enable or disable the SMTP service on this device SMTP Server Address Enter the IP address of the SMTP server on a remote device This will be the device that sends out the mail for you SMTP Server Port 1 65535 Enter t...

Page 41: ...IP Address by clicking its radio button and entering a number between 1 and 255 Click Start to initiate the Ping program The following parameters may be configured or viewed Parameter Description Target IP Address Enter an IP address to be Pinged Interface Name For IPv6 only enter the name of the interface to be Pinged Repeat Pinging for Enter the number of times desired to attempt to Ping either ...

Page 42: ...r Description Status SNTP State Use this radio button to enable or disable SNTP Current Time Displays the Current Time Time Source Displays the time source for the system SNTP Settings SNTP First Server The IP address of the primary server from which the SNTP information will be taken SNTP Secondary Server The IP address of the secondary server from which the SNTP information will be taken SNTP Po...

Page 43: ...rom GMT In HH MM Use these pull down menus to specify your local time zone s offset from Greenwich Mean Time GMT DST Repeating Settings Using repeating mode will enable DST seasonal time adjustment Repeating mode requires that the DST beginning and ending date be specified using a formula For example specify to begin DST on Saturday during the second week of April and end DST on Sunday during the ...

Page 44: ... each year Click Apply to implement changes made to this window MAC Notification Settings MAC Notification is used to monitor MAC addresses learned and entered into the forwarding database The MAC Notification Settings folder contains two windows MAC Notification Settings and MAC Notification Port Settings MAC Notification Global Settings This window allows you to globally set MAC notification on ...

Page 45: ...ure 2 36 MAC Notification Port Settings window To change MAC notification settings for a port or group of ports on the Switch configure the following parameters Parameter Description From Port Select a beginning port to enable for MAC notification using the pull down menu To Port Select an ending port to enable for MAC notification using the pull down menu State Enable MAC Notification for the por...

Page 46: ...s that are allowed to view read only information or receive traps using SNMPv1 while assigning a higher level of security to another group granting read write privi leges using SNMPv3 Using SNMPv3 individual users or groups of SNMP managers can be allowed to perform or be restricted from performing specific SNMP management functions The functions allowed or restricted are defined using the Object ...

Page 47: ... corresponding to the entry to delete To create a new entry enter the information above the table and then click the Apply button The SNMP Group created with this table maps SNMP users identified in the SNMP User Table to the views created in the previous window The following parameters can set Parameter Description View Name Type an alphanumeric string of up to 32 characters This is used to ident...

Page 48: ... Notify View Name Specify a SNMP group name for users that can receive SNMP trap messages generated by the Switch s SNMP agent Security Model SNMPv1 Specifies that SNMP version 1 will be used SNMPv2 Specifies that SNMP version 2c will be used The SNMPv2 supports both centralized and distributed network management strategies It includes improvements in the Structure of Management Information SMI an...

Page 49: ...Use the drop down menu to enable encryption for SNMP V3 This is only operable in SNMP V3 mode The choices are None Password or Key Auth Protocol MD5 Specifies that the HMAC MD5 96 authentication level will be used This field is only operable when V3 is selected in the SNMP Version field and the Encryption field has been checked This field will require the user to enter a password SHA Specifies tha...

Page 50: ...41 SNMP Community Table window The following parameters can set Parameter Description Community Name Type an alphanumeric string of up to 32 characters that is used to identify members of an SNMP community This string is used like a password to give remote SNMP managers access to MIB objects in the Switch s SNMP agent View Name Type an alphanumeric string of up to 32 characters that is used to ide...

Page 51: ...eters can set Parameter Description Host IP Address Type the IP address of the remote management station that will serve as the SNMP host for the Switch SNMP Version V1 To specifies that SNMP version 1 will be used V2c To specify that SNMP version 2c will be used V3 NoAuth NoPriv To specify that the SNMP version 3 will be used with a NoAuth NoPriv security level V3 Auth NoPriv To specify that the ...

Page 52: ...arameters can set Parameter Description Host IPv6 Address Type the IP address of the remote management station that will serve as the SNMP host for the Switch SNMP Version V1 To specifies that SNMP version 1 will be used V2c To specify that SNMP version 2c will be used V3 NoAuth NoPriv To specify that the SNMP version 3 will be used with a NoAuth NoPriv security level V3 Auth NoPriv To specify tha...

Page 53: ...ise number as assigned by IANA D Link is 171 The fifth octet is 03 to indicate the rest is the MAC address of this device The sixth to eleventh octets is the MAC address To implement your new settings click Apply SNMP Trap Configuration Users can enable and disable SNMP trap support and SNMP authentication failure trap support respectively To view the following window click Configuration SNMP Sett...

Page 54: ...including the Commander Switch numbered 0 There is no limit to the number of SIM groups in the same IP subnet broadcast domain however a single switch can only belong to one group If multiple VLANs are configured the SIM group will only utilize the default VLAN on any switch SIM allows intermediate devices that do not support SIM This enables the user to manage switches that are more than one hop ...

Page 55: ...g 4 The Commander Switch CS now has the capability to automatically rediscover member switches that have left the SIM group either through a reboot or web malfunction This feature is accomplished through the use of Discover packets and Maintenance packets that previously set SIM members will emit after a reboot Once a MS has had its MAC address and password saved to the CS s database if a reboot o...

Page 56: ...s parameter will make the Switch a Commander Switch CS The user may join other switches to this Switch over Ethernet to be part of its SIM group Choosing this option will also enable the Switch to be configured for SIM Group Name Enter a Group Name in this textbox This is optional Discovery Interval 30 90 The user may set the discovery protocol interval in seconds that the Switch will send out dis...

Page 57: ...d initiate and lead you to the Topology window as seen below Figure 2 50 Topology window The Topology window holds the following information on the Data tab Parameter Description Device Name This field will display the Device Name of the switches in the SIM group configured by the user If no device is configured by the name it will be given the name default and tagged with the last six digits of t...

Page 58: ...e full Model Name of the corresponding Switch To view the Topology View window open the View drop down menu in the toolbar and then click Topology which will open the following Topology Map This window will refresh itself periodically 20 seconds by default Figure 2 51 Topology View window This window will display how the devices within the Single IP Management Group connect to other groups and dev...

Page 59: ...tant role in configuration and in viewing device information Setting the mouse cursor over a specific device in the topology window tool tip will display the same information about a specific device as the Tree view does See the window below for an example Figure 2 52 Device Information Utilizing the Tool Tip Setting the mouse cursor over a line between two devices will display the connection spee...

Page 60: ...rious functions depending on the role of the Switch in the SIM group and the icon associated with it Group Icon Figure 2 54 Right Clicking a Group Icon The following options may appear for the user to configure Collapse To collapse the group that will be represented by a single icon Expand To expand the SIM group in detail Property To pop up a window to display the group information ...

Page 61: ...ess of the corresponding Switch Remote Port No Displays the number of the physical port on the MS or CaS that the CS is connected to The CS will have no entry in this field Local Port No Displays the number of the physical port on the CS that the MS or CaS is connected to The CS will have no entry in this field Port Speed Displays the connection speed between the CS and the MS or CaS Commander Swi...

Page 62: ...play the device information Candidate Switch Icon Figure 2 58 Right Clicking a Candidate icon The following options may appear for the user to configure Collapse To collapse the group that will be represented by a single icon Expand To expand the SIM group in detail Add to group Add a candidate to a group Clicking this option will reveal the following dialog box for the user to enter a password fo...

Page 63: ...ews to open at SIM startup Group Add to group Add a candidate to a group Clicking this option will reveal the following dialog box for the user to enter a password for authentication from the Candidate Switch before being added to the SIM group Click OK to enter the password or Cancel to exit the dialog box Figure 2 61 Input password dialog box Remove from Group Remove an MS from the group Device ...

Page 64: ...sted in the table and will be specified by Port port on the CS where the MS resides MAC Address Model Name and Version To specify a certain Switch for upgrading configuration files click its corresponding radio button under the Port heading To update the configuration file enter the Server IP Address where the file resides and enter the Path Filename of the configuration file Click Restore to init...

Page 65: ...ns for the Switch The Switch includes various functions for VLAN Trunking IGMP Snooping MLD Snooping Spanning Tree and Forwarding Filtering all discussed in detail Jumbo Frame The Switch supports jumbo frames Jumbo frames are Ethernet frames with more than 1 500 bytes of payload The Switch supports jumbo frames with a maximum frame size of 1536 bytes To view the following window click Layer 2 Feat...

Page 66: ...pliance with the IEEE 802 1p standard have the ability to recognize the priority level of data packets These devices can also assign a priority label or tag to packets Compliant devices can also strip priority tags from packets This priority tag determines the packet s degree of expeditiousness and determines the queue to which it will be assigned Priority tags are given values from 0 to 7 with 0 ...

Page 67: ...mation into the header of a packet Untagging The act of stripping 802 1Q VLAN information out of the packet header Ingress port A port on a switch where packets are flowing into the Switch and VLAN decisions must be made Egress port A port on a switch where packets are flowing out of the Switch either to another switch or to an end station and tagging decisions must be made IEEE 802 1Q tagged VLAN...

Page 68: ...et s EtherType field is equal to 0x8100 the packet carries the IEEE 802 1Q 802 1p tag The tag is contained in the following two octets and consists of 3 bits of user priority 1 bit of Canonical Format Identifier CFI used for encapsulating Token Ring packets so they can be carried across Ethernet backbones and 12 bits of VLAN ID VID The 3 bits of user priority are used by 802 1p The VID is the VLAN...

Page 69: ...ort based and MAC based VLANs were in common use These VLANs relied upon a Port VLAN ID PVID to forward packets A packet received on a given port would be assigned that port s PVID and then be forwarded to the port that corresponded to the packet s destination address found in the Switch s forwarding table If the PVID of the port that received the packet is different from the PVID of the port that...

Page 70: ... packets from an 802 1Q compliant network device to a non compliant network device Ingress Filtering A port on a switch where packets are flowing into the Switch and VLAN decisions must be made is referred to as an ingress port If ingress filtering is enabled for a port the Switch will examine the VLAN information in the packet header if present and decide whether or not to forward the packet If t...

Page 71: ... the destination lies on another port found through a normal forwarding table lookup the Switch then looks to see if the other port Port 10 is a member of VLAN 2 and can therefore receive VLAN 2 packets If Port 10 is not a member of VLAN 2 then the packet will be dropped by the Switch and will not reach its destination If Port 10 is a member of VLAN 2 the packet will go through This selective forw...

Page 72: ...VLAN or for editing the VLAN name in the Add Edit VLAN tab Advertisement Enabling this function will allow the Switch to send out GVRP packets to outside sources notifying that they may join the existing VLAN Port Shows all ports of the Switch for the ٛ onfiguration option Tagged Specifies the port as 802 1Q tagging Clicking the radio button will designate the port as tagged Untagged Specifies the...

Page 73: ...e set in the VLAN Batch Settings windows Parameter Description VID List e g 2 5 Enter a VLAN ID List that can be added deleted or configured Advertisement Enabling this function will allow the Switch to send out GVRP packets to outside sources notifying that they may join the existing VLAN Port List e g 1 5 Allows an individual port list to be added or deleted as a member of the VLAN Tagged Specif...

Page 74: ...n menu to designate the port as untagged Forbidden Specifies the port as not being a member of the VLAN and that the port is forbidden from becoming a member of the VLAN dynamically Use the drop down menu to designate the port as forbidden Click Apply to implement changes made NOTE The Switch supports up to 4k static VLAN entries ...

Page 75: ... an alphanumeric string of up to 32 characters Protocol This function maps packets to protocol defined VLANs by examining the type octet within the packet header to discover the type of protocol associated with it Use the drop down menu to toggle between Ethernet II IEEE802 3 LLC and IEEE802 3 SNAP Protocol Value Enter a value for the Group The protocol value is used to identify a protocol of the ...

Page 76: ...ets accepted by the Switch that match this priority are forwarded to the CoS queue specified previously by the user Click the corresponding box if you want to set the 802 1p default priority of a packet to the value entered in the Priority 0 7 field which meets the criteria specified previously in this command before forwarding it on to the specified CoS queue Otherwise a packet will have its inco...

Page 77: ...r Description MAC Address Specify the MAC address to be reauthenticated by entering it into the MAC Address field VLAN Name Enter the VLAN name of a previously configured VLAN VLAN ID Click this button and enter the VLAN ID Click Find Add or Delete All for changes to take affect GVRP Settings Users can determine whether the Switch will share its VLAN configuration information with other GARP VLAN ...

Page 78: ...he port will compare the VID of the incoming packet to its PVID If the two are unequal the port will drop the packet If the two are equal the port will receive the packet GVRP The GARP VLAN Registration Protocol GVRP enables the port to dynamically become a member of a VLAN GVRP is Disabled by default Ingress Checking This drop down menu allows the user to enable the port to compare the VID tag of...
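The VLAN pages above describe four decisions the Switch makes for every frame: classify an untagged frame by the port's PVID, apply ingress checking, look the destination up in the forwarding table, and drop the frame if the egress port is not a member of the VLAN (the Port 10 / VLAN 2 case on page 71). The following Python model is an added example, not code from the D-Link manual or firmware. Ingress checking is implemented in its 802.1Q form (the receiving port must be a member of the frame's VID), of which the PVID comparison described above is the untagged-frame case; the ports, VLAN memberships, MAC addresses and frames are constructed sample data.

```python
"""Added example, not part of the D-Link manual: a minimal model of the
802.1Q forwarding decisions described on the VLAN pages (PVID classification
of untagged frames, ingress checking, forwarding-table lookup and the egress
membership check).  All ports, VLANs, MACs and frames are constructed."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vid=None, payload=b""):
    """Build an Ethernet frame; vid adds an 802.1Q tag with PCP/DEI = 0."""
    tag = b"" if vid is None else struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vid); vid is None when the frame carries no 802.1Q tag."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF
    return dst, src, None


class VlanSwitch:
    def __init__(self):
        self.pvid = {}            # port -> PVID used for untagged frames
        self.ingress_check = {}   # port -> whether ingress checking is enabled
        self.tagged = {}          # vid -> ports that egress the VLAN tagged
        self.untagged = {}        # vid -> ports that egress the VLAN untagged
        self.fdb = {}             # (vid, mac) -> port, learned or statically set

    def add_port(self, port, pvid, ingress_check=True):
        self.pvid[port] = pvid
        self.ingress_check[port] = ingress_check

    def add_vlan(self, vid, tagged=(), untagged=()):
        self.tagged[vid] = set(tagged)
        self.untagged[vid] = set(untagged)

    def members(self, vid):
        return self.tagged.get(vid, set()) | self.untagged.get(vid, set())

    def forward(self, in_port, frame):
        """Return (egress list of (port, 'tagged'|'untagged'), reason)."""
        dst, src, tag_vid = parse_frame(frame)
        # Untagged and priority-tagged (VID 0) frames are classified by the PVID.
        vid = self.pvid[in_port] if tag_vid in (None, 0) else tag_vid
        if self.ingress_check[in_port] and in_port not in self.members(vid):
            return [], f"dropped: ingress check, port {in_port} is not in VLAN {vid}"
        self.fdb[(vid, src)] = in_port                # source address learning
        out = self.fdb.get((vid, dst))
        if out is None:
            targets = self.members(vid) - {in_port}   # unknown unicast: flood the VLAN
        elif out == in_port:
            return [], "dropped: destination is on the ingress port"
        elif out not in self.members(vid):
            # The manual's example: the table points at port 10, but port 10 is not in VLAN 2.
            return [], f"dropped: egress port {out} is not a member of VLAN {vid}"
        else:
            targets = {out}
        egress = [(p, "tagged" if p in self.tagged.get(vid, set()) else "untagged")
                  for p in sorted(targets)]
        return egress, f"forwarded in VLAN {vid}"


def scenario():
    """Constructed topology: VLAN 2 = ports 1 and 3 untagged, port 5 tagged; port 10 is in VLAN 1 only."""
    a, b = b"\x00\x11\x22\x33\x44\x01", b"\x00\x11\x22\x33\x44\x0b"
    sw = VlanSwitch()
    for port, pvid in ((1, 2), (3, 2), (5, 1), (10, 1)):
        sw.add_port(port, pvid)
    sw.add_vlan(1, untagged=[5, 10])
    sw.add_vlan(2, untagged=[1, 3], tagged=[5])
    sw.add_vlan(3, tagged=[5])
    results = {}
    results["flood"] = sw.forward(1, build_frame(b, a))            # unknown destination: flood VLAN 2
    sw.fdb[(2, b)] = 10                                            # static entry pointing at port 10
    results["not_member"] = sw.forward(1, build_frame(b, a))       # page 71 case: dropped
    results["ingress"] = sw.forward(1, build_frame(b, a, vid=3))   # port 1 is not in VLAN 3
    sw.add_port(1, 2, ingress_check=False)
    results["no_check"] = sw.forward(1, build_frame(b, a, vid=3))  # accepted and flooded in VLAN 3
    return results


if __name__ == "__main__":
    for name, (egress, reason) in scenario().items():
        print(f"{name:11s} {reason:58s} {egress}")
```

The last two scenarios show why ingress checking matters: with it disabled, a host on an untagged port can inject frames tagged with any VLAN ID that has at least one tagged member, which is the usual starting point for VLAN hopping.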

Page 79: ...nsmitted to a specific host destination address will always be transmitted over the same port in a trunk group This allows packets in a data stream to arrive in the same order they were sent NOTE If any ports within the trunk group become disconnected packets intended for the disconnected port will be load shared among the other linked ports of the link aggregation group Link aggregation allows se...

Page 80: ... aggregation group If two redundant link aggregation groups are configured on the Switch STP will block one entire group in the same way STP will block a single port that has a redundant link To view the following window click L2 Features Trunking Figure 3 16 Trunking window To configure port trunk groups click the Add button To modify an existing port trunk group click the Edit button correspondi...

Page 81: ...d on a port s in each intermediary switch you only need to create VLAN groups in the end devices A and B C D and E automatically allow frames with VLAN group tags 1 and 2 VLAN groups that are unknown to those switches to pass through their VLAN trunking port s Users can combine a number of VLAN ports together to create VLAN trunks To create VLAN Trunk Port settings on the Switch select the ports t...

Page 82: ...of ports may be configured ending with the selected port Mode Active Active LACP ports are capable of processing and sending LACP control frames This allows LACP compliant devices to negotiate the aggregated link so the group may be changed dynamically as needs require In order to utilize the ability to change an aggregated port group that is to add or subtract ports from the group at least one of...

Page 83: ...ed receiving ports into the Switch s Traffic Segmentation table IGMP Snooping Internet Group Management Protocol IGMP snooping allows the Switch to recognize IGMP queries and reports sent between network stations or devices and an IGMP host When enabled for IGMP snooping the Switch can open or close a port to a specific device based on IGMP messages passing through the Switch IGMP Snooping Setting...

Page 84: ...t data driven learning for IGMP snooping groups If data driven learning also known as dynamic IP multicast learning is enabled for a VLAN when the Switch receives IP multicast traffic on the VLAN an IGMP snooping group is created Learning of an entry is not activated by IGMP membership registration but activated by the traffic For an ordinary IGMP snooping entry the IGMP protocol will take care of...

Page 85: ...rts where the incoming multicast traffic is to be sent The source port cannot be a recipient port and if configured to do so will cause error messages to be produced by the switch Once properly configured the stream of multicast data will be relayed to the receiver ports in a much more timely and reliable fashion Restrictions and Provisos The Multicast VLAN feature of this Switch does have some re...

Page 86: ...he source IP address of incoming packets sent by the host before being forwarded to the source port Source Port e g 1 4 6 Enter a port or list of ports to be added to the Multicast VLAN Source ports shall be the tagged members of the multicast VLAN ISM Profile Settings Users can configure ISM profile settings To view the following window click L2 Features IGMP Snooping ISM Profile Settings Figure 3...

Page 87: ...o remove an entry click the corresponding Delete button Figure 3 25 Multicast Address Group List Settings window Enter the multicast IP address list starting with the lowest in the range and then click Add To return to the IP Multicast Profile Settings window click the Previous button Limited Multicast Address Range Settings Users can configure the ports on the Switch that will be involved in the ...

Page 88: ... listening port The active listening ports are the only ones to receive multicast group data MLD Control Messages Three types of messages are transferred between devices using MLD snooping These three messages are all defined by four ICMPv6 packet headers labeled 130 131 132 and 143 1 Multicast Listener Query Similar to the IGMPv2 Host Membership Query for IPv4 and labeled as 130 in the ICMPv6 pac...

Page 89: ...for which to modify the MLD Snooping Settings VLAN Name This is the VLAN Name that along with the VLAN ID identifies the VLAN for which to modify the MLD Snooping Settings Done Timer Specifies the maximum amount of time a router can remain in the Switch after receiving a done message from the group without receiving a node listener report The user may specify a time between 1 and 16711450 with a d...

Page 90: ...n menu to select the Target Port to which frames will be copied which receives the copies from the source port 3 Select the Source Port Setting Direction Tx Egress Rx Ingress Both or None 4 Click Apply to let the changes take effect NOTE You cannot mirror a fast port onto a slower port For example if you try to mirror the traffic from a 100 Mbps port onto a 10 Mbps port this can cause throughput p...

Page 91: ... administrator The Loopback Detection port will restart change to discarding state when the Loopback Detection Recover Time times out The Loopback Detection function can be implemented on a range of ports at a time The user may enable or disable this function using the pull down menu To view the following window click L2 Features Loopback Detection Settings Figure 3 30 Loopback Detection Settings ...

Page 92: ...ssociated with them An MSTI ID will classify these instances MSTP will connect multiple spanning trees with a Common and Internal Spanning Tree CIST The CIST will automatically determine each MSTP region its maximum possible extent and will appear as one virtual bridge that runs a single spanning tree Consequentially frames assigned to different VLANs will follow different data routes within admin...

Page 93: ...
802.1Q-2005 MSTP | 802.1D-2004 RSTP | 802.1D-1998 STP | Forwarding | Learning
Disabled         | Disabled         | Disabled        | No         | No
Discarding       | Discarding       | Blocking        | No         | No
Discarding       | Discarding       | Listening       | No         | No
Learning         | Learning         | Learning        | No         | Yes
Forwarding       | Forwarding       | Forwarding      | Yes        | Yes
Table 3 2 Comparing Port States RSTP is capable of a more rapid transition to a forwarding state it no longer relies on timer configurations RSTP compl...

Page 94: ...Settings window RSTP default Figure 3 33 STP Bridge Global Settings window MSTP Figure 3 34 STP Bridge Global Settings window STP Compatible See the table below for descriptions of the STP versions and corresponding setting options NOTE The Bridge Hello Time cannot be longer than the Bridge Max Age Otherwise a configuration error will occur Observe the following formulas when setting the above par...

Page 95: ... 1 2 The Hello Time can be set from 1 to 2 seconds This is the interval between two transmissions of BPDU packets sent by the Root Bridge to tell all other switches that it is indeed the Root Bridge This field will only appear here when STP or RSTP is selected for the STP Version For MSTP the Hello Time must be set on a port per port basis The default is 2 seconds Bridge Forward Delay 4 30 The For...

Page 96: ...Like edge ports P2P ports transition to a forwarding state rapidly thus benefiting from RSTP A P2P value of False indicates that the port cannot have P2P status Auto allows the port to have P2P status whenever possible and operate as if the P2P status were True If the port cannot maintain this status for example if the port is forced to half duplex operation the P2P status changes to operate as if...

Page 97: ...tification Figure 3 36 MST Configuration Identification window To modify an entry on the table at the bottom of the window click the corresponding Edit button To remove an entry on the table at the bottom of the window click the corresponding Delete button The window above contains the following information Parameter Description Configuration Name This name uniquely identifies the MSTI Multiple Sp...

Page 98: ... window To modify an entry on the table at the top of the window click the corresponding Edit button To view more information about an entry on the table at the top of the window click the corresponding View button The window above contains the following information Parameter Description MSTI ID Enter the MSTI ID in this field An entry of 0 denotes the CIST default MSTI Priority Enter the priority...

Page 99: ...Port number To modify the settings for a particular MSTI instance enter a value in the Instance ID field an Internal Path Cost and use the drop down menu to select a Priority The user may configure the following parameters Parameter Description Instance ID The MSTI ID of the instance to be configured Enter a value between 0 and 15 An entry of 0 in this field denotes the CIST default MSTI Internal ...

Page 100: ...ntry To delete an entry in the Static Unicast Forwarding Table click the corresponding Delete button Parameter Description VLAN ID VID The VLAN ID number of the VLAN on which the associated unicast MAC address resides MAC Address The MAC address to which packets will be statically forwarded This must be a unicast MAC address Port Allows the selection of the port number on which the MAC address ent...

Page 101: ...e click the corresponding Delete button Multicast Filtering Mode Users can configure the multicast filtering mode To view the following window click L2 Features Forwarding Filtering Multicast Filtering Mode Figure 3 41 Multicast Filtering Mode window Parameter Description VLAN Name The VLAN to which the specified filtering action applies Select the All option to apply the action to all VLANs on th...

Page 102: ...encing Not only can a larger bandwidth be created but other less critical traffic can be limited so excessive bandwidth can be saved The Switch has separate hardware queues on every physical port to which packets from various applications can be mapped to and in turn prioritized View the following map to see how the Switch implements basic 802 1P priority queuing Figure 4 1 An Example of the Defau...

Page 103: ... Priority 5 is assigned to the Switch s Q5 queue Priority 6 is assigned to the Switch s Q6 queue Priority 7 is assigned to the Switch s Q7 queue For strict priority based scheduling any packets residing in the higher priority classes of service are transmitted first Multiple strict priority classes of service are emptied based on their priority tags Only when these classes are empty are packets of...

Page 104: ...lows the input of the data rate that will be the limit for the selected port The user may choose a rate between 64 and 1024000 Kbits per second Effective RX If a RADIUS server has assigned the RX bandwidth then it will be the effective RX bandwidth The authentication with the RADIUS sever can be per port or per user For per user authentication there may be multiple RX bandwidths assigned if there ...

Page 105: ...port configured for traffic control and a packet storm continues that port will be placed in Shutdown Forever mode which will cause a warning message to be sent to the Trap Receiver Once in Shutdown Forever mode the only method of recovering the port is to manually recover it using the Port Settings window in the Configuration folder Select the disabled port and return its State to Enabled status T...

Page 106: ...ontrol function to commence The configurable threshold range is from 512 to 1024000 with a default setting of 512 Kbps Storm Control Type Specifies the desired Storm Control Type None Broadcast Multicast Unknown Unicast Broadcast Multicast Broadcast Unknown Unicast Multicast Unknown Unicast and Broadcast Multicast Unknown Unicast Traffic Trap Settings Enable sending of Storm Trap messages when the...

Page 107: ... limit the value will be set at the default priority For example if the RADIUS assigns a limit of 8 and the default priority is 0 the effective priority will be 0 To implement a new default priority first choose a port range by using the From Port and To Port pull down menus and then use the Priority drop down menu to select a value from 0 to 7 Click Apply to implement the settings 802 1p User Pri...

Page 108: ...Parameter Description Strict The highest class of service is the first to process traffic That is the highest class of service will finish before other queues empty Weight Fair Use the weighted round robin WRR algorithm to handle packets in an even distribution in priority classes of service Max Packets 0 255 Specifies the maximum number of packets the above specified hardware priority class of se...

Page 109: ...eives too many packets to process or b uses too much memory it will enter the Exhausted mode When in this mode the Switch will drop all ARP and IP broadcast packets and packets from untrusted IP addresses for a calculated time interval Every five seconds the Safeguard Engine will check to see if there are too many packets flooding the Switch If the threshold has been crossed the Switch will init...

Page 110: ...ode the Safeguard Engine will decrease the packet flow by half After returning to Normal mode the packet flow will be increased by 25 percent The switch will then return to its interval checking and dynamically adjust the packet flow to avoid overload of the Switch NOTICE When Safeguard Engine is enabled the Switch will allot bandwidth to various traffic flows ARP IP using the FFP Fast Filter Processor me...

Page 111: ...selected this function will instruct the Switch to minimize the IP and ARP traffic flow to the CPU by dynamically allotting an even bandwidth to all traffic flows Strict If selected this function will stop accepting all ARP packets not intended for the Switch and will stop receiving all unnecessary broadcast IP packets until the storm has subsided The default setting is Fuzzy mode Trusted Host Up ...

Page 112: ... IMP Entry Settings DHCP Snooping Entries and MAC Block List IMP Global Settings Users can enable or disable the Trap Log State and DHCP Snoop state on the Switch The Trap Log field will enable and disable the sending of trap log messages for IP MAC port binding When enabled the Switch will send a trap message to the SNMP agent and the Switch log when an ARP packet is received that doesn t match t...

Page 113: ...his mode provides looser control If the user selects loose mode ARP packets and IP broadcast packets will be sent to the CPU The packets will still be forwarded by the hardware until a specific source MAC address is blocked by the software The port will check ARP packets and IP broadcast packets by IP MAC port binding entries When the packet is found by the entry the MAC address will be s...

Page 114: ...nd to the IP Address set above Mode Static or Auto will be displayed in this column Ports Specify the switch ports for which to configure this IP MAC binding entry IP Address MAC Address Click the All check box to configure this entry for all ports on the Switch Click Apply to implement changes Click Find to search for an entry Click Show All for the table to display all entries or Delete All to r...

Page 115: ...inding restrictions To find an unauthorized device that has been blocked by the IP MAC binding restrictions enter the VID and MAC Address in the appropriate fields and click Find To delete an entry click the Delete button next to the entry s port To delete all the entries in the window click Delete All Click View All for the table to display all entries To view the following window click Security ...

Page 116: ...lowing parameters can be set Parameter Description Port Security Trap Log Settings Use the radio button to enable or disable Port Security Traps and Log Settings on the Switch From Port The beginning port of a consecutive group of ports to be configured To Port The ending port of a consecutive group of ports to be configured Admin State This pull down menu allows the user to enable or disable Port...

Page 117: ...responding MAC address to be deleted Click the Next button to view the next page of entries listed in this table This window displays the following information Parameter Description VID The VLAN ID of the entry in the forwarding database table that has been permanently learned by the Switch VLAN Name The VLAN Name of the entry in the forwarding database table that has been permanently learned by t...

Page 118: ...HCP server screening or Disabled to disable it The default is Disabled After setting the previous parameters click Apply to allow your changes to be implemented DHCP Offer Filtering This function allows the user to not only restrict all DHCP Server packets but also to receive any specified DHCP server packet by any specified DHCP client it is useful when one or more DHCP servers are present on the...

Page 119: ...ess of the DHCP server to be filtered Client s MAC Address The MAC address of the DHCP client Only multiple legal DHCP servers on the network need to be entered in this field If there is only one legal DHCP server on the network no input to this field is allowed Ports The port numbers of the filter DHCP server After setting the previous parameters click Apply to allow your changes to be implemente...

Page 120: ...US Server or local authentication on the Switch to be placed in a fully operational VLAN If authenticated and the authenticator possesses the VLAN placement information that client will be accepted into the fully operational target VLAN and normal switch functions will be open to the client If the authenticator does not have target VLAN placement information the client will be returned to its origi...

Page 121: ... is accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN EAPOL packets between the Client and the Server The following figure represents a basic EAPOL packet Figure 5 15 The EAPOL Packet Utilizing this method unauthorized devices are restricted from connecting to a LAN through a port to which the user is conn...

Page 122: ...es services Figure 5 17 The Authentication Server Authenticator The Authenticator the Switch is an intermediary between the Authentication Server and the Client The Authenticator serves two purposes when utilizing the 802 1X function The first purpose is to request certification information from the Client through EAPOL packets which is the only information allowed to pass through the Authenticato...

Page 123: ...hentication is made This port is locked until the point when a Client with the correct username and password and MAC address if 802 1X is enabled by MAC address is granted access and therefore successfully unlocks the port Once unlocked normal traffic is allowed to pass through the port The following figure displays a more detailed explanation of how the authentication process is completed between...

Page 124: ... the Port Based Network Access Control Figure 5 21 Example of Typical Port Based Configuration (figure text: several 802 1X Clients attached to network access controlled ports of an Ethernet Switch, one network access uncontrolled port, and a RADIUS Server) Once the connected device has successfully been aut...

Page 125: ...he Switch would regard the single physical Port connecting it to the shared media segment as consisting of a number of distinct logical Ports each logical Port being independently controlled from the point of view of EAPOL exchanges and authorization state The Switch learns each attached device's individual MAC address and effectively creates a logical Port that the attached device can then use t...

Page 126: ... between the Authenticator and the authentication server The default setting is 30 seconds MaxReq 1 10 The maximum number of times that the Switch will retransmit an EAP Request to the client before it times out of the authentication sessions The default setting is 2 TxPeriod 1 65535 This sets the TxPeriod of time for the authenticator PAE state machine This value determines the period of an EAP R...

Page 127: ...applied on a per port basis Select Authenticator to apply the settings to the port When the setting is activated a user must pass the authentication process to gain access to the network Select None to disable 802 1X functions on the port Direction Sets the administrative controlled direction to Both If Both is selected control is exerted over both incoming and outgoing traffic through the controlled...

Page 128: ... Port fields Next the user must specify the MAC address to be initialized by entering it into the MAC Address field and ticking the corresponding check box To begin the initialization click Apply NOTE The user must first globally enable 802 1X in the 802 1X Settings window Security 802 1X 802 1X Settings before initializing ports Information in the Initialize Port s windows cannot be viewed before...

Page 129: ...the user must first enable 802 1X by MAC address in the 802 1X Settings window To view the following window click Security 802 1X Reauthenticate Port s Figure 5 28 Reauthenticate Port s window for Host based 802 1X To reauthenticate ports first use the From Port and To Port drop down menus to choose the range of ports Then the user must specify the MAC address to be reauthenticated by entering it ...

Page 130: ...the desired RADIUS server to configure 1 2 or 3 and select either IPv4 Address or IPv6 Address IP Address Set the RADIUS server IP address Authentic Port 1 65535 Set the RADIUS authentic server s UDP port which is used to transmit RADIUS data between the Switch and the RADIUS server The default port is 1812 Accounting Port 1 65535 Set the RADIUS account server s UDP port which is used to transmit ...

Page 131: ...r choices on the Switch to combine a key exchange algorithm, a bulk cipher and a hash algorithm into a ciphersuite for secure communication between the server and the host The user may implement any one or combination of the ciphersuites available yet different ciphersuites will affect the security level and the performance of the secured connection The information included in the ciphersuites is not included with the Switch and requires downloa...

Page 132: ...lt setting is 600 seconds SSL Ciphersuite Settings RSA with RC4_128_MD5 This ciphersuite combines the RSA key exchange stream cipher RC4 encryption with 128 bit keys and the MD5 Hash Algorithm Use the radio buttons to enable or disable this ciphersuite This field is Enabled by default (RC4 is prohibited for TLS by RFC 7465 and MD5 based suites are deprecated, so disable this suite unless a legacy client that cannot negotiate anything else still has to reach the Switch) RSA with 3DES EDE CBC SHA This ciphersuite combines the RSA key exchange CBC Block Cipher 3DES_EDE encryption and ...

Page 133: ...rity hazards that now threaten network communications The steps required to use the SSH protocol for secure communication between a remote PC the SSH client and the Switch the SSH server are as follows 1 Create a user account with admin level access using the User Accounts window Configuration Port Configuration User Accounts This is identical to creating any other admin level User Account on the ...

Page 134: ...H authentication After the maximum number of attempts has been exceeded the Switch will be disconnected and the user must reconnect to the Switch to attempt another login The number of maximum attempts may be set between 2 and 20 The default setting is 2 Session Rekeying This field is used to set the time period that the Switch will change the security shell encryptions by using the pull down menu...

Page 135: ...192 encryption algorithm with Cipher Block Chaining The default is enabled AES256 CBC Use the check box to enable or disable the Advanced Encryption Standard AES 256 encryption algorithm with Cipher Block Chaining The default is enabled ARC4 Use the check box to enable or disable the Arcfour RC4 stream cipher (a stream cipher has no Cipher Block Chaining mode) The default is enabled, but RC4 is considered broken and modern OpenSSH clients no longer offer arcfour by default, so disable it and leave the AES ciphers enabled Cast128 CBC Use the check box to ena...

Page 136: ...istrator wishes to use a remote SSH server for authentication purposes Choosing this parameter requires the user to input the following information to identify the SSH user Host Name Enter an alphanumeric string of no more than 32 characters to identify the remote SSH user Host IP Enter the corresponding IP address of the SSH user Password This parameter should be chosen if the administrator wishe...

Page 137: ...on the Switch The server will not accept the username and password and the user is denied access to the Switch The server doesn t respond to the verification query At this point the Switch receives the timeout from the server and then moves to the next method of verification configured in the method list The Switch has four built in Authentication Server Groups one for each of the TACACS XTACACS T...

Page 138: ...locked out of further authentication attempts Command line interface users will have to wait 60 seconds before another authentication attempt Telnet and web users will be disconnected from the Switch The user may set the number of attempts from 1 to 255 The default setting is 3 Click Apply to implement changes made Application Authentication Settings Users can configure Switch configuration applic...
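The two pages above state the rule that makes method lists safe to use: a server that rejects the credentials ends the login, while a server that does not respond (timeout) makes the Switch move on to the next server in the group and then to the next method in the list, and repeated failures lock out further attempts. The Python model below is an added example, not the Switch's implementation; the server groups, the hosts (callables standing in for TACACS+ and RADIUS servers), the timeout and retransmit values, the fake clock and the `Aaa` class are all constructed for illustration.

```python
"""Added example, not D-Link's code: evaluation of a login method list with
the reject-versus-timeout rule described above, plus the failed-attempt
lockout.  Servers, groups, timeouts and the clock are constructed."""
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


class Clock:
    """Fake clock so timeouts and the lockout window can be checked deterministically."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class ServerHost:
    def __init__(self, name, responder, timeout=5, retransmit=2):
        self.name, self.responder = name, responder   # responder(user, pw) -> ACCEPT|REJECT|TIMEOUT
        self.timeout, self.retransmit = timeout, retransmit

    def query(self, user, password, clock):
        """One query plus `retransmit` retries; every unanswered try costs `timeout` seconds."""
        for _ in range(self.retransmit + 1):
            result = self.responder(user, password)
            if result != TIMEOUT:
                return result
            clock.advance(self.timeout)
        return TIMEOUT


class Aaa:
    def __init__(self, clock, local_users, max_attempts=3, lockout=60):
        self.clock, self.local_users = clock, local_users
        self.groups = {}                              # group name -> [ServerHost]
        self.max_attempts, self.lockout = max_attempts, lockout
        self.failures, self.locked_until = {}, {}     # keyed by the client's source address

    def authenticate(self, method_list, user, password):
        """Return (granted, trail); trail lists each server consulted and its answer."""
        trail = []
        for method in method_list:
            if method == "local":
                ok = self.local_users.get(user) == password
                trail.append(("local", ACCEPT if ok else REJECT))
                return ok, trail
            for host in self.groups.get(method, []):
                result = host.query(user, password, self.clock)
                trail.append((host.name, result))
                if result == ACCEPT:
                    return True, trail
                if result == REJECT:
                    return False, trail               # a reject is final: no fallback to later methods
                # TIMEOUT: next host in the group, then the next method in the list
        return False, trail                           # every method timed out: deny

    def login(self, source, method_list, user, password):
        if self.locked_until.get(source, 0) > self.clock.now:
            return "locked", []
        granted, trail = self.authenticate(method_list, user, password)
        if granted:
            self.failures.pop(source, None)
            return "ok", trail
        attempts = self.failures.get(source, 0) + 1
        if attempts >= self.max_attempts:
            self.failures.pop(source, None)
            self.locked_until[source] = self.clock.now + self.lockout
            return "locked", trail
        self.failures[source] = attempts
        return "denied", trail


def scenario():
    clock = Clock()
    aaa = Aaa(clock, local_users={"admin": "local-pw"})
    aaa.groups["tacacs+"] = [
        ServerHost("tac1", lambda u, p: TIMEOUT, timeout=2, retransmit=1),          # unreachable host
        ServerHost("tac2", lambda u, p: {("alice", "pw1"): ACCEPT, ("bob", "x"): REJECT}.get((u, p), TIMEOUT)),
    ]
    aaa.groups["radius"] = [ServerHost("rad1", lambda u, p: ACCEPT if (u, p) == ("carol", "pw3") else TIMEOUT)]
    methods = ["tacacs+", "radius", "local"]
    out = {
        "alice": aaa.login("10.0.0.7", methods, "alice", "pw1"),
        "bob": aaa.login("10.0.0.7", methods, "bob", "x"),
        "carol": aaa.login("10.0.0.7", methods, "carol", "pw3"),
        "admin": aaa.login("10.0.0.7", methods, "admin", "local-pw"),
    }
    for _ in range(3):                                 # three bad passwords lock the CLI for 60 s
        last = aaa.login("10.0.0.9", methods, "bob", "x")
    out["lockout"] = last
    out["still_locked"] = aaa.login("10.0.0.9", methods, "alice", "pw1")
    clock.advance(60)
    out["after_wait"] = aaa.login("10.0.0.9", methods, "alice", "pw1")
    return out
```

The `bob` trail is the point of the example: the RADIUS group and the local database are never consulted after tac2's reject, so putting `local` last in the list only helps when every server is unreachable, not when one of them says no.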

Page 139: ...g method lists The user may define the type of server group by protocol or by previously defined server group The Switch has three built in Authentication Server Groups that cannot be removed but can be modified Up to eight authentication server hosts may be added to any particular group To view the following window click Security Access Authentication Control Authentication Server Group Figure 5 ...

Page 140: ... Authentication Server Hosts must be configured for their specific protocol on a remote centralized server before this function can work properly NOTE The three built in server groups can only have server hosts running the same TACACS daemon TACACS XTACACS TACACS protocols are separate entities and are not compatible with each other Authentication Server Host User defined Authentication Server Hos...

Page 141: ...ACS or RADIUS servers only Specify an alphanumeric string up to 254 characters Port 1 65535 Enter a number between 1 and 65535 to define the virtual port number of the authentication protocol on a server host The default port number is 49 for TACACS XTACACS TACACS servers and 1813 for RADIUS servers (check this value against the RADIUS server: 1812 is the standard RADIUS authentication port and 1813 the accounting port, and the RADIUS Settings window on page 130 defaults to 1812) but the user may set a unique port number for higher security Timeout 1 255 secs Enter the time in ...

Page 142: ...ured password set by the administrator To view the following window click Security Access Authentication Control Login Method Lists Figure 5 39 Login Method Lists window The Switch contains one Method List that is set and cannot be removed yet can be modified To delete a Login Method List defined by the user click the Delete button corresponding to the entry desired to be deleted To modify a Login...

Page 143: ...an Admin privilege NOTE To set the Local Enable Password see the next section entitled Local Enable Password To view the following window click Security Access Authentication Control Enable Method Lists Figure 5 40 Enable Method Lists window To delete an Enable Method List defined by the user click the Delete button corresponding to the entry desired to be deleted To modify an Enable Method List c...

Page 144: ...e set in the New Local Enabled field will result in a fail message Click Apply to implement changes made Enable Admin Users who have logged on to the Switch on the normal user level and wish to be promoted to the administrator level can use this window After logging on to the Switch users will have only user level privileges To gain access to administrator level privileges the user will open this ...

Page 145: ...a maximum of sixteen authenticated MAC addresses per physical port of a VLAN that is not a Guest VLAN Other MAC addresses attempting authentication on a port with the maximum number of authenticated MAC addresses will be blocked 4 Ports that have been enabled for Link Aggregation Port Security or GVRP authentication cannot be enabled for MAC based Authentication MAC based Access Control Settings T...

Page 146: ... on the Switch Password Enter the password for the RADIUS server which is to be used for packets being sent requesting authentication The default password is default Guest VLAN Name Enter the name of the previously configured Guest VLAN being used for this function Guest VLAN Member Ports e g 1 5 9 Enter the list of ports that have been configured for the Guest VLAN Guest VLAN ID 1 4094 Click the ...

Page 147: ...ion process of WAC by attempting to gain Web access D Link s implementation of WAC uses a virtual IP that is exclusively used by the WAC function and is not known by any other modules of the Switch In fact to avoid affecting a Switch s other features WAC will only use a virtual IP address to communicate with hosts Thus all authentication requests must be sent to a virtual IP address but not to the...

Page 148: ...Figure 5 45 Six Basic Steps in a Successful Web Authentication Process ...

Page 149: ...dules of the Switch HTTP s Port 1 65535 Enter a HTTP port number Port 80 is the default Method Use this drop down menu to choose the authenticator for Web based Access Control The user may choose Local Choose this parameter to use the local authentication method of the Switch as the authenticating method for users trying to access the network via the switch This is in fact the username and passwor...

Page 150: ... web page yet does not receive a Fail Message the client will already be authenticated and therefore should refresh the current browser window or attempt to open a different web page WAC User Settings Users can view and set user accounts for Web authentication To view the following window click Security Web Authentication WAC User Settings Figure 5 47 WAC User Settings window To set the User Accou...

Page 151: ...ped VLAN ID 1 4094 Click the button and enter a VID in this field Click Apply to implement changes made WAC Port Settings Users can view and set port configurations for Web authentication To view the following window click Security Web Authentication WAC Port Settings Figure 5 48 WAC Port Settings window To set the WAC on individual ports for the Switch complete the following fields Parameter Desc...

Page 152: ...entication are mutually exclusive functions That is they cannot be enabled at the same time To use the JWAC feature computer users need to pass through two stages of authentication The first stage is to do the authentication with the quarantine server and the second stage is the authentication with the Switch For the second stage the authentication is similar to Web Authentication except that ther...

Page 153: ...ost is redirected to either the Quarantine Server or the JWAC Login Page Redirect Delay Time 0 10 This parameter specifies the Delay Time before an unauthenticated host is redirected to the Quarantine Server or JWAC Login Page Enter a value between 0 and 10 seconds A value of 0 indicates no delay in the redirect Quarantine Server Configuration Error Timeout 5 300 This parameter is used to set the ...

Page 154: ...e default value is 1440 A value of 0 indicates the authenticated host will never age out on the port MAC Authenticating Host 1 10 This parameter specifies the maximum number of host process authentication attempts allowed on each port at the same time The default value is 10 Enter a value between 1 and 10 attempts Idle Time 1 1440 If there is no traffic during the Idle Time parameter the host will...

Page 155: ...5 alphanumeric characters New Password Enter the password the administrator has chosen for the selected user This field is case sensitive and must be a complete alphanumeric string Confirm Password Retype the password entered in the previous field VID 1 4094 Enter a VLAN ID number between 1 and 4094 Click Apply to implement changes made JWAC Customize Page Language Users can configure JWAC page an...

Page 156: ...n click the Apply button Next enter a User Name and a Password and then click the Enter button Multiple Authentication Modern networks employ many authentication methods The Multiple Authentication methods supported by this Switch include 802 1X MAC based Access Control MBAC Web based Access Control WAC Japan Web based Access Control JWAC and IP MAC Port Binding IMPB The Multiple Authentication fe...

Page 157: ...h will try to authenticate the client using one of these methods and if the client passes they will be granted access to the network Any MAC 802 1X or JWAC Mode Figure 5 55 Any MAC 802 1X or JWAC Mode In the diagram above the Switch port has been configured to allow clients to authenticate using 802 1X MBAC or JWAC When a client tries to connect to the network the Switch will try to authenticate t...

Page 158: ... that checks if the IP streams being sent by authorized hosts have been granted or not In the above diagram the Switch port has been configured to allow clients to authenticate using 802 1X If the client is in the IMPB table and tries to connect to the network using this authentication method and the client is listed in the white list for legal IP MAC port checking access will be granted If a clie...

Page 159: ...Authorization Network State Settings for the Switch To view the following window click Security Multiple Authentication Authorization Network State Settings Figure 5 58 Authorization Network State Settings window Multiple Authentication Settings Users can configure multiple authentication methods for a port or ports To view the following window click Security Multiple Authentication Multiple Authe...

Page 160: ...access to the network If the user fails the authorization this port will keep trying the next authentication method When Host Based is selected users are authenticated individually Click Apply to implement the changes made Guest VLAN Users can assign ports to or remove ports from a guest VLAN To view the following window click Security Multiple Authentication Guest VLAN Figure 5 60 Guest VLAN wind...

Page 161: ...equest to the server If the Switch doesn t receive a response after N1 times the result is denied and the entry host MAC switch port number multicast group IP is put in the authentication failed list In general case when the multicast group port is already learned by the switch it won t do the authentication again It only processes the packet as standard IGMP authentication processes IGMP leaves a...

Page 162: ... entering the criteria the Switch will use to determine what to do with the frame The entire process is described below in two parts Users can display the currently configured Access Profiles on the Switch To view the following window click ACL Access Profile List one access profile of each type has been created for explanatory purposes Figure 6 1 Access Profile List window To add an entry to the ...

Page 163: ...he IPv4 address in each frame s header Select IPv6 ACL to instruct the Switch to examine the IPv6 address in each frame s header Select Packet Content to instruct the Switch to examine the packet content in each frame s header Source MAC Mask Enter a MAC address mask for the source MAC address Destination MAC Mask Enter a MAC address mask for the destination MAC address 802 1Q VLAN Selecting this ...

Page 164: ...n Select Profile ID Use the drop down menu to select a unique identifier number for this profile set This value can be set from 1 to 200 Select ACL Type Select profile based on Ethernet MAC Address IPv4 address IPv6 address or packet content This will change the window according to the requirements for the type of profile Select Ethernet ACL to instruct the Switch to examine the layer 2 part of ea...

Page 165: ...ing criterion Selecting TCP requires that you specify a source port mask and or a destination port mask src port mask Specify a TCP port mask for the source port in hex form hex 0x0 0xffff which you wish to filter dst port mask Specify a TCP port mask for the destination port in hex form hex 0x0 0xffff which you wish to filter flag bit The user may also identify which flag bits to filter Flag bits...

Page 166: ...ach frame s header Select Packet Content to instruct the Switch to examine the packet content in each frame s header IPv6 Class Ticking this check box will instruct the Switch to examine the class field of the IPv6 header This class field is a part of the packet header that is similar to the Type of Service ToS or Precedence bits field in IPv4 IPv6 Flow Label Ticking this check box will instruct t...

Page 167: ...escription Select Profile ID Use the drop down menu to select a unique identifier number for this profile set This value can be set from 1 to 200 Select ACL Type Select profile based on Ethernet MAC Address IPv4 address IPv6 address or packet content This will change the window according to the requirements for the type of profile Select Ethernet ACL to instruct the Switch to examine the layer 2 p...

Page 168: ...etwork attacks such as ARP Spoofing The Switch s implementation of Packet Content ACL enables inspection of any packet s specified content regardless of the protocol layer Click Apply to implement changes made To view the setting details for a created profile click the Show Details button for the corresponding entry on the Access Profile List window revealing the following window Figure 6 9 Access...

Page 169: ...ny additional rule added see below Select Deny to specify that packets that do not match the access profile are not forwarded by the Switch and will be filtered Select Mirror to specify that packets that match the access profile are mirrored to a port defined in the config mirror port command Port Mirroring must be enabled and a target port must be set Priority 0 7 Tick the corresponding check box...

Page 170: ...t/sec, e.g. if the user selects an Rx rate of 10 then the ingress rate is 640kbit/sec. The user may select a value between 1 and 156249 or tick the No Limit check box. The default setting is No Limit. Time Range Name: Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window. This will set specific times when this access rule wi...

Page 171: ...rding it on to the specified CoS queue Otherwise a packet will have its incoming 802 1p user priority re written to its original value before being forwarded by the Switch For more information on priority queues CoS queues and mapping for 802 1p see the QoS section of this manual Replace Priority Tick this check box to replace the Priority value in the adjacent field Replace DSCP 0 63 Select this ...

Page 172: ...nd the access rule will not be configured Ticking the All Ports check box will denote all ports on the Switch To view the settings of a previously correctly configured rule click the corresponding Show Details button on the Access Rule List window to view the following window Figure 6 15 Access Rule Detail Information window for IPv4 To establish the rule for a previously created Access Profile To...

Page 173: ... previously in this command before forwarding it on to the specified CoS queue Otherwise a packet will have its incoming 802 1p user priority re written to its original value before being forwarded by the Switch For more information on priority queues CoS queues and mapping for 802 1p see the QoS section of this manual Replace Priority Tick this check box to replace the Priority value in the adjac...

Page 174: ... will be presented with an error message and the access rule will not be configured Ticking the All Ports check box will denote all ports on the Switch To view the settings of a previously correctly configured rule click the corresponding Show Details button on the Access Rule List window to view the following window Figure 6 18 Access Rule Detail Information window for IPv6 To establish the rule ...

Page 175: ... priority of a packet to the value entered in the Priority field which meets the criteria specified previously in this command before forwarding it on to the specified CoS queue Otherwise a packet will have its incoming 802 1p user priority re written to its original value before being forwarded by the Switch For more information on priority queues CoS queues and mapping for 802 1p see the QoS sec...

Page 176: ...iltering This added feature increases the running security of the Switch by enabling the user to create a list of access rules for packets destined for the Switch s CPU interface Employed similarly to the Access Profile feature previously mentioned CPU interface filtering examines Ethernet IP and Packet Content Mask packet headers destined for the CPU and will either forward them or filter them ba...

Page 177: ...sponding Show Details button. To add an entry to the CPU Access Profile List, click the Add ACL Profile button. This will open the Add CPU ACL Profile window, as shown below. To remove all CPU Access Profile List entries, click the Delete All button. The Switch supports four CPU Access Profile types: Ethernet (or MAC address-based) profile configuration, IP (IPv4 address-based) profile configuration, IPv6 addres...

Page 178: ... in each frame s header Select IPv6 to instruct the Switch to examine the IP address in each frame s header Select Packet Content Mask to specify a mask to hide the content of the packet header Source MAC Mask Enter a MAC address mask for the source MAC address Destination MAC Mask Enter a MAC address mask for the destination MAC address 802 1Q VLAN Selecting this option instructs the Switch to ex...

Page 179: ...he drop down menu to select a unique identifier number for this profile set This value can be set from 1 to 5 Select ACL Type Select profile based on Ethernet MAC Address IPv4 address IPv6 address or packet content mask This will change the menu according to the requirements for the type of profile Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header Select IPv4...

Page 180: ...o filter Flag bits are parts of a packet that determine what to do with the packet The user may filter packets by filtering certain flag bits within the packets by checking the boxes corresponding to the flag bits of the TCP field The user may choose between urg urgent ack acknowledgement psh push rst reset syn synchronize fin finish src port mask Specify a TCP port mask for the source port in hex...

Page 181: ...in each frame s header Select Packet Content Mask to specify a mask to hide the content of the packet header IPv6 Class Checking this field will instruct the Switch to examine the class field of the IPv6 header This class field is a part of the packet header that is similar to the Type of Service ToS or Precedence bits field in IPv4 IPv6 Flow Label Checking this field will instruct the Switch to e...

Page 182: ... ID Use the drop down menu to select a unique identifier number for this profile set This value can be set from 1 to 5 Select ACL Type Select profile based on Ethernet MAC Address IPv4 address IPv6 address or packet content mask This will change the menu according to the requirements for the type of profile Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header Se...

Page 183: ...his entry in the Switch s memory To view the settings of a previously correctly created profile click the corresponding Show Details button on the CPU Access Profile List window to view the following window Figure 6 30 CPU Access Profile Detail Information window for Packet Content To establish the rule for a previously created CPU Access Profile To configure the Access Rules for Ethernet open the...

Page 184: ...ckets that do not match the access profile are not forwarded by the Switch and will be filtered Ethernet Type 0 FFFF Enter the appropriate Ethernet Type information Time Range Name Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window This will set specific times when this access rule will be implemented on the Switch...

Page 185: ...e following parameters and click Apply Parameter Description Access ID 1 100 Type in a unique identifier number for this access This value can be set from 1 to 100 Action Select Permit to specify that the packets that match the access profile are forwarded by the Switch according to any additional rule added see below Select Deny to specify that packets that do not match the access profile are not...

Page 186: ...ow Figure 6 36 CPU Access Rule Detail Information window for IPv4 To establish the rule for a previously created CPU Access Profile To configure the Access Rules for IP open the CPU Access Profile List window and click Add View Rules for an IPv6 entry This will open the following window Figure 6 37 CPU Access Rule List window for IPv6 To remove a previously created rule click the corresponding Del...

Page 187: ... real time service packets Time Range Name Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window This will set specific times when this access rule will be implemented on the Switch Ports Ticking the All Ports check box will denote all ports on the Switch To view the settings of a previously correctly configured rule ...

Page 188: ...ecified Offset 0 15 Enter a value in hex form to mask the packet from the beginning of the packet to the 15th byte Offset 16 31 Enter a value in hex form to mask the packet from byte 16 to byte 31 Offset 32 47 Enter a value in hex form to mask the packet from byte 32 to byte 47 Offset 48 63 Enter a value in hex form to mask the packet from byte 48 to byte 63 Offset 64 79 Enter a value in hex form ...

Page 189: ...2 alphanumeric characters that will be used to identify this time range on the Switch This range name will be used in the Access Profile table to identify the access profile and associated rule to be enabled during this time range Hours This parameter is used to set the time in the day that this time range is to be enabled using the following parameters Start Time Use this parameter to identify th...

Page 190: ... Port Browse Session Table IGMP Snooping Group MLD Snooping Group WAC Authenticating State JWAC Host Table MAC Address Table System Log MAC based Access Control State Device Environment The device environment feature displays the Switch internal temperature status This window is for the DGS 3200 16 only To view the following window click Monitoring Device Environment Figure 7 1 Device Environment ...

Page 191: ... 14 15 and 16 crosstalk errors cannot be recognized and the length cannot be obtained when the port is connected to a 1000Mbytes port which is either forced to 10 100Mbytes or powered down 2 If cable length is displayed as NA this means the cable length is Not Available 3 The cable length cannot exceed 80 meters if the port is connected to a powered off device or to a port which is configured to f...

Page 192: ...y to implement the configured settings The window will automatically refresh with new updated statistics Change the view parameters as follows Parameter Description Time Interval Select the desired setting between 1s and 60s where s stands for seconds The default value is one second Record Number Select number of times the Switch will be polled between 20 and 200 The default value is 200 Show Hide...

Page 193: ...Port pull down menu The user may also use the real time graphic of the Switch at the top of the web page by simply clicking on a port Change the view parameters as follows Parameter Description Port Use the drop down menu to choose the port that will display statistics Time Interval Select the desired setting between 1s and 60s where s stands for seconds The default value is one second Record Numb...

Page 194: ...ew these statistics for select the port by using the Port pull down menu The user may also use the real time graphic of the Switch at the top of the web page by simply clicking on a port To view the following windows click Monitoring Packet Size Figure 7 5 Packet Size window To view the Packet Size Table window click the link View Table which will show the following table Figure 7 6 Packet Size Ta...

Page 195: ...were between ... and 255 octets in length inclusive (excluding framing bits but including FCS octets). 256-511: The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets). 512-1023: The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding f...

Page 196: ...t to view these statistics for select the port by using the Port pull down menu The user may also use the real time graphic of the Switch at the top of the web page by simply clicking on a port To view the following windows click Monitoring Packets Received RX Figure 7 7 Received RX window for Bytes and Packets To view the Received RX Table window click View Table Figure 7 8 Received RX Table wind...

Page 197: ...ceived on the port Packets Counts the number of packets received on the port Unicast Counts the total number of good packets that were received by a unicast address Multicast Counts the total number of good packets that were received by a multicast address Broadcast Counts the total number of good packets that were received by a broadcast address Show Hide Check whether to display Bytes and Packet...

Page 198: ...ime graphic of the Switch at the top of the web page by simply clicking on a port To view the following windows click Monitoring Packets UMB_cast RX Figure 7 9 UMB_cast RX window for Unicast Multicast and Broadcast Packets To view the UMB_cast RX Table window click the View Table link Figure 7 10 UMB_cast RX Table window for Unicast Multicast and Broadcast Packets The following fields may be set o...

Page 199: ...ackets that were received by a broadcast address Show Hide Check whether or not to display Multicast Broadcast and Unicast Packets Clear Clicking this button clears all statistics counters on this window View Table Clicking this button instructs the Switch to display a table rather than a line graph View Graphic Clicking this button instructs the Switch to display a line graph rather than a table ...

Page 200: ...er of bytes successfully sent on the port Packets Counts the number of packets successfully sent on the port Unicast Counts the total number of good packets that were transmitted by a unicast address Multicast Counts the total number of good packets that were transmitted by a multicast address Broadcast Counts the total number of good packets that were transmitted by a broadcast address Show Hide ...

Page 201: ...rt to view these statistics for select the port by using the Port pull down menu The user may also use the real time graphic of the Switch at the top of the web page by simply clicking on a port To view the following windows click Monitoring Errors Received RX Figure 7 13 Received RX window for errors To view the Received RX Table window for errors click the link View Table which will show the fol...

Page 202: ...that were longer than 1518 octets and less than the MAX_PKT_LEN Internally MAX_PKT_LEN is equal to 1536 Fragment The number of packets less than 64 bytes with either bad framing or an invalid CRC These are normally the result of collisions Jabber Counts invalid packets received that were longer than 1518 octets and less than the MAX_PKT_LEN Internally MAX_PKT_LEN is equal to 1536 Drop The number o...

Page 203: ...the real time graphic of the Switch at the top of the web page by simply clicking on a port To view the following windows click Monitoring Errors Transmitted TX Figure 7 15 Transmitted TX window for errors To view the Transmitted TX Table window click the link View Table which will show the following table Figure 7 16 Transmitted TX Table window for errors The following fields may be set or viewed...

Page 204: ...Coll Counts the number of times that a collision is detected later than 512 bit times into the transmission of a packet ExColl Excessive Collisions The number of packets for which transmission failed due to excessive collisions SingColl Single Collision Frames The number of successfully transmitted packets for which transmission is inhibited by more than one collision Collision An estimate of the ...

Page 205: ...ccess Control windows open the Monitoring folder and click Port Access Control There are seven monitoring windows in this section Authenticator State The following section describes the 802 1x Status on the Switch Users can view the Authenticator State To view the following windows click Monitoring Port Access Control Authenticator State Figure 7 17 Authenticator State window for Port based 802 1X...

Page 206: ...scription Auth PAE State The Authenticator PAE State value can be Initialize Disconnected Connecting Authenticating Authenticated Aborting Held Force_Auth Force_Unauth or N A N A Not Available indicates that the port s authenticator capability is disabled Backend State The Backend Authentication State can be Request Response Success Fail Timeout Idle Initialize or N A N A Not Available indicates t...

Page 207: ...stics between 1s and 60s where s stands for seconds The default value is one second The following fields can be viewed Parameter Description Port The identification number assigned to the Port by the System in which the Port resides Frames Rx The number of valid EAPOL frames that have been received by this Authenticator Frames Tx The number of EAPOL frames that have been transmitted by this Authen...

Page 208: ...frames other than Resp Id frames that have been received by this Authenticator Rx Invalid The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized Rx Error The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid Last Version The protocol version number carried in the most rec...

Page 209: ...nticator Session Statistics window The user may select the desired time interval to update the statistics between 1s and 60s where s stands for seconds The default value is one second The following fields can be viewed Parameter Description Port The identification number assigned to the Port by the System in which the Port resides Octets Rx The number of octets received in user data frames on this...

Page 210: ...e Authentication Server is external to the Authenticator s System 2 Local Authentic Server The Authentication Server is located within the Authenticator s System Time The duration of the session in seconds Terminate Cause The reason for the session termination There are eight possible reasons for termination 1 Supplicant Logoff 2 Port Failure 3 Supplicant Restart 4 Reauthentication Failure 5 AuthC...

Page 211: ...wing fields can be viewed Parameter Description Port The identification number assigned to the Port by the System in which the Port resides Connect Enter Counts the number of times that the state machine transitions to the CONNECTING state from any other state Connect LogOff Counts the number of times that the state machine transitions from CONNECTING to DISCONNECTED as a result of receiving an EA...

Page 212: ...the Supplicant Responses Counts the number of times that the state machine sends an initial Access Request packet to the Authentication server i e executes sendRespToServer on entry to the RESPONSE state Indicates that the Authenticator attempted communication with the Authentication Server AccessChallenges Counts the number of times that the state machine receives an initial Access Challenge pack...

Page 213: ...e as sysName in MIB II ServerIndex The identification number assigned to each RADIUS Authentication server that the client shares a secret with AuthServerAddress The conceptual table listing the RADIUS authentication servers with which the client shares a secret ServerPortNumber The UDP port the client is using to send requests to this server RoundTripTime The time interval in hundredths of a seco...

Page 214: ...s counted as a retransmit as well as a timeout A send to a different server is counted as a Request as well as a timeout UnknownTypes The number of RADIUS packets of unknown type which were received from this server on the authentication port PacketsDropped The number of RADIUS packets of which were received from this server on the authentication port and dropped for some other reason RADIUS Accou...

Page 215: ... malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses BadAuthenticators The number of RADIUS Accounting Response packets which contained invalid authenticators received from this server PendingRequests The number of RADIUS Accounting Req...

Page 216: ... Show Static button to display static ARP table entries To clear the ARP Table click Clear All To view the following window click Monitoring Browse ARP Table Figure 7 24 Browse ARP Table window Browse VLAN Users can display the VLAN status for each of the Switch s ports viewed by VLAN Enter a VID VLAN ID in the field at the top of the window and click the Find button To view the following window c...

Page 217: ...rt Figure 7 26 Browse Router Port window Enter a VID VLAN ID in the field at the top of the window and click the Find button Browse MLD Router Port Users can display which of the Switch s ports are currently configured as router ports in IPv6 A router port configured by a user using the console or Web based management interfaces is displayed as a static router port designated by S A router port th...

Page 218: ...oping Group Figure 7 29 IGMP Snooping Group window The user may search the IGMP Snooping Group Table by either VLAN Name or VID List by entering it in the top left hand corner and clicking Find The following fields and settings can be viewed Parameter Description VID List VLAN Name The VID List or VLAN Name of the multicast group VID VLAN Name The VID or VLAN Name of the multicast group IP Address...

Page 219: ...ther VLAN Name or VID List present in the Switch by entering that VLAN Name VID List in the empty field shown below and clicking the Find button The following fields and settings can be viewed Parameter Description VID List VLAN Name The VID List or VLAN Name of the multicast group Source The source MAC address of the multicast group Group The multicast group Port Member The port members of this g...

Page 220: ...the desired range of ports and tick the appropriate check box(es): Authenticated, Authenticating and Blocked. MAC Address: Enter the MAC address for the device whose WAC authenticating state will be removed. Search: Click this button to initiate a search. Clear: Click this button to delete the WAC authentication state information selected above. Refresh: Click this button to refresh the values on this window...

Page 221: ...nge of ports Find Click this button to initiate the search function Clear Click this button to delete the Port List data at the top of the window View All Hosts Click this button to view all the JWAC hosts Clear All Hosts Click this button to delete all the JWAC hosts Authenticated Tick this check box to only show authenticated client hosts Authenticating Tick this check box to only show client ho...

Page 222: ...address table are described below Parameter Description Port The port to which the MAC address below corresponds VLAN Name Enter a VLAN Name for the forwarding table to be browsed by MAC Address Enter a MAC address for the forwarding table to be browsed by Find Allows the user to move to a sector of the database corresponding to a user defined port VLAN or MAC address Clear Dynamic Entries Clickin...

Page 223: ...he user to clear the Switch History Log The information in the table is categorized as Parameter Description Type Choose the type of log to view There are two choices Regular Log Choose this option to view regular switch log entries such as logins or firmware transfers Attack Log Choose this option to view attack log files such as spoofing attacks Index A counter incremented whenever an entry to t...

Page 224: ...e information To view the following window click Monitoring MAC based Access Control Authentication State Figure 7 35 MAC based Access Control Authentication State window To display MAC based Access Control Authentication State information select a port using the Port drop down menu and then click Apply Users may also want to adjust the Time Interval at the top of the window ...

Page 225: ...o save the configuration file indexed as Image file 1 To use this file for configuration it must be designated as the Boot configuration Save Configuration_ID_2 to save the configuration file indexed as Image file 2 To use this file for configuration it must be designated as the Boot configuration Save Log to save only the current log Save All to save the current configuration file indexed as Imag...

Page 226: ...ng window Figure 8 2 Save Configuration ID 2 window Save Log Open the Save drop down menu at the top of the Web manager and click Save Log to open the following window Figure 8 3 Save Log window Save All Open the Save drop down menu at the top of the Web manager and click Save All to open the following window Figure 8 4 Save All window ...

Page 227: ...address and file path name Select either IPv4 or IPv6 and then click Upload or Upload Attack Log Figure 8 6 Upload Log File window Reset The Reset function has several options when resetting the Switch Some of the current configuration parameters can be retained while resetting all other configuration parameters to their factory defaults NOTE Only the Reset System option will enter the factory def...

Page 228: ...nitiate the file transfer Reboot System The following window is used to restart the Switch Figure 8 9 Reboot System window Clicking the Yes radio button will instruct the Switch to save the current configuration to non volatile RAM before restarting the Switch Clicking the No radio button instructs the Switch not to save the current configuration before restarting the Switch All of the configurati...

Page 229: ...yload: columns H/W Type, Protocol Type, H/W Address Length, Protocol Address Length, Operation, Sender H/W Address, Sender Protocol Address, Target H/W Address, Target Protocol Address; row shown: Operation ARP request, Sender H/W Address 00-20-5C-01-11-11, Sender Protocol Address 10.10.10.1, Target H/W Address 00-00-00-00-00-00, Target Protocol Address 10.10.10.2. The ARP request will be encapsulated into an Ethernet frame and sent out. As can be seen in Table 2, the Source Address in the Ethernet frame will be PC A's MAC add...

Page 230: ...the sender. The ARP reply is in a form of Unicast communication. Table 3 ARP Payload: columns H/W Type, Protocol Type, H/W Address Length, Protocol Address Length, Operation, Sender H/W Address, Sender Protocol Address, Target H/W Address, Target Protocol Address; row shown: Operation ARP reply, Sender H/W Address 00-20-5C-01-11-11, Sender Protocol Address 10.10.10.1, Target H/W Address 00-00-00-00-00-00, Target Protocol Address 10.10.10.2. When PC B replies to the query, the Destination Address in the Ethernet frame will be c...

Page 231: ...e the Source Address of the Ethernet frame and find that the address is not in the Forwarding Table. The Switch will learn PC B's MAC and update its Forwarding Table: Port 1: 00-20-5C-01-11-11; Port 2: 00-20-5C-01-22-22 ...

Page 232: ... immediately update their own ARP table in accordance with the sender's MAC and IP address. The format of Gratuitous ARP is shown in the following table. Table 5. Columns: Destination Address (6 bytes), Source Address (6 bytes), Ethernet Type (2 bytes), H/W Type (2 bytes), Protocol Type (2...), H/W Address Length, Protocol Address Length, Operation, Sender H/W Address, Sender Protocol Address, Target H/W Address, Target Protocol Address ...

Page 233: ...Because a basic ACL can only filter ARP packets based on packet type, VLAN ID, and source and destination MAC information, further inspection of ARP packets is needed. To prevent ARP spoofing attacks we demonstrate here how to use a Packet Content ACL on the Switch to block invalid ARP packets that carry a faked gateway MAC/IP binding. Example topology ...

Page 234: ...Offset Chunk table (the column headers for Chunk0 to Chunk5 are cut off; Chunk6 to Chunk15 are visible). Each chunk covers four frame bytes, listed for every chunk in the four "Byte" rows:
Chunk:   0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
Byte:  127   3   7  11  15  19  23  27  31  35  39  43  47  51  55  59
Byte:  128   4   8  12  16  20  24  28  32  36  40  44  48  52  56  60
Byte:    1   5   9  13  17  21  25  29  33  37  41  45  49  53  57  61
Byte:    2   6  10  14  18  22  26  30  34  38  42  46  50  54  58  62
Offset Chunk, Offset Chunk16, Offset Chunk17, Offset...
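The following is an added example, not code or configuration from the D-Link manual, written for the two passages above: the Packet Content ACL approach to ARP spoofing on page 233 and the offset-chunk table on page 234. It models the chunk layout the table gives (chunk 0 wraps to bytes 127, 128, 1, 2; chunk k covers bytes 4k-1 to 4k+2), turns a field-must-equal-value requirement into per-chunk masks, and evaluates an ordered permit/deny list against constructed ARP frames. Everything not on the page is an assumption and is marked as such in the code: the gateway and attacker addresses (the manual's example topology is not on this page), the continuation of the chunk rule past chunk 15, a limit of four chunks per rule, first-match-wins evaluation with a default permit, and the field offsets of an untagged Ethernet II frame.

```python
"""Added example (not from the D-Link manual): model the Packet Content ACL
offset-chunk layout tabulated on page 234 and use it to build and evaluate
rules that drop ARP frames claiming the gateway's IP with the wrong MAC."""
import struct

MAX_CHUNKS_PER_RULE = 4   # assumed: one packet-content rule may reference at most four chunks

def chunk_bytes(chunk):
    """Return the four 1-based frame byte numbers a chunk covers, ordered from the
    most to the least significant byte of the chunk's 32-bit mask. Read from the
    offset-chunk table: chunk 0 wraps the 128-byte window (127, 128, 1, 2) and
    chunk k >= 1 covers bytes 4k-1 .. 4k+2. The page shows chunks 0-15; the same
    rule is assumed to continue to chunk 31 (bytes 123-126)."""
    if not 0 <= chunk <= 31:
        raise ValueError("chunk must be in 0..31")
    if chunk == 0:
        return (127, 128, 1, 2)
    return (4 * chunk - 1, 4 * chunk, 4 * chunk + 1, 4 * chunk + 2)

def field_rules(first, last, value):
    """Express 'bytes first..last (1-based, inclusive) must equal value' as
    (chunk, mask, match) triples, one per chunk the field touches."""
    if len(value) != last - first + 1:
        raise ValueError("value length does not match the byte range")
    rules = []
    for chunk in range(32):
        mask = match = 0
        for shift, b in zip((24, 16, 8, 0), chunk_bytes(chunk)):
            if first <= b <= last:
                mask |= 0xFF << shift
                match |= value[b - first] << shift
        if mask:
            rules.append((chunk, mask, match))
    return rules

def merge_chunks(rules):
    """Fold field triples into one (mask, match) per chunk, which is the shape a
    single packet-content rule takes on the switch, and enforce the chunk budget."""
    merged = {}
    for chunk, mask, match in rules:
        old_mask, old_match = merged.get(chunk, (0, 0))
        merged[chunk] = (old_mask | mask, old_match | match)
    if len(merged) > MAX_CHUNKS_PER_RULE:
        raise ValueError(f"rule needs {len(merged)} chunks, limit is {MAX_CHUNKS_PER_RULE}")
    return merged

def chunk_word(frame, chunk):
    """Read a chunk's 32-bit word out of a frame; bytes past the end read as zero."""
    word = 0
    for b in chunk_bytes(chunk):
        word = (word << 8) | (frame[b - 1] if b <= len(frame) else 0)
    return word

def evaluate(frame, acl, default="permit"):
    """acl is an ordered list of (action, rules); the first matching rule wins.
    First-match-wins and the default action are assumptions of this model."""
    for action, rules in acl:
        if all((chunk_word(frame, c) & m) == v for c, (m, v) in merge_chunks(rules).items()):
            return action
    return default

# ARP field positions in an untagged Ethernet II frame (1-based byte numbers).
# A VLAN tag would shift every ARP field by four bytes, i.e. by exactly one chunk.
ETHERTYPE = (13, 14)
SENDER_MAC = (23, 28)
SENDER_IP = (29, 32)

def mac(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(dst_mac, src_mac, oper, sha, spa, tha, tpa):
    """Construct an ARP frame: 14-byte Ethernet II header + 28-byte ARP payload."""
    eth = dst_mac + src_mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return eth + arp

# Assumed addresses for the demo; the manual's example topology is not on this page.
GW_MAC = mac("00-20-5C-01-AA-AA")
GW_IP = ip("10.10.10.254")
PC_A_MAC = mac("00-20-5C-01-11-11")      # PC A as in the ARP tables on pages 229-231
PC_A_IP = ip("10.10.10.1")
ATTACKER_MAC = mac("00-20-5C-01-DD-DD")
BROADCAST = mac("FF-FF-FF-FF-FF-FF")
ZERO_MAC = bytes(6)

def anti_spoof_acl():
    """The page-233 approach in rule form: permit ARP carrying the genuine
    gateway IP/MAC binding, deny any other ARP that claims the gateway IP,
    and leave everything else to the default action."""
    is_arp = field_rules(*ETHERTYPE, b"\x08\x06")
    claims_gw_ip = field_rules(*SENDER_IP, GW_IP)
    from_gw_mac = field_rules(*SENDER_MAC, GW_MAC)
    return [
        ("permit", is_arp + claims_gw_ip + from_gw_mac),
        ("deny", is_arp + claims_gw_ip),
    ]

def classify(frame):
    return evaluate(frame, anti_spoof_acl())

# Constructed frames: a real gateway reply, a spoofed reply, a spoofed gratuitous
# ARP, and PC A's ordinary request for PC B from the tables on page 229.
GENUINE_REPLY = build_arp(PC_A_MAC, GW_MAC, 2, GW_MAC, GW_IP, PC_A_MAC, PC_A_IP)
SPOOFED_REPLY = build_arp(PC_A_MAC, ATTACKER_MAC, 2, ATTACKER_MAC, GW_IP, PC_A_MAC, PC_A_IP)
SPOOFED_GRATUITOUS = build_arp(BROADCAST, ATTACKER_MAC, 1, ATTACKER_MAC, GW_IP, ZERO_MAC, GW_IP)
PC_A_REQUEST = build_arp(BROADCAST, PC_A_MAC, 1, PC_A_MAC, PC_A_IP, ZERO_MAC, ip("10.10.10.2"))

if __name__ == "__main__":
    for name, frame in [("genuine reply", GENUINE_REPLY), ("spoofed reply", SPOOFED_REPLY),
                        ("spoofed gratuitous", SPOOFED_GRATUITOUS), ("PC A request", PC_A_REQUEST)]:
        print(f"{name:20s} -> {classify(frame)}")
    for action, rules in anti_spoof_acl():
        print(action, {c: (hex(m), hex(v)) for c, (m, v) in merge_chunks(rules).items()})
```

Running the block prints one verdict per frame and the per-chunk mask/value pairs each rule needs: the permit rule lands on chunks 3, 6, 7 and 8 (EtherType, sender MAC, sender IP), the deny rule on chunks 3, 7 and 8. Two points a practitioner should keep: the EtherType chunk is what stops an IPv4 packet whose bytes 29-32 happen to equal the gateway IP from being dropped, and all offsets assume an untagged frame, so on a tagged link every chunk index moves up by one.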

Page 236: ...information for logging. Side Fan failed: log "Unit <unitID>, Side Fan failed"; severity Critical; for DGS-3200-16 only. Side Fan recovered: log "Unit <unitID>, Side Fan recovered"; severity Critical; for DGS-3200-16 only. Up/Download: Firmware upgraded successfully: log "Unit <unitID>, Firmware upgraded by console successfully (Username: <username>, IP: <ipaddr>, MAC: <macaddr>)"; severity Informational; remark: "by console" and "IP: <ipaddr>, MAC: <macaddr>" are shown exclusively (XOR) in the log string, which...

Page 237: ...ans that if the user logs in by console there will be no IP and MAC information for logging. Interface: Port link up: log "Port <unitID:portNum> link up, <link state>"; severity Informational; link state, for example "100Mbps FULL duplex". Port link down: log "Port <unitID:portNum> link down"; severity Informational. Console: Successful login through Console: log "Unit <unitID>, Successful login through Console (Username: <username>)"; severity Informational; there are no IP and MAC if login by c...

Page 238: ...ved from <ipAddress> with invalid community string"; severity Informational. STP: Topology changed: log "Topology changed (Instance: <InstanceID>, port: <unitID:portNum>)"; severity Informational; a topology change was detected on the port. New Root selected (CIST/MIST/Regional): log "New root selected (Instance: <InstanceID>, Root bridge MAC: <macaddr>, Priority: <value>)"; severity Informational; root bridge MAC address and priority at the instance. Spanning Tree Protocol is enabled...

Page 239: ... from <userIP> authenticated by AAA local method (Username: <username>, MAC: <macaddr>)"; severity Warning. Successful login through Web(SSL) authenticated by AAA local method: log "Successful login through Web(SSL) from <userIP> authenticated by AAA local method (Username: <username>, MAC: <macaddr>)"; severity Informational. Login failed through Web(SSL) authenticated by AAA local method: log "Login failed through Web(SSL) from <userIP> authenticated by AAA ...

Page 240: ...ddr>)"; severity Informational. Successful login through Console authenticated by AAA server: log "Successful login through Console authenticated by AAA server <serverIP> (Username: <username>)"; severity Informational; there are no IP and MAC if login by console. Login failed through Console authenticated by AAA server: log "Login failed through Console authenticated by AAA server <serverIP> (Username: <username>)"; severity Warning; there are no IP and MAC if...

Page 241: ...ed through Telnet from <userIP> authenticated by AAA server <serverIP> (Username: <username>, MAC: <macaddr>)"; severity Warning. Successful login through SSH authenticated by AAA server: log "Successful login through SSH from <userIP> authenticated by AAA server <serverIP> (Username: <username>, MAC: <macaddr>)"; severity Informational. Successful Enable Admin through Console authenticated by AAA local_enable method: log "Successful Enable Admin through Con...

Page 242: ... (Username: <username>)"; severity Informational. Successful Enable Admin through Web authenticated by AAA none method: log "Successful Enable Admin through Web from <userIP> authenticated by AAA none method (Username: <username>, MAC: <macaddr>)"; severity Informational. Successful Enable Admin through Web(SSL) authenticated by AAA none method: log "Successful Enable Admin through Web(SSL) from <userIP> authenticated by AAA none method (Username: <userna...

Page 243: ... server timeout or improper configuration (Username: <username>, MAC: <macaddr>)"; severity Warning. Successful Enable Admin through Web(SSL) authenticated by AAA server: log "Successful Enable Admin through Web(SSL) from <userIP> authenticated by AAA server <serverIP> (Username: <username>, MAC: <macaddr>)"; severity Informational. Enable Admin failed through Web(SSL) authenticated by AAA server: log "Enable Admin failed through Web(SSL) from <userIP> authent...

Page 244: ...iled"; severity Warning; <protocol> is one of TACACS, XTACACS, TACACS+, RADIUS. AAA server ACK error: log "AAA server <serverIP> (Protocol: <protocol>) response is wrong"; severity Warning; <protocol> is one of TACACS, XTACACS, TACACS+, RADIUS. AAA does not support this functionality: log "AAA doesn't support this functionality"; severity Informational. IP-MAC-PORT Binding: Unauthenticated IP address, discarded by IP-MAC-port binding: log "Unauthenticated IP-MAC address ...

Page 245: ...out normally (Username: %s, IP: %s, MAC: %s, Port: %s)"; severity Informational. Logout forcibly: log "JWAC host logout forcibly (Username: %s, IP: %s, MAC: %s, Port: %s)"; severity Warning. Age out: log "JWAC host age out (Username: %s, IP: %s, MAC: %s, Port: %s)"; severity Informational. Loopback Detection: Port loop occurred: log "Port <unitID:portNum> LBD loop occurred. Port blocked"; severity Critical. Port loop detection restarted after interval time: log "Port <unitID:portNum> LBD port recovered. Loop dete...

Page 246: ...default priority will be assigned to the port: log "Radius server <ipaddr> assigned 802.1p default priority <priority> to port <unitID:portNum> (account: <username>)"; severity Informational; stand-alone device: port <portNum>; stackable device: Port <unitID:portNum>. 802.1X Authentication failure: log "802.1x Authentication failure for <reason> from (Username: <username>, Port: <unitID:portNum>, MAC: <macaddr>)"; severity Warning; stand-alone device: port <portNum>; stackab...
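The login, Enable Admin and AAA log entries on pages 239 to 244 are the ones a SOC would actually alert on. The following is an added example, not code from the D-Link manual, that parses messages shaped like those templates and reports failed-login bursts per source, privilege escalation through the "AAA none method" (no authentication), and AAA server problems. The sample lines are constructed: they follow the templates' wording, with the "(Username: ..., MAC: ...)" punctuation assumed since this page's extraction stripped it, no timestamp prefix, and invented IPs, user names and MACs. Console sessions are keyed as "console" because, as the manual notes repeatedly, console logins carry no IP or MAC.

```python
"""Added example (not from the D-Link manual): parse switch log messages shaped
like the page-239..244 templates and pull out what a SOC wants from them."""
import re
from collections import Counter, defaultdict

# Constructed sample messages: template wording, invented values.
SAMPLE_LOG = """\
Successful login through SSH from 10.10.10.5 authenticated by AAA server 10.10.10.200 (Username: admin, MAC: 00-20-5C-01-11-11)
Login failed through Web(SSL) from 10.10.10.77 authenticated by AAA local method (Username: admin, MAC: 00-20-5C-01-DD-DD)
Login failed through Web(SSL) from 10.10.10.77 authenticated by AAA local method (Username: root, MAC: 00-20-5C-01-DD-DD)
Login failed through Telnet from 10.10.10.77 authenticated by AAA local method (Username: operator, MAC: 00-20-5C-01-DD-DD)
Login failed through Console authenticated by AAA server 10.10.10.200 (Username: admin)
Successful Enable Admin through Web from 10.10.10.77 authenticated by AAA none method (Username: guest, MAC: 00-20-5C-01-DD-DD)
AAA server 10.10.10.200 (Protocol: RADIUS) response is wrong
Successful login through Console (Username: admin)
"""

METHODS = r"(?P<method>Console|Web\(SSL\)|Web|Telnet|SSH)"   # Web(SSL) must precede Web
LOGIN_RE = re.compile(
    r"^(?P<outcome>Successful login|Login failed) through " + METHODS +
    r"(?: from (?P<ip>\d+\.\d+\.\d+\.\d+))?"
    r"(?: authenticated by AAA (?P<aaa>local method|none method|server \S+))?"
    r" \(Username: (?P<user>[^,)]+)(?:, MAC: (?P<mac>[0-9A-Fa-f-]+))?\)$"
)
ENABLE_RE = re.compile(
    r"^(?P<outcome>Successful Enable Admin|Enable Admin failed) through " + METHODS +
    r"(?: from (?P<ip>\d+\.\d+\.\d+\.\d+))?"
    r" authenticated by AAA (?P<aaa>local_enable method|none method|server \S+)"
    r" \(Username: (?P<user>[^,)]+)(?:, MAC: (?P<mac>[0-9A-Fa-f-]+))?\)$"
)
AAA_SERVER_RE = re.compile(
    r"^AAA server (?P<server>\S+) \(Protocol: (?P<proto>[^)]+)\) (?P<problem>.+)$"
)

FAIL_THRESHOLD = 3   # failed logins from one source before it is reported (tunable)

def analyze(log_text):
    """Return a report: failed-login counts per source (console logins have no
    IP, so they are keyed 'console'), sources at or over the threshold with the
    user names they tried, successful Enable Admin events that used the 'none'
    method, and AAA server problems."""
    failures = Counter()
    users_tried = defaultdict(set)
    unauth_enable = []
    aaa_problems = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOGIN_RE.match(line)
        if m:
            if m["outcome"] == "Login failed":
                src = m["ip"] or "console"   # console sessions carry no IP/MAC
                failures[src] += 1
                users_tried[src].add(m["user"])
            continue
        m = ENABLE_RE.match(line)
        if m:
            # Enable Admin granted with no authentication method at all.
            if m["outcome"].startswith("Successful") and m["aaa"] == "none method":
                unauth_enable.append((m["ip"] or "console", m["user"]))
            continue
        m = AAA_SERVER_RE.match(line)
        if m:
            aaa_problems.append((m["server"], m["proto"], m["problem"]))
    return {
        "failures": dict(failures),
        "brute_force": sorted(s for s, n in failures.items() if n >= FAIL_THRESHOLD),
        "users_tried": {s: sorted(u) for s, u in users_tried.items()},
        "unauth_enable": unauth_enable,
        "aaa_problems": aaa_problems,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, 10.10.10.77 is reported for three failed logins across Web(SSL) and Telnet with three different user names, the same host then gains Enable Admin through the "none" method, and the RADIUS server's bad response is listed separately; the single console failure stays below the threshold but is still counted. An AAA server fault followed by a "none method" success is exactly the sequence worth correlating, since it can mean the fallback method let a session through while the server was unreachable.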

Page 247: ...uProtectChgToExhausted: this trap indicates that the system changed operation mode from normal to exhausted; OID 1.3.6.1.4.1.171.12.19.4.1.0.1. SafeGuardChgToNormal: this trap indicates that the system changed operation mode from exhausted to normal; OID 1.3.6.1.4.1.171.12.19.4.1.0.2. PktStormOccurred: this trap is sent when a packet storm is detected by the packet storm mechanism and shutdown is taken as the action; OID 1.3.6.1.4.1.171.12...

Page 248: ...ember generates a link up notification; OID 1.3.6.1.4.1.171.12.8.6.0.14. SingleIPMSAuthFail: the commander switch will send the swSingleIPMSAuthFail notification to the indicated host when its member generates an authentication failure notification; OID 1.3.6.1.4.1.171.12.8.6.0.15. SingleIPMSnewRoot: the commander switch will send the swSingleIPMSnewRoot notification to the indicated host when its member generates a new ...

Page 249: ...a high capacity alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps; OID 1.3.6.1.2.1.16.29.2.0.1. FallingAlarmTrap: this trap is an SNMP notification that is generated when a high capacity alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps; OID 1.3.6.1.2.1.16.29.2.0.2. newRoot: the newRoot trap indicate...

Page 250: ...of the switch. 2. Power on the Switch. After the runtime image is loaded to 100%, the Switch will allow 2 seconds for the user to press the hotkey Shift+6 to enter the Password Recovery Mode. Once the Switch enters the Password Recovery Mode, all ports on the Switch will be disabled. Boot Procedure V1.00-B006: Power On Self Test ... 100%. MAC Address: 00-19-5B-EC-32-15. H/W Version: A1. Please wait, loading V1.35-B01...

Page 251: ...estination devices on the network. broadcast storm: Multiple simultaneous broadcasts that typically absorb available network bandwidth and can cause network failure. console port: The port on the Switch accepting a terminal or modem connector. It changes the parallel arrangement of data within computers to the serial form used on data transmission links. This port is most often used for dedicated local ...

Page 252: ...k Management Protocol: A protocol originally designed to be used in managing TCP/IP internets. SNMP is presently implemented on a wide range of computers and networking equipment and may be used to manage many aspects of network and end-station operation. Spanning Tree Protocol (STP): A bridge-based system for providing fault tolerance on networks. STP works by allowing the user to implement parallel pat...

Page 253: ...ation pertaining to the product, and in that case the product is being sold "As Is" without any warranty whatsoever, including, without limitation, the Warranty as described herein, notwithstanding anything stated herein to the contrary. Submitting A Claim: The customer shall return the product to the original purchase point based on its return policy. In case the return policy period has expired and the pr...

Page 254: ...ms, Inc. Other trademarks or registered trademarks are the property of their respective owners. Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United ...

Page 255: ...Registration. Register your D-Link product online at http://support.dlink.com/register. Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights ...

Page 256: ... the defective Hardware, the price paid by the original purchaser for the defective Hardware will be refunded by D-Link upon return to D-Link of the defective Hardware. All Hardware or part thereof that is replaced by D-Link, or for which the purchase price is refunded, shall become the property of D-Link upon replacement or refund. Limited Software Warranty: D-Link warrants that the software portion of...

Page 257: ... not to be defective or non-conforming. What Is Not Covered: This limited warranty provided by D-Link does not cover Products that have been subjected to abuse, accident, alteration, modification, tampering, negligence, misuse, faulty installation, lack of reasonable care, repair or service in any way that is not contemplated in the documentation for the product, or if the model or serial number has been alte...

Page 258: ...ir respective proprietors. Copyright Statement: No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link International Ptd Ltd. FCC Warning: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 ...

Page 259: ...e warranty period on this product. U.S. and Canadian customers can contact D-Link technical support through our website or by phone. Tech Support for customers within the United States: D-Link Technical Support over the Telephone (USA) 877-DLINK-55 (877-354-6555); D-Link Technical Support over the Internet http://support.dlink.com. Tech Support for customers within Canada: D-Link Technical Support over the Tel...

Page 260: ... uk, ftp ftp.dlink.co.uk. Technical Support, Germany: Web http://www.dlink.de, E-Mail support@dlink.de, Telephone +49 (0) 1805 2787 (0.14 per minute), Hours Mon-Fri 09:00-17:30. Austria: Web http://www.dlink.at, E-Mail support@dlink.at, Telephone +43 (0) 820 480084 (0.116 per minute), Hours Mon-Fri 09:00-17:30. Switzerland: Web http://www.dlink.ch, E-Mail support@dlink.ch, Telephone +41 (0) 848 331100 (0.08 CHF per minute) ...

Page 261: ... www.dlink.nl (0.15 ppm, anytime). Tech Support for customers within Belgium: 070 66 06 40, www.dlink.be (0.175 ppm peak, 0.0875 ppm off-peak). Tech Support for customers within Luxemburg: +32 70 66 06 40, www.dlink.be. Technical Support (Spain): D-Link telephone technical support +34 902 30 45 45 (0.067/min), Monday to Friday from 9:00 to 14:00 and from 15:00 to 18:00, http://www.dlink.es. Technical Support (Italy): technical support from Mon...

Page 262: ... Mon-Fri from 09:00 to 17:00 (land line 1.78 CZK/min, mobile 5.40 CZK/min). Technical Support (Hungary): Tel. 06 1 461 3001, Fax 06 1 461 3004 (land line 14.99 HUF/min, mobile 49.99 HUF/min), e-mail support@dlink.hu, URL http://www.dlink.hu. Technical Support (Norway): D-Link technical telephone support 820 00 755, weekdays 08:00-20:00; D-Link technical support over the Internet http://www.dlink.no. Technical Support: D-Link technical support by telepho...

Page 263: ...εφαλληνίας 64, 11251 Athens, Tel. 210 86 11 114, Monday-Friday 09:00-17:00, Fax 210 8611114, http://www.dlink.gr/support. Technical Support (Portugal): D-Link technical support on the Internet http://www.dlink.pt, e-mail soporte@dlink.es. Technical Support (Sweden): D-Link technical support by telephone 0900 100 77 00, weekdays 08:00-20:00; D-Link technical support via the Internet http://www.dlink.se ...

Page 264: ...k.biz/hr. Technical Support (Slovenia): Thank you for choosing a D-Link product. For all further information, support and user manuals, please visit the D-Link website www.dlink.eu / www.dlink.biz/sl. Technical Support (Romania): Thank you for choosing D-Link products. For more information, support and product manuals, please visit the D-Link site www.dlink.eu / www.dlink.ro ...

Page 265: ...link.co.in/support/productsupport.aspx. Indonesia, Malaysia, Singapore and Thailand: Tel. +62 21 5731610 (Indonesia), Tel. 1800 882 880 (Malaysia), Tel. +65 6501 4200 (Singapore), Tel. +66 2 719 8978-9 (Thailand); 24/7 for English support only; http://www.dlink.com.sg/support, e-mail support@dlink.com.sg. Korea: Tel. +82 2 2028 1815, Monday to Friday 9:00 am to 6:00 pm, http://www.d-link.co.kr, e-mail arthur@d-link.co.kr. New Zealand: T...

Page 266: ... +92 21 4548158 or +92 21 4548310, Monday to Friday 10:00 am to 6:00 pm, http://support.dlink-me.com, E-mail zkashif@dlink-me.com. South Africa and Sub-Sahara Region: Tel. +27 12 665 2165, 08600 DLINK (for South Africa only), Monday to Friday 8:30 am to 9:00 pm South Africa Time, http://www.d-link.co.za. Turkey: Tel. +90 212 2895659, Monday to Friday 9:00 am to 6:00 pm, http://www.dlink.com.tr, e-mail turkiye@dlink-me.com, e-mail ...

Page 267: ...ink. D-Link provides free support for customers during the warranty period. Customers can contact the D-Link technical support group by telephone or via the Internet. D-Link technical support: +7 495 744 00 99. Technical support via the Internet: http://www.dlink.ru, e-mail support@dlink.ru ...

Page 268: ...s 06:00 to 19:00; Costa Rica 0800 0521478, Monday to Friday 05:00 to 18:00; Ecuador 1800 035465, Monday to Friday 06:00 to 19:00; El Salvador 800 6335, Monday to Friday 05:00 to 18:00; Guatemala 1800 8350255, Monday to Friday 05:00 to 18:00; México 01800 1233201, Monday to Friday 06:00 to 19:00; Panamá 011 008000525465, Monday to Friday 05:00 to 18:00; Perú 0800 00968, Monday to Friday 06:00 to 1...

Page 269: ...il. D-Link provides free technical support for customers in Brazil during the warranty period of this product. Technical Support for customers in Brazil: Telephone, São Paulo 11 2185 9301, Monday to Friday from 8:30 to 18:30; other regions of Brazil 0800 70 24 104; e-mail suporte@dlinkbrasil.com.br ...

Page 270: ...ways to contact D-Link Taiwan technical support engineers. D-Link toll-free technical consultation line: 0800 002 615. Service hours: Monday to Friday, 9:00 am to 9:00 pm (excluding Saturdays, Sundays and national holidays). Website: http://www.dlink.com.tw. E-mail: dssqa_service@dlink.com.tw. If you are a user outside Taiwan, please refer to the contact information for D-Link's branch offices worldwide on the D-Link website to obtain support. Product warranty period and Taiwan repair center lookup: please refer to the following web page, http://www.dlink.com.tw. Product repair: users may send the product directly to any Synnex (聯強) company-run repair center in Taiwan, or contact the dealer from whom it was purchased ...

Page 271: ...user documentation can be obtained on the D-Link website. Technical Support for customers: D-Link technical support by telephone, Tel. +62 21 5731610; D-Link technical support via the Internet, e-mail support@dlink.co.id, website http://support.dlink.co.id ...

Page 272: ...Technical Support. Thank you very much for purchasing our product. If you complete user registration and new-product registration on our website below, you can download support information, firmware and user manuals from the download service. D-Link Japan website URL: http://www.dlink-jp.com ...

Page 273: ...cheng District, No. 36 North Third Ring Road East, Global Trade Center, Tower B, 26F, Rooms 02-05, postcode 100013. Technical support center telephone: 8008296688, 028 66052968; technical support center fax: 028 85176948. Repair center address: No. 36 North Third Ring Road East, Dongcheng District, Beijing, Global Trade Center, Tower B, 26F, Rooms 02-05, postcode 100013. Repair center telephone: 010 58257789; repair center fax: 010 58257790. Website: http://www.dlink.com.cn. Office hours: Monday to Friday, 09:00 to 18:00 ...
