D-Link DWS-1008 Скачать руководство пользователя страница 309

Страница: 309 / 454

304

DWS-1008 User’s Manual

D-Link Systems, Inc.

Conﬁguring AAA for Network Users

How the Location Policy Differs from a Security ACL

Although structurally similar, the location policy and security ACLs have different functions.

The location policy on a switch can be used to locally redirect a user to a different VLAN or

locally control the trafﬁc to and from a user.

In contrast, security ACLs are packet ﬁlters applied to the user throughout a MobileLAN.

You can use the location policy to locally apply a security ACL to a user.

Setting the Location Policy

To enable the location policy function on a switch, you must create at least one location

policy rule with one of the following commands:

set location policy deny if

{

ssid

operator

ssid-name

vlan

operator

vlan-glob

user

operator user-glob

port

port-list

dap

dap-num

}

[

before

rule-number

modify

rule-number

]

set location policy permit

{

vlan

vlan-name

inacl

inacl-name

outacl

outacl-name

}

{

ssid

operator

ssid-name

vlan

operator

vlan-glob

user

operator

user-glob

port

port-list

dap

dap-num

}

[

before

rule-number

modify

rule-number

]

You must specify whether to permit or deny access, and you must identify a VLAN,

username, or access port to match. Use one of the following operators to specify how the

rule must match the VLAN or username:

•

- Applies the location policy rule to all users assigned VLAN names matching

vlan-glob

or having usernames that match

user-glob

(Like a user glob, a VLAN glob is a way to group VLANs for use in this command.)

•

neq

- Applies the location policy rule to all users assigned VLAN names

not

matching

vlan-glob

or having usernames that

do not

match

user-glob

For example, the following command denies network access to all users matching

*.theirﬁrm.com, causing them to fail authorization:

DWS-1008#

set location policy deny if user eq *.theirﬁrm.com

The following command authorizes access to the

guest_1

VLAN for all users who do not

match *.ourﬁrm.com:

DWS-1008#

set location policy permit vlan guest_1 if user neq *.ourﬁrm.com

The following command places all users who are authorized for SSID

tempvendor_a

into

VLAN

kiosk_1

DWS-1008#

set location policy permit vlan kiosk_1 if ssid eq tempvendor_a

success: change accepted.

Содержание DWS-1008

Страница 1: ......

Страница 2: ...stomizing AAA with Globs and Groups Con guring and Managing Ports and VLANs Setting the Port Type Displaying Port Statistics Con guring and Managing VLANs Managing the Layer 2 Forwarding Database Con...

Страница 3: ...dios Disabling or Reenabling Radios Displaying AP Con guration Information Con guring User Encryption Con guring WPA Con guring RSN Con guring WEP Encryption Con guration Scenarios Con guring RF Auto...

Страница 4: ...ion Key and Certi cate Con guration Scenarios Con guring AAA for Network Users About AAA for Network Users AAA Tools for Network Users Con guring 802 1X Authentication Con guring Authentication and Au...

Страница 5: ...DoS Alerts Displaying RF Detection Information Managing System Files About System Files Working with Files Managing Con guration Files Backing Up and Restoring the System Appendix A Troubleshooting Fi...

Страница 6: ...by quali ed service personnel only Please follow all warning notices and instructions marked on the product or included in the documentation The manufacturer is not responsible for any radio or TV in...

Страница 7: ...o an AAA server for complete veri cation This of oading capability ensures that the WLAN will not overload when clients are simultaneously connecting to the network User Based Authentication Services...

Страница 8: ...green 100Mbps link is operational Solid amber 10Mbps link is operational Blinking green Traf c is active on the 100Mbps link Blinking amber Traf c is active on the 10Mbps link AP 1 6 Solid green For a...

Страница 9: ...Protocol over Secure Sockets Layer HTTPS IP Services IP interfaces You can con gure an IP interface for each VLAN IP ping and traceroute You can test IP connectivity between the switch and other devic...

Страница 10: ...nd 10 100 Ethernet Cable Wiring Connections on the 10 100 ports require CAT5 cable based on the EIA TIA 586 standard The 10 100 Ethernet ports on the DWS 1008 switch provide automatic MDI MDX which au...

Страница 11: ...r on a tabletop Each switch is shipped with two brackets for rack mounting and four adhesive rubber feet for tabletop mounting The mounting brackets support front mounting only Warning Earth grounding...

Страница 12: ...are on the DWS 1008 switch No additional software is required The switch supports two connection modes Administrative access mode which enables the network administrator to connect to the switch and c...

Страница 13: ...Warning To prevent the switch from slipping do not release the switch until all the rack mount screws are tight Tabletop Installation 1 On a clean work surface with no debris carefully turn the switch...

Страница 14: ...d con gure the following modem settings 9600 bps 8 bits 1 stop No parity Hardware ow control off or disabled 4 Open a connection on a serial port If the switch is already powered on press Enter three...

Страница 15: ...the mains 1 Insert a CAT5 cable with a standard RJ 45 connector The 10 100 Ethernet ports on the DWS 1008 switch provide automatic MDI MDX 2 If the cable is directly attached to a DWL 8220AP access p...

Страница 16: ...ce to con gure a new switch or to continue con guration of a partially con gured switch CLI Command Line Interface You can con gure a switch using the CLI by attaching a PC to the switch s Console por...

Страница 17: ...lists the default if applicable You can advance to the next item and accept the default if applicable by pressing Enter Depending on your input the command also automatically generates the following k...

Страница 18: ...ntry code For a list of valid country codes refer to the section Appendix Country of Operation Another question the script asks is Do you wish to con gure wireless If you answer y the script goes on t...

Страница 19: ...port 2 and 3 The IP addresses usernames and passwords in this document are examples Use values that are appropriate for your organization If you con gure time and date parameters you will be required...

Страница 20: ...y Enter a crypto SSID to use corporate Enter a username with which to do PEAP MSCHAPv2 cr to exit alice Enter a password for alice alicepass Enter a username with which to do PEAP MSCHAPv2 cr to exit...

Страница 21: ...tems Inc Con guration continued Con guration 6 Optionally enable Telnet DWS 1008 aabbcc set ip telnet server enable 7 Verify the con guration changes DWS 1008 aabbcc show con g 8 Save the con guration...

Страница 22: ...s Enter a third time to display a command prompt Username Password DWS 1008 Note For simplicity the command prompt examples in the documentation show a switch model such as DWS 1008 and the CLI access...

Страница 23: ...e IP connectivity See Con guring IP Connectivity on page 22 4 Specify the country of operation See Specifying the Country of Operation on page 25 5 Specify a system IP address See Specifying a System...

Страница 24: ...ready at the enabled access level enter the enable command DWS 1008 enable 2 At the enabled prompt enter set enablepass DWS 1008 set enablepass 3 When you are prompted for your old password press Ente...

Страница 25: ...cates are valid for one year beginning with the system time and date that are in effect when you generate the certi cate request If the switch s time and date are incorrect the certi cate might not be...

Страница 26: ...show timezone Timezone is set to PST offset from UTC is 8 0 hours DWS 1008 show summertime Summertime is enabled and set to PDT Start Sun Apr 04 2004 02 00 00 End Sun Oct 31 2004 02 00 00 Offset 60 mi...

Страница 27: ...lthough you do not need to con gure every user s VLAN on every DWS 1008 switch To con gure a VLAN and an IP address use the following commands set vlan vlan num name name set vlan vlan id port port li...

Страница 28: ...ute that uses gateway 10 10 20 19 with a path cost of 1 and verify the change DWS 1008 set ip route default 10 10 20 19 1 success change accepted DWS 1008 show ip route Router table for IPv4 Destinati...

Страница 29: ...lias for the host device you can specify the DNS hostname or the alias instead of the IP address of the device The following command veri es IP connectivity to IP address 10 10 20 19 DWS 1008 ping 10...

Страница 30: ...listed below Country Code Australia AU Austria AT Belgium BE Brazil BR Canada CA China CN Czech Republic CZ Denmark DK Finland FI France FR Germany DE Greece GR Hong Kong HK Hungary HU Iceland IS Indi...

Страница 31: ...pper Power Supply missing Memory 115 09 496 04 23 Total Power Over Ethernet 32 000 Specifying a System IP Address You can designate one of the IP addresses con gured on a DWS 1008 switch s VLAN to be...

Страница 32: ...m ip address 10 10 10 4 success change accepted DWS 1008 show system Product Name DWS 1008 System Name DWS 1008 System Countrycode System Location System Contact System Description DWS 1008 System IP...

Страница 33: ...gured AP on that port The port numbers on the switch con gured for direct attached APs reference a particular AP An AP that is not directly connected to a switch is considered a Distributed AP The swi...

Страница 34: ...or two 10 100 ports on a switch The switch port is then con gured speci cally for a direct attachment to an AP There is no intermediate networking equipment between the switch and AP and only one AP i...

Страница 35: ...guration in order to boot and con gure AP2 The Layer 2 network must provide DHCP services to AP2 AP3 is connected through a Layer 3 network Layer 2 networks separated by IP routers to the switch The...

Страница 36: ...guration The switch can communicate with the Distributed AP through any network port In the CLI a Distributed AP con guration is referred to as a DAP Because distributed APs are not directly attached...

Страница 37: ...tacts the switch whose IP address is returned for TRPZ If only wlan switch is de ned in DNS the AP contacts the switch whose IP address is returned for wlan switch If both TRPZ and wlan switch are de...

Страница 38: ...be con gured for 802 11b or 802 11g exclusively If the country of operation speci ed by the set system countrycode command does not allow 802 11g the default is 802 11b DWL 8220AP radios con gured for...

Страница 39: ...retransmissions 10 Radio 2 type 802 11a mode disabled channel 36 tx pwr 11 pro le default auto tune max power default min client rate 24 max retransmissions 10 Con guring for a Distributed AP To crea...

Страница 40: ...show dap con g dap num radio 1 2 Here is an example DWS 1008 show dap con g Dap 1 serial id 0322199999 AP model dwl 8220ap bias high name DAP01 ngerprint boot download enable YES load balancing group...

Страница 41: ...0322199998 10 10 40 4 HIGH 0322199998 10 10 50 4 HIGH 0322199997 10 10 40 4 HIGH 0322199997 10 10 50 4 HIGH 0322199996 10 10 40 4 HIGH 0322199996 10 10 50 4 HIGH 0322199995 10 10 40 4 HIGH 0322199995...

Страница 42: ...When the Wi Fi Protected Access WPA information element IE is enabled uses 802 1X to authenticate WPA clients auth fallthru web portal Uses WebAAA for users who do not match an 802 1X or MAC authenti...

Страница 43: ...tion for WPA use the set radio pro le auth psk command ssid name default Uses the SSID name default ssid type crypto Encrypts wireless traf c for the SSID tkip mc time 60000 Uses Michael countermeasur...

Страница 44: ...named set of radio parameters that you can apply to multiple radios A radio pro le can contain information for two types of SSIDs Encrypted SSID Clients using this SSID must use encryption Use the enc...

Страница 45: ...measures Not con gured Does not issue countermeasures against any device dtim interval 1 Sends the delivery traf c indication map DTIM after every beacon frag threshold 2346 Transmits frames up to 234...

Страница 46: ...the lowest valid channel number for the country of operation Transmit power Highest setting allowed for the country of operation or highest setting supported on the hardware whichever is lower Externa...

Страница 47: ...ly a radio pro le to radios use the following command set ap port list dap dap num radio 1 2 radio pro le name mode enable disable The following commands applies radio pro le rp1 to radio 1 on AP acce...

Страница 48: ...x pwr 15 pro le default auto tune max power default min client rate 5 5 max retransmissions 10 Radio 2 type 802 11a mode disabled channel 36 tx pwr 11 pro le default auto tune max power default min cl...

Страница 49: ...es MSS grants access Otherwise MSS attempts the fallthru authentication type which can be Web last resort or none Last resort A network user requests access to the network without entering a username...

Страница 50: ...be set in the local database or on a RADIUS server to assign the user to a VLAN This is true regardless of the authentication type you use You can use either of the following attributes to assign a u...

Страница 51: ...erver name4 To con gure MSS to load balance authentication requests among the servers use the following command set server group group name load balance enable disable To verify the change use the fol...

Страница 52: ...the delimiter characters in user globs which are the at sign and the dot To match a username that contains a delimiter you must specify the delimiter in the user glob as shown in these examples Alter...

Страница 53: ...through grp1 success change accepted DWS 1008 set authentication dot1x ssid private_wlan com pass through grp1 success change accepted Displaying the Server Group and Authentication Con guration The...

Страница 54: ...r 802 1X users use the following command A user glob represents a set of users set authentication dot1x ssid ssid name wired user glob bonded protocol method1 method2 method3 method4 To verify the cha...

Страница 55: ...AMPLE peap mschapv2 grp1 Displaying and Saving the Con guration MSS immediately implements con guration changes by updating the device s running con guration The software does not automatically retain...

Страница 56: ...last sun oct 31 0 set service pro le corp1 ssid name private_wlan set service pro le corp1 ssid type crypto set radius server svr1 address 10 10 70 20 key rad1pword set radius server svr2 address 10 1...

Страница 57: ...a small subset of status and monitoring commands is available Restricted mode is useful for administrators with basic monitoring privileges who are not allowed to change the con guration or run trace...

Страница 58: ...con gure authentication authorization and accounting for administrative access mode D Link recommends enforcing authentication for administrative access using usernames and passwords stored either loc...

Страница 59: ...y enabled To con gure a previously uncon gured DWS 1008 switch via the console you must complete the following tasks Enable an administrator Con gure authentication Optionally con gure accounting Save...

Страница 60: ...d Password changed Caution D Link recommends that you change the enable password from the default no password to prevent unauthorized users from entering con guration commands The enable password is c...

Страница 61: ...l MAC address for different AAA treatments A user glob is a string possibly containing wildcards for matching AAA and IEEE 802 1X authentication methods to a user or set of users The switch supports t...

Страница 62: ...switch is the simplest way to store user information in a D Link system To con gure a user in the local database type the following command set user username password password Note Although MSS allows...

Страница 63: ...up For example you can set accounting for administrative users using the start stop mode via the local database DWS 1008 set accounting admin EXAMPLE start stop local success change accepted The accou...

Страница 64: ...or all commands that you enter and want to use for future sessions After you enter the administrator s AAA con guration type the following command to maintain these commands in nonvolatile memory DWS...

Страница 65: ...e con g success con guration saved Local Authentication for Console Users and RADIUS Authentication for Telnet Users This scenario illustrates how to enable local authentication for console users and...

Страница 66: ...et server group sg1 members r1 success change accepted DWS 1008 set authentication console local sg1 success change accepted DWS 1008 save con g success con guration saved Natasha also enables backup...

Страница 67: ...ntication Natasha sets the authentication method to none She types the following commands in this order DWS 1008 set user natasha password m Jor User natasha created DWS 1008 set radius server r1 addr...

Страница 68: ...DWS 1008 switch ports are network ports by default You must set the port type for ports directly connected to AP access ports and to wired user stations that must be authenticated to access the networ...

Страница 69: ...1a 11b 11g The dap num parameter identi es the Distributed AP connection for the DWL 8220AP The range of valid connection ID numbers is 1 to 30 For the serial id parameter specify the serial ID of the...

Страница 70: ...omatically denied access if neither 802 1X authentication or MAC authentication is successful To set port 2 as a wired authentication port type the following command DWS 1008 set port type wired auth...

Страница 71: ...ttings from port 5 and reset the port as a network port type the following command DWS 1008 clear port type 5 This may disrupt currently authenticated users Are you sure y n n y success change accepte...

Страница 72: ...ort list 10 100 auto To set the port speed on ports 1 3 through 6 to 10 Mbps type the following command DWS 1008 set port speed 1 3 6 10 Disabling or Reenabling a Port All ports are enabled by default...

Страница 73: ...egularly update port statistics in a separate window Displaying Port Con guration and Status To display port con guration and status information use the following command show port status port list To...

Страница 74: ...rom the switch Displaying Port Statistics To display port statistics use the following command show port counters octets packets receive errors transmit errors collisions receive etherstats transmit e...

Страница 75: ...ach type of statistic is displayed separately Press the Spacebar to cycle through the displays for each type If you use an option to specify a statistic type the display begins with that statistic typ...

Страница 76: ...c for that ow Link Redundancy A port group ensures link stability by providing redundant connections for the same link If an individual port in a group fails the switch reassigns traf c to the remaini...

Страница 77: ...WS 1008 set port group name server2 3 5 mode on success change accepted DWS 1008 set vlan default port server2 success change accepted To verify the con guration change type the following command DWS...

Страница 78: ...idual network ports You can con gure multiple VLANs on a switch s network ports Optionally each VLAN can have an IP address VLANs are not con gured onAPaccess ports or wired authentication ports becau...

Страница 79: ...sume the VLAN is assigned on a RADIUS server with either of the valid attributes VLAN Names TocreateaVLAN youmustassignanametoit VLANnamesmustbegloballyunique toensure the intended user connectivity a...

Страница 80: ...be used by different VLANs but on different network ports If you use a tag value D Link recommends that you use the same value as the VLAN number MSS does not require the VLAN number and tag value to...

Страница 81: ...mmand DWS 1008 set vlan 2 name red After you create a VLAN you can use the VLAN number or the VLAN name in commands In addition the VLAN name appears in CLI displays Adding Ports to a VLAN To add a po...

Страница 82: ...mation that uses the VLAN If you want to remove only a speci c port from the VLAN make sure you specify the port number in the command To remove port 5 from VLAN red type the following command DWS 100...

Страница 83: ...sses within a particular VLAN To forward a packet to another device in a VLAN the switch searches the forwarding database for the packet s destination MAC address then forwards the packet out the port...

Страница 84: ...rding database size and the entries contained in the database Displaying the Size of the Forwarding Database To display the number of entries contained in the forwarding database use the following com...

Страница 85: ...ries Displayed 2 Adding an Entry to the Forwarding Database To add an entry to the forwarding database use the following command set fdb perm static mac addr port port list vlan vlan id tag tag value...

Страница 86: ...ng the Aging Timeout Period To display the current setting of the aging timeout period use the following command show fdb agingtime vlan vlan id For example to display the aging timeout period for all...

Страница 87: ...p up auto 100 full network 10 100BaseTx 2 nance up down auto network 10 100BaseTx 3 accounting up down auto network 10 100BaseTx 4 shipping up down auto network 10 100BaseTx 5 lobby up down auto netwo...

Страница 88: ...rt status Port Name Admin Oper Con g Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx 2 nance up up auto 100 full ap 10 100BaseTx 3 accounting up up auto 100 full ap 10 100BaseTx 4 sh...

Страница 89: ...ts 7 and 8 as a load sharing port group to provide a redundant link to the backbone and verify the con guration change Type the following commands DWS 1008 set port group name backbonelink port 7 8 mo...

Страница 90: ...85 DWS 1008 User s Manual D Link Systems Inc Con guring and Managing Ports and VLANs success con guration saved...

Страница 91: ...does not support defragmentation except at the receiving end of an IP tunnel and only to reassemble fragments created by another D Link device for tunneling If the path MTU between D Link devices is l...

Страница 92: ...e following options 12 Host Name the system name 55 Parameter request list consisting of 1 Subnet Mask 3 Router 15 Domain Name and 6 Domain Name Server 60 Vendor Class Identi er set to TRPZ x x x wher...

Страница 93: ...subnet that is already con gured on another VLAN on the switch MSS sends a DHCP Decline message to the server and generates a log message If the switch is powered down or restarted MSS does not retai...

Страница 94: ...UP Lease Allocation 65535 seconds Lease Remaining 65532 seconds IP Address 10 3 1 110 Subnet Mask 255 255 255 0 Default Gateway 10 3 1 1 DHCP Server 10 3 1 4 DNS Servers 10 3 1 29 DNS Domain Name myco...

Страница 95: ...p address Con guring and Managing IP Routes The IP route table contains routes that MSS uses for determining the interfaces for a switch s external communications When you add an IP interface to a VLA...

Страница 96: ...d a static route use the show interface command to verify that the switch has an IP interface in the same subnet as the route s gateway router MSS requires the routes for the interface to resolve the...

Страница 97: ...o Down If the route table contains other static routes to the same destination MSS selects the resolved route that has the lowest cost In the following example the default route to 10 0 1 17 is down s...

Страница 98: ...can no longer reach its estination For example if you are managing the Switch with a Telnet session and the session needs the static route removing the route also removes the Telnet connection to the...

Страница 99: ...le timeout controls how long an open SSH session can remain idle before MSS closes the session The default idle timeout is 30 minutes You can set the idle timeout to a value from 0 disabled to 2 147 4...

Страница 100: ...compare the SSH key checksum displayed by the Switch with the one displayed by the client to verify that you really are connected to the Switch and not another device Generally SSH clients remember t...

Страница 101: ...minutes type the following command DWS 1008 set ip ssh absolute timeout 30 success absolute timeout set to 30 minutes Managing SSH Server Sessions Use the following commands to manage SSH server sessi...

Страница 102: ...with Telnet a user must supply a valid username and password To add a username and password to the local database use the following command set user username password password Optionally you also can...

Страница 103: ...ip telnet Managing Telnet Server Sessions Use the following commands to manage Telnet server sessions show sessions admin clear sessions admin telnet session id These commands display and clear manag...

Страница 104: ...n IP address in a command For example as an alternative to the command ping 192 168 9 1 you can enter the command ping chris example com When you enter ping chris example com the Switch s DNS client q...

Страница 105: ...r use the following command clear ip dns server ip addr Con guring a Default Domain Name You can con gure a single default domain name for DNS queries The Switch appends the default domain name to hos...

Страница 106: ...ollowing command show ip dns The following example shows DNS server information on a switch con gured to use three DNS servers DWS 1008 show ip dns Domain Name example com DNS Status enabled IP Addres...

Страница 107: ...following command show ip alias name Here is an example DWS 1008 show ip alias Name IP Address HR1 192 168 1 2 payroll 192 168 1 3 radius1 192 168 7 2 Con guring and Managing Time Parameters You can...

Страница 108: ...ds Setting the Time Zone The time zone parameter adjusts the system date and optionally the time by applying an offset to UTC To set the time zone use the following command set timezone zone name hour...

Страница 109: ...p to 32 alphanumeric characters long with no spaces The start and end dates and times are optional If you do not specify a start and end time MSS implements the time change starting at 2 00 a m on the...

Страница 110: ...isplaying the Time and Date To display the time and date use the following command show timedate DWS 1008 show timedate Sun Feb 29 2004 23 58 02 PST Con guring and Managing NTP The Network Time Protoc...

Страница 111: ...192 168 1 5 type the following command DWS 1008 set ntp server 192 168 1 5 Removing an NTP Server To remove an NTP server use the following command clear ntp server ip addr all If you use the all opt...

Страница 112: ...s 8 0 hours Summertime is enabled Last NTP update Sun Feb 29 2004 23 58 00 NTP Server Peer state Local State 192 168 1 5 SYSPEER SYNCED The Timezone and Summertime elds are displayed only if you chang...

Страница 113: ...ent an ARP request for the entry and is waiting for the reply RESOLVING Adding an ARP Entry MSS automatically adds a local entry for a switch and dynamic entries for addresses learned from traf c rece...

Страница 114: ...vice that has IP address 10 1 1 1 type the following command DWS 1008 ping 10 1 1 1 PING 10 1 1 1 10 1 1 1 from 10 9 4 34 56 84 bytes of data 64 bytes from 10 1 1 1 icmp_seq 1 ttl 255 time 0 769 ms 64...

Страница 115: ...clear Telnet sessions from an Switch s Telnet client to another device To display the Telnet client sessions on an Switch type the following command DWS 1008 show sessions telnet client Session Server...

Страница 116: ...lity that it has reached the destination To trace a route to a destination subnet use the following command traceroute host dnf no dns port port num queries num size size ttl hops wait ms To trace the...

Страница 117: ...nge accepted DWS 1008 show system Product Name DWS 1008 System Name DWS 1008 System Countrycode US System Location System Contact System IP 10 02 10 10 System MAC 00 0B 0E 00 04 0C Boot Time 2000 03 1...

Страница 118: ...rify the con guration changes Type the following commands DWS 1008 set ip dns domain example com success change accepted DWS 1008 set ip dns server 10 10 10 69 PRIMARY success change accepted DWS 1008...

Страница 119: ...of October DWS 1008 set ntp server 192 168 1 5 DWS 1008 set ntp enable success NTP Client enabled DWS 1008 show ntp NTP client enabled Current update interval 20 secs Current time Sun Feb 29 2004 23 5...

Страница 120: ...gs SNMPv3 supports user security model USM users with individually con gurable access levels authentication options and encryption options All SNMP versions are disabled by default Con guring SNMP To...

Страница 121: ...mands set a switch s location to 3rd_ oor_closet and set the contact to sysadmin1 DWS 1008 set system location 3rd_ oor_closet success change accepted DWS 1008 set system contact sysadmin1 success cha...

Страница 122: ...et write them This is the default read notify An SNMP management application using the string can get object values on the switch but cannot set them The switch can use the string to send noti cations...

Страница 123: ...32 alphanumeric characters long with no spaces You can con gure up to 10 SNMPv3 users The snmp engine id option speci es a unique identi er for an instance of an SNMP engine To send informs you must...

Страница 124: ...cryption is used 3des Triple DES encryption is used aes Advanced Encryption Standard AES encryption is used If the encryption type is des 3des or aes you can specify a passphrase or a hexadecimal key...

Страница 125: ...ncrypted auth req unsec notify You can specify one of the following options unsecured SNMP message exchanges are not secure This is the default and is the only value supported for SNMPv1 and SNMPv2c T...

Страница 126: ...numeric characters long with no spaces To modify the default noti cation pro le specify default The noti cation type can be one of the following AuthenTraps Generated when the DWS 1008 switch s SNMP e...

Страница 127: ...occurs DeviceOkayTraps Generated when a device returns to its normal state LinkDownTraps Generated when the link is lost on a port LinkUpTraps Generated when the link is detected on a port MichaelMICF...

Страница 128: ...ated when an interfering device is no longer detected RFDetectSpoofedMacAPTraps Generated when MSS detects a wireless packet with the source MAC address of a D Link AP but without the spoofed AP s sig...

Страница 129: ...RogueWiredAPTraps success change accepted DWS 1008 set snmp notify pro le snmpprof_rfdetect send RFDetectDoSTraps success change accepted DWS 1008 set snmp notify pro le snmpprof_rfdetect send RFDetec...

Страница 130: ...NMP noti cations You can con gure the MSS SNMP engine to send con rmed noti cations informs or uncon rmed noti cations traps Some of the command options differ depending on the SNMP version and the ty...

Страница 131: ...value on the target itself You can specify a number from 1 to 10 The ip addr udp port number is the IP address of the server You also can specify the UDP port number to send noti cations to The defau...

Страница 132: ...onds MSS waits for acknowledgement of a noti cation You can specify from 1 to 5 seconds The default is 2 Command Examples The following command con gures a noti cation target for acknowledged noti cat...

Страница 133: ...P community strings use the following command DWS 1008 show snmp community Displaying USM Settings To display USM settings use the following command DWS 1008 show snmp usm Displaying Noti cation Pro l...

Страница 134: ...129 DWS 1008 User s Manual D Link Systems Inc Con guring SNMP Displaying SNMP Statistics Counters To display SNMP statistics counters use the following command DWS 1008 show snmp counters...

Страница 135: ...ate Layer 2 or Layer 3 networks To con gure DWL 8220AP access points perform the following tasks in this order Specify the country of operation Con gure DWL 8220AP access ports Distributed AP connecti...

Страница 136: ...routers and it can also be con gured for 802 1Q VLAN tagging The DWS 1008 contains a con guration for a Distributed AP based on the AP s serial number Similar to ports con gured for directly connecte...

Страница 137: ...is directly connected to a Distributed AP you might need to change the STP con guration on the port to allow the AP to boot Note STP on a port directly connected to a Distributed AP can prevent the AP...

Страница 138: ...ostname1 hostname2 You can use an IP address list or a hostname list but not both If the list contains both types of values the AP does not attempt to use the list The ip and host keywords can be in l...

Страница 139: ...be preferred over switches with low bias for booting and managing the AP Note Bias applies only to switches that are indirectly attached to the AP through an intermediate Layer 2 or Layer 3 network a...

Страница 140: ...ncy of DWS 1008 services by dual homing the AP to two directly connected switches or by con guring a Distributed AP con guration either on two or more indirectly connected switches or on a combination...

Страница 141: ...lies with a unicast DHCP Offer message The Offer message must contain the following parameters IP address for the AP IP address of the network s DNS server IP address of the subnet s default gateway O...

Страница 142: ...addresses or hostnames in the DHCP option 43 eld the AP contacts the switches If the DHCP ACK message contained a list of DWS 1008 IP addresses in DHCP option 43 the AP sends a unicast Find DWS 1008...

Страница 143: ...reply the AP retries this method up to 11 more times If the DWS 1008 replies after all 12 attempts the AP begins the process again with step 1 on the other AP port If the other AP port does not have a...

Страница 144: ...access point to a group does not affect sessions that are already active on the access point In addition MSS does not attempt to rebalance sessions when a client disassociates from an access point If...

Страница 145: ...CCMP to encrypt traf c sent to WPA clients cipher tkip enable When the WPA IE is enabled uses Temporal Key Integrity Protocol TKIP to encrypt traf c sent to WPA clients cipher wep104 disable Does not...

Страница 146: ...n of a second MIC failure within 60 seconds web portal form Not con gured For WebAAA users serves the default login web page or if con gured the SSID speci c login web page wep key index No keys de ne...

Страница 147: ...already deployed and running on the network you can display the MAC address assignments by using the show ap dap status command All MAC addresses on a DWL 8220AP are assigned based on the AP s base M...

Страница 148: ...n you assign the pro le The table below summarizes the parameters controlled by radio pro les Generally the only radio parameters controlled by the pro le that you need to modify are the SSIDs and if...

Страница 149: ...ry 5 Sends a long unicast frame up to ve times without acknowledgment max rx lifetime 2000 Allows a received frame to stay in the buffer for up to 2000 ms 2 seconds max tx lifetime 2000 Allows a frame...

Страница 150: ...wing tasks Assign initial channel and power settings when a DWL 8220AP radio is started Periodically assess the RF environment and change the channel or power setting if needed Change the transmit dat...

Страница 151: ...ower and external antenna type on each radio Map the radio pro le to a service pro le Assign the radio pro le to radios and enable the radios Specifying the Country of Operation You must specify the c...

Страница 152: ...ystem MAC 00 0B 0E 02 76 F6 Boot Time 2003 05 07 08 28 39 Uptime 0 days 04 00 07 Country Code Australia AU Austria AT Belgium BE Brazil BR Canada CA China CN Czech Republic CZ Denmark DK Finland FI Fr...

Страница 153: ...ed APs When a switch determines the DWS 1008 IP address to send to a booting AP the switch gives preference to APs that are already con gured over uncon gured APs that require a template The DWS 1008...

Страница 154: ...in the template The table below lists the con gurable template parameters and their defaults The only parameter that requires con guration is the template mode The template is disabled by default To...

Страница 155: ...ap auto blink enable disable Radio Parameters set dap auto radiotype 11a 11b 11g set dap auto radio 1 2 mode enable disable set dap auto radio 1 2 radio pro le name mode enable disable set dap auto ra...

Страница 156: ...3 ssid employee net bssid3 00 0b 0e 00 d2 c5 ssid mycorp tkip The output displays auto next to the Distributed AP number to indicate that the AP was con gured using a template Converting a DWL 8220AP...

Страница 157: ...y APs you can con gure on a switch and how many APs a switch can boot The numbers are for directly connected and Distributed APs combined Maximum APs Supported Per Switch Switch Model Maximum That Can...

Страница 158: ...g but can be con gured for 802 11b or 802 11g exclusively If the country of operation speci ed by the set system countrycode command does not allow 802 11g the default is 802 11b The DWL 8220AP has a...

Страница 159: ...aution When you clear an access point MSS ends user sessions that are using the AP To clear the port settings from a port use the following command clear port type port list This command resets the po...

Страница 160: ...named loadbalance1 that contains directly connected access points on ports 1 4 and 6 type the following command DWS 1008 set ap 1 4 6 group loadbalance1 success change accepted Disabling or Reenablin...

Страница 161: ...for unencrypted management traf c is 1474 bytes Make sure the devices in the intermediate network between the switch and Distributed AP can support the higher MTU Encryption Key Fingerprint APs are c...

Страница 162: ...is already installed and operating use the show dap status command to display the ngerprint The following example shows information for Distributed AP 8 including its ngerprint DWS 1008 show dap stat...

Страница 163: ...37 58 f4 d0 10 75 43 2f 45 c9 52 c3 success change accepted Setting the AP Security Requirement on a switch Note A change to AP security support does not affect management sessions that are already e...

Страница 164: ...pted The following command applies the name corporate users to the SSID managed by service pro le mycorp_srvcprf DWS 1008 set service pro le mycorp_srvcprf ssid name corporate users success change acc...

Страница 165: ...e to one or more service pro les The channel number transmit power and external antenna type are unique to each radio and are not controlled by radio pro les Creating a New Pro le To create a radio pr...

Страница 166: ...equest them in response to the DTIM The DTIM interval applies to both the beaconed SSID and the unbeaconed SSID The DTIM interval does not apply to unicast frames A DWL 8220AP access point also stores...

Страница 167: ...shold 1500 success change accepted Changing the Fragmentation Threshold The fragmentation threshold speci es the longest a frame can be without being fragmented into multiple frames by a radio before...

Страница 168: ...adio can remain in buffer memory To change the maximum receive lifetime use the following command set radio pro le name max rx lifetime time The time can be from 500 ms 0 5 second through 250 000 ms 2...

Страница 169: ...n mode remains in effect until 60 seconds after the last 802 11b traf c is detected by the 802 11b g radio Protection mode lowers overall traf c throughput due to the additional messages sent by 802 1...

Страница 170: ...is command does not apply to 802 11a radios To change the preamble length advertised by 802 11b g radios use the following command set radio pro le name preamble length long short To con gure 802 11b...

Страница 171: ...wer in decibels referred to 1 milliwatt External antenna model if applicable These parameters have the following defaults Channel number The default channel number for 802 11b g is 6 The default chann...

Страница 172: ...the 802 11a radio on port 5 for channel 36 with a transmit power of 10 dBm type the following command DWS 1008 set ap 5 radio 2 channel 36 tx power 10 success change accepted You also can change the...

Страница 173: ...o le rp1 mode enable success change accepted To assign radio pro le rp1 to radio 2 on ports 1 4 and port 6 and enable the radios type the following command DWS 1008 set ap 1 4 6 radio 2 radio pro le r...

Страница 174: ...o pro le rp1 mode disable success change accepted DWS 1008 set radio pro le rp1 beacon interval 200 success change accepted DWS 1008 set radio pro le rp1 mode enable success change accepted Resetting...

Страница 175: ...f Distributed APs that are not con gured on a switch Connection information for Distributed APs Service pro le information Radio pro le information Status information Statistics counters Displaying AP...

Страница 176: ...ult auto tune max power default min client rate 24 max retransmissions 10 Displaying a List of Distributed APs To display a list of the Distributed APs con gured on switches on your network use the fo...

Страница 177: ...nformation is displayed only for Distributed APs that are con gured on this switch Displaying Service Pro le Information To display service pro le information use the following command show service pr...

Страница 178: ...k state and DWS 1008 status use the following commands show ap status terse port list all radio 1 2 show dap status terse dap num all radio 1 2 The terse option displays a brief line of essential stat...

Страница 179: ...counters 2 Port 2 radio 1 LastPktXferRate 2 PktTxCount 91594255 NumCntInPwrSave 4294966683 MultiPktDrop 0 LastPktRxSigStrength 54 MultiBytDrop 0 LastPktSigNoiseRatio 40 User Sessions 5 TKIP Pkt Trans...

Страница 180: ...0 89354 1947920 0 0 421 9 0 508 0 149925 0 0 0 0 0 0 12 0 16 0 768 0 3 681 0 0 1 18 0 240 0 80769 0 5 1017 0 0 0 24 0 107057 7694 8085317 629107 1663 63543 0 0 141546 36 0 453 0 132499 0 254 20533 0...

Страница 181: ...ork contains a combination of WPA RSN clients and non WPA clients you can con gure MSS to provide encryption for both types of clients To con gure encryption parameters for an SSID create or edit a se...

Страница 182: ...information element IE Specify the supported cipher suites CCMP TKIP 40 bit WEP 104 bit WEP TKIP is enabled by default when the RSN IE is enabled WPA WPA clients Non WPA clients Disabled Enable the W...

Страница 183: ...egrity Protocol TKIP TKIP uses the RC4 encryption algorithm a 128 bit encryption key a 48 bit initialization vector IV and a message integrity code MIC called Michael Wired Equivalent Privacy WEP with...

Страница 184: ...asures timer expires the access point allows associations and reassociations and generates new session keys for them You can set the countermeasures timer for DWL 8200AP access point radios to a value...

Страница 185: ...con frame Association request or reassociation sent by a client The WPA IE in an association request lists the authentication method and cipher suite the client wants to use Client Support To use the...

Страница 186: ...ro le for each SSID that will support WPA clients 2 Enable the WPA IE in the service pro le 3 Enable the cipher suites you want to support in the service pro le TKIP is enabled by default Optionally y...

Страница 187: ...wing cipher suites CCMP TKIP 40 bit WEP 104 bit WEP By default TKIP is enabled and the other cipher suites are disabled To enable or disable cipher suites use the following commands set service pro le...

Страница 188: ...wpa type the following command DWS 1008 set service pro le wpa auth psk enable success change accepted Con guring a Global PSK Passphrase or Raw Key for All Clients To con gure a global passphrase for...

Страница 189: ...service pro le wpa type the following command DWS 1008 set service pro le wpa auth dot1x disable success change accepted Displaying WPA Settings To display the WPA settings in a service pro le use th...

Страница 190: ...lowing command DWS 1008 set ap 1 3 6 radio 1 radio pro le bldg1 mode enable success change accepted To assign radio pro le bldg1 to radio 2 on ports 4 5 and enable the radios type the following comman...

Страница 191: ...ce pro le name rsn ie enable disable To enable RSN in service pro le wpa type the following command DWS 1008 set service pro le rsn rsn ie enable success change accepted Specifying the RSN Cipher Suit...

Страница 192: ...abling the Radios After you con gure RSN settings in a service pro le you can map the service pro le to a radio pro le assign the radio pro le to radios and enable the radios to activate the settings...

Страница 193: ...n change or disable the broadcast or multicast rekeying interval For static WEP MSS uses statically con gured keys typed in the switch s con guration and on the wireless client and does not rotate the...

Страница 194: ...tic WEP Keys When static WEP is enabled static WEP key 1 is assigned to unicast and multicast traf c by default To assign another key to unicast or multicast traf c use the following commands set serv...

Страница 195: ...tion dot1x ssid mycorp EXAMPLE pass through shorebirds 2 Create a service pro le named wpa for the SSID Type the following command DWS 1008 set service pro le wpa success change accepted 3 Set the SSI...

Страница 196: ...AP6 boot download enable YES load balancing group none Radio 1 type 802 11g mode enabled channel 6 tx pwr 1 pro le rp1 auto tune max power default min client rate 5 5 max retransmissions 10 Radio 2 t...

Страница 197: ...le wpa wep Type the following command DWS 1008 set service pro le wpa wep cipher wep40 enable success change accepted TKIP is already enabled by default when WPA is enabled 6 Display the service pro l...

Страница 198: ...p none Radio 1 type 802 11g mode enabled channel 6 tx pwr 1 pro le rp2 auto tune max power default min client rate 5 5 max retransmissions 10 Radio 2 type 802 11a mode enabled channel 36 tx pwr 1 pro...

Страница 199: ...null Radius Servers Server Addr Ports T o Tries Dead State Server groups Web Portal enabled set authentication mac ssid voice local mac usergroup wpa for mac vlan name blue mac user aa bb cc dd ee ff...

Страница 200: ...mand DWS 1008 show service pro le wpa wep for mac ssid name voice ssid type crypto beacon yes auth fallthru none WEP Key 1 value none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value none WEP...

Страница 201: ...min client rate 5 5 max retransmissions 10 Port 6 AP model DWL 8220AP POE enable bias high name AP06 boot download enable YES load balancing group none Radio 1 type 802 11g mode enabled channel 6 tx p...

Страница 202: ...io pro le or enable RF AutoTuning If RF AutoTuning is enabled for channel and power assignment the radio performs an RF scan and reports the results to the switch that is managing the AP the radio is...

Страница 203: ...ese symptoms First if the data rate at which the radio is sending packets to the client is above the minimum data rate allowed the radio lowers the unicast data rate with the client down to the next v...

Страница 204: ...es An RF anomaly is a sudden major change in the RF environment such as sudden major interference on the channel By default a radio cannot change its channel more often than every 900 seconds regardle...

Страница 205: ...chever is lower power interval 300 Every 300 seconds MSS examines the RF information gathered from the network and determines whether the power needs to be changed to compensate for RF changes power b...

Страница 206: ...eived by the radio from a client are retransmissions the radio lowers the data rate to the client and if necessary increases power to reduce the retransmissions min client rate 5 5 for 802 11b g 24 fo...

Страница 207: ...ntervals However RF AutoTuning can still change the channel in response to RF anomalies D Link recommends that you use an interval of at least 300 seconds 5 minutes To change the channel tuning interv...

Страница 208: ...a value from 1 to 65535 seconds To change the power tuning interval use the following command set radio pro le name auto tune power interval seconds To set the power tuning interval for radios in rad...

Страница 209: ...considers changing the channel on the radio is 10 percent You can change the threshold to value from 1 to 100 percent To change the max retransmissions threshold use the following command set ap port...

Страница 210: ...ong Retry Limit 5 Long Preamble no Allow 802 11g clients only no Tune Channel yes Tune Power no Tune Channel Interval 3600 Tune Power Interval 600 Power Backoff Timer 10 Channel Holddown 300 Counterme...

Страница 211: ...ode disabled channel 36 tx pwr 1 pro le default auto tune max power default min client rate 24 max retransmissions 10 Displaying RF Neighbors To display the other radios that a speci c D Link radio ca...

Страница 212: ...owing commands show auto tune attributes ap ap num radio 1 2 all show auto tune attributes dap dap num radio 1 2 all To display RF attribute information for radio 1 on the directly connected DWL 8220A...

Страница 213: ...e IP ToS value in the data packets themselves QoS on the DWS 1008 Switch The switch obtains an inbound packet s QoS value from the packet s Layer 2 802 1p or Layer 3 IP ToS value Depending on the dest...

Страница 214: ...D Link switches and APs perform these mappings automatically WMM Priority Mappings IP Precedence IP ToS DSCP 802 1p CoS AP Forwarding Queue 0 0 0 0 0 0 3 3 0x60 24 3 3 1 1 0x20 8 1 1 Best Effort 2 2 0...

Страница 215: ...el yes Tune Power no Tune Channel Interval 3600 Tune Power Interval 600 Power Backoff Timer 10 Channel Holddown 300 Countermeasures none Active Scan yes WMM enabled yes Service pro les srvcprof1 Displ...

Страница 216: ...twork ports as untagged members of the same VLAN MSS does not support running 802 1D on multiple tagged VLANs MSS uses PVST BPDUs on VLAN ports that are tagged PVST BPDUs include tag information in th...

Страница 217: ...o the total cost of a path to the root bridge When a designated bridge has multiple equal cost paths to the root bridge the designated bridge uses the path with the lowest total cost You can set this...

Страница 218: ...cost cost set spantree portvlancost port list cost cost all vlan vlan id The set spantree portcost command changes the cost for ports in the default VLAN VLAN 1 only The set spantree portvlancost comm...

Страница 219: ...r ports in the default VLAN VLAN 1 only The set spantree portvlanpri command changes the priority for ports in a speci c other VLAN or in all VLANs Specify a priority from 0 highest priority through 2...

Страница 220: ...no longer available and initiating a topology change You can specify an age from 6 through 40 seconds The default is 20 seconds Changing the STP Hello Interval To change the hello interval use the fo...

Страница 221: ...ence features to bypass the forwarding delay Port fast Backbone fast Uplink fast Port Fast Convergence Port fast convergence bypasses both the listening and learning stages and immediately places a po...

Страница 222: ...DWS 1008 switches that are in the network core Con guring Port Fast Convergence To enable or disable port fast convergence use the following command set spantree portfast port port list enable disabl...

Страница 223: ...kbonefast Here is an example DWS 1008 show spantree backbonefast Backbonefast is enabled In this example backbone fast convergence is enabled Con guring Uplink Fast Convergence To enable or disable up...

Страница 224: ...ted in the command output To list only the ports that are in the active forwarding state enter the active option To display STP information for VLAN mauve type the following command DWS 1008 show span...

Страница 225: ...ort cost of port 1 type the following command DWS 1008 show spantree portvlancost 1 port 1 VLAN 1 have path cost 19 Displaying Blocked STP Ports To display information about ports that are in the STP...

Страница 226: ...DU s xmitted port VLAN 0 1 con g BPDU s received port VLAN 21825 43649 tcn BPDU s xmitted port VLAN 0 0 tcn BPDU s received port VLAN 2 2 forward transition count port VLAN 1 1 scp failure count 0 roo...

Страница 227: ..._mac 00 0b 0e 00 04 30 next_src_mac 00 0b 0e 02 76 f6 Clearing STP Statistics To clear the STP statistics counters use the following command clear spantree statistics port list vlan vlan id As soon as...

Страница 228: ...ollowing commands DWS 1008 set vlan 10 name backbone port 2 3 success change accepted DWS 1008 show vlan con g Admin VLAN Tunl Port VLAN Name Status State Af n Port Tag State 1 default Up Up 5 1 none...

Страница 229: ...100BaseTx 6 up down auto network 10 100BaseTx 7 up down auto network 10 100BaseTx 8 up down auto network 10 100BaseTx 5 Wait for STP to complete the listening and learning stages and converge then ve...

Страница 230: ...oping IGMP snooping is enabled by default To disable or reenable the feature use the following command set igmp enable disable vlan vlan id If you do not specify a VLAN ID the change is applied to all...

Страница 231: ...erier for the subnet For the switch to become the querier the pseudo querier feature must be enabled on the switch and the switch must have the lowest IP address among all the devices eligible to beco...

Страница 232: ...for more traf c loss To change the robustness value use the following command set igmp rv num vlan vlan id You can specify a value from 2 through 255 The default is 2 Enabling Router Solicitation A DW...

Страница 233: ...ports or wired authentication ports as static multicast ports However MSS can dynamically add these port types to the list of multicast ports based on multicast traf c Adding or Removing a Static Mul...

Страница 234: ...0b 258 237 255 255 255 5 10 10 10 13 00 02 04 06 08 0d 258 237 255 255 255 5 10 10 10 14 00 02 04 06 08 0e 258 237 255 255 255 5 10 10 10 12 00 02 04 06 08 0c 258 237 255 255 255 5 10 10 10 10 00 02 0...

Страница 235: ...information use the following command show igmp querier vlan vlan id To display querier information for VLAN orange type the following command DWS 1008dws 1008 show igmp querier vlan orange Querier f...

Страница 236: ...parameter to display receivers for a speci c group or set of groups For example to display receivers for multicast groups 237 255 255 1 through 237 255 255 255 in all VLANs type the following command...

Страница 237: ...iority handling A security ACL contains an ordered list of rules called access control entries ACEs which specify how to handle packets An ACE contains an action that can deny the traf c permit the tr...

Страница 238: ...Security ACLs Overview of Security ACL Commands The gure below provides a visual overview of the way you use MSS commands to set a security ACL commit the ACL so it is stored in the con guration and m...

Страница 239: ...set security acl ip acl name permit cos cos deny source ip addr mask before editbuffer index modify editbuffer index hits For example to create ACL acl 1 that permits all packets from IP address 192 1...

Страница 240: ...ced Interior Gateway Routing Protocol EIGRP 89 Open Shortest Path First OSPF protocol 103 Protocol Independent Multicast PIM protocol 112 Virtual Router Redundancy Protocol VRRP 115 Layer Two Tunnelin...

Страница 241: ...er non WMM type of prioritization you must con gure ACLs to tag the packets Optionally for WMM or non WMM traf c you can use ACLs to change the priority of traf c sent to an AP or VLAN Setting an ICMP...

Страница 242: ...nd Host Redirect 3 Echo 8 None Time Exceeded 11 Time to Live TTL Exceeded 0 Fragment Reassembly Time Exceeded 1 Parameter Problem 12 None Timestamp 13 None Timestamp Reply 14 None Information Request...

Страница 243: ...ample the following command permits UDP packets sent from IP address 192 168 1 7 to IP address 192 168 1 8 with any UDP destination port less than 65 535 It puts this ACE rst in the ACL and counts the...

Страница 244: ...and the committed ACLs After you commit an ACL MSS removes it from the edit buffer To display ACLs use the following command show security acl editbuffer Use the editbuffer option to display the ACLs...

Страница 245: ...d DWS 1008 show security acl info all ACL information for all set security acl ip acl 999 hits 2 0 1 deny IP source IP 192 168 0 1 0 0 0 0 destination IP any 2 permit IP source IP 192 168 0 2 0 0 0 0...

Страница 246: ...econds type the following commands DWS 1008 hit sample rate 180 DWS 1008 show security acl hits ACL hit counters Index Counter ACL name 1 31986 acl red 2 0 acl green Clearing Security ACLs The clear s...

Страница 247: ...tion to lter packets for the authenticated user Note The Filter Id attribute is more often received by the DWS 1008 switch through an external AAA RADIUS server than applied through the local database...

Страница 248: ...ports VLANs virtual ports and Distributed APs Use the following command set security acl map acl name vlan vlan id port port list tag tag value dap dap num in out Specify the name of the ACL the port...

Страница 249: ...al ports or Distributed APS rst display the mapping with show security acl map and then use clear security acl map to remove it This command removes the mapping but not the ACL For example to clear th...

Страница 250: ...tion of the set security acl commands See Modifying an Existing Security ACL Use the rollback command set to clear changes made to the security ACL edit buffer since the last time it was saved The ACL...

Страница 251: ...efore editbuffer index portion of the set security acl command to place a new ACE before an existing ACE For example suppose you want to deny some traf c from IP address 192 168 254 12 in acl 111 Foll...

Страница 252: ...ocks some packets from IP address 192 168 254 12 with the mask 0 0 0 255 and you want to change the ACL to permit all packets from this address Follow these steps 1 To display all committed security A...

Страница 253: ...remove an ACE that you just created in the edit buffer for acl 111 1 To display the contents of all committed security ACLs type the following command DWS 1008 show security acl info all ACL informat...

Страница 254: ...0 1 permit SRC source IP 192 168 1 1 0 0 0 0 6 Alternatively to clear the entire edit buffer of all changes made since a security ACL was last committed and display the results type the following com...

Страница 255: ...cedence value 5 and ToS value 12 to have CoS value 7 when they are forwarded to any 10 10 90 x address on Distributed AP 4 DWS 1008 set security acl ip acl2 permit cos 7 ip 10 10 50 2 0 0 0 0 10 10 90...

Страница 256: ...abled the AP forwarding queue that maps to CoS values 6 and 7 is optimized for SVP You must map the ACL to the outbound traf c direction on an AP port Distributed AP or user VLAN An ACL can set a pack...

Страница 257: ...L that assigns traf c for IP protocol 119 to CoS queue 6 or 7 and map the ACL to the outbound traf c direction For example to enable SVP support for all users in VLAN corp_vlan perform the following s...

Страница 258: ...t security acl map acl 99 port 9 in mapping con guration accepted Because every security ACL includes an implicit rule denying all traf c that is not permitted port 9 now accepts packets only from 192...

Страница 259: ...254 DWS 1008 User s Manual D Link Systems Inc Con guring and Managing Security ACLs 7 To save your con guration type the following command DWS 1008 save con g success con guration saved...

Страница 260: ...eys and certi cates are fundamental to securing wireless wired authentication and administrative connections because they support Wi Fi Protected Access WPA encryption and dynamic Wired Equivalency Pr...

Страница 261: ...ates generated by a CA Note The switch uses separate server certi cates for Admin EAP 802 1X and Web AAA authentication Where applicable the manuals refer to these server certi cates as Admin EAP or 8...

Страница 262: ...transaction creates a key pair that includes the public and private keys The public key encrypts data and veri es digital signatures and the corresponding private key decrypts data and generates digi...

Страница 263: ...urpose PKCS 7 Cryptographic Message Syntax Standard Contains a digital certi cate signed by a CA To install the certi cate from a PKCS 7 le use the crypto certi cate command to prepare MSS to receive...

Страница 264: ...rti cates signed by a CA you must also install a certi cate from the CA to validate the digital signatures of the certi cates installed on the switch Each of the following types of access requires a s...

Страница 265: ...hen cutting and pasting the CA s own certi cate into the CLI Creating Public Private Key Pairs To use a self signed certi cate or Certi cate Signing Request CSR certi cate for switch authentication yo...

Страница 266: ...nformation see PKCS 7 PKCS 10 and PKCS 12 Object Files A PKCS 12 object le which you obtain from a CA includes the private key a certi cate and optionally the CA s own certi cate After transferring th...

Страница 267: ...ds You must include a common name string when you generate a CSR Use a fully quali ed name if such names are supported on your network The other information is optional For example DWS 1008 dws 1008 c...

Страница 268: ...VYxP56M CUAm908C2foYgOY40 END CERTIFICATE Displaying Certi cate and Key Information To display information about certi cates installed on an switch use the following commands show crypto ca certi cate...

Страница 269: ...y pairs DWS 1008 crypto generate key admin 1024 key pair generated DWS 1008 crypto generate key eap 1024 key pair generated DWS 1008 crypto generate key webaaa 1024 key pair generated 3 Generate self...

Страница 270: ...c0B0cnB6LmNvbTAeFw0wMzA0 Lm8wmVYLxP56M 4 Display certi cate information for veri cation DWS 1008 show crypto certi cate admin Certi cate Version 3 Serial Number 999 0x3e7 Subject C US ST CA L PLEAS O...

Страница 271: ...time and date parameters if not already set 2 Obtain PKCS 12 object les from a certi cate authority 3 Copy the PKCS 12 object les to nonvolatile storage on the switch Use the following command copy t...

Страница 272: ...eap 20481x p12 Unwrapped from PKCS12 le keypair device certi cate CA certi cate DWS 1008 crypto pkcs12 web 2048web p12 Unwrapped from PKCS12 le keypair device certi cate CA certi cate Note MSS erases...

Страница 273: ...ATE REQUEST 4 Copy the CSR into the CA s application Note You must paste the entire block from the beginning BEGIN CERTIFICATE REQUEST to the end END CERTIFICATE REQUEST 5 Transfer the signed administ...

Страница 274: ...command to display a prompt DWS 1008 crypto ca certi cate admin Enter PEM encoded certi cate 13 Paste the CA s signed certi cate under the prompt 14 Display information about the CA s certi cate to ve...

Страница 275: ...counting AAA features in more detail Authentication When a user attempts to access the network MSS checks for an authentication rule that matches the following parameters For wireless access the authe...

Страница 276: ...more detail in Authentication Algorithm Web A network user attempts to access a web page over the network The switch intercepts the HTTP or HTTPS request and serves a login Web page to the user The u...

Страница 277: ...e of the user s device If the address matches MSS grants access to the SSID requested by the user regardless of which SSID name it is However in a last resort authentication rule for wireless access i...

Страница 278: ...esort user is on the RADIUS server MSS checks for a password The default well known password is dlink but is con gurable The same password applies to MAC users If the last resort authentication rule m...

Страница 279: ...urity ACL that permits or denies traf c received input or sent output the switch Service Type Type of access the user is requesting which can be network access administrative access to the enabled con...

Страница 280: ...ion provides access control by means of such mechanisms as per user security access control lists ACLs VLAN membership and timeout enforcement Because authorization is always performed on network acce...

Страница 281: ...802 1X and Web Network Access The following AAA methods are supported by D Link for 802 1X and Web network access mode Client certi cates issued by a certi cate authority CA for authentication For thi...

Страница 282: ...entication by a RADIUS server group as the rst method for these users and con gure local authentication last in case the RADIUS servers are unavailable 1 To con gure server 1 and server 2 at IP addres...

Страница 283: ...Electronic Engineers IEEE IEEE 802 1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user client and an authenticator EAP A summarizes the EAP pr...

Страница 284: ...hese three basic authentication approaches Three Basic Approaches to EAP Authentication Approach Description Pass through An EAP session is established directly between the client and RADIUS server pa...

Страница 285: ...f wireless users but they can be authenticated by an EAP method a MAC address a Web login page served by the switch or a last resort username Con guring 802 1X Authentication The IEEE 802 1X standard...

Страница 286: ...switch while still performing MS CHAP V2 authentication via the server group shorebirds DWS 1008 set authentication dot1x ssid marshes example com peap mschapv2 shorebirds To of oad both PEAP and MS...

Страница 287: ...y from a trusted machine known to Active Directory For example if user bob mycorp com has a trusted laptop PC used for work but also has a personal laptop PC you might want to bind Bob s authenticatio...

Страница 288: ...odes for example nl mycorp com use an asterisk in each node that you want to match globally For example to match on all machines and users in mycorp com use the following userglobs host mycorp com use...

Страница 289: ...ds D Link recommends that you try 60 seconds and change the period to a longer value only if clients are unable to authenticate within 60 seconds To set the Bonded Auth period use the following comman...

Страница 290: ...mum requests 2 key transmission enabled reauthentication enabled authentication control enabled WEP rekey period 1800 WEP rekey enabled Bonded period 60 Information for the 802 1X authentication rule...

Страница 291: ...r pro le or MAC user group on a RADIUS server see the documentation for your RADIUS server Adding MAC Users and Groups To create a MAC user group in the local database you must associate it with an au...

Страница 292: ...sses of their devices with the following command set authentication mac ssid ssid name wired mac addr glob method1 method2 method3 method4 MAC addresses can be authenticated by either the switch s loc...

Страница 293: ...ce To authenticate and authorize MAC users via RADIUS you must con gure a single prede ned password for MAC users which is called the outbound authorization password The same password is used for all...

Страница 294: ...set authentication last resort ssid guestssid local success change accepted DWS 1008 set user last resort guestssid attr vlan name k3 success change accepted Note AlthoughMSSallowsyoutocon gureauserpa...

Страница 295: ...from the AP to a real RADIUS server depending on the authentication method speci ed in the proxy authentication rule for the user For non 802 1X users the AP does not use 802 1X The switch sends a RA...

Страница 296: ...to send a RADIUS stop accounting record when a user s session ends Switch Requirements The switch port connected to the third party AP must be con gured as a wired authentication port If SSID traf c f...

Страница 297: ...h listens for RADIUS access requests and stop accounting records from the AP Use the following command set radius proxy client address ip address port udp port number acct port acct udp port number ke...

Страница 298: ...key1 success change accepted The IP address is the AP s IP address The key is the shared secret con gured on the RADIUS servers MSS uses the shared secret to authenticate and encrypt RADIUS communicat...

Страница 299: ...ning Authorization Attributes Authorization attributes can be assigned to users in the local database or on remote servers The attributes which include access control list ACL lters VLAN membership en...

Страница 300: ...KIP Temporal Key Integrity Protocol 8 WEP_104 the default Wired Equivalent Privacy protocol using 104 bits of key strength 16 WEP_40 Wired Equivalent Privacy protocol using 40 bits of key strength 32...

Страница 301: ...rt or wired authentication port or from the network via a network port Note If the Filter Id value returned through the authentication and authorization process does not match the name of a committed...

Страница 302: ...user can still enter the enable command and the correct enable password to access the enabled mode For administrative sessions the switch always sends 6 Administrative The RADIUS server can reply wit...

Страница 303: ...ate or both in conjunction with time of day time of day network access mode only Day s and time s during which the user is permitted to log into the network After authorization the user s session can...

Страница 304: ...d RADIUS attribute Tunnel Pvt Group ID instead of VLAN Name Name of a VLAN that you want the user to use Assigning Attributes to Users and Groups You can assign authorization attributes to individual...

Страница 305: ...ommands Security ACL Target Commands User authenticated by a password set user username attr lter id acl name in set user username attr lter id acl name out Group of users authenticated by a password...

Страница 306: ...Verify the deletions by entering the show aaa command and checking the output TodeleteasecurityACLfromauser scon gurationonaRADIUSserver seethedocumentation for your RADIUS server Assigning Encryptio...

Страница 307: ...ntegrity Protocol TKIP 8 Wired Equivalent Privacy protocol using 104 bits of key strength WEP_104 This is the default 16 Wired Equivalent Privacy protocol using 40 bits of key strength WEP_40 32 No en...

Страница 308: ...can con gure the location policy on the switch YoucanusealocationpolicytolocallysetorchangetheFilter IdandVLAN Nameauthorization attributes obtained from AAA About the Location Policy Each switch can...

Страница 309: ...operator user glob port port list dap dap num before rule number modify rule number You must specify whether to permit or deny access and you must identify a VLAN username or access port to match Use...

Страница 310: ...4 and applies security ACLs svcs_2 to the traf c they send and svcs_3 to the traf c they receive DWS 1008 set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4 You can optionally add...

Страница 311: ...a switch delete all the location policy rules Con guring Accounting for Wireless Network Users Accounting records come in three types start stop stop only and update for network users The records prov...

Страница 312: ...AA_ TTY_ATTR 2 Event Timestamp 1064599308 Sept 26 12 50 21 Acct Status Type STOP Acct Authentic 2 User Name geetha AAA_ TTY_ATTR 2 Acct Session Time 6513 Event Timestamp 1064605821 Acct Output Octets...

Страница 313: ...kets 10 Acct Input Packets 15 Event Timestamp 1053536700 Vlan Name default Calling Station Id 00 06 25 09 39 5D Nas Port Id 2 1 Called Station Id 00 0B 0E 76 56 A0 The user terminated the session on D...

Страница 314: ...rs Server Addr Ports T o Tries Dead State rs 3 198 162 1 1 1821 1813 5 3 0 UP rs 4 198 168 1 2 1821 1813 77 11 2 UP rs 5 198 162 1 3 1821 1813 42 23 0 UP Server groups sg1 rs 3 sg2 rs 4 sg3 rs 5 Web P...

Страница 315: ...con guration before the rule with SSID any set authentication web ssid corpa corpasrvr Here is an example of a AAA con guration where the most speci c rules for 802 1X are rst and the rules with any a...

Страница 316: ...ion for a Correct Processing Order To avoid processing errors for authentication and accounting commands that include order sensitive user globs enter the commands for each user glob in pairs For exam...

Страница 317: ...pted You can then assign this Mobility Pro le to one or more users For example to assign the Mobility Pro le roses pro le to all users at EXAMPLE type the following command DWS 1008 set user EXAMPLE a...

Страница 318: ...of Network User Commands The following example illustrates how to con gure IEEE 802 1X network users for authentication accounting ACL ltering and Mobility Pro le assignment 1 Con gure all 802 1X user...

Страница 319: ...Name Ports tulip AP 2 AP 4 AP 5 AP 6 6 To assign Mobility Pro le tulip to all users at EXAMPLE type the following command for each EXAMPLE user DWS 1008 set user EXAMPLE username attr mobility pro le...

Страница 320: ...Con gure the RADIUS server r1 at IP address 10 1 1 1 with the string sunny for the key Type the following command DWS 1008 set radius server r1 address 10 1 1 1 key sunny 2 Con gure the server group...

Страница 321: ...asha password moon 3 To assign Natasha to a VLAN named red type the following command DWS 1008 set user Natasha attr vlan name red 4 To assign Natasha a session timeout value of 1200 seconds type the...

Страница 322: ...DWS 1008 set server group sg1 members r1 3 Enable all 802 1X users of SSID thiscorp using PEAP MS CHAP V2 to authenticate MS CHAP V2 on server group sg1 Type the following command DWS 1008 set authen...

Страница 323: ...g PEAP on the switch and MS CHAP V2 on server sg1 type the following command DWS 1008 set authentication dot1x ssid bobblehead mktg peap mschapv2 sg1 4 To authenticate all 802 1X users of SSID aircorp...

Страница 324: ...structors normally authorized to use any techcomm VLAN in the college to access the network through the bldgb eng VLAN when they are in building B 1 Redirect bldga prof VLAN users to the VLAN bldgb en...

Страница 325: ...t before making available any services offered by the switch or the wireless network The authentication server can reside either in the local database on the switch or on a remote RADIUS server When a...

Страница 326: ...MSS does not hold down requests to unresponsive RADIUS servers Instead MSS attempts to send each new authentication or authorization request to a server even if the server is thought to be unresponsiv...

Страница 327: ...h to select a source interface address based on information in its routing table as the RADIUS client address Con guring Individual RADIUS Servers You must set up a name and IP address for each RADIUS...

Страница 328: ...s con gured you can use a server group name as the AAA method with the set authentication and set accounting commands Subsequently you can change the members of a group or con gure load balancing If y...

Страница 329: ...a request to the following RADIUS server group This exception is called local override Con guring Load Balancing You can con gure the switch to distribute authentication requests across RADIUS servers...

Страница 330: ...add RADIUS server coot to server group shorebirds 1 Determine the server group by typing the following command DWS 1008 show aaa Radius Servers Server Addr Ports T o Tries Dead State sandpiper 192 168...

Страница 331: ...swampbirds and shorebirds 1 Con gure RADIUS servers Type the following commands DWS 1008 set radius server pelican address 192 168 253 11 key elm DWS 1008 set radius server seagull address 192 168 243...

Страница 332: ...etrans 3 deadtime 0 key null author pass null Radius Servers Server Addr Ports T o Tries Dead State sandpiper 192 168 253 17 1812 1813 5 3 0 UP heron 192 168 253 12 1812 1813 5 3 0 UP egret 192 168 25...

Страница 333: ...tionally authorize or unconditionally reject all users Enabling and Disabling 802 1X Globally The following command globally enables or disables 802 1X authentication on all wired authentication ports...

Страница 334: ...reless supplicant client in an Extensible Authentication Protocol over LAN EAPoL packet after authentication is successful You can disable this feature or change the time interval for key transmission...

Страница 335: ...ess point WEP uses a secret key shared between the communicators WEP rekeying increases the security of the network New unicast keys are generated every time a client performs 802 1X authentication Th...

Страница 336: ...s1800 seconds 30 minutes Youcansettheintervalfrom30 to1 641 600 seconds 19 days For example type the following command to set the WEP rekey period to 900 seconds DWS 1008 set dot1x wep rekey period 90...

Страница 337: ...reauthentication timeout is shorter than the session timeout MSS uses the global timeout instead Enabling and Disabling 802 1X Reauthentication The following command enables or disables the reauthent...

Страница 338: ...bal setting or the value returned by the AAA server with the rest of the authorization attributes for that client For example type the following command to set the number of seconds to 100 before reau...

Страница 339: ...onds For example type the following command to set the quiet period to 300 seconds DWS 1008 set dot1x quiet period 300 success dot1x quiet period set to 300 Type the following command to reset the 802...

Страница 340: ...to 300 DWS 1008 set dot1x timeout supplicant 300 success dot1x supplicant timeout set to 300 Type the following command to reset the timeout period DWS 1008 clear dot1x timeout supplicant success chan...

Страница 341: ...ticated vlan eng EXAMPLE nwong 00 06 80 00 5c 02 Authenticated vlan eng EXAMPLE hhabib 00 02 2d 6a de f2 Authenticated vlan pm smith exmpl com 00 02 2d 5e 5b 76 Authenticated vlan pm EXAMPLE natasha 0...

Страница 342: ...mand to display 802 1X statistics about connecting and authenticating DWS 1008 show dot1x stats 802 1X statistic value Enters Connecting 709 Logoffs While Connecting 112 Enters Authenticating 467 Succ...

Страница 343: ...isplaying and Clearing Administrative Sessions To display session information and statistics for a user with administrative access to the switch use the following command show sessions admin console t...

Страница 344: ...e the following command DWS 1008 clear sessions console This will terminate manager sessions do you wish to continue y n y y Displaying and Clearing Administrative Telnet Sessions To view information...

Страница 345: ...ired verbose In most cases you can display both summary and detailed verbose information for a session For example the following command displays summary information about all current network sessions...

Страница 346: ...00 05 ff as of 00 37 35 ago 00 30 65 16 8d 69 4385 192 168 19 199 vlan wep 3 1 Client MAC 00 10 65 16 8d 69 GID SESS 4385 000430 842879 bf7a7 State ACTIVE prev AUTHORIZED now on 192 168 12 7 AP radio...

Страница 347: ...f 00 23 32 ago 1 sessions match criteria of 10 total To clear all the network sessions of a user or group of users use the following command clear sessions network user user glob For example the follo...

Страница 348: ...west 1 2 EXAMPLE jose 20 192 168 12 171 west 1 2 EXAMPLE geetha 21 192 168 12 169 west 3 2 To clear the sessions on a VLAN or set of VLANs use the following command clear sessions network vlan vlan gl...

Страница 349: ...st packet signal strength 67 dBm Last packet data S N ratio 55 The verbose option is not available with the show sessions network session id command To clear network sessions by session ID type the fo...

Страница 350: ...nterprise network by potentially allowing unchallenged access to the network by any wireless user or client in the physical vicinity Rogue access points and users can also interfere with the operation...

Страница 351: ...ue detection MSS does not count devices on the ignore list as rogues or interfering devices and does not issue countermeasures against them An empty permitted SSID list or permitted vendor list implic...

Страница 352: ...f scans on all channels allowed for the country of operation This is the regulatory domain set by the set system countrycode command 802 11b g radios scan in the 2 4 GHz to 2 4835 GHz spectrum 802 11a...

Страница 353: ...generates a message Note The RF Auto tuning feature must be enabled Otherwise MSS cannot change the channel Countermeasures You can enable MSS to use countermeasures against rogues Countermeasures co...

Страница 354: ...nt black list List of client or AP MAC addresses that are not allowed on the wireless network MSS drops all packets from these clients or APs Yes Yes Attack list List of AP MAC addresses to attack MSS...

Страница 355: ...hird party AP or client vendors that are allowed on the network MSS does not list a device as a rogue or interfering device if the device s OUI is in the permitted vendor list By default the permitted...

Страница 356: ...list speci es the SSIDs that are allowed on the network If MSS detects packets for an SSID that is not on the list the AP that sent the packets is classi ed as a rogue MSS issues countermeasures again...

Страница 357: ...e network MSS drops all packets from the clients on the black list By default the client black list is empty In addition to manually con gured entries the list can contain entries added by MSS MSS can...

Страница 358: ...ices that MSS should issue countermeasures against whenever the devices are detected on the network The attack list can contain the MAC addresses of APs and clients By default the attack list is empty...

Страница 359: ...devices list To add a device to the ignore list use the following command set rfdetect ignore mac addr The mac addr is the BSSID of the device you want to ignore Note If you try to initiate counterme...

Страница 360: ...ues only DWS 1008 set radio pro le radprof3 countermeasures rogue success change accepted To disable countermeasures on a radio pro le use the following command clear radio pro le name countermeasures...

Страница 361: ...ected or disappears To disable or reenable the log messages use the following command set rfdetect log enable disable To display log messages on a switch use the following command show log buffer Enab...

Страница 362: ...ges the radio to a different channel Deauthenticate frames Spoofed deauthenticate frames form the basis for most DoS attacks and are the basis for other types of attacks including man in the middle at...

Страница 363: ...attack based on the ngerprint of the spoofed AP Packets from the real AP have the correct signature while spoofed packets lack the signature Netstumbler and Wellenreiter Applications Netstumbler and...

Страница 364: ...t these lists are empty and all SSIDs vendors and clients are allowed Displaying Statistics Counters To display IDS and DoS statistics counters use the show rfdetect counters commands IDS Log Message...

Страница 365: ...a bb cc dd ee ff is sending re associate request ood on port 2 Disassociate request ood Client aa bb cc dd ee ff is sending disassociate request ood on port 2 Weak WEP initialization vector IV Client...

Страница 366: ...port 2 radio 1 on channel 11 with RSSI 53 SSID myssid Ad hoc client frame detected Adhoc client frame detected from aa bb cc dd ee ff Seen by AP on port 2 radio 1 on channel 11 with RSSI 53 SSID myss...

Страница 367: ...re from rogues or interfering devices show rfdetect visible mac addr show rfdetect visible ap ap num radio 1 2 show rfdetect visible dap dap num radio 1 2 Displays the BSSIDs detected by a speci c D L...

Страница 368: ...own dap 1 1 149 1 intfr 117 00 05 5d 7e 96 ce D Link Unknown dap 1 1 157 1 intfr 162 00 05 5d 84 d1 c5 D Link Unknown dap 1 1 1 1 intfr 52 The following command displays more details about a speci c c...

Страница 369: ...od 0 0 802 11 association ood 0 0 802 11 reassociation ood 0 0 802 11 disassociation ood 0 0 Weak wep initialization vectors 0 0 Spoofed access point mac address attacks 0 0 Spoofed client mac address...

Страница 370: ...ap dap num radio 1 2 To following command displays information about the rogues detected by radio 1 on AP port 3 DWS 1008 show rfdetect visible ap 3 radio 1 Total number of entries 104 Flags i infrast...

Страница 371: ...mage then loads con guration information from a designated con guration le A DWS 1008 switch can also contain temporary les with trace information used for troubleshooting Temporary les are not stored...

Страница 372: ...al Versions 5 DWL 8220AP 0123456789 H W A3 F W1 5 6 F W2 5 6 S W 3 0 0 6 DWL 8220AP 9876543210 H W A3 F W1 5 6 F W2 N A S W 3 0 0 Displaying Boot Information Boot information consists of the MSS versi...

Страница 373: ...tware reload or power cycle The boot area is divided into two partitions boot0 and boot1 Each partition can contain one system image le The le area can contain subdirectories Subdirectory names are in...

Страница 374: ...URL can be one of the following subdirname lename le subdirname lename tftp ip addr subdirname lename tmp lename The lename and le lename URLs are equivalent You can use either URL to refer to a le i...

Страница 375: ...rom a TFTP server to nonvolatile storage type the following command DWS 1008 copy tftp 10 1 1 1 newcon g newcon g success received 637 bytes in 0 253 seconds 2517 bytes sec The above command copies th...

Страница 376: ...ng the le MSS does not allow you to delete the currently running software image le or the running con guration To delete a le use the following command delete url The URL can be a lename of up to 128...

Страница 377: ...al 8928 Kbytes used 3312 Kbytes free Boot1 Total 8197 Kbytes used 4060 Kbytes free temporary les Filename Size Created Total 0 bytes used 93537 Kbytes free Removing a Subdirectory To remove a subdirec...

Страница 378: ...owing command DWS 1008 show con g Con guration nvgen d at 2004 5 10 19 08 38 Image 2 1 0 Model DWS 1008 Last change occurred at 2004 5 10 16 31 14 set trace authentication level 10 set ip dns server 1...

Страница 379: ...on guration le that was loaded the last time the software was rebooted To save the running con guration to the le loaded the last time the software was rebooted type the following command DWS 1008 sav...

Страница 380: ...type n MSS does not load the newcon g le and the running con guration remains unchanged Resetting to the Factory Default Con guration To reset the switch to its factory default con guration use the fo...

Страница 381: ...size of an archive created by this option is generally 1MB or less This is the default for the restore command all Backs up or restores the same les as the critical option and all les in the user les...

Страница 382: ...guration currently running on the switch use the load con g command to load the boot con guration le or restart the switch If instead you want to replace the con guration restored from the archive wi...

Страница 383: ...chnical Support Fixing Common Setup Problems The table below contains remedies for some common problems that can occur during basic installation and setup of a DWS 1008 switch Setup Problems and Remed...

Страница 384: ...switch allow the client to authenticate 2 Check the authorization rules in the switch s local database show aaa or on the RADIUS servers to ensure the client is authorized to join a VLAN that is con g...

Страница 385: ...ch returns to the state it was in before you restarted it Once you have entered the command the switch returns to its initial uncon gured state For model DWS 1008 you also can recon gure basic paramet...

Страница 386: ...igher are posted to the console and to the log buffer Debug output is logged to the trace buffer by default The table below summarizes the destinations and defaults for system log messages System Log...

Страница 387: ...equired info Informational messages only No problem exists debug Output from debugging Note The debug level produces a lot of messages many of which can appear to be somewhat cryptic Debug messages ar...

Страница 388: ...view log entries in the system log buffer use the following command show log buffer number of messages facility facility name matching string severity severity level You can display the most recent me...

Страница 389: ...DWS 1008 set log buffer disable Logging to the Console By default console logging is enabled and messages at the error level and higher are sent to the console To modify console logging use the follow...

Страница 390: ...Amessages are sent with facility 4 and boot messages are sent with facility 20 by default For example the following command sends all error level event messages generated by a switchto a server at IP...

Страница 391: ...disable current session logging type the following command DWS 1008 set log current disable success change accepted Logging to the Trace Buffer Trace logging is enabled by default and stores debug lev...

Страница 392: ...stic routines You can set a trace command with a keyword such as authentication or sm to trace activity for a particular feature such as authentication or the session manager Caution Using the set tra...

Страница 393: ...l session manager sm activity at level 3 type the following command DWS 1008 set trace sm level 3 success change accepted Tracing Authorization Activity Tracing authorization activity can help diagnos...

Страница 394: ...with the debug severity level By default the only log target that receives debug level messages is the volatile trace buffer The volatile trace buffer receives messages for all log severities when an...

Страница 395: ...t in the log number of messages Displays the speci ed number of the most recent entries in the log starting with the least recent To lter trace output by MSS area use the facility facility name keywor...

Страница 396: ...formation if you are experiencing MSS performance issues Viewing VLAN Interfaces To view interface information for VLANs type the following command DWS 1008 show interface From DHCP VLAN Name Address...

Страница 397: ...splays the hosts learned by the switch and the ports to which they are connected To display forwarding database FDB information type the following command DWS 1008 show fdb Static Entry Permanent Entr...

Страница 398: ...37008 for its transport TZSP was created by Chris Waters of Network Chemistry You can map up to eight snoop lters to a radio A lter does not become active until you enable it Filters and their mappin...

Страница 399: ...nform you of this condition MSS generates a log message such as the following the rst time an ICMP error message is received following the start of a snoop lter AP Mar 25 13 15 21 681369 ERROR DAP 3 a...

Страница 400: ...ecifying a snap length of 100 bytes or less The following command con gures a snoop lter named snoop1 that matches on all traf c and copies the traf c to the device that has IP address 10 10 30 2 DWS...

Страница 401: ...the AP sends the packet and stops comparing the packet against other lters for the same observer If the lter does not have an observer the AP still maintains a counter of the number of packets that ma...

Страница 402: ...lter after the speci ed number of packets match the lter Without the stop after option the lter operates until you disable it or until the AP is restarted Caution The lter mode is not retained if you...

Страница 403: ...eachable messages from the observer back to the radio You can obtain Netcat through the following link http www securityfocus com tools 139 scoreit If the observer is a PC you can use a Tcl script ins...

Страница 404: ...e stop after num pkts disable 7 Stop the Ethereal capture and view the monitored packets The source IP address of a monitored packet identi es the Distributed AP that copied the packet s payload and s...

Страница 405: ...s are based on these IETF RFCs and drafts RFC 2865 Remote Authentication Dial in User Service RADIUS RFC 2866 RADIUS Accounting RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS E...

Страница 406: ...dministrative The RADIUS server can reply with one of the values listed above If the service type is not set on the RADIUS server administrative users receive NAS Prompt access and network users recei...

Страница 407: ...uses the global timeout instead Called Station Id 30 No Yes Yes For IEEE 802 1X authenticators stores the DWL 8220AP access point MAC address in uppercase ASCII format with octet values separated by...

Страница 408: ...t Session Id Acct Authentic 45 No No Yes Valid values RADIUS Local Acct Session Time 46 No No Yes Number of seconds for which the user has received service Can be present only in Accounting Request re...

Страница 409: ...869 Acct Output Gigawords 53 No No Yes Number of times the Acct Output Octets counter has wrapped around 232 over the course of this service being provided Can be present only in Accounting Request re...

Страница 410: ...can con gure the DHCP server on more than one VLAN You can con gure a DHCP client and DHCP server on the same VLAN but only the client or the server can be enabled The DHCP client and DHCP server can...

Страница 411: ...d cannot be con gured Option 1 Subnet Mask of the VLAN s IP interface Option 15 Domain Name which is the default domain name con gured on the switch If the default domain name is not con gured this op...

Страница 412: ...nter the command without the interface or verbose option the command displays a table of all the IP addresses leased by the server You can use the interface option to display addresses leased by a spe...

Страница 413: ...45 seconds IP Address 10 10 20 2 Subnet Mask 255 255 255 0 Default Gateway 10 10 20 1 DNS Servers 10 10 20 4 10 10 20 5 DNS Domain Name mycorp com In addition to information for addresses leased from...

Страница 414: ...ch is based on the Extensible Authentication Protocol EAP provides an authentication framework that supports a variety of methods for authenticating and authorizing network access for wired or wireles...

Страница 415: ...orks that have a mixture of both client types However association by any 802 11b clients restricts the maximum data transmit rate for all clients To allow the radios to operate at the higher 802 11g d...

Страница 416: ...also known as a peer to peer network or independent basic service set IBSS you can set up a wireless network in which a wireless infrastructure does not exist or is not required for services in a cla...

Страница 417: ...appropriate subprotocol and back end authentication authorization and accounting AAA service to roam to different access points APs without reauthentication authentication server An entity that provi...

Страница 418: ...i speci cation CCMP uses a symmetric key block cipher mode that provides privacy by means of counter mode and data origin authenticity by means of cipher block chaining message authentication code CBC...

Страница 419: ...urity TTLS client The requesting program or device in a client server relationship In a wireless LAN WLAN the client or supplicant requests access to the services provided by the authenticator See als...

Страница 420: ...on rm each other s identity and the information s origin and destination CSR Certi cateSigningRequest Amessagesentbyanadministratortorequestasecuritycerti cate from a certi cate authority CA A CSR is...

Страница 421: ...f aggregated ows even if those ows contain thousands or millions of individual ows digital certi cate A document containing the name of a user client or server a digital signature a public key and oth...

Страница 422: ...data transfer and uses the other link s as backups in case the active link fails If the AP has two direct physical links to one or more switches the Power over Ethernet PoE load is shared across both...

Страница 423: ...or supplicant and the authenticator must support the same EAP type for successful authentication to occur EAP types supported in a D Link Mobility System wireless LAN WLAN include EAPMD5 EAPTLS PEAPTL...

Страница 424: ...service FCC Federal Communications Commission The United States governing body for telecommunications radio television cable and satellite communications FDB See forwarding database FDB Federal Commu...

Страница 425: ...it Ethernet port to link the port with a ber optic or copper network The data transfer rate is 1 gigabit per second Gbps or more Typically employed as high speed interfaces GBICs allow you to easily c...

Страница 426: ...y the European Telecommunications Standards Institute ETSI HMAC Hashed message authentication code A function de ned in RFC 2104 for keyed hashing for message authentication HMAC is used with MD5 and...

Страница 427: ...RFC 2236 that enables an Internet computer to report its multicast group membership to neighboring multicast routers Multicasting allows a computer on the Internet to send content to other computers t...

Страница 428: ...ad hoc network initialization vector IV In encryption random data used to make a message unique Institute of Electrical and Electronic Engineers See IEEE integrity check value See ICV interface A pla...

Страница 429: ...encoding rules BER Lightweight Directory Access Protocol See LDAP location policy An ordered list of rules that overrides the virtual LAN VLAN assignment and security ACL ltering applied to users dur...

Страница 430: ...es of the address See also user glob VLAN glob MAC protocol data unit See MPDU MAC service data unit See MSDU managed device In a D Link network wireless LAN WLAN a DWS 1008 switch or DWL 8220AP acces...

Страница 431: ...ation and accounting AAA functions manages DWS 1008 switches and DWL 8220AP access points and maintains the wireless LAN WLAN by means of such network structures as MobileLAN groups virtual LANs VLANs...

Страница 432: ...nslation See NAT nonvolatile storage A way of storing images and con gurations so that they are maintained in a unit s memory whether power to the unit is on or off Odyssey An 802 1X security and acce...

Страница 433: ...to a minimal number of widely distributed routers PIM SM packets are sent only if they are explicitly requested at a rendezvous point RP PKCS Public Key Cryptography Standards A group of speci cation...

Страница 434: ...comes out at the device end is kept separate from the data signal so neither interferes with the other policy A formal set of statements that de ne the way a network s resources are allocated among it...

Страница 435: ...generator An algorithm of predictable behavior that generates a sequence of numbers with little or no discernible order except for broad statistical patterns Protected Extensible Authentication Proto...

Страница 436: ...o le A group of parameters such as the beacon interval fragmentation threshold and security policies that you con gure in common across a set of radios in one or more DWL 8220AP access points A few pa...

Страница 437: ...group to locate rogue clients rogue access points and ad hoc users A sweep can be either a scheduled sweep or a continuous SentrySweep search During a scheduled sweep each included DWL 8220AP access...

Страница 438: ...access control list An ordered list of rules to control access to and from a network by determining whether to forward or lter packets that are entering or exiting it Associating a security ACL with...

Страница 439: ...set identi er The unique name shared among all computers and other devices in a wireless LAN WLAN SSL Secure Sockets Layer protocol A protocol developed by Netscape for managing the security of messa...

Страница 440: ...on command Temporal Key Integrity Protocol See TKIP TKIP Temporal Key Integrity Protocol A wireless encryption protocol that xes the known problems in the Wired Equivalent Privacy WEP protocol for exi...

Страница 441: ...e transmission of data by one network through the connections of another network by encapsulating its data and protocol information within the other network s transmission units To forward traf c for...

Страница 442: ...single device into multiple logical Layer 2 switches with each VLAN operating as a separate switch or make multiple devices members of multiple logical Layer 2 networks By default all DWS 1008 switch...

Страница 443: ...Sockets Layer HTTPS WECA Wireless Ethernet Compatibility Alliance See Wi Fi Alliance WEP Wired Equivalent Privacy protocol A security protocol speci ed in the IEEE 802 11 standard that attempts to pro...

Страница 444: ...less Internet service provider A company that provides public wireless LAN WLAN services WLAN Wireless LAN A LAN to which mobile users clients can connect and communicate by means of high frequency ra...

Страница 445: ...rnational Telecommunications Union Telecommunication Standardization Sector ITU T Recommendation and the most widely used standard for de ning digital certi cates XML Extensible Markup Language Asimpl...

Страница 446: ...90 132 VAC 180 264 VAC 50 60 Hz Amperage draw maximums At 115Vrms 4Arms At 230Vrms 2Arms Interfaces 8 10 100 Mbps ports with no restrictions on port usage 6 ports provide integrated PoE Power over Et...

Страница 447: ...oft RADIUS VSAs RFC 2716 PPP EAP TLS Authentication Protocol RFC 2759 Microsoft PPP CHAP Extensions Version 2 RFC 2865 RADIUS Authentication RFC 2866 RADIUS Accounting RFC 2869 RADIUS Extensions RFC 2...

Страница 448: ...ICMP RFC 793 TCP RFC 826 ARP IEEE 802 1D Spanning Tree IEEE 802 1Q VLAN tagging IEEE 802 3ad static con g Management RFC 854 Telnet server and client SSHv2 Secure Shell V2 RFC 1157 SNMP v1 v2c RFC 12...

Страница 449: ...defective Hardware or any part thereof with any reconditioned product that D Link reasonably determines is substantially equivalent or superior in all material respects to the defective Hardware Repa...

Страница 450: ...he product is within warranty the customer shall submit a claim to D Link as outlined below The customer must submit with the product as part of the claim a written description of the Hardware defect...

Страница 451: ...al adjustments covered in the operating manual for the product and normal maintenance Damage that occurs in shipment due to act of God failures due to power surge and cosmetic damage Any hardware soft...

Страница 452: ...REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ANY OTHER WARRANTIES OR REMEDIES EXPRESS IMPLIED OR STATUTORY Governing Law This Limited Warranty shall be governed by the laws of the State of California So...

Страница 453: ...eceiver is connected Consult the dealer or an experienced radio TV technician for help For detailed warranty outside the United States please contact corresponding local D Link of ce FCC Caution The m...

Страница 454: ...Manual D Link Systems Inc Registration Appendix G Registration Revised 10 12 2005 Version 1 00 Product registration is entirely voluntary and failure to complete or return this form will not diminish...

Результаты поиска

Содержание DWS-1008

Отзывы:

Похожие инструкции для DWS-1008

Бренды по названию

Популярные бренды

D-Link DWS-1008, Руководство пользователя

Результаты поиска

Содержание DWS-1008

Отзывы:

Похожие инструкции для DWS-1008

Бренды по названию

Популярные бренды