D-Link DWS-1008 Скачать руководство пользователя страница 273

Страница: 273 / 502

D-Link DWS-1008 User Manual

Security ACL Configuration Scenario

The following scenario illustrates how to create a security ACL named

acl-99

that consists of one ACE

to permit incoming packets from one IP address, and how to map the ACL to a port and a user:

1. Type the following command to create and name a security ACL and add an ACE to it.

DWS-1008#

set security acl ip acl-99 permit 192.168.1.1 0.0.0.0

2. To view the ACE you have entered, type the following command:

DWS-1008

show security acl editbuffer

ACL

Type

Status

--------------------------------------------------------

acl-99

Not committed

3. To save

acl-99

and its associated ACE to the configuration, type the following command:

DWS-1008#

commit security acl acl-99

success: change accepted.

4. To map

acl-99

to port 9 to filter incoming packets, type the following command:

DWS-1008#

set security acl map acl-99 port 9 in

mapping configuration accepted

Because every security ACL includes an implicit rule denying all traffic that is not permitted,

port 9 now accepts packets only from 192.168.1.1, and denies all other packets.

5. To map

acl-99

to user Natasha’s sessions when you are using the local database for

authentication, configure Natasha in the database with the Filter-Id attribute. Type the

following commands:

DWS-1008#

set authentication dot1x Natasha local

success: change accepted.

DWS-1008#

set user natasha attr filter-id acl-99.in

success: change accepted.

6. Alternatively, you can map

acl-99

to Natasha’s sessions when you are using a remote

RADIUS server for authentication. To configure Natasha for pass-through authentication

to the RADIUS server shorebirds, type the following command:

DWS-1008#

set authentication dot1x Natasha pass-through shorebirds

success: change accepted.

You must then map the security ACL to Natasha’s session in RADIUS. For instructions,

see the documentation for your RADIUS server.

7. To save your configuration, type the following command:

DWS-1008#

save config

success: configuration saved.

Содержание DWS-1008

Страница 1: ......

Страница 2: ...ns and Allowed Characters 10 MAC Address Notation 11 IP Address and Mask Notation 11 Globs 12 User Globs 12 MAC Address Globs 13 VLAN Globs 13 Matching Order for Globs 13 Port Lists 14 Command Line Ed...

Страница 3: ...ation for Telnet Users 34 Local Override and Backup Local Authentication 34 Authentication When RADIUS Servers Do Not Respond 35 Configuring and Managing Ports and VLANs 36 Configuring and Managing Po...

Страница 4: ...55 Adding an Entry to the Forwarding Database 56 Removing Entries from the Forwarding Database 56 Configuring the Aging Timeout Period 57 Displaying the Aging Timeout Period 57 Changing the Aging Tim...

Страница 5: ...the DNS Client 76 Configuring DNS Servers 76 Adding a DNS Server 77 Removing a DNS Server 77 Configuring a Default Domain Name 77 Adding the Default Domain Name 77 Removing the Default Domain Name 77...

Страница 6: ...NMP Community Strings 101 Displaying USM Settings 101 Displaying Notification Profiles 101 Displaying Notification Targets 101 Displaying SNMP Statistics Counters 101 Configuring DWL 8220AP Access Poi...

Страница 7: ...n Indirectly Connected AP 127 Configuring Static IP Addresses on Distributed APs 128 Specifying IP Information 128 Specifying Switch Information 128 Specifying VLAN information 129 Clearing an AP from...

Страница 8: ...All Radios Using a Profile 148 Resetting a Radio to its Factory Default Settings 149 Restarting an AP 149 Displaying AP Information 149 Displaying AP Configuration Information 150 Displaying Connectio...

Страница 9: ...Are Selected 177 Channel and Power Tuning 177 Power Tuning 177 Channel Tuning 178 Tuning the Transmit Data Rate 179 RF Auto Tuning Parameters 179 Changing RF Auto Tuning Settings 180 Changing Channel...

Страница 10: ...ying the DSCP Table 201 Displaying AP Forwarding Queue Statistics 201 Configuring and Managing Spanning Tree Protocol 202 Enabling the Spanning Tree Protocol 202 Changing Standard Spanning Tree Parame...

Страница 11: ...ng Robustness 218 Enabling Router Solicitation 219 Changing the Router Solicitation Interval 219 Configuring Static Multicast Ports 219 Adding or Removing a Static Multicast Router Port 220 Adding or...

Страница 12: ...upport for TeleSym VoIP 247 Enabling SVP Optimization for SpectraLink Phones 248 Known Limitations 248 Configuring a Service Profile for RSN WPA2 249 Configuring a Service Profile for WPA 249 Configur...

Страница 13: ...s for Network Users 278 Globs and Groups for Network User Classification 278 AAA Methods for IEEE 802 1X and Web Network Access 278 AAA Rollover Process 279 Local Override Exception 279 Remote Authent...

Страница 14: ...of a Third Party AP with Tagged SSIDs 311 Configuring Authentication for Non 802 1X Users of a Third Party AP with Tagged SSIDs313 Configuring Access for Any Users of a Non Tagged SSID 313 Assigning...

Страница 15: ...the System IP Address as the Source Address 341 Configuring Individual RADIUS Servers 341 Deleting RADIUS Servers 342 Configuring RADIUS Server Groups 342 Creating Server Groups 342 Ordering Server Gr...

Страница 16: ...ile 366 Uninstalling the SODA Agent Files from the Switch 367 Displaying SODA Configuration Information 367 Managing Sessions 369 About the Session Manager 369 Displaying and Clearing Administrative S...

Страница 17: ...390 Displaying RF Detection Information 392 Displaying Rogue Clients 393 Displaying Rogue Detection Counters 394 Displaying RF Detect Data 395 Displaying the APs Detected by an AP Radio 395 Displayin...

Страница 18: ...onfiguration 424 Running Traces 424 Using the Trace Command 424 Tracing Authentication Activity 425 Tracing Session Manager Activity 425 Tracing Authorization Activity 425 Tracing 802 1X Sessions 425...

Страница 19: ...437 Preparing an Observer and Capturing Traffic 438 Capturing System Information and Sending it to Technical Support 439 The show tech support Command 440 Core Files 440 Debug Messages 441 Enabling an...

Страница 20: ...onnel only Please follow all warning notices and instructions marked on the product or included in the documentation The manufacturer is not responsible for any radio or TV interference caused by unau...

Страница 21: ...n AAA server for complete verification This offloading capability ensures that the WLAN will not overload when clients are simultaneously connecting to the network User Based Authentication Services T...

Страница 22: ...s operational Solid amber 10Mbps link is operational Blinking green Traffic is active on the 100Mbps link Blinking amber Traffic is active on the 10Mbps link AP 1 6 Solid green For an DWL 8220AP s act...

Страница 23: ...eroute You can test IP connectivity between the switch and other devices Domain Name Service DNS You can configure the switch to use DNS servers for name resolution You also can configure a default do...

Страница 24: ...ect Italic Text Designates command variables that you replace with appropriate values or highlights publication titles or words requiring special emphasis Menu Name Command Indicates a menu item that...

Страница 25: ...ard The 10 100 Ethernet ports on the DWS 1008 switch provide automatic MDI MDX which automatically crosses over the send and receive signals if required The table below lists the pin signals for 10 10...

Страница 26: ...u are relying on the rack to provide ground the rack itself must be grounded with a ground strap to the earth ground Metal screws attaching the switch to the rack provide ground attachment to the rack...

Страница 27: ...n to the firmware on the DWS 1008 switch No additional software is required The switch supports two connection modes Administrative access mode which enables the network administrator to connect to th...

Страница 28: ...hich enables the network administrator to connect to the switch and configure the network Network access mode which enables network users to connect through the switch to access the network CLI Conven...

Страница 29: ...th in the following command set port enable disable port list Text Entry Conventions and Allowed Characters Unless otherwise indicated the MSS CLI accepts standard ASCII alphanumeric characters except...

Страница 30: ...se classless interdomain routing CIDR format to express subnet masks for example 192 168 1 112 24 You indicate the subnet mask with a forward slash and specify the number of bits in the mask Wildcard...

Страница 31: ...character matches any number of characters up to but not including a delimiter character in the glob Valid user glob delimiter characters are the at sign and the period For example the following glob...

Страница 32: ...WS 1008 switch known as the location policy to one or more users MSS compares the VLAN glob which can optionally contain wildcard characters against the VLAN Name attribute returned by AAA to determin...

Страница 33: ...exists on the switch You can include a single port or multiple ports in a command that includes port port list Use one of the following formats for port list A single port number For example DWS 1008...

Страница 34: ...a new line Ctrl N or Down Arrow key Enters the next command line in the history buffer Ctrl P or Up Arrow key Enters the previous command line in the history buffer Ctrl U or Ctrl X Deletes characters...

Страница 35: ...for more information Commit the content of the ACL table Copy from filename or url to filename or url Crypto use crypto help for more information Delete url Show list of files on flash device Disable...

Страница 36: ...ap name The set ap dap name command has the following complete syntax set ap port list dap dap num name name A brief description of the command s functions The full command syntax Any command defaults...

Страница 37: ...already configured The quickstart command enables you to configure a switch to provide wireless access to any number of users CLI You can configure a switch using the CLI by attaching a PC to the swit...

Страница 38: ...switch Country code the country where wireless access will be provided Administrator username and password Management IP address and default router gateway Time and date statically configured or prov...

Страница 39: ...IC is statically configured 5 Use a web browser to access IP address 192 168 100 1 This is a temporary well known address assigned to the unconfigured switch when you power it on The Web Quick Start e...

Страница 40: ...s then click Finish to save the changes or click Back to change settings If you want to quit for now and start over later click Cancel If you click Finish the wizard saves the configuration settings i...

Страница 41: ...f applicable You can advance to the next item and accept the default if applicable by pressing Enter The command also automatically generates a key pair for SSH The command automatically places all po...

Страница 42: ...tem IP address that uses that interface Likewise if you configure this information manually instead of using the quickstart command you must configure the interface and system IP address separately De...

Страница 43: ...o use public Do you want Web Portal authentication y y Enter a username to be used with Web Portal cr to exit user1 Enter a password for user1 user1pass Enter a username to be used with Web Portal cr...

Страница 44: ...e of operation is restricted In this mode only a small subset of status and monitoring commands is available Restricted mode is useful for administrators with basic monitoring privileges who are not a...

Страница 45: ...ork connections by identifying who the user is what the user can access and the amount of network resources the user can consume Access Modes MSS provides AAA either locally or via remote servers to a...

Страница 46: ...elf as an administrator you must log in to the switch from the console Until you set the enable password and configure authentication the default username and password are blank Press Enter when promp...

Страница 47: ...nter 3 At the Enter new password prompt enter an enable password of up to 32 alphanumeric characters with no spaces The password is not displayed as you type it Note The enable password is case sensit...

Страница 48: ...ore entering this command you must configure a local username and password DWS 1008 set authentication console local 3 To store this configuration into nonvolatile memory type the following command DW...

Страница 49: ...floor of building 17 into the group bldg 17 1st floor or group all users in the IT group into the group infotech people Individual user entries override group entries if they both configure the same a...

Страница 50: ...cates that the password string you are entering is the encrypted form of the password Use this option only if you do not want MSS to encrypt the password for you To clear a user from the local databas...

Страница 51: ...rs using the start stop mode via the local database DWS 1008 set accounting admin EXAMPLE start stop local success change accepted The accounting records show the date and time of activity the user s...

Страница 52: ...on all changes are lost You can also type the load config command which reloads the switch to the last saved configuration or loads a particular configuration filename Administrative AAA Configuration...

Страница 53: ...on through the group She types the following commands in this order DWS 1008 set server group sg1 members r1 success change accepted DWS 1008 set authentication admin sg1 success change accepted DWS 1...

Страница 54: ...ion When RADIUS Servers Do Not Respond This scenario illustrates how to enable RADIUS authentication for both console and administrative users but to unconditionally allow access for administrative an...

Страница 55: ...lso can provide power to the access point Wireless users are authenticated to the network through an access port Wired authentication port A wired authentication port connects the switch to user devic...

Страница 56: ...oin VLANs Enabled as the port is added to VLANs Maximum user sessions Not applicable 1 one Not applicable Setting a Port for a Directly Connected Access Point Note Before configuring a port as an AP a...

Страница 57: ...he following command DWS 1008 set dap 1 serial id 0322199999 model dwl 8220ap success change accepted Setting a Port for a Wired Authentication User To set a port for a wired authentication user use t...

Страница 58: ...traffic coming from the switch such as Spanning Tree Protocol STP BPDUs In this case disable repetitive traffic emissions such as STP BPDUs from downstream switches If you want to provide a management...

Страница 59: ...t have a name by default Setting a Port Name To set a port name use the following command set port port name name You can specify only a single port number with the command To set the name of port 2 t...

Страница 60: ...figure the following port operating parameters Speed Autonegotiation Port state PoE state You also can toggle a port s administrative state and PoE setting off and back on to reset the port Autonegoti...

Страница 61: ...a port use the following command reset port port list Displaying Port Information You can use CLI commands to display the following port information Port configuration and status PoE state Port statis...

Страница 62: ...4 up AP enabled 1 44 In this example PoE is disabled on port 1 and enabled on port 4 The access point connected to port 4 is drawing 1 44 W of power from the switch Displaying Port Statistics To displ...

Страница 63: ...rs collisions receive etherstats transmi t etherstats Statistics types are displayed in the following order by default Octets Packets Receive errors Transmit errors Collisions Receive Ethernet statist...

Страница 64: ...Only network ports can participate in a port group You can configure up to 6 ports in a port group in any combination of ports The port numbers do not need to be contiguous and you can use 10 100 Eth...

Страница 65: ...ds that change Layer 2 configuration parameters to apply configuration changes to all ports in the port group For example Spanning Tree Protocol STP and VLAN membership changes affect the entire port...

Страница 66: ...isplay the configuration and status of port group server2 type the following command DWS 1008 show port group name server2 Port group server2 is up Ports 3 5 Interoperating with Cisco Systems EtherCha...

Страница 67: ...ip of these types of ports is determined dynamically through the authentication and authorization process Users who require authentication connect through switch ports that are configured for access p...

Страница 68: ...can vary uniquely for each switch and are not related to 802 1Q tag values You cannot use a number as the first character in a VLAN name Traffic Forwarding A switch switches traffic at Layer 2 among p...

Страница 69: ...use the same name with different capitalizations for VLANs or ACLs For example do not configure two separate VLANs with the names red and RED Note D Link recommends that you do not use the name defaul...

Страница 70: ...value 11 to port 6 type the following commands DWS 1008 set vlan 4 name marigold port 1 3 success change accepted DWS 1008 set vlan 4 name marigold port 6 tag 11 success change accepted Removing an En...

Страница 71: ...are not permitted to communicate among themselves directly To communicate with another client the client must use one of the specified default routers Note For networks with IP only clients you can r...

Страница 72: ...tes whether restriction is enabled The Drops field indicates how many packets were addressed directly from one client to another and dropped by MSS The Hits field indicates how many packets the permit...

Страница 73: ...ge out regardless of how often the entry is used However like dynamic entries static entries are removed if the switch is powered down or rebooted Permanent A permanent entry does not age out regardle...

Страница 74: ...r glob vlan vlan id show fdb perm static dynamic system all port port list vlan vlan id The mac addr glob parameter can be an individual address or a portion of an address with the asterisk wildcard c...

Страница 75: ...he following command DWS 1008 set fdb perm 00 bb cc dd ee ff port 3 5 vlan blue success change accepted To add a static entry for MAC address 00 2b 3c 4d 5e 6f on port 1 in the default VLAN type the f...

Страница 76: ...aging is disabled Displaying the Aging Timeout Period To display the current setting of the aging timeout period use the following command show fdb agingtime vlan vlan id For example to display the a...

Страница 77: ...oom1 success change accepted DWS 1008 set port 7 8 name backbone success change DWS 1008 show port status Port Name Admin Oper Config Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx...

Страница 78: ...d ports Would you like to continue y n n y success change accepted DWS 1008 show port status Port Name Admin Oper Config Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx 2 finance up...

Страница 79: ...k 5 Configure ports 7 and 8 as a load sharing port group to provide a redundant link to the backbone and verify the configuration change Type the following commands DWS 1008 set port group name backbo...

Страница 80: ...nal 44 bytes to the packet headers so MSS does fragment and reassemble the packets if necessary to fit within the supported MTUs However MSS does not support defragmentation except at the receiving en...

Страница 81: ...t router gateway DNS domain name DNS server IP address The DHCP client is implemented according to RFC 2131 Dynamic Host Configuration Protocol and RFC 2132 DHCP Options and BOOTP Vendor Extensions Th...

Страница 82: ...n name and DNS server IP address are already configured on the switch and DNS is enabled the configured values are used Otherwise the values received from the DHCP server are used If the address offer...

Страница 83: ...on To display DHCP client information type the following command DWS 1008 show dhcp client Interface corpvl an 4 Configuration Status Enabled DHCP State IF_UP Lease Allocation 65535 seconds Lease Rema...

Страница 84: ...ng the following Topology reporting for dual homed access points Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps Designating the System IP Ad...

Страница 85: ...ute for a given destination MSS uses the route Otherwise MSS uses a default route For example if the route table does not have a route to host 192 168 1 10 the switch uses the default route to forward...

Страница 86: ...ault router 10 0 1 17 is reachable through the subnet on VLAN 1 Route 10 0 1 1 24 resolves the static route that uses the default router Default router 10 0 2 17 is reachable through the subnet on VLA...

Страница 87: ...he bottom of the group If you add a new route that has the same destination and cost as a route already in the table MSS places the new route at the top of the group of routes with the same cost To ad...

Страница 88: ...hell SSH provides a secure connection to the CLI through TCP port 22 Telnet provides a nonsecure connection to the CLI through TCP port 23 HTTPS provides a secure connection to the Web management appl...

Страница 89: ...0 28 93 ae a4 f9 7c f5 13 04 This command displays the checksum also called a fingerprint of the public key When you initially connect to the switch with an SSH client you can compare the SSH key chec...

Страница 90: ...ver Sessions Use the following commands to manage SSH server sessions show sessions admin clear sessions admin ssh session id These commands display and clear SSH server sessions Note If you type the...

Страница 91: ...y2 tech 6 Telnet tty3 sshadmin 381 SSH To clear all SSH server sessions type the following command DWS 1008 clear sessions admin ssh This will terminate manager sessions do you wish to continue y n n...

Страница 92: ...e status of the Telnet server use the following command show ip telnet To display the Telnet server status and the TCP port number on which a switch listens for Telnet traffic type the following comma...

Страница 93: ...ion ends as soon as you press Enter DWS 1008 show sessions admin tty Username Time Type tty0 3644 Console tty2 tech 6 Telnet tty3 sshadmin 381 SSH 3 admin sessions To clear all Telnet server sessions...

Страница 94: ...he output Changing the Idle Timeout for CLI Management Sessions By default MSS automatically terminates a console or Telnet session that is idle for more than one hour To change the idle timeout for C...

Страница 95: ...ping chris example com When you enter ping chris example com the switch s DNS client queries a DNS server for the IP address that corresponds to the hostname chris example com then sends the ping req...

Страница 96: ...s instead of ping chris example com and the switch automatically requests the DNS server to send the IP address for chris example com To override the default domain name when entering a hostname in a...

Страница 97: ...ommands For example you can configure alias pubs1 for IP address 10 10 10 20 and enter ping pubs1 as a shortcut for ping 10 10 10 20 Aliases take precedence over DNS When you enter a hostname MSS chec...

Страница 98: ...me by an additional hour for daylight savings time or similar summertime period Note D Link recommends that you set the time and date parameters before you install certificates on the switch If the sw...

Страница 99: ...to or subtract from UTC Use a minus sign in front of the hour value to subtract the hours from UTC To set the time zone to PST Pacific Standard Time type the following command DWS 1008 set timezone P...

Страница 100: ...nd end time MSS implements the time change starting at 2 00 a m on the first Sunday in April and ending at 2 00 a m on the last Sunday in October according to the North American standard To set the su...

Страница 101: ...w timedate DWS 1008 show timedate Sun Feb 29 2004 23 58 02 PST Configuring and Managing NTP The Network Time Protocol NTP allows a networking device to synchronize its system time and date with the ti...

Страница 102: ...void a significant delay in convergence Adding an NTP Server To add an NTP server to the list of NTP servers use the following command set ntp server ip addr To configure a switch to use NTP server 19...

Страница 103: ...le disable Displaying NTP Information To display NTP information use the following command show ntp Here is an example DWS 1008 show ntp NTP client enabled Current update interval 20 secs Current time...

Страница 104: ...ng ARP Table Entries To display ARP table entries use the following command show arp ip addr Here is an example DWS 1008 show arp ARP aging time 1200 seconds Host HW Address VLAN Type State 10 5 4 51...

Страница 105: ...ng command DWS 1008 set arp static 10 10 10 1 00 bb cc dd ee ff success added arp 10 10 10 1 at 00 bb cc dd ee ff on VLAN 1 Changing the Aging Timeout The aging timeout specifies how long a dynamic en...

Страница 106: ...1 from 10 9 4 34 56 84 bytes of data 64 bytes from 10 1 1 1 icmp_seq 1 ttl 255 time 0 769 ms 64 bytes from 10 1 1 1 icmp_seq 2 ttl 255 time 0 628 ms 64 bytes from 10 1 1 1 icmp_seq 3 ttl 255 time 0 6...

Страница 107: ...ou press Ctrl t or type exit to end the client session the management session returns to the local prompt DWS 1008 remote Session 0 pty tty2 d terminated tt name tty2 d DWS 1008 Use the following comm...

Страница 108: ...s continues until the TTL is incremented to a value large enough for the datagram to reach the destination host or until the maximum TTL is reached To determine when a datagram has reached its destina...

Страница 109: ...of community strings SNMPv3 supports user security model USM users with individually configurable access levels authentication options and encryption options All SNMP versions are disabled by default...

Страница 110: ...ss change accepted Enabling SNMP Versions To enable an SNMP protocol use the following command set snmp protocol v1 v2c usm all enable disable The usm option enables SNMPv3 The all option enables all...

Страница 111: ...ing to send notifications To clear an SNMP community string use the following command clear snmp community name comm string The following command configures community string switchmgr1 with access lev...

Страница 112: ...algorithm 5 is used sha Secure Hashing Algorithm SHA is used If the authentication type is md5 or sha you can specify a passphrase or a hexadecimal key To specify a passphrase use the auth pass phrase...

Страница 113: ...r of message exchanges and notifications You also can require encryption in addition to authentication SNMPv1 and SNMPv2c do not support authentication or encryption If you plan to use SNMPv1 or SNMPv...

Страница 114: ...ification type all To clear a notification profile use the following command clear snmp notify profile profile name The profile name can be up to 32 alphanumeric characters long with no spaces To modi...

Страница 115: ...a management session with the switch DeviceFailTraps Generated when an event with an Alert severity occurs DeviceOkayTraps Generated when a device returns to its normal state LinkDownTraps Generated...

Страница 116: ...ects beacon frames for a valid SSID but sent by a rogue AP RFDetectUnAuthorizedAPTraps Generated when MSS detects the MAC address of an AP that is on the attack list RFDetectUnAuthorizedOuiTraps Gener...

Страница 117: ...ticated encrypted retries num timeout num To configure a notification target for traps from SNMPv3 use the following command set snmp notify target target num ip addr udp port number usm trap user use...

Страница 118: ...the snmp engine id of the target Specify ip if the target s SNMP engine ID is based on its IP address If the target s SNMP engine ID is a hexadecimal value use hex hex string to specify the value The...

Страница 119: ...igures a notification target for unacknowledged notifications DWS 1008 set snmp notify target 2 10 10 40 10 v1 trap success change accepted Enabling the SNMP Service To enable the MSS SNMP service use...

Страница 120: ...d show snmp notify profile The command lists settings separately for each notification profile The use count indicates how many notification targets use the profile For each notification type the comm...

Страница 121: ...D Link network containing DWL 8220AP access points and DWS 1008 switches An AP can be directly connected to a switch port or indirectly connected to a switch through a Layer 2 or IPv4 Layer 3 network...

Страница 122: ...es of AP to DWS 1008 connection direct and distributed In direct connection an AP connects to one or two 10 100 ports on a switch The switch port is then configured specifically for a direct attachmen...

Страница 123: ...s as its boot device DNS If the intermediate network between the switch and Distributed AP includes one or more IP routers create a DLINK mynetwork com or wlan switch mynetwork com entry on the DNS se...

Страница 124: ...s the other device s port from forwarding traffic during each boot attempt the AP repeatedly disables and reenables the link causing STP to repeatedly stop the other device s port from forwarding traf...

Страница 125: ...r receiving a DHCP Offer containing a valid string for option 43 a Distributed AP sends a unicast Find switch messages to each switch in the list No configuration is required on the switch itself AP P...

Страница 126: ...y connected switch or a PoE injector Dual homing support for PoE is automatically enabled when you connect both AP Ethernet ports Data link redundancy You can provide data link redundancy by connectin...

Страница 127: ...is either obtained through DHCP the default or can be statically configured on the AP How a Distributed AP Obtains an IP Address through DHCP By default a distributed AP obtains its IP address through...

Страница 128: ...ured or its static IP configuration is disabled then the AP obtains its IP address through DHCP Contacting a Switch After the AP has an IP address it attempts to contact a switch on the network The me...

Страница 129: ...ss skips to step 6 If no switches reply the AP repeatedly resends the Find switch broadcast If still no switches reply the process continues with step 3 3 If the AP is unable to locate a switch on the...

Страница 130: ...est capacity to add new active AP connections 7 The switch sends a unicast Find switch Reply message to the AP containing the system IP address of the best switch to use 8 The AP sends a unicast messa...

Страница 131: ...the default router address to contact the switch 2 If Item A but not Item B is specified then the AP uses the specified static IP configuration and broadcasts a Find switch message to the subnet If th...

Страница 132: ...er determines if the switch permits the AP to load a local image or if the image should be downloaded from the switch The AP loads its local image only if the switch is running MSS Version 5 0 or late...

Страница 133: ...asons but not for authentication reasons the rejection does not count as an authentication failure D Link recommends that you configure small groups and ensure that all the radios in the group provide...

Страница 134: ...ep initial vlan Disable Reassigns the user to a VLAN after roaming instead of leaving the roamed user on the VLAN assigned by the switch where the user logged on Note Enabling this option does not ret...

Страница 135: ...b portal Otherwise the value is unconfigured If set to portalacl and the service profile fallthru is set to web portal radios use the portalacl ACL to filter traffic for Web Portal users during authen...

Страница 136: ...D can be encrypted or clear and beaconing can be enabled or disabled on an individual SSID basis Each radio has 32 MAC addresses and can therefore support up to 32 SSIDs with one MAC address assigned...

Страница 137: ...rt retry count for frames shorter than 2346 bytes and uses the long retry count for frames that are 2346 bytes or longer max rx lifetime 2000 Allows a received frame to stay in the buffer for up to 20...

Страница 138: ...are unique to each radio and are not controlled by radio profiles The table below lists the defaults for these parameters Parameter Default Value Description antenna location indoors Location of the r...

Страница 139: ...the channel transmit power and external antenna type on each radio Map the radio profile to a service profile Assign the radio profile to radios and enable the radios Specifying the Country of Operati...

Страница 140: ...NG Norway NO Oman OM Pakistan PK Panama PA Paraguay PY Country Code Peru PE Philippines PH Poland PL Portugal PT Puerto Rico PR Romania RO Russia RU Saudi Arabia SA Serbia CS Singapore SG Slovakia SK...

Страница 141: ...ll need to configure a service profile separately for each SSID A DWS 1008 switch can have one Auto AP profile How an Unconfigured AP Finds a Switch To Configure It The boot process for a Distributed...

Страница 142: ...itch and finishes the boot and configuration process Configuring an Auto AP Profile The Auto AP profile for Distributed AP configuration is like an individual AP configuration except the configuration...

Страница 143: ...d to the radio profile To use a radio profile other than default you must specify the radio profile you want to use Changing AP Parameter Values The commands for configuring AP and radio parameters fo...

Страница 144: ...accepted Note You must configure the radio profile before you can apply it to the Auto AP profile Displaying Status Information for APs Configured by the Auto AP Profile To display status information...

Страница 145: ...f the Auto AP profile assigned the number 100 and the name DAP 100 to the AP the persistent configuration for the AP has the same number and name In this case use 100 as the dap num with show dap set...

Страница 146: ...power D Link DWL 8220AP access points only If you enable PoE on a port connected to another device physical damage to the device can result To set the port type for access ports use the following com...

Страница 147: ...k addr gateway gateway addr mode enable disable To configure Distributed AP 1 to use IP address 172 16 0 42 with a 24 bit netmask and use 172 16 0 20 as its default router gateway type the following c...

Страница 148: ...VLAN tagging information for a Distributed AP use the following command set dap dap num boot vlan vlan tag tag value mode enable disable When this command is configured all Ethernet frames emitted fr...

Страница 149: ...this section enable you to change the bias for an AP To change the bias of an AP use the following command set ap port list dap dap num bias high low The default bias is high To change the bias for a...

Страница 150: ...r it can download an operational image from the switch to which it has connected By default an AP model that can locally store a software image on the AP will load the locally stored image instead of...

Страница 151: ...RSA as the public key cryptosystem with AES CCM for data encryption and integrity checking and HMAC MD5 for keyed hashing and message authentication during the key exchange Bulk data protection is pro...

Страница 152: ...tion for management information you can disable the feature The table below lists the AP security options and whether an AP can establish a management session with a switch based on the option setting...

Страница 153: ...rational channel 48 operational power 11 base mac 00 0b 0e 0a 60 01 bssid1 00 0b 0e 0a 60 01 ssid public bssid2 00 0b 0e 0a 60 03 ssid dlink The fingerprint is displayed regardless of whether it has b...

Страница 154: ...g DAP HS secure optional configure DAP 0335301065 with fingerprint c6 98 9c 41 32 ab 37 09 7e 93 79 a4 ca dc ec fb The message lists the serial number and fingerprint of the AP You can check this info...

Страница 155: ...nd clear service profile name soda agent directory failure page remediation acl success page logout page The soda options reset Sygate On Demand SODA settings to their default values If you omit the s...

Страница 156: ...change the fallthru method use the following command set service profile name auth fallthru last resort none web portal Changing Transmit Rates Each type of radio 802 11b and 802 11g that provides se...

Страница 157: ...e and are the same as the valid rates for mandatory However you cannot set the beacon rate to a disabled rate multicast rate auto for all radio types Data rate of multicast frames sent by AP radios ra...

Страница 158: ...probing use the following command set service profile name idle client probing enable disable The following command disables idle client probing on service profile sp1 DWS 1008 set service profile sp...

Страница 159: ...me for an SSID without receiving an acknowledgment for the frame A long unicast frame is a frame that is equal to or longer than the RTS threshold To change the long retry threshold use the following...

Страница 160: ...nge individual parameters controlled by a radio profile use the commands described in the following sections Note You must disable all radios that are using a radio profile before you can change param...

Страница 161: ...io profile rp1 dtim interval 2 success change accepted Changing the RTS Threshold The RTS threshold specifies the maximum length a frame can be before a radio uses the Request to Send Clear to Send RT...

Страница 162: ...ximum receive lifetime use the following command set radio profile name max rx lifetime time The time can be from 500 ms 0 5 second through 250 000 ms 250 seconds The default is 2000 ms 2 seconds To c...

Страница 163: ...g frames with either short or long preambles If any client associated with an 802 11b g radio uses long preambles for unicast traffic the AP access point still accepts frames with short preambles but...

Страница 164: ...st and remove the profile type the following commands DWS 1008 set radio profile rptest mode disable DWS 1008 clear radio profile rptest success change accepted Configuring Radio Specific Parameters T...

Страница 165: ...mmand DWS 1008 set ap 2 radio 1 channel 1 tx power 10 success change accepted To configure the 802 11a radio on port 5 for channel 36 with a transmit power of 10 dBm type the following command DWS 100...

Страница 166: ...ling Radios To assign a radio profile to radios use the following command set ap port list dap dap num radio 1 2 radio profile name mode enable disable To assign radio profile rp1 to radio 1 on ports...

Страница 167: ...success change accepted Disabling or Reenabling All Radios Using a Profile To disable or reenable all radios that are using a radio profile use the following command set radio profile name mode enable...

Страница 168: ...access point use the following command reset ap port list dap dap num Use the reset ap command to reset an access point configured on an access port Use the reset dap command to reset a Distributed A...

Страница 169: ...mode disabled channel dynamic tx pwr 1 profile default auto tune max power default Radio 2 type 802 11a mode disabled channel dynamic tx pwr 1 profile default auto tune max power default To display c...

Страница 170: ...Total number of entries 8 DAP Serial Id IP Address Bias 1 11223344 10 3 8 111 HIGH 11223344 10 4 3 2 LOW 2 332211 10 3 8 111 LOW 332211 10 4 3 2 HIGH 17 0322100185 10 3 8 111 HIGH 0322100185 10 4 3 2...

Страница 171: ...ides information only if the Distributed AP is configured on the switch where you use the command The switch does not need to be the one that booted the AP but it must have the AP in its configuration...

Страница 172: ...dio profile type the following command DWS 1008 show radio profile default Beacon Interval 100 DTIM Interval 1 Max Tx Lifetime 2000 Max Rx Lifetime 2000 RTS Threshold 2346 Frag Threshold 2346 Long Pre...

Страница 173: ...0 0b 0e 00 d2 c2 ssid employee net bssid3 00 0b 0e 00 d2 c4 ssid mycorp tkip Radio 2 type 802 11a state configure succeed Enabled operational channel 64 operational power 14 base mac 00 0b 0e 00 d2 c1...

Страница 174: ...Pkt Replays 0 TKIP Decrypt Err 0 CCMP Pkt Decrypt Err 0 CCMP Pkt Replays 0 CCMP Pkt Transfer Ct 0 RadioResets 0 Radio Recv Phy Err Ct 0 Transmit Retries 60501 Radio Adjusted Tx Pwr 15 Noise Floor 93 8...

Страница 175: ...WPA clients you can configure MSS to provide encryption for both types of clients To configure encryption parameters for an SSID create or edit a service profile map the service profile to a radio pr...

Страница 176: ...11i standard You can use WPA with 802 1X authentication If the client does not support 802 1X you can use a preshared key on the access point and the client for authentication WPA Cipher Suites WPA su...

Страница 177: ...rk by refusing all association or reassociation requests from TKIP and WEP clients In addition MSS generates an SNMP trap that indicates the switch port and radio that received frames with the two MIC...

Страница 178: ...RSN clients and the AP to the same value as the last setting of the retransmission timeout The retransmission timeout is set to the lower of the 802 1X supplicant timeout or the RADIUS session timeout...

Страница 179: ...nted by the client If the keys match MSS authenticates the client Because the WEP key is static MSS does not use 802 1X to authenticate the client To allow a non WPA client that uses dynamic WEP to be...

Страница 180: ...Service Profile for WPA Encryption parameters apply to all users who use the SSID configured by a service profile To create a service profile use the following command set service profile name To cre...

Страница 181: ...is command the service profile supports TKIP and 40 bit WEP Note Microsoft Windows XP does not support WEP with WPA To configure a service profile to provide WEP for XP clients leave WPA disabled and...

Страница 182: ...e psk phrase passphrase The passphrase must be from 8 to 63 characters long including blanks If you use blanks you must enclose the string in quotation marks To configure service profile wpa to use pa...

Страница 183: ...none Sygate On Demand SODA no Enforce SODA checks yes SODA remediation ACL Custom success web page Custom failure web page Custom logout web page Custom agent di rectory Static COS no COS 0 CAC mode...

Страница 184: ...radios use the following command set ap port list radio 1 2 radio profile name mode enable disable To map service profile wpa to radio profile bldg1 type the following command DWS 1008 set radio profi...

Страница 185: ...control IEEE settings for the radios 5 Assign the radio profile to the radios and enable the radios If you plan to use PSK authentication you also need to enable this authentication method and enter...

Страница 186: ...rsn cipher ccmp enable success change accepted After you type this command the service profile supports both TKIP and CCMP Note Microsoft Windows XP does not support WEP with RSN To configure a servi...

Страница 187: ...sending it The radio or client that receives the frame recalculates the ICV and compares the result to the ICV in the frame If the values match the frame is processed If the values do not match the fr...

Страница 188: ...ex num parameter specifies the index you are configuring You can specify a value from 1 through 4 The key value parameter specifies the hexadecimal value of the key Type a 10 character ASCII string re...

Страница 189: ...th TKIP The following example shows how to configure MSS to provide authentication and TKIP encryption for 801 X WPA clients This example assumes that pass through authentication is used for all users...

Страница 190: ...uration saved Enabling Dynamic WEP in a WPA Network The following example shows how to configure MSS to provide authentication and encryption for 801 X dynamic WEP clients and for 801 X WPA clients us...

Страница 191: ...ce profile wpa wep success change accepted 8 Apply radio profile rp2 to radio 1 on port 5 and to radios 1 and 2 on port 6 enable the radios and verify the configuration changes Type the following comm...

Страница 192: ...AC users to MAC user group wpa for mac Type the following commands DWS 1008 set mac user aa bb cc dd ee ff group wpa for mac success configuration saved DWS 1008 set mac user a1 b1 c1 d1 e1 f1 group w...

Страница 193: ...p for mac auth psk enable success change accepted 10 Configure a passphrase for the preshared key Type the following command DWS 1008 set service profile wpa wep for mac psk phrase passphrase to conve...

Страница 194: ...4 6 radio 1 radio profile rp3 mode enable success change accepted DWS 1008 set ap 6 radio 2 radio profile rp3 mode enable success change accepted DWS 1008 show ap config Port 4 AP model DWL 8220AP POE...

Страница 195: ...manages the radio After this the channel and power do not change unless you change the settings in the radio profile or enable RF Auto Tuning If RF Auto Tuning is enabled for channel and power assignm...

Страница 196: ...r Tuning RF Auto Tuning can change the channel or power of a radio to compensate for RF changes such as interference or to maintain at least the minimum data transmit rate for associated clients A rad...

Страница 197: ...ich is the number of frames received by the AP radio that have physical layer errors A high number of Phy errors can indicate the presence of a non 802 11 device using the same RF spectrum Received CR...

Страница 198: ...SS examines the RF information gathered from the network and determines whether the channel needs to be changed to compensate for RF changes channel holddown 900 MSS maintains the channel setting on a...

Страница 199: ...following command DWS 1008 set radio profile rp2 auto tune channel config disable success change accepted Changing the Channel Tuning Interval The default channel tuning interval is 3600 seconds You...

Страница 200: ...by default To enable or disable the feature for all radios in a radio profile use the following command set radio profile name auto tune power config enable disable To enable power tuning for radios...

Страница 201: ...ically configured settings by locking them down When you lock down channel or power settings MSS converts the latest values set by RF Auto Tuning into static settings You can lock down channel or powe...

Страница 202: ...000 RTS Threshold 2346 Frag Threshold 2346 Long Preamble no Tune Channel yes Tune Power no Tune Channel Interval 3600 Tune Power Interval 600 Power ramp interval 60 Channel Holddown 300 Countermeasure...

Страница 203: ...hannel 36 tx pwr 1 profile default auto tune max power default Displaying RF Neighbors To display the other radios that a specific D Link radio can hear use the following commands show auto tune neigh...

Страница 204: ...show auto tune attributes ap ap num radio 1 2 all show auto tune attributes dap dap num radio 1 2 all To display RF attribute information for radio 1 on the directly connected access point on port 2...

Страница 205: ...st three listeners Configuring AP Radios to Listen for AeroScout RFID Tags To configure AP radios to listen for AeroScout RFID tags Configure a service profile for the AeroScout listeners and set the...

Страница 206: ...disable success change accepted DWS 1008 set radio profile rfid listeners success change accepted DWS 1008 set radio profile rfid listeners success change accepted DWS 1008 set radio profile rfid lis...

Страница 207: ...d the site map in AeroScout System Manager 2 Mark the origin point 0 0 if not already done 3 Calibrate distance if not already done 4 Add each AP configured as a listener to the map and enter its IP a...

Страница 208: ...rsave support Unscheduled Automatic Powersave Delivery U APSD U APSD enables clients that use powersave mode to more efficiently request buffered unicast packets from AP radios set radio profile wmm p...

Страница 209: ...before being disassociated default 180 seconds idle client probing keepalives sent to clients enabled by default set service profile user idle timeout set service profile idle client probing QoS Mode...

Страница 210: ...r the egress interface is tagged or is an IP tunnel The mappings between DSCP and CoS values are configurable See Changing CoS Mappings 802 1p and CoS values map directly and are not configurable DSCP...

Страница 211: ...le after an AP restart the AP uses the mappings in effect on the new switch The table below lists the default mappings between an AP s internal CoS values and its forwarding queues CoS AP Forwarding Q...

Страница 212: ...t must send a separate PSpoll for each buffered packet U APSD is supported only for QoS mode WMM Call Admission Control Call Admission Control CAC is an optional feature that helps ensure that high pr...

Страница 213: ...ic on an SSID with a specific CoS value When static CoS is enabled the AP marks all traffic between clients and the switch for a given SSID with the static CoS value The static CoS value must be confi...

Страница 214: ...e is WMM To change the QoS mode on a radio profile use the following command set radio profile name qos mode svp wmm For example the following command changes the QoS mode for radio profile rp1 to SVP...

Страница 215: ...by default To change the maximum number of sessions use the following command set service profile name cac session max sessions The max sessions can be a value from 0 to 100 For example to change the...

Страница 216: ...s classification but does not affect marking DWS 1008 set qos dscp to cos map 45 cos 7 success change accepted The following command changes the mapping of CoS value 6 from DSCP value 48 to DSCP value...

Страница 217: ...o Profile s QoS Settings To display the QoS mode and all other settings for a radio profile use the following command show radio profile name The following example shows the configuration of radio pro...

Страница 218: ...yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 WEP Multicast Index 1 Shar...

Страница 219: ...3 4 5 6 Egress DSCP 0 8 16 24 32 40 48 56 Egress ToS byte 0x00 0x20 0x40 0x60 0x80 0xA0 0xC0 0xE0 Displaying a DSCP to CoS Mapping To display the CoS value to which a specific DSCP value is mapped dur...

Страница 220: ...6 0x24 1 2 63 0x3f 252 0xfc 7 14 Displaying AP Forwarding Queue Statistics You can display statistics for AP forwarding queues using the following commands show dap qos stats dap num clear show dap qo...

Страница 221: ...ield of the BPDUs MSS runs a separate instance of PVST on each tagged VLAN Note STP does not run on AP access ports or wired authentication ports and does not affect traffic flow on these port types N...

Страница 222: ...ric value the device with the lowest MAC address becomes the root bridge If the root bridge fails STP elects a new root bridge based on the bridge priorities of the remaining bridges Port Cost Port co...

Страница 223: ...ority 69 vlan pink success change accepted Changing STP Port Parameters You can change the STP cost and priority of an individual port on a global basis or an individual VLAN basis Changing the STP Po...

Страница 224: ...ty To change the priority of a port use one of the following commands set spantree portpri port list priority value set spantree portvlanpri port list priority value all vlan vlan id The set spantree...

Страница 225: ...iving a topology change notification to begin forwarding data packets You can specify a delay from 4 through 30 seconds The default is 15 seconds The root bridge always forwards traffic Maximum age Th...

Страница 226: ...pecify an age from 6 through 40 seconds The default is 20 seconds The all option applies the change to all VLANs Alternatively specify an individual VLAN To change the maximum acceptable age for root...

Страница 227: ...a port is still valid If not the bridge immediately starts the listening stage on the port Note If you plan to use the backbone fast convergence feature you must enable it on all the bridges in the s...

Страница 228: ...is enabled on ports 6 and 8 in VLAN 2 and port 4 in VLAN 1 Configuring Backbone Fast Convergence To enable or disable backbone fast convergence use the following command set spantree backbonefast ena...

Страница 229: ...ll VLANs DWS 1008 show spantree uplinkfast VLAN port list 1 1 fwd 2 3 In this example ports 1 2 and 3 provide redundant links to the network core Port 1 is forwarding traffic The remaining ports block...

Страница 230: ...mauve type the following command DWS 1008 show spantree vlan mauve VLAN 3 Spanning tree mode Spanning tree type Spanning tree enabled PVST IEEE Designated Root 00 02 4a 70 49 f7 Designated Root Prior...

Страница 231: ...rately for each VLAN To display the STP port cost of port 1 type the following command DWS 1008 show spantree portvlancost 1 port 1 VLAN 1 have path cost 19 Displaying Blocked STP Ports To display inf...

Страница 232: ...o This scenario configures a VLAN named backbone for a switch s connections to the network backbone adds ports 7 and 8 to the VLAN and enables STP on the VLAN to prevent loops 1 Remove the network cab...

Страница 233: ...ify the change Type the following commands DWS 1008 set spantree enable vlan backbone success change accepted DWS 1008 show spantree vlan 10 VLAN 10 Spanning tree mode PVST Spanning tree type IEEE Spa...

Страница 234: ...5 Wait for STP to complete the listening and learning stages and converge then verify that STP is operating properly and blocking one of the ports in the backbone VLAN Type the following command DWS 1...

Страница 235: ...supports IGMP versions 1 and 2 Disabling or Reenabling IGMP Snooping IGMP snooping is enabled by default To disable or reenable the feature use the following command set igmp enable disable vlan vlan...

Страница 236: ...r to respond to a group specific query message before removing the receiver from the receiver list for the group Note The query interval other querier present interval and query response interval are...

Страница 237: ...the following command set igmp qri tenth seconds vlan vlan id You can specify a value from 1 through 65 535 tenths of a second The default is 100 tenths of a second 10 seconds Changing the Last Member...

Страница 238: ...u can specify 1 through 65 535 seconds The default is 30 seconds Configuring Static Multicast Ports A DWS 1008 switch learns about multicast routers and receivers from multicast traffic it receives fr...

Страница 239: ...rt list enable disable Displaying Multicast Information You can use the CLI to display the following IGMP snooping information Multicast configuration information and statistics Multicast queriers Mul...

Страница 240: ...5 10 10 10 13 00 02 04 06 08 0d 258 237 255 255 255 5 10 10 10 14 00 02 04 06 08 0e 258 237 255 255 255 5 10 10 10 12 00 02 04 06 08 0c 258 237 255 255 255 5 10 10 10 10 00 02 04 06 08 0a 258 Querier...

Страница 241: ...the following command show igmp querier vlan vlan id To display querier information for VLAN orange type the following command DWS 1008 show igmp querier vlan orange Querier for vlan orange Port Quer...

Страница 242: ...pecific group or set of groups For example to display receivers for multicast groups 237 255 255 1 through 237 255 255 255 in all VLANs type the following command DWS 1008 show igmp receiver table gro...

Страница 243: ...erver in which confidential salary information is stored D Link provides a very powerful mapping application for security ACLs In addition to being assigned to physical ports VLANs virtual ports in a...

Страница 244: ...does not contain at least one ACE that permits access no traffic is allowed Plan your security ACL maps to ports VLANs virtual ports and Distributed APs so that only one security ACL filters a given f...

Страница 245: ...user group Individual user attribute attr filter id acl name in or attr filter id acl name out is configured on the individual user SSID default attr filter id acl name in or attr filter id acl name o...

Страница 246: ...ic Routing Encapsulation GRE packets from source IP address 192 168 1 11 to destination IP address 192 168 1 15 with a precedence level of 0 routine and a type of service TOS level of 0 normal GRE is...

Страница 247: ...AP The table below shows the results of CoS priorities you assign in security ACLs WMM Priority Desired CLI CoS Value to Enter Background 1 or 2 Best effort 0 or 3 Video 4 or 5 Voice 6 or 7 AP forwar...

Страница 248: ...y acl ip acl 3 permit icmp 192 168 1 3 0 0 0 0 192 168 1 4 0 0 0 0 type 11 code 0 precedence 7 tos 12 before 1 hits The before 1 portion of the ACE places it before any others in the ACL so it has pre...

Страница 249: ...p addr mask any operator port port2 precedence precedence tos tos dscp codepoint established before editbuffer index modify editbuffer index hits For example the following command permits packets sent...

Страница 250: ...ed ACL is created in the edit buffer If the ACL exists but is not in the edit buffer the ACL reverts or is rolled back to the state when its last ACE was committed but it now includes the new ACE Comm...

Страница 251: ...rt To map an ACL see Mapping Security ACLs To display the mapped ACLs use the show security acl command without the editbuffer or info option Viewing the Edit Buffer The edit buffer enables you to vie...

Страница 252: ...11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable hits You can also view a specific security ACL For example to view acl 2 type the following command DWS 1008 show security acl...

Страница 253: ...the commit security acl command For example the following command deletes acl 99 from the edit buffer DWS 1008 clear security acl acl 99 To clear acl 99 from the configuration type the following comm...

Страница 254: ...local database To map a security ACL to a user session follow these steps 1 Create the security ACL For example to filter packets coming from 192 168 253 1 and going to 192 168 253 12 type the follow...

Страница 255: ...Security ACLs to Ports VLANs Virtual Ports or Distributed APs Security ACLs can be mapped to ports VLANs virtual ports and Distributed APs Use the following command set security acl map acl name vlan...

Страница 256: ...ts VLANs virtual ports or Distributed APS first display the mapping with show security acl map and then use clear security acl map to remove it This command removes the mapping but not the ACL For exa...

Страница 257: ...ays Add another ACE to a security ACL at the end of the ACE list See Adding Another ACE to a Security ACL Place an ACE before another ACE so it is processed before subsequent ACEs using the before edi...

Страница 258: ...destination IP any enable hits 2 To add another ACE to the end of acl violet type the following command DWS 1008 set security acl ip acl violet permit 192 168 123 11 0 0 0 255 hits 3 To commit the up...

Страница 259: ...it L4 Protocol 115 source IP 192 168 1 11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable hits 2 To add the deny ACE to acl 111 and place it first type the following commands DWS...

Страница 260: ...IP 192 168 253 11 0 0 0 0 destination IP any set security acl ip acl 2 hits 1 0 1 permit L4 Protocol 115 source IP 192 168 1 11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable h...

Страница 261: ...acl 2 hits 1 0 1 permit L4 Protocol 115 source IP 192 168 1 11 0 0 0 0 destination IP 192 168 1 15 0 0 0 0 precedence 0 tos 0 enable hits 2 To view a summary of the security ACLs for which you just c...

Страница 262: ...errides the CoS value assigned by the switch s QoS map To change CoS values using an ACL you must map the ACL to the outbound traffic direction on an AP port Distributed AP or user VLAN For example to...

Страница 263: ...Using the dscp Option The easiest way to filter based on DSCP is to use the dscp codepoint option The following commands remap IP packets from IP address 10 10 50 2 that have DSCP value 46 to have CoS...

Страница 264: ...ibuted AP 4 DWS 1008 set security acl ip acl2 permit cos 7 ip 10 10 50 2 0 0 0 0 10 10 90 0 0 0 0 255 precedence 5 tos 12 success change accepted DWS 1008 set security acl ip acl2 permit cos 7 ip 10 1...

Страница 265: ...or example when an AP receives traffic from its switch the AP classifies the traffic based on the IP ToS value in the IP header of the tunnel that is carrying the traffic By default the switch marks e...

Страница 266: ...p port list virtual port list Distributed AP or user glob You do not need to disable WMM support Enabling VoIP Support for TeleSym VoIP To enable VoIP support for TeleSym packets which use UDP port 33...

Страница 267: ...s configuration examples for WPA and for RSN WPA2 Configure a radio profile to manage the radios that will provide service for the voice SSID Configure a VLAN for the voice clients Configure a last re...

Страница 268: ...isable DWS 1008 set service profile vowlan wpa2 auth psk enable DWS 1008 set service profile vowlan wpa2 psk raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d Configuring a Service...

Страница 269: ...nd enable them The following commands modify the default radio profile for SVP phones DWS 1008 set radio profile default service profile vowlan wpa2 DWS 1008 set radio profile default dtim interval 3...

Страница 270: ...ue for priority forwarding If the VLAN will be shared by other clients you also need to add an ACE that permits the traffic that is not using IP protocol 119 Otherwise the switch drops this traffic Ev...

Страница 271: ...tch 2 with VLAN_B If a handset connected to switch 2 is placed in VLAN_A a tunnel is created between switch 1 and switch 2 If an ACL is mapped to VLAN_A out on switch 1 it will affect local clients bu...

Страница 272: ...r 2 forwarding see Restricting Layer 2 Forwarding Among Clients For example to restrict client to client forwarding within subnet 10 10 11 0 24 in VLAN vlan 1 with default router 10 10 11 8 perform th...

Страница 273: ...se every security ACL includes an implicit rule denying all traffic that is not permitted port 9 now accepts packets only from 192 168 1 1 and denies all other packets 5 To map acl 99 to user Natasha...

Страница 274: ...ertificates might not be installed correctly Why Use Keys and Certificates Certain switch operations require the use of public private key pairs and digital certificates All Web View users and users f...

Страница 275: ...Keys and Certificates Public private key pairs and digital signatures and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered You generate the key...

Страница 276: ...h the use of public key cryptography To have a PKI the switch requires the following A public key A private key Digital certificates A CA A secure place to store the private key A PKI enables you to s...

Страница 277: ...ts WebAAA certificate Used by the switch to authenticate itself to WebAAA clients who use a web page served by a switch to log onto the network Certificate authority CA certificates Used by the switch...

Страница 278: ...o request a digital certificate from a CA To generate the request use the crypto generate request command Copy and paste the results directly into a browser window on the CA server or into a file to s...

Страница 279: ...hen the certificate is generated Creating Keys and Certificates Public private key pairs and digital certificates are required for management access with Web View or for network access by 802 1X or We...

Страница 280: ...while the certificate comes from a trusted source CA This method requires generating the key pair creating a CSR and sending it to the CA cutting and pasting the certificate signed by the CA into the...

Страница 281: ...crypto generate key ssh 2048 command to generate one Note After you generate or install a certificate described in the following sections do not create the key pair again If you do the certificate mig...

Страница 282: ...following command copy tftp filename local filename 2 Enter a one time password OTP to unlock the PKCS 12 object file The password must be the same as the password protecting the PKCS 12 file The pass...

Страница 283: ...supported on your network The other information is optional For example DWS 1008 crypto generate request admin Country Name US State Name MI Locality Name Detroit Organizational Name example Organiza...

Страница 284: ...YgOY40 END CERTIFICATE Displaying Certificate and Key Information To display information about certificates installed on a switch use the following commands show crypto ca certificate admin eap web sh...

Страница 285: ...rameters if not already set 2 Generate public private key pairs DWS 1008 crypto generate key admin 1024 key pair generated DWS 1008 crypto generate key eap 1024 key pair generated DWS 1008 crypto gene...

Страница 286: ...B Validity Not Before Oct 19 01 57 13 2004 GMT Not After Oct 19 01 57 13 2005 GMT DWS 1008 show crypto certificate eap Certificate Version 3 Serial Number 999 0x3e7 Subject C US ST CA L PLEAS O DLINK...

Страница 287: ...d 2048admn p12 20481x p12 and 2048web p12 from the TFTP server at the address 192 168 253 1 type the following commands DWS 1008 copy tftp 192 168 253 1 2048admn p12 2048admn p12 success received 637...

Страница 288: ...12 file keypair device certificate CA certificate Note MSS erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command Installing CA Signed Certificates Using...

Страница 289: ...BJgqBsCZz4DP00 END CERTIFICATE REQUEST 4 Copy the CSR into the CA s application Note You must paste the entire block from the beginning BEGIN CERTIFICATE REQUEST to the end END CERTIFICATE REQUEST 5 T...

Страница 290: ...lp authenticate the switch s Admin certificate type the following command to display a prompt DWS 1008 crypto ca certificate admin Enter PEM encoded certificate 13 Paste the CA s signed certificate un...

Страница 291: ...cluding VLAN membership Optionally you also can configure accounting rules to track network access information The following sections describe the MSS authentication authorization and accounting AAA f...

Страница 292: ...e over IP VoIP phone and the SSID if wireless do match a MAC authentication rule MSS checks the RADIUS server group or local database for matching user information If the MAC address and password if o...

Страница 293: ...he SSID This value is a wildcard that matches on any SSID string requested by the user For 802 1X and WebAAA rules that match on SSID any MSS checks the RADIUS servers or local database for the userna...

Страница 294: ...configured in the local database no password is required However since RADIUS requires a password if the last resort wired user is on the RADIUS server MSS checks for a password The default well known...

Страница 295: ...e if specified Time of Day Day s and time s during which the user is permitted to log into the network URL URL to which the user is redirected after successful WebAAA VLAN Name VLAN to place the user...

Страница 296: ...etwork users without 802 1X support can be authenticated by the MAC addresses of their devices If neither 802 1X nor MAC authentication apply to the user they can still be authenticated by a fallthru...

Страница 297: ...example you might group all users on the first floor of building 17 into the group bldg 17 1st floor or group all users in the IT group into the group infotech people AAA Methods for IEEE 802 1X and W...

Страница 298: ...ching username entry in the local database the switch tries the next RADIUS server group method This exception is referred to as local override If the local database is the last method in the list how...

Страница 299: ...h Message Digest Algorithm 5 Authentication algorithm that uses achallenge response mechanism to compare hashes Wired authentication only 1 This protocol provides no encryption or key establishment EA...

Страница 300: ...he clients also need certificates Offload The switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client In this case the switch needs a di...

Страница 301: ...S examines each command in the configuration file in strict configuration order 2 The first command whose SSID and user glob matches the SSID and incoming username is used to process this authenticati...

Страница 302: ...set authentication dot1x ssid ssid name wired user glob bonded protocol local For example the following command authenticates 802 1X user Jose for wired authentication access via the local database DW...

Страница 303: ...or the RADIUS Session Timeout parameter is applicable the user must log in before the 802 1X reauthentication timeout or the RADIUS session timeout for the machine s session expires Normally these par...

Страница 304: ...sion in the table However since the user s authentication rule contains the bonded option MSS remembers that the machine was authenticated If a Bonded Auth user s session is ended due to 802 1X reauth...

Страница 305: ...tion of all users at mycorp com mycorp com Both rules use pass through as the protocol and use RADIUS server group radgrp1 DWS 1008 set authentication dot1x ssid mycorp host laptop mycorp com pass thr...

Страница 306: ...ion rule The bonded option applies only to the authentication rules for users not the authentication rules for machines Configuring Authentication and Authorization by MAC Address You must sometimes a...

Страница 307: ...C user group called mac easters with a 3000 second Session Timeout value type the following command DWS 1008 set mac usergroup mac easters attr session timeout 3000 success change accepted To configur...

Страница 308: ...If the switch s configuration does not contain a set authentication mac command that matches a non 802 1X client s MAC address MSS tries MAC authentication by default You can also glob MAC addresses F...

Страница 309: ...d password The default password is dlink Note Before setting the outbound authorization password for a RADIUS server you must have set the address for the RADIUS server For more information see Config...

Страница 310: ...which is used by default You can add custom login pages to the switch s nonvolatile storage and configure MSS to serve those pages instead How Web Portal WebAAA Works 1 A WebAAA user attempts to acce...

Страница 311: ...server has a record for the requested URL the request is successful and the switch serves a web login page to the client However if the DNS request is unsuccessful the switch displays a message infor...

Страница 312: ...ed DNS server If users will roam from the switch where they connect to the network to other switches the system IP addresses of the switches should not be in the web portal VLAN Although the SSID s de...

Страница 313: ...rt to web portal The ACL is mapped to wireless Web Portal users through the service profile When you set the fallthru authentication type on a service profile to web portal portalacl is set as the Web...

Страница 314: ...ser is authenticated and authorized map an ACL to the individual WebAAA user Changes you make to the ACL mapped to the service profile or web portal wired user do not affect user access after authenti...

Страница 315: ...d on the service profile where it is set by the attr vlan name vlan id option or web portal wired user where it is set to default MSS ignores the VLAN Name and Tunnel Private Group ID attributes Howev...

Страница 316: ...rsn ie enable success change accepted DWS 1008 set service profile mycorp srvcprof cipher ccmp enable success change accepted 3 Display the service profile to verify the changes DWS 1008 show service...

Страница 317: ...at 2006 6 13 13 27 07 Image 5 0 0 0 62 Model DWS 1008 Last change occurred at 2006 6 13 13 24 46 set service profile mycorp srvcprof ssid name mycorp set service profile mycorp srvcprof auth fallthru...

Страница 318: ...ame and is flagged with an asterisk The asterisk indicates that the user has completed authentication and authorization The session for web portal mycorp indicates that a WebAAA user is on the network...

Страница 319: ...to wired authentication users you must create a web subdirectory and save the custom page in this directory MSS uses the following process to find the login page to serve to a user If the user is atte...

Страница 320: ...and temporary radio profile Use the last command to map the temporary radio profile with the disabled radio and enable the radio Note If the radio you plan to use is already in service first you will...

Страница 321: ...emporary service profile to it DWS 1008 set radio profile temprad service profile tempsrvc success change accepted c Map a radio to the temporary radio profile and enable it DWS 1008 set ap 2 radio 1...

Страница 322: ...e a new subdirectory for the customized page The files must be on a TFTP server that the switch can reach over the network DWS 1008 mkdir mycorp webaaa success change accepted 8 Copy the files for the...

Страница 323: ...ter q The literal character You can configure a redirect URL for a group of users or for an individual user For example the following command configures a redirect URL containing a variable for the us...

Страница 324: ...0 255 255 255 255 capture 2 Add the additional rules required for your application For example if you want to redirect users to a credit card server add the ACEs to do so 3 Add the last rule contained...

Страница 325: ...e Web Portal WebAAA session enters the Active state The Web Portal WebAAA session is terminated administratively The Web Portal WebAAA session timeout period expires at which time the Web Portal WebAA...

Страница 326: ...les and wired authentication ports that have the fallthru authentication type set to last resort The authentication method for last resort is always local MSS does not use RADIUS for last resort authe...

Страница 327: ...lue none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 WEP Multicast Index 1 Shared Key Auth NO WPA and RSN enabled ciphers cipher tkip cipher ccmp cipher wep40 authentication 802 1X T...

Страница 328: ...sed 3 The AP acting as a RADIUS client sends a RADIUS access request to the switch The access request includes the SSID the user s MAC address and the username 4 For 802 1X users the AP uses 802 1X to...

Страница 329: ...ing station id that includes the user s MAC address The MAC address can be in any of the following formats Separated by colons for example AA BB CC DD EE FF Separated by dashes for example AA BB CC DD...

Страница 330: ...he following command set port type wired auth port list tag tag list max sessions num auth fall thru last resort none web portal Configure a MAC authentication rule for the AP Use the following comman...

Страница 331: ...switch on a wired authentication port the wired option is used DWS 1008 set authentication mac wired aa bb cc 01 01 01 srvrgrp1 success change accepted The following command maps SSID mycorp to packe...

Страница 332: ...configure username web portal wired or last resort wired depending on the fallthru authentication type specified for the wired authentication port Assigning Authorization Attributes Authorization att...

Страница 333: ...on with time of day filter id network access mode only Security access control list ACL to permit or deny traffic received input or sent output by the switch Name of an existing security ACL up to 253...

Страница 334: ...ept Callback Framed but you cannot select this access type in MSS session timeout network access mode only Maximum number of seconds for the user s session Number between 0 and 4 294 967 296 seconds a...

Страница 335: ...onday and Friday Separate values or a series of ranges except time ranges with commas or a vertical bar Do not use spaces The maximum number of characters is 253 For example to allow access only on Tu...

Страница 336: ...es to Users and Groups You can assign authorization attributes to individual users or groups of users Use any of the following commands to assign an attribute to a user or group in the local database...

Страница 337: ...ight be configured with the service type attribute set to 2 If a user accessing the SSID is authenticated by a RADIUS server and the RADIUS server returns the vlan name attribute set to orange then th...

Страница 338: ...user username attr filter id acl name in set mac user username attr filter id acl name out Group of users authenticated by a MAC address set mac usergroup groupname attr filter id acl name in set mac...

Страница 339: ...s configuration on a RADIUS server see the documentation for your RADIUS server Assigning Encryption Types to Wireless Users When a user turns on a wireless laptop or PDA the device attempts to find...

Страница 340: ...ed Equivalent Privacy protocol using 104 bits of key strength WEP_ 104 This is the default 16 Wired Equivalent Privacy protocol using 40 bits of key strength WEP_ 40 32 No encryption 64 Static WEP For...

Страница 341: ...n that switch Location Policy means the VLAN is assigned by a location policy on the roamed to switch The VLAN is assigned by the vlan vlan id option of the set location policy permit command AAA mean...

Страница 342: ...LAN and applies optional user attributes such as a session timeout value and one or more security ACL filters A location policy is a set of rules that enables you to locally set or change authorizatio...

Страница 343: ...w the Location Policy Differs from a Security ACL Although structurally similar the location policy and security ACLs have different functions The location policy on a switch can be used to locally re...

Страница 344: ...kiosk_1 DWS 1008 set location policy permit vlan kiosk_1 if ssid eq tempvendor_a success change accepted Applying Security ACLs in a Location Policy Rule When reassigning security ACL filters specify...

Страница 345: ...c inacl tac_24 in if user eq ny ourfirm com 4 permit inacl svcs_2 in outacl svcs_3 out if vlan eq bldg4 To move the first rule to the end of the list and display the results type the following command...

Страница 346: ...owing command set accounting admin console dot1x mac web last resort ssid ssid name wired user glob mac addr glob start stop stop only method1 method2 method3 method4 For example to store start stop a...

Страница 347: ...n the switch is adminstratively shut down To do this use the following command set accounting system method1 method2 method3 method4 For example the following command causes Accounting On and Accounti...

Страница 348: ...ccounting statistics commands on each switch involved in the roaming you can determine the user s movements between switches when accounting is configured locally The user started on DL 0013 DWS 0013...

Страница 349: ...Displaying the AAA Configuration To view the results of the AAA commands you have set and verify their order type the show aaa command The order in which the commands appear in the output determines t...

Страница 350: ...appears in the configuration before a rule that matches on a specific SSID for the same authentication type and userglob the rule with any always matches first To ensure the authentication behavior th...

Страница 351: ...g dot1x ssid mycorp start stop group1 success change accepted You then set up PEAP MS CHAP V2 authentication and authorization for all users at EXAMPLE at server group 1 Finally you set up PEAP MS CHA...

Страница 352: ...set accounting dot1x ssid mycorp EXAMPLE start stop group1 success change accepted DWS 1008 set authentication dot1x ssid mycorp EXAMPLE peap mschapv2 group1 success change accepted DWS 1008 set accou...

Страница 353: ...ocally Type the following command DWS 1008 set accounting dot1x ssid mycorp EXAMPLE stop only local success change accepted 3 Configure an ACL to filter the inbound packets for each user at EXAMPLE Ty...

Страница 354: ...following command DWS 1008 show aaa Default Values authport 1812 acctport 1813 timeout 5 acct timeout 5 retrans 3 deadtime 0 key null author pass null Radius Servers Server Addr Ports T o Tries Dead S...

Страница 355: ...aved Enabling PEAP MS CHAP V2 Authentication The following example illustrates how to enable local PEAP MS CHAP V2 authentication for all 802 1X network users This example includes local usernames pas...

Страница 356: ...entication dot1x ssid thiscorp peap mschapv2 sg1 4 Save the configuration DWS 1008 save config success configuration saved Combining EAP Offload with Pass Through Authentication The following example...

Страница 357: ...want to tunnel these users back to building A from building B when they use their wireless laptops in class you configure the location policy on the switch to redirect them to the bldgb eng VLAN You...

Страница 358: ...then set up communication between the switch and each RADIUS server group Configuring RADIUS Servers An authentication server authenticates each client with access to a switch port before making avail...

Страница 359: ...time For failover authentication or authorization to work promptly D Link recommends that you change the dead time to a value other than 0 With the default setting the dead time is never invoked and M...

Страница 360: ...ce interface address based on information in its routing table as the RADIUS client address Configuring Individual RADIUS Servers You must set up a name and IP address for each RADIUS server To config...

Страница 361: ...on and set accounting commands Subsequently you can change the members of a group or configure load balancing If you add or remove a RADIUS server in a server group all the RADIUS dead timers for that...

Страница 362: ...failed search of the database by sending a request to the following RADIUS server group This exception is called local override Configuring Load Balancing You can configure the switch to distribute a...

Страница 363: ...and accepts any RADIUS servers as the current set of servers To change the server members you must reenter all of them For example to add RADIUS server coot to server group shorebirds 1 Determine the...

Страница 364: ...1 1812 1813 5 3 0 UP coot 192 168 253 4 1812 1813 5 3 0 UP egret 192 168 253 2 1812 1813 5 3 0 UP Server groups RADIUS and Server Group Configuration Scenario The following example illustrates how to...

Страница 365: ...command DWS 1008 set server group shorebirds load balance enable 6 Display the configuration Type the following command DWS 1008 show aaa Default Values authport 1812 acctport 1813 timeout 5 acct time...

Страница 366: ...t 802 1X authentication is enabled for wired authenticated ports but you can disable it You can also set the port to unconditionally authorize or unconditionally reject all users Enabling and Disablin...

Страница 367: ...s set to FORCE UNAUTH The set dot1x port control command is overridden by the set dot1x authcontrol command The clear dot1x port control command returns port control to the default auto value Type the...

Страница 368: ...The default is 5 seconds The range for the retransmission interval is from 1 to 65 535 seconds For example type the following command to set the retransmission interval to 300 seconds DWS 1008 set dot...

Страница 369: ...rekeying for broadcast and multicast keys DWS 1008 set dot1x wep rekey disable success wep rekeying disabled Note Reauthentication is not required for using this command Broadcast and multicast keys...

Страница 370: ...of the following timeouts Supplicant timeout configured by the set dot1x timeout supplicant command RADIUS session timeout attribute If both of these timeouts are set MSS uses the shorter of the two I...

Страница 371: ...comes unauthorized set dot1x reauth max number of attempts The default number of reauthentication attempts is 2 You can specify from 1 to 10 attempts For example type the following command to set the...

Страница 372: ...DWS 1008 set dot1x reauth period 100 success dot1x auth server timeout set to 100 Type the following command to reset the default timeout period DWS 1008 clear dot1x reauth period success change accep...

Страница 373: ...iod to 300 seconds DWS 1008 set dot1x quiet period 300 success dot1x quiet period set to 300 Type the following command to reset the 802 1X quiet period to the default DWS 1008 clear dot1x quiet perio...

Страница 374: ...lays the username MAC address VLAN and state of active 802 1X clients show dot1x config displays a summary of the current configuration show dot1x stats displays global 802 1X statistical information...

Страница 375: ...rekey period 1800 WEP rekey enabled Bonded period 60 port 4 authcontrol auto max sessions 1 port 5 authcontrol auto max sessions 16 port 6 authcontrol auto max sessions 1 port 8 authcontrol auto max s...

Страница 376: ...g that an anti virus product is running with up to date virus definitions Ensuring that a personal firewall is active Checking that service pack levels are met Ensuring that critical patches are insta...

Страница 377: ...ndpoint Security Support DWS 1008 switches support SODA endpoint security functionality in the following ways SODA agent applets can be uploaded to a switch stored there and downloaded by clients atte...

Страница 378: ...n page where he or she enters a username and password 4 The user is redirected to a page called index html which exists in the SODA agent directory on the switch 5 The redirection to the index html pa...

Страница 379: ...functionality for the service profile See Enabling SODA Functionality for the Service Profile 6 Specify whether to require clients to pass SODA agent checks to gain access to the network optional See...

Страница 380: ...work When a SODA agent is created by pressing the Apply button in SODA Manager a subdirectory called On DemandAgent is created in the C Program Files Sygate Sygate On Demand directory You place the co...

Страница 381: ...Switch After creating the SODA agent with SODA manager you copy the zip file to the switch using TFTP For example the following command copies the soda ZIP file from a TFTP server to the switch DWS 10...

Страница 382: ...SODA agent checks are downloaded to a client and run before the client is allowed on the network You can optionally disable the enforcement of the SODA security checks so that the client is allowed ac...

Страница 383: ...ccess html which is a file in the root directory on the switch as the page to load when a client passes the SODA agent checks DWS 1008 set service profile sp1 soda success page success html success ch...

Страница 384: ...ACL to apply to the client when the failure page is loaded The remediation ACL can be used to grant the client limited access to network resources for example To specify a remediation ACL to be appli...

Страница 385: ...ch to the DNS server as a well known name and you can advertise the URL of the page to users as a logout page For example the following command specifies logout html which is a file in the root direct...

Страница 386: ...accepted Uninstalling the SODA Agent Files from the Switch To remove the directory on the switch that contains SODA agent files use the following command uninstall soda agent agent directory directory...

Страница 387: ...OS no COS 0 CAC mode none CAC sessions 14 User idle timeout 180 Idle client probing yes Keep initial vlan no Web Portal Session Timeout 5 Web Portal ACL WEP Key 1 value none WEP Key 2 value none WEP K...

Страница 388: ...user with administrative access to the switch use the following command show sessions admin console telnet client You can view all administrative sessions or only the sessions of administrators with a...

Страница 389: ...Telnet Sessions To view information about administrative Telnet sessions type the following command DWS 1008 show sessions telnet Tty Username Time s Type tty3 sshadmin 2099 SSH 1 telnet session To cl...

Страница 390: ...dio EXAMPLE wong 5 192 168 12 100 vlan eng 3 1 jose example com 5125 192 168 12 141 vlan eng 1 1 00 30 65 16 8d 69 4385 192 168 19 199 vlan wep 3 1 761 00 0b be 15 46 56 none 1 2 763 00 02 2d 02 10 f5...

Страница 391: ...5 16 8d 69 4385 192 168 19 199 vlan wep 3 1 Client MAC 00 10 65 16 8d 69 GID SESS 4385 000430 842879 bf7a7 State ACTIVE prev AUTHORIZED now on 192 168 12 7 port 3 AP radio 0222900129 1 as of 00 40 45...

Страница 392: ...ession information about nin example com DWS 1008 show sessions network user nin example com verbose User Sess IP or MAC VLAN Port Name ID Address Name Radio nin example com 5 192 168 12 141 vlan eng...

Страница 393: ...to clear all sessions for MAC address 00 01 02 04 05 06 type the following command DWS 1008 clear sessions network mac addr 00 01 02 04 05 06 Displaying and Clearing Network Sessions by VLAN Name You...

Страница 394: ...ACTIVE SSID Rack 39 PM Port Radio 10 1 MAC Address 00 0f 66 f4 71 6d User Name last resort Rack 39 PM IP Address 10 2 39 217 Vlan Name default Tag 1 Session Start Wed Apr 12 21 19 27 2006 GMT Last Aut...

Страница 395: ...time the client sends data or responds to a keepalive probe MSS resets the idle timer to 0 for the client However if the client remains idle for the period of the idle timer MSS changes the client s...

Страница 396: ...ially allowing unchallenged access to the network by any wireless user or client in the physical vicinity Rogue access points and users can also interfere with the operation of your enterprise network...

Страница 397: ...he Organizationally Unique Identifier OUI which is the first three bytes of the equipment s MAC address MSS generates a message if an AP or wireless client with an OUI that is not on the list is detec...

Страница 398: ...ns is true High priority traffic voice or video is present at 64 Kbps or higher In this case active scan scans for 30 msec every 60 seconds Heavy data traffic is present at 4 Mbps or higher In this ca...

Страница 399: ...allow on the network An OUI is the first three octets of a MAC address and uniquely identifies an AP s or client s vendor Yes No Permitted SSID list List of SSIDs allowed on the network MSS can issue...

Страница 400: ...he permitted vendor list merely indicates that the device is from an allowed vendor However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore l...

Страница 401: ...ce as a rogue Adding an entry to the permitted SSID list merely indicates that the device is using an allowed SSID However to cause MSS to stop classifying the device as a rogue you must add the devic...

Страница 402: ...mmand set rfdetect black list mac addr The following command adds client MAC address 11 22 33 44 55 66 to the black list DWS 1008 set rfdetect black list 11 22 33 44 55 66 success MAC 11 22 33 44 55 6...

Страница 403: ...ity to the wired network are not attacked To add an entry to the attack list use the following command set rfdetect attack list mac addr The following command adds MAC address aa bb cc 44 55 66 to the...

Страница 404: ...ice as a rogue you must add the device s MAC address to the ignore list To add a device to the ignore list use the following command set rfdetect ignore mac addr The mac addr is the BSSID of the devic...

Страница 405: ...es specified in the attack list on the switch on demand countermeasures When this option is used devices found to be rogues by other means such as policy violations or by determining that the device i...

Страница 406: ...bits in a management frame sent by an AP that identifies that AP to MSS If someone attempts to spoof management packets from a D Link AP MSS can detect the spoof attempt AP signatures are disabled by...

Страница 407: ...a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests The threshold for triggering a flood message is 100 frames of the same type from the same MAC...

Страница 408: ...f so many SSIDs and BSSIDs and thus interferes with the clients ability to connect to valid APs This type of attack can also interfere with RF Auto Tuning when an AP is trying to adjust to its RF neig...

Страница 409: ...rmitted vendor list MSS generates a message if an AP or wireless client with an OUI that is not on the list is detected Client black list MSS prevents clients on the list from accessing the network th...

Страница 410: ...ding disassociate request flood on port 2 Weak WEP initialization vector IV Client aa bb cc dd ee ff is using weak wep initialization vector Seen by AP on port 2 radio 1 on channel 11 with RSSI 53 Dec...

Страница 411: ...tener aa bb cc dd ee fd port 2 radio 1 channel 11 with RSSI 53 Client from disallowed vendor detected Client Mac aa bb cc dd ee ff is not part of vendor list Detected by listener aa bb cc dd ee fd por...

Страница 412: ...nts detected by a DWS 1008 switch s APs DWS 1008 show rfdetect clients Total number of entries 30 Client MAC Client AP MAC AP Port Radio NoL Type Last Vendor Vendor Channel seen 00 03 7f bf 16 70 Unkn...

Страница 413: ...type d flood 0 0 802 11 mgmt type e flood 0 0 802 11 mgmt type f flood 0 0 802 11 association flood 0 0 802 11 reassociation flood 0 0 802 11 disassociation flood 0 0 Weak wep initialization vectors...

Страница 414: ...6 i w 82 6 r116 00 09 b7 7b 8a 54 Cisco intfr 3 1 2 i 57 6 Displaying the APs Detected by an AP Radio To display the APs detected by an AP radio use any of the following commands show rfdetect visible...

Страница 415: ...llowing command show rfdetect countermeasures This command is valid only on the network s seed switch DWS 1008 show rfdetect countermeasures Total number of entries 190 Rogue MAC Type Countermeasures...

Страница 416: ...on file A DWS 1008 switch can also contain temporary files with trace information used for troubleshooting Temporary files are not stored in nonvolatile memory but are listed when you display a direct...

Страница 417: ...F W2 5 6 S W 4 1 0 67_072105_0432__AP BOOT S W 4 0 3 15_062705_0107__AP Displaying Boot Information Boot information consists of the MSS version and the names of the system image file and configuratio...

Страница 418: ...ded on the switch you can configure the switch to load image B the next time the switch is booted When the switch is reset if image B fails to load the switch then attempts to load image A the last im...

Страница 419: ...ile testback 28 KB Apr 19 2005 16 37 18 Total 159 Kbytes used 207663 Kbytes free Boot Filename Size Created boot0 mx040100 020 9780 KB Aug 23 2005 15 54 08 boot1 mx040100 020 9796 KB Aug 28 2005 21 09...

Страница 420: ...2005 40 KB May 09 2005 21 08 30 file sysa_bak 12 KB Mar 15 2005 19 18 44 file testback 28 KB Apr 19 2005 16 37 18 Total 159 Kbytes used 207663 Kbytes free The following command limits the output to th...

Страница 421: ...ddr filename URL refers to a file on a TFTP server If DNS is configured on the switch you can specify a TFTP server s hostname as an alternative to specifying the IP address The tmp filename URL refer...

Страница 422: ...e To rename the file when copying it type the following command DWS 1008 copy tftp 10 1 1 1 newconfig mxconfig success received 637 bytes in 0 253 seconds 2517 bytes sec To copy system image MX010101...

Страница 423: ...y the image onto the switch s nonvolatile storage 2 On the switch use the dir command to display the contents of nonvolatile storage 3 Enter a command such as the following to calculate the checksum f...

Страница 424: ...S 1008 copy testconfig tftp 10 1 1 1 testconfig success sent 365 bytes in 0 401 seconds 910 bytes sec DWS 1008 delete testconfig success file deleted Creating a Subdirectory You can create subdirector...

Страница 425: ...n the software is rebooted You also can load a configuration file while the switch is running to change the switch s configuration When you enter CLI commands to make configuration changes these chang...

Страница 426: ...tart first sun apr 2 0 end last sun oct 2 0 set system name DWS 1008 set system countrycode US set system contact trapeze pubs set radius server r1 address 192 168 253 1 key sunflower set server group...

Страница 427: ...ved To save the running configuration to a file named newconfig type the following command DWS 1008 save config newconfig success configuration saved to newconfig Specifying the Configuration File to...

Страница 428: ...y MSS replaces the running configuration with the configuration in the newconfig file If you type n MSS does not load the newconfig file and the running configuration remains unchanged Specifying a Ba...

Страница 429: ...on file that the switch searches for after the software is rebooted To back up the current configuration file named configuration and reset the switch to the factory default configuration type the fol...

Страница 430: ...the same files as the critical option and all files in the user files area of nonvolatile storage The user files area contains the set of files listed in the file section of dir command output Archiv...

Страница 431: ...the switch If instead you want to replace the configuration restored from the archive with the running configuration use the save config command to save the running configuration to the boot configur...

Страница 432: ...t has been backed up use the following command restore system tftp ip addr filename all critical force Note If you have made configuration changes but have not saved the changes use the save config co...

Страница 433: ...After an AP restarts it checks the version of the new AP boot image to make sure the boot image is newer than the boot image currently installed on the AP If the boot image is newer the AP completes...

Страница 434: ...See Setting the Time Zone 2 Use set timedate to configure the current time and date in that time zone See Statically Configuring the System Time and Date 3 Reconfiguretheadministrativecertificate s S...

Страница 435: ...t one of the ports in a VLAN must have a physical link to the network for the VLAN to be connected Recovering the System When the Enable Password is Lost To recover a DWS 1008 switch use the following...

Страница 436: ...omponents Field Description Facility Portion of MSS that is affected Date Time and date the message is generated Severity Severity level of the message Tag Identifier for the message Message Descripti...

Страница 437: ...buffer Trace is enabled and shows debug output Specifying a severity level sends log messages for events or conditions at that level or higher to the logging destination The table below lists the seve...

Страница 438: ...view log entries in the system or trace buffer use the following command show log buffer trace To clear log messages from the system or trace buffer use the following command clear log buffer trace T...

Страница 439: ...g command displays all messages at the error severity level or higher DWS 1008 show log buffer severity error SYS Jun 02 17 41 35 176214 ERROR nos_vms_port add Failed to set default vlan v1 an 4096 fo...

Страница 440: ...le the typing disables log output to the console until you press the Enter key Logging Messages to a Syslog Server To send event messages to a syslog server use the following command set log server ip...

Страница 441: ...sessions and change the default event severity level use the following command set log sessions severity severity level enable To disable session logging use the following command set log sessions di...

Страница 442: ...system time and date D Link can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred Mark messages are disabled by default When...

Страница 443: ...ord such as authentication or sm to trace activity for a particular feature such as authentication or the session manager Caution Using the set trace command can have adverse effects on system perform...

Страница 444: ...or port For example to trace all session manager sm activity at level 3 type the following command DWS 1008 set trace sm level 3 success change accepted Tracing Authorization Activity Tracing authoriz...

Страница 445: ...ng mechanism to deliver trace messages Trace messages are generated with the debug severity level By default the only log target that receives debug level messages is the volatile trace buffer The vol...

Страница 446: ...RNEL AAA SYSLOGD ACL APM ARP ASO BOOT CLI CLUSTER CRYPTO DOT1X ENCAP ETHERNET GATEWAY HTTPD IGMP IP MISC NOSE NP RAND RESOLV RIB ROAM ROGUE SM SNMPD SPAN STORE SYS TAGMGR TBRIDGE TCPSSL TELNET TFTP TL...

Страница 447: ...itch you can use show commands to display information about different areas of the MSS The following commands can provide helpful information if you are experiencing MSS performance issues Viewing VLA...

Страница 448: ...o Tries Dead State SQA2BServer 11 1 1 11 1812 1813 5 3 5 UP SideShow 192 168 0 21 1812 1813 5 3 0 UP Server groups sg1 SideShow SQA SQA2BServer set authentication dot1x xmpl com pass through sg1 set a...

Страница 449: ...0 04 30 CPU ALL Total Matching FDB Entries Displayed 32 dynamic 27 static 0 permanent 0 system 5 Viewing ARP Information The show arp command displays the ARP aging timer and ARP entries in the system...

Страница 450: ...raffic use the following command DWS 1008 set port 1 observer 2 Attach a protocol analyzer to the observer port in this example port 2 Displaying the Port Mirroring Configuration To display the port m...

Страница 451: ...switch or the AP is restarted the filter is disabled To continue using the filter you must enable it again Using Snoop Filters on Radios That Use Active Scan When active scan is enabled in a radio pro...

Страница 452: ...er is not present the AP still sends the snoop packets which use bandwidth If the observer is present but is not listening to TZSP traffic the observer continuously sends ICMP error indications back t...

Страница 453: ...q equal to match only on traffic that matches the condition value Use neq not equal to match only on traffic that is not equal to the condition value The src mac dest mac and host mac conditions also...

Страница 454: ...snoop filter use the following command clear snoop filter name Mapping a Snoop Filter to a Radio You can map a snoop filter to a radio on a Distributed AP To map a snoop filter to a radio use the fol...

Страница 455: ...s for All Radios To display all snoop filter mappings use the following command DWS 1008 show snoop Dap 3 Radio 2 snoop1 snoop2 Dap 2 Radio 2 snoop2 Removing Snoop Filter Mappings To remove a snoop fi...

Страница 456: ...e the filter to place it back into effect The following command enables snoop filter snoop1 and configures the filter to stop after 5000 packets match the filter DWS 1008 set snoop snoop1 mode enable...

Страница 457: ...obtain Netcat through the following link http www vulnwatch org netcat If the observer is a PC you can use a Tcl script instead of Netcat if preferred 1 Install the required software on the observer...

Страница 458: ...data encryption used by AP radios 6 Enable the snoop filter on the AP using the following command set snoop filter name all mode enable stop after num pkts disable 7 Stop the Ethereal capture and vie...

Страница 459: ...rashes the switch generates a core file in the temporary file area The name of the file indicates the system area where the problem occurred Core files are saved in tarball tar format Core files are e...

Страница 460: ...omplete DWS 1008 dir file Filename Size Created core netsys core 217 tar 560 KB May 06 2005 21 48 33 file configuration 48 KB Jul 12 2005 15 02 32 file sysa_bak 12 KB Mar 15 2005 19 18 44 Total 620 Kb...

Страница 461: ...nternet Options to display the Internet Options dialog box 2 Select the Advanced tab 3 Scroll to the bottom of the list of options and select the TLS 1 0 SSL 2 0 or SSL 3 0 option to enable it 4 Click...

Страница 462: ...ession or for all web management sessions After you accept the certificate the browser might display another dialog asking whether you want to view the certificate You can view the certificate or cont...

Страница 463: ...865 Remote Authentication Dial in User Service RADIUS RFC 2866 RADIUS Accounting RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS Extensions draft congdon radius 8021x 29 txt IEE...

Страница 464: ...cannot select this access type in MSS Filter Id 11 Yes No Optional Name of an access control list ACL to filter outbound or inbound traffic Use the form ACL name in and ACL name out Reply Message 18 Y...

Страница 465: ...st records in which Acct Status Type is set to Acct Stop or Acct Interim Update Acct Output Octets 43 No No Yes Number of octets sent on the port in the course of this service being provided Can be pr...

Страница 466: ...ent only in Accounting Request records in which Acct Status Type is set to Acct Stop or Acct Interim Update For details see RFC 2869 Acct Output Gigawords 53 No No Yes Number of times the Acct Output...

Страница 467: ...a random TCP port that is equal to or higher than 4096 The target switch listens for the traffic on TCP port 8821 IP TCP 6 8889 SSL management GuestPass GuestPass originates the SSL connection on TCP...

Страница 468: ...e the DHCP server on more than one VLAN You can configure a DHCP client and DHCP server on the same VLAN but only the client or the server can be enabled The DHCP client and DHCP server cannot both be...

Страница 469: ...n the range the server is allowed to use In addition to an IP address the Offer message from the MSS DHCP server also contains the following options Option 54 Server Identifier which has the same valu...

Страница 470: ...the network broadcast address and the subnet broadcast address are included in the range If you specify the range the start address must be lower than the stop address and all addresses must be in the...

Страница 471: ...ed vlan 192 168 1 5 00 01 03 04 06 08 102 2 red vlan 192 168 1 7 00 01 03 04 06 09 16789 Note This command clears all IP configuration information from the interface The following command displays con...

Страница 472: ...LAN specification for a Carrier Sense Multiple Access with Collision Detection CSMA CD network a type of network related to Ethernet In general 802 3 specifies the physical media and the working chara...

Страница 473: ...ink Mobility System the DWS 1008 switch can use a RADIUS server or its own local database for AAA services access control entry See ACE access control list See security ACL access point AP A hardware...

Страница 474: ...The ability of a user client authenticated via Extensible Authentication Protocol EAP plus an appropriate subprotocol and back end authentication authorization and accounting AAA service to roam to d...

Страница 475: ...information the certificate authority can issue a certificate Based on the PKI implementation the certificate content can include the certificate s expiration date the owner s public key the owner s...

Страница 476: ...strator to request a security certificate from a certificate authority CA A CSR is a text string formatted by Privacy Enhanced Mail PEM protocol according to Public Key Cryptography Standard PKCS 10 T...

Страница 477: ...um See DSSS domain 1 On the Internet a set of network addresses that are organized in levels 2 In Microsoft Windows NT and Windows 2000 a set of network resources applications printers and so forth fo...

Страница 478: ...sulated form of the Extensible Authentication Protocol EAP defined in the IEEE 802 1X standard that allows EAP messages to be carried directly by a LAN media access control MAC service between a wirel...

Страница 479: ...rning body for telecommunications radio television cable and satellite communications FDB See forwarding database FDB Federal Communications Commission See FCC FHSS Frequency hopping spread spectrum O...

Страница 480: ...and multicast packets for transmissions using the Temporal Key Integrity Protocol TKIP and Advanced Encryption Standard AES group master key See GMK group transient key See GTK H 323 A set of Internat...

Страница 481: ...cast group membership to neighboring multicast routers Multicasting allows a computer on the Internet to send content to other computers that have identified themselves as interested in receiving it I...

Страница 482: ...odies from many countries ISO has defined a number of computer standards including the Open Systems Interconnection OSI standardized architecture for network design IV See initialization vector IV jum...

Страница 483: ...pacity and the stations that are allowed to use the medium for transmission MAC address glob A D Link convention for matching media access control MAC addresses or sets of MAC addresses by means of kn...

Страница 484: ...l defined in RFC 2759 that also permits a single login in a Microsoft network environment See also CHAP MSDU MAC service data unit In IEEE 802 11 communications the data payload encapsulated within a...

Страница 485: ...all outgoing interfaces to many receivers PIM sparse mode PIM SM limits data distribution to a minimal number of widely distributed routers PIM SM packets are sent only if they are explicitly requeste...

Страница 486: ...tion priorities and availability of resources port address translation See PAT Power over Ethernet See PoE pre master secret A key generated during the handshake process in Transport Layer Security TL...

Страница 487: ...mprove and guarantee transmission rates error rates and other performance characteristics based on priorities policies and reservation criteria arranged in advance Some protocols allow packets or stre...

Страница 488: ...oint radio sweeps all channels in the IEEE 802 11b g and 802 11a spectrum In contrast SentrySweep operates only on the disabled radios in a network and does not disrupt service robust security network...

Страница 489: ...static key distributed by an out of band mechanism to both the sender and receiver Also known as a shared key or preshared key PSK a shared secret is used as input to a one way hash algorithm When a...

Страница 490: ...ssion over the Internet Defined in RFC 2246 TLS provides mutual authentication with nonrepudiation encryption algorithm negotiation secure key derivation and message integrity checking TLS has been ad...

Страница 491: ...mbers of VLAN 1 which is named default VLAN glob A D Link convention for applying the authentication authorization and accounting AAA attributes in the location policy on a switch to one or more users...

Страница 492: ...he address to ignore in a comparison with another IP address When setting up security access control lists ACLs you specify source and destination IP addresses and corresponding wildcard masks by whic...

Страница 493: ...n into an electronic directory that can be part of a global directory available to anyone in the world with Internet access X 509 An International Telecommunications Union Telecommunication Standardiz...

Страница 494: ...ng 10 to 95 Power VAC range Hz range 90 132 VAC 180 264 VAC 50 60 Hz Amperage draw maximums At 115Vrms 4Arms At 230Vrms 2Arms Interfaces 8 10 100 Mbps ports with no restrictions on port usage 6 ports...

Страница 495: ...ntication Protocol RFC 2759 Microsoft PPP CHAP Extensions Version 2 RFC 2865 RADIUS Authentication RFC 2866 RADIUS Accounting RFC 2869 RADIUS Extensions RFC 2986 PKCS 10 Certification Request Syntax S...

Страница 496: ...RFC 826 ARP IEEE 802 1D Spanning Tree IEEE 802 1Q VLAN tagging IEEE 802 3ad static config Management RFC 854 Telnet server and client RFC 1157 SNMP v1 v2c RFC 1213 MIB II RFC 1907 SNMPv2 RFC 3164 Sys...

Страница 497: ...are or any part thereof with any reconditioned product that D Link reasonably determines is substantially equivalent or superior in all material respects to the defective Hardware Repaired or replacem...

Страница 498: ...the product is within warranty the customer shall submit a claim to D Link as outlined below The customer must submit with the product as part of the claim a written description of the Hardware defect...

Страница 499: ...ties EXCEPT FOR THE LIMITED WARRANTY SPECIFIED HEREIN THE PRODUCT IS PROVIDED AS IS WITHOUT ANY WARRANTY OF ANY KIND WHATSOEVER INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY FITNESS FOR...

Страница 500: ...s is a Class B product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures FCC Statement This equipment has been tested...

Страница 501: ...ce complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received...

Страница 502: ...D Link DWS 1008 User Manual 483 Registration Version 2 0 December 8 2006 Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights...

Результаты поиска

Содержание DWS-1008

Отзывы:

Похожие инструкции для DWS-1008

Бренды по названию

Популярные бренды

D-Link DWS-1008, Руководство по эксплуатации продукта

Результаты поиска

Содержание DWS-1008

Отзывы:

Похожие инструкции для DWS-1008

Бренды по названию

Популярные бренды