xStack® DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch

MAC-based Access Control (MAC) 

The MAC-based Access Control feature allows users to configure a list of MAC addresses, either locally or on a remote RADIUS server, to be authenticated by the Switch. Authenticated users are placed in a target VLAN and given the access rights configured on the Switch for that VLAN.

For local authentication on the Switch, the user must enter the list of MAC addresses to be accepted through this mechanism using the MAC-based Access Control Local Database Settings window, as seen below. The user may enter up to 128 MAC addresses locally on the Switch. Once a MAC address has been authenticated by the Switch on the local side, the port where that MAC address resides will be placed in the previously configured target VLAN, where the rights and privileges are set by the switch administrator. If the VLAN Name for the target VLAN is not found by the Switch, the Switch will return the port containing that MAC address to the originating VLAN. If the MAC address is not found and the port is in the Guest VLAN, it will remain in the Guest VLAN, with the associated rights. If the port is not in the Guest VLAN, this MAC address will be blocked by the Switch.

For remote RADIUS server authentication, the user must first configure the RADIUS server with the list of MAC addresses, and their corresponding target VLANs, that are to be authenticated on the Switch. Once a MAC address has been discovered by the Switch, the Switch will query the remote RADIUS server for this MAC address using a RADIUS Access Request packet. If a match is made with this MAC address, the RADIUS server will return a notification stating that the MAC address has been accepted and is to be placed in the target VLAN. If the VID for the target VLAN is not found, the Switch will return the port containing the MAC address to the original VLAN. If the MAC address is not found and the port is in the Guest VLAN, it will remain in the Guest VLAN, with the associated rights. If the port is not in the Guest VLAN, this MAC address will be blocked by the Switch.

Notes about MAC-based Access Control 

Certain limitations and rules apply to MAC-based Access Control:

1. Once this feature is enabled for a port, the Switch will clear the FDB of that port.

2. MAC-based Access Control is its own entity and is not dependent on other authentication functions on the Switch, such as 802.1X, Web-based authentication, etc.

3. Ports that have been enabled for Link Aggregation, stacking, 802.1X authentication, 802.1X Guest VLAN, Port Security, GVRP or Web-based authentication cannot be enabled for MAC-based Authentication.
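The outcomes described above for local and RADIUS authentication, together with the port restrictions in note 3, modelled as an added Python example (not D-Link code or switch CLI). The class and function names, the outcome labels and the sample MAC addresses and VLAN names are constructed for illustration; the RADIUS server is represented by a plain lookup function.

```python
"""Model of the MAC-based Access Control outcomes described in this section.
Illustrative only: names and outcome labels are assumptions, not switch firmware."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

LOCAL_DB_MAX = 128  # the manual's limit for MAC addresses entered locally

# Features that note 3 says cannot share a port with MAC-based Access Control.
CONFLICTING = frozenset({
    "link_aggregation", "stacking", "802.1x", "802.1x_guest_vlan",
    "port_security", "gvrp", "web_auth",
})


def norm_mac(mac: str) -> str:
    """Accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 0011.22aa.bbcc."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Port:
    number: int
    vlan: str                          # VLAN the port is in before authentication
    features: frozenset = frozenset()  # other features enabled on this port


@dataclass
class Switch:
    vlans: set                         # VLAN names that exist on the switch
    guest_vlan: Optional[str] = None
    local_db: dict = field(default_factory=dict)  # normalized MAC -> target VLAN

    def add_local(self, mac: str, target_vlan: str) -> None:
        key = norm_mac(mac)
        if key not in self.local_db and len(self.local_db) >= LOCAL_DB_MAX:
            raise ValueError("local database already holds 128 MAC addresses")
        self.local_db[key] = target_vlan

    def conflicts(self, port: Port) -> list:
        """Features on the port that rule out MAC-based Access Control (note 3)."""
        return sorted(port.features & CONFLICTING)

    def authenticate(self, port: Port, mac: str,
                     lookup: Optional[Callable] = None) -> tuple:
        """Return (outcome, vlan). `lookup` maps a normalized MAC to a target
        VLAN or None; it defaults to the local database and can be replaced by
        a function standing in for the RADIUS Access Request."""
        if self.conflicts(port):
            raise ValueError(f"port {port.number}: {self.conflicts(port)} enabled")
        target = (lookup or self.local_db.get)(norm_mac(mac))
        if target is None:
            # MAC not found: stay in the Guest VLAN if already there, else block.
            if self.guest_vlan is not None and port.vlan == self.guest_vlan:
                return ("guest", self.guest_vlan)
            return ("blocked", None)
        if target not in self.vlans:
            # Target VLAN not found: port returns to its originating VLAN.
            return ("returned", port.vlan)
        return ("authenticated", target)


def demo() -> dict:
    """Run the four outcomes on constructed sample data."""
    sw = Switch(vlans={"default", "staff", "guest"}, guest_vlan="guest")
    sw.add_local("00-11-22-AA-BB-01", "staff")
    sw.add_local("00-11-22-AA-BB-02", "lab")  # "lab" does not exist on the switch
    radius = {norm_mac("00:11:22:aa:bb:03"): "staff"}.get  # stand-in for RADIUS
    p1 = Port(1, "default")
    p2 = Port(2, "guest")
    p3 = Port(3, "default", frozenset({"802.1x", "gvrp"}))
    return {
        "known": sw.authenticate(p1, "0011.22aa.bb01"),
        "missing_vlan": sw.authenticate(p1, "00:11:22:AA:BB:02"),
        "unknown_in_guest": sw.authenticate(p2, "00-11-22-AA-BB-99"),
        "unknown_elsewhere": sw.authenticate(p1, "00-11-22-AA-BB-99"),
        "radius": sw.authenticate(p1, "00-11-22-AA-BB-03", lookup=radius),
        "port3_conflicts": sw.conflicts(p3),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```
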

 

MAC-based Access Control Global Settings 

The following window is used to set the parameters for the MAC-based Access Control function on the Switch. Here the user can 
set the state, password, authentication method, as well as create, configure or delete Guest VLANs. 

To view this window, click Security > MAC Based Access Control > MAC Based Access Control Global Settings, as shown below:

Summary of Contents for xStack

Page 1: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch User Manual Product Model xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch Release 2 6 i...

Page 2: ...ion of D Link Corporation is strictly forbidden Trademarks used in this text D Link and the D LINK logo are trademarks of D Link Corporation Microsoft and Windows are registered trademarks of Microsof...

Page 3: ...9 Address Format 9 Types 10 ICMPv6 11 Neighbor Discovery 11 Neighbor Unreachability Detection 11 Duplicate Address Detection DAD 12 Assigning IP Addresses 12 IP Interface Setup 12 IP Address 13 Settin...

Page 4: ...tings 43 Routing Table 45 IPv4 Static Default Route Settings 45 IPv6 Static Default Route Settings 46 Gratuitous ARP Settings 47 Static ARP Settings 49 DHCP Auto Configuration Settings 50 DHCP BOOTP R...

Page 5: ...sFlow Analyzer Settings 83 sFlow Sampler Settings 85 sFlow Poller Settings 86 IP Multicast VLAN Replication 88 IP Multicast VLAN Replication Global Settings 88 IP Multicast VLAN Replication Settings...

Page 6: ...Settings 127 Router Port Settings 129 IGMP Snooping Static Group Settings 130 ISM VLAN Settings 132 Restrictions and Provisos 132 Limited IP Multicast IGMP Filtering Address Range Settings 134 MLD Sno...

Page 7: ...174 Understanding IEEE 802 1p Priority 176 Bandwidth Control 176 QoS Scheduling Mechanism 178 QoS Output Scheduling 179 Configuring the Combination Queue 180 802 1p Default Priority 181 802 1p User P...

Page 8: ...Server Host 255 Login Method Lists 257 Enable Method Lists 258 Configure Local Enable Password 260 Enable Admin 261 RADIUS Accounting Settings 262 MAC based Access Control MAC 264 Notes about MAC bas...

Page 9: ...Router Port 307 Browse MLD Router Port 307 VLAN Status 308 VLAN Status Port 308 Port Access Control 309 Authenticator State 309 Authenticator Statistics 311 Authenticator Session Statistics 311 Authe...

Page 10: ...Appendix A 322 Mitigating ARP Spoofing Attacks Using Packet Content ACL 322 Appendix B 329 Switch Log Entries 329 Appendix C 340 Trap Logs 340 Glossary 345...

Page 11: ...xample use the copy command Boldface Typewriter Font Indicates commands and responses to prompts that must be typed exactly as printed in the manual Initial capital letter Indicates a window name Name...

Page 12: ...ss the same internal switching software and configure it Thus all settings encountered in web based management are the same as those found in the console program Logging in to the Web Manager To begin...

Page 13: ...Figure 1 2 Main Web Manager window Area Function Area 1 Select the menu or window to display Open folders and click the hyperlinked menu buttons and subfolders contained within them to display menus...

Page 14: ...and windows Bandwidth Control QoS Scheduling Mechanism QoS Output Scheduling 802 1p Default Priority and 802 1p User Priority ACL Contains the following folders and windows Time Range Access Profile T...

Page 15: ...ort Mirroring System Log System Severity Settings SNTP Settings MAC Notification Settings TFTP Services Multiple Image Services Ping Test IPv6 Neighbor Routing Table Gratuitous ARP Settings Static ARP...

Page 16: ...assess their current global status Some Functions are hyper linked for easy access from the Device Information window Many miscellaneous functions are enabled and disabled in the Device Information w...

Page 17: ...rough the Web interface as soon as these settings are applied Web TCP Port Number 1 65535 The TCP port number used for Web based management of the Switch The well known TCP port for the Telnet protoco...

Page 18: ...he Capabilities for IP Addressing IPv6 has increased the size of the IP address from 32 bits to 128 bits As a result the addressing hierarchy has been greatly expanded more nodes now have the capabili...

Page 19: ...ave an identical set of options In this way router can process these packets more efficiently once the flow class has been identified and the rest of the packet header no longer needs to be fully proc...

Page 20: ...ed the size of the Path MTU so the source node is required to split these packets into fragments in individual packets which will be rebuilt when it reaches its final destination Each of the packets t...

Page 21: ...to E000 3 global addresses are aggregated using these routing prefixes to produce unique IPv6 addresses which will limit global routing table entries The MAC address of the device is used to produce t...

Page 22: ...he reachability of routers as well as if changes occur within link layer addresses of nodes on the network or identical unicast addresses are present on the local link The functionality of the Neighbo...

Page 23: ...g multiple addresses to a single interface as well If multiple physical interfaces are considered as one interface on the Internet layer multiple unicast addresses may be allotted to multiple physical...

Page 24: ...ropriate IP Address and Subnet Mask 3 If accessing the Switch from a different subnet from the one it is installed on enter the IP address of the Default Gateway If managing the Switch from the subnet...

Page 25: ...in the Security IP Management window If VLANs have not yet been configured for the Switch the default VLAN contains all of the Switch s ports There are no entries in the Security IP Management table...

Page 26: ...Interface Settings and one for IPv6 addresses IPv6 Interface Settings IPv4 Interface Settings To view this window click Administration Interface Settings IPv4 Interface Settings as shown below Figure...

Page 27: ...associated with this interface Interface Admin State Use the pull down menu to enable or disable configuration on this interface Click Apply to implement changes made NOTE The Switch s factory default...

Page 28: ...pull down menu to enable or disable the Automatic Link Local Address When enabled the switch will automatically create an IPv6 link local address for the switch Once the user enables this feature and...

Page 29: ...has been successfully sent to these nodes with this specific IPv6 prefix the nodes will be considered reachable on the link local network Autonomous Flag Setting this field to Enabled will denote that...

Page 30: ...tacking From firmware release v2 00 of this Switch the xStack DGS 3400 series now supports switch stacking where a set of twelve switches can be combined to be managed by one IP address through Telnet...

Page 31: ...p Master is promoted to the Primary Master or if the Backup Master fails or is removed from the switch stack If both Primary and Backup masters fail or are removed from the Switch stack it will determ...

Page 32: ...e previous Primary Master to avoid conflict within the stack and the network itself If both the Primary Master and the Backup Master are removed the election process is immediately processed and a new...

Page 33: ...switch stack Auto will automatically assign a box number to the switch in the switch stack Priority Displays the priority ID of the Switch The lower the number the higher the priority The box switch w...

Page 34: ...configurations Ports configured for full duplex use 802 3x flow control half duplex ports use backpressure flow control and Auto ports use an automatic selection of the two The default is Disabled Lea...

Page 35: ...a master physical layer by a local source The slave setting 1000M Full_S uses loop timing where the timing comes form a data stream received from the master If one connection is set for 1000M Full_M...

Page 36: ...d and then the From and To pull down menu to choose a port or range of ports to describe Users may then enter a description for the chosen port s Click Apply to set the descriptions in the Port Descri...

Page 37: ...ndow allows the user to view the current configurations of all the ports on the Switch Use the drop down menu to select which unit to view To view this window click Administration Port Configuration P...

Page 38: ...sed to view detailed port information for individual ports on a particular unit Use the drop down menus to select the specific port of the unit you wish to view and click Find To view this window clic...

Page 39: ...e This window is used to display the port media type available on each unit To view a particular switch in the stack use the drop down menu to select the unit To view this window click Administration...

Page 40: ...ow click Administration Port Configuration Cable Diagnostics as shown below Figure 2 19 Cable Diagnostics window User Accounts Use the User Account Management window to control user privileges create...

Page 41: ...ivilege Admin Operator or User can be viewed in the Access Right field Click Show All User Account Entries to return to the User Accounts window Password Encryption Password Encryption Status can be E...

Page 42: ...be copied which receives the copies from the source port 2 Select the Source Direction Ingress Egress or Both and change the Status drop down menu to Enabled 3 Click Apply to let the changes take eff...

Page 43: ...for the mirroring function the primary master will disable the mirroring function for the whole stack 3 Stacking ports cannot be source ports or target mirror ports System Log This section contains i...

Page 44: ...y use the user level Facility Those Facilities that have been designated are shown in the following Bold font means the facility values that the Switch currently now Numerical Facility Code Facility 0...

Page 45: ...les in the box adjacent to this configuration field The user may set a time between 1 and 65535 minutes The default setting is one minute On Demand Users who choose this method will only save log file...

Page 46: ...sending the log entry or trap message as defined by the Severity Name Select critical to send only critical events to the Switch s log or SNMP agent Choose warning to send critical and warning events...

Page 47: ...om which the SNTP information will be taken SNTP Poll Interval in Seconds 30 99999 The interval in seconds between requests for updated SNTP information Current Time Set Current Time Year Enter the cu...

Page 48: ...start on From Day of Week Enter the day of the week that DST will start on From Month Enter the month DST will start on From Time in HH MM Enter the time of day that DST will start on To Which Day En...

Page 49: ...conds between notifications History size The maximum number of entries listed in the history log used for notification Up to 500 entries can be specified Port Settings To change MAC notification setti...

Page 50: ...he file transfer Upload Configuration Enter the IP address of the TFTP server and the path and filename for the switch settings on the TFTP server Click Start to record the IP address of the TFTP serv...

Page 51: ...emory and either can be configured to be the boot up firmware for the Switch For information regarding firmware images located on the Switch click the Firmware Information link The default setting wil...

Page 52: ...The Switch allows two firmware images to be stored in its memory and either can be configured to be the boot up firmware for the Switch The user may select a boot up firmware image for the Switch in...

Page 53: ...he ping program to keep sending ICMP Echo packets to the specified IP address until the program is stopped The user may opt to choose a specific number of times to ping the Target IP Address by clicki...

Page 54: ...size between 1 and 6000 bytes with a default setting of 100 bytes Timeout Select a timeout period between 1 and 10 seconds for this Ping message to reach its destination If the packet fails to find th...

Page 55: ...Displays the IPv6 address of the neighbor device Link Layer Address Displays the MAC address of the corresponding IPv6 device Interface Displays the Interface name associated with this IPv6 address St...

Page 56: ...ARP requests have been sent the configured static route will remain in a link down status The Switch also supports a floating static route which means that the user may create an alternative static ro...

Page 57: ...he IP address above Gateway Allows the entry of an IP address of a gateway for the IP route above Metric 1 65535 Allows the entry of a routing protocol metric representing the number of routers betwee...

Page 58: ...fy the address and mask information using the format as IPv6 address prefix length IPv6 address is hexadecimal number prefix length is decimal number for example 1234 5D7F 32 Clicking the default chec...

Page 59: ...ress Gratuitous ARP Learning This is used to enable disable updating ARP cache based on the received gratuitous ARP packet If a switch receives a gratuitous ARP packet it should add or update the ARP...

Page 60: ...re 2 46 Static ARP Settings window To add a new entry click the Add button revealing the following window to configure Figure 2 47 Static ARP Settings Add window To modify a current entry click the co...

Page 61: ...the previously saved configuration file present in the Switch s memory will be used To view this window click Administration DHCP Auto Configuration Settings as shown below Figure 2 49 DHCP Auto Confi...

Page 62: ...rmation Option 82 State This field can be toggled between Enabled and Disabled using the pull down menu It is used to enable or disable the DHCP Agent Information Option 82 on the Switch The default i...

Page 63: ...from the DHCP client Keep The option 82 field will be retained if the option 82 field already exists in the packet received from the DHCP client Click Apply to implement any changes that have been mad...

Page 64: ...rmat 1 2 3 4 5 6 7 1 6 0 4 VLAN Module Port 1 byte 1 byte 1 byte 1 byte 2 bytes 1 byte 1 byte a Sub option type b Length c Circuit ID type d Length e VLAN the incoming VLAN ID of DHCP client packet f...

Page 65: ...2 52 DHCP BOOTP Relay Interface Settings window The following parameters may be configured or viewed Parameter Description Interface The IP interface on the Switch that will be connected directly to t...

Page 66: ...same relay server and the same string can be specified with multiple relay servers The system will relay the packet to all the matching servers To view this window click Administration DHCP BOOTP Rela...

Page 67: ...out further process When relay is selected the packet will be relayed based on the relay rules Enter the IP Address of the entry you wish to configure Click Apply to implement changes made DHCP Relay...

Page 68: ...d network This device is known as the DHCP client and when enabled it will emit query messages on the network before any IP parameters are set When the DHCP server receives this request it returns a r...

Page 69: ...may set a time between 500 and 2000 milliseconds that the Switch will wait before timing out a ping packet The default setting is 500 milliseconds Click Apply to implement changes made DHCP Server Ex...

Page 70: ...12 alphanumeric characters into the Pool Name field and clicking Apply Once created users can modify the settings of a poll by clicking its corresponding Modify button To view the following window cl...

Page 71: ...st names to IP addresses within a general grouping of networks The user may establish up to three Net BIOS Name Servers NetBIOS Node Type This field will allow users to set the type of node server for...

Page 72: ...stated by its MAC address To view this window click Administration DHCP Server DHCP Server Dynamic Binding as shown below Figure 2 64 DHCP Server Dynamic Binding Table window The following parameters...

Page 73: ...aining on the lease for this IP address DHCP Server Manual Binding The following windows will allow users to view and set manual DHCP entries Manual DHCP entries will bind an IP address with the MAC a...

Page 74: ...bound to be filtered The DHCP Server Screening is used to configure the state of the function for filtering of DHCP server packets and to add or delete the DHCP server client binding entry This comma...

Page 75: ...scription State Used to Enable or Disable the Filter DHCP Server Port State Settings PortList Specifies the ports that will enable or disable the filter DHCP server Filter DHCP Server Port Settings Ac...

Page 76: ...orts on which the BPDU Tunneling will be enabled or disabled Type Use the drop down menu to select the configuration type Tunnel Specifies that the BPDU is received from a tunnel port this packets DA...

Page 77: ...n A switch can be have the role of an RSAPN VLAN intermediate switch as well as the role of source switch for another RSPAN VLAN Destination Switch The port which is directly connected to a network an...

Page 78: ...tion port for that RSPAN session Tx Source Ports The goal of Tx source ports is to monitor as much as possible all the packets sent by the source interface after all modification and processing is per...

Page 79: ...monitor as much as possible all the packets received by the source interface or VLAN before any modification or processing is performed by the switch A copy of each packet received by the source is se...

Page 80: ...e Switch allows groups of users to be listed and configured with a shared set of privileges The SNMP version may also be set for a listed group of SNMP managers Thus you may create a group of SNMP man...

Page 81: ...o enable and disable trap settings for the SNMP function on the Switch To view this window for configuration click Administration SNMP Manager SNMP Trap Settings as shown below Figure 2 73 SNMP Trap S...

Page 82: ...ption User Name An alphanumeric string of up to 32 characters This is used to identify the SNMP users Group Name This name is used to specify the SNMP group created can request SNMP messages SNMP Vers...

Page 83: ...evel will be used This is only operable when V3 is selected in the SNMP Version field and the Encrypted check box has been ticked This field will require the user to enter a password SHA Specifies tha...

Page 84: ...iew Table Configuration window The SNMP View created with this table maps SNMP users identified in the SNMP User Table to the views created in the previous window The following parameters can set Para...

Page 85: ...MP Manager SNMP Group Table as shown below Figure 2 79 SNMP Group Table window To delete an existing SNMP Group Table entry click the corresponding under the Delete heading To display the current sett...

Page 86: ...a combination of authentication and encrypting packets over the network Security Level The Security Level settings only apply to SNMPv3 NoAuthNoPriv Specifies that there will be no authorization and n...

Page 87: ...the group of MIB objects that a remote SNMP manager is allowed to access on the Switch The view name must exist in the SNMP View Table Access Right Read Only Specifies that SNMP community members usi...

Page 88: ...oAuth NoPriv security level V3 Auth NoPriv To specify that the SNMP version 3 will be used with an Auth NoPriv security level V3 Auth Priv To specify that the SNMP version 3 will be used with an Auth...

Page 89: ...k 802 3af capable devices The DGS 3426P includes the following PoE features Auto discovery recognizes the connection of a PD Powered Device and automatically sends power to it The Auto disable feature...

Page 90: ...user may configure a Power Limit between 37 and 370W for the DGS 3426P The default setting is 370W Disconnect Method The PoE controller uses either Deny next port or Deny low priority port to offset...

Page 91: ...rs should note that not all switches in the xStack DGS 3400 series support PoE yet when they are configured in a stack the Primary Master switch will display the PoE settings to be configured for the...

Page 92: ...onfigure the per port power limit If a port exceeds its power limit it will shut down Based on 802 3af 802 3at there are different PD classes and power consumption ranges Class 0 0 44 12 95W Class 1 0...

Page 93: ...utility running on it to retrieve and analyze the data it receives from the sFlow agent The Switch itself will collect three types of packet data 1 It will take sample packets from the normal running...

Page 94: ...emote sFlow Analyzer collector that will be used to gather and analyze sFlow Datagrams that originate from the Switch Users must have the proper sFlow software set on the Analyzer in order to receive...

Page 95: ...Analyzer Add window The following fields can be set or modified Parameter Description Analyzer Server 1 4 Enter an integer from 1 to 4 to denote the sFlow Analyzer to be added Up to four entries can b...

Page 96: ...this sampling mechanism will be sent Configured Rate Displays the configured rate of packet sampling for this port based on a multiple of 256 For example if a figure of 20 is in this field the switch...

Page 97: ...packets 20 x 256 5120 that pass through the individual port Users may enter a value between 1 and 65535 An entry of 0 disables the packet sampling Since this is the default setting users are reminded...

Page 98: ...window will be produced for the user to configure Delete Click the corresponding button of the entry to be deleted To delete all the entries in the table click the Clear All button To add a new sFlow...

Page 99: ...ng fields may be set Parameter Description IP Multicast VLAN Replication State Enable or Disable the IP Multicast VLAN Replication State on the Switch TTL TTL specifies whether to decrease the time to...

Page 100: ...ation entry The traffic is described by a source VLAN a list of Multicast Group addresses and an optional source IP address associated with the multicast group Figure 2 99 IP Multicast VLAN Replicatio...

Page 101: ...tination entries can be defined and each destination entry specifies the VLAN and the outgoing port on which the traffic will be replicated The outgoing port must be a member port of the VLAN whether...

Page 102: ...1 32 not including the Commander Switch numbered 0 There is no limit to the number of SIM groups in the same IP subnet broadcast domain however a single switch can only belong to one group If multiple...

Page 103: ...provements have been made including 1 The Commander Switch CS now has the capability to automatically rediscover member switches that have left the SIM group either through a reboot or web malfunction...

Page 104: ...nfigurations on switches within the Single IP Group users can upload identical configuration files to the Single IP Group using the Configuration File Backup Restore window located under the Single IP...

Page 105: ...This parameter may be set for the time in seconds the Switch will hold information sent to it from other switches utilizing the Discovery Interval The user may set the hold time from 100 to 255 second...

Page 106: ...nnection speed between the CS and the MS or CaS Remote Port Displays the number of the physical port on the MS or CaS to which the CS is connected The CS will have no entry in this field MAC Address D...

Page 107: ...96 Icon Description Group Layer 2 commander switch Layer 3 commander switch Commander switch of other group Layer 2 member switch Layer 3 member switch Member switch of other group Layer 2 candidate...

Page 108: ...ion Setting the mouse cursor over a specific device in the topology window tool tip will display the same information about a specific device as the Tree view does See the window below for an example...

Page 109: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 98 Figure 2 106 Port Speed Utilizing the Tool Tip...

Page 110: ...escription Device Name This field will display the Device Name of the switches in the SIM group configured by the user If no Device Name is configured by the name it will be given the name default and...

Page 111: ...e group information Member Switch Icon Figure 2 110 Right clicking a Member icon The following options may appear for the user to configure Collapse to collapse the group that will be represented by a...

Page 112: ...nfigurations as seen below Figure 2 113 Menu Bar of the Topology View The five menus on the menu bar are as follows File Print Setup will view the image to be printed Print Topology will print the top...

Page 113: ...where the firmware resides and enter the Path Filename of the firmware Click Download to initiate the file transfer Figure 2 116 Firmware Upgrade window Configuration Backup Restore This window is use...

Page 114: ...rom SIM member switches to a specified PC To upload a log file enter the IP address of the SIM member switch and then enter the path on your PC to which to save this file Click Upload to initiate the...

Page 115: ...mains A VLAN is a collection of end nodes grouped by logic instead of physical location End nodes that frequently communicate with each other are assigned to the same VLAN regardless of where they are...

Page 116: ...be configured as either tagging or untagging The untagging feature of IEEE 802 1Q VLANs allows VLANs to work with legacy switches that don t recognize VLAN tags in packet headers The tagging feature...

Page 117: ...g 4094 unique VLANs can be identified The tag is inserted into the packet header making the entire packet longer by 4 octets All of the information originally contained in the packet is retained Figur...

Page 118: ...enabled will put the VID number priority and other VLAN information into the header of all packets that flow into and out of it If a packet has previously been tagged the port will not alter the pack...

Page 119: ...n Port 1 that is a member of VLAN 2 If the destination lies on another port found through a normal forwarding table lookup the Switch then looks to see if the other port Port 10 is a member of VLAN 2...

Page 120: ...ries window lists all previously configured VLANs by VLAN ID and VLAN Name To delete an existing 802 1Q VLAN click the corresponding button under the Delete heading To create a new 802 1Q VLAN click t...

Page 121: ...N name in the Modify window Advertisement Enabling this function will allow the Switch to send out GVRP packets to outside sources notifying that they may join the existing VLAN Port Settings Allows a...

Page 122: ...P enables the port to dynamically become a member of a VLAN GVRP is Disabled by default Ingress Check This field can be toggled using the space bar between Enabled and Disabled Enabled enables the por...

Page 123: ...s side Not only will over complication be avoided but also now the administrator has over 4000 VLANs in which over 4000 VLANs can be placed therefore greatly expanding the VLAN network and enabling gr...

Page 124: ...rresponding TPID on the Service Provider s edge switch 2 All ports must be configured as Access Ports or Uplink ports Access ports can only be Ethernet ports while Uplink ports must be Gigabit ports 3...

Page 125: ...11 Double VLAN State Settings window Parameters shown in the previous window are explained below Parameter Description Double VLAN State Use the pull down menu to enable or disable the Double VLAN fu...

Page 126: ...ider VLANs on a remote source Access Ports These are the ports that are set as access ports on the Switch Access ports are for connecting Switch VLANs to customer VLANs Unknown Ports These are the por...

Page 127: ...e the Tagged Protocol ID of the Service Provider VLAN in hex form Port Type Allows the user to choose the type of port being utilized by the Service Provider VLAN The user may choose Access Access por...

Page 128: ...ly Parameter Description MAC Address Specify the MAC address to be reauthenticated by entering it into the MAC Address field VLAN Name Enter the VLAN name of a previously configured VLAN Click Find Ad...

Page 129: ...protocol group which is identified by an ID number Once the group has been created and configured then users must add it to a port or set of ports using the Protocol VLAN Port Settings window and con...

Page 130: ...3 SNAP Choose this parameter if you wish this protocol group to employ the Sub Network Access Protocol SNAP frame type For this frame type the protocol is identified by the 16 bit 2 octet IEEE802 3 ty...

Page 131: ...or which to add or remove from the selected ports Ticking the Select All Groups check box will apply all Protocol VLAN groups to the ports listed in the Port List field VLAN ID VLAN Name Use this fiel...

Page 132: ...runk Groups Port trunk groups are used to combine a number of ports together to make a single high bandwidth data pipeline DGS 3400 Series supports up to 32 port trunk groups with 2 to 8 ports in each...

Page 133: ...e enabled on the trunk group Further the LACP aggregated links must all be of the same speed and should be configured as full duplex The Master Port of the group is to be configured by the user and al...

Page 134: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 123 Figure 3 22 Link Aggregation Group Configuration window...

Page 135: ...olute backup aggregation group that is not under automatic control Master Port Choose the Master Port for the trunk group using the pull down menu Unit Select the switch in the switch stack to be modi...

Page 136: ...nd select the Link Aggregation Algorithm located on that web page The description for this function may be found in the explanation for the Device Information window located earlier in this manual LAC...

Page 137: ...rameter Description Unit Select the switch in the switch stack to be modified From To A consecutive group of ports may be configured starting with the selected port Mode Active Active LACP ports are c...

Page 138: ...es and an IGMP host When enabled for IGMP snooping the Switch can open or close a port to a specific device based on IGMP messages passing through the Switch In order to use IGMP Snooping it must firs...

Page 139: ...g an IGMP response report The Max Response Time field allows an entry between 1 and 25 seconds Default 10 Robustness Variable Adjust this variable according to expected packet loss If packet loss on t...

Page 140: ...tings Click the Show All IGMP Snooping Entries link to return to the IGMP Snooping Settings window Router Port Settings A static router port is a port that has a multicast router attached to it Genera...

Page 141: ...k this option to not set these ports as router ports Static Click this option to designate a range of ports as being connected to a multicast enabled router This command will ensure that all packets w...

Page 142: ...nter the appropriate information and click Find to display all current entries on the Switch click View All To add a new entry click Add the following window will be displayed Figure 3 30 IGMP Static...

Page 143: ...the multicast traffic is entering the switch and then set the ports where the incoming multicast traffic is to be sent The source port cannot be a recipient port and if configured to do so will cause...

Page 144: ...Multicast VLAN Settings window Add Enter a name for the ISM VLAN into the VLAN Name field and choose a VID between 2 and 4094 Entries in these two fields must not have been previously configured on th...

Page 145: ...oping Multicast VLAN Table which will reveal the following window to be configured Figure 3 35 IGMP Snooping Multicast VLAN Group List Settings Enter an existing VLAN Name and range and click Add To r...

Page 146: ...escription Unit Select the switch in the switch stack to be modified From To Enter the port range for which to begin the Limited IP Multicast Range configuration Enter the multicast IP range of addres...

Page 147: ...wo types of MLD query messages emitted by the router The General Query is used to advertise all multicast addresses that are ready to send multicast data to all listening ports and the Multicast Speci...

Page 148: ...eners The Max Response Time field allows an entry between 1 and 25 seconds Default 10 Robustness Variable Provides fine tuning to allow for expected packet loss on a subnet The user may choose a value...

Page 149: ...are no more listeners present of a group on a network Calculated as robustness variable query interval 1 query interval Querier Present Interval The amount of time that must pass before a multicast ro...

Page 150: ...router attached to them There are four options for which to configure these ports None Click this option to not set these ports as router ports Static Click this option to designate a range of ports...

Page 151: ...the port from where it originated the loop back detection function will disable this port until the anomaly has ceased and the loop back occurrence will be noted in the Switch s log Once the loop bac...

Page 152: ...r a time in seconds that a port will have to wait before being recovered from a loop back detection shutdown The user may set a time between 60 and 1000000 seconds with a default setting of 60 seconds...

Page 153: ...TP Bridge Global Settings window 3 A 4096 element table defined here as a VID List in the MST Configuration Identification window which will associate each of the possible 4096 VLANs supported by the...

Page 154: ...col introduces two new variables the edge port and the point to point P2P port Edge Port The edge port is a configurable designation used for a port that is directly connected to a segment where a loo...

Page 155: ...tings This window is used to configure the STP Bridge Global Settings on the Switch To view this window click L2 Features Spanning Tree STP Bridge Global Settings as shown below Figure 3 42 STP Bridge...

Page 156: ...can be set from 1 to 10 seconds If the inputted Hello Time is more than 2 the Hello Time is also 2 This is the interval between two transmissions of BPDU packets sent by the Root Bridge to tell all o...

Page 157: ...he count can be specified from 1 to 10 The default is 6 Forwarding BPDU This field can be Enabled or Disabled When Enabled it allows the forwarding of STP BPDU packets from other network devices The d...

Page 158: ...onfigured name set on the Switch to uniquely identify the MSTI Multiple Spanning Tree Instance If a configuration name is not set this field will show the MAC address to the device running MSTP This f...

Page 159: ...ure the following parameters to configure the CIST on the Switch Parameter Description MSTI ID The MSTI ID of the CIST is 0 and cannot be altered Type This field allows the user to choose a desired me...

Page 160: ...nt changes made MSTP Port Information This window displays the current MSTP Port Information and can be used to update the port configuration for an MSTI ID If a loop occurs the MSTP function will use...

Page 161: ...ng is 0 auto There are two options 0 auto Selecting this parameter for the internalCost will set quickest route automatically and optimally for an interface The default value is derived from the media...

Page 162: ...itch Instance Status Displays the current status of the corresponding MSTI ID Instance Priority Displays the priority of the corresponding MSTI ID The lowest priority will be the root bridge Click App...

Page 163: ...s may be configured starting with the selected port External Cost This defines a metric that indicates the relative cost of forwarding packets to the specified port list Port cost can be set automatic...

Page 164: ...True and False to set the restricted role state of the packet The default value is False Restricted Tcn Toggle between True and False to set the restricted TCN of the packet The default value is Fals...

Page 165: ...o be modified VID The VLAN ID of the VLAN the corresponding MAC address belongs to Multicast MAC Address The MAC address of the static source of multicast packets This must be a multicast MAC address...

Page 166: ...ch to forward a multicast packet whose destination is an unregistered multicast group residing within the range of ports specified above Filter Unregistered Groups This will instruct the Switch to fil...

Page 167: ...ther stations attached to the same IEEE 802 LAN Message TX Interval 5 32768 This interval controls how often active ports retransmit advertisements to their neighbors To change the packet transmission...

Page 168: ...neighbor To set the LLDP Notification Interval enter a value in seconds 5 to 3600 Click Apply to implement changes made Basic LLDP Port Settings This window is used to display the LLDP port settings...

Page 169: ...gent can only receive LLDP frames TX_and_RX The local LLDP agent can both transmit and receive LLDP frames Disabled The local LLDP agent can neither transmit nor receive LLDP frames The default value...

Page 170: ...Figure 3 60 802 1 Extension LLDP Port Settings window The following parameters can be set...

Page 171: ...The default state is Disabled Protocol Identify Use the drop down menu to enable or disable the advertise Protocol Identity Select the protocol you wish to use EAPOL LACP GVRP STP or All This TLV opti...

Page 172: ...nfigured MAC PHY Configuration Status This function indicates that the LLDP agent should transmit MAC PHY configuration status TLV It is possible for two ends of an IEEE 802 3 link to be configured wi...

Page 173: ...tion indicates that LLDP agents should transmit Link Aggregation TLV This indicates the current link aggregation status of IEEE 802 3 MACs More precisely the information should include whether the por...

Page 174: ...elect a range of ports to be configured Address Type Use the drop down menu to select either the IPv4 or IPv6 Address IPv4 IPv6 is a management IP so the IP information will be sent with the frame whe...

Page 175: ...neighbor detection activity LLDP Statistics and the settings for individual ports on the Switch Use the drop down menu to check a specific unit the information will be displayed in the lower half of t...

Page 176: ...following parameters can be set or displayed Parameter Description Address Type Use the drop down menu to toggle between IPV4 Address and IPV6 Address Address Enter the LLDP management address in this...

Page 177: ...Figure 3 65 LLDP Local Port Table window To view Normal or Detailed information on a per port basis click the corresponding View button which will display...

Page 178: ...Figure 3 66 LLDP Local Port Table View Normal window To return to the previous window click the Show LLDP Local Port Brief Table button To view details of individual parameters click the hyper...

Page 179: ...l Port Information window click the Show LLDP Local Port Normal Table button LLDP Remote Port Table This window displays port information learned from the neighbor The Switch receives packets from a r...

Page 180: ...e displayed in the lower half of the table To view the settings for an individual port select the port and click View Normal which will display the following window Figure 3 69 LLDP Remote Port Table...

Page 181: ...ame service provider network may have VLAN ranges that overlap which might cause traffic to become mixed up So assigning a unique range of VLAN IDs to each customer might cause restrictions on some of...

Page 182: ...cation between the specified user and a specified network will occur NNI To select a network to network interface specifies that communication between two specified networks will occur Missdrop Enable...

Page 183: ...ich the tagged packets will be added Action Specify if you want SPVID packets to be added or replaced SVID 1 4094 This configures the VLAN to join the Service Providers VLAN as a tagged member Priorit...

Page 184: ...02 1p standard that allows network administrators a method of reserving bandwidth for important functions that require a large bandwidth or have a high priority such as VoIP voice over Internet Protoc...

Page 185: ...ckets being sent out utilizing the Access Profile commands Then on the receiving end the administrator instructs the Switch to examine packets for this tag acquires the tagged packets and maps them to...

Page 186: ...e assigned weight For a configuration of 8 CoS queues A H with their respective weight value 8 1 When each queue has 10 outbound packets they are sent in the following sequence A1 B1 C1 D1 E1 F1 G1 H1...

Page 187: ...o the highest The highest priority tag 7 is generally only used for data associated with video or audio applications which are sensitive to even slight delays or for data from specified end users whos...

Page 188: ...m To A consecutive group of ports may be configured starting with the selected port Type This drop down menu allows a selection between RX receive TX transmit and Both This setting will determine whet...

Page 189: ...ion careful consideration should be given to how network traffic in lower priority queues is affected Changes in scheduling may result in unacceptable levels of packet loss or significant transmission...

Page 190: ...ecks can quickly develop if the QoS settings are not suitable To view this window click QoS QoS Output Scheduling as shown below Figure 4 4 QoS Output Scheduling window The following values may be ass...

Page 191: ...with a 0 in its Max Packet field this class of service will automatically begin forwarding packets until it is empty Once a priority class of service with a 0 in its Max Packet field is empty the rem...

Page 192: ...e numbered from 0 the lowest priority to 7 the highest priority To view this window click QoS 802 1p Default Priority as shown below Figure 4 6 802 1p Default Priority window The user may adjust the f...

Page 193: ...implement changes made 802 1p User Priority The xStack DGS 3400 Series allows the assignment of a class of service to each of the 802 1p priorities To view this window click QoS 802 1p User Priority a...

Page 194: ...Commands To view this window click ACL Time Range as shown below Figure 5 1 Time Range Settings window The user may adjust the following parameters to configure a time range on the Switch Parameter D...

Page 195: ...MAC source address or the IP destination address The second part is entering the criteria the Switch will use to determine what to do with the frame The entire process is described below in two parts...

Page 196: ...ch to examine the packet header VLAN Selecting this option instructs the Switch to examine the VLAN identifier of each packet header and use this as the full or partial criterion for forwarding Source...

Page 197: ...ruct the Switch to examine the IPv6 address in each frame s header Select Packet Content to instruct the Switch to examine the packet header Source IP Mask Enter an IP address mask for the source IP a...

Page 198: ...ket that determine what to do with the packet The user may filter packets by filtering certain flag bits within the packets by checking the boxes corresponding to the flag bits of the TCP field The us...

Page 199: ...cket header Class Checking this field will instruct the Switch to examine the class field of the IPv6 header This class field is a part of the packet header that is similar to the Type of Service ToS...

Page 200: ...ddress IP address packet content mask or IPv6 This will change the menu according to the requirements for the type of profile Select Ethernet to instruct the Switch to examine the layer 2 part of each...

Page 201: ...Apply to implement changes made To view the settings for a created profile click its corresponding button in the Access Profile Table window revealing the following window Figure 5 10 Access Profile E...

Page 202: ...nd a target port must be set Access ID Type in a unique identifier number for this access This value can be set from 1 to 128 Auto Assign Checking this field will instruct the Switch to automatically...

Page 203: ...rror message and the access rule will not be configured The port list is specified by listing the lowest switch number and the beginning port number on that switch separated by a colon Then the highes...

Page 204: ...Access Rule for IP open the Access Profile Table window and click Modify for an IP entry This will open the following window Figure 5 14 Access Rule Table window IP To create a new rule set for an ac...

Page 205: ...utomatically assign an Access ID for the rule being created Type Specifies the type of profile that is being created Priority 0 7 This parameter is specified if you want to re write the 802 1p default...

Page 206: ...The port list is specified by listing the lowest switch number and the beginning port number on that switch separated by a colon Then the highest switch number and the highest port number of the rang...

Page 207: ...Rule Display window IP To configure the Access Rule for IPv6 open the Access Profile Table window and click Modify for an IPv6 entry This will open the following window Figure 5 17 Access Rule Table...

Page 208: ...determine the CoS queue to which packets are forwarded to Once this field is specified packets accepted by the Switch that match this priority are forwarded to the CoS queue specified previously by th...

Page 209: ...specifies switch number 1 port 3 2 4 specifies switch number 2 port 4 1 3 2 4 specifies all of the ports between switch 1 port 3 and switch 2 port 4 in numerical order Entering all will denote all po...

Page 210: ...the Packet Content Mask adjust the following parameters and click Apply Parameter Description Profile ID This is the identifier number for this profile set Mode Select Permit to specify that the pack...

Page 211: ...r a value in hex form to mask the packet from the end of the second chunk to the end of the third chunk Chunk 4 Enter a value in hex form to mask the packet from the end of the third chunk to the end...

Page 212: ...the packet flow exceeds the PIR that packet flow is marked red The PIR must be configured to be equal or more than that of the CIR PBS Peak Burst Size Measured in bytes the PBS is associated with the...

Page 213: ...tting in the access profile will be disabled Users may only enable two counters for one flow meter at any given time To view this window click ACL ACL Flow Meter as shown below Figure 5 23 ACL Flow Me...

Page 214: ...t or below this level will be considered green IP flow rates that exceed this rate but not the PIR rate are considered yellow PIR The Peak information Rate IP flow rates that exceed this setting will...

Page 215: ...n marked as a color based on the following fields Conform This field denotes the green packet flow Green packet flows may have their DSCP field rewritten to a value stated in this field Users may also...

Page 216: ...ng mechanism to be enabled or disabled globally permitting the user to create various lists of rules without immediately enabling them Creating an access profile for the CPU is divided into two basic...

Page 217: ...ation windows by using the Type drop down menu The window shown below is the Ethernet CPU Interface Filtering Configuration window Figure 5 28 CPU Interface Filtering Configuration window Ethernet Par...

Page 218: ...ucts the Switch to examine the Ethernet type value in each frame s header Click Apply to set this entry in the Switch s memory To view the settings of a previously correctly created profile click in t...

Page 219: ...will apply an ICMP type value or specify Code to further specify that the access profile will apply an ICMP code value Select IGMP to instruct the Switch to examine the Internet Group Management Proto...

Page 220: ...Figure 5 31 CPU Interface Filtering Entry Display window IP The window shown below is the Packet Content Mask configuration window Figure 5 32 CPU Interface Filtering C...

Page 221: ...hide the content of the packet header Select IPv6 to instruct the Switch to examine the IPv6 address in each frame s header Offset This field will instruct the Switch to mask the packet header beginn...

Page 222: ...e Ethernet IP IPv6 or Packet Content Each entry will open a new and unique window as shown in the examples below Figure 5 35 CPU Interface Filtering Table Ethernet To create a new rule set for an acce...

Page 223: ...Address for the source MAC address Destination MAC Destination MAC Address Enter a MAC Address mask for the destination MAC address Ethernet Type Specifies that the access profile will apply only to p...

Page 224: ...match the access profile are forwarded by the Switch according to any additional rule added see below Select Deny to specify that packets that match the access profile are not forwarded by the Switch...

Page 225: ...configured in the Time Range Settings window This will set specific times when this access rule will be implemented on the Switch To view the settings of a previously correctly configured rule click i...

Page 226: ...To remove a previously created rule select it and click the button To add a new Access Rule click the Add Rule button Figure 5 42 CPU Interface Filtering Rule Confi...

Page 227: ...value in hex form to mask the packet from the beginning of the packet to the 15th byte value 16 31 Enter a value in hex form to mask the packet from byte 16 to byte 31 value 32 47 Enter a value in hex...

Page 228: ...Figure 5 44 CPU Interface Filtering Rule Table window IPv6 To remove a previously created rule select it and click the button To add a new Access Rule click the Add Rule button Figure 5 45...

Page 229: ...rt of the packet header that is similar to the Type of Service ToS or Precedence bits field in IPv4 Flow Label 0 FFFFF This field will instruct the Switch to examine the flow label field of the IPv6 h...

Page 230: ...Access Authentication Control MAC based Access Control MAC Safeguard Engine Traffic Segmentation SSL SSH Compound Authentication Japanese WAC JWAC Authorization Network State Settings This window is...

Page 231: ...ified using the Countdown field Figure 6 2 Traffic Control Settings window If this field times out and the packet storm continues the port will be placed in a Shutdown Forever mode which will produce...

Page 232: ...er setting at the top of this window Choosing this option obligates the user to configure the Interval setting as well which will provide packet count samplings from the Switch s chip to determine if...

Page 233: ...rts from connecting to the Switch s locked ports and gaining access to the network To view this window click Security Port Security Port Security Entries as shown below Figure 6 3 Port Security Settin...

Page 234: ...earned by the Switch can be deleted Once the entry has been defined by entering the correct information into the window above click the under the Delete heading of the corresponding MAC address to be...

Page 235: ...ddress manually and cause conflict with other resources such as other PCs core switches routers or servers Not only does this duplicate IP create an auditing issue it also poses potential risk to the...

Page 236: ...d DHCP server s IP MAC pair must be configured on the switch s IMPB white list first otherwise the DHCP server packets will be dropped DHCP snooping is generally considered to be more secure because i...

Page 237: ...Use the pull down menu to enable or disable the DHCP Snooping option for IP MAC Binding Once this is enabled the Switch will automatically learn IP MAC pairs from snooping the DHCP packets and save t...

Page 238: ...ill stay blocked While the Strict state uses more CPU resources from checking every incoming ARP and IP packet it enforces better security and is thus the recommended setting Enabled Loose This mode p...

Page 239: ...ked by the Switch it will be recorded in the Switch s L2 Forwarding Database FDB and associated with a particular port To prevent the Switch FDB from overloading in case of an ARP DoS attack the admin...

Page 240: ...ew entry click Find to search for an entry click View All to display all entries and click Delete All to remove all entries on the window DHCP Snooping Entries This window is used to view DHCP Snoopin...

Page 241: ...based access control model This is accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN EAPOL packets between...

Page 242: ...tication Server and the Client The Authenticator serves two purposes when utilizing 802 1X The first purpose is to request certification information from the Client through EAPOL packets which is the...

Page 243: ...Process The D Link implementation of 802 1X allows network administrators to choose between two types of Access Control used on the Switch which are 1 Port Based Access Control This method requires o...

Page 244: ...Configuration Once the connected device has successfully been authenticated the Port then becomes Authorized and all subsequent traffic on the Port is not subject to access control restriction until...

Page 245: ...order to successfully make use of 802 1X in a shared media LAN segment it would be necessary to create logical Ports one for each attached device that required access to the LAN The Switch would regar...

Page 246: ...te RADIUS Server or local authentication on the Switch to be placed in a fully operational VLAN If authenticated and the authenticator possesses the VLAN placement information that client will be accep...

Page 247: ...t of the Guest VLAN Be sure that these ports are configured for this VLAN or users will be prompted with an error message Disabled ports Selecting this option will disable ports listed in the Port Lis...

Page 248: ...h The user may toggle between switches in the switch stack by using the Unit pull down menu To view this window click Security 802 1X Configure 802 1X Authenticator Parameter as shown below Figure 6 2...

Page 249: ...tate Select forceAuthorized to disable 802 1X and cause the port to transition to the authorized state without any authentication exchange required This means the port transmits and receives normal tr...

Page 250: ...he Switch will retransmit an EAP Request to the client before it times out of the authentication sessions The default setting is 2 ReAuthPeriod 1 65535 A constant that defines a nonzero number of seco...

Page 251: ...mum number of users to be allowed Check the No Limit check box to specify that there will be the maximum number of users By default there is no limit User Name Enter the User Name of the new profile t...

Page 252: ...e From and To field Then the user must specify the MAC address to be initialized by entering it into the MAC Address field and ticking the corresponding check box To begin the initialization click App...

Page 253: ...enticate Port window NOTE The user must first globally enable 802 1X in the DGS 3400 Web Management Tool window before initializing ports Information in the Initialize Ports Table cannot be viewed bef...

Page 254: ...h ForceUnauth and N A BackendState The Backend State will display one of the following Request Response Success Fail Timeout Idle Initialize and N A PortStatus The status of the controlled port can be...

Page 255: ...ounting Port Set the RADIUS account server s UDP port The default port is 1813 Key Set the key the same as that of the RADIUS server Confirm Key Confirm the shared key is the same as that of the RADIU...

Page 256: ...entication based on a local database or be a RADIUS client and perform the authentication process via the RADIUS protocol with the remote RADIUS server To the right there is an example of the basic si...

Page 257: ...ate is Disabled Redirection Path Enter a redirection path that the client will be redirected to after successful authentication When the string is cleared the client will not be redirected to another...

Page 258: ...uration RADIUS Authorization Specifies to Enable or Disable RADIUS Authorization Local Authorization Specifies to Enable or Disable Local Authorization Click Apply to implement changes made WAC Port S...

Page 259: ...From To Enter the range of ports you wish to configure State Enable or Disable the WAC port settings on the specified ports Aging Time 1 1440 min This parameter specifies the period of time a host wi...

Page 260: ...specifies the period of time a host will keep in a blocked state after it fails to authenticate Enter a value between 0 and 300 seconds The default setting is 0 seconds Click Apply to implement change...

Page 261: ...ng Confirmation Confirm the new password entered above Entering a different password here from the one set above will result in a fail message VLAN Name Enter a VLAN to be associated with the WAC acco...

Page 262: ...that if one or more trusted hosts are enabled the Switch will immediately accept remote instructions from only the specified IP address or addresses If you enable this feature be sure to first enter t...

Page 263: ...n the Switch The server will not accept the username and password and the user is denied access to the Switch The server doesn t respond to the verification query At this point the Switch receives the...

Page 264: ...ween 0 and 255 seconds The default setting is 30 seconds User Attempts 1 255 This command will configure the maximum number of times the Switch will accept authentication attempts Users failing to be...

Page 265: ...d List configured by the user See the Enable Method Lists window in this section for more information Click Apply to implement changes made Authentication Server Group This window will allow users to...

Page 266: ...r specific protocol on a remote centralized server before this function can work properly NOTE The three built in server groups can only have server hosts running the same TACACS daemon TACACS XTACACS...

Page 267: ...s parameter if the server host utilizes the TACACS protocol RADIUS Enter this parameter if the server host utilizes the RADIUS protocol Port 1 65535 Enter a number between 1 and 65535 to define the vi...

Page 268: ...CS list the local account database set in the Switch is used to authenticate the user When the local method is used the privilege level will be dependant on the local account privilege configured on t...

Page 269: ...this parameter will require no authentication to access the Switch Enable Method Lists This window is used to set up Method Lists to promote users with user level privileges to Administrator Admin lev...

Page 270: ...wn below Figure 6 45 Enable Method Lists window To delete an Enable Method List defined by the user click the under the Delete heading corresponding to the entry desired to be deleted To modify an Ena...

Page 271: ...from a remote TACACS server server_group Adding a previously configured server group will require the user to be authenticated using a user defined server group previously configured on the Switch Cl...

Page 272: ...rver groups local enable local account on the Switch or no authentication none Because XTACACS and TACACS do not support the enable function the user must create a special account on the server host w...

Page 273: ...regarding events occurring on the Switch The following is a list of information that will be sent to the RADIUS server when an event triggers the Switch to send these informational packets Account Se...

Page 274: ...ackets to a remote RADIUS server when a user either logs in logs out or times out on the Switch using the console Telnet or SSH System When enabled the Switch will send informational packets to a remo...

Page 275: ...the Switch Once a MAC address has been discovered by the Switch the Switch will then query the remote RADIUS server with this potential MAC address using a RADIUS Access Request packet If a match is...

Page 276: ...Figure 6 51 MAC based Access Control Global Settings window...

Page 277: ...perlinked Guest VLAN ID will send the Web manager to Guest VLAN configuration window for MAC based Authentication Guest VLAN Member Ports Displays the list of ports that have been configured for the G...

Page 278: ...following window is used to set a list of MAC addresses along with their corresponding target VLAN which will be authenticated for the Switch Once a queried MAC address is matched in this table it wil...

Page 279: ...f the flooding has stopped the Switch will again begin accepting all packets Yet if the checking shows that there continues to be too many packets flooding the Switch it will stop accepting all ARP an...

Page 280: ...Description State Use the pull down menu to globally enable or disable Safeguard Engine settings for the Switch Rising Threshold 20 100 Used to configure the acceptable level of CPU utilization befor...

Page 281: ...affic segmentation is used to limit traffic flow from a single port to a group of ports This method of segmenting the flow of traffic is similar to using VLANs to limit traffic but is more restrictive...

Page 282: ...d for encrypting the messages sent between client and host The Switch supports two types of cryptology algorithms Stream Ciphers There are two types of stream ciphers on the Switch RC4 with 40 bit key...

Page 283: ...lgorithms and key sizes to be used for an authentication session The Switch possesses four possible ciphersuites for the SSL function which are all enabled by default To utilize a particular ciphersui...

Page 284: ...ment of this Switch and need to be configured using the command line interface NOTE Enabling the SSL command will disable the web based switch management To log on to the Switch again the header of th...

Page 285: ...ly access the Switch The default setting is 8 Connection TimeOut 120 600 Allows the user to set the connection timeout The user may set a time between 120 and 600 seconds The default setting is 120 se...

Page 286: ...d Algorithm Settings window The following algorithms may be set Parameter Description Authentication Algorithm Password This field may be Enabled or Disabled to choose if the administrator wishes to u...

Page 287: ...is Enabled Cast128 CBC Use the pull down to enable or disable the Cast128 encryption algorithm with Cipher Block Chaining The default is Enabled Twofish128 Use the pull down to enable or disable the...

Page 288: ...ser To configure the parameters for a SSH user click on the hyperlinked User Name in the Current Accounts window which will reveal the following window to configure NOTE To set the SSH User Authentica...

Page 289: ...r a password and then to re type the password for confirmation Public Key This parameter should be chosen if the administrator wishes to use the public key on a SSH server for authentication Host Name...

Page 290: ...set Parameter Description Unit Choose the Unit ID of the switch in the switch stack you wish to configure From To Select a port or range of ports to be configured Authorized Mode Use the drop down me...

Page 291: ...ds need to be passed If either authentication method fails the client will be denied access Click Apply to implement changes made Authentication Guest VLAN Settings This window is used to display and...

Page 292: ...s window to enable and configure Japanese Web based Access Control on the Switch Please note that JWAC and Web Authentication are mutually exclusive functions That is they cannot be enabled at the sam...

Page 293: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 282 Figure 6 69 JWAC Global State Configuration window...

Page 294: ...authentication When redirect is disabled only access to the quarantine server and the JWAC login page from the unauthenticated host are allowed all other web access will be denied NOTE When enabling...

Page 295: ...ver URL If the Redirect is enabled and the Redirect Destination is the Quarantine Server when an unauthenticated host sends the HTTP request packets to a random Web server the Switch will handle this...

Page 296: ...DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 285 Figure 6 70 JWAC Port Table Parameter window To configure individual JWAC port settings click the Add button the following window will be di...

Page 297: ...st Lists the range of Ports that will be configured in this window State This parameter specifies the state of the configured ports Mode Use the drop down menu to select the mode choose either Port Ba...

Page 298: ...made JWAC User Account This window is used to configure JWAC user accounts on the Switch To view this window click Security JWAC JWAC User Account as shown below Figure 6 73 JWAC User Accounts window...

Page 299: ...1 4094 Enter the VLAN ID of the Account you wish to create Old Password Enter the original password of the user This field is case sensitive and must be a complete alphanumeric string New Password En...

Page 300: ...language settings on the Switch Use the drop down menu to select either English or Japanese and click Apply To view this window click Security JWAC JWAC Customize Page Language Settings as shown below...

Page 301: ...MAC Based Control Authentication Status Device Status This window displays the status of the physical attributes of the Switch including power sources and fans To view this window click Monitoring Dev...

Page 302: ...ed through their optional Stacking Modules information about the resulting switch stack is displayed under the Stack Information link To view this window click Monitoring Stacking Information as shown...

Page 303: ...f the Switch stack Backup Master Displays the Unit ID of the Backup Master of the switch stack Box Count Displays the number of switches in the switch stack Stacking Device This window is used to disp...

Page 304: ...CPU utilization by port use the real time graphic of the Switch and or switch stack at the top of the web page by simply clicking on a port Click Apply to implement the configured settings The window...

Page 305: ...he Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack a...

Page 306: ...to view these statistics for first select the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time...

Page 307: ...Packets Counts the number of packets received on the port Unicast Counts the total number of good packets that were received by a unicast address Multicast Counts the total number of good packets that...

Page 308: ...nd then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the window by simply clicking on a port To view thi...

Page 309: ...ue is 200 Unicast Counts the total number of good packets that were received by a unicast address Multicast Counts the total number of good packets that were received by a multicast address Broadcast...

Page 310: ...and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or switch stack at the top of the web page by simply clicking on a port To view...

Page 311: ...ort Packets Counts the number of packets successfully sent on the port Unicast Counts the total number of good packets that were transmitted by a unicast address Multicast Counts the total number of g...

Page 312: ...rst select the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user may also use the real time graphic of the Switch and or sw...

Page 313: ...normal network occurrence OverSize Counts valid packets received that were longer than 1518 octets and less than the MAX_PKT_LEN Internally MAX_PKT_LEN is equal to 1536 Fragment The number of packets...

Page 314: ...icking this button instructs the Switch to display a line graph rather than a table Transmitted TX To select a port to view these statistics for first select the Switch in the switch stack by using th...

Page 315: ...undary LateColl Counts the number of times that a collision is detected later than 512 bit times into the transmission of a packet ExColl Excessive Collisions The number of packets for which transmiss...

Page 316: ...re offered To select a port to view these statistics for first select the Switch in the switch stack by using the Unit pull down menu and then select the port by using the Port pull down menu The user...

Page 317: ...t including FCS octets 128 255 The total number of packets including bad packets received that were between 128 and 255 octets in length inclusive excluding framing bits but including FCS octets 256 5...

Page 318: ...y F To search for a specific VLAN enter the VLAN Name or VLAN ID and click Find To view this window click Monitoring Browse Router Port as shown below Figure 7 19 Browse IGMP Snooping Router Port wind...

Page 319: ...that are currently Egress E or Tag T ports To search for a specific VLAN enter the VLAN Name or VLAN ID and click Find To view this window click Monitoring VLAN Status as shown below Figure 7 21 VLAN...

Page 320: ...ays the Authenticator State for individual ports on a selected device In Port based mode if one of the attached hosts is successfully authorized all hosts on the same port will be granted access to th...

Page 321: ...ssigned Priority Displays the assigned priority If a port is authenticated and the authorization is enabled the 802.1p default priority can be controlled by the RADIUS server via the passing value The...

Page 322: ...or the Authenticator PAE associated with each port An entry appears in this table for each port that supports the Authenticator function Enter the ports you wish to view and click Search To view this...

Page 323: ...n in the top left hand corner The following information is displayed Parameter Description InvalidServerAddresses The number of RADIUS Accounting Response packets received from unknown addresses Ident...

Page 324: ...d when an Accounting Request is sent and decremented due to receipt of an Accounting Response a timeout or a retransmission Timeouts The number of accounting timeouts to this server After a timeout th...

Page 325: ...ng table to be browsed by VLAN ID 1 4094 Enter a VLAN ID for the forwarding table to be browsed by MAC Address Enter a MAC address for the forwarding table to be browsed by Unit Port Select the unit o...

Page 326: ...by entering it in the top left hand corner and clicking Find To view all entries click View All Entry NOTE To configure IGMP snooping for the xStack DGS 3400 Series switch go to the L2 Features folde...

Page 327: ...console manager Click Next to go to the next page of the Switch History Log Clicking Clear will allow the user to clear the Switch History Log The information in the table is categorized as Parameter...

Page 328: ...the ARP Table click Clear All To view this table click Monitoring Browse ARP Table as shown below Figure 7 33 ARP Table window MAC based Access Control Authentication Status To clear MAC based Access...

Page 329: ...figuration parameters to their factory defaults NOTE Only the Reset System option will enter the factory default parameters into the Switch s non volatile RAM and then restart the Switch All other opt...

Page 330: ...though require you to restart the Switch before they will take effect Restarting the Switch erases all settings in RAM and reloads the stored settings from the NV RAM Thus it is necessary to save all...

Page 331: ...es Update Time States the specific time the configuration file was downloaded to the Switch From States the origin of the firmware There are five ways configuration files may be uploaded to the Switch...

Page 332: ...n This field has three options for configuration Delete Select this option to delete the configuration file ID specified in the Configuration ID field above Boot_up Select this option to set the confi...

Page 333: ...s shown in Table1 Table 1 ARP Payload H W Type Protocol Type H W Address Length Protocol Address Length Operation Sender H W Address Sender Protocol Address Target H W Address Target Protocol Address...

Page 334: ...le 3 ARP Payload H W Type Protocol Type H W Address Length Protocol Address Length Operation Sender H W Address Sender Protocol Address Target H W Address Target Protocol Address ARP reply 00 20 5C 01...

Page 335: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch Forwarding Table Port1 00 20 5C 01 11 11 Port2 00 20 5C 01 22 22 324...

Page 336: ...nodes within the network will immediately update their own ARP table in accordance with the sender s MAC and IP address The format of Gratuitous ARP is shown in the following table Gratuitous ARP Tabl...

Page 337: ...a unique Package Content ACL For the reason that basic ACL can only filter ARP packets based on packet type VLAN ID Source and Destination MAC information there is a need for further inspections of AR...

Page 338: ...Offset Chunk4 Offset Chunk5 Offset Chunk6 Offset Chunk7 Offset Chunk8 Offset Chunk9 Offset Chunk10 Offset Chunk11 Offset Chunk12 Offset Chunk13 Offset Chunk14 Offset Chunk15 Byte 127 3 7 11 15 19 23 2...

Page 339: ...xStack DGS 3400 Series Layer 2 Gigabit Ethernet Managed Switch 328...

Page 340: ...n by console there will no IP and MAC information for logging Configuration and log saved to flash Unit unitID Configuration and log saved to flash by console Username username IP ipaddr MAC macaddr I...

Page 341: ...iguration upload by console was unsuccessful Username username IP ipaddr MAC macaddr Warning by console and IP ipaddr MAC macaddr are XOR shown in log string which means if user login by console will...

Page 342: ...gin through Web Username username Informational Login failed through Web Login failed through Web Username username Warning Logout through Web Logout through Web Username username Informational Web se...

Page 343: ...through SSH Login failed through SSH Username username IP ipaddr Warning Logout through SSH Logout through SSH Username username IP ipaddr Informational SSH session timed out SSH session timed out Us...

Page 344: ...l method Login failed through SSH from userIP authenticated by AAA local method Username username MAC macaddr Warning Successful login through Console authenticated by AAA none method Successful login...

Page 345: ...name username MAC macaddr Informational Login failed through Web SSL authenticated by AAA server Login failed through Web SSL from userIP authenticated by AAA server serverIP Username username MAC mac...

Page 346: ...userIP authenticated by AAA local_enable method Username username MAC macaddr Informational Enable Admin failed through Web authenticated by AAA local_enable method Enable Admin failed through Web fro...

Page 347: ...AA none method Username username MAC macaddr Informational Successful Enable Admin through Telnet authenticated by AAA none method Successful Enable Admin through Telnet from userIP authenticated by A...

Page 348: ...n Username username MAC macaddr Warning Successful Enable Admin through Telnet authenticated by AAA server Successful Enable Admin through Telnet from userIP authenticated by AAA server serverIP Usern...

Page 349: ...ic IMPB Dynamic IMPB entry conflicts with static IMPB ipaddr MAC macaddr Port unitID portNum Warning IMPB entry cannot be created in ACL mode due to no ACL rules IMPB entry cannot be created in ACL mo...

Page 350: ...packet received Interface string VRID id receives a VRRP authentication fail packet Warning string is interface name Invalid virtual IP packet received Interface string VRID id receives an invalid VRR...

Page 351: ...trap is sent when a Port loop restarts after the interval time 1 3 6 1 4 1 171 11 70 1 2 16 1 2 0 0 4 1 3 6 1 4 1 171 11 70 2 2 16 1 2 0 0 4 1 3 6 1 4 1 171 11 70 3 2 16 1 2 0 0 4 1 3 6 1 4 1 171 11...

Page 352: ...once to the trap receivers within the log ceasing unauthorized duration 1 3 6 1 4 1 171 12 37 100 0 1 SingleIPMSColdStart Commander switch will send swSingleIPMSColdStart notification to indicated hos...

Page 353: ...lowVoltage connect overCurrent connect working connect disconnect disconnect lowVoltage disconnect overCurrent disconnect working disconnect connect 1 3 6 1 4 1 171 12 11 2 2 2 0 1 PowerFailure Power...

Page 354: ...he address of a protocol message that is not properly authenticated While implementations of the SNMP must be capable of generating this trap they must also be capable of suppressing the emission of s...

Page 355: ...t Managed Switch 344 lldpRemTablesChange A lldpRemTablesChange notification is sent when the value of lldpStatsRemTableLastChangeTime changes It can be utilized by an NMS to trigger LLDP remote system...

Page 356: ...dcast storm Multiple simultaneous broadcasts that typically absorb available network bandwidth and can cause network failure console port The port on the Switch accepting a terminal or modem connector...

Page 357: ...ng TCP IP internets SNMP is presently implemented on a wide range of computers and networking equipment and may be used to manage many aspects of network and end station operation Spanning Tree Protoc...
