xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch    111

Understanding 802.1X Port-based and Host-based Network Access Control 

802.1X was originally designed around the point-to-point character of switched LANs. On such a link, a LAN segment has at most two devices attached to it, one of which is a Bridge Port. The Bridge Port detects events that indicate that an active device has been attached at the remote end of the link, or that an attached device has become inactive. These events can be used to control the authorization state of the Port and, while the Port is Unauthorized, to initiate authentication of the attached device. This is Port-Based Network Access Control.

Port-Based Network Access Control

Figure 5 - 21. Example of Typical Port-Based Configuration (the figure shows several 802.1X clients attached to an Ethernet switch, the switch's network access controlled and network access uncontrolled ports, and the RADIUS server)

Once the connected device has been authenticated successfully, the Port becomes Authorized and all subsequent traffic on the Port is exempt from access control until an event occurs that causes the Port to become Unauthorized again. Hence, if the Port is actually connected to a shared-media LAN segment (for example a hub) with more than one attached device, successfully authenticating one of the attached devices effectively grants LAN access to every device on that segment, whether or not it has authenticated. The security offered in this situation is clearly open to attack: an unauthenticated host only needs to share the segment with a host that has already authenticated.
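The following is an added illustration of that weakness, not code from the manual and not a description of DGS-3200 internals. It models the authenticator's controlled-port decision in the port-based mode described above, and in an assumed host-based mode that keeps a separate authorized state per source MAC so that each station must authenticate itself. The MAC addresses and EtherTypes used as input are constructed for the example.

```python
"""Toy model of an IEEE 802.1X authenticator port (added example, not D-Link code).

"port" mode: one successful authentication authorizes the whole physical port.
"host" mode (assumed behaviour of host-based access control): authorization is
tracked per source MAC, so a second station on the same hub must authenticate too.
"""
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic the uncontrolled port passes
IP_ETHERTYPE = 0x0800      # ordinary data traffic, subject to the controlled port


@dataclass
class Frame:
    src_mac: str
    ethertype: int


@dataclass
class AuthenticatorPort:
    mode: str                                   # "port" or "host"
    authorized: bool = False                    # port-based: one state for the whole port
    authorized_macs: set = field(default_factory=set)  # host-based: per-station state

    def auth_success(self, mac: str) -> None:
        """Called when the RADIUS server returns Access-Accept for the supplicant at `mac`."""
        if self.mode == "port":
            self.authorized = True              # every station behind the port now benefits
        elif self.mode == "host":
            self.authorized_macs.add(mac)       # only this station is let through
        else:
            raise ValueError(f"unknown mode {self.mode!r}")

    def link_down(self) -> None:
        """An event that returns the Port to Unauthorized (link loss, logoff, failed reauth)."""
        self.authorized = False
        self.authorized_macs.clear()

    def forwards(self, frame: Frame) -> bool:
        """Decide whether a frame arriving on this port is forwarded into the LAN."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True                         # uncontrolled port: EAPOL must always pass
        if self.mode == "port":
            return self.authorized              # controlled port, port-wide state
        return frame.src_mac in self.authorized_macs  # controlled port, per-MAC state


def shared_segment(mode: str) -> dict:
    """Two stations share one hub port; only ALICE authenticates. Does MALLORY get through?"""
    alice = "00:11:22:33:44:55"     # constructed MAC of the legitimate supplicant
    mallory = "66:77:88:99:aa:bb"   # constructed MAC of a host that never authenticates
    port = AuthenticatorPort(mode)
    result = {}
    result["mallory_before_auth"] = port.forwards(Frame(mallory, IP_ETHERTYPE))
    result["eapol_before_auth"] = port.forwards(Frame(alice, EAPOL_ETHERTYPE))
    port.auth_success(alice)
    result["alice_after_auth"] = port.forwards(Frame(alice, IP_ETHERTYPE))
    result["mallory_after_auth"] = port.forwards(Frame(mallory, IP_ETHERTYPE))
    port.link_down()
    result["alice_after_link_down"] = port.forwards(Frame(alice, IP_ETHERTYPE))
    return result


if __name__ == "__main__":
    for mode in ("port", "host"):
        print(mode, shared_segment(mode))
```

In "port" mode `mallory_after_auth` is True: the unauthenticated host rides on Alice's session, which is exactly the shared-segment exposure the text describes. In "host" mode it is False because Mallory's MAC was never authorized. Note the caveat that still applies to per-MAC authorization without MACsec: a host on the same segment that spoofs an already-authenticated MAC address is indistinguishable from that host at the authenticator, so host-based mode narrows the exposure but does not remove it.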

Содержание DGS-3200-16 - Switch - Stackable

Страница 1: ...Manual ProductModel xStack DGS 3200 Series Layer2ManagedGigabit Ethernet Switch Release 1 35 ...

Страница 2: ...ictly forbidden Trademarks used in this text D Link and the D LINK logo are trademarks of D Link Computer Corporation Microsoft and Windows are registered trademarks of Microsoft Corporation Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products D Link Computer Corporation disclaims any proprietary interest in tr...

Страница 3: ...ation 4 Device Information 4 System Information 5 Serial Port Settings 6 IP Address 6 Setting the Switch s IP Address using the Console Interface 8 IPv6 Interface Settings 8 IPv6 Route Table 9 IPv6 Neighbor Settings 10 Port Configuration 11 Port Settings 11 Port Description 12 Port Error Disabled 12 Static ARP Settings 13 User Accounts 14 Admin and User Privileges 14 System Log Configuration 15 Sy...

Страница 4: ... State Settings 34 SNMP View Table 34 SNMP Group Table 35 SNMP User Table 36 SNMP Community Table 37 SNMP Host Table 38 SNMP v6Host Table 39 SNMP Engine ID 40 SNMP Trap Configuration 40 RMON 40 Single IP Management 41 Single IP Settings 43 Topology 44 Firmware Upgrade 51 Configuration File Backup Restore 51 Upload Log File 51 Layer 2 Features 52 Jumbo Frame 52 Egress Filter Settings 53 802 1Q VLAN...

Страница 5: ...81 STP Port Settings 82 MST Configuration Identification 84 STP Instance Settings 85 MSTP Port Information 86 Forwarding Filtering 87 Unicast Forwarding 87 Multicast Forwarding 87 Multicast Filtering Mode 88 QoS 89 Bandwidth Control 91 Traffic Control 92 802 1p Default Priority 94 802 1p User Priority 94 QoS Scheduling Mechanism 95 Security 96 Safeguard Engine 96 Trusted Host 98 IP MAC Port Bindin...

Страница 6: ...n Policy and Parameter Settings 125 Application Authentication Settings 125 Authentication Server Group 126 Authentication Server Host 127 Login Method Lists 129 Enable Method Lists 130 Configure Local Enable Password 131 Enable Admin 131 MAC based Access Control 132 MAC based Access Control Settings 132 MAC based Access Control Local Settings 134 Web based Access Control WAC 134 WAC Global Settin...

Страница 7: ...uthenticator Statistics 194 Authenticator Session Statistics 196 Authenticator Diagnostics 198 RADIUS Authentication 200 RADIUS Account Client 201 Browse ARP Table 203 Browse VLAN 203 Browse Router Port 204 Browse MLD Router Port 204 Browse Session Table 205 IGMP Snooping Group 205 MLD Snooping Group 206 WAC Authenticating State 207 JWAC Host Table 208 MAC Address Table 209 System Log 210 MAC base...

Страница 8: ... viii Download Firmware 215 Reboot System 215 Appendix A Mitigating ARP Spoofing Attacks Using Packet Content ACL 216 Appendix B Switch Log Entries 223 Appendix C Trap Logs 234 Appendix D Password Recovery Procedure 237 Appendix E Glossary 238 Warranty Support 240 ...

Страница 9: ...ssages or prompts appearing on screen For example You have mail Bold font is also used to represent filenames program names and commands For example use the copy command Boldface Typewriter Font Indicates commands and responses to prompts that must be typed exactly as printed in the manual Initial capital letter Indicates a window name Names of keys on the keyboard have initial capitals For exampl...

Страница 10: ...ce any product except as explained in the system documentation Opening or removing covers that are marked with the triangular symbol with a lightning bolt may expose the user to electrical shock Only a trained service technician should service components inside these compartments If any of the following conditions occur unplug the product from the electrical outlet and replace the part or contact ...

Страница 11: ...ong plugs to help ensure proper grounding Do not use adapter plugs or remove the grounding prong from a cable If using an extension cable is necessary use a 3 wire cable with properly grounded plugs Observe extension cable and power strip ratings Make sure that the total ampere rating of all products plugged into the extension cable or power strip does not exceed 80 percent of the ampere ratings l...

Страница 12: ...After a component is inserted into the rack carefully extend the rail into a locking position and then slide the component into the rack Do not overload the AC supply branch circuit that provides power to the rack The total rack load should not exceed 80 percent of the branch circuit rating Ensure that proper airflow is provided to components in the rack Do not step on or stand on any component wh...

Страница 13: ... the electronic components such as the microprocessor This can be done by periodically touching an unpainted metal surface on the chassis The following steps can also be taken prevent damage from electrostatic discharge ESD 1 When unpacking a static sensitive component from its shipping carton do not remove the component from the antistatic packing material until ready to install the component in ...

Страница 14: ... different ways to access the same internal switching software and configure it Thus all settings encountered in web based management are the same as those found in the console program Logging onto the Web Manager To begin managing the Switch simply run the browser installed on your computer and point it to the IP address you have defined for the device The URL in the address bar should read somet...

Страница 15: ...rea 1 Select the folder or window to display Open folders and click the hyperlinked window buttons and subfolders contained within them to display windows Area 2 Presents a graphical near real time image of the front panel of the Switch This area displays the Switch s ports and expansion modules and shows port activity depending on the specified mode Some management functions including port monito...

Страница 16: ...and related windows Bandwidth Control Traffic Control 802 1p Default Priority 802 1p User Priority and QoS Scheduling Mechanism Security Contains the following main folders windows and related windows Safeguard Engine Trusted Host IP MAC Port Binding IMP Global Settings IMP Port Settings IMP Entry Settings DHCP Snooping Entries MAC Block List Port Security Port Security Settings Port Lock Entries ...

Страница 17: ...Management Device Information This window contains the main settings for all major functions for the Switch It appears automatically when you log on to the Switch To return to the Device Information window after viewing other windows click the DGS 3200 10 DGS 3200 16 folder The Device Information window shows the Switch s MAC Address assigned by the factory and unchangeable the Boot PROM Version F...

Страница 18: ...ing window click Configuration System Information Figure 2 2 System Information window The fields that can be configured are described below Parameter Description System Name Enter a system name for the Switch if so desired This name will identify it in the Switch network System Location Enter the location of the Switch if so desired System Contact Enter a contact name for the Switch if so desired...

Страница 19: ...IP address has not yet been changed read the introduction of the DGS 3200 Series CLI Manual for more information TheWeb manager will display the Switch s current IP settings To view the following window click Configuration IP Address Figure 2 4 IP Address window To manually assign the Switch s IP address subnet mask and default gateway address 1 Click the Manual radio button at the top of the wind...

Страница 20: ...ption is set the Switch will first look for a BOOTP server to provide it with this information before using the default or previously entered settings Subnet Mask A Bitmask that determines the extent of the subnet that the Switch is on Should be of the form xxx xxx xxx xxx where each xxx is a number represented in decimal between 0 and 255 The value should be 255 0 0 0 for a Class A network 255 25...

Страница 21: ...tem ipaddress xxx xxx xxx xxx z Where the x s represent the IP address to be assigned to the IP interface named System and the z represents the corresponding number of subnets in CIDR notation The IP interface named System on the Switch can be assigned an IP address and subnet mask which can then be used to connect a management station to the Switch s Telnet or Web based management agent Successfu...

Страница 22: ... 0 and 4294967295 This is the neighbor solicitation s retransmit timer in milliseconds The default is zero Automatic Link Local Address Toggle between Enabled and Disabled Enabling this is helpful when no external source of network addressing information is available Default Gateway Enter the IPv6 address of the default gateway Active This read only field indicates the status of this entry IPv6 Ro...

Страница 23: ...IPv6 Neighbor Settings table entry enter the Interface Name select the desired State in the middle section of this window and then click the Find button To delete all the entries being displayed on the table at the bottom of this window click the Clear button The following parameters may be configured or viewed Parameter Description Interface Name Enter the name of the IPv6 neighbor To search for ...

Страница 24: ...tch allows the user to configure three types of gigabit connections 1000M Full_Master 1000M Full_Slave and 1000M Full Gigabit connections only support full duplex connections and take on certain characteristics that are different from the other choices listed The 1000M Full_Master and 1000M Full_Slave parameters refer to connections running a 1000BASE T cable for connection between the Switch port...

Страница 25: ...pports a port description feature where the user may name various ports To view the following window click Configuration Port Configuration Port Description Figure 2 10 Port Description window Use the From Port and To Port pull down menu to choose a port or range of ports to describe Users may then enter a description for the chosen port s If configuring the Combo ports the Medium Type defines the...

Страница 26: ...es to MAC addresses To view the following window click Configuration Static ARP Settings Figure 2 12 Static ARP Settings window The following parameters may be configured or viewed Parameter Description ARP Aging Time 0 65535 The ARP entry age out time in seconds The default is 20 minutes IP Address The IP address of the ARP entry MAC Address The MAC address of the ARP entry After entering a globa...

Страница 27: ...it button next to the entry in the table at the bottom of the window Enter an Old Password New Password and retype the new password in the Confirm Password field offered use the drop down menu to select the type of encryption desired Plain Text or Sha 1 and then click Apply The level of privilege Admin or User can be viewed in the Access Right column in the table at the bottom of the window NOTICE...

Страница 28: ...Configuration System Log Configuration System Log Settings Figure 2 15 System Log Settings window Use the pull down menu to choose the method for saving the switch log to the flash memory The user has three options Time Interval Users who choose this method can configure a time interval by which the Switch will save the log files in the box adjacent to this configuration field The user may set a t...

Страница 29: ...arning Informational and All Facility Use the drop down menu to select Local 0 Local 1 Local 2 Local 3 Local 4 Local 5 Local 6 or Local 7 Status Choose Enabled or Disabled to activate or deactivate To set the System Log Server configuration click Apply To delete an entry from the System Log Host List table click the corresponding Delete button next to the entry System Severity Settings The Switch ...

Страница 30: ...than the hop count limit the packet is dropped The range is between 1 and 16 hops with a default value of 4 The relay time threshold sets the minimum time in seconds that the Switch will wait before forwarding a BOOTREQUEST packet If the value in the seconds field of the packet is less than the relay time threshold the packet will be dropped The range is between 0 and 65 535 seconds with a default...

Страница 31: ...abled using the pull down menu It is used to enable or disable the Switches ability to check the validity of the packet s option 82 field Enabled When the field is toggled to Enabled the relay agent will check the validity of the packet s option 82 field If the switch receives a packet that contains the option 82 field from a DHCP client the switch drops the packet because it is invalid In packets...

Страница 32: ... format 1 2 3 4 5 6 7 1 6 0 4 VLAN Module Port 1 byte 1 byte 1 byte 1 byte 2 bytes 1 byte 1 byte 1 Sub option type 2 Length 3 Circuit ID type 4 Length 5 VLAN the incoming VLAN ID of DHCP client packet 6 Module For a standalone switch the Module is always 0 for a stackable switch the Module is the Unit ID 7 Port The incoming port number of the DHCP client packet the port number starts from 1 Remote...

Страница 33: ...0 DHCP BOOTP Relay Interface Settings window The following parameters may be configured or viewed Parameter Description Interface The IP interface on the Switch that will be connected directly to the Server Server IP Enter the IP address of the DHCP BOOTP server Up to four server IPs can be configured per IP Interface Click Apply to include this Server IP DHCP Local Relay Settings The DHCP local r...

Страница 34: ... Switch For more information about loading a configuration file for use by a client see the DHCP server and or TFTP server software instructions The user may also consult the Upload Log File window description located in the Tools section of this manual If the Switch is unable to complete the DHCP auto configuration the previously saved configuration file present in the Switch s memory will be use...

Страница 35: ...nt value representing the MAC address age out time in seconds The MAC Address Aging Time can be set to any value between 10 and 875 seconds The default setting is 300 seconds Click Apply to set the MAC Address Aging Time Web Settings Users can configure the Web settings on the Switch To view the following window click Configuration Web Settings Figure 2 24 Web Settings window The following paramet...

Страница 36: ...rough Telnet choose Disabled Port 1 65535 The TCP port number used for Telnet management of the Switch The well known TCP port for the Telnet protocol is 23 Click Apply to set the Telnet setting Password Encryption Users can configure Password Encryption on the Switch To view the following window click Configuration Password Encryption Figure 2 26 Password Encryption window The following parameter...

Страница 37: ...ng setting Firmware Information Users can view set the next boot up status and delete current firmware images stored on the Switch To set firmware as the boot up firmware the next time the Switch is restarted click the Set Boot button To remove the firmware from this window click the Delete button To view the following window click Configuration Firmware Information Figure 2 28 Firmware Informatio...

Страница 38: ...ttached to it it denotes a firmware upgrade through the Secure Shell SSH SIM If the IP address has this letter attached to it it denotes a firmware upgrade through the Single IP Management feature User States the user who downloaded the firmware This field may read Anonymous or Unknown for users that are not identified Power Saving Settings This window allows the user to implement the Switch s bui...

Страница 39: ... Size States the size of the corresponding firmware in bytes Update Time States the specific time the firmware version was downloaded to the Switch From States the IP address of the origin of the firmware There are five ways firmware may be downloaded to the Switch Boot up files are denoted by an asterisk next to the file R If the IP address has this letter attached to it it denotes a firmware upg...

Страница 40: ...indow click Configuration SMTP Settings Figure 2 31 SMTP Settings window The following parameters may be configured or viewed Parameter Description SMTP State Use the radio button to enable or disable the SMTP service on this device SMTP Server Address Enter the IP address of the SMTP server on a remote device This will be the device that sends out the mail for you SMTP Server Port 1 65535 Enter t...

Страница 41: ...IP Address by clicking its radio button and entering a number between 1 and 255 Click Start to initiate the Ping program The following parameters may be configured or viewed Parameter Description Target IP Address Enter an IP address to be Pinged Interface Name For IPv6 only enter the name of the interface to be Pinged Repeat Pinging for Enter the number of times desired to attempt to Ping either ...

Страница 42: ...r Description Status SNTP State Use this radio button to enable or disable SNTP Current Time Displays the Current Time Time Source Displays the time source for the system SNTP Settings SNTP First Server The IP address of the primary server from which the SNTP information will be taken SNTP Secondary Server The IP address of the secondary server from which the SNTP information will be taken SNTP Po...

Страница 43: ...rom GMT In HH MM Use these pull down menus to specify your local time zone s offset from Greenwich Mean Time GMT DST Repeating Settings Using repeating mode will enable DST seasonal time adjustment Repeating mode requires that the DST beginning and ending date be specified using a formula For example specify to begin DST on Saturday during the second week of April and end DST on Sunday during the ...

Страница 44: ... each year Click Apply to implement changes made to this window MAC Notification Settings MAC Notification is used to monitor MAC addresses learned and entered into the forwarding database The MAC Notification Settings folder contains two windows MAC Notification Settings and MAC Notification Port Settings MAC Notification Global Settings This window allows you to globally set MAC notification on ...

Страница 45: ...ure 2 36 MAC Notification Port Settings window To change MAC notification settings for a port or group of ports on the Switch configure the following parameters Parameter Description From Port Select a beginning port to enable for MAC notification using the pull down menu To Port Select an ending port to enable for MAC notification using the pull down menu State Enable MAC Notification for the por...

Страница 46: ...s that are allowed to view read only information or receive traps using SNMPv1 while assigning a higher level of security to another group granting read write privi leges using SNMPv3 Using SNMPv3 individual users or groups of SNMP managers can be allowed to perform or be restricted from performing specific SNMP management functions The functions allowed or restricted are defined using the Object ...

Страница 47: ... corresponding to the entry to delete To create a new entry enter the information above the table and then click the Apply button The SNMP Group created with this table maps SNMP users identified in the SNMP User Table to the views created in the previous window The following parameters can set Parameter Description View Name Type an alphanumeric string of up to 32 characters This is used to ident...

Страница 48: ... Notify View Name Specify a SNMP group name for users that can receive SNMP trap messages generated by the Switch s SNMP agent Security Model SNMPv1 Specifies that SNMP version 1 will be used SNMPv2 Specifies that SNMP version 2c will be used The SNMPv2 supports both centralized and distributed network management strategies It includes improvements in the Structure of Management Information SMI an...

Страница 49: ...Use the drop down menu to enable encryption for SNMP V3 This is only operable in SNMP V3 mode The choices are None Password or Key Auth Protocol MD5 Specifies that the HMAC MD5 96 authentication level will be used This field is only operable when V3 is selected in the SNMP Version field and the Encryption field has been checked This field will require the user to enter a password SHA Specifies tha...

Страница 50: ...41 SNMP Community Table window The following parameters can set Parameter Description Community Name Type an alphanumeric string of up to 32 characters that is used to identify members of an SNMP community This string is used like a password to give remote SNMP managers access to MIB objects in the Switch s SNMP agent View Name Type an alphanumeric string of up to 32 characters that is used to ide...

Страница 51: ...eters can set Parameter Description Host IP Address Type the IP address of the remote management station that will serve as the SNMP host for the Switch SNMP Version V1 To specifies that SNMP version 1 will be used V2c To specify that SNMP version 2c will be used V3 NoAuth NoPriv To specify that the SNMP version 3 will be used with a NoAuth NoPriv security level V3 Auth NoPriv To specify that the ...

Страница 52: ...arameters can set Parameter Description Host IPv6 Address Type the IP address of the remote management station that will serve as the SNMP host for the Switch SNMP Version V1 To specifies that SNMP version 1 will be used V2c To specify that SNMP version 2c will be used V3 NoAuth NoPriv To specify that the SNMP version 3 will be used with a NoAuth NoPriv security level V3 Auth NoPriv To specify tha...

Страница 53: ...ise number as assigned by IANA D Link is 171 The fifth octet is 03 to indicate the rest is the MAC address of this device The sixth to eleventh octets is the MAC address To implement your new settings click Apply SNMP Trap Configuration Users can enable and disable SNMP trap support and SNMP authentication failure trap support respectively To view the following window click Configuration SNMP Sett...

Страница 54: ...including the Commander Switch numbered 0 There is no limit to the number of SIM groups in the same IP subnet broadcast domain however a single switch can only belong to one group If multiple VLANs are configured the SIM group will only utilize the default VLAN on any switch SIM allows intermediate devices that do not support SIM This enables the user to manage switches that are more than one hop ...

Страница 55: ...g 4 The Commander Switch CS now has the capability to automatically rediscover member switches that have left the SIM group either through a reboot or web malfunction This feature is accomplished through the use of Discover packets and Maintenance packets that previously set SIM members will emit after a reboot Once a MS has had its MAC address and password saved to the CS s database if a reboot o...

Страница 56: ...s parameter will make the Switch a Commander Switch CS The user may join other switches to this Switch over Ethernet to be part of its SIM group Choosing this option will also enable the Switch to be configured for SIM Group Name Enter a Group Name in this textbox This is optional Discovery Interval 30 90 The user may set the discovery protocol interval in seconds that the Switch will send out dis...

Страница 57: ...d initiate and lead you to the Topology window as seen below Figure 2 50 Topology window The Topology window holds the following information on the Data tab Parameter Description Device Name This field will display the Device Name of the switches in the SIM group configured by the user If no device is configured by the name it will be given the name default and tagged with the last six digits of t...

Страница 58: ...e full Model Name of the corresponding Switch To view the Topology View window open the View drop down menu in the toolbar and then click Topology which will open the following Topology Map This window will refresh itself periodically 20 seconds by default Figure 2 51 Topology View window This window will display how the devices within the Single IP Management Group connect to other groups and dev...

Страница 59: ...tant role in configuration and in viewing device information Setting the mouse cursor over a specific device in the topology window tool tip will display the same information about a specific device as the Tree view does See the window below for an example Figure 2 52 Device Information Utilizing the Tool Tip Setting the mouse cursor over a line between two devices will display the connection spee...

Страница 60: ...rious functions depending on the role of the Switch in the SIM group and the icon associated with it Group Icon Figure 2 54 Right Clicking a Group Icon The following options may appear for the user to configure Collapse To collapse the group that will be represented by a single icon Expand To expand the SIM group in detail Property To pop up a window to display the group information ...

Страница 61: ...ess of the corresponding Switch Remote Port No Displays the number of the physical port on the MS or CaS that the CS is connected to The CS will have no entry in this field Local Port No Displays the number of the physical port on the CS that the MS or CaS is connected to The CS will have no entry in this field Port Speed Displays the connection speed between the CS and the MS or CaS Commander Swi...

Страница 62: ...play the device information Candidate Switch Icon Figure 2 58 Right Clicking a Candidate icon The following options may appear for the user to configure Collapse To collapse the group that will be represented by a single icon Expand To expand the SIM group in detail Add to group Add a candidate to a group Clicking this option will reveal the following dialog box for the user to enter a password fo...

Страница 63: ...ews to open at SIM startup Group Add to group Add a candidate to a group Clicking this option will reveal the following dialog box for the user to enter a password for authentication from the Candidate Switch before being added to the SIM group Click OK to enter the password or Cancel to exit the dialog box Figure 2 61 Input password dialog box Remove from Group Remove an MS from the group Device ...

Страница 64: ...sted in the table and will be specified by Port port on the CS where the MS resides MAC Address Model Name and Version To specify a certain Switch for upgrading configuration files click its corresponding radio button under the Port heading To update the configuration file enter the Server IP Address where the file resides and enter the Path Filename of the configuration file Click Restore to init...

Страница 65: ...ns for the Switch The Switch includes various functions for VLAN Trunking IGMP Snooping MLD Snooping Spanning Tree and Forwarding Filtering all discussed in detail Jumbo Frame The Switch supports jumbo frames Jumbo frames are Ethernet frames with more than 1 500 bytes of payload The Switch supports jumbo frames with a maximum frame size of 1536 bytes To view the following window click Layer 2 Feat...

Страница 66: ...pliance with the IEEE 802 1p standard have the ability to recognize the priority level of data packets These devices can also assign a priority label or tag to packets Compliant devices can also strip priority tags from packets This priority tag determines the packet s degree of expeditiousness and determines the queue to which it will be assigned Priority tags are given values from 0 to 7 with 0 ...

Страница 67: ...mation into the header of a packet Untagging The act of stripping 802 1Q VLAN information out of the packet header Ingress port A port on a switch where packets are flowing into the Switch and VLAN decisions must be made Egress port A port on a switch where packets are flowing out of the Switch either to another switch or to an end station and tagging decisions must be made IEEE 802 1Q tagged VLAN...

Страница 68: ...et s EtherType field is equal to 0x8100 the packet carries the IEEE 802 1Q 802 1p tag The tag is contained in the following two octets and consists of 3 bits of user priority 1 bit of Canonical Format Identifier CFI used for encapsulating Token Ring packets so they can be carried across Ethernet backbones and 12 bits of VLAN ID VID The 3 bits of user priority are used by 802 1p The VID is the VLAN...

Страница 69: ...ort based and MAC based VLANs were in common use These VLANs relied upon a Port VLAN ID PVID to forward packets A packet received on a given port would be assigned that port s PVID and then be forwarded to the port that corresponded to the packet s destination address found in the Switch s forwarding table If the PVID of the port that received the packet is different from the PVID of the port that...

Страница 70: ... packets from an 802 1Q compliant network device to a non compliant network device Ingress Filtering A port on a switch where packets are flowing into the Switch and VLAN decisions must be made is referred to as an ingress port If ingress filtering is enabled for a port the Switch will examine the VLAN information in the packet header if present and decide whether or not to forward the packet If t...

Страница 71: ... the destination lies on another port found through a normal forwarding table lookup the Switch then looks to see if the other port Port 10 is a member of VLAN 2 and can therefore receive VLAN 2 packets If Port 10 is not a member of VLAN 2 then the packet will be dropped by the Switch and will not reach its destination If Port 10 is a member of VLAN 2 the packet will go through This selective forw...

Страница 72: ...VLAN or for editing the VLAN name in the Add Edit VLAN tab Advertisement Enabling this function will allow the Switch to send out GVRP packets to outside sources notifying that they may join the existing VLAN Port Shows all ports of the Switch for the ٛ onfiguration option Tagged Specifies the port as 802 1Q tagging Clicking the radio button will designate the port as tagged Untagged Specifies the...

Страница 73: ...e set in the VLAN Batch Settings windows Parameter Description VID List e g 2 5 Enter a VLAN ID List that can be added deleted or configured Advertisement Enabling this function will allow the Switch to send out GVRP packets to outside sources notifying that they may join the existing VLAN Port List e g 1 5 Allows an individual port list to be added or deleted as a member of the VLAN Tagged Specif...

Page 74: ...n menu to designate the port as untagged. Forbidden: Specifies the port as not being a member of the VLAN and that the port is forbidden from becoming a member of the VLAN dynamically. Use the drop-down menu to designate the port as forbidden. Click Apply to implement changes made. NOTE: The Switch supports up to 4k static VLAN entries. ...

Page 75: ...an alphanumeric string of up to 32 characters. Protocol: This function maps packets to protocol-defined VLANs by examining the type octet within the packet header to discover the type of protocol associated with it. Use the drop-down menu to toggle between Ethernet II, IEEE 802.3 LLC and IEEE 802.3 SNAP. Protocol Value: Enter a value for the Group. The protocol value is used to identify a protocol of the...

Page 76: ...ets accepted by the Switch that match this priority are forwarded to the CoS queue specified previously by the user. Click the corresponding box if you want to set the 802.1p default priority of a packet to the value entered in the Priority (0-7) field, which meets the criteria specified previously in this command, before forwarding it on to the specified CoS queue. Otherwise, a packet will have its inco...

Page 77: ...r descriptions: MAC Address: Specify the MAC address to be reauthenticated by entering it into the MAC Address field. VLAN Name: Enter the VLAN name of a previously configured VLAN. VLAN ID: Click this button and enter the VLAN ID. Click Find, Add or Delete All for changes to take effect. GVRP Settings: Users can determine whether the Switch will share its VLAN configuration information with other GARP VLAN...

Page 78: ...he port will compare the VID of the incoming packet to its PVID. If the two are unequal, the port will drop the packet. If the two are equal, the port will receive the packet. GVRP: The GARP VLAN Registration Protocol (GVRP) enables the port to dynamically become a member of a VLAN. GVRP is Disabled by default. Ingress Checking: This drop-down menu allows the user to enable the port to compare the VID tag of...

Page 79: ...nsmitted to a specific host destination address will always be transmitted over the same port in a trunk group. This allows packets in a data stream to arrive in the same order they were sent. NOTE: If any ports within the trunk group become disconnected, packets intended for the disconnected port will be load-shared among the other linked ports of the link aggregation group. Link aggregation allows se...

Page 80: ...aggregation group. If two redundant link aggregation groups are configured on the Switch, STP will block one entire group, in the same way STP will block a single port that has a redundant link. To view the following window, click L2 Features > Trunking. Figure 3-16. Trunking window. To configure port trunk groups, click the Add button. To modify an existing port trunk group, click the Edit button correspondi...

Page 81: ...d on a port(s) in each intermediary switch, you only need to create VLAN groups in the end devices (A and B). C, D and E automatically allow frames with VLAN group tags 1 and 2 (VLAN groups that are unknown to those switches) to pass through their VLAN trunking port(s). Users can combine a number of VLAN ports together to create VLAN trunks. To create VLAN Trunk Port settings on the Switch, select the ports t...

Page 82: ...of ports may be configured, ending with the selected port. Mode: Active: Active LACP ports are capable of processing and sending LACP control frames. This allows LACP-compliant devices to negotiate the aggregated link so the group may be changed dynamically as needs require. In order to utilize the ability to change an aggregated port group, that is, to add or subtract ports from the group, at least one of...

Page 83: ...ed receiving ports into the Switch's Traffic Segmentation table. IGMP Snooping: Internet Group Management Protocol (IGMP) snooping allows the Switch to recognize IGMP queries and reports sent between network stations or devices and an IGMP host. When enabled for IGMP snooping, the Switch can open or close a port to a specific device based on IGMP messages passing through the Switch. IGMP Snooping Setting...

Page 84: ...t data-driven learning for IGMP snooping groups. If data-driven learning (also known as dynamic IP multicast learning) is enabled for a VLAN, when the Switch receives IP multicast traffic on the VLAN, an IGMP snooping group is created. Learning of an entry is not activated by IGMP membership registration but activated by the traffic. For an ordinary IGMP snooping entry, the IGMP protocol will take care of...

Page 85: ...rts where the incoming multicast traffic is to be sent. The source port cannot be a recipient port and, if configured to do so, will cause error messages to be produced by the switch. Once properly configured, the stream of multicast data will be relayed to the receiver ports in a much more timely and reliable fashion. Restrictions and Provisos: The Multicast VLAN feature of this Switch does have some re...

Page 86: ...he source IP address of incoming packets sent by the host before being forwarded to the source port. Source Port (e.g. 1, 4-6): Enter a port or list of ports to be added to the Multicast VLAN. Source ports shall be the tagged members of the multicast VLAN. ISM Profile Settings: Users can configure ISM profile settings. To view the following window, click L2 Features > IGMP Snooping > ISM Profile Settings. Figure 3...

Page 87: ...o remove an entry, click the corresponding Delete button. Figure 3-25. Multicast Address Group List Settings window. Enter the multicast IP address list, starting with the lowest in the range, and then click Add. To return to the IP Multicast Profile Settings window, click the Previous button. Limited Multicast Address Range Settings: Users can configure the ports on the Switch that will be involved in the...

Page 88: ...listening port. The active listening ports are the only ones to receive multicast group data. MLD Control Messages: Three types of messages are transferred between devices using MLD snooping. These three messages are all defined by four ICMPv6 packet headers, labeled 130, 131, 132 and 143. 1. Multicast Listener Query: Similar to the IGMPv2 Host Membership Query for IPv4, and labeled as 130 in the ICMPv6 pac...
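The four ICMPv6 types named above are what an MLD-snooping switch keys on. The following is an added example, not code from the D-Link manual or the Switch: it parses constructed MLDv1 (130, 131, 132) and MLDv2 Report (143) messages and applies them to a per-port listener table. The IPv6 header and ICMPv6 checksum are deliberately left out, and a Done message removes the port immediately rather than after the Done Timer, both of which are simplifications of this model.

```python
# Added example, not from the D-Link manual: parsing the ICMPv6 MLD message
# types named above (130, 131, 132, 143) and applying them to a per-port
# listener table as an MLD-snooping switch does. Messages are constructed
# inline; the IPv6 header and ICMPv6 checksum are left out, which is a
# simplification of this model (a real implementation verifies the checksum
# before acting on any message).
import ipaddress
import struct

MLD_QUERY, MLDV1_REPORT, MLD_DONE, MLDV2_REPORT = 130, 131, 132, 143
V1_ACTION = {MLD_QUERY: "query", MLDV1_REPORT: "join", MLD_DONE: "leave"}


def build_mldv1(msg_type, group):
    # type, code, checksum (0 here), max response delay, reserved, multicast address
    return struct.pack("!BBHHH", msg_type, 0, 0, 0, 0) + ipaddress.IPv6Address(group).packed


def build_mldv2_report(records):
    """records: list of (record_type, group, [source addresses]) per RFC 3810 section 5.2."""
    msg = struct.pack("!BBHHH", MLDV2_REPORT, 0, 0, 0, len(records))
    for rec_type, group, sources in records:
        msg += struct.pack("!BBH", rec_type, 0, len(sources)) + ipaddress.IPv6Address(group).packed
        msg += b"".join(ipaddress.IPv6Address(s).packed for s in sources)
    return msg


def parse_mld(pkt):
    """Return (icmpv6_type, [(action, group)]) with action in {'query', 'join', 'leave'}."""
    if len(pkt) < 8:
        raise ValueError("short ICMPv6 message")
    msg_type = pkt[0]
    if msg_type in V1_ACTION:
        if len(pkt) < 24:
            raise ValueError("short MLDv1 message")
        return msg_type, [(V1_ACTION[msg_type], str(ipaddress.IPv6Address(pkt[8:24])))]
    if msg_type == MLDV2_REPORT:
        (nrec,) = struct.unpack("!H", pkt[6:8])
        off, out = 8, []
        for _ in range(nrec):
            if off + 20 > len(pkt):
                raise ValueError("truncated multicast address record")
            rec_type, aux_len, nsrc = struct.unpack("!BBH", pkt[off:off + 4])
            group = str(ipaddress.IPv6Address(pkt[off + 4:off + 20]))
            off += 20 + 16 * nsrc + 4 * aux_len
            # EXCLUDE-mode records (2, 4) are joins; an INCLUDE record with no
            # sources (1, 3) is a leave; source-list edits (5, 6) are not modelled.
            if rec_type in (2, 4) or (rec_type in (1, 5) and nsrc):
                out.append(("join", group))
            elif rec_type in (1, 3) and not nsrc:
                out.append(("leave", group))
        return msg_type, out
    raise ValueError(f"ICMPv6 type {msg_type} is not an MLD message")


class MldSnooper:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}            # group -> set of listener ports
        self.router_ports = set()  # ports where a querier was seen

    def handle(self, port, pkt):
        """Apply one MLD message received on `port`; return the actions taken."""
        _, entries = parse_mld(pkt)
        results = []
        for action, group in entries:
            if action == "query":
                self.router_ports.add(port)
                results.append(("query", [p for p in self.ports if p != port]))  # relay to all others
            elif action == "join":
                self.table.setdefault(group, set()).add(port)
                results.append(("join", group))
            else:
                members = self.table.get(group, set())
                members.discard(port)      # the Done Timer would delay this on the real Switch
                if not members:
                    self.table.pop(group, None)
                results.append(("leave", group))
        return results

    def egress_ports(self, group, ingress):
        """Ports that receive data for `group`: listeners plus router ports, never the ingress."""
        out = self.table.get(group, set()) | self.router_ports
        return sorted(p for p in out if p != ingress)
```

The parser refuses truncated records and non-MLD ICMPv6 types instead of guessing, which is the behaviour to want on a snooping switch: a malformed Report should never be able to add or remove listeners.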

Page 89: ...for which to modify the MLD Snooping Settings. VLAN Name: This is the VLAN Name that, along with the VLAN ID, identifies the VLAN for which to modify the MLD Snooping Settings. Done Timer: Specifies the maximum amount of time a router can remain in the Switch after receiving a Done message from the group without receiving a node listener report. The user may specify a time between 1 and 16711450, with a d...

Page 90: ...n menu to select the Target Port to which frames will be copied, which receives the copies from the source port. 3. Select the Source Port Setting Direction: Tx (Egress), Rx (Ingress), Both or None. 4. Click Apply to let the changes take effect. NOTE: You cannot mirror a fast port onto a slower port. For example, if you try to mirror the traffic from a 100 Mbps port onto a 10 Mbps port, this can cause throughput p...

Page 91: ...administrator. The Loopback Detection port will restart (change to the discarding state) when the Loopback Detection Recover Time times out. The Loopback Detection function can be implemented on a range of ports at a time. The user may enable or disable this function using the pull-down menu. To view the following window, click L2 Features > Loopback Detection Settings. Figure 3-30. Loopback Detection Settings...

Page 92: ...ssociated with them. An MSTI ID will classify these instances. MSTP will connect multiple spanning trees with a Common and Internal Spanning Tree (CIST). The CIST will automatically determine each MSTP region, its maximum possible extent, and will appear as one virtual bridge that runs a single spanning tree. Consequently, frames assigned to different VLANs will follow different data routes within admin...

Page 93: ...1Q-2005 MSTP, 802.1D-2004 RSTP and 802.1D-1998 STP port states, with whether a port in each state forwards and learns:

    MSTP         RSTP         STP          Forwarding   Learning
    Disabled     Disabled     Disabled     No           No
    Discarding   Discarding   Blocking     No           No
    Discarding   Discarding   Listening    No           No
    Learning     Learning     Learning     No           Yes
    Forwarding   Forwarding   Forwarding   Yes          Yes

Table 3-2. Comparing Port States. RSTP is capable of a more rapid transition to a forwarding state; it no longer relies on timer configurations. RSTP compl...

Page 94: ...Settings window (RSTP, the default). Figure 3-33. STP Bridge Global Settings window (MSTP). Figure 3-34. STP Bridge Global Settings window (STP Compatible). See the table below for descriptions of the STP versions and corresponding setting options. NOTE: The Bridge Hello Time cannot be longer than the Bridge Max Age; otherwise a configuration error will occur. Observe the following formulas when setting the above par...

Page 95: ...(1-2): The Hello Time can be set from 1 to 2 seconds. This is the interval between two transmissions of BPDU packets sent by the Root Bridge to tell all other switches that it is indeed the Root Bridge. This field will only appear here when STP or RSTP is selected for the STP Version. For MSTP, the Hello Time must be set on a port-per-port basis. The default is 2 seconds. Bridge Forward Delay (4-30): The For...

Page 96: ...Like edge ports, P2P ports transition to a forwarding state rapidly, thus benefiting from RSTP. A P2P value of False indicates that the port cannot have P2P status. Auto allows the port to have P2P status whenever possible and operate as if the P2P status were True. If the port cannot maintain this status (for example, if the port is forced to half-duplex operation), the P2P status changes to operate as if...

Page 97: ...tification. Figure 3-36. MST Configuration Identification window. To modify an entry on the table at the bottom of the window, click the corresponding Edit button. To remove an entry on the table at the bottom of the window, click the corresponding Delete button. The window above contains the following information. Parameter descriptions: Configuration Name: This name uniquely identifies the MSTI (Multiple Sp...

Page 98: ...window. To modify an entry on the table at the top of the window, click the corresponding Edit button. To view more information about an entry on the table at the top of the window, click the corresponding View button. The window above contains the following information. Parameter descriptions: MSTI ID: Enter the MSTI ID in this field. An entry of 0 denotes the CIST (default MSTI). Priority: Enter the priority...

Page 99: ...Port number. To modify the settings for a particular MSTI instance, enter a value in the Instance ID field, an Internal Path Cost, and use the drop-down menu to select a Priority. The user may configure the following parameters. Parameter descriptions: Instance ID: The MSTI ID of the instance to be configured. Enter a value between 0 and 15. An entry of 0 in this field denotes the CIST (default MSTI). Internal...

Page 100: ...ntry. To delete an entry in the Static Unicast Forwarding Table, click the corresponding Delete button. Parameter descriptions: VLAN ID (VID): The VLAN ID number of the VLAN on which the associated unicast MAC address resides. MAC Address: The MAC address to which packets will be statically forwarded. This must be a unicast MAC address. Port: Allows the selection of the port number on which the MAC address ent...

Page 101: ...e, click the corresponding Delete button. Multicast Filtering Mode: Users can configure the multicast filtering mode. To view the following window, click L2 Features > Forwarding & Filtering > Multicast Filtering Mode. Figure 3-41. Multicast Filtering Mode window. Parameter descriptions: VLAN Name: The VLAN to which the specified filtering action applies. Select the All option to apply the action to all VLANs on th...

Page 102: ...encing. Not only can a larger bandwidth be created, but other less critical traffic can be limited so excessive bandwidth can be saved. The Switch has separate hardware queues on every physical port, to which packets from various applications can be mapped and in turn prioritized. View the following map to see how the Switch implements basic 802.1p priority queuing. Figure 4-1. An Example of the Defau...

Page 103: ...Priority 5 is assigned to the Switch's Q5 queue. Priority 6 is assigned to the Switch's Q6 queue. Priority 7 is assigned to the Switch's Q7 queue. For strict priority-based scheduling, any packets residing in the higher priority classes of service are transmitted first. Multiple strict priority classes of service are emptied based on their priority tags. Only when these classes are empty are packets of...

Page 104: ...lows the input of the data rate that will be the limit for the selected port. The user may choose a rate between 64 and 1024000 Kbits per second. Effective RX: If a RADIUS server has assigned the RX bandwidth, then it will be the effective RX bandwidth. The authentication with the RADIUS server can be per port or per user. For per-user authentication, there may be multiple RX bandwidths assigned if there...

Page 105: ...port configured for traffic control and a packet storm continues, that port will be placed in Shutdown Forever mode, which will cause a warning message to be sent to the Trap Receiver. Once in Shutdown Forever mode, the only method of recovering the port is to manually recover it using the Port Settings window in the Configuration folder. Select the disabled port and return its State to Enabled status. T...

Page 106: ...ontrol function to commence. The configurable threshold range is from 512 to 1024000, with a default setting of 512 Kbps. Storm Control Type: Specifies the desired Storm Control Type: None, Broadcast, Multicast, Unknown Unicast, Broadcast + Multicast, Broadcast + Unknown Unicast, Multicast + Unknown Unicast, and Broadcast + Multicast + Unknown Unicast. Traffic Trap Settings: Enable sending of Storm Trap messages when the...

Page 107: ...limit, the value will be set at the default priority. For example, if the RADIUS server assigns a limit of 8 and the default priority is 0, the effective priority will be 0. To implement a new default priority, first choose a port range by using the From Port and To Port pull-down menus, and then use the Priority drop-down menu to select a value from 0 to 7. Click Apply to implement the settings. 802.1p User Pri...

Page 108: ...Parameter descriptions: Strict: The highest class of service is the first to process traffic. That is, the highest class of service will finish before other queues empty. Weight Fair: Use the weighted round robin (WRR) algorithm to handle packets in an even distribution in priority classes of service. Max Packets (0-255): Specifies the maximum number of packets the above specified hardware priority class of se...
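The difference between the Strict and Weight Fair modes on pages 103 and 108 is easiest to see by draining the same set of queued frames under both. The following is an added example, not code from the D-Link manual or the Switch; the identity mapping (priority n goes to queue Qn) is what the page lists for priorities 5 to 7 and is assumed here for 0 to 4, and treating a Max Packets value of 0 as "serve this queue strictly" is also an assumption of this model.

```python
# Added example, not from the D-Link manual: a model of the 802.1p priority to
# hardware-queue mapping and of the Strict and Weight Fair (WRR) scheduling
# described on pages 103 and 108. The identity mapping (priority n -> Qn) is
# what the page lists for 5..7 and is assumed here for 0..4; treating a Max
# Packets weight of 0 as "serve this queue strictly" is also an assumption.
from collections import deque


class CosScheduler:
    def __init__(self, mapping=None, max_packets=None):
        self.mapping = mapping or {p: p for p in range(8)}  # 802.1p priority -> queue
        self.max_packets = max_packets                       # None = Strict mode
        self.queues = {q: deque() for q in range(8)}

    def enqueue(self, frame, priority):
        if not 0 <= priority <= 7:
            raise ValueError("802.1p priority must be between 0 and 7")
        self.queues[self.mapping[priority]].append(frame)

    def _budget(self, q):
        if self.max_packets is None:                  # Strict: empty the queue entirely
            return float("inf")
        weight = self.max_packets.get(q, 1)
        return float("inf") if weight == 0 else weight

    def drain(self):
        """Return the frames in the order the port would transmit them."""
        out = []
        while any(self.queues.values()):
            for q in range(7, -1, -1):                # highest class of service first
                budget, sent = self._budget(q), 0
                while self.queues[q] and sent < budget:
                    out.append(self.queues[q].popleft())
                    sent += 1
        return out


def transmit_order(frames, max_packets=None):
    """frames: list of (name, 802.1p priority). Returns the names in transmit order.

    max_packets=None selects Strict mode; a dict {queue: Max Packets} selects WRR.
    """
    sched = CosScheduler(max_packets=max_packets)
    for name, prio in frames:
        sched.enqueue(name, prio)
    return sched.drain()


if __name__ == "__main__":
    # Constructed sample: three "voice" frames at 7, one "video" at 5, two "bulk" at 0.
    sample = [("b1", 0), ("p1", 7), ("v1", 5), ("b2", 0), ("p2", 7), ("p3", 7)]
    print("strict:", transmit_order(sample))
    print("wrr   :", transmit_order(sample, {7: 2, 5: 1, 0: 1}))
```

Under Strict, the bulk frames are only sent once every higher queue is empty; a host that can mark its own frames with priority 7 can therefore starve everyone else on the port, which is why untrusted edge ports should have their 802.1p priority overwritten with the port default (page 107) rather than trusted.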

Page 109: ...eives too many packets to process or (b) exerts too much memory, it will enter the Exhausted mode. When in this mode, the Switch will drop all ARP and IP broadcast packets and packets from untrusted IP addresses for a calculated time interval. Every five seconds, the Safeguard Engine will check to see if there are too many packets flooding the Switch. If the threshold has been crossed, the Switch will init...

Page 110: ...ode, the Safeguard Engine will decrease the packet flow by half. After returning to Normal mode, the packet flow will be increased by 25%. The switch will then return to its interval checking and dynamically adjust the packet flow to avoid overload of the Switch. NOTICE: When Safeguard Engine is enabled, the Switch will allot bandwidth to various traffic flows (ARP, IP) using the FFP (Fast Filter Processor) me...

Page 111: ...selected, this function will instruct the Switch to minimize the IP and ARP traffic flow to the CPU by dynamically allotting an even bandwidth to all traffic flows. Strict: If selected, this function will stop accepting all ARP packets not intended for the Switch and will stop receiving all unnecessary broadcast IP packets until the storm has subsided. The default setting is Fuzzy mode. Trusted Host: Up...

Page 112: ...IMP Entry Settings, DHCP Snooping Entries and MAC Block List. IMP Global Settings: Users can enable or disable the Trap/Log State and DHCP Snoop state on the Switch. The Trap/Log field will enable and disable the sending of trap/log messages for IP-MAC-port binding. When enabled, the Switch will send a trap message to the SNMP agent and the Switch log when an ARP packet is received that doesn't match t...

Page 113: ...his mode provides a looser way of control. If the user selects Loose mode, ARP packets and IP broadcast packets will be sent to the CPU. The packets will still be forwarded by the hardware until a specific source MAC address is blocked by the software. The port will check ARP packets and IP broadcast packets against the IP-MAC-port binding entries. When the packet is found by the entry, the MAC address will be s...
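What the IP-MAC-port binding check on pages 112 and 113 actually decides is clearer when run over real bytes. The following is an added example, not code from the D-Link manual or the Switch's firmware: it builds and parses Ethernet/ARP frames, checks the ARP sender against a binding table, and applies the Strict and Loose behaviours described above (Strict drops a mismatching frame; Loose lets the first one through, as the hardware already has, and then blocks that MAC). The binding entries, ports, addresses and the trap/log wording are constructed for illustration; the check that the ARP sender MAC equals the Ethernet source MAC is an extra sanity check beyond what the page describes.

```python
# Added example, not from the D-Link manual: an IP-MAC-port binding check run
# over constructed ARP frames in the Strict and Loose modes described on
# pages 112-113. Binding entries, ports and addresses are made up; the
# trap/log text is illustrative, not the Switch's own format.
import ipaddress
import struct


def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _fmt(b): return ":".join(f"{x:02x}" for x in b)


def build_arp(src_mac, sender_mac, sender_ip, target_ip, op=1):
    """Ethernet II frame carrying an ARP request (op=1) or reply (op=2) to the broadcast MAC."""
    eth = b"\xff" * 6 + _mac(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(sender_mac)
    arp += ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src_mac": _fmt(frame[6:12]), "op": op, "sender_mac": _fmt(frame[22:28]),
            "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
            "target_ip": str(ipaddress.IPv4Address(frame[38:42]))}


class ImpbChecker:
    def __init__(self, bindings, mode="strict"):
        # bindings: (IP address, MAC address, ports) as entered in the IMP Entry Settings window
        self.bindings = {(ip, mac.lower()): set(ports) for ip, mac, ports in bindings}
        self.mode = mode
        self.blocked = set()        # the MAC Block List
        self.log = []

    def inspect(self, port, frame):
        """Return 'forward' or 'drop' for one frame arriving on `port`."""
        arp = parse_arp(frame)
        if arp is None:
            return "forward"        # non-ARP traffic is outside this check (IP broadcast omitted)
        mac = arp["sender_mac"]
        if mac in self.blocked:
            return "drop"
        allowed = self.bindings.get((arp["sender_ip"], mac))
        # Extra check beyond the page: the ARP sender MAC must equal the Ethernet source MAC.
        if allowed is not None and port in allowed and arp["src_mac"] == mac:
            return "forward"
        self.log.append(f"trap: ARP from {mac} claiming {arp['sender_ip']} on port {port} "
                        f"matches no IP-MAC-port binding")
        if self.mode == "strict":
            return "drop"           # Strict: nothing passes until the binding matches
        self.blocked.add(mac)       # Loose: this frame already went through hardware; block the MAC from now on
        return "forward"
```

The Loose-mode result is worth keeping in mind when choosing a mode: the first spoofed ARP reply is forwarded and will poison caches on that segment before the MAC is blocked, so use Strict on ports where a single poisoned reply matters.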

Page 114: ...nd to the IP Address set above. Mode: Static or Auto will be displayed in this column. Ports: Specify the switch ports for which to configure this IP-MAC binding entry (IP Address, MAC Address). Click the All check box to configure this entry for all ports on the Switch. Click Apply to implement changes. Click Find to search for an entry. Click Show All for the table to display all entries, or Delete All to r...

Page 115: ...inding restrictions. To find an unauthorized device that has been blocked by the IP-MAC binding restrictions, enter the VID and MAC Address in the appropriate fields and click Find. To delete an entry, click the Delete button next to the entry's port. To delete all the entries in the window, click Delete All. Click View All for the table to display all entries. To view the following window, click Security...

Page 116: ...lowing parameters can be set. Parameter descriptions: Port Security Trap/Log Settings: Use the radio button to enable or disable Port Security Traps and Log Settings on the Switch. From Port: The beginning port of a consecutive group of ports to be configured. To Port: The ending port of a consecutive group of ports to be configured. Admin State: This pull-down menu allows the user to enable or disable Port...

Page 117: ...responding MAC address to be deleted. Click the Next button to view the next page of entries listed in this table. This window displays the following information. Parameter descriptions: VID: The VLAN ID of the entry in the forwarding database table that has been permanently learned by the Switch. VLAN Name: The VLAN Name of the entry in the forwarding database table that has been permanently learned by t...

Page 118: ...HCP server screening, or Disabled to disable it. The default is Disabled. After setting the previous parameters, click Apply to allow your changes to be implemented. DHCP Offer Filtering: This function allows the user not only to restrict all DHCP Server packets but also to receive any specified DHCP server packet by any specified DHCP client. It is useful when one or more DHCP servers are present on the...

Page 119: ...ess of the DHCP server to be filtered. Client's MAC Address: The MAC address of the DHCP client. Only multiple legal DHCP servers on the network need to be entered in this field. If there is only one legal DHCP server on the network, no input to this field is allowed. Ports: The port numbers of the filter DHCP server. After setting the previous parameters, click Apply to allow your changes to be implemente...

Page 120: ...US Server or local authentication on the Switch to be placed in a fully operational VLAN. If authenticated and the authenticator possesses the VLAN placement information, that client will be accepted into the fully operational target VLAN and normal switch functions will be open to the client. If the authenticator does not have target VLAN placement information, the client will be returned to its origi...

Page 121: ...is accomplished by using a RADIUS server to authenticate users trying to access a network, by relaying Extensible Authentication Protocol over LAN (EAPOL) packets between the Client and the Server. The following figure represents a basic EAPOL packet. Figure 5-15. The EAPOL Packet. Utilizing this method, unauthorized devices are restricted from connecting to a LAN through a port to which the user is conn...

Page 122: ...es services. Figure 5-17. The Authentication Server. Authenticator: The Authenticator (the Switch) is an intermediary between the Authentication Server and the Client. The Authenticator serves two purposes when utilizing the 802.1X function. The first purpose is to request certification information from the Client through EAPOL packets, which is the only information allowed to pass through the Authenticato...

Page 123: ...hentication is made. This port is locked until the point when a Client with the correct username and password (and MAC address, if 802.1X is enabled by MAC address) is granted access and therefore successfully unlocks the port. Once unlocked, normal traffic is allowed to pass through the port. The following figure displays a more detailed explanation of how the authentication process is completed between...

Page 124: ...the Port-Based Network Access Control. Port-Based Network Access Control (figure: several 802.1X Clients, network access controlled port, network access uncontrolled port, RADIUS Server, Ethernet Switch). Figure 5-21. Example of Typical Port-Based Configuration. Once the connected device has successfully been aut...

Page 125: ...he Switch would regard the single physical Port connecting it to the shared media segment as consisting of a number of distinct logical Ports, each logical Port being independently controlled from the point of view of EAPOL exchanges and authorization state. The Switch learns each attached device's individual MAC address and effectively creates a logical Port that the attached device can then use t...

Page 126: ...between the Authenticator and the authentication server. The default setting is 30 seconds. MaxReq (1-10): The maximum number of times that the Switch will retransmit an EAP Request to the client before it times out of the authentication session. The default setting is 2. TxPeriod (1-65535): This sets the TxPeriod of time for the authenticator PAE state machine. This value determines the period of an EAP R...
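The EAPOL framing from page 121 and the MaxReq/TxPeriod parameters above can be exercised together. The following is an added example, not code from the D-Link manual or the Switch's firmware: it builds and parses EAPOL frames and EAP Request/Response-Identity messages, and models an authenticator that sends one EAP-Request on EAPOL-Start, retransmits it every TxPeriod seconds up to MaxReq times, and then times the session out. That timing is this example's reading of the parameter descriptions, not the Switch's documented state machine; all frames and identities are constructed.

```python
# Added example, not from the D-Link manual: the EAPOL and EAP framing used in
# the Client/Authenticator exchange described on pages 121-126, and a model of
# the authenticator's MaxReq/TxPeriod behaviour. Frames are constructed; the
# timing (one initial EAP-Request plus up to MaxReq retransmissions, TxPeriod
# seconds apart, then a timeout) is this example's reading of the parameter
# text, not vendor-documented state-machine code.
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(packet_type, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def eap_request_identity(identifier):
    return eapol(EAPOL_EAP_PACKET, struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY))


def eap_response_identity(identifier, identity: bytes):
    body = struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY)
    return eapol(EAPOL_EAP_PACKET, body + identity)


def parse_eapol(frame):
    """Describe an EAPOL frame; reject length fields that disagree with the bytes present."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body length exceeds frame")
    info = {"version": version, "type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("short EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length or eap_len < 4:
            raise ValueError("EAP length inconsistent with EAPOL body")
        info.update(code=code, id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            info["eap_type"] = body[4]
            info["data"] = body[5:eap_len]
    return info


class Authenticator:
    """One controlled port. The caller supplies time in seconds."""
    def __init__(self, max_req=2, tx_period=30):
        self.max_req, self.tx_period = max_req, tx_period
        self.state = "unauthorized"
        self.sent = []                 # (time, frame) transmitted towards the client
        self.current_id = 0            # EAP identifier of the outstanding request
        self.req_count = 0
        self.deadline = None           # when the outstanding request expires

    def on_frame(self, now, frame):
        info = parse_eapol(frame)
        if info["type"] == EAPOL_START:
            self.current_id += 1
            self.req_count = 0
            self._send_request(now)
        elif info["type"] == EAPOL_LOGOFF:
            self.state, self.deadline = "unauthorized", None
        elif info.get("code") == EAP_RESPONSE and info.get("id") == self.current_id:
            # Identity received; the backend (RADIUS) exchange takes over from here.
            # Responses with a stale identifier (replays) are ignored.
            self.state, self.deadline = "authenticating", None
            return info.get("data")
        return None

    def tick(self, now):
        """Retransmit or give up once the outstanding request has waited TxPeriod seconds."""
        if self.deadline is None or now < self.deadline:
            return
        if self.req_count > self.max_req:
            self.state, self.deadline = "timeout", None
        else:
            self._send_request(now)

    def _send_request(self, now):
        self.sent.append((now, eap_request_identity(self.current_id)))
        self.req_count += 1
        self.deadline = now + self.tx_period
```

With the defaults (MaxReq 2, TxPeriod 30) a silent supplicant holds a port in the authenticating state for 90 seconds across three requests; raising MaxReq or TxPeriod lengthens that window on every port, which is worth knowing before tuning them for slow clients.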

Page 127: ...applied on a per-port basis. Select Authenticator to apply the settings to the port. When the setting is activated, a user must pass the authentication process to gain access to the network. Select None to disable 802.1X functions on the port. Direction: Sets the administrative controlled direction to Both. If Both is selected, control is exerted over both incoming and outgoing traffic through the controlled...

Page 128: ...Port fields. Next, the user must specify the MAC address to be initialized by entering it into the MAC Address field and ticking the corresponding check box. To begin the initialization, click Apply. NOTE: The user must first globally enable 802.1X in the 802.1X Settings window (Security > 802.1X > 802.1X Settings) before initializing ports. Information in the Initialize Port(s) windows cannot be viewed before...

Page 129: ...the user must first enable 802.1X by MAC address in the 802.1X Settings window. To view the following window, click Security > 802.1X > Reauthenticate Port(s). Figure 5-28. Reauthenticate Port(s) window for Host-based 802.1X. To reauthenticate ports, first use the From Port and To Port drop-down menus to choose the range of ports. Then the user must specify the MAC address to be reauthenticated by entering it...

Page 130: ...the desired RADIUS server to configure (1, 2 or 3) and select either IPv4 Address or IPv6 Address. IP Address: Set the RADIUS server IP address. Authentic Port (1-65535): Set the RADIUS authentication server's UDP port, which is used to transmit RADIUS data between the Switch and the RADIUS server. The default port is 1812. Accounting Port (1-65535): Set the RADIUS accounting server's UDP port, which is used to transmit...

Page 131: ...r choices on the Switch to create a three-layered encryption code for secure communication between the server and the host. The user may implement any one or combination of the ciphersuites available, yet different ciphersuites will affect the security level and the performance of the secured connection. The information included in the ciphersuites is not included with the Switch and requires downloa...

Page 132: ...lt setting is 600 seconds. SSL Ciphersuite Settings: RSA with RC4_128_MD5: This ciphersuite combines the RSA key exchange, stream cipher RC4 encryption with 128-bit keys, and the MD5 hash algorithm. Use the radio buttons to enable or disable this ciphersuite. This field is Enabled by default. (RC4 and MD5-based suites are no longer considered secure for TLS and 3DES is deprecated; disable these suites wherever the Switch offers an AES/SHA alternative and restrict web management to trusted hosts.) RSA with 3DES_EDE_CBC_SHA: This ciphersuite combines the RSA key exchange, CBC block cipher 3DES_EDE encryption, and...

Page 133: ...rity hazards that now threaten network communications. The steps required to use the SSH protocol for secure communication between a remote PC (the SSH client) and the Switch (the SSH server) are as follows: 1. Create a user account with admin-level access using the User Accounts window (Configuration > Port Configuration > User Accounts). This is identical to creating any other admin-level User Account on the...

Page 134: ...H authentication. After the maximum number of attempts has been exceeded, the Switch will be disconnected and the user must reconnect to the Switch to attempt another login. The number of maximum attempts may be set between 2 and 20. The default setting is 2. Session Rekeying: This field is used to set the time period after which the Switch will renegotiate the Secure Shell session keys, by using the pull-down menu...

Page 135: ...192 encryption algorithm with Cipher Block Chaining. The default is Enabled. AES256-CBC: Use the check box to enable or disable the Advanced Encryption Standard (AES) 256 encryption algorithm with Cipher Block Chaining. The default is Enabled. ARC4: Use the check box to enable or disable the Arcfour (RC4) stream cipher. Arcfour is a stream cipher and has no CBC mode; it is deprecated in current SSH implementations, so disable it unless a legacy client requires it. The default is Enabled. Cast128-CBC: Use the check box to ena...

Page 136: ...istrator wishes to use a remote SSH server for authentication purposes. Choosing this parameter requires the user to input the following information to identify the SSH user: Host Name: Enter an alphanumeric string of no more than 32 characters to identify the remote SSH user. Host IP: Enter the corresponding IP address of the SSH user. Password: This parameter should be chosen if the administrator wishe...

Page 137: ...on the Switch. The server will not accept the username and password, and the user is denied access to the Switch. The server doesn't respond to the verification query: at this point the Switch receives the timeout from the server and then moves to the next method of verification configured in the method list. The Switch has four built-in Authentication Server Groups, one for each of the TACACS, XTACACS, T...

Page 138: ...locked out of further authentication attempts. Command line interface users will have to wait 60 seconds before another authentication attempt. Telnet and web users will be disconnected from the Switch. The user may set the number of attempts from 1 to 255. The default setting is 3. Click Apply to implement changes made. Application Authentication Settings: Users can configure Switch configuration applic...

Page 139: ...g method lists. The user may define the type of server group by protocol or by previously defined server group. The Switch has three built-in Authentication Server Groups that cannot be removed but can be modified. Up to eight authentication server hosts may be added to any particular group. To view the following window, click Security > Access Authentication Control > Authentication Server Group. Figure 5...

Page 140: ...Authentication Server Hosts must be configured for their specific protocol on a remote centralized server before this function can work properly. NOTE: The three built-in server groups can only have server hosts running the same TACACS daemon. TACACS, XTACACS and TACACS+ protocols are separate entities and are not compatible with each other. Authentication Server Host: User-defined Authentication Server Hos...

Page 141: ...ACS+ or RADIUS servers only. Specify an alphanumeric string up to 254 characters. Port (1-65535): Enter a number between 1 and 65535 to define the virtual port number of the authentication protocol on a server host. The default port number is 49 for TACACS/XTACACS/TACACS+ servers and 1813 for RADIUS servers, but the user may set a unique port number. (RFC 2865 assigns UDP 1812 to RADIUS authentication and 1813 to accounting; whatever the default shown here, set the port the RADIUS server actually listens on for authentication. A non-standard port is not a security control in itself; the shared secret and host restrictions are.) Timeout (1-255 secs): Enter the time in...

Page 142: ...ured password set by the administrator. To view the following window, click Security > Access Authentication Control > Login Method Lists. Figure 5-39. Login Method Lists window. The Switch contains one Method List that is set and cannot be removed, yet can be modified. To delete a Login Method List defined by the user, click the Delete button corresponding to the entry desired to be deleted. To modify a Login...
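The method-list semantics on page 137 (a server reject is final, a server timeout falls through to the next method), the attempt limit on page 138 and the Login Method Lists window above combine into one small decision procedure. The following is an added example, not code from the D-Link manual or the Switch's firmware: server hosts are simulated by callables returning canned verdicts, and the group names, accounts, method order and the "cli"/"telnet" application labels are constructed for the example.

```python
# Added example, not from the D-Link manual: a model of how a Login Method List
# is evaluated (a server reject ends the list, a server timeout falls through
# to the next method, and "local" checks the Switch's own accounts) combined
# with the per-session attempt limit from the Authentication Settings window
# (page 138). Server hosts are simulated by callables returning canned
# verdicts; group names, accounts and the method order are constructed.
from typing import Callable, Dict, List, Tuple

Host = Callable[[str, str], str]   # (user, password) -> 'accept' | 'reject' | 'timeout'


class ServerGroup:
    def __init__(self, name: str, hosts: List[Host]):
        if len(hosts) > 8:
            raise ValueError("a server group holds at most eight hosts")
        self.name, self.hosts = name, hosts

    def query(self, user: str, password: str) -> str:
        for host in self.hosts:             # try hosts in order until one answers
            verdict = host(user, password)
            if verdict in ("accept", "reject"):
                return verdict
        return "timeout"                    # no host answered: the next method is tried


def evaluate(method_list: List[str], groups: Dict[str, ServerGroup],
             local_users: Dict[str, str], user: str, password: str) -> Tuple[str, str]:
    """Return (verdict, method that decided)."""
    for method in method_list:
        if method == "local":
            return ("accept" if local_users.get(user) == password else "reject"), "local"
        if method == "none":
            return "accept", "none"         # no authentication at all: never place this first
        verdict = groups[method].query(user, password)
        if verdict != "timeout":
            return verdict, method          # a reject here is final: later methods are not consulted
    return "reject", "exhausted"            # every server timed out and there was no local fallback


class LoginSession:
    """One Telnet/web/CLI session with the Max Attempts lockout described on page 138."""
    def __init__(self, check: Callable[[str, str], Tuple[str, str]], max_attempts=3, application="telnet"):
        self.check, self.max_attempts, self.application = check, max_attempts, application
        self.failures, self.locked_until = 0, None

    def login(self, user: str, password: str, now: float) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.failures, self.locked_until = 0, None     # lockout expired
        verdict, _ = self.check(user, password)
        if verdict == "accept":
            self.failures = 0
            return "accept"
        self.failures += 1
        if self.failures >= self.max_attempts:
            if self.application == "cli":
                self.locked_until = now + 60                 # CLI users wait 60 seconds
                return "locked"
            return "disconnected"                            # Telnet and web users are dropped
        return "reject"
```

The second assertion below is the operational trap: with a list of tacacs+, radius, local, a reachable RADIUS server that does not know the admin account rejects the login and the local fallback is never reached. Local fallback only helps when every server ahead of it is unreachable, so keep an out-of-band path (console) for the case where the servers are up but misconfigured.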

Page 143: ...an Admin privilege. NOTE: To set the Local Enable Password, see the next section, entitled Local Enable Password. To view the following window, click Security > Access Authentication Control > Enable Method Lists. Figure 5-40. Enable Method Lists window. To delete an Enable Method List defined by the user, click the Delete button corresponding to the entry desired to be deleted. To modify an Enable Method List, c...

Page 144: ...e set in the New Local Enabled field will result in a fail message. Click Apply to implement changes made. Enable Admin: Users who have logged on to the Switch at the normal user level and wish to be promoted to the administrator level can use this window. After logging on to the Switch, users will have only user-level privileges. To gain access to administrator-level privileges, the user will open this...

Page 145: ...a maximum of sixteen authenticated MAC addresses per physical port of a VLAN that is not a Guest VLAN. Other MAC addresses attempting authentication on a port with the maximum number of authenticated MAC addresses will be blocked. 4. Ports that have been enabled for Link Aggregation, Port Security or GVRP authentication cannot be enabled for MAC-based Authentication. MAC-based Access Control Settings: T...

Page 146: ...on the Switch. Password: Enter the password for the RADIUS server which is to be used for packets being sent requesting authentication. The default password is "default". Because the client's MAC address serves as the user name in these requests, this password is the only credential the RADIUS server sees for such clients: set a non-default value and configure the same value for the MAC accounts on the server. Guest VLAN Name: Enter the name of the previously configured Guest VLAN being used for this function. Guest VLAN Member Ports (e.g. 1, 5-9): Enter the list of ports that have been configured for the Guest VLAN. Guest VLAN ID (1-4094): Click the...

Page 147: ...ion process of WAC by attempting to gain Web access. D-Link's implementation of WAC uses a virtual IP that is exclusively used by the WAC function and is not known by any other modules of the Switch. In fact, to avoid affecting a Switch's other features, WAC will only use a virtual IP address to communicate with hosts. Thus all authentication requests must be sent to a virtual IP address, but not to the...

Page 148: ...Figure 5-45. Six Basic Steps in a Successful Web Authentication Process. ...

Page 149: ...dules of the Switch. HTTP(s) Port (1-65535): Enter an HTTP port number. Port 80 is the default. Method: Use this drop-down menu to choose the authenticator for Web-based Access Control. The user may choose: Local: Choose this parameter to use the local authentication method of the Switch as the authenticating method for users trying to access the network via the switch. This is in fact the username and passwor...

Page 150: ...web page yet does not receive a Fail message, the client will already be authenticated and therefore should refresh the current browser window or attempt to open a different web page. WAC User Settings: Users can view and set user accounts for Web authentication. To view the following window, click Security > Web Authentication > WAC User Settings. Figure 5-47. WAC User Settings window. To set the User Accou...

Page 151: ...ped. VLAN ID (1-4094): Click the button and enter a VID in this field. Click Apply to implement changes made. WAC Port Settings: Users can view and set port configurations for Web authentication. To view the following window, click Security > Web Authentication > WAC Port Settings. Figure 5-48. WAC Port Settings window. To set the WAC on individual ports for the Switch, complete the following fields: Parameter Desc...

Page 152: ...entication are mutually exclusive functions. That is, they cannot be enabled at the same time. To use the JWAC feature, computer users need to pass through two stages of authentication. The first stage is to do the authentication with the quarantine server, and the second stage is the authentication with the Switch. For the second stage, the authentication is similar to Web Authentication, except that ther...

Page 153: ...ost is redirected to either the Quarantine Server or the JWAC Login Page. Redirect Delay Time (0-10): This parameter specifies the Delay Time before an unauthenticated host is redirected to the Quarantine Server or JWAC Login Page. Enter a value between 0 and 10 seconds. A value of 0 indicates no delay in the redirect. Quarantine Server Configuration Error Timeout (5-300): This parameter is used to set the ...

Page 154: ...e default value is 1440. A value of 0 indicates the authenticated host will never age out on the port. MAC Authenticating Host (1-10): This parameter specifies the maximum number of host process authentication attempts allowed on each port at the same time. The default value is 10. Enter a value between 1 and 10 attempts. Idle Time (1-1440): If there is no traffic during the Idle Time parameter, the host will...

Page 155: ...5 alphanumeric characters. New Password: Enter the password the administrator has chosen for the selected user. This field is case-sensitive and must be a complete alphanumeric string. Confirm Password: Retype the password entered in the previous field. VID (1-4094): Enter a VLAN ID number between 1 and 4094. Click Apply to implement changes made. JWAC Customize Page Language: Users can configure JWAC page an...

Page 156: ...n click the Apply button. Next, enter a User Name and a Password and then click the Enter button. Multiple Authentication: Modern networks employ many authentication methods. The Multiple Authentication methods supported by this Switch include 802.1X, MAC-based Access Control (MBAC), Web-based Access Control (WAC), Japan Web-based Access Control (JWAC) and IP-MAC-Port Binding (IMPB). The Multiple Authentication fe...

Page 157: ...h will try to authenticate the client using one of these methods and, if the client passes, they will be granted access to the network. Any (MAC, 802.1X or JWAC) Mode. Figure 5-55. Any (MAC, 802.1X or JWAC) Mode. In the diagram above, the Switch port has been configured to allow clients to authenticate using 802.1X, MBAC or JWAC. When a client tries to connect to the network, the Switch will try to authenticate t...

Page 158: ... that checks if the IP streams being sent by authorized hosts have been granted or not. In the above diagram, the Switch port has been configured to allow clients to authenticate using 802.1X. If the client is in the IMPB table and tries to connect to the network using this authentication method, and the client is listed in the white list for legal IP/MAC/port checking, access will be granted. If a clie...

Page 159: ...Authorization Network State Settings for the Switch. To view the following window, click Security > Multiple Authentication > Authorization Network State Settings. Figure 5-58. Authorization Network State Settings window. Multiple Authentication Settings: Users can configure multiple authentication methods for a port or ports. To view the following window, click Security > Multiple Authentication > Multiple Authe...

Page 160: ...access to the network. If the user fails the authorization, this port will keep trying the next authentication method. When Host Based is selected, users are authenticated individually. Click Apply to implement the changes made. Guest VLAN: Users can assign ports to or remove ports from a guest VLAN. To view the following window, click Security > Multiple Authentication > Guest VLAN. Figure 5-60. Guest VLAN wind...

Page 161: ...equest to the server. If the Switch doesn't receive a response after N1 times, the result is denied and the entry (host MAC, switch port number, multicast group IP) is put in the authentication failed list. In the general case, when the multicast group port is already learned by the switch, it won't do the authentication again. It only processes the packet as standard IGMP authentication processes. IGMP leaves a...

Page 162: ... entering the criteria the Switch will use to determine what to do with the frame. The entire process is described below in two parts. Users can display the currently configured Access Profiles on the Switch. To view the following window, click ACL > Access Profile List (one access profile of each type has been created for explanatory purposes). Figure 6-1. Access Profile List window. To add an entry to the ...

Page 163: ...he IPv4 address in each frame's header. Select IPv6 ACL to instruct the Switch to examine the IPv6 address in each frame's header. Select Packet Content to instruct the Switch to examine the packet content in each frame's header. Source MAC Mask: Enter a MAC address mask for the source MAC address. Destination MAC Mask: Enter a MAC address mask for the destination MAC address. 802.1Q VLAN: Selecting this ...

Page 164: ...n. Select Profile ID: Use the drop-down menu to select a unique identifier number for this profile set. This value can be set from 1 to 200. Select ACL Type: Select profile based on Ethernet (MAC Address), IPv4 address, IPv6 address or packet content. This will change the window according to the requirements for the type of profile. Select Ethernet ACL to instruct the Switch to examine the layer 2 part of ea...

Page 165: ...ing criterion. Selecting TCP requires that you specify a source port mask and/or a destination port mask. src port mask: Specify a TCP port mask for the source port, in hex form (hex 0x0-0xffff), which you wish to filter. dst port mask: Specify a TCP port mask for the destination port, in hex form (hex 0x0-0xffff), which you wish to filter. flag bit: The user may also identify which flag bits to filter. Flag bits...

Page 166: ...ach frame's header. Select Packet Content to instruct the Switch to examine the packet content in each frame's header. IPv6 Class: Ticking this check box will instruct the Switch to examine the class field of the IPv6 header. This class field is a part of the packet header that is similar to the Type of Service (ToS) or Precedence bits field in IPv4. IPv6 Flow Label: Ticking this check box will instruct t...

Page 167: ...escription. Select Profile ID: Use the drop-down menu to select a unique identifier number for this profile set. This value can be set from 1 to 200. Select ACL Type: Select profile based on Ethernet (MAC Address), IPv4 address, IPv6 address or packet content. This will change the window according to the requirements for the type of profile. Select Ethernet ACL to instruct the Switch to examine the layer 2 p...

Page 168: ...etwork attacks such as ARP Spoofing. The Switch's implementation of Packet Content ACL enables inspection of any packet's specified content, regardless of the protocol layer. Click Apply to implement changes made. To view the setting details for a created profile, click the Show Details button for the corresponding entry on the Access Profile List window, revealing the following window: Figure 6-9. Access...

Page 169: ...ny additional rule added (see below). Select Deny to specify that packets that do not match the access profile are not forwarded by the Switch and will be filtered. Select Mirror to specify that packets that match the access profile are mirrored to a port defined in the config mirror port command. Port Mirroring must be enabled and a target port must be set. Priority (0-7): Tick the corresponding check box...

Page 170: ...t/sec. ex: If the user selects an Rx rate of 10, then the ingress rate is 640kbit/sec. The user may select a value between 1 and 156249 or tick the No Limit check box. The default setting is No Limit. Time Range Name: Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window. This will set specific times when this access rule wi...

Page 171: ...rding it on to the specified CoS queue. Otherwise, a packet will have its incoming 802.1p user priority re-written to its original value before being forwarded by the Switch. For more information on priority queues, CoS queues and mapping for 802.1p, see the QoS section of this manual. Replace Priority: Tick this check box to replace the Priority value in the adjacent field. Replace DSCP (0-63): Select this ...

Page 172: ...nd the access rule will not be configured. Ticking the All Ports check box will denote all ports on the Switch. To view the settings of a previously correctly configured rule, click the corresponding Show Details button on the Access Rule List window to view the following window: Figure 6-15. Access Rule Detail Information window for IPv4. To establish the rule for a previously created Access Profile: To...

Page 173: ... previously in this command before forwarding it on to the specified CoS queue. Otherwise, a packet will have its incoming 802.1p user priority re-written to its original value before being forwarded by the Switch. For more information on priority queues, CoS queues and mapping for 802.1p, see the QoS section of this manual. Replace Priority: Tick this check box to replace the Priority value in the adjac...

Page 174: ... will be presented with an error message and the access rule will not be configured. Ticking the All Ports check box will denote all ports on the Switch. To view the settings of a previously correctly configured rule, click the corresponding Show Details button on the Access Rule List window to view the following window: Figure 6-18. Access Rule Detail Information window for IPv6. To establish the rule ...

Page 175: ... priority of a packet to the value entered in the Priority field, which meets the criteria specified previously in this command, before forwarding it on to the specified CoS queue. Otherwise, a packet will have its incoming 802.1p user priority re-written to its original value before being forwarded by the Switch. For more information on priority queues, CoS queues and mapping for 802.1p, see the QoS sec...

Page 176: ...iltering. This added feature increases the running security of the Switch by enabling the user to create a list of access rules for packets destined for the Switch's CPU interface. Employed similarly to the Access Profile feature previously mentioned, CPU interface filtering examines Ethernet, IP and Packet Content Mask packet headers destined for the CPU and will either forward them or filter them ba...

Page 177: ...sponding Show Details button. To add an entry to the CPU Access Profile List, click the Add ACL Profile button. This will open the Add CPU ACL Profile window, as shown below. To remove all CPU Access Profile List entries, click the Delete All button. The Switch supports four CPU Access Profile types: Ethernet (or MAC address-based) profile configuration, IP (IPv4 address-based) profile configuration, IPv6 addres...

Page 178: ... in each frame's header. Select IPv6 to instruct the Switch to examine the IP address in each frame's header. Select Packet Content Mask to specify a mask to hide the content of the packet header. Source MAC Mask: Enter a MAC address mask for the source MAC address. Destination MAC Mask: Enter a MAC address mask for the destination MAC address. 802.1Q VLAN: Selecting this option instructs the Switch to ex...

Page 179: ...he drop-down menu to select a unique identifier number for this profile set. This value can be set from 1 to 5. Select ACL Type: Select profile based on Ethernet (MAC Address), IPv4 address, IPv6 address or packet content mask. This will change the menu according to the requirements for the type of profile. Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header. Select IPv4...

Page 180: ...o filter. Flag bits are parts of a packet that determine what to do with the packet. The user may filter packets by filtering certain flag bits within the packets by checking the boxes corresponding to the flag bits of the TCP field. The user may choose between urg (urgent), ack (acknowledgement), psh (push), rst (reset), syn (synchronize) and fin (finish). src port mask: Specify a TCP port mask for the source port in hex...

Page 181: ...in each frame's header. Select Packet Content Mask to specify a mask to hide the content of the packet header. IPv6 Class: Checking this field will instruct the Switch to examine the class field of the IPv6 header. This class field is a part of the packet header that is similar to the Type of Service (ToS) or Precedence bits field in IPv4. IPv6 Flow Label: Checking this field will instruct the Switch to e...

Page 182: ... ID: Use the drop-down menu to select a unique identifier number for this profile set. This value can be set from 1 to 5. Select ACL Type: Select profile based on Ethernet (MAC Address), IPv4 address, IPv6 address or packet content mask. This will change the menu according to the requirements for the type of profile. Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header. Se...

Page 183: ...his entry in the Switch's memory. To view the settings of a previously correctly created profile, click the corresponding Show Details button on the CPU Access Profile List window to view the following window: Figure 6-30. CPU Access Profile Detail Information window for Packet Content. To establish the rule for a previously created CPU Access Profile: To configure the Access Rules for Ethernet, open the...

Page 184: ...ckets that do not match the access profile are not forwarded by the Switch and will be filtered. Ethernet Type (0-FFFF): Enter the appropriate Ethernet Type information. Time Range Name: Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window. This will set specific times when this access rule will be implemented on the Switch...

Page 185: ...e following parameters and click Apply. Parameter Description. Access ID (1-100): Type in a unique identifier number for this access. This value can be set from 1 to 100. Action: Select Permit to specify that the packets that match the access profile are forwarded by the Switch, according to any additional rule added (see below). Select Deny to specify that packets that do not match the access profile are not...

Page 186: ...ow: Figure 6-36. CPU Access Rule Detail Information window for IPv4. To establish the rule for a previously created CPU Access Profile: To configure the Access Rules for IP, open the CPU Access Profile List window and click Add/View Rules for an IPv6 entry. This will open the following window: Figure 6-37. CPU Access Rule List window for IPv6. To remove a previously created rule, click the corresponding Del...

Page 187: ... real-time service packets. Time Range Name: Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window. This will set specific times when this access rule will be implemented on the Switch. Ports: Ticking the All Ports check box will denote all ports on the Switch. To view the settings of a previously correctly configured rule...

Page 188: ...ecified. Offset 0-15: Enter a value in hex form to mask the packet from the beginning of the packet to the 15th byte. Offset 16-31: Enter a value in hex form to mask the packet from byte 16 to byte 31. Offset 32-47: Enter a value in hex form to mask the packet from byte 32 to byte 47. Offset 48-63: Enter a value in hex form to mask the packet from byte 48 to byte 63. Offset 64-79: Enter a value in hex form ...

Page 189: ...2 alphanumeric characters that will be used to identify this time range on the Switch. This range name will be used in the Access Profile table to identify the access profile and associated rule to be enabled during this time range. Hours: This parameter is used to set the time in the day that this time range is to be enabled, using the following parameters: Start Time: Use this parameter to identify th...

Page 190: ... Port, Browse Session Table, IGMP Snooping Group, MLD Snooping Group, WAC Authenticating State, JWAC Host Table, MAC Address Table, System Log, MAC-based Access Control State. Device Environment: The device environment feature displays the Switch internal temperature status. This window is for the DGS-3200-16 only. To view the following window, click Monitoring > Device Environment. Figure 7-1. Device Environment ...

Page 191: ... 14, 15 and 16, crosstalk errors cannot be recognized and the length cannot be obtained when the port is connected to a 1000Mbytes port which is either forced to 10/100Mbytes or powered down. 2. If cable length is displayed as N/A, this means the cable length is Not Available. 3. The cable length cannot exceed 80 meters if the port is connected to a powered-off device or to a port which is configured to f...

Page 192: ...y to implement the configured settings. The window will automatically refresh with new updated statistics. Change the view parameters as follows: Parameter Description. Time Interval: Select the desired setting between 1s and 60s, where s stands for seconds. The default value is one second. Record Number: Select the number of times the Switch will be polled, between 20 and 200. The default value is 200. Show/Hide...

Page 193: ...Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port. Change the view parameters as follows: Parameter Description. Port: Use the drop-down menu to choose the port that will display statistics. Time Interval: Select the desired setting between 1s and 60s, where s stands for seconds. The default value is one second. Record Numb...

Page 194: ...ew these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port. To view the following windows, click Monitoring > Packet Size. Figure 7-5. Packet Size window. To view the Packet Size Table window, click the link View Table, which will show the following table: Figure 7-6. Packet Size Ta...

Page 195: ...were between ... and 255 octets in length inclusive (excluding framing bits but including FCS octets). 256-511: The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets). 512-1023: The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding f...

Page 196: ...t to view these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port. To view the following windows, click Monitoring > Packets > Received (RX). Figure 7-7. Received (RX) window (for Bytes and Packets). To view the Received (RX) Table window, click View Table. Figure 7-8. Received (RX) Table wind...

Page 197: ...ceived on the port. Packets: Counts the number of packets received on the port. Unicast: Counts the total number of good packets that were received by a unicast address. Multicast: Counts the total number of good packets that were received by a multicast address. Broadcast: Counts the total number of good packets that were received by a broadcast address. Show/Hide: Check whether to display Bytes and Packet...

Page 198: ...ime graphic of the Switch at the top of the web page by simply clicking on a port. To view the following windows, click Monitoring > Packets > UMB_cast (RX). Figure 7-9. UMB_cast (RX) window (for Unicast, Multicast and Broadcast Packets). To view the UMB_cast (RX) Table window, click the View Table link. Figure 7-10. UMB_cast (RX) Table window (for Unicast, Multicast and Broadcast Packets). The following fields may be set o...

Page 199: ...ackets that were received by a broadcast address. Show/Hide: Check whether or not to display Multicast, Broadcast and Unicast Packets. Clear: Clicking this button clears all statistics counters on this window. View Table: Clicking this button instructs the Switch to display a table rather than a line graph. View Graphic: Clicking this button instructs the Switch to display a line graph rather than a table. ...

Page 200: ...er of bytes successfully sent on the port. Packets: Counts the number of packets successfully sent on the port. Unicast: Counts the total number of good packets that were transmitted by a unicast address. Multicast: Counts the total number of good packets that were transmitted by a multicast address. Broadcast: Counts the total number of good packets that were transmitted by a broadcast address. Show/Hide: ...

Page 201: ...rt to view these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port. To view the following windows, click Monitoring > Errors > Received (RX). Figure 7-13. Received (RX) window (for errors). To view the Received (RX) Table window (for errors), click the link View Table, which will show the fol...

Page 202: ...that were longer than 1518 octets and less than the MAX_PKT_LEN. Internally, MAX_PKT_LEN is equal to 1536. Fragment: The number of packets less than 64 bytes with either bad framing or an invalid CRC. These are normally the result of collisions. Jabber: Counts invalid packets received that were longer than 1518 octets and less than the MAX_PKT_LEN. Internally, MAX_PKT_LEN is equal to 1536. Drop: The number o...

Page 203: ...the real-time graphic of the Switch at the top of the web page by simply clicking on a port. To view the following windows, click Monitoring > Errors > Transmitted (TX). Figure 7-15. Transmitted (TX) window (for errors). To view the Transmitted (TX) Table window, click the link View Table, which will show the following table: Figure 7-16. Transmitted (TX) Table window (for errors). The following fields may be set or viewed...

Page 204: ...Coll: Counts the number of times that a collision is detected later than 512 bit-times into the transmission of a packet. ExColl (Excessive Collisions): The number of packets for which transmission failed due to excessive collisions. SingColl (Single Collision Frames): The number of successfully transmitted packets for which transmission is inhibited by more than one collision. Collision: An estimate of the ...

Page 205: ...ccess Control windows, open the Monitoring folder and click Port Access Control. There are seven monitoring windows in this section. Authenticator State: The following section describes the 802.1X Status on the Switch. Users can view the Authenticator State. To view the following windows, click Monitoring > Port Access Control > Authenticator State. Figure 7-17. Authenticator State window for Port-based 802.1X...

Page 206: ...scription. Auth PAE State: The Authenticator PAE State value can be Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, Force_Auth, Force_Unauth or N/A. N/A (Not Available) indicates that the port's authenticator capability is disabled. Backend State: The Backend Authentication State can be Request, Response, Success, Fail, Timeout, Idle, Initialize or N/A. N/A (Not Available) indicates t...

Page 207: ...stics between 1s and 60s, where s stands for seconds. The default value is one second. The following fields can be viewed: Parameter Description. Port: The identification number assigned to the Port by the System in which the Port resides. Frames Rx: The number of valid EAPOL frames that have been received by this Authenticator. Frames Tx: The number of EAPOL frames that have been transmitted by this Authen...

Page 208: ...frames, other than Resp/Id frames, that have been received by this Authenticator. Rx Invalid: The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized. Rx Error: The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid. Last Version: The protocol version number carried in the most rec...

Page 209: ...nticator Session Statistics window. The user may select the desired time interval to update the statistics, between 1s and 60s, where s stands for seconds. The default value is one second. The following fields can be viewed: Parameter Description. Port: The identification number assigned to the Port by the System in which the Port resides. Octets Rx: The number of octets received in user data frames on this...

Page 210: ...e Authentication Server is external to the Authenticator's System. 2. Local Authentic Server: The Authentication Server is located within the Authenticator's System. Time: The duration of the session in seconds. Terminate Cause: The reason for the session termination. There are eight possible reasons for termination: 1. Supplicant Logoff, 2. Port Failure, 3. Supplicant Restart, 4. Reauthentication Failure, 5. AuthC...

Page 211: ...wing fields can be viewed: Parameter Description. Port: The identification number assigned to the Port by the System in which the Port resides. Connect Enter: Counts the number of times that the state machine transitions to the CONNECTING state from any other state. Connect LogOff: Counts the number of times that the state machine transitions from CONNECTING to DISCONNECTED as a result of receiving an EA...

Page 212: ...the Supplicant. Responses: Counts the number of times that the state machine sends an initial Access-Request packet to the Authentication server (i.e., executes sendRespToServer on entry to the RESPONSE state). Indicates that the Authenticator attempted communication with the Authentication Server. AccessChallenges: Counts the number of times that the state machine receives an initial Access-Challenge pack...

Page 213: ...e as sysName in MIB II. ServerIndex: The identification number assigned to each RADIUS Authentication server that the client shares a secret with. AuthServerAddress: The (conceptual) table listing the RADIUS authentication servers with which the client shares a secret. ServerPortNumber: The UDP port the client is using to send requests to this server. RoundTripTime: The time interval (in hundredths of a seco...

Page 214: ...s counted as a retransmit as well as a timeout. A send to a different server is counted as a Request as well as a timeout. UnknownTypes: The number of RADIUS packets of unknown type which were received from this server on the authentication port. PacketsDropped: The number of RADIUS packets which were received from this server on the authentication port and dropped for some other reason. RADIUS Accou...

Page 215: ... malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators and unknown types are not included as malformed accounting responses. BadAuthenticators: The number of RADIUS Accounting-Response packets which contained invalid authenticators received from this server. PendingRequests: The number of RADIUS Accounting-Req...

Page 216: ... Show Static button to display static ARP table entries. To clear the ARP Table, click Clear All. To view the following window, click Monitoring > Browse ARP Table. Figure 7-24. Browse ARP Table window. Browse VLAN: Users can display the VLAN status for each of the Switch's ports, viewed by VLAN. Enter a VID (VLAN ID) in the field at the top of the window and click the Find button. To view the following window, c...

Page 217: ...rt. Figure 7-26. Browse Router Port window. Enter a VID (VLAN ID) in the field at the top of the window and click the Find button. Browse MLD Router Port: Users can display which of the Switch's ports are currently configured as router ports in IPv6. A router port configured by a user (using the console or Web-based management interfaces) is displayed as a static router port, designated by S. A router port th...

Page 218: ...oping Group. Figure 7-29. IGMP Snooping Group window. The user may search the IGMP Snooping Group Table by either VLAN Name or VID List by entering it in the top left-hand corner and clicking Find. The following fields and settings can be viewed: Parameter Description. VID List / VLAN Name: The VID List or VLAN Name of the multicast group. VID / VLAN Name: The VID or VLAN Name of the multicast group. IP Address...

Page 219: ...ther VLAN Name or VID List present in the Switch by entering that VLAN Name / VID List in the empty field shown below and clicking the Find button. The following fields and settings can be viewed: Parameter Description. VID List / VLAN Name: The VID List or VLAN Name of the multicast group. Source: The source MAC address of the multicast group. Group: The multicast group. Port Member: The port members of this g...

Page 220: ... the desired range of ports and tick the appropriate check box(es): Authenticated, Authenticating and Blocked. MAC Address: Enter the MAC address for the device whose WAC authenticating state will be removed. Search: Click this button to initiate a search. Clear: Click this button to delete the WAC authentication state information selected above. Refresh: Click this button to refresh the values on this window...

Page 221: ...nge of ports. Find: Click this button to initiate the search function. Clear: Click this button to delete the Port List data at the top of the window. View All Hosts: Click this button to view all the JWAC hosts. Clear All Hosts: Click this button to delete all the JWAC hosts. Authenticated: Tick this check box to only show authenticated client hosts. Authenticating: Tick this check box to only show client ho...

Page 222: ...address table are described below: Parameter Description. Port: The port to which the MAC address below corresponds. VLAN Name: Enter a VLAN Name for the forwarding table to be browsed by. MAC Address: Enter a MAC address for the forwarding table to be browsed by. Find: Allows the user to move to a sector of the database corresponding to a user-defined port, VLAN or MAC address. Clear Dynamic Entries: Clickin...

Page 223: ...he user to clear the Switch History Log. The information in the table is categorized as: Parameter Description. Type: Choose the type of log to view. There are two choices: Regular Log: Choose this option to view regular switch log entries, such as logins or firmware transfers. Attack Log: Choose this option to view attack log files, such as spoofing attacks. Index: A counter incremented whenever an entry to t...

Page 224: ...e information. To view the following window, click Monitoring > MAC-based Access Control Authentication State. Figure 7-35. MAC-based Access Control Authentication State window. To display MAC-based Access Control Authentication State information, select a port using the Port drop-down menu and then click Apply. Users may also want to adjust the Time Interval at the top of the window. ...

Page 225: ...o save the configuration file indexed as Image file 1. To use this file for configuration, it must be designated as the Boot configuration. Save Configuration_ID_2 to save the configuration file indexed as Image file 2. To use this file for configuration, it must be designated as the Boot configuration. Save Log to save only the current log. Save All to save the current configuration file indexed as Imag...

Page 226: ...ng window: Figure 8-2. Save Configuration ID 2 window. Save Log: Open the Save drop-down menu at the top of the Web manager and click Save Log to open the following window: Figure 8-3. Save Log window. Save All: Open the Save drop-down menu at the top of the Web manager and click Save All to open the following window: Figure 8-4. Save All window. ...

Page 227: ...address and file path name. Select either IPv4 or IPv6 and then click Upload or Upload Attack Log. Figure 8-6. Upload Log File window. Reset: The Reset function has several options when resetting the Switch. Some of the current configuration parameters can be retained while resetting all other configuration parameters to their factory defaults. NOTE: Only the Reset System option will enter the factory def...

Page 228: ...nitiate the file transfer. Reboot System: The following window is used to restart the Switch. Figure 8-9. Reboot System window. Clicking the Yes radio button will instruct the Switch to save the current configuration to non-volatile RAM before restarting the Switch. Clicking the No radio button instructs the Switch not to save the current configuration before restarting the Switch. All of the configurati...

Page 229: ...yload

Columns: H/W Type | Protocol Type | H/W Address Length | Protocol Address Length | Operation | Sender H/W Address | Sender Protocol Address | Target H/W Address | Target Protocol Address
Row: Operation ARP request | Sender H/W Address 00-20-5C-01-11-11 | Sender Protocol Address 10.10.10.1 | Target H/W Address 00-00-00-00-00-00 | Target Protocol Address 10.10.10.2

The ARP request will be encapsulated into an Ethernet frame and sent out. As can be seen in Table 2, the Source Address in the Ethernet frame will be PC A's MAC add...

Page 230: ...the sender. The ARP reply is a form of Unicast communication.

Table 3. ARP Payload
Columns: H/W Type | Protocol Type | H/W Address Length | Protocol Address Length | Operation | Sender H/W Address | Sender Protocol Address | Target H/W Address | Target Protocol Address
Row: Operation ARP reply | Sender H/W Address 00-20-5C-01-22-22 | Sender Protocol Address 10.10.10.2 | Target H/W Address 00-20-5C-01-11-11 | Target Protocol Address 10.10.10.1

When PC B replies to the query, the Destination Address in the Ethernet frame will be c...

Page 231: ...e the Source Address of the Ethernet frame and find that the address is not in the Forwarding Table. The switch will learn PC B's MAC and update its Forwarding Table.

Forwarding Table
Port 1: 00-20-5C-01-11-11
Port 2: 00-20-5C-01-22-22 ...

Page 232: ...immediately update their own ARP table in accordance with the sender's MAC and IP address. The format of Gratuitous ARP is shown in the following table.

Table 5
Destination Address (6 byte) | Source Address (6 byte) | Ethernet Type (2 byte) | H/W Type (2 byte) | Protocol Type (2 byte) | H/W Address Length | Protocol Address Length | Operation | Sender H/W Address | Sender Protocol Address | Target H/W Address | Target Protocol Address ...

Page 233: ...Because a basic ACL can only filter ARP packets on packet type, VLAN ID, and source and destination MAC address, the ARP payload itself needs further inspection. To prevent ARP spoofing, this example uses a Packet Content ACL on the Switch to block invalid ARP packets that carry a forged binding between the gateway's MAC address and IP address. Example topology: ...

Page 234: ...

Offset Chunk | Byte positions (1-indexed from the start of the Ethernet frame)
Chunk 0 | 127, 128, 1, 2
Chunk 1 | 3, 4, 5, 6
Chunk 2 | 7, 8, 9, 10
Chunk 3 | 11, 12, 13, 14
Chunk 4 | 15, 16, 17, 18
Chunk 5 | 19, 20, 21, 22
Chunk 6 | 23, 24, 25, 26
Chunk 7 | 27, 28, 29, 30
Chunk 8 | 31, 32, 33, 34
Chunk 9 | 35, 36, 37, 38
Chunk 10 | 39, 40, 41, 42
Chunk 11 | 43, 44, 45, 46
Chunk 12 | 47, 48, 49, 50
Chunk 13 | 51, 52, 53, 54
Chunk 14 | 55, 56, 57, 58
Chunk 15 | 59, 60, 61, 62
Offset Chunk 16, Offset Chunk 17, Offset...

Each chunk is a 4-byte window that a Packet Content ACL rule matches with a value and a mask; chunk 0 wraps around the end of the 128 inspected bytes. With the Ethernet header in bytes 1-14 and the fixed ARP header fields (H/W Type, Protocol Type, H/W Address Length, Protocol Address Length, Operation) in bytes 15-22, the Ethernet Type falls in bytes 13-14 (chunk 3), the Sender H/W Address in bytes 23-28 (chunks 6 and 7) and the Sender Protocol Address in bytes 29-32 (chunks 7 and 8). These are the chunks a rule on the gateway's MAC/IP binding has to cover.
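The ARP exchange on pages 229-232 and the Packet Content ACL on pages 233-234 can be modelled end to end. The Python below is an added example, not code from the D-Link manual: it builds and parses ARP request, reply and gratuitous-ARP frames with the Table 5 field layout, maps 1-indexed frame bytes onto the 4-byte offset chunks of the table above (chunk 0 wraps to bytes 127, 128, 1, 2; chunk k covers bytes 4k-1 to 4k+2), and evaluates an ordered permit/deny policy of the shape the manual's example describes: permit ARP whose sender MAC and IP equal the gateway's binding, then deny any other ARP that claims the gateway's IP. The gateway binding 00-20-5C-01-11-11 / 10.10.10.1 is PC A's from the manual's tables; the attacker MAC 00-20-5C-01-33-33, the {chunk: (value, mask)} rule representation and all function names are this example's own assumptions, not the switch's CLI syntax.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff-ff-ff-ff-ff-ff"
# Constructed gateway binding (PC A in the manual's topology); an attacker MAC used in
# the usage below is 00-20-5c-01-33-33. Both are sample values for this example only.
GATEWAY_MAC, GATEWAY_IP = "00-20-5c-01-11-11", "10.10.10.1"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.replace(":", "-").split("-"))


def mac_str(b):
    return "-".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet header (14 bytes) followed by the 28-byte ARP payload of Table 5."""
    if dst_mac is None:  # requests are broadcast, replies unicast to the target
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # H/W type, proto type, HLEN, PLEN, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def gratuitous_arp(mac, ip):
    """Broadcast ARP reply whose sender and target IP are both the announcer's own address."""
    return build_arp(ARP_REPLY, mac, ip, BROADCAST, ip, dst_mac=BROADCAST)


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if the Ethernet Type is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


# --- Packet Content ACL model: the 4-byte chunk grid of the manual's offset table ---

def chunk_bytes(chunk):
    """1-indexed frame byte positions covered by a chunk (chunk 0 wraps: 127, 128, 1, 2)."""
    return [127, 128, 1, 2] if chunk == 0 else [4 * chunk - 1 + i for i in range(4)]


def chunks_for_field(first_byte, length):
    """Chunk numbers spanned by a field at 1-indexed offset first_byte."""
    wanted = set(range(first_byte, first_byte + length))
    return [c for c in range(32) if wanted & set(chunk_bytes(c))]


def chunk_value(frame, chunk):
    """32-bit value of the frame bytes at the chunk's positions (bytes past the end read as 0)."""
    v = 0
    for pos in chunk_bytes(chunk):
        v = (v << 8) | (frame[pos - 1] if pos - 1 < len(frame) else 0)
    return v


def field_rule(first_byte, data):
    """Express 'frame bytes at first_byte.. equal data' as {chunk: (value, mask)}."""
    rule = {}
    for i, b in enumerate(data):
        pos = first_byte + i
        chunk = chunks_for_field(pos, 1)[0]
        shift = 8 * (3 - chunk_bytes(chunk).index(pos))
        v, m = rule.get(chunk, (0, 0))
        rule[chunk] = (v | b << shift, m | 0xFF << shift)
    return rule


def merge(*rules):
    """AND several field rules together (fields can share a chunk, so OR values and masks)."""
    out = {}
    for r in rules:
        for c, (v, m) in r.items():
            ov, om = out.get(c, (0, 0))
            out[c] = (ov | v, om | m)
    return out


def rule_matches(frame, rule):
    return all(chunk_value(frame, c) & m == v for c, (v, m) in rule.items())


IS_ARP = field_rule(13, struct.pack("!H", ETHERTYPE_ARP))  # Ethernet Type, bytes 13-14
ACL = [  # ordered, first match wins; a default permit follows the listed rules
    ("permit", merge(IS_ARP, field_rule(23, mac_bytes(GATEWAY_MAC)),   # genuine binding
                     field_rule(29, ip_bytes(GATEWAY_IP)))),
    ("deny", merge(IS_ARP, field_rule(29, ip_bytes(GATEWAY_IP)))),     # anyone else claiming the IP
]


def acl_action(frame):
    for action, rule in ACL:
        if rule_matches(frame, rule):
            return action
    return "permit"
```

Rule order matters: the permit for the genuine binding must precede the deny, otherwise the gateway's own ARP (for example `gratuitous_arp(GATEWAY_MAC, GATEWAY_IP)`) is dropped while `gratuitous_arp("00-20-5c-01-33-33", GATEWAY_IP)` is what the deny rule is meant to catch. The check is only as strong as the binding: an attacker who also clones the gateway's MAC passes both rules, which is why the IP-MAC-Port Binding feature logged on page 244 ties the binding to a port as well.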

Page 236: ...information for logging.
Side Fan failed: Unit <unitID>, Side Fan failed. Severity: Critical. (For DGS-3200-16 only.)
Side Fan recovered: Unit <unitID>, Side Fan recovered. Severity: Critical. (For DGS-3200-16 only.)
Up/Download: Firmware upgraded successfully: Unit <unitID>, Firmware upgraded by console successfully (Username: <username>, IP: <ipaddr>, MAC: <macaddr>). Severity: Informational. "by console" and "IP: <ipaddr>, MAC: <macaddr>" are shown XOR in the log string, which...

Page 237: ...ans that if the user logs in by console, there will be no IP and MAC information in the log.
Interface: Port link up: Port <unitID:portNum> link up, <link state>. Severity: Informational. <link state> is, for example, 100Mbps FULL duplex.
Port link down: Port <unitID:portNum> link down. Severity: Informational.
Console: Successful login through Console: Unit <unitID>, Successful login through Console (Username: <username>). Severity: Informational. There are no IP and MAC if login by c...

Page 238: ...ved from <ipAddress> with invalid community string. Severity: Informational.
STP: Topology changed: Topology changed (Instance: <InstanceID>, port: <unitID:portNum>). Severity: Informational. A topology change was detected on the port.
New Root selected: CIST/MIST Regional New root selected (Instance: <InstanceID>, Root bridge MAC: <macaddr>, Priority: <value>). Severity: Informational. Root bridge MAC address and priority at the instance. Spanning Tree Protocol is enabled...

Page 239: ...from <userIP> authenticated by AAA local method (Username: <username>, MAC: <macaddr>). Severity: Warning.
Successful login through Web(SSL) authenticated by AAA local method: Successful login through Web(SSL) from <userIP> authenticated by AAA local method (Username: <username>, MAC: <macaddr>). Severity: Informational.
Login failed through Web(SSL) authenticated by AAA local method: Login failed through Web(SSL) from <userIP> authenticated by AAA...

Page 240: ...ddr). Severity: Informational.
Successful login through Console authenticated by AAA server: Successful login through Console authenticated by AAA server <serverIP> (Username: <username>). Severity: Informational. There are no IP and MAC if login by console.
Login failed through Console authenticated by AAA server: Login failed through Console authenticated by AAA server <serverIP> (Username: <username>). Severity: Warning. There are no IP and MAC if...

Page 241: ...ed through Telnet from <userIP> authenticated by AAA server <serverIP> (Username: <username>, MAC: <macaddr>). Severity: Warning.
Successful login through SSH authenticated by AAA server: Successful login through SSH from <userIP> authenticated by AAA server <serverIP> (Username: <username>, MAC: <macaddr>). Severity: Informational.
Successful Enable Admin through Console authenticated by AAA local_enable method: Successful Enable Admin through Con...

Page 242: ...(Username: <username>). Severity: Informational.
Successful Enable Admin through Web authenticated by AAA none method: Successful Enable Admin through Web from <userIP> authenticated by AAA none method (Username: <username>, MAC: <macaddr>). Severity: Informational.
Successful Enable Admin through Web(SSL) authenticated by AAA none method: Successful Enable Admin through Web(SSL) from <userIP> authenticated by AAA none method (Username: <userna...

Page 243: ...server timeout or improper configuration (Username: <username>, MAC: <macaddr>). Severity: Warning.
Successful Enable Admin through Web(SSL) authenticated by AAA server: Successful Enable Admin through Web(SSL) from <userIP> authenticated by AAA server <serverIP> (Username: <username>, MAC: <macaddr>). Severity: Informational.
Enable Admin failed through Web(SSL) authenticated by AAA server: Enable Admin failed through Web(SSL) from <userIP> authent...

Page 244: ...iled. Severity: Warning. <protocol> is one of TACACS, XTACACS, TACACS+, RADIUS.
AAA server ACK error: AAA server <serverIP> (Protocol: <protocol>) response is wrong. Severity: Warning. <protocol> is one of TACACS, XTACACS, TACACS+, RADIUS.
AAA does not support this functionality: AAA doesn't support this functionality. Severity: Informational.
IP-MAC-Port Binding: Unauthenticated IP address, discarded by IP-MAC-Port binding: Unauthenticated IP-MAC address...

Page 245: ...out normally (Username: %s, IP: %s, MAC: %s, Port: %s). Severity: Informational.
Logout forcibly: JWAC host logout forcibly (Username: %s, IP: %s, MAC: %s, Port: %s). Severity: Warning.
Age out: JWAC host age out (Username: %s, IP: %s, MAC: %s, Port: %s). Severity: Informational.
Loopback Detection: Port loop occurred: Port <unitID:portNum> LBD loop occurred. Port blocked. Severity: Critical.
Port loop detection restarted after interval time: Port <unitID:portNum> LBD port recovered. Loop dete...

Page 246: ...default priority will be assigned to the port. RADIUS server <ipaddr> assigned 802.1p default priority <priority> to port <unitID:portNum> (account: <username>). Severity: Informational. Stand-alone device: port <portNum>; stackable device: Port <unitID:portNum>.
802.1X Authentication failure: 802.1X Authentication failure [for <reason>] from (Username: <username>, Port: <unitID:portNum>, MAC: <macaddr>). Severity: Warning. Stand-alone device: port <portNum>; stackab...
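The login, Enable Admin and AAA-server entries on pages 239-244 are the ones a SOC would alert on. The Python below is an added example, not code from the manual: it parses a constructed export of such entries, counts failures per source, raises an alert at a threshold, and flags a success that follows a run of failures from the same source. The sample lines follow the wording of the table above; the exact punctuation of the "Username/MAC" suffix and the trailing severity word, the IP addresses, usernames and the threshold of 3 are this example's assumptions. Console logins carry no IP or MAC, as the table's remarks say, so they are keyed by channel instead.

```python
import re
from collections import defaultdict

# Constructed sample export (not a real switch log). Wording follows the manual's log table;
# the parenthesised suffix and trailing severity are an assumed rendering of that table.
SAMPLE_LOG = """\
Login failed through SSH from 10.0.0.5 authenticated by AAA server 10.0.0.100 (Username: admin, MAC: 00-11-22-33-44-55) Warning
Login failed through SSH from 10.0.0.5 authenticated by AAA server 10.0.0.100 (Username: admin, MAC: 00-11-22-33-44-55) Warning
Login failed through Telnet from 10.0.0.5 authenticated by AAA local method (Username: root, MAC: 00-11-22-33-44-55) Warning
Successful login through Web(SSL) from 10.0.0.9 authenticated by AAA local method (Username: admin, MAC: 00-aa-bb-cc-dd-ee) Informational
Login failed through Console authenticated by AAA server 10.0.0.100 (Username: admin) Warning
Successful login through SSH from 10.0.0.5 authenticated by AAA server 10.0.0.100 (Username: admin, MAC: 00-11-22-33-44-55) Informational
Enable Admin failed through Web from 10.0.0.9 authenticated by AAA local_enable method (Username: admin, MAC: 00-aa-bb-cc-dd-ee) Warning
AAA server 10.0.0.100 (Protocol: RADIUS) response is wrong Warning
"""

LOGIN_RE = re.compile(
    r"^(?P<outcome>Successful login|Login failed|Successful Enable Admin|Enable Admin failed)"
    r" through (?P<channel>\S+)"
    r"(?: from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"        # absent for console logins
    r" authenticated by AAA (?P<method>server \S+|\S+ method)"
    r" \(Username: (?P<user>[^,)]+)(?:, MAC: (?P<mac>[0-9A-Fa-f-]+))?\)"  # MAC absent on console
    r" (?P<severity>Informational|Warning|Critical)$"
)


def parse_line(line):
    """Fields of one login/Enable Admin entry, or None for any other log string."""
    m = LOGIN_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(text, threshold=3):
    """Failure counts per source, alerts at the threshold, successes after a run of failures."""
    failures = defaultdict(int)   # keyed by source IP, or by channel when no IP is logged
    alerts, flagged, unparsed = [], [], []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)          # e.g. the AAA server ACK error entry
            continue
        src = ev["ip"] or f"console/{ev['channel']}"
        if ev["outcome"] in ("Login failed", "Enable Admin failed"):
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(f"{threshold} failures from {src}")
        elif ev["outcome"] == "Successful login" and failures[src] >= threshold:
            flagged.append((src, ev["user"], ev["channel"]))  # possible guessed credential
    return {"failures": dict(failures), "alerts": alerts, "flagged": flagged, "unparsed": unparsed}
```

`analyse(SAMPLE_LOG)` raises one alert for 10.0.0.5 after its third failure and flags the SSH login that follows; the console failure is counted separately because the entry carries no address to pivot on, and the AAA-server entry is left in `unparsed` rather than silently dropped.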

Page 247: ...uProtectChgToExhausted: This trap indicates that the system changed operation mode from normal to exhausted. OID 1.3.6.1.4.1.171.12.19.4.1.0.1.
SafeGuardChgToNormal: This trap indicates that the system changed operation mode from exhausted to normal. OID 1.3.6.1.4.1.171.12.19.4.1.0.2.
PktStormOccurred: This trap is sent when a packet storm is detected by the packet storm mechanism and shutdown is taken as the action. OID 1.3.6.1.4.1.171.12...

Page 248: ...member generates a link-up notification. OID 1.3.6.1.4.1.171.12.8.6.0.14.
SingleIPMSAuthFail: The commander switch will send the swSingleIPMSAuthFail notification to the indicated host when its member generates an authentication failure notification. OID 1.3.6.1.4.1.171.12.8.6.0.15.
SingleIPMSnewRoot: The commander switch will send the swSingleIPMSnewRoot notification to the indicated host when its member generates a new...

Page 249: ...a high-capacity alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps. OID 1.3.6.1.2.1.16.29.2.0.1.
FallingAlarmTrap: This trap is an SNMP notification that is generated when a high-capacity alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps. OID 1.3.6.1.2.1.16.29.2.0.2.
newRoot: The newRoot trap indicate...

Page 250: ...of the switch. 2. Power on the Switch. After the runtime image is loaded to 100%, the Switch allows 2 seconds for the user to press the hotkey (Shift+6) to enter Password Recovery Mode. Once the Switch enters Password Recovery Mode, all ports on the Switch are disabled. Because the hotkey only requires a console session during the boot window, anyone with physical access to the console port can reach this mode; treat console access as administrative access and restrict it accordingly.

Boot Procedure V1.00-B006
Power On Self Test ........ 100%
MAC Address : 00-19-5B-EC-32-15
H/W Version : A1
Please wait, loading V1.35-B01...

Page 251: ...destination devices on the network. broadcast storm: Multiple simultaneous broadcasts that typically absorb available network bandwidth and can cause network failure. console port: The port on the Switch accepting a terminal or modem connector. It changes the parallel arrangement of data within computers to the serial form used on data transmission links. This port is most often used for dedicated local...

Page 252: ...k Management Protocol: A protocol originally designed to be used in managing TCP/IP internets. SNMP is presently implemented on a wide range of computers and networking equipment and may be used to manage many aspects of network and end-station operation. Spanning Tree Protocol (STP): A bridge-based system for providing fault tolerance on networks. STP works by allowing the user to implement parallel pat...

Page 253: ...ation pertaining to the product, and in that case the product is being sold "As Is" without any warranty whatsoever, including, without limitation, the Warranty as described herein, notwithstanding anything stated herein to the contrary. Submitting A Claim: The customer shall return the product to the original purchase point based on its return policy. In case the return policy period has expired and the pr...

Page 254: ...ms, Inc. Other trademarks or registered trademarks are the property of their respective owners. Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means, or used to make any derivative such as translation, transformation, or adaptation, without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United...

Page 255: ...Registration: Register your D-Link product online at http://support.dlink.com/register. Product registration is entirely voluntary, and failure to complete or return this form will not diminish your warranty rights. ...

Page 256: ...the defective Hardware, the price paid by the original purchaser for the defective Hardware will be refunded by D-Link upon return to D-Link of the defective Hardware. All Hardware or part thereof that is replaced by D-Link, or for which the purchase price is refunded, shall become the property of D-Link upon replacement or refund. Limited Software Warranty: D-Link warrants that the software portion of...

Page 257: ...not to be defective or non-conforming. What Is Not Covered: This limited warranty provided by D-Link does not cover: Products that have been subjected to abuse, accident, alteration, modification, tampering, negligence, misuse, faulty installation, lack of reasonable care, repair or service in any way that is not contemplated in the documentation for the product, or if the model or serial number has been alte...

Page 258: ...ir respective proprietors. Copyright Statement: No part of this publication may be reproduced in any form or by any means, or used to make any derivative such as translation, transformation, or adaptation, without permission from D-Link Corporation/D-Link International Pte Ltd. FCC Warning: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15...

Page 259: ...the warranty period on this product. U.S. and Canadian customers can contact D-Link technical support through our website or by phone. Tech Support for customers within the United States: D-Link Technical Support over the Telephone: (877) DLINK-55 / (877) 354-6555. D-Link Technical Support over the Internet: http://support.dlink.com. Tech Support for customers within Canada: D-Link Technical Support over the Tel...

Page 260: ...uk, FTP: ftp.dlink.co.uk. Technical Support (Technische Unterstützung). Germany: Web: http://www.dlink.de, E-mail: support@dlink.de, Telephone: +49 (0)1805 2787 (0.14 per minute), Hours: Mon-Fri 09:00-17:30. Austria: Web: http://www.dlink.at, E-mail: support@dlink.at, Telephone: +43 (0)820 480084 (0.116 per minute), Hours: Mon-Fri 09:00-17:30. Switzerland: Web: http://www.dlink.ch, E-mail: support@dlink.ch, Telephone: +41 (0)848 331100 (0.08 CHF per minute)...

Page 261: ...www.dlink.nl (0.15 ppm anytime). Tech Support for customers within Belgium: 070 66 06 40, www.dlink.be (0.175 ppm peak, 0.0875 ppm off-peak). Tech Support for customers within Luxemburg: +32 70 66 06 40, www.dlink.be. Technical Support (Asistencia Técnica): D-Link telephone technical support: +34 902 30 45 45 (0.067/min), Monday to Friday 9:00-14:00 and 15:00-18:00, http://www.dlink.es. Technical Support (Supporto tecnico): Technical support from Mon...

Page 262: ...Mon-Fri from 09:00 to 17:00. Land line: 1.78 CZK/min, Mobile: 5.40 CZK/min. Technical Support (Technikai Támogatás): Tel: 06 1 461 3001, Fax: 06 1 461 3004, Land line: 14.99 HUF/min, Mobile: 49.99 HUF/min, e-mail: support@dlink.hu, URL: http://www.dlink.hu. Technical Support (Teknisk Support): D-Link telephone technical support: 820 00 755, Weekdays 08:00-20:00. D-Link technical support over the Internet: http://www.dlink.no. Technical Support (Teknisk Support): D-Link technical support over the telepho...

Page 263: ...efallinias 64, 11251 Athens, Tel: 210 86 11 114, Monday-Friday 09:00-17:00, Fax: 210 8611114, http://www.dlink.gr/support. Technical Support (Assistência Técnica): D-Link technical support on the Internet: http://www.dlink.pt, e-mail: soporte@dlink.es. Technical Support (Teknisk Support): D-Link technical support via telephone: 0900 100 77 00, Weekdays 08:00-20:00. D-Link technical support via the Internet: http://www.dlink.se. ...

Page 264: ...k.biz/hr. Technical Support (Tehnična podpora): Thank you for choosing a D-Link product. For all further information, support and user instructions, please visit D-Link's website: www.dlink.eu / www.dlink.biz/sl. Technical Support (Suport tehnic): Thank you for choosing D-Link products. For more information, support and product manuals, please visit the D-Link site: www.dlink.eu / www.dlink.ro. ...

Page 265: ...link.co.in/support/productsupport.aspx. Indonesia, Malaysia, Singapore and Thailand: Tel: +62-21-5731610 (Indonesia); Tel: 1800-882-880 (Malaysia); Tel: +65 6501 4200 (Singapore); Tel: +66-2-719-8978/9 (Thailand). 24/7 for English Support Only. http://www.dlink.com.sg/support, e-mail: support@dlink.com.sg. Korea: Tel: +82-2-2028-1815, Monday to Friday 9:00am to 6:00pm, http://www.d-link.co.kr, e-mail: arthur@d-link.co.kr. New Zealand: T...

Page 266: ...+92-21-4548158 or +92-21-4548310, Monday to Friday 10:00am to 6:00pm, http://support.dlink-me.com, E-mail: zkashif@dlink-me.com. South Africa and Sub-Sahara Region: Tel: +27 12 665 2165, 08600 DLINK (for South Africa only), Monday to Friday 8:30am to 9:00pm South Africa Time, http://www.d-link.co.za. Turkey: Tel: +90 212 2895659, Monday to Friday 9:00am to 6:00pm, http://www.dlink.com.tr, e-mail: turkiye@dlink-me.com, e-mail:...

Page 267: ...ink. D-Link provides free support to customers during the warranty period. Customers can contact the D-Link technical support team by telephone or via the Internet. D-Link Technical Support: +7 (495) 744-00-99. Technical support via the Internet: http://www.dlink.ru, e-mail: support@dlink.ru. ...

Page 268: ...s 06:00 to 19:00. Costa Rica: 0800 0521478, Monday to Friday 05:00 to 18:00. Ecuador: 1800 035465, Monday to Friday 06:00 to 19:00. El Salvador: 800 6335, Monday to Friday 05:00 to 18:00. Guatemala: 1800 8350255, Monday to Friday 05:00 to 18:00. Mexico: 01800 1233201, Monday to Friday 06:00 to 19:00. Panama: 011 008000525465, Monday to Friday 05:00 to 18:00. Peru: 0800 00968, Monday to Friday 06:00 to 1...

Page 269: ...il. D-Link provides free technical support to customers in Brazil during the warranty period of this product. Technical Support for customers in Brazil: Telephone: São Paulo (11) 2185-9301, Monday to Friday 8:30 to 18:30; other regions of Brazil: 0800 70 24 104. E-mail: suporte@dlinkbrasil.com.br. ...

Page 270: ...means to contact D-Link Taiwan technical support engineers. D-Link toll-free technical support line: 0800-002-615. Service hours: Monday to Friday, 9:00am to 9:00pm (excluding Saturdays, Sundays and national holidays). Website: http://www.dlink.com.tw. E-mail: dssqa_service@dlink.com.tw. If you are a user outside Taiwan, please refer to the contact information for D-Link's branch offices worldwide on the D-Link website to obtain support. Product warranty period and Taiwan repair centre lookup: please refer to the following web page: http://www.dlink.com.tw (Product Repair). Users may send products directly to any Synnex-operated repair centre nationwide, or contact the dealer the product was purchased from. ...

Page 271: ...user documentation can be obtained on the D-Link website. Technical Support for customers: D-Link technical support by telephone: Tel: +62-21-5731610. D-Link technical support via the Internet: E-mail: support@dlink.co.id, Website: http://support.dlink.co.id. ...

Page 272: ...Technical Support. Thank you very much for purchasing this product. By completing user registration and new-product registration on the D-Link website below, you can download support information, firmware and user manuals from the download service. D-Link Japan website: http://www.dlink-jp.com. ...

Page 273: ...Dongcheng District, No. 36 North Third Ring East Road, Global Trade Center Tower B, 26F, Rooms 02-05, Postcode 100013. Technical Support Center Tel: 8008296688 / 028-66052968. Technical Support Center Fax: 028-85176948. Repair Center Address: No. 36 North Third Ring East Road, Dongcheng District, Beijing, Global Trade Center Tower B, 26F, Rooms 02-05, Postcode 100013. Repair Center Tel: 010-58257789. Repair Center Fax: 010-58257790. Website: http://www.dlink.com.cn. Office hours: Monday to Friday, 9:00 to 18:00. ...
