manualshive.com logo in svg

D-Link xStack DGS-3427, Product Manual

The D-Link xStack DGS-3427 product manual is available for download free of charge from our website. This comprehensive manual provides users with detailed information on how to utilize all the features and functions of this advanced networking device. Don't forget to visit manualshive.com to access your copy today.

Share
Download
background image

xStack

®

 DGS-3400 Series Layer 2 Gigabit Ethernet Managed Sw itch 

393 

     

 

 

 

 

 

 

How ARP Spoofing Attacks a Network 

ARP spoofing, also known as ARP poisoning, is a method to attack an Ethernet network which may allow an attacker to sniff data 
frames on a LAN, modify the traffic, or stop the traffic altogether (known as a Denial of Service – DoS attack). The principle of 
ARP spoofing is to send the fake, or spoofed ARP messages to an Ethernet network. Generally, the aim is to associate the 
attacker's or random MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP 
address would be mistakenly re-directed to the node specified by the attacker.  

IP spoofing attack is caused by Gratuitous ARP that occurs when a host sends an ARP request to resolve its own IP address. 
Figure-4 shows a hacker within a LAN to initiate ARP spoofing attack.  

Figure 4 

 

In the Gratuitous ARP packet, the “Sender protocol address”  and  “Target protocol address”  are filled with the same source IP 
address  itself. The “Sender H/W Address”  and  “Target H/W address”  are filled with the same source MAC address itself. The 
destination MAC address is the Ethernet broadcast address (FF-FF-FF-FF-FF-FF). All nodes within the network will immediately 
update their own ARP table in accordance with the sender’s MAC and IP address. The format of Gratuitous ARP is shown in the 
following table

.  

Table 5 

 

Destination 

Address 

Source 

Address 

Ethernet 

Type 

H/W Type  Protocol 

Type 

H/W 

Address 

Length 

Protocol 

Address 

Length 

Operation 

Sender H/W 

Address 

Sender 

Protocol 

Address 

Target H/W 

Address 

Target 

Protocol 

Address 

(6-byte)  

(6-byte) 

(2-byte) 

(2-byte) 

(2-byte) 

(1-byte)  (1-byte) 

(2-byte) 

(6-byte) 

(4-byte) 

(6-byte) 

(4-byte) 

FF-FF-FF-FF-FF-FF 

00-20-5C-01-11-11  

0806 

 

 

 

 

ARP relay 

00-20-5C-01-11-11 

10.10.10.254  00-20-5C-01-11-11 

10.10.10.254 

Port1   00-20-5C-01-11-11 

Port2   00-20-5C-01-22-22 

 

Forwarding Table 

Ethernet Header 

Gratuitous ARP 

Summary of Contents for xStack DGS-3427

Page 1: ...xStack DGS 3400 Series Layer 2 Managed Gigabit Ethernet Switch i Web UI Reference Guide Product Model xStack DGS 3400 Series Layer 2 Managed Gigabit Ethernet Switch Release 2 7 ...

Page 2: ...sion of D Link Corporation is strictly forbidden Trademarks used in this text D Link and the D LINK logo are trademarks of D Link Corporation Microsoft and Windows are registered trademarks of Microsoft Corporation Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products D Link Corporation disclaims any proprietary...

Page 3: ... IPv6 Interface Settings 18 Stacking 21 Stacking Mode Settings 23 Force Master Role Settings 24 Box Information 24 Port Configuration 25 Port Configuration 25 Port Error Disabled 26 Port Description 27 Port Auto Negotiation Information 28 Port Details 29 Port Media Type 30 Cable Diagnostics 31 User Accounts 32 Password Encryption 33 Mirror 34 Port Mirror Global Settings 34 Port Mirror Settings 34 ...

Page 4: ...ver Manual Binding 75 DHCPv6 Server 76 DHCPv6 Server Global Settings 76 DHCPv6 Server Pool Settings 77 DHCPv6 Server Manual Binding Settings 78 DHCPv6 Server Dynamic Binding Settings 79 DHCPv6 Server Interface Settings 80 DHCPv6 Server Excluded Address Settings 81 Filter DHCP Server 82 Filter DHCP Server Global Settings 82 Filter DHCP Server Port Settings 83 Layer 2 Protocol Tunneling Settings 84 ...

Page 5: ...N 155 Subnet VLAN Settings 156 VLAN Precedence Settings 156 Trunking 158 Link Aggregation 159 LACP Port Settings 162 IGMP Snooping 164 IGMP Snooping Settings 164 Router Port Settings 166 IGMP Snooping Static Group Settings 168 ISM VLAN Settings 169 Limited IP Multicast Address Range Settings 172 MLD Snooping 174 MLD Snooping Settings 174 MLD Router Port Settings 177 Loop back Detection Global Sett...

Page 6: ...P MAC Port Binding 280 IMPB Global Settings 282 IMPB Port Settings 283 IMPB Entry Settings 285 DHCP Snoop Entries 286 MAC Block List 287 ND Snoop Entries 287 802 1X 288 802 1X Port Settings 293 Guest VLAN Settings 296 Authentication RADIUS Server Settings 297 802 1X User Settings 298 Initialize Port s 299 Reauthenticate Port s 300 Web based Access Control WAC 302 WAC Global Settings 303 WAC Port S...

Page 7: ...on 358 Port Utilization 359 Packets 360 Received RX 360 UMB Cast RX 362 Transmitted TX 364 Errors 366 Received RX 366 Transmitted TX 368 Packet Size 370 Browse Router Port 372 Browse MLD Router Port 373 VLAN Status 373 VLAN Status Port 374 Port Access Control 374 Authenticator State 374 Authenticator Statistics 375 Authenticator Session Statistics 375 Authenticator Diagnostics 376 RADIUS Authentic...

Page 8: ...tion Information 389 Current Configuration Settings 390 Appendix A 391 Mitigating ARP Spoofing Attacks Using Packet Content ACL 391 Appendix B 398 Switch Log Entries 398 Appendix C 409 Trap Logs 409 Glossary 414 ...

Page 9: ...r example use the copy command Boldface Typewriter Font Indicates commands and responses to prompts that must be typed exactly as printed in the manual Initial capital letter Indicates a window name Names of keys on the keyboard have initial capitals For example Click Enter Italics Indicates a window name or a field Also can indicate a variables or parameter that is replaced with an appropriate wo...

Page 10: ...ol The Web based management module and the Console program and Telnet are different ways to access the same internal switching software and configure it Thus all settings encountered in web based management are the same as those found in the console program Logging in to the Web Manager To begin managing the Switch simply run the browser installed on your computer and point it to the IP address yo...

Page 11: ...interface Three distinct areas divide the user interface as described in the table Figure 1 2 Main Web Manager window Area Function Area 1 Select the menu or window to display Open folders and click the hyperlinked menu buttons and subfolders contained within them to display menus Click the D Link logo to go to the D Link website Area 2 Presents a graphical near real time image of the front panel ...

Page 12: ...es 802 1p Settings Bandwidth Control HOL Prevention Settings and Schedule Settings ACL Contains the following menu pages and sub directories Time Range Access Profile Table ACL Flow Meter and CPU Interface Filtering Security Contains the following menu pages and sub directories Authorization Network State Settings Traffic Control Port Security IP MAC Port Binding 802 1X Web based Access Control WA...

Page 13: ... Settings MAC Notification Settings TFTP Services Multiple Image Services RCP Ping Test IPv6 Neighbor Route Redistribution Settings Static Default Route Settings Route Preference Settings Gratuitous ARP Settings Static ARP Settings DHCP Auto Configuration Settings DHCP BOOTP Relay DHCP BOOTP Local Relay Settings DHCPv6 Relay DHCP Server DHCPv6 Server Filter DHCP Server Layer 2 Protocol Tunneling S...

Page 14: ...ormation window shows the Switch s MAC Address assigned by the factory and unchangeable IP Address VLAN Name Subnet Mask Default Gateway Boot PROM Firmware Version Hardware Version and Serial Number This information is helpful to keep track of PROM and firmware updates and to obtain the Switch s MAC address for entry into another network device s address table if necessary The user may also enter ...

Page 15: ...ration is Enabled by default If you do not want to allow configuration of the system through Telnet choose Disabled Telnet TCP Port Number 1 65535 The TCP port number used for Telnet management of the Switch The well known TCP port for the Telnet protocol is 23 Web Status Web based management is Enabled by default If you choose to disable this by selecting Disabled you will lose the ability to con...

Page 16: ...ll briefly explain IPv6 its functionality and how IPv6 is implemented on this Switch Overview IP version 6 is the logical successor to IP version 4 It was known that IPv4 could not support the amount of addresses that would eventually be needed for not only each person but each device that would require an IP address and therefore a system with a larger pool of IP addresses was required IPv6 has a...

Page 17: ...et if they are necessary at all Authentication and Privacy Extension Support New authentication capabilities use extensions for data integrity and data confidentiality for IPv6 Flow Labeling This new capability allows packets to be streamlined into certain traffic flows if labeled by the sender In this way services such as real time services or non default quality of service can receive special at...

Page 18: ...s way router can process these packets more efficiently once the flow class has been identified and the rest of the packet header no longer needs to be fully processed just the flow label and the source address All flow label packets must have identical source and destination addresses Payload Length Known as the datagram length in IPv4 this 16 bit field specifies the length of the IPv6 data carri...

Page 19: ...eed the size of the Path MTU so the source node is required to split these packets into fragments in individual packets which will be rebuilt when it reaches its final destination Each of the packets that will be fragmented is given an Identification value by the source node It is essential that each of these Identification values is different than any other fragmented packet recently sent that in...

Page 20: ... to E000 3 global addresses are aggregated using these routing prefixes to produce unique IPv6 addresses which will limit global routing table entries The MAC address of the device is used to produce this address in this form Global Routing Prefix Site Level Aggregator MAC address first 3 bits FFFE MAC Address last 3 bits So if your MAC address looks like 00 0C 6E 6B EB 0C your IPv6 address may re...

Page 21: ...the reachability of routers as well as if changes occur within link layer addresses of nodes on the network or identical unicast addresses are present on the local link The functionality of the Neighbor Discovery feature is based on ICMPv6 packets Neighbor Solicitation and Router Advertisement messages circulating on the network When a node wishes to determine link layer addresses of other nodes o...

Page 22: ...ng multiple addresses to a single interface as well If multiple physical interfaces are considered as one interface on the Internet layer multiple unicast addresses may be allotted to multiple physical interfaces which would be beneficial for load sharing on these interfaces This is dependent on these unicast addresses having a scope smaller than the link local address if these unicast addresses a...

Page 23: ...t Mask 3 If accessing the Switch from a different subnet from the one it is installed on enter the IP address of the Default Gateway If managing the Switch from the subnet on which it is installed the user may leave the default address 0 0 0 0 in this field 4 If the Switch has no previously configured VLANs the user can use the default VLAN Name The default VLAN contains all of the Switch ports as...

Page 24: ...TCP IP in band via Web manager or Telnet Management stations that are on VLANs other than the one entered here will not be able to manage the Switch in band unless their IP addresses are entered in the Security IP Management window If VLANs have not yet been configured for the Switch the default VLAN contains all of the Switch s ports There are no entries in the Security IP Management table by def...

Page 25: ...on To change IP settings using the Web manager users must access the IP Address window Administration IP Address Open Administration folder and click Interface Settings to access two folders to set up IP interfaces on the Switch one for IPv4 addresses IPv4 Interface Settings and one for IPv6 addresses IPv6 Interface Settings IPv4 Interface Settings To view this window click Administration Interfac...

Page 26: ...his IP interface Subnet Mask This field allows the entry of a subnet mask to be applied to this IP interface VLAN Name This field displays the VLAN name directly associated with this interface Interface Admin State Use the pull down menu to enable or disable configuration on this interface Secondary Use the pull down menu to set the IP interface as True or False True will set the interface as seco...

Page 27: ... new IPv6 interface click the Add button which will display the following window Figure 2 7 IPv6 Interface Settings Add window To add an Interface enter an Interface Name in the field provided along with a corresponding VLAN Name set the Interface Admin State to Enabled and click Apply Newly created interfaces will appear in the IPv6 Interface Settings window To change the settings for a configure...

Page 28: ... Use this pull down menu to enable or disable the Automatic Link Local Address When enabled the switch will automatically create an IPv6 link local address for the switch Once the user enables this feature and clicks Apply an IPv6 address will be produced based on the MAC address of the switch and the new entry will appear in the following Link Local Address field Link local Address This field dis...

Page 29: ...onfigure a time between 0 and 4294967295 milliseconds On Link Flag Setting this field to Enabled will denote within the IPv6 packet that the IPv6 prefix configured here is assigned to this link local network Once traffic has been successfully sent to these nodes with this specific IPv6 prefix the nodes will be considered reachable on the link local network Autonomous Flag Setting this field to Ena...

Page 30: ...s then 3 seconds and no more than 75 3 4 of the MaxRtrAdvInterval The user may configure a time between 3 and 1350 seconds with a default setting of 198 seconds Click Apply to implement the changes Stacking From firmware release v2 00 of this Switch the xStack DGS 3400 series now supports switch stacking where a set of twelve switches can be combined to be managed by one IP address through Telnet ...

Page 31: ... its given Box ID and H Backup Master The Backup Master is the backup to the Primary Master and will take over the functions of the Primary Master if the Primary Master fails or is removed from the Stack It also monitors the status of neighboring switches in the stack will perform commands assigned to it by the Primary Master and will monitor the running status of the Primary Master The Backup Mas...

Page 32: ...k when it fails to receive heartbeat packets during its specified interval from a device or when one of the stacking ports links is down Once the device has been removed the remaining switches will update their stacking topology database to reflect the change Any one of the three roles Primary Master Backup Master or Slave may be removed from the stack yet different processes occur for each specif...

Page 33: ...Settings window Use the pull down menu choose Enabled and click Apply and the mater s priority become zero after the stacking has stabilized Information configured in this window is found in the Monitoring Stacking Information Box Information This window is used to configure stacking parameters associated with all switches in the xStack DGS 3400 Series The user may configure parameters such as box...

Page 34: ...nted until users physically save it using the Web GUI or the CLI Port Configuration Port Configuration Figure 2 14 Port Configuration window The following parameters can be configured Parameter Description Unit Select the unit to configure From To These two fields are use to select a port or range of ports To view this window click Administration Port Configuration Port Configuration as shown on t...

Page 35: ...ypes of gigabit connections 1000M Full_Master and 1000M Full_Slave Gigabit connections only support full duplex connections and take on certain characteristics that are different from the other choices listed The 1000M Full_Master and 1000M Full_Slave parameters refer to connections running a 1000BASE T cable for connection between the Switch port and other device capable of a gigabit connection T...

Page 36: ...led Connection This field will read the uplink status of the individual ports whether Enabled or Disabled Reason Describes the reason why the port has been error disabled such as a STP loopback occurrence Port Description Figure 2 16 Port Description window The following parameters can be configured The Switch supports a port description feature where the user may name various ports on the Switch ...

Page 37: ...ansport medium to be used whether Copper or Fiber Description Enter the description for the selected port s Click Apply to set the descriptions in the Port Description Table Port Auto Negotiation Information This window allows the user to view the current configurations of all the ports on the Switch Use the drop down menu to select which unit to view To view this window click Administration Port ...

Page 38: ...ion Table window Port Details This window is used to view detailed port information for individual ports on a particular unit Use the drop down menus to select the specific port of the unit you wish to view and click Find To view this window click Administration Port Configuration Port Details as shown below ...

Page 39: ...rt Details window Port Media Type This window is used to display the port media type available on each unit To view a particular switch in the stack use the drop down menu to select the unit To view this window click Administration Port Configuration Port Media Type as shown below ...

Page 40: ...iagnostics This window is used to control the cable diagnostics and determine where and what kind of errors have occurred on the cable This function is primarily used for administrators to view tests on copper cables To view this window click Administration Port Configuration Cable Diagnostics as shown below ...

Page 41: ...eges create new users and view existing User Accounts To view this window click Administration User Accounts as shown below Figure 2 21 User Accounts window To add a new user click the Add button and the window below displays Figure 2 22 User Accounts Add window To modify or delete an existing user click the Modify button for the corresponding user and the window below displays ...

Page 42: ...om the pull down menu Encrypt Password Enter the password for the type of encryption Click the Show All User Account Entries link to return to the User Accounts window Click Apply to implement the changes Click Delete in the User Account Modify Table window to remove the selected user account Password Encryption Password encryption allows the user to encrypt a password for additional security To v...

Page 43: ...his window click Administration Mirror Port Mirror Global Settings as shown below Figure 2 25 Port Mirror Global Settings window The following parameters can be configured Parameter Description Porting Mirror Global State Use the pull down menu to enable or disable the port mirror status Click Apply to implement the changes Port Mirror Settings The Switch supports up to four port mirror groups It ...

Page 44: ...dow Click View All to see all the entries Click to remove the corresponding entry To add a new mirror port click the Add button and the window below appears Figure 2 27 Port Mirroring Add window To modify an existing mirror port click the Modify button of the corresponding entry and the window below appears Figure 2 28 Port Mirroring Edit window The following parameters are displayed or can be con...

Page 45: ...note a target port and a source port cannot be the same port NOTE Except the master port of a trunking group target mirror ports cannot be members of a trunking group Attempting to do so will produce an error message and the configuration will not be set Mirroring within the Switch Stack Users may configure mirroring between switches in the switch stack but certain conditions and restrictions appl...

Page 46: ...dd window To modify an existing system log server click the Modify button of the corresponding entry and the window below appears Figure 2 31 Configure System Log Server Edit window The following parameters are displayed or can be configured Parameter Description Index 1 4 System log server settings index 1 4 Server IP The IPv4 address of the System log server Severity This drop down menu allows y...

Page 47: ...al7 UDP Port 514 or 6000 65535 Type the UDP port number used for sending Syslog messages The default is 514 Status Choose Enabled or Disabled to activate or deactivate To set the system log server configuration click Apply To return to the System Log Host window click the Show All System Log Servers link System Log Save Mode Settings This window may be used to choose a method for which to save the...

Page 48: ...ck the check box and enter the IPv4 address Click Apply to add the entry to the Syslog Source Interface Table Click to remove the corresponding entry System Severity Settings The Switch can be configured to allow alerts be logged or sent as a trap to an SNMP agent or both The level at which the alert triggers either a log entry or a trap message can be set as well Use this window to set the criter...

Page 49: ...events to the Switch s log or SNMP agent Select Notice to send notice warning error critical alert and emergency events to the Switch s log or SNMP agent Select Information to send information notice warning error critical alert and emergency events to the Switch s log or SNMP agent Select Debug to send debug information notice warning error critical alert and emergency events to the Switch s log ...

Page 50: ... of the primary server from which the SNTP information will be taken SNTP Secondary Server The IP address of the secondary server from which the SNTP information will be taken SNTP Poll Interval in Seconds 30 99999 The interval in seconds between requests for updated SNTP information Time Settings Set Current Time Year Enter the current year to update the system clock Month Enter the current month...

Page 51: ...nt of time that will constitute your local DST offset 30 60 90 or 120 minutes Time Zone Offset from GMT in HH MM Use these pull down menus to specify your local time zone s offset from Greenwich Mean Time GMT DST Repeating Settings Using repeating mode will enable DST seasonal time adjustment Repeating mode requires that the DST beginning and ending date be specified using a formula For example sp...

Page 52: ...l enable DST seasonal time adjustment Annual mode requires that the DST beginning and ending date be specified concisely For example specify to begin DST on April 3 and end DST on October 14 From Month Enter the month DST will start on each year From Day Enter the day of the month DST will start on each year From Time in HH MM Enter the time of day DST will start on each year To Month Enter the mo...

Page 53: ...stration MAC Notification Settings as shown on the right Global Settings The following parameters may be viewed and modified Parameter Description State Enable or disable MAC notification globally on the Switch Interval 1 2147483647 sec The time in seconds between notifications History size 1 500 The maximum number of entries listed in the history log used for notification Up to 500 entries can be...

Page 54: ...tack Log Enter the IP address of the TFTP server and the path and filename for the attack log on the TFTP server Unit Select the switch in the switch stack from which or to which to upload or download files Tick the ALL check box to denote all switches in the switch stack Image ID For firmware downloads select the Image ID of the firmware The Switch can hold two firmware images in its memory Image...

Page 55: ...ation Click Start to record the IP address of the TFTP server and to initiate the file transfer Multiple Image Services The Multiple Image Services folder allows users of the Switch to configure and view information regarding firmware located on the Switch The Switch allows two firmware images to be stored in its memory and either can be configured to be the boot up firmware for the Switch For inf...

Page 56: ...anagement interface SIM If the IP address has this letter attached to it it denotes a firmware upgrade through the Single IP Management feature User States the user who downloaded the firmware This field may read Anonymous or Unknown for users that are not identified Config Firmware Image The following window is used to configure firmware set in the Switch To view this window click Administration ...

Page 57: ...ystem should still be able to run an RCP client to copy firmware images configurations and logs between the switch and RCP server Figure 2 42 Remote Copy Protocol between an RCP server and an Ethernet Switch As illustrated in Figure 2 49 a user can a Upload a configuration file from the Switch to the RCP Server b Download a firmware file from the RCP Server to the Switch c Upload the Log file from...

Page 58: ...ess User Name and Both IP Address Enter the IP address of the global RCP server User Name Enter the remote user name Click Apply to implement the changes RCP Services This window is use to configure the services that provided by the RCP server To view this window click Administration RCP RCP Services as shown below Figure 2 44 RCP Server Settings window The following parameters can be configured P...

Page 59: ...tack Image ID Use the pull down menu to select the Image file ID Configuration ID Use the pull down menu to select the configuration file ID Filter This is used to filter the configuration data that relates to upload configuration Click Apply to implement the changes Ping Test Ping is a small program that sends ICMP Echo packets to the IP address you specify The destination node then responds to o...

Page 60: ...imeout Select a timeout period between 1 and 99 seconds for this Ping message to reach its destination Source IP Address Tick the check box and enter the source IP address of the ping packets Click Start to initiate the Ping program IPv6 Ping Test The following window is used to Ping an IPv6 address To view this window click Administration Ping Test IPv6 Ping Test as shown below Figure 2 46 IPv6 P...

Page 61: ... of routers as well as if changes occur within link layer addresses of nodes on the network or if identical unicast addresses are present on the local link The following two windows are used to view IPv6 neighbors and add or delete them from the Neighbor cache IPv6 Neighbor Settings The following window is used to view configure and delete current IPv6 neighbors of the Switch To view this window c...

Page 62: ...2 48 IPv6 Neighbor Settings Add window The following fields can be set or viewed Parameter Description Interface Name Enter the name of the Interface associated with this entry Neighbor IPv6 Address The IPv6 address of the neighbor entry Specify the address using the hexadecimal IPv6 Address IPv6 Address is hexadecimal number for example 1234 5D7F Link Layer MAC Address The MAC address of the IPv6...

Page 63: ... IPv4 static routes once a static route has been set the Switch will send an ARP request packet to the next hop router that has been set by the user Once an ARP response has been retrieved by the switch from that next hop the route becomes enabled If a response is not received from the next hop device after three ARP requests have been sent the configured static route will remain in a link down st...

Page 64: ...ary or Backup Status Displays whether the entry is Active or Inactive To remove an entry click the corresponding button To add a new entry click the Add button revealing the following window to configure Figure 2 51 Static Default Route Settings Add window The following fields can be set Parameter Description IP Address Allows the entry of an IP address that will be a static entry into the Switch ...

Page 65: ...Parameter Description IPv6 Address PrefixLen The IPv6 address and corresponding Prefix Length of the IPv6 static route entry Interface The IP Interface where the static IPv6 route is created Next Hop Address The corresponding IPv6 address for the next hop Gateway address in IPv6 format Metric 1 65535 The metric of the IPv6 interface entered into the table representing the number of routers between...

Page 66: ...ault Route fails the Backup Route will support the entry The Primary and Backup entries cannot have the same Gateway Click Apply to implement the changes To return to the IPv6 Static Default Route Settings window click the Show All IPv6 Static Default Route Entries link Route Preference Settings To view this window click Administration Route Preference Settings as shown below Figure 2 54 Route Pre...

Page 67: ...tatus up This is used to enable disable the sending of gratuitous ARP request packets while an IPIF interface comes up This is used to automatically announce the interface s IP address to other nodes By default the state is Disabled and only one ARP packet will be broadcast Send on Duplicate_IP_Detected This is used to enable disable the sending of gratuitous ARP request packets while a duplicate ...

Page 68: ...Entries link Static ARP Settings Address Resolution Protocol ARP is a TCP IP protocol that converts IP addresses into physical addresses This table allows network managers to view define modify and delete ARP information for specific devices Static entries can be defined in the ARP Table When static entries are defined a permanent entry is entered and is used to translate IP address to MAC address...

Page 69: ...a configuration file for use by a client see the DHCP server and or TFTP server software instructions The user may also consult the Upload screen description located in the Maintenance section of this manual If the Switch is unable to complete the DHCP auto configuration the previously saved configuration file present in the Switch s memory will be used To view this window click Administration DHC...

Page 70: ... per IPIF configured servers If the relay servers are determined based on option 60 then the IPIF configured servers will be ignored If the relay servers are not determined by option 60 then the IPIF configured servers will be used to determine the relay servers DHCP Client Identifier Option 61 State This function Enables or Disables the DHCP Client identifier option 61 state When option 61 State ...

Page 71: ...e it is invalid In packets received from DHCP servers the relay agent will drop invalid messages Disabled When the field is toggled to Disabled the relay agent will not check the validity of the packet s option 82 field DHCP Relay Agent Information Option 82 Policy This field can be toggled between Replace Drop and Keep by using the pull down menu It is used to set the Switches policy for handling...

Page 72: ...ormat 1 2 3 4 5 6 7 1 6 0 4 VLAN Module Port 1 byte 1 byte 1 byte 1 byte 2 bytes 1 byte 1 byte a Sub option type b Length c Circuit ID type d Length e VLAN the incoming VLAN ID of DHCP client packet f Module For a standalone switch the Module is always 0 For a stackable switch the Module is the Unit ID g Port The incoming port number of DHCP client packet port number starts from 1 Remote ID sub op...

Page 73: ...rameters can be configured or viewed Parameter Description Interface The IP interface on the Switch that will be connected directly to the client Server IP Enter the IP address of the DHCP BOOTP server Up to four server IPs can be configured per IP Interface Click Add to include this Server To remove an entry click the corresponding button DHCP Relay Option 60 Default Settings This window allows t...

Page 74: ... servers The system will relay the packet to all the matching servers To view this window click Administration DHCP BOOTP Relay DHCP Relay Option 60 Settings as shown below Figure 2 65 DHCP Relay Option 60 Table window To find a particular entry enter the correct IP Address or String and click Search Click the View All button to see all the entries in the table at the bottom half of the window To ...

Page 75: ...rs can be configured Parameter Description DHCP Relay Option 61 Default Use the pull down menu to choose either Relay or Drop When drop is specified the packet with no matching rules found will be dropped without further process When relay is selected the packet will be relayed based on the relay rules Enter the IP Address of the entry you wish to configure Click Apply to implement the changes DHC...

Page 76: ...ided Relay Rule Click the radio buttons to choose either Relay or Drop When drop is specified the packet with no matching rules found will be dropped without further process When relay is selected the packet will be relayed based on the relay rules Choose a method and enter the appropriate information into the box provided Click Apply to implement the changes DHCP BOOTP Local Relay Settings This w...

Page 77: ...ngs window The following fields can be configured Parameter Description Global State This field can be toggled between Enabled and Disabled using the pull down menu It is used to enable or disable the DHCPv6 Relay service on the Switch The default is Disabled Hops Count 1 32 This field allows an entry between 1 and 32 to define the maximum number of router hops DHCPv6 messages can be forwarded acr...

Page 78: ...rwarded across The default hop count is 4 State Use the pull down menu to enable or disable DHCPv6 relay on Click Apply to implement the changes To return to the DHCPv6 Relay Interface Settings window click the Show All DHCPv6 Relay Interface Entries link To see server addresses of an interface click the corresponding View button to see the following window Figure 2 74 DHCPv6 Relay Interface Setti...

Page 79: ... such as a DNS server or the IP address of the default route to another device on the network Users also have the ability to bind IP addresses within the DHCP pool to specific MAC addresses in order to keep consistent the IP addresses of devices that may be important to the upkeep of the network that require a static IP address The Switch supports 1024 DHCP pool entries along with eight pools DHCP...

Page 80: ...ck Administration DHCP Server DHCP Server Exclude Address Settings as shown below Figure 2 76 Create DHCP Excluded Address window The following parameters may be configured Parameter Description Begin Address Enter the starting IP address of the range of IP addresses to be excluded from the DHCP pool End Address Enter the final IP address of the range of IP addresses to be excluded from the DHCP p...

Page 81: ...l by entering a name of up to 12 alphanumeric characters into the Pool Name field and clicking Apply To remove an entry in the table click the corresponding button To configure the settings of a pool in the DHCP Server Pool Table click the corresponding Modify button to reveal the following window Figure 2 78 Config DHCP Pool window ...

Page 82: ...l grouping of networks The user may establish up to three Net BIOS Name Servers NetBIOS Node Type This field will allow users to set the type of node server for the previously configured Net BIOS Name server Using the pull down menu the user has four node type choices Broadcast Peer to Peer Mixed and Hybrid Default Router Enter the IP address of the default router for a DHCP Client Users must conf...

Page 83: ... window will allow users to view dynamically bound IP addresses of the DHCP server These IP addresses are ones that were allotted to clients on the local network and are now bound to the device stated by its MAC address To view this window click Administration DHCP Server DHCP Server Dynamic Binding as shown below Figure 2 80 DHCP Server Dynamic Binding Table window The following parameters may be...

Page 84: ...ll display in seconds the time remaining on the lease for this IP address To clear all entries click Clear All To see all the entries click the Show All DHCP Server Dynamic Binding Table Entries link DHCP Server Manual Binding The following windows will allow users to view and set manual DHCP entries Manual DHCP entries will bind an IP address with the MAC address of a client within a DHCP pool Th...

Page 85: ...rver In DHCPv6 server address pool function the user can configure a new address pool name and a range of available IPv6 addresses for address pool All IPv6 addresses in a DHCPv6 address pool are valid for assigning to the DHCPv6 clients The user also can use excluded address to reserve the IPv6 addresses that the user doesn t want to assign the IPv6 addresses to a client e g the IPv6 address of D...

Page 86: ... DHCPv6 Server DHCPv6 Server Pool Settings as shown below Figure 2 84 DHCPv6 Pool Table window To find the DHCPv6 server pool entries enter the Pool Name into the field and click Find Click View All to see all the entries To clear all Pool Name entries of this table click Clear All To create pool name click Add which will produce the following window to configure Figure 2 85 DHCPv6 Pool Table Add ...

Page 87: ...ient as default domain name DNS Server Enter the DNS server IPv6 address for this pool Users may specify up to two DNS server addresses Preferred Lifetime 60 4294967295 Enter the amount of time in seconds that the IPv6 address based on the specified pool remains in preferred state Valid Lifetime 60 4294967295 Enter the amount of time in seconds that the IPv6 address based on the specified pool rem...

Page 88: ... Parameter Description Pool Name Display the name of the DHCPv6 server pool IPv6 Address Enter the IPv6 address to be statically bound to a device Client DUID Enter the DUID of the device to be statically bound to the IPv6 address entered in the previous field The DUID format is 0 9 a f or A F Click Apply to implement the changes To remove any entry click the corresponding button To return to the ...

Page 89: ...Dynamic Biding Brief Table View window To return to the DHCPv6 Server Manual Binding Brief Table window click the Show DHCPv6 Server Dynamic Binding Brief Table link DHCPv6 Server Interface Settings This window displays the DHCPv6 server interface settings To view this window click Administration DHCPv6 Server DHCPv6 Server Interface Settings as shown below Figure 2 91 DHCPv6 Server Interface Tabl...

Page 90: ...dow click the Show DHCPv6 Server Interface Table link DHCPv6 Server Excluded Address Settings This window displays the DHCPv6 server excluded address information To view this window click Administration DHCPv6 Server DHCPv6 Server Excluded Address Settings as shown below Figure 2 93 DHCPv6 Server Excluded Address Brief Table window To find the DHCPv6 server excluded address entries enter the Pool ...

Page 91: ... response from a DHCP server on the locally attached network The DHCP server then replies to the client with its assigned IP address subnet mask DNS server and default gateway information This function allows DHCP server packets except those that have been IP client MAC bound to be filtered The DHCP Server Screening is used to configure the state of the function for filtering of DHCP server packet...

Page 92: ...HCP packets The same illegal DHCP server IP address that is detected will be logged only once regardless of how many illegal packets are sent The log can be suppressed by 1 minute 5 minutes or 30 minutes The default value is 5 minutes Click Apply to implement the changes Filter DHCP Server Port Settings This window is used to enable the settings for the Filter DHCP Server Port Settings To view thi...

Page 93: ...eck box to select all ports Click Apply to implement the changes Layer 2 Protocol Tunneling Settings The Layer 2 Protocol Tunneling L2PT supports traffic of multiple customers across service provider networks L2PT enables the BPDU s of the same customer s network to be multicast over specific VLANs in the service provider s network which in turn will ensure the same geographically dispersed custom...

Page 94: ... RSPAN will be mirrored toward the associated destination port There are three roles for switches in RSPAN Source switch The switch which has the monitored ports or VLANs on it is the source switch All packets on the source ports or VLANs are copied and sent to the destination switch When the mirrored packets are sent out from the source switch an RSPAN VLAN tag is added to every packet The incomi...

Page 95: ...re any modification or processing is performed by the switch A copy of each packet received by the source is sent to the destination port for that RSPAN session TX Source Ports The goal of TX source ports is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch Redirect Port RSPAN redirect function will work whe...

Page 96: ...ration Redirect Ports Action Add Add Redirect ports Delete Delete Redirect ports Redirect Port RSPAN redirect function will work when RSPAN is enabled and at least one RSPAN VLAN has been configured with redirect ports Click Apply to implement the changes To return to the RSPAN Settings window click the Show All RSPAN Table link To modify an existing entry of its source settings click the correspo...

Page 97: ...omain Names to Addresses Name to address translation is performed by a program called a Name server The client program is called a Name resolver A Name resolver may need to contact several Name servers to translate a name to an address The Domain Name System DNS servers are organized in a somewhat hierarchical fashion A single server often holds names for a single network which is connected to a r...

Page 98: ...er Allows the entry of the IP address of a primary domain name server DNS Secondary Name Server Allows the entry of the IP address of a secondary domain name server DNS DNSR Cache Status This can be toggled between Disabled and Enabled This determines if a DNS cache will be enabled on the Switch DNSR Static Table State This field can be toggled using the pull down menu between Disabled and Enabled...

Page 99: ...Name Server Timeout 1 60 Enter the maximum time waiting for a response from a specified name server The range is 1 to 60 seconds The default value is 3 Click Apply to implement changes made DNS Resolver Static Name Server Settings When adding a name server if one primary name server exists in the static name server table and a new primary name server is added the existing primary name server will ...

Page 100: ...namic name server table To view this window click Administration DNS Resolver DNS Resolver Dynamic Name Server Table as shown below Figure 2 107 DNS Resolver Dynamic Name Server Table window DNS Resolver Static Host Name Settings This window is used to create or delete a static host name entry of the Switch If the created host name entry exists in the dynamic host name table the existing dynamic h...

Page 101: ...host name IP Address Enter the host s IP address Click Apply to implement changes made DNS Resolver Dynamic Host Name Table This window is used to display or delete entries on the DNS Resolver Dynamic Host Name Table To view this window click Administration DNS Resolver DNS Resolver Dynamic Host Name Table as shown below Figure 2 110 DNS Resolver Dynamic Host Name Table window To remove an entry f...

Page 102: ...he Switch allows groups of users to be listed and configured with a shared set of privileges The SNMP version may also be set for a listed group of SNMP managers Thus you may create a group of SNMP managers that are allowed to view read only information or receive traps using SNMPv1 while assigning a higher level of security to another group granting read write privi leges using SNMPv3 Using SNMPv...

Page 103: ...to enable and disable trap settings for the SNMP function on the Switch To view this window for configuration click Administration SNMP Manager SNMP Trap Settings as shown below Figure 2 111 SNMP Trap Settings window To enable or disable the Traps State Authenticate Trap State and or Linkchange Trap State use the corresponding pull down menu to change and click Apply To enable or disable linkchang...

Page 104: ...ption User Name An alphanumeric string of up to 32 characters This is used to identify the SNMP users Group Name This name is used to specify the SNMP group created can request SNMP messages SNMP Version V3 Indicates that SNMP version 3 is in use Auth Protocol None Indicates that no authentication protocol is in use MD5 Indicates that the HMAC MD5 96 authentication level will be used SHA Indicates...

Page 105: ... level will be used This is only operable when V3 is selected in the SNMP Version field and the Encrypted check box has been ticked This field will require the user to enter a password SHA Specifies that the HMAC SHA authentication protocol will be used This is only operable when V3 is selected in the SNMP Version field and the Encrypted check box has been ticked This field will require the user t...

Page 106: ...which will reveal a new window Figure 2 116 SNMP View Table Configuration window The SNMP View created with this table maps SNMP users identified in the SNMP User Table to the views created in the previous window The following parameters can be configured Parameter Description View Name Type an alphanumeric string of up to 32 characters This is used to identify the new SNMP view being created Subt...

Page 107: ...vious menu To view this window click Administration SNMP Manager SNMP Group Table as shown below Figure 2 117 SNMP Group Table window To delete an existing SNMP Group Table entry click the corresponding under the Delete heading To display the current settings for an existing SNMP Group Table entry click the View button located under the Display heading which will show the following window Figure 2...

Page 108: ...hrough a combination of authentication and encrypting packets over the network Security Level The Security Level settings only apply to SNMPv3 NoAuthNoPriv Specifies that there will be no authorization and no encryption of packets sent between the Switch and a remote SNMP manager AuthNoPriv Specifies that authorization will be required but there will be no encryption of packets sent between the Sw...

Page 109: ...entify the group of MIB objects that a remote SNMP manager is allowed to access on the Switch The view name must exist in the SNMP View Table Access Right Read Only Specifies that SNMP community members using the community string created can only read the contents of the MIBs on the Switch Read Write Specifies that SNMP community members using the community string created can read from and write t...

Page 110: ...e used with a NoAuth NoPriv security level V3 Auth NoPriv To specify that the SNMP version 3 will be used with an Auth NoPriv security level V3 Auth Priv To specify that the SNMP version 3 will be used with an Auth Priv security level Community String SNMP V3 User Name Type in the community string or SNMP V3 user name as appropriate Click Apply to implement the changes To return to the SNMP Host T...

Page 111: ...NMP Host Table Entries link SNMP Engine ID The Engine ID is a unique identifier used for SNMP V3 implementations This is an alphanumeric string used to identify the SNMP engine on the Switch To view this window click Administration SNMP Manager SNMP Engine ID as shown below Figure 2 124 SNMP Engine ID window To change the Engine ID enter the new Engine ID in the space provided and click the Apply ...

Page 112: ...rt power consumption exceeds the per port power limit Active circuit protection automatically disables the port if there is a short Other ports will remain active Based on 802 3af at PDs receive power according to the following classification Class Maximum power available to PD 0 12 95W 1 3 84W 2 6 49W 3 12 95W To configure the PoE features on the DGS 3426P click Administration PoE The PoE System ...

Page 113: ...The PoE controller uses either Deny next port or Deny low priority port to offset the power limit being exceeded and keep the Switch s power at a usable level Use the drop down menu to select a Disconnect Method The default for the Power Disconnect Method is Deny next port Both Power Disconnection Methods are described below Deny next port After the power limit has been exceeded the next port atte...

Page 114: ...e switch stack for which to configure the PoE settings Users should note that not all switches in the xStack DGS 3400 series support PoE yet when they are configured in a stack the Primary Master switch will display the PoE settings to be configured for the stack whether or not the Switch is a PoE supported device However only PoE supported switches have the PoE capability in the switch stack From...

Page 115: ...ower to ports Power Limit This function is used to configure the per port power limit If a port exceeds its power limit it will shut down Based on 802 3af 802 3at there are different PD classes and power consumption ranges Class 0 0 44 12 95W Class 1 0 44 3 84W Class 2 3 84 6 49W Class 3 6 49 12 95W The following is the power limit applied to the port for these four classes For each class the powe...

Page 116: ...alyzer device must have an sFlow utility running on it to retrieve and analyze the data it receives from the sFlow agent The Switch itself will collect three types of packet data 1 It will take sample packets from the normal running traffic of the Switch based on a sampling interval configured by the user 2 The Switch will take a poll of the IF counters located on the switch 3 The Switch will also...

Page 117: ...ys the sFlow IPv4 address sFlow IPv6 Address This displays the sFlow IPv6 address Click Apply to implement the changes sFlow Analyzer Settings The following windows are used to configure the parameters for the remote sFlow Analyzer collector that will be used to gather and analyze sFlow Datagrams that originate from the Switch Users must have the proper sFlow software set on the Analyzer in order ...

Page 118: ...yzer Server This IP address is where sFlow datagrams will be sent for analysis Collector Port Displays the previously configured UDP port where sFlow datagrams will be sent for analysis Max Datagram Size This field displays the maximum number of data bytes in a single sFlow datagram that will be sent to this sFlow Analyzer Server Modify Click the Modify button to display the sFlow Counter Analyzer...

Page 119: ...efault setting of 400 seconds Infinite can be selected to ensure that it never times out Collector IPv4 Address Click the radio button and enter the IPv4 address of the sFlow Analyzer Server If this field is not specified the entry will become 0 0 0 0 and therefore the entry will be inactive Users must set this field Collector IPv6 Address Click the radio button and enter the IPv6 address of the s...

Page 120: ...RX TX Rate Displays the current rate op packet sampling being performed by the Switch for this port based on a multiple of 256 For example if a figure of 20 is in this field the switch will sample one out of every 5120 packets 20 x 256 5120 that pass through the individual port Max Header Size Displays the number of leading bytes of the sampled packet header This sampled header will be encapsulate...

Page 121: ...port Users may enter a value between 1 and 65535 An entry of 0 disables the packet sampling Since this is the default setting users are reminded to configure a rate here otherwise this function will not function TX Rate 0 65535 Enter the sampling rate of packet TX sampling here The configured rate value multiplied by 256 to get the percentage of packets sampled Max Header Size 18 256 This field wi...

Page 122: ...g Interval sec The Polling Interval displayed here is measured in seconds and will take a poll of the IF counters for the corresponding port every time the interval reaches 0 seconds To remove an entry click the corresponding button Click the Clear All button to delete all entries To add a new sFlow Counter Poller setting click the Add button which will display the following window to be configure...

Page 123: ...g Interval here The switch will take a poll of the IF counters every time this interval reaches 0 and this information will be included in the sFlow datagrams that will be sent to the sFlow Analyzer for examination Ticking the Disabled check box will disable the counter polling for this entry Click Apply to implement the changes IP Multicast VLAN Replication The following windows allow the user to...

Page 124: ...es IP Multicast VLAN Replication Settings This window allows the user to create an IP Multicast VLAN replication entry An IP Multicast VLAN Replication entry defines what traffic will be replicated and how the packet will be replicated To view this window click Administration IP Multicast VLAN Replication IP Multicast VLAN Replication Settings as shown below Figure 2 140 IP Multicast VLAN Replicat...

Page 125: ...n be entered Source IP Address A source IP Address can be specified Click Apply to implement the changes To return to the IP Multicast VLAN Replication Settings window click the Show All IP Multicast VLAN Replication Entries link The following table is used to set the Destination settings to view this window click the corresponding View button in the IP Multicast VLAN Replication Entries table as ...

Page 126: ... Replication entry will be displayed VID VLAN Name Select VID and enter an outgoing VLAN ID Select VLAN Name and enter an outgoing VLAN Name Port List e g 1 6 9 Enter the outgoing list of ports to be included in the destination settings Action Use the drop down menu to Add or Delete the destination Click Apply to implement the changes To return to the IP Multicast VLAN Replication Settings window ...

Page 127: ... 1 32 not including the Commander Switch numbered 0 There is no limit to the number of SIM groups in the same IP subnet broadcast domain however a single switch can only belong to one group If multiple VLANs are configured the SIM group will only utilize the Management VLAN on any switch SIM allows intermediate devices that do not support SIM This enables the user to manage switches that are more ...

Page 128: ...mprovements have been made including 1 The Commander Switch CS now has the capability to automatically rediscover member switches that have left the SIM group either through a reboot or web malfunction This feature is accomplished through the use of Discover packets and Maintenance packets that previously set SIM members will emit after a reboot Once a MS has had its MAC address and password saved...

Page 129: ...witches within the Single IP Group To have similar configurations on switches within the Single IP Group users can upload identical configuration files to the Single IP Group using the Configuration File Backup Restore window located under the Single IP heading on the switch and described later in this section Once this file is entered and uploaded to switches within the group most configurations ...

Page 130: ...Ex MS CaS The user may set the Discovery Interval from 30 to 90 seconds Hold Time This parameter may be set for the time in seconds the Switch will hold information sent to it from other switches utilizing the Discovery Interval The user may set the hold time from 100 to 255 seconds Click Apply to implement the settings changed After enabling the Switch to be a Commander Switch CS the Single IP Ma...

Page 131: ...sical port on the CS that the MS or CaS is connected to The CS will have no entry in this field Speed Displays the connection speed between the CS and the MS or CaS Remote Port Displays the number of the physical port on the MS or CaS to which the CS is connected The CS will have no entry in this field MAC Address Displays the MAC Address of the corresponding Switch Model Name Displays the full Mo...

Page 132: ...oup connect to other groups and devices Possible icons in this screen are as follows Icon Description Group Layer 2 commander switch Layer 3 commander switch Commander switch of other group Layer 2 member switch Layer 3 member switch Member switch of other group Layer 2 candidate switch Layer 3 candidate switch Unknown device Non SIM devices ...

Page 133: ...ation Setting the mouse cursor over a specific device in the topology window tool tip will display the same information about a specific device as the Tree view does See the window below for an example Figure 2 147 Device Information Utilizing the Tool Tip Setting the mouse cursor over a line between two devices will display the connection speed between the two devices as shown below ...

Page 134: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 125 Figure 2 148 Port Speed Utilizing the Tool Tip ...

Page 135: ...Description Device Name This field will display the Device Name of the switches in the SIM group configured by the user If no Device Name is configured by the name it will be given the name default and tagged with the last six digits of the MAC Address to identify it Module Name Displays the full module name of the switch that was right clicked MAC Address Displays the MAC Address of the correspon...

Page 136: ...he group information Member Switch Icon Figure 2 152 Right clicking a Member icon The following options may appear for the user to configure Collapse to collapse the group that will be represented by a single icon Expand to expand the SIM group in detail Remove from group remove a member from a group Configure launch the web management to configure the Switch Property to pop up a window to display...

Page 137: ...onfigurations as seen below Figure 2 155 Menu Bar of the Topology View The five menus on the menu bar are as follows File Print Setup will view the image to be printed Print Topology will print the topology map Preference will set display properties such as polling interval and the views to open at SIM startup Group Add to group add a candidate to a group Clicking this option will reveal the follo...

Page 138: ...s where the firmware resides and enter the Path Filename of the firmware Click Download to initiate the file transfer Figure 2 158 Firmware Upgrade window Configuration Backup Restore This window is used to upgrade configuration files from the Commander Switch to the Member Switch Member Switches will be listed in the table and will be specified by Port port on the CS where the MS resides MAC Addr...

Page 139: ...ability A router will not replace a route with a newly learned one if the new route has the same hop count sometimes referred to as cost So learned routes are retained until a new route with a lower hop count is learned When learned routes are entered into the routing table a timer is started This timer is restarted every time this route is advertised If the route is not advertised for a period of...

Page 140: ...Distance to Destination Network fields RIP 1 Route Interpretation RIP was designed to be used with classed address schemes and does not include an explicit subnet mask An extension to version 1 does allow routers to exchange subnetted addresses but only if the subnet mask used by the network is the same as the subnet mask used by the address This means the RIP version 1 cannot be used to propagate...

Page 141: ...erface on the Switch This window appears in table form listing settings for IP interfaces currently on the Switch To configure RIP settings for an individual interface click on the hyperlinked Interface Name To view this window click Administration RIP RIP RIP Interface Settings as shown below Figure 2 162 RIP Interface Settings window Click the hyperlinked name of the interface to configure the s...

Page 142: ...on the switch Interface Metric A read only field that denotes the Metric value of the current IP Interface setting Click Apply to implement the changes To return to the RIP Interface Settings window click the Show All RIP Interface Entries link RIPng The Switch supports Routing Information Protocol next generation RIPng RIPng is a routing protocol that exchanges routing information used to compute...

Page 143: ...ace Settings window To modify an entry click the corresponding Modify button to see the window as shown below Figure 2 166 RIPng Interface Settings Edit window The following settings can be configured Parameter Description Interface Name The name of the interface for the RIPng configuration State Enable or disable the RIPng state on the specific IP interface If the state is Disabled then RIPng pac...

Page 144: ...his IPv6 tunneling mechanism is one of D Link s strategies for solving the transition from IPv4 to IPv6 To configure the settings click Administration IP Tunnel Settings as shown below Figure 2 167 IPng Tunnel Settings window To remove an entry click the corresponding button To Add a new name of the interface click Add to see the window as shown below Figure 2 168 IPng Tunnel Settings Add window E...

Page 145: ...rement is that each site has a globally unique IPv4 address which is used to construct a 48 bit globally unique 6to4 IPv6 prefix It starts with the prefix 2002 16 ISATAP is used to configure an existing IPv6 tunnel as an IPv6 ISATAP tunnel on the Switch If this tunnel has previously been configured in another mode the tunnel s information will still exist in the database However whether the tunnel...

Page 146: ... a particular subnet although not necessarily VLANs can enhance performance by conserving bandwidth and improve security by limiting traffic to specific domains A VLAN is a collection of end nodes grouped by logic instead of physical location End nodes that frequently communicate with each other are assigned to the same VLAN regardless of where they are physically on the network Logically a VLAN c...

Page 147: ...an also provide a level of security to your network IEEE 802 1Q VLANs will only deliver packets between stations that are members of the VLAN Any port can be configured as either tagging or untagging The untagging feature of IEEE 802 1Q VLANs allows VLANs to work with legacy switches that don t recognize VLAN tags in packet headers The tagging feature allows VLANs to span multiple 802 1Q compliant...

Page 148: ... 802 1p tag The tag is contained in the following two octets and consists of 3 bits of user priority 1 bit of Canonical Format Identifier CFI used for encapsulating Token Ring packets so they can be carried across Ethernet backbones and 12 bits of VLAN ID VID The 3 bits of user priority are used by 802 1p The VID is the VLAN identifier and is used by the 802 1Q standard Because the VID is 12 bits ...

Page 149: ...Ns port based and MAC based VLANs were in common use These VLANs relied upon a Port VLAN ID PVID to forward packets A packet received on a given port would be assigned that port s PVID and then be forwarded to the port that corresponded to the packet s destination address found in the Switch s forwarding table If the PVID of the port that received the packet is different from the PVID of the port ...

Page 150: ...m an 802 1Q compliant network device to a non compliant network device Ingress Filtering A port on a switch where packets are flowing into the Switch and VLAN decisions must be made is referred to as an ingress port If ingress filtering is enabled for a port the Switch will examine the VLAN information in the packet header if present and decide whether or not to forward the packet If the packet is...

Page 151: ...s how VLANs segment networks The key point being that Port 1 will only transmit on VLAN 2 VLAN and Trunk Groups The members of a trunk group have the same VLAN setting Any VLAN setting on the members of a trunk group will apply to the other member ports NOTE In order to use VLAN segmentation in conjunction with port trunk groups first set the port trunk group s and then configure the VLAN settings...

Page 152: ...o assign a unique name and number to the new VLAN See the table below for a description of the parameters in the new window Figure 3 5 Current Static VLAN Entries Add window Click Apply to implement the changes To return to the Current Static VLAN Entries window click the Show All Static VLAN Entries link To change an existing 802 1Q VLAN entry click the Modify button of the corresponding entry in...

Page 153: ...e existing VLAN Port Settings Allows an individual port to be specified as member of a VLAN Tag Specifies the port as either 802 1Q tagging or 802 1Q untagged Checking the box will designate the port as Tagged None Allows an individual port to be specified as a non VLAN member Egress Select this to specify the port as a static member of the VLAN Egress member ports are ports that will be transmitt...

Page 154: ...ters can be configured Parameter Description VLAN Trunk Status Use the pull down menu to enable or disable VLAN trunk global status State Use the pull down menu to enable or disable VLAN trunk port state Member Ports Enter the ports for VLAN trunk Tick the All Ports check box to select all ports Click Apply to implement the changes ...

Page 155: ...mit_All which mean both tagged and untagged frames will be accepted Admit_All is enabled by default PVID The read only field in the 802 1Q Port Table shows the current PVID assignment for each port which may be manually assigned to a VLAN when created in the 802 1Q Port Settings table The Switch s default is to assign all ports to the default VLAN with a VID of 1 The PVID is used by the port to ta...

Page 156: ...therefore greatly expanding the VLAN network and enabling greater support of customers utilizing multiple VLANs on the network Double VLANs are basically VLAN tags placed within existing IEEE 802 1Q VLANs which we will call SPVIDs Service Provider VLAN IDs These VLANs are marked by a TPID Tagged Protocol ID configured in hex form to be encapsulated within the VLAN tag of the packet This identifies...

Page 157: ...l ports must be configured as Access Ports or Uplink ports Access ports can only be Ethernet ports while Uplink ports must be Gigabit ports 3 Provider Edge switches must allow frames of at least 1522 bytes or more due to the addition of the SPVID tag 4 Access Ports must be an un tagged port of the service provider VLANs Uplink Ports must be a tagged port of the service provider VLANs 5 The switch ...

Page 158: ...12 Double VLAN State Settings window Parameters shown in the previous window are explained below Parameter Description Double VLAN State Use the pull down menu to enable or disable the Double VLAN function on this Switch Enabling the Double VLAN will return all previous VLAN configurations to the factory default settings and remove Static VLAN configurations from the GUI SPVID The VLAN ID number o...

Page 159: ...ess ports are for connecting Switch VLANs to customer VLANs Unknown Ports These are the ports that are a part of the VLAN but have yet to be defined as Access or Uplink ports To return to the Double VLAN State Settings window click the Show Double VLAN Entries link To create a Double VLAN click the Add button revealing the following window for the user to configure Figure 3 14 Double VLAN State Se...

Page 160: ...r to choose the type of port being utilized by the Service Provider VLAN The user may choose Access Access ports are for connecting Switch VLANs to customer VLANs Uplink Uplink ports are for connecting Switch VLANs to the Provider VLANs on a remote source Port List Use the From and To fields to set a list of ports to be placed in or removed from the Service Provider VLAN The port list is specified...

Page 161: ...ess to be reauthenticated by entering it into the MAC Address field VLAN Name Enter the VLAN name of a previously configured VLAN Click Find Add or Delete All for changes to take effect To see all MAC based VLAN entries click the Show All MAC based VLAN Table link Protocol VLAN Protocol VLAN groups can be created on the Switch The purpose of these Protocol VLAN groups is to identify ingress untagg...

Page 162: ...a protocol group which is identified by an ID number Once the group has been created and configured then users must add it to a port or set of ports using the Protocol VLAN Port Settings window and configure the appropriate VLAN and priority tags for these untagged packets When these actions are completed and saved to the switch then the ingress and untagged packets can be appropriately dealt with...

Page 163: ...ol group to employ the Sub Network Access Protocol SNAP frame type For this frame type the protocol is identified by the 16 bit 2 octet IEEE802 3 type field in the packet header which is to be stated using the following Protocol Value IEEE802 3 LLC Choose this parameter if you wish this protocol group to employ the Link Logical Control LLC frame type For this frame type the protocol is identified ...

Page 164: ...e bottom half of the window will display correctly configured ports to Protocol Group configurations along with associated VLANs and priorities Users may use the Port List Search in the middle of the window to display configurations based on ports on the switch Clicking the Show All Protocol VLAN Port Table Entries link will display all Protocol VLAN Port Table entries Subnet VLAN Subnet VLAN is u...

Page 165: ... L2 Features VLAN Subnet VLAN Subnet VLAN Settings as shown below Figure 3 21 Subnet VLAN Settings window The following fields may be configured Parameter Description Action Use the pull down menu to add delete or find the subnet VLAN VLAN Use the pull down menu to select VLAN name or VID to enter in the field next to it Network Address Use the pull down menu to select IPv4 or IPv6 address to ente...

Page 166: ... may be configured Parameter Description Unit Select the switch in the switch stack to be modified From To These two fields allow the range of ports that will be included in the VLAN precedence VLAN Precedence Use the pull down menu to select the VLAN precedence as MAC based VLAN or Subnet VLAN Click Apply to implement the changes ...

Page 167: ...Trunk Groups Port trunk groups are used to combine a number of ports together to make a single high bandwidth data pipeline DGS 3400 Series supports up to 32 port trunk groups with 2 to 8 ports in each group A potential bit rate of 8000 Mbps can be achieved Figure 3 23 Example of Port Trunk Group ...

Page 168: ...urations must be identical Port locking port mirroring and 802 1X must not be enabled on the trunk group Further the LACP aggregated links must all be of the same speed and should be configured as full duplex The Master Port of the group is to be configured by the user and all configuration options including the VLAN configuration that can be applied to the Master Port are applied to the entire li...

Page 169: ...GS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 160 Figure 3 25 Link Aggregation Group Entries Add window To edit a port trunk group click the corresponding Modify button to see the window shown as below ...

Page 170: ...between Enabled and Disabled This is used to turn a port trunking group on or off This is useful for diagnostics to quickly isolate a bandwidth intensive network device or to have an absolute backup aggregation group that is not under automatic control Master Port Choose the Master Port for the trunk group using the pull down menu Unit Select the switch in the switch stack to be modified Member Po...

Page 171: ...gregation please refer back to the DGS 3400 Web Management Tool and select the Link Aggregation Algorithm located on that web page The description for this function may be found in the explanation for the Device Information window located earlier in this manual LACP Port Settings The LACP Port Settings window is used in conjunction with the Link Aggregation window to create port trunking groups on...

Page 172: ...arameter Description Unit Select the switch in the switch stack to be modified From To A consecutive group of ports may be configured starting with the selected port Mode Active Active LACP ports are capable of processing and sending LACP control frames This allows LACP compliant devices to negotiate the aggregated link so the group may be changed ...

Page 173: ...messages passing through the Switch In order to use IGMP Snooping it must first be enabled for the entire Switch see the Device Information window that opens when clicking the Web Management Tool at the top of the Web Manager menu in the left pane Users may then fine tune the settings for each VLAN using the IGMP Snooping Settings folder under L2 Features When enabled for IGMP snooping the Switch ...

Page 174: ...gs for Query Interval 1 65535 The Query Interval field is used to set the time in seconds between transmitting IGMP queries Entries between 1 and 65535 seconds are allowed Default 125 Max Response Time 1 25 This determines the maximum amount of time in seconds allowed before sending an IGMP response report The Max Response Time field allows an entry between 1 and 25 seconds Default 10 Robustness V...

Page 175: ...witch sends the first IGMP report from all hosts for a group to all the multicast routers The Switch does not send the remaining IGMP reports for the group to the multicast routers If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports the Switch forwards only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers If the multicast rout...

Page 176: ... To view this window click L2 Features IGMP Snooping Router Port Settings as shown below Figure 3 30 Router Port Settings window This window displays all of the current entries to the Switch s static router port table To modify an entry click the Modify button This will open the Router Port window as shown below Figure 3 31 Router Port Settings Edit window The following parameters can be set Param...

Page 177: ... to the router Port Settings window IGMP Snooping Static Group Settings This table is used to configure the current IGMP snooping static group information on the Switch To view this window click L2 Features IGMP Snooping IGMP Snooping Static Group Settings as shown below Figure 3 32 IGMP Snooping Static Group Settings window The following parameters can be configured Parameter Description VID The ...

Page 178: ...ping static group information Port List The ports that will belong to this group Action Specifies to Add or Delete the IGMP Static group entry Click Apply to implement the changes To return to the IGMP Snooping Static Group Settings window click the Show All IGMP Snooping Static Group Entries link ISM VLAN Settings In a switching environment multiple VLANs may exist Every time a multicast query pa...

Page 179: ...ch means that VLAN IDs VIDs and VLAN Names of 802 1q VLANs and ISM VLANs cannot be the same Once a VID or VLAN Name is chosen for any VLAN it cannot be used for any other VLAN 4 The normal display of configured VLANs will not display configured Multicast VLANs 5 Once an ISM VLAN is enabled the corresponding IGMP snooping state of this VLAN will also be enabled Users cannot disable the IGMP feature...

Page 180: ...ields Parameter Description VLAN Name Enter the name of the new Multicast VLAN to be created This name can be up to 32 characters in length This field will display the pre created name of a Multicast VLAN in the Modify window VID 2 4094 Add or edit the corresponding VLAN ID of the Multicast VLAN Users may enter a value between 2 and 4094 State Use the pull down menu to enable or disable the select...

Page 181: ...ist Settings Enter an existing VLAN Name and range and click Add To remove all entries click the Remove All button To return to the IGMP Snooping Multicast VLAN Table window click the Show IGMP Snooping Multicast VLAN Entries link Limited IP Multicast Address Range Settings This window allows the user to specify which multicast address es reports are to be received on specified ports on the Switch...

Page 182: ...ation Enter the multicast IP range of addresses Access Toggle the Access field to either Permit or Deny to limit or grant access to a specified range of Multicast addresses on a particular port or range of ports State Toggle the State field to either Enabled or Disabled for a given port or group of ports where access is to be either permitted or denied Click Apply to implement the new settings on ...

Page 183: ...CMPv6 packet header this message is sent by the router to ask if any link is requesting multicast data There are two types of MLD query messages emitted by the router The General Query is used to advertise all multicast addresses that are ready to send multicast data to all listening ports and the Multicast Specific query which advertises a specific multicast address that is also ready These two t...

Page 184: ...he window as shown below Figure 3 41 MLD Snooping Settings Edit window The following parameters may be viewed or modified Parameter Description VID This is the VLAN ID that along with the VLAN Name identifies the VLAN for which to modify the MLD Snooping Settings VLAN Name This is the VLAN Name that along with the VLAN ID identifies the VLAN for which to modify the MLD Snooping Settings Query Inte...

Page 185: ... Disabled Querier Router Behavior This read only field describes the current querier state of the Switch whether Querier which will send out Multicast Listener Query Messages to links or Non Querier which will not send out Multicast Listener Query Messages State Used to enable or disable MLD snooping for the specified VLAN This field is Disabled by default Fast Done This parameter allows the user ...

Page 186: ...ed by the port that port will be removed from being a router port To view this window click L2 Features MLD Snooping MLD Router Port Settings as shown below Figure 3 42 MLD Router Port Settings window To configure the router ports settings for a specified VLAN click its corresponding Modify button which will produce the following window for the user to configure Figure 3 43 MLD Router Port Setting...

Page 187: ...ng connected to a multicast enabled router This command will ensure that all packets with this router as its destination will reach the multicast enabled router Forbidden Click this option to designate a port or range of ports as being forbidden from being connected to multicast enabled routers This ensures that these configured forbidden ports will not send out routing packets Click Apply to impl...

Page 188: ...rectly connected to it This process is accomplished by the use of a Configuration Testing Protocol CTP packet that is generated by the switch Users may set the dispatching time interval of the CTP packet and once a CTP packet has returned to the port from where it originated the loop back detection function will disable this port until the anomaly has ceased and the loop back occurrence will be no...

Page 189: ...ort will have to wait before being recovered from a loop back detection shutdown The user may set a time between 60 and 1000000 seconds with a default setting of 60 seconds The user may also enter a time of 0 which means that the port can only be recovered manually by the user This is done by going to the Port Settings window Administration Port Configuration and manually enabling these ports Mode...

Page 190: ...g the MSTP on a network will have a single MSTP configuration that will have the following three attributes 1 A configuration name defined by an alphanumeric string of up to 32 characters defined in the MST Configuration Identification window in the Configuration Name field 2 A configuration revision number named here as a Revision Level and found in the MST Configuration Identification window and...

Page 191: ...rning Learning Learning No Yes Forwarding Forwarding Forwarding Yes Yes Table 3 3 Comparing Port States RSTP is capable of a more rapid transition to a forwarding state it no longer relies on timer configurations RSTP compliant bridges are sensitive to feedback from other RSTP compliant bridge links Ports do not need to wait for the topology to stabilize before transitioning to a forwarding state ...

Page 192: ...port level the settings are implemented on a per user defined group of ports basis STP Bridge Global Settings This window is used to configure the STP Bridge Global Settings on the Switch To view this window click L2 Features Spanning Tree STP Bridge Global Settings as shown below Figure 3 45 STP Bridge Global Settings window RSTP default Figure 3 46 STP Bridge Global Settings window MSTP ...

Page 193: ...e can be set from 1 to 10 seconds If the inputted Hello Time is more than 2 the Hello Time is also 2 This is the interval between two transmissions of BPDU packets sent by the Root Bridge to tell all other switches that it is indeed the Root Bridge This field will only appear here when STP or RSTP is selected for the STP Version For MSTP the Hello Time must be set on a port per port basis See the ...

Page 194: ...ll temporarily block STP switch wide when a BPDU packet has looped back If the Switch detects its own BPDU packet coming back it signifies a loop on the network STP is automatically blocked and an alert is sent to the administrator The default is Enabled LBD Recover Time Time allowed in seconds for recovery when an STP Loopback is detected After the timer has expired the Switch checks for an STP l...

Page 195: ...List This field displays the VLAN IDs associated with the specific MSTI Click to remove the entry Click the Add button will reveal the following window to configure Figure 3 49 MST Configuration Identification Add window Configure the following parameters to create a MSTI in the Switch Parameter Description MSTI ID Enter a number between 1 and 15 to set a new MSTI on the Switch Type Create is sele...

Page 196: ...n window To configure the parameters for a previously set MSTI click its hyperlinked MSTI ID number which will reveal the following window for configuration Figure 3 51 MST Configuration Identification Edit window The user may configure the following parameters for a MSTI on the Switch Parameter Description MSTI ID Displays the MSTI ID previously set by the user Type This field allows the user to ...

Page 197: ...tings for a particular MSTI Instance click its hyperlinked MSTI ID which will reveal the following window Figure 3 53 MSTP Port Information Edit window The user may configure the following parameters Parameter Description Instance ID Displays the MSTI ID of the instance being configured An entry of 0 in this field denotes the CIST default MSTI Internal Cost 0 Auto This parameter is set to represen...

Page 198: ...ck DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 189 Click Apply to implement the changes Click the Show MSTP Port Information Table Port 1 of Unit 1 to return to the MSTP Port Information window ...

Page 199: ...uration set on the Switch Instance Status Displays the current status of the corresponding MSTI ID Instance Priority Displays the priority of the corresponding MSTI ID The lowest priority will be the root bridge Click the Modify button to change the priority of the MSTI This will open the Instance ID Settings window to configure Figure 3 55 STP Instance Settings Edit window Parameter Description M...

Page 200: ...a root port concept A root port is a port of the group that is elected based on port priority and port cost to be the connection to the network for the group Redundant links will be blocked just as redundant links are blocked on the switch level The STP on the switch level blocks redundant links between switches and similar network devices The port level STP will block redundant links within an ST...

Page 201: ... from RSTP A p2p value of False indicates that the port cannot have p2p status Auto allows the port to have p2p status whenever possible and operate as if the p2p status were true If the port cannot maintain this status for example if the port is forced to half duplex operation the p2p status changes to operate as if the p2p value were false The default setting for this parameter is true State Thi...

Page 202: ...a unicast MAC address Click Add to implement the changes made To delete an entry in the Static Unicast Forwarding Table click the corresponding under the Delete heading Multicast Forwarding The following window describes how to set up Multicast Forwarding on the Switch To view this window click L2 Features Forwarding Filtering Multicast Forwarding as shown below Figure 3 58 Static Multicast Forwar...

Page 203: ...g dynamically or that can join the multicast group dynamically using GMRP The options are None No restrictions on the port dynamically joining the multicast group When None is chosen the port will not be a member of the Static Multicast Group Egress The port is a static member of the multicast group Click Apply to implement the changes made Click the Show All Multicast Forwarding Entries link to r...

Page 204: ...t the Switch to filter any multicast packets whose destination is an unregistered multicast group residing within the range of ports specified above but it will forward the multicast reserved address Click Apply to implement the changes LLDP The Link Layer Discovery Protocol LLDP allows stations attached to an IEEE 802 LAN to advertise to other stations attached to the same IEEE 802 LAN The major ...

Page 205: ...ll flood the LLDP packet to all ports that have the same port VLAN and will advertise to other stations attached to the same IEEE 802 LAN Message TX Interval 5 32768 This interval controls how often active ports retransmit advertisements to their neighbors To change the packet transmission interval enter a value in seconds 5 to 32768 Message TX Hold Multiplier 2 10 This function calculates the Tim...

Page 206: ...MP trap receiver s when an LLDP change is detected in an advertisement received on the port from an LLDP neighbor To set the LLDP Notification Interval enter a value in seconds 5 to 3600 Click Apply to implement the changes Basic LLDP Port Settings This window is used to display the LLDP port settings on the Switch The ports can be individually configured to send notifications to configured SNMP t...

Page 207: ...e local LLDP agent can only receive LLDP frames TX_and_RX The local LLDP agent can both transmit and receive LLDP frames Disabled The local LLDP agent can neither transmit nor receive LLDP frames The default value is TX_and_RX Port Description Used to enable or disable the port description on the Switch System Name Used to enable or disable the system name on the Switch System Description Used to ...

Page 208: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 199 Figure 3 63 802 1 Extension LLDP Port Settings window ...

Page 209: ...mitted on the port The default state is Disabled Protocol Identify Use the drop down menu to enable or disable the advertise Protocol Identity Select the protocol you wish to use EAPOL LACP GVRP STP or All This TLV optional data type indicates whether the corresponding Local System s Protocol Identity instance will be transmitted on the port The Protocol Identity TLV provides a way for stations to...

Page 210: ...HY Configuration Status This function indicates that the LLDP agent should transmit MAC PHY configuration status TLV It is possible for two ends of an IEEE 802 3 link to be configured with different duplex and or speed settings and still establish some limited network connectivity More precisely the information includes whether the port supports the auto negotiation function if the function is ena...

Page 211: ...s that LLDP agents should transmit Link Aggregation TLV This indicates the current link aggregation status of IEEE 802 3 MACs More precisely the information should include whether the port is capable of doing link aggregation whether the port is aggregated in an aggregated link and what is the aggregated port ID The default state is Disabled Maximum Frame Size The Maximum Frame Size indicates that...

Page 212: ...lect a range of ports to be configured Address Type Use the drop down menu to select either the IPv4 or IPv6 Address IPv4 IPv6 is a management IP so the IP information will be sent with the frame when the mgt_addr config is enabled Address Enter the management ip address or the ip address of the entity you wish to advertise to Port State Used to Enable or Disable the Port State for the LLDP Manage...

Page 213: ... neighbor detection activity LLDP Statistics and the settings for individual ports on the Switch Use the drop down menu to check a specific unit the information will be displayed in the lower half of the table To view this window click L2 Features LLDP LLDP Statistics as shown below Figure 3 66 LLDP Statistics System window ...

Page 214: ... following parameters can be set or displayed Parameter Description Address Type Use the drop down menu to toggle between IPV4 Address and IPV6 Address Address Enter the LLDP management address in this field Click Find to display the entry LLDP Local Port Table LLDP Local Port Table window displays the information on a per port basis currently available for populating outbound LLDP advertisements ...

Page 215: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 206 Figure 3 68 LLDP Local Port Brief Table window ...

Page 216: ... cl Figure 3 69 LLDP Local Port Table View Normal window To return to the previous window click the Show LLDP Local Port Brief Table link To view details of individual parameters click the hyperlinked see detailed or Show LLDP Local Port Detailed Table which will reveal the following window You may also click the View button under Detailed heading in the LLDP Local Port Brief Table window ...

Page 217: ...w LLDP Local Port Brief Table link To view the LLDP Local Port Normal Table window click the Show LLDP Local Port Normal Table link LLDP Remote Port Table This window displays port information learned from the neighbor The Switch receives packets from a remote station but is able to store the information as local To view this window click L2 Features LLDP LLDP Remote Port Table as shown below ...

Page 218: ...able View Normal window To return to the LLDP Local Remote Port Brief window click the Show LLDP Remote Port Brief Table link To view the LLDP Remote Port Detailed Table window click the Show LLDP Remote Port Detailed Table link or select a port and click View Detailed in the LLDP Remote Port Brief Table window which will display the following window Figure 3 73 LLDP Remote Port Table View Detaile...

Page 219: ...ider network may have VLAN ranges that overlap which might cause traffic to become mixed up So assigning a unique range of VLAN IDs to each customer might cause restrictions on some of their configurations requiring intense processing of VLAN mapping tables which may exceed the VLAN mapping limit Q in Q uses a single service provider VLAN SP VLAN for customers who have multiple VLANs Customer s VL...

Page 220: ...t a network to network interface specifies that communication between two specified networks will occur Missdrop Enable or Disable C VLAN based on SP VLAN assignment miss drop When enabled the tagged packet will be dropped if the VLAN translation look up misses When disabled the packet will not be dropped if the VLAN translation loop up misses and the packet will be added to an outer VLAN based on...

Page 221: ...U T G 8032 Ethernet Ring Protection Switching ERPS to provide a reliable mechanism of malfunction recovery in an Ethernet ring topology network ERPS Global Settings This window is used to enable global ERPS function on the Switch When both the global state and the specified ring ERPS state are enabled the specified ring will be activated The global ERPS function cannot be enabled when any ERPS rin...

Page 222: ...ERPS RAPS VLAN Settings as shown below Figure 3 77 ERPS RAPS VLAN Table window The following fields can be set Parameter Description R APS VID 1 4094 The R APS VLAN is the dedicated VLAN for transferring R APS message Enter the R APS VLAN ID between 1 and 4094 To search for specific VID enter the VLAN ID in the R APS VID 1 4094 field and click Find To see all the entries click View All To add a ne...

Page 223: ...rameters cannot be changed when the ring is activated The default ring state is Disabled West Click to specify the port as the west ring port To specify as a Virtual Channel tick the check and toggle from Port to Virtual Channel West Port If Port is set above enter the port to be configured East Click to specify the port as the east ring port To specify as a Virtual Channel tick the check and togg...

Page 224: ...timer is used during the protection switching process after the link failure recovers When the link node detects the recovery of the link it will report the link failure recovery event R APS PDU with NR flag and start the guard timer Before the guard timer expires all received R APS messages are ignored by this ring node except in the case where a burst of three R APS event messages that indicates...

Page 225: ...his is used to configure the state of topology change propagation for the sub ring This setting is applied on the interconnection node Click Apply to implement changes made DULD Settings The Switch features a D Link Unidirectional Link Detection DULD module The unidirectional link detection provides a mechanism that can be used to detect unidirectional link for Ethernet switches whose PHYs do not ...

Page 226: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 217 Figure 3 81 DULD Settings window The following fields can be set Parameter Description Unit Select the unit you wish to configure ...

Page 227: ...g application where multiple servers can share the same IP address and MAC address The requests from clients will be forwarded to all servers but will only be processed by one of them The server can work in two different modes unicast mode and multicast mode In unicast mode the client uses a unicast MAC address as the destination MAC to reach the server In multicast mode the client uses a multicas...

Page 228: ...Multicast FDB Entries To edit an entry click the corresponding Modify button in the NLB Multicast FDB Table window to see the window shown below Figure 3 84 NLB Multicast FDB Settings Edit window The following fields can be configured or viewed Parameter Description VLAN Name Display the VLAN of the NLB multicast FDB entry VID 1 4094 Display the VLAN ID of the NLB multicast FDB entry MAC Address D...

Page 229: ...hat allows network administrators a method of reserving bandwidth for important functions that require a large bandwidth or have a high priority such as VoIP voice over Internet Protocol web browsing applications file server applications or video conferencing Not only can a larger bandwidth be created but other less critical traffic can be limited so excessive bandwidth can be saved The Switch has...

Page 230: ...ackets being sent out utilizing the Access Profile commands Then on the receiving end the administrator instructs the Switch to examine packets for this tag acquires the tagged packets and maps them to a class queue on the Switch Then in turn the administrator will set a priority for this queue so that will be emptied before any other packet is forwarded This results in the end user receiving all ...

Page 231: ...he assigned weight For a configuration of 8 CoS queues A H with their respective weight value 8 1 When each queue has 10 outbound packets they are sent in the following sequence A1 B1 C1 D1 E1 F1 G1 H1 A2 B2 C2 D2 E2 F2 G2 A3 B3 C3 D3 E3 F3 A4 B4 C4 D4 E4 A5 B5 C5 D5 A6 B6 C6 A7 B7 A8 A9 B8 C7 D6 E5 F4 G3 H2 A10 B9 C8 D7 E6 F5 G4 B10 C9 D8 E7 F6 C10 D9 E8 D10 E9 F7 G5 H3 E10 F8 G6 F9 F10 G7 H4 G8 ...

Page 232: ... are given values from 0 to 7 with 0 being assigned to the lowest priority data and 7 assigned to the highest The highest priority tag 7 is generally only used for data associated with video or audio applications which are sensitive to even slight delays or for data from specified end users whose data transmissions warrant special consideration The Switch allows you to further tailor how priority ...

Page 233: ...ty To view this window click QoS 802 1p Settings 802 1p Default Priority Settings as shown below Figure 4 2 802 1p Default Priority window The following parameters can be configured Parameter Description Unit Use the pull down menu to choose the switch unit from the switch stack From To Enter a port range by using the pull down menus in the From and To fields Priority The priority tags are numbere...

Page 234: ... window click QoS 802 1p Settings 802 1p User Priority Settings as shown below Figure 4 3 802 1p User Priority window The following parameters can be configured Parameter Description Unit Use the pull down menu to choose the switch unit from the switch stack From To Enter a port range by using the pull down menus in the From and To fields Priority The priority tags are numbered from 0 the lowest p...

Page 235: ...ntrol The Bandwidth Control section includes Bandwidth Control Settings and Per Queue Bandwidth Control Settings Bandwidth Control is to limit a port s bandwidth The RX and TX rate can be configured separately Bandwidth Control Settings The bandwidth control settings are used to place a ceiling on the transmitting and receiving data rates for any selected port To view this window click QoS Bandwid...

Page 236: ...own menu allows a selection between RX receive TX transmit and Both This setting will determine whether the bandwidth ceiling is applied to receiving transmitting or both receiving and transmitting packets No Limit This drop down menu allows the user to specify that the selected port will have no bandwidth limit Enabled disables the limit Rate 64 10000000 This field allows the input of the data ra...

Page 237: ...nsmitted data rate Click Apply to set the bandwidth control for the selected ports Results of configured Bandwidth Settings will be displayed in the Bandwidth Control Table Per Queue Bandwidth Control Settings This window sets the bandwidth control for each specific queue on specified ports To view this window click QoS Bandwidth Control Per Queue Bandwidth Control Settings as shown below ...

Page 238: ... ports may be configured starting with the selected port Queue Use the pull down menu to select the priority queue from 0 to 6 Min Rate 64 10000000 Enter a value between 64 and 10000000 Kbit sec or tick the No Limit check box to specify the minimum rate of packets to be received Max Rate 64 10000000 Enter a value between 64 and 10000000 Kbit sec or tick the No Limit check box to specify the maximu...

Page 239: ...heduling Settings QoS can be customized by changing the output scheduling used for the hardware classes of service in the Switch As with any changes to QoS implementation careful consideration should be given to how network traffic in lower priority classes of service is affected Changes in scheduling may result in unacceptable levels of packet loss or significant transmission delay If choosing to...

Page 240: ...ure From To A consecutive group of ports may be configured starting with the selected port Class ID Select the class ID from Class 0 through Class 6 Max Packet 0 15 Specifies the maximum number of packets the above specified hardware priority class of service will be allowed to transmit before allowing the next lowest priority queue to transmit its packets A value between 0 and 15 can be specified...

Page 241: ...g packets until it is empty Once a priority class of service with a 0 in its Max Packet field is empty the remaining priority classes of service will reset the WRR cycle of forwarding packets starting with the highest available priority class of service Priority classes of service with an equal level of priority and equal entries in their Max Packet field will empty their fields based on hardware ...

Page 242: ... Managed Switch 233 Figure 4 8 QoS Scheduling Mechanism window The following parameters can be configured Parameter Description Unit Select the unit to configure From To A consecutive group of ports may be configured starting with the selected port ...

Page 243: ...ing modes Strict The highest class of service is the first to process traffic That is the highest class of service will finish before other queues empty Weight Fair Use the weighted round robin WRR algorithm to handle packets in an even distribution in priority classes of service Click Apply to allow changes to take effect ...

Page 244: ...s shown below Figure 5 1 Time Range Settings window The user may adjust the following parameters to configure a time range on the Switch Parameter Description Range Name Enter a name of no more than 32 alphanumeric characters that will be used to identify this time range on the Switch This range name will be used in the Access Profile Table window to identify the access profile and associated rule...

Page 245: ... the criteria the Switch will use to determine what to do with the frame The entire process is described below in two parts To view this window click ACL Access Profile Table as shown below Figure 5 2 Access Profile Table window To add an entry to the Access Profile Table window click the Add Profile button This will open the Access Profile Configuration window as shown below There are four Access...

Page 246: ...is option instructs the Switch to examine the VLAN identifier of each packet header and use this as the full or partial criterion for forwarding Source MAC Source MAC Mask Enter a MAC address mask for the source MAC address Destination MAC Destination MAC Mask Enter a MAC address mask for the destination MAC address 802 1p Selecting this option instructs the Switch to examine the 802 1p priority v...

Page 247: ...ress in each frame s header Select Packet Content to instruct the Switch to examine the packet header VLAN Selecting this option instructs the Switch to examine the VLAN part of each packet header and use this as the or part of the criterion for forwarding Source IP Mask Enter an IP address mask for the source IP address Destination IP Mask Enter an IP address mask for the destination IP address D...

Page 248: ...re parts of a packet that determine what to do with the packet The user may filter packets by filtering certain flag bits within the packets by checking the boxes corresponding to the flag bits of the TCP field The user may choose between urg urgent ack acknowledgement psh push rst reset syn synchronize fin finish Select UDP to use the UDP port number contained in an incoming packet as the forward...

Page 249: ... or Precedence bits field in IPv4 Flow Label Checking this field will instruct the Switch to examine the flow label field of the IPv6 header This flow label field is used by a source to label sequences of packets such as non default quality of service or real time service packets Source IPv6 Mask The user may specify an IP address mask for the source IPv6 address by checking the corresponding box ...

Page 250: ...the destination port in hex form hex 0x0 0xffff Click Apply to implement the changes To view the settings for a created profile click its corresponding View button in the Access Profile Table window revealing the following window Figure 5 8 Access Profile Entry Display IPv6 The window shown below is the Access Profile Configuration window for Packet Content Mask Figure 5 9 Access Profile Configura...

Page 251: ...ivided up into four chunks where each chunk represents 4 bytes Values within the packet header chunk to be identified are to be marked in hexadecimal form in the mask field The following table will help you identify the bytes in the respective chunks chunk0 chunk1 chunk2 chunk29 chunk30 b126 b2 b6 b114 b118 b122 chunk31 b127 b3 b7 b115 b119 b123 b0 b4 b8 b116 b120 b124 b1 b5 b9 b117 b121 b125 Chec...

Page 252: ...Figure 5 12 Access Rule Configuration window Ethernet The following parameters can be configured Parameter Description Profile ID This is the identifier number for this profile set Mode Select Permit to specify that the packets that match the access profile are forwarded by the Switch according to any additional rule added see below Select Deny to specify that packets that match the access profile...

Page 253: ...ile will apply only to packets with this 802 1p priority value Ethernet Type Specifies that the access profile will apply only to packets with this hexadecimal 802 1Q Ethernet type value hex 0x0 0xffff in the packet header The Ethernet type value may be set in the form hex 0x0 0xffff which means the user may choose any combination of letters and numbers ranging from a f and from 0 9 Port The Acces...

Page 254: ...w the following window Figure 5 13 Access Rule Display window Ethernet To configure the Access Rule for IP open the Access Profile Table window and click Modify for an IP entry This will open the following window Figure 5 14 Access Rule Table window IP To create a new rule set for an access profile click the Add Rule button A new window is displayed To remove a previously created rule click the co...

Page 255: ...fier number for this access This value can be set from 1 to 128 Auto Assign Checking this field will instruct the Switch to automatically assign an Access ID for the rule being created Type Specifies the type of profile that is being created Priority 0 7 This parameter is specified if you want to re write the 802 1p default priority previously set in the Switch which is used to determine the CoS q...

Page 256: ...field of this window If not the user will be presented with an error message and the access rule will not be configured The port list is specified by listing the lowest switch number and the beginning port number on that switch separated by a colon Then the highest switch number and the highest port number of the range also separated by a colon are specified The beginning and end of the port list ...

Page 257: ...ule Display window IP To configure the Access Rule for IPv6 open the Access Profile Table window and click Modify for an IPv6 entry This will open the following window Figure 5 17 Access Rule Table IPv6 Click Add Rule to open the next window to configure the IPv6 entry for an access rule ...

Page 258: ...file that is being created Priority 0 7 This parameter is specified to re write the 802 1p default priority previously set in the Switch which is used to determine the CoS queue to which packets are forwarded to Once this field is specified packets accepted by the Switch that match this priority are forwarded to the CoS queue specified previously by the user replace priority Click the correspondin...

Page 259: ...Then the highest switch number and the highest port number of the range also separated by a colon are specified The beginning and end of the port list range are separated by a dash For example 1 3 specifies switch number 1 port 3 2 4 specifies switch number 2 port 4 1 3 2 4 specifies all of the ports between switch 1 port 3 and switch 2 port 4 in numerical order Entering all will denote all ports ...

Page 260: ...e 5 19 Access Rule Display window IPv6 The following window is the Access Rule table for Packet Content Figure 5 20 Access Rule Table window Packet Content Mask To remove a previously created rule select it and click the button To add a new Access Rule click the Add button ...

Page 261: ... any additional rule added see below Select Deny to specify that packets that match the access profile are not forwarded by the Switch and will be filtered Select Mirror to specify that packets that match the access profile are mirrored to a port defined in the Port Mirroring window Port Mirroring must be enabled and a target port must be set Access ID 1 128 Type in a unique identifier number for ...

Page 262: ... the end of the fourth chunk Port The Access Rule may be configured on a per port basis by entering the port number of the switch in the switch stack into this field When a range of ports is to be configured the Auto Assign check box MUST be ticked in the Access ID field of this window If not the user will be presented with an error message and the access rule will not be configured The beginning ...

Page 263: ...d to accept the biggest IP packet that is expected in the IP flow PIR Peak Information Rate This rate is measured in bytes of IP packets IP packet bytes are measured by taking the size of the IP header but not the link specific headers If the packet flow exceeds the PIR that packet flow is marked red The PIR must be configured to be equal or more than that of the CIR PBS Peak Burst Size Measured i...

Page 264: ...d Users may choose to either Permit or Drop exceeded packets Users may also choose to change the DSCP field of the packets Users may also choose to count exceeded packets by clicking the Counter check box If the counter is enabled the counter setting in the access profile will be disabled Users may only enable two counters for one flow meter at any given time To view this window click ACL ACL Flow...

Page 265: ... between 0 and 156249 IP flow rates at or below this level will be considered green IP flow rates that exceed this rate but not the PIR rate are considered yellow PIR The Peak information Rate IP flow rates that exceed this setting will be considered as red This field must be set at an equal or higher value than the CIR CBS The Committed Burst Size Used to gauge packets that are larger than the no...

Page 266: ...ction when a packet flow has been marked as a color based on the following fields Conform This field denotes the green packet flow Green packet flows may have their DSCP field rewritten to a value stated in this field Users may also choose to count green packets by ticking the Counter check box Exceed This field denotes the yellow packet flow Yellow packet flows may have excess packets permitted t...

Page 267: ...ltering mechanism to be enabled or disabled globally permitting the user to create various lists of rules without immediately enabling them Creating an access profile for the CPU is divided into two basic parts The first is to specify which part or parts of a frame the Switch will examine such as the MAC source address or the IP destination address The second part is entering the criteria the Swit...

Page 268: ...tent Mask and one for IPv6 You can switch between the four Access Profile Configuration windows by using the Type drop down menu The window shown below is the Ethernet CPU Interface Filtering Configuration window Figure 5 28 CPU Interface Filtering Configuration window Ethernet Parameter Description Profile ID 1 5 Type in a unique identifier number for this profile set This value can be set from 1...

Page 269: ...on MAC Mask Enter a MAC address mask for the destination MAC address Ethernet type Selecting this option instructs the Switch to examine the Ethernet type value in each frame s header Click Apply to set this entry in the Switch s memory To view the settings of a previously correctly created profile click View in the CPU Interface Filtering Table window to view the following window Figure 5 29 CPU ...

Page 270: ...der Select IPv6 to instruct the Switch to examine the IPv6 address in each frame s header VLAN Selecting this option instructs the Switch to examine the VLAN part of each packet header and use this as the or part of the criterion for forwarding Source IP Mask Enter an IP address mask for the source IP address Destination IP Mask Enter an IP address mask for the destination IP address DSCP Selectin...

Page 271: ...set syn synchronize fin finish src port mask Specify a TCP port mask for the source port in hex form hex 0x0 0xffff which you wish to filter dst port mask Specify a TCP port mask for the destination port in hex form hex 0x0 0xffff which you wish to filter Select UDP to use the UDP port number contained in an incoming packet as the forwarding criterion Selecting UDP requires that you specify a sour...

Page 272: ...address in each frame s header Class Checking this field will instruct the Switch to examine the class field of the IPv6 header This class field is a part of the packet header that is similar to the Type of Service ToS or Precedence bits field in IPv4 Flow Label Checking this field will instruct the Switch to examine the flow label field of the IPv6 header This flow label field is used by a source...

Page 273: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 264 Figure 5 33 CPU Interface Filtering Entry Display window IPv6 The window shown below is the Packet Content Mask configuration window ...

Page 274: ... Ethernet MAC Address IP address IPv6 address or packet content mask This will change the menu according to the requirements for the type of profile Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header Select IP to instruct the Switch to examine the IP address in each frame s header Select Packet Content Mask to specify a mask to hide the content of the packet h...

Page 275: ...Apply to implement changes made To view the settings of a previously correctly created profile click View in the CPU Interface Filtering Table window to view the following window Figure 5 35 CPU Interface Filtering Display window Packet Content To establish the rule for a previously created CPU Access Profile Figure 5 36 CPU Interface Filtering Table window In this window the user may add a rule t...

Page 276: ...tifier number for this profile set Mode Select Permit to specify that the packets that match the access profile are forwarded by the Switch according to any additional rule added see below Select Deny to specify that packets that match the access profile are not forwarded by the Switch and will be filtered Access ID Type in a unique identifier number for this access and priority This value can be ...

Page 277: ...onfigured in the Time Range Settings window This will set specific times when this access rule will be implemented on the Switch Click Apply to implement the changes To view the settings of a previously correctly configured rule click View in the CPU Interface Filtering Rule Table window to view the following window Figure 5 39 CPU Interface Filtering Rule Display window Ethernet The following win...

Page 278: ...of a name for a previously configured VLAN Source IP Source IP Address Enter an IP Address mask for the source IP address Destination IP Destination IP Address Enter an IP Address mask for the destination IP address DSCP 0 63 This field allows the user to enter a DSCP value in the space provided which will instruct the Switch to examine the DiffServ Code part of each packet header and use this as ...

Page 279: ...window is the CPU Interface Filtering Rule Table for IPv6 Figure 5 43 CPU Interface Filtering Rule Table window IPv6 To create a new rule set for an access profile click the Add Rule button A new window is displayed To remove a previously created rule click the corresponding button The following window is used for the IP Rule configuration ...

Page 280: ...ket header that is similar to the Type of Service ToS or Precedence bits field of IPv4 Flow Label Configuring this field in hex form will instruct the Switch to examine the flow label field of the IPv6 header This flow label field is used by a source to label sequences of packets such as non default quality of service or real time service packets Source IPv6 Address The user may specify an IP addr...

Page 281: ... Ethernet Managed Switch 272 Figure 5 45 CPU Interface Filtering Rule Display window IPv6 The following window is the CPU Interface Filtering Rule Table for Packet Content Figure 5 46 CPU Interface Filtering Rule Table window Packet Content ...

Page 282: ... Gigabit Ethernet Managed Switch 273 To remove a previously created rule select it and click the button To add a new Access Rule click the Add Rule button Figure 5 47 CPU Interface Filtering Rule Configuration window Packet Content ...

Page 283: ...n hex form to mask the packet from the beginning of the packet to the 15th byte value 16 31 Enter a value in hex form to mask the packet from byte 16 to byte 31 value 32 47 Enter a value in hex form to mask the packet from byte 32 to byte 47 value 48 63 Enter a value in hex form to mask the packet from byte 48 to byte 63 value 64 79 Enter a value in hex form to mask the packet from byte 64 to byte...

Page 284: ... Access Control MAC Safeguard Engine Traffic Segmentation Secure Socket Layer SSL Secure Shell SSH Compound Authentication Japanese Web based Access Control JWAC Authorization Attributes State Settings This window is used to Enable or Disable the Authorization Network State Settings To view this window click Security Authorization Attributes State Settings as shown below Figure 6 1 Authorization A...

Page 285: ... the type of action taken by the Traffic Control function in handling a Traffic Storm is one of the following None Will not send Storm trap warning messages regardless of action taken by the Traffic Control mechanism On a computer network packets such as Multicast packets and Broadcast packets continually flood the network as normal procedure At times this traffic may increase do to a malicious en...

Page 286: ...ffic to the port except STP BPDU packets which are essential in keeping the Spanning Tree operational on the Switch If the Countdown timer has expired and yet the Packet Storm continues the port will be placed in Shutdown Forever mode and is no longer operational until the user manually resets the port using the Storm Control Recover setting at the top of this window Choosing this option obligates...

Page 287: ...cription Unit Choose the Switch ID number of the Switch in the switch stack to be modified A given port s or a range of ports dynamic MAC address learning can be locked such that the current source MAC addresses entered into the MAC address forwarding table can not be changed once the port lock is enabled The port can be locked by using the Admin State pull down menu to Enabled and clicking Apply ...

Page 288: ...ecurity entries learned by the Switch and entered into the forwarding database This function is only operable if the Mode in the Port Security window is selected as Permanent or DeleteOnReset or in other words only addresses that are statically learned by the Switch can be deleted Once the entry has been defined by entering the correct information into the window above click the under the Delete h...

Page 289: ...uditing issue it also poses potential risk to the entire network Figure 6 5 Common IP Management IP Security Issues ARP spoofing attacks in which malicious users intercept traffic or interrupt connections by manipulating ARP packets are another serious challenge in securing today s network Further information on how ARP spoofing attacks work can be found in the Appendix Mitigating ARP Spoofing Att...

Page 290: ...rwise the DHCP server packets will be dropped DHCP snooping is generally considered to be more secure because it enforces all clients to acquire IP through the DHCP server Additionally it makes IP Information auditable because clients cannot manually configure their own IP address An example of DHCP snooping in which PC A and PC B get their IP addresses from a DHCP server is depicted below The swi...

Page 291: ...bal also cannot access the network To avoid this case do not write block FDB Not write blocking FDB can also avoid netcut attacks and recover attacks Figure 6 8 IPv4 and IPv6 Sharing When enabling Strict mode the Switch will stop writing dropped FDB entries on these ports If the Switch detects legal packets the Switch will need to create the FDB forwarding entries ACL mode always run under strict ...

Page 292: ... set on the Switch DHCP Snoop IPv4 Use the pull down menu to enable or disable the DHCP snooping state IPv4 for IP MAC port binding DHCP Snoop IPv6 Use the pull down menu to enable or disable the DHCP snooping state IPv6 for IP MAC port binding ND Snoop Use the pull down menu to enable or disable the ND snooping state for IP MAC port binding Click Apply to implement the settings made IMPB Port Set...

Page 293: ...e list If the IP MAC pair matches the white list entry the packets from that MAC address are unblocked If not the MAC address will stay blocked While the Strict state uses more CPU resources from checking every incoming ARP and IP packet it enforces better security and is thus the recommended setting Enabled Loose This mode provides a looser way of control If the user selects loose mode the Switch...

Page 294: ...is mode Stop Learning Threshold 0 500 Whenever a MAC address is blocked by the Switch it will be recorded in the Switch s L2 Forwarding Database FDB and associated with a particular port To prevent the Switch FDB from overloading in case of an ARP DoS attack the administrator can configure the threshold when a port should stop learning illegal MAC addresses Enter a Stop Learning threshold between ...

Page 295: ... to configure this entry for all ports on the Switch Click Add to create a new entry click Find to search for an entry click View All to display all entries and click Delete All to remove all entries on the window DHCP Snoop Entries This window is used to view DHCP Snooping entries on specific ports To view this window click Security IP MAC Port Binding DHCP Snoop Entries as shown below Figure 6 1...

Page 296: ... the appropriate fields and click Find To delete an entry click the Delete button next to the entry s port To delete all the entries in this window click Delete All ND Snoop Entries This table is used to view ND snooping entries on specific ports To view this window click Security IP MAC Port Binding NP Snoop Entries as shown below Figure 6 14 ND Snoop Entries window The following fields can be se...

Page 297: ... authorization is granted The 802 1x Access Control method holds three roles each of which are vital to creating and upkeeping a stable and working Access Control security method Figure 6 16 The three roles of 802 1X The following section will explain the three roles of Client Authenticator and Authentication Server in greater detail Authentication Server The Authentication Server is a remote devi...

Page 298: ...t Three steps must be implemented on the Switch to properly configure the Authenticator 1 The 802 1X State must be Enabled DGS 3400 Web Management Tool 2 The 802 1X settings must be implemented by port Security 802 1X Configure 802 1X Authenticator Parameter 3 A RADIUS server must be configured on the Switch Security 802 1X Authentic RADIUS Server Figure 6 18 The Authenticator Client The Client is...

Page 299: ...Control used on the Switch which are 1 Port based Access Control This method requires only one user to be authenticated per port by a remote RADIUS server to allow the remaining users on the same port access to the network 2 MAC based Access Control Using this method the Switch will automatically learn up to 128 MAC addresses by port and set them in a list Each MAC address must be authenticated by...

Page 300: ... and all subsequent traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become Unauthorized Hence if the Port is actually connected to a shared media LAN segment with more than one attached device successfully authenticating one of the attached devices effectively provides access to the LAN for all devices on the shared segment Clearly the...

Page 301: ...attached device that required access to the LAN The Switch would regard the single physical Port connecting it to the shared media segment as consisting of a number of distinct logical Ports each logical Port being independently controlled from the point of view of EAPOL exchanges and authorization state The Switch learns each attached devices individual MAC addresses and effectively creates a log...

Page 302: ...he Switch To supplement these circumstances this switch now implements Guest 802 1X VLANs These VLANs should have limited access rights and features separate from other VLANs on the network To implement Guest 802 1X VLANs the user must first create a VLAN on the network with limited rights and then enable it as an 802 1X guest VLAN Then the administrator must configure the guest accounts accessing...

Page 303: ...ayer 2 Gigabit Ethernet Managed Switch 294 Figure 6 24 Configure 802 1X Authenticator Parameter window To configure the settings by port click its corresponding Modify button which will display the following table to configure ...

Page 304: ...orized to disable 802 1X and cause the port to transition to the authorized state without any authentication exchange required This means the port transmits and receives normal traffic without 802 1X based authentication of the client If forceUnauthorized is selected the port will remain in the unauthorized state ignoring all attempts by the client to authenticate The Switch cannot provide authent...

Page 305: ... port that can be learned via 802 1X authentication Tick No Limit check box to support up to 128 users ReAuth Determines whether regular reauthentication will take place on this port The default setting is Disabled Forward EAPOL PDU This enables or disables the Switch retransmit EAPOL PDU Request on a per port basis Capability This allows the 802 1X Authenticator settings to be applied on a per po...

Page 306: ...ports to be enabled for the Guest 802 1x VLAN using the pull down menus Click Apply to implement the guest 802 1x VLAN settings entered Only one VLAN may be assigned as the 802 1X Guest VLAN Authentication RADIUS Server Settings The RADIUS feature of the Switch allows the user to facilitate centralized user administration as well as providing protection against a sniffing active hacker The Web Man...

Page 307: ...e is 2 Status This allows the user to set the RADIUS Server as Valid Enabled or Invalid Disabled Click Apply to implement the changes 802 1X User Settings This window allows the user to set different local users on the Switch and set a global limitation on the maximum number of users that can be learned via 802 1X authentication To view this window click Security 802 1X 802 1X User Settings as sho...

Page 308: ...of a port or group of ports The Initialize Port Table in the bottom half of the window displays the current status of the port s To initialize ports for the MAC side of 802 1X the user must first enable 802 1X by MAC address in the DGS 3400 Web Management Tool window Click Security 802 1X Initialize Port s as shown below Figure 6 30 Initialize Ports window MAC based 802 1X To initialize ports firs...

Page 309: ... the DGS 3400 Web Management Tool window before initializing ports Information in the Initialize Ports Table cannot be viewed before enabling 802 1X Reauthenticate Port s This window allows reauthentication of a port or group of ports by using the pull down menus From and To and clicking Apply The Reauthenticate Port Table displays the current status of the reauthenticated port s once Apply has be...

Page 310: ...enticate ports first choose the switch in the switch stack by using the pull down menu and then choose the range of ports in the From and To field Then the user must specify the MAC address to be reauthenticated by entering it into the MAC Address field and ticking the corresponding check box To begin the reauthentication click Apply ...

Page 311: ...enabled If not the user will be prompted with an error message and the Web based Access Control will not be enabled 6 If a RADIUS server is to be used for authentication the user must first establish a RADIUS Server with the appropriate parameters including the target VLAN before enabling the Web based Access Control on the Switch Web Based Authentication Login is a feature designed to authenticat...

Page 312: ...edirected to after successful authentication When the string is cleared the client will not be redirected to another URL after successful authentication Virtual IP Enter a virtual IPv4 address so that the TCP packets sent to the virtual IP will get a reply If the virtual IP is enabled the TCP packets sent to the virtual IP or physical IPIF s IP Interface s IP address will both get a reply When the...

Page 313: ... port cannot run at TCP port 443 HTTPS Specifies that the TCP port will run the WAC HTTPS protocol The default value is 443 HTTPS cannot run at TCP port 80 If no protocol is specified the protocol used is HTTP WAC Authorization Network Settings RADIUS Authorization Specifies to Enable or Disable RADIUS Authorization Local Authorization Specifies to Enable or Disable Local Authorization Click Apply...

Page 314: ...d of time a host will keep in authenticated state after it succeeds to authenticate Enter a value between 1 and 1440 minutes The default setting is 1440 minutes To maintain a constant Port Configuration tick the Infinite box in the WAC configuration window Idle Time 1 1440 min This parameter specifies the period of time during which there is no traffic for an authenticated host and the host will b...

Page 315: ...implement the changes WAC User Account This window is used to enable and configure Web based Access Control User Account Settings on the Switch To view this window click Security Web based Access control WAC WAC User Account as shown below Figure 6 35 WAC User Account window To create a new user account click Add the following window will be displayed for the user to configure Figure 6 36 WAC User...

Page 316: ...ld is case sensitive and must be a complete alphanumeric string Confirmation Confirm the new password entered above Entering a different password here from the one set above will result in a fail message VLAN Name Enter a VLAN to be associated with the WAC account VID 1 4094 Enter the VLAN ID to be associated with the WAC account Click Apply to implement the changes WAC Authentication State This w...

Page 317: ...ng or Blocked Click Find to display the Host table entries or click Delete to remove an entry Trust Host The Switch allows users to enter trusted host secure IP addresses and netmasks used for remote Switch management It should be noted that if one or more trusted hosts are enabled the Switch will immediately accept remote instructions from only the specified IP address or addresses If you enable ...

Page 318: ...t management of the Switch type the IP address of the station you are currently using in the first field as well as up to three additional IP addresses of trusted hosts Click the Apply button to assign trusted host status to the IP addresses This goes into effect immediately Click Delete All to remove all configured trusted hosts from this switch ...

Page 319: ...on Thus BPDU protection can only be enabled on SPT disabled port BPDU protection has high priority than FBPDU setting configured by configure STP command in determination of BPDU handling That is when FBPDU is configured to forward STP BPDU but BPDU protection is enabled then the port will not forward STP BPDU BPDU protection also has high priority than BPDU tunnel port setting in determination of...

Page 320: ...ttacker to sniff data frames on a LAN modify the traffic or stop the traffic altogether known as a Denial of Service DoS attack The principle of ARP spoofing is to send fake or spoofed ARP messages to an Ethernet network Generally the aim is to associate the attacker s or a random MAC address with the IP address of another node such as the default gateway Any traffic meant for that IP address woul...

Page 321: ... enter usernames and passwords for authentication the Switch contacts the TACACS XTACACS TACACS RADIUS server to verify and the server will respond with one of three messages The server verifies the username and password and the user is granted normal user privileges on the Switch The server will not accept the username and password and the user is denied access to the Switch The server doesn t re...

Page 322: ...itch 313 NOTE TACACS XTACACS and TACACS are separate entities and are not compatible The Switch and the server must be configured exactly the same using the same protocol For example if the Switch is set up for TACACS authentication so must be the host server ...

Page 323: ...5 seconds The default setting is 30 seconds User Attempts 1 255 This command will configure the maximum number of times the Switch will accept authentication attempts Users failing to be authenticated after the set amount of attempts will be denied access to the Switch and will be locked out of further authentication attempts Command line interface users will have to wait 60 seconds before another...

Page 324: ...d by the user See the Enable Method Lists window in this section for more information Click Apply to implement the changes Authentication Server Group This window will allow users to set up Authentication Server Groups on the Switch A server group is a technique used to group TACACS XTACACS TACACS RADIUS server hosts into user defined categories for authentication using method lists The user may d...

Page 325: ...ts window before adding hosts to the list Authentication Server Hosts must be configured for their specific protocol on a remote centralized server before this function can work properly NOTE The three built in server groups can only have server hosts running the same TACACS daemon TACACS XTACACS TACACS protocols are separate entities and are not compatible with each other Authentication Server Ho...

Page 326: ...is parameter if the server host utilizes the TACACS protocol RADIUS Enter this parameter if the server host utilizes the RADIUS protocol Port 1 65535 Enter a number between 1 and 65535 to define the virtual port number of the authentication protocol on a server host The default port number is 49 for TACACS XTACACS TACACS servers and 1813 for RADIUS servers but the user may set a unique port number...

Page 327: ...ACACS list the local account database set in the Switch is used to authenticate the user When the local method is used the privilege level will be dependant on the local account privilege configured on the Switch Successful login using any of these techniques will give the user a User privilege only If the user wishes to upgrade his or her status to the administrator level the user must use the En...

Page 328: ...k Apply to implement the changes To return to the Login Method Lists window click the Show All Authentication Login Method List Entries link Enable Method Lists This window is used to set up Method Lists to promote users with user level privileges to Administrator Admin level privileges using authentication methods on the Switch Once a user acquires normal user level privileges on the Switch he or...

Page 329: ...shown below Figure 6 52 Enable Method Lists window To delete an Enable Method List defined by the user click the under the Delete heading corresponding to the entry desired to be deleted To modify an Enable Method List click its hyperlinked Method List Name To configure a Method List click the Add button Both actions will result in the same window to configure Figure 6 53 Enable Method List Edit w...

Page 330: ...sly configured server group will require the user to be authenticated using a user defined server group previously configured on the Switch Click Apply to implement the changes To return to the Enable Method Lists window click the Show All Authentication Enable List Entries link Configure Local Enable Password This window will configure the locally enabled password for the Enable Admin command Whe...

Page 331: ...erver groups local enable local account on the Switch or no authentication none Because XTACACS and TACACS do not support the enable function the user must create a special account on the server host which has the username enable and a password configured by the administrator that will support the enable function This function becomes inoperable when the authentication policy is disabled To view t...

Page 332: ...n regarding events occurring on the Switch The following is a list of information that will be sent to the RADIUS server when an event triggers the Switch to send these informational packets Account Session ID Account Status Type Account Terminate Cause Account Authentic Account Delay Time Account Session Time Username Service Type NAS IP Address NAS Identifier Calling Station ID ...

Page 333: ...packets to a remote RADIUS server when a user either logs in logs out or times out on the Switch using the console Telnet or SSH System When enabled the Switch will send informational packets to a remote RADIUS server when system events occur on the Switch such as a system reset or system boot Remember this feature will not work properly unless a RADIUS Server has first been configured This RADIUS...

Page 334: ...ted on the Switch Once a MAC address has been discovered by the Switch the Switch will then query the remote RADIUS server with this potential MAC address using a RADIUS Access Request packet If a match is made with this MAC address the RADIUS server will return a notification stating that the MAC address has been accepted and is to be placed in the target VLAN If the VID for the target VLAN is no...

Page 335: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 326 Figure 6 58 MAC based Access Control Global Settings window ...

Page 336: ...previously configured Guest VLAN being used for this function Clicking the hyperlinked Guest VLAN ID will send the Web manager to Guest VLAN configuration window for MAC based Authentication Guest VLAN Member Ports Displays the list of ports that have been configured for the Guest VLAN Max User 1 4000 Specifies to set the maximum number of authorized clients on the device The default value is 1024...

Page 337: ...t a list of MAC addresses along with their corresponding target VLAN which will be authenticated for the Switch Once a queried MAC address is matched in this table it will be placed in the VLAN associated with it here The switch administrator may enter up to 1024 MAC addresses to be authenticated using the local method configured here To view this window click Security MAC based Access Control MAC...

Page 338: ...If the flooding has stopped the Switch will again begin accepting all packets Yet if the checking shows that there continues to be too many packets flooding the Switch it will stop accepting all ARP and IP broadcast packets and packets from untrusted IP addresses for double the time of the previous stop period This doubling of time for stopping these packets will continue until the maximum time ha...

Page 339: ...e Settings window The following parameters can be configured or viewed Parameter Description State Use the pull down menu to globally enable or disable Safeguard Engine settings for the Switch Rising Threshold 20 100 Used to configure the acceptable level of CPU utilization before the Safeguard Engine mechanism is enabled Once the CPU utilization reaches this percentage level the Switch will move ...

Page 340: ... current mode of the CPU Utilization Settings Click Apply to implement the changes Traffic Segmentation Traffic segmentation is used to limit traffic flow from a single port to a group of ports This method of segmenting the flow of traffic is similar to using VLANs to limit traffic but is more restrictive It provides a method of directing traffic that does not increase the overhead of the Master s...

Page 341: ...ed for encrypting the messages sent between client and host The Switch supports two types of cryptology algorithms Stream Ciphers There are two types of stream ciphers on the Switch RC4 with 40 bit keys and RC4 with 128 bit keys These keys are used to encrypt messages and need to be consistent between client and host for optimal use CBC Block Ciphers CBC refers to Cipher Block Chaining which means...

Page 342: ...ryption algorithms and key sizes to be used for an authentication session The Switch possesses four possible ciphersuites for the SSL function which are all enabled by default To utilize a particular ciphersuite disable the unwanted ciphersuites leaving the desired one for authentication When the SSL function has been enabled the web will become disabled To manage the Switch through the Web based ...

Page 343: ...lt Click Apply to implement the changes NOTE Certain implementations concerning the function and configuration of SSL are not available on the Web based management of this Switch and need to be configured using the command line interface NOTE Enabling the SSL command will disable the web based switch management To log on to the Switch again the header of the URL must begin with https Entering anyt...

Page 344: ...escription SSH Server Status Use the pull down menu to enable or disable SSH on the Switch The default is Disabled Max Session 1 8 Enter a value between 1 and 8 to set the number of users that may simultaneously access the Switch The default setting is 8 Connection TimeOut 120 600 Allows the user to set the connection timeout The user may set a time between 120 and 600 seconds The default setting ...

Page 345: ...e are three categories of algorithms listed and specific algorithms of each may be enabled or disabled by using their corresponding pull down menus All algorithms are enabled by default To view the following window click Security SSH SSH Authentication Mode and Algorithm Settings as shown below Figure 6 68 SSH Authentication Mode and Algorithm Settings window The following algorithms may be set Pa...

Page 346: ... or disable the Advanced Encryption Standard AES256 encryption algorithm with Cipher Block Chaining The default is Enabled ARC4 Use the pull down to enable or disable the Arcfour encryption algorithm with Cipher Block Chaining The default is Enabled Cast128 CBC Use the pull down to enable or disable the Cast128 encryption algorithm with Cipher Block Chaining The default is Enabled Twofish128 Use t...

Page 347: ...yperlinked User Name in the Current Accounts window which will reveal the following window to configure Figure 6 70 User Account Add Table window Once a User Account has been configured return to the SSH User Authentication window which now displays the newly created account as shown here Figure 6 71 SSH User Authentication Mode window To configure the SSH settings for this user click its hyperlin...

Page 348: ...tring of no more than 32 characters to identify the remote SSH user This parameter is only used in conjunction with the Host Based choice in the Auth Mode field Host IP Enter the corresponding IP address of the SSH user This parameter is only used in conjunction with the Host Based choice in the Auth Mode field Click Apply to implement the changes Compound Authentication Modern networks employ man...

Page 349: ...o create a white list that checks if the IP streams being sent by authorized hosts have been granted or not In the above diagram the Switch port has been configured to allow clients to authenticate using either JWAC If the client is in the IMPB table and tries to connect to the network using either of these supported authentication methods and the client is listed in the white list for legal IP MA...

Page 350: ...abled the client will stay at the guest VLAN otherwise it will stay at the original VLAN Click Apply to implement the changes Compound Authentication Settings This window is used to configure the authorization mode and authentication method of individual ports To view this window click Security Compound Authentication Compound Authentication Settings as shown below ...

Page 351: ...configure From To Select a port or range of ports to be configured Authorized Mode Use the drop down menu to select either Port Based or Host Based authorized mode Port Based If one of the attached hosts passes the authentication process all host on the same port will be granted access to the network If the user fails the authorization this port will keep trying until the next authentication Host ...

Page 352: ... pull down menu to enable or disable the function Click Apply to implement the changes Authentication Guest VLAN Settings This window is used to display and configure the Authentication Guest VLAN settings on the Switch To view this window click Security Compound Authentication Authentication Guest VLAN Settings as shown below Figure 6 79 Authentication Guest VLAN Settings window To configure a ne...

Page 353: ...le and configure Japanese Web based Access Control on the Switch Please note that JWAC and Web Authentication are mutually exclusive functions That is they cannot be enabled at the same time To use the JWAC feature computer users need to pass through the authentication process For this the authentication is similar to Web Authentication The RADIUS server will share the server configuration defined...

Page 354: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 345 Figure 6 81 JWAC Global State Configuration window ...

Page 355: ...Destination This parameter specifies the destination before an unauthenticated host is redirected to either the Quarantine Server or the JWAC Login Page Redirect Delay Time 0 10 sec This parameter specifies the Delay Time before an unauthenticated host is redirected to the Quarantine Server or JWAC Login Page Enter a value between 0 and 10 seconds A value of 0 indicates no delay in the redirect Vi...

Page 356: ...sends the HTTP request packets to a random Web server the Switch will handle this HTTP packet and send back a message to the host to allow it access to the Quarantine Server with the configured URL When a computer is connected to the specified URL the quarantine server will request the computer user to input the user name and password to complete the authentication process Update Server Configurat...

Page 357: ... DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 348 Figure 6 82 JWAC Port Table Parameter window To configure individual JWAC port settings click the Add button the following window will be displayed ...

Page 358: ...switch in the switch stack to configure Port List Lists the range of Ports that will be configured in this window State This parameter specifies the state of the configured ports Mode Use the drop down menu to select the mode choose either Port Based or Host Based Max Authenticating Host 0 50 This parameter specifies the maximum number of host process authentication attempts allowed on each port a...

Page 359: ... seconds Click Apply to implement changes made To return to the JWAC Port Table Parameter window click the Show JWAN All Ports Setting Entries link JWAC User Account This window is used to configure JWAC user accounts on the Switch To view this window click Security Japanese Web based Access Control JWAC JWAC User Account as shown below Figure 6 85 JWAC User Accounts window To configure JWAC user ...

Page 360: ...Enter the VLAN ID of the Account you wish to create Old Password Enter the original password of the user This field is case sensitive and must be a complete alphanumeric string New Password Enter a new password of the user This field is case sensitive and must be a complete alphanumeric string Confirm New Password Retype the new password entered in the previous field Click Apply to implement chang...

Page 361: ...he Port list information and click the Delete button JWAC Customize Page Language Settings This window is used to customize your JWAC language settings on the Switch Use the drop down menu to select either English or Japanese and click Apply To view this window click Security Japanese Web based Access Control JWAC JWAC Customize Page Language Settings as shown below Figure 6 90 JWAC Customize Page...

Page 362: ... Customize Page This window is used to customize fields in the JWAC Customize page To view this window click Security Japanese Web based Access Control JWAC JWAC Customize Page as shown below Figure 6 91 JWAC Customize Page window Enter the new information and click Apply ...

Page 363: ...atus Port Port Access Control MAC Address Table IGMP Snooping Group IGMP Snooping Data Driven Group MLD Snooping Group MLD Snooping Data Driven Group Trace Route Switch Logs Browse ARP Table Session Table IP Forwarding Table Routing Table MAC based Access Control Authentication Status Device Status This window displays the status of the physical attributes of the Switch including power sources and...

Page 364: ...on folder The number of switches in the switch stack up to 12 total are displayed in the upper right hand corner of your web browser The icons are in the same order as their respective Unit numbers with the Unit 1 switch corresponding to the icon in the upper left most corner of the icon group When the switches are properly interconnected through their optional Stacking Modules information about t...

Page 365: ...for the Switch This may be different from the values shown in the illustration Topology Show the current topology employed using this Switch My Box ID Displays the Box ID of the Switch currently in use Master ID Displays the Unit ID number of the Primary Master of the Switch stack Backup Master Displays the Unit ID of the Backup Master of the switch stack Box Count Displays the number of switches ...

Page 366: ... version of the installed module Serial The serial number of the module Description A brief description of the type of module DRAM Flash Utilization This window is used to display DRAM and Flash utilization information To view this window click Monitoring DRAM Flash Utilization as shown below Figure 7 5 DRAM Utilization window ...

Page 367: ... CPU utilization by port use the real time graphic of the Switch and or switch stack at the top of the web page by simply clicking on a port Click Apply to implement the configured settings The window will automatically refresh with new updated statistics Change the view parameters as follows Parameter Description Time Interval Select the desired setting between 1s and 60s where s stands for secon...

Page 368: ...the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the web page by simply clicking on a port Change the view parameters as follows Parameter Description Time Interval Select the desired setting between 1s and 60s where s stands for secon...

Page 369: ... to view these statistics for first select the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the window by simply clicking on a port To view this window click Monitoring Packets Received RX as shown below Figure 7 8 RX Packets Analysis ...

Page 370: ... Packets Counts the number of packets received on the port Unicast Counts the total number of good packets that were received by a unicast address Multicast Counts the total number of good packets that were received by a multicast address Broadcast Counts the total number of good packets that were received by a broadcast address Show Hide Check whether to display Bytes and Packets Clear Clicking t...

Page 371: ...nd then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the window by simply clicking on a port To view this window click Monitoring Packets UMB_cast RX as shown below Figure 7 10 Packets Analysis line graph for Unicast Multicast and Broadcast Packets To view the UMB Cast Table window click the View Table ...

Page 372: ...lue is 200 Unicast Counts the total number of good packets that were received by a unicast address Multicast Counts the total number of good packets that were received by a multicast address Broadcast Counts the total number of good packets that were received by a broadcast address Show Hide Check whether or not to display Multicast Broadcast and Unicast Packets Clear Clicking this button clears a...

Page 373: ... and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the web page by simply clicking on a port To view this window click Monitoring Packets Transmitted TX as shown below Figure 7 12 TX Packets Analysis window line graph for Bytes and Packets To view the Transmitted TX Table window click the link View ...

Page 374: ...port Packets Counts the number of packets successfully sent on the port Unicast Counts the total number of good packets that were transmitted by a unicast address Multicast Counts the total number of good packets that were transmitted by a multicast address Broadcast Counts the total number of good packets that were transmitted by a broadcast address Show Hide Check whether or not to display Bytes...

Page 375: ...irst select the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the window by simply clicking on a port To view this window click Monitoring Errors Received RX as shown below Figure 7 14 RX Error Analysis window line graph To view the Rec...

Page 376: ... nor mal network occurrence OverSize Counts valid packets received that were longer than 1518 octets and less than the MAX_PKT_LEN Internally MAX_PKT_LEN is equal to 1536 Fragment The number of packets less than 64 bytes with either bad framing or an invalid CRC These are normally the result of collisions Jabber Counts invalid packets received that were longer than 1518 octets and less than the MA...

Page 377: ...ton instructs the Switch to display a line graph rather than a table View Line Chart Transmitted TX To select a port to view these statistics for first select the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the web page by simply clic...

Page 378: ...oundary LateColl Counts the number of times that a collision is detected later than 512 bit times into the transmission of a packet ExColl Excessive Collisions The number of packets for which transmission failed due to excessive collisions SingColl Single Collision Frames The number of successfully transmitted packets for which transmission is inhibited by more than one collision Coll An estimate ...

Page 379: ...are offered To select a port to view these statistics for first select the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the web page by simply clicking on a port To view this window click Monitoring Packet Size as shown below Figure 7 ...

Page 380: ...00 The default value is 200 64 The total number of packets including bad packets received that were 64 octets in length excluding framing bits but including FCS octets 65 127 The total number of packets including bad packets received that were between 65 and 127 octets in length inclusive excluding framing bits but including FCS octets 128 255 The total number of packets including bad packets rece...

Page 381: ...nters on this window Clicking this button instructs the Switch to display a table rather than a line graph View Table Clicking this button instructs the Switch to display a line graph rather than a table View Line Chart Browse Router Port This displays which of the Switch s ports are currently configured as router ports A router port configured by a user using the console or Web based management i...

Page 382: ...by D and a Forbidden port is designated by F To search for a specific VLAN enter the VLAN Name or VLAN ID and click Find To view this window click Monitoring Browse MLD Router Port as shown below Figure 7 21 Browse MLD Snooping Router Port window VLAN Status This allows the VLAN status for each of the Switch s ports to be viewed by VLAN This window displays the ports on the Switch that are current...

Page 383: ... or by MAC address To enable 802 1X go to the DGS 3400 Web Management Tool window Authenticator State The following section describes the 802 1X Authenticator State on the Switch This window displays the Authenticator State for individual ports on a selected device In Port based mode if one of the attached hosts is successfully authorized all hosts on the same port will be granted access to the ne...

Page 384: ...ater than 7 it will be ignored In this case the switch still adopts the local setting The default priority is used to classify the priority for untagged packets The 802 1p priority is on per port basis However for host based authentication mode the assigned 802 1p will be assigned for each host MAC Authenticator Statistics This table contains the statistics objects for the Authenticator PAE associ...

Page 385: ...tication client on the client side of the RADIUS authentication protocol To view this window click Monitoring Port Access Control RADIUS Authentication as shown below Figure 7 28 RADIUS Authentication information window RADIUS Account Client This window shows managed objects used for managing RADIUS accounting clients and the current statistics associated with them To view this window click Monito...

Page 386: ...onses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses BadAuthenticators The number of RADIUS Accounting Response packets which contained invalid authenticators received from this server PendingRequests The number of RA...

Page 387: ... forwarding table to be browsed by Unit Port Select the unit of the switch in the switch stack and a port on that switch where to find the MAC address Find Allows the user to move to a sector of the database corresponding to a user defined port VLAN or MAC address VID The VLAN ID of the VLAN of which the port is a member VLAN Name The VLAN Name of the VLAN of which the port is a member MAC Address...

Page 388: ...iguration and other information concerning IGMP snooping may be found in Section 7 of this manual under IGMP Snooping IGMP Snooping Data Driven Group The dynamic IP Multicast Learning function is to forward un registered IP multicast data packets to router ports without any clients report on the IP multicast group To view this window click Monitoring IGMP Snooping Data Driven Group as shown below ...

Page 389: ...TE To configure MLD snooping for the xStack DGS 3400 Series switch go to the L2 Features folder and select MLD Snooping Configuration and other information concerning MLD snooping may be found in Section 7 of this manual under MLD Snooping MLD Snooping Data Driven Group To view this window click Monitoring MLD Snooping Data Driven Group as shown below Figure 7 34 MLD Snooping Data Driven Group Tab...

Page 390: ...et IP Address Click the radio button to enter the IP address of the computer to be traced Domain Name Enter the domain name of the host TTL 1 60 The time to live value of the trace route request This is the maximum number of routers the traceroute command will cross while seeking the network path between two devices Port 30000 64900 The virtual port number The port number must be above 1024 The va...

Page 391: ...equest This is the maximum number of routers the traceroute command will cross while seeking the network path between two devices Port 30000 64900 The virtual port number The port number must be above 1024 The value range is from 30000 to 64900 Timeout 1 65535 Defines the time out period while waiting for a response from the remote device The user may choose an entry between 1 and 65535 seconds Pr...

Page 392: ...s such as spoofing attacks Unit Choose the Unit ID of the switch in the switch stack for which to view the switch log Severity Tick the check boxes to specify the severity to be displayed Sequence A counter incremented whenever an entry to the Switch s history log is made The table displays the last entry highest sequence number first Time Displays the time in days hours and minutes since the Swit...

Page 393: ...e name into the Interface Name an IP Address or a MAC Address and click Find To clear the ARP Table click Clear All To view this table click Monitoring Browse ARP Table as shown below Figure 7 38 ARP Table window Session Table This window is used to display the current session table To view this window click Monitoring Session Table as shown below Figure 7 39 Current Session Table window ...

Page 394: ...ndow and click Find to begin your search The view this window click Monitoring IP Forwarding Table as shown below Figure 7 40 IP Forwarding Table window Routing Table Browse Routing Table This window shows the current IP routing table of the Switch To find a specific IP route enter an IP address along with a proper subnet mask in the two fields offered and click Find To view this window click Moni...

Page 395: ...n below Figure 7 42 IPv6 Routing Table window MAC based Access Control Authentication Status To clear MAC based Access Control Authentication entries enter the appropriate information and click Delete To view this table click Monitoring MAC Based Access Control Authentication Status as shown below Figure 7 43 MAC based Access Control Authentication State Table Settings window ...

Page 396: ...eset window Reboot System The following menu is used to restart the Switch Figure 8 2 Reboot System window Click the Yes radio button and the Switch saves the current configuration to non volatile RAM before restarting the Switch NOTE Only the Reset System option will enter the factory default parameters into the Switch s non volatile RAM and then restart the Switch All other options enter the fac...

Page 397: ...ting the Switch erases all settings in RAM and reloads the stored settings from the NV RAM Thus it is necessary to save all setting changes to NV RAM before rebooting the switch The save options allow one alternative configuration image to be stored To view this window click Save Services Save Changes as shown below Figure 8 3 Save Changes window The Save Changes options include Save Configuration...

Page 398: ...tes Update Time States the specific time the configuration file was downloaded to the Switch From States the origin of the firmware There are five ways configuration files may be uploaded to the Switch R If the IP address has this letter attached to it it denotes a configuration file upgrade through the Console Serial Port RS 232 T If the IP address has this letter attached to it it denotes a conf...

Page 399: ...on This field has three options for configuration Delete Select this option to delete the configuration file ID specified in the Configuration ID field above Boot_up Select this option to set the configuration file ID specified above as the boot up configuration file ID for the Switch This firmware will be set as the boot up configuration file ID after a Switch reboot has been performed The defaul...

Page 400: ...ss shown in Table1 Table 1 ARP Payload H W Type Protocol Type H W Address Length Protocol Address Length Operation Sender H W Address Sender Protocol Address Target H W Address Target Protocol Address ARP request 00 20 5C 01 11 11 10 10 10 1 00 00 00 00 00 00 10 10 10 2 The ARP request will be encapsulated into an Ethernet frame and sent out As can be seen in Table 2 the Source Address in the Ethe...

Page 401: ...n Table 3 ARP Payload H W Type Protocol Type H W Address Length Protocol Address Length Operation Sender H W Address Sender Protocol Address Target H W Address Target Protocol Address ARP reply 00 20 5C 01 11 11 10 10 10 1 00 00 00 00 00 00 10 10 10 2 When PC B replies to the query the Destination Address in the Ethernet frame will be changed to PC A s MAC address The Source Address will be change...

Page 402: ...ate ARP spoofing attack Figure 4 In the Gratuitous ARP packet the Sender protocol address and Target protocol address are filled with the same source IP address itself The Sender H W Address and Target H W address are filled with the same source MAC address itself The destination MAC address is the Ethernet broadcast address FF FF FF FF FF FF All nodes within the network will immediately update th...

Page 403: ... forwarding it man in the middle attack The hacker cheats the victim PC that it is a router and cheats the router that it is the victim As can be seen in Figure 5 all traffic will be then sniffed by the hacker but the users will not discover Figure 5 Prevent ARP Spoofing via Packet Content ACL D Link managed switches can effectively mitigate common DoS attacks caused by ARP spoofing via a unique P...

Page 404: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 395 Example topology ...

Page 405: ...unk3 Offset Chunk4 Offset Chunk5 Offset Chunk6 Offset Chunk7 Offset Chunk8 Offset Chunk9 Offset Chunk10 Offset Chunk11 Offset Chunk12 Offset Chunk13 Offset Chunk14 Offset Chunk15 Byte 127 3 7 11 15 19 23 27 31 35 39 43 47 51 55 59 Byte 128 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 Byte 1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61 Byte 2 6 10 14 18 22 26 30 34 38 42 46 50 54 58 62 Offset Chunk Off...

Page 406: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 397 ...

Page 407: ...rnal Power failed Critical Internal Power is recovered Unit unitID Internal Power is recovered Critical Redundant Power failed Unit unitID Redundant Power failed Critical Redundant Power is working Unit unitID Redundant Power is working Critical Side Fan failed Unit unitID Side Fan failed Critical Side Fan recovered Unit unitID Side Fan recovered Critical Back Fan failed Unit unitID Back Fan faile...

Page 408: ...loaded Log message successfully uploaded by console Username username IP ipaddr Informational by console and IP ipaddr MAC macaddr are XOR shown in log string which means if user login by console will no IP and MAC information for logging Log message upload was unsuccessful Log message upload by console was unsuccessful Username username IP ipaddr Warning by console and IP ipaddr MAC macaddr are X...

Page 409: ...ormational Web session timed out Web session timed out Username username Informational Successful login through Web SSL Successful login through Web SSL Username username IP ipaddr MAC macaddr Informational Login failed through Web SSL Login failed through Web SSL Username username IP ipaddr MAC macaddr Warning Logout through Web SSL Logout through Web SSL Username username IP ipaddr MAC macaddr I...

Page 410: ...name username IP ipaddr Informational SSH session timed out SSH session timed out Username username IP ipaddr Informational SSH server is enabled SSH server is enabled Informational SSH server is disabled SSH server is disabled Informational AAA Authentication Policy is enabled Authentication Policy is enabled Module AAA Informational Authentication Policy is disabled Authentication Policy is disa...

Page 411: ...ame username Warning Successful login through Console authenticated by AAA none method Successful login through Console authenticated by AAA none method Username username Informational Successful login through Web authenticated by AAA none method Successful login through Web from userIP authenticated by AAA none method Username username Informational Successful login through Web SSL authenticated ...

Page 412: ... server serverIP Username username Warning Login failed through Web SSL due to AAA server timeout or improper configuration Login failed through Web SSL from userIP due to AAA server timeout or improper configuration Username username Warning Successful login through Telnet authenticated by AAA server Successful login through Telnet from userIP authenticated by AAA server serverIP Username usernam...

Page 413: ...cal_enable method Successful Enable Admin through Web SSL from userIP authenticated by AAA local_enable method Username username Informational Enable Admin failed through Web SSL authenticated by AAA local_enable method Enable Admin failed through Web SSL from userIP authenticated by AAA local_enable method Username username Warning Successful Enable Admin through Telnet authenticated by AAA local...

Page 414: ...henticated by AAA server Successful Enable Admin through Console authenticated by AAA server serverIP Username username Informational Enable Admin failed through Console authenticated by AAA server Enable Admin failed through Console authenticated by AAA server serverIP Username username Warning Enable Admin failed through Console due to AAA server timeout or improper configuration Enable Admin fa...

Page 415: ...ut or improper configuration Username username Warning Successful Enable Admin through SSH authenticated by AAA server Successful Enable Admin through SSH from userIP authenticated by AAA server serverIP Username username Informational Enable Admin failed through SSH authenticated by AAA server Enable Admin failed through SSH from userIP authenticated by AAA server serverIP Username username Warni...

Page 416: ...nitID Password was changed by Username username IP ipaddr MAC macaddr Informational Dual Configuration Execution error encountered during system boot up Configuration had int syntax error and int execute error Warning Safeguard Engine Safeguard Engine is in normal mode Unit unitID Safeguard Engine enters NORMAL mode Informational Safeguard Engine is in filtering packet mode Unit unitID Safeguard E...

Page 417: ...a client host authenticated successful JWAC authenticated user Username string IP ipaddr MAC macaddr Port unitID portNum Warning When a client host fails to authenticate JWAC unauthenticated user User Name string IP ipaddr MAC macaddr Port unitID portNum Warning This log will be triggered when the number of authorized users reaches the maximum user limit on thewhole device JWAC enters stop learnin...

Page 418: ...1 70 3 2 16 1 2 0 1 1 3 6 1 4 1 171 11 70 7 2 16 1 2 0 1 PortLoopOccurredTrap This trap is sent when a Port loop occurs 1 3 6 1 4 1 171 11 70 1 2 16 1 2 0 0 3 1 3 6 1 4 1 171 11 70 2 2 16 1 2 0 0 3 1 3 6 1 4 1 171 11 70 3 2 16 1 2 0 0 3 1 3 6 1 4 1 171 11 70 7 2 16 1 2 0 0 3 PortLoopRestart This trap is sent when a Port loop restarts after the interval time 1 3 6 1 4 1 171 11 70 1 2 16 1 2 0 0 4 1...

Page 419: ...MAC based access control host is successfully logged in 1 3 6 1 4 1 171 12 35 11 1 0 1 MacBasedAuthLoggedFail This trap is sent when a MAC based access control host login fails 1 3 6 1 4 1 171 12 35 11 1 0 2 MacBasedAuthAgesOut This trap is sent when a MAC based access control host ages out 1 3 6 1 4 1 171 12 35 11 1 0 3 FilterDetectedTrap This trap is sent when an illegal DHCP server is detected ...

Page 420: ... 171 12 8 6 0 17 PowerStatusChg Power Status change notification The notification is issued when the swPowerStatus changes in the following cases lowVoltage overCurrent owVoltage working lowVoltage disconnect lowVoltage connect overCurrent lowVoltage overCurrent working overCurrent disconnect overCurrent connect working lowVoltage working overCurrent working connect working disconnect fail connect...

Page 421: ...s represented in the agent s configuration 1 3 6 1 6 3 1 1 5 3 linkUp A linkUp trap signifies that the sending protocol entity recognizes that one of the communication links represented in the agent s configuration has come up 1 3 6 1 6 3 1 1 5 4 authenticationFailure An authenticationFailure trap signifies that the sending protocol entity is the address of a protocol message that is not properly ...

Page 422: ...ng state to the Forwarding state or from the Forwarding state to the Blocking state The trap is not sent if a newRoot trap is sent for the same transition Implementation of this trap is optional 1 3 6 1 2 1 17 0 2 lldpRemTablesChange A lldpRemTablesChange notification is sent when the value of lldpStatsRemTableLastChangeTime changes It can be utilized by an NMS to trigger LLDP remote systems table...

Page 423: ...adcast storm Multiple simultaneous broadcasts that typically absorb available network bandwidth and can cause network failure console port The port on the Switch accepting a terminal or modem connector It changes the parallel arrangement of data within computers to the serial form used on data transmission links This port is most often used for dedicated local management CSMA CD Channel access met...

Page 424: ...ing TCP IP internets SNMP is presently implemented on a wide range of computers and networking equipment and may be used to manage many aspects of network and end station operation Spanning Tree Protocol STP A bridge based system for providing fault tolerance on networks STP works by allowing the user to implement parallel paths for network traffic and ensure that redundant paths are disabled when...

Reviews:

No comments

Related manuals for xStack DGS-3427

Barco ScreenPRO-II Brochure & Specs preview
ScreenPRO-II
Brand: Barco Pages: 6
Daxten SCOUTCOMBO - Installation Manual preview
SCOUTCOMBO -
Brand: Daxten Pages: 7
Xantech D5SH Installation Instructions Manual preview
D5SH
Brand: Xantech Pages: 20
Larson Electronics EXHL-TRN-LE1 Series Manual preview
EXHL-TRN-LE1 Series
Brand: Larson Electronics Pages: 2
Transition Networks SISTG1040-242-LRT Install Manuals preview
SISTG1040-242-LRT
Brand: Transition Networks Pages: 31
GarrettCom DS60s Installation And User Manual preview
DS60s
Brand: GarrettCom Pages: 39
Cabletron Systems SmartSwitch 2500 Reference Manual preview
SmartSwitch 2500
Brand: Cabletron Systems Pages: 402
OTS IES8242MPp9H-S-DR Quick Installation Manual preview
IES8242MPp9H-S-DR
Brand: OTS Pages: 3
Accton Technology EtherHub-24s Quick Installation Manual preview
EtherHub-24s
Brand: Accton Technology Pages: 7
IDT 89HPES12N3 User Manual preview
89HPES12N3
Brand: IDT Pages: 158
H3C S1850-X Series Installation Manual preview
S1850-X Series
Brand: H3C Pages: 27
Radio Shack 15-316 User Manual preview
15-316
Brand: Radio Shack Pages: 8
C&H Technologies M218 User Manual preview
M218
Brand: C&H Technologies Pages: 28
MiLAN MIL-S8TA User Manual preview
MIL-S8TA
Brand: MiLAN Pages: 13
Thinklogical TLX1280 Product Manual preview
TLX1280
Brand: Thinklogical Pages: 45
Elk Products ELK-M1DBHR Installation Manual preview
ELK-M1DBHR
Brand: Elk Products Pages: 2
Kramer VP-772T Quick Start Manual preview
VP-772T
Brand: Kramer Pages: 4
Angustos KVM-016 User Manual preview
KVM-016
Brand: Angustos Pages: 15

Brands by name

Popular brands

Load more brands