E3Switch LLC High-Speed Ethernet to Single/Dual DS3/E3 Network Extender... Download user manual, page 10

Chapter 4: Remote Management HTTP and SNMP

Management Passwords

Note: In order to log in with Internet Explorer 7+, or if difficulty occurs when logging in with credentials known to be valid, firmware prior to October 18th, 2007 must be upgraded to accommodate a new feature present in IE7 authentication messages. This is also the case with some versions of Opera. Contact the factory for an upgrade, or attempt to log in with Firefox, Mozilla, or a browser earlier than IE7 for immediate resolution.

The HTTP management statistics page is initially accessible without a password. The HTTP settings page is initially accessible within the first several minutes after powerup with username admin and no password.

If the unit has not had its default password changed, after several minutes the settings page will be locked 
for security reasons.  It is desirable to change the default password of the unit.  For security reasons, 
changing the default password of the unit must be done within the first several minutes of powerup.  If the 
HTTP management password is lost or forgotten, it may be reset by accessing the HTTP management 
settings within the first minute after powerup and with no BNC cables attached to the unit.

SNMP statistics may initially be accessed using the read-only community name public. Write-community names and variable access authorization may be set through the HTTP management interface.

Security

Please also refer to the password section above.

HTTP Interface Security

Access to the HTTP management interface statistics and settings pages can be selectively limited to users knowing the HTTP management password, which is transmitted securely on the network using MD5 encoding. New values of management settings and modifications of the administrator password are not encrypted and are visible to users monitoring network packets, as is statistical data requested by an MD5-authorized user or any information visible on an HTTP page.

When logging out from any secure webpage, the browser window should always be closed! Browsers typically continue to send administrator credentials continuously even after apparent logout.
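
The split described above (the login credential is hashed, everything else travels in the clear), as an added example that is not from the manual or the E3Switch firmware. It assumes the "MD5 encoding" is standard HTTP Digest authentication (RFC 2617), which the page does not state; the realm, URI, nonce, passwords and form field names are constructed.

```python
import hashlib

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 request-digest; only this hash of the password is sent."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:                                   # qop="auth" form
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")    # form without qop

def wire_view(user, realm, password, nonce, uri, form_body):
    """Render a settings POST as it appears to anyone monitoring packets."""
    resp = digest_response(user, realm, password, "POST", uri, nonce)
    return (f"POST {uri} HTTP/1.1\r\n"
            f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n'
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(form_body)}\r\n\r\n{form_body}")

def visible_in_capture(wire, secrets):
    """Map each named secret to True if it appears verbatim on the wire."""
    return {name: value in wire for name, value in secrets.items()}

# Constructed values; realm, URI and form field names are hypothetical.
CURRENT_PW = "old-Example-1"
NEW_PW = "new-Example-2"
FORM_BODY = f"new_password={NEW_PW}&write_community=examplewrite"

def demo():
    wire = wire_view("admin", "example-realm", CURRENT_PW,
                     "constructed-nonce-01", "/settings", FORM_BODY)
    return visible_in_capture(wire, {"current password": CURRENT_PW,
                                     "new password": NEW_PW,
                                     "write community": "examplewrite"})

if __name__ == "__main__":
    print(demo())
```

The current password never appears in the request, but a new password or community name submitted through the settings form does, which is why such changes belong on a trusted management segment.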

SNMP Security

The converter implements SNMPv2c, which is inherently an insecure protocol; however, the converter 
enhances security by implementing view-based access management (VACM), which can restrict read or 
write access to specific management settings and statistics.  When shipped, the converter allows read access 
to “safe” SNMP statistics and prohibits read and write access to statistics and settings which could allow 
determination of network topology or interfere with normal link traffic.  The VACM configuration can be 
updated through the HTTP management interface to meet the user's needs, and most SNMP variables can 
also be set through the HTTP management interface in a more secure manner than SNMP allows.

–  SNMP VACM Security Warning  –

As shipped, the default “safe_ro_view” is secure but not private.

View based access model VACM for SNMPv2c provides good restriction of access to only specified statistics but no data privacy and minimal user authentication. When a specific variable is enabled for reading or writing, from a security perspective it should be considered either public for reading or public for writing.

Alternatively, most configuration parameters can be set through the HTTP password-protected interface which is secure.

Viewing snmpd.conf exposes it and community names to visibility by 3rd party network sniffers. All SNMPv2c data on the network is visible. All community names can be "guessed" and, when used, become visible to sniffers. Source IP addresses of requests can be forged. Enabling a write community should be considered insecure with respect to the specific view variables enabled.
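
An added example (not E3Switch's code): a small audit that resolves each community name through security name, group and view, so that every enabled write view is reported as what the warning says it is, public for writing. It assumes the converter's snmpd.conf uses net-snmp's com2sec/group/view/access directives; the sample configuration, community names and OIDs are constructed.

```python
import shlex
from collections import defaultdict

# Constructed sample in net-snmp snmpd.conf syntax (an assumption about the
# converter's format); it is not the shipped configuration of the converter.
SAMPLE_CONF = """\
com2sec ro_sec  default        public
com2sec rw_sec  192.0.2.0/24   examplewrite
group   ro_grp  v2c  ro_sec
group   rw_grp  v2c  rw_sec
view    safe_ro_view  included  .1.3.6.1.2.1.1
view    safe_ro_view  excluded  .1.3.6.1.2.1.1.6
view    cfg_rw_view   included  .1.3.6.1.2.1.10.30
access  ro_grp  ""  v2c  noauth  exact  safe_ro_view  none         none
access  rw_grp  ""  v2c  noauth  exact  safe_ro_view  cfg_rw_view  none
"""

def parse_vacm(text):
    """Collect com2sec/group/view/access directives into lookup tables."""
    sec, groups, views, access = [], defaultdict(set), defaultdict(list), []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)   # handles "" context and '#'
        kind, args = (tok[0], tok[1:]) if tok else ("", [])
        if kind == "com2sec" and len(args) == 3:
            sec.append(tuple(args))              # (secname, source, community)
        elif kind == "group" and len(args) == 3:
            groups[args[2]].add(args[0])         # secname -> group names
        elif kind == "view" and len(args) >= 3:
            views[args[0]].append((args[1], args[2]))  # (included|excluded, oid)
        elif kind == "access" and len(args) == 8:
            access.append(args)  # group ctx model level prefix read write notify
    return sec, groups, views, access

def exposure(text):
    """Per community: included subtrees it can read/write (excluded not listed)."""
    sec, groups, views, access = parse_vacm(text)
    findings = []
    for secname, source, community in sec:
        read, write = set(), set()
        for grp, _ctx, _model, _lvl, _pfx, rview, wview, _notify in access:
            if grp in groups[secname]:
                read |= {o for t, o in views.get(rview, []) if t == "included"}
                write |= {o for t, o in views.get(wview, []) if t == "included"}
        findings.append({"community": community, "source": source,
                         "any_host": source == "default",
                         "read": sorted(read), "write": sorted(write)})
    return findings

if __name__ == "__main__":
    for f in exposure(SAMPLE_CONF):
        print(f["community"], f["source"], f["read"], f["write"])
```

A source restriction such as the constructed 192.0.2.0/24 narrows exposure only against honest senders, since the warning notes that source IP addresses can be forged.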


Contents of High-Speed Ethernet to Single/Dual DS3/E3 Network Extender...

Page 1: ...High Speed Ethernet to Single Dual DS3 E3 Network Extender V5 4 October 31st 2011 Operating Information ...
