Planet WGD-800 Скачать руководство пользователя страница 54

Страница: 54 / 90

4.7.6 802.1X Port-Based Network Access Control

4.7.6.1 Theory

Understanding IEEE 802.1X Port-Based Authentication

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts

unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server

authenticates each client connected to a switch port before making available any services offered by the switch or

the LAN.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN

(EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic

can pass through the port.

This section includes this conceptual information:

•

Device Roles

•

Authentication Initiation and Message Exchange

•

Ports in Authorized and Unauthorized States

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown below.

Client

—the device (workstation) that requests access to the LAN and switch services and responds to

requests from the switch. The workstation must be running 802.1X-compliant client software such as that

offered in the Microsoft Windows XP operating system. (The client is the

supplicant

in the IEEE 802.1X

specification.)

Содержание WGD-800

Страница 1: ...User s Manual WGD 800 8 Port 10 100Mbps Managed Ethernet Switch...

Страница 2: ...sleading or incomplete we would appreciate your comments and suggestions FCC Warning This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15...

Страница 3: ...2 Rack Mounting 11 3 CONSOLE MANAGEMENT 12 3 1 CONNECTING TO THE SWITCH 12 3 2 LOGIN IN THE CONSOLE INTERFACE 12 3 3 CONSOLE MANAGEMENT 13 3 4 TELNET LOGIN 14 3 5 COMMANDS 14 3 5 1 First level command...

Страница 4: ...5 MAC Address Aging Time 53 4 7 6 802 1X Port Based Network Access Control 54 4 8 QOS 67 4 8 1 Understand QOS 67 4 8 2 QOS Configuration 68 4 9 MULTICAST 73 4 9 1 IGMP Snooping 73 4 9 2 Static Routing...

Страница 5: ...6 2 100BASE TX 10BASE T PIN ASSIGNMENTS 86 7 APPENDIX B 87 802 1Q VLAN MULTI UNTAGGED VLAN SETTING SAMPLE 1 87...

Страница 6: ...INSTALLATION The chapter explains the functions of the Switch and how to physically install the Switch Chapter 3 CONSOLE MANAGEMENT The chapter explains how to manage the switch by Console interface C...

Страница 7: ...ecification Hardware Specification Network Connector 8 Port RJ 45 for 10 100Base TX RS 232 connector One RS 232 DB 9 male connector for switch management Switch architecture Store and forward switch a...

Страница 8: ...terprise private MIB Standard Compliance Network Standard IEEE802 3 10Base T IEEE802 3u 100Base TX IEEE802 3x Flow Control and Back pressure IEEE802 3ad Port trunk with LACP IEEE802 1d Spanning tree p...

Страница 9: ...ing to enhance security and bandwidth utilization With its built in web based management the PLANET WSD 800 offers an easy to use platform independent management and configuration facility The PLANET...

Страница 10: ...itch on desktop or shelf please follows these steps Step1 Attach the rubber feet to the recessed areas on the bottom of the switch Step2 Place the switch on the desktop or the shelf near an AC power s...

Страница 11: ...ide of the switch Figure 2 5 Attach brackets to the switch Caution You must use the screws supplied with the mounting brackets Damage caused to the parts by using incorrect screws would invalidate the...

Страница 12: ...r remote terminal as if the console terminal were directly connected to it 3 2 Login in the Console Interface When the connection between Switch and PC is ready turn on the PC and run a terminal emula...

Страница 13: ...nd the system asks for password please enter admin for the default password As shows in the following screen Console login screen 3 3 Console Management Entering a question mark at the prompt displays...

Страница 14: ...w dot1x local user information show dot1x state Show dot1x information show igmp snooping group number show igmp snooping group limit show igmp snooping group policy Show igmp snooping group policy sh...

Страница 15: ...nning tree information show syntax Show basic help infomation show system Show system information show trunk Show trunk information show version Get last software version show vlan Show vlan informati...

Страница 16: ...trap management host clear spantree root Restore spanning tree parameters clear trunk Clear trunk port from vlans clear vlan Clear member from vlan copy config flash Copy system configuration paramete...

Страница 17: ...th mode set dot1x auth ctrl disable Disable dot1x set dot1x auth ctrl enable Enable dot1x set dot1x local userInfo Set dot1x local user information set dot1x max req Max times of re transmit EAP reque...

Страница 18: ...Capture egress traffic set mirror monitored port ingress Capture ingress traffic set multicast router Set multicst router port set password Set the password for telnet set port disable Disable a port...

Страница 19: ...snmp trap Set snmp trap receive host set spantree disable Disable spanning tree set spantree enable Enable spaning tree set spantree fwddelay Set the forward delay for the spanning tree set spantree...

Страница 20: ...n show ip telnet server Show telnet server information show ipstack info Show ipstack info show mirror Show mirror information show multicast router Show multicast router port information show port co...

Страница 21: ...Show snmp information show snmp rmon Show snmp rmon state show spantree Show spanning tree information show syntax Show basic help infomation show system Show system information show trunk Show trunk...

Страница 22: ...has to explicitly modify the browser setting to enable Java Applets to use network ports 4 2 Preparing for Web Management Before use web management you can use console to login the Switch checking th...

Страница 23: ...tch The default IP address of the switch is 192 168 0 100 You can change the IP address to be in the same IP segment as your LAN network for convinence To change the IP address click on the System IP...

Страница 24: ...ast CPUs megapixel color displays substantial memory and abundant disk space At least one NMS must be present in each managed environment Agents Agents are software modules that reside in network elem...

Страница 25: ...turn on SNMP Agent Enabled Disabled To turn on or turn off the SNMP function on the Switch 2 System Options This table is to define the system name system location and the contact person of the switc...

Страница 26: ...acteristics can be associated with the community string Add Community enter private or public Chooses community strings for the Switch management access read only or read write Read only Enables reque...

Страница 27: ...ement stations IP address 192 168 0 53 for example Trap Community must be the same string as Add community Then click on Add button The Current Management Stations field shows the trap list 4 4 3 Pass...

Страница 28: ...web 4 4 5 System Upgrade This function allows performing firmware update from the web interface Click on the System System Upgrade menu button and the following table shows in the main page of the web...

Страница 29: ...he following 4 4 7 Parameters Backup Recovery This function is to backup the running configuration to the workstation and to restore the configuration you had saved in the workstation Click on the Sys...

Страница 30: ...anagement status port negotiation mode and the port flow control function Management Status Display port status Enable or Disable Disable is to turn off the port Link Status Up to indicate the port is...

Страница 31: ...he function provides the In Band and Out Band connection speed restriction on the ports The Band of the connection speed rangs from 64Kbps to 80000Kbps Ingress Port List Egress Port List field can be...

Страница 32: ...ws for the duplicate links to be used in the event of a failure of the primary link Once the Spanning Tree Protocol is configured and enabled primary links are established and duplicated links are blo...

Страница 33: ...the frame to calculate a BPDU and if the topology changes initiates a BPDU transmission The communication between switches via BPDUs results in the following One switch is elected as the root switch...

Страница 34: ...packets that may tell the port to go back to the blocking state Learning the port is adding addresses to its forwarding database but not yet forwarding packets Forwarding the port is forwarding packe...

Страница 35: ...the switch level Parameter Description Default Value Bridge Identifier Not user configurable except by setting priority below A combination of the User set priority and the switch s MAC address The B...

Страница 36: ...lo Time The Hello Time can be from 1 to 10 seconds This is the interval between two transmissions of BPDU packets sent by the Root Bridge to tell all other Switches that it is indeed the Root Bridge I...

Страница 37: ...ction between switch B and C The decision to block a particular connection is based on the STP calculation of the most current Bridge and Port settings Now if switch A broadcasts a packet to switch C...

Страница 38: ...m the default to ensure that the link between switch B and switch C is the blocked link 4 6 2 Spanning Tree Configuration The Spanning Tree Protocol STP operates on two levels On the switch level the...

Страница 39: ...d to a PC Print Server IP camera or any other network end node device Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state There are two s...

Страница 40: ...k LACP operation requires full duplex mode more detail information refer to the IEEE 802 3ad standard Link aggregation can be used to increase the bandwidth of a network connection or to ensure fault...

Страница 41: ...critical data over congested networks The quality of applications that are dependent on such time critical data such as video conferencing can be severely and adversely affected by even very small de...

Страница 42: ...a logical scheme rather than the physical layout VLAN can be used to combine any collection of LAN segments into an autonomous user group that appears as a single LAN VLAN also logically segment the...

Страница 43: ...liver packets between stations that are members of the VLAN Any port can be configured as either tagging or untagging The untagging feature of IEEE 802 1Q VLAN allows VLAN to work with legacy switches...

Страница 44: ...g an IEEE802 1Q Tag Dest Addr Src Addr Length E type Data Old CRC Dest Addr Src Addr E type Tag Length E type Data New CRC Priority CFI VLAN ID New Tagged Packet Original Ethernet Port VLAN ID Packets...

Страница 45: ...he Switch initially configures one VLAN VID 1 called default The factory default setting assigns all ports on the Switch to the default As new VLAN are configured in Port based mode their respective m...

Страница 46: ...he VLAN 5 Select the ports in the Port List field and click on the Add button to add the member ports to the VLAN The selected VLAN member then shows in the VLAN Member field 6 Click on the Close butt...

Страница 47: ...an 802 1Q compliant network device to a non compliant network device Frame Income Frame Leave Income Frame is tagged Income Frame is untagged Leave port is tagged Frame remains tagged Tag is inserted...

Страница 48: ...ul for accommodating devices that you want to participate in the VLAN but that don t support tagging The Switch allows each port to set one PVID the range is 1 255 default PVID is 1 The PVID must be t...

Страница 49: ...assigned to more than one VLAN group 4 Define the PVID for the port Set the port VLAN ID that will be assigned to untagged traffic on a given port This feature is useful for accommodating devices that...

Страница 50: ...02 1Q main page 5 5 Click on the Show VLAN Members button to show the VLAN members 5 6 As shows in the following screen 4 7 2 MAC Address Bind This function is based upon for the switch security When...

Страница 51: ...d 2 Click on the Add button 3 To remove the MAC Address binded by the port Simply click on the Delete button of the MAC Address in the Show MAC Address Table 4 7 3 MAC Address Filtering MAC address fi...

Страница 52: ...ddress Learning The switch is able to disable MAC Address learning function on ports 1 Fill the Port List field in the MAC Address Learning table and select Enable Disable in the MAC Address Learning...

Страница 53: ...that are out of date or no longer exist This may cause incorrect packet forward indecisions by the Switch If the Aging Time is too short however many entries may be aged out too soon This will result...

Страница 54: ...ion Protocol over LAN EAPOL traffic through the port to which the client is connected After authentication is successful normal traffic can pass through the port This section includes this conceptual...

Страница 55: ...on server When the switch receives EAPOL frames and relays them to the authentication server the Ethernet header is stripped and the remaining EAP frame is re encapsulated in the RADIUS format The EAP...

Страница 56: ...thorized For more information see the Ports in Authorized and Unauthorized States section The specific exchange of EAP frames depends on the authentication method being used Figure 2 43 shows a messag...

Страница 57: ...ort is in the authorized state If the client is successfully authenticated receives an Accept frame from the authentication server the port state changes to authorized and all frames from the authenti...

Страница 58: ...te In this situation do not need Radius server in the network all authentication completed by 802 1x Switch the normal topologies as below 1 Enter 802 1X Port Status Configuration there are 3 Authenti...

Страница 59: ...on services to the client through the interface Maximum account number the biggest user s quantity of passing authentication under this port set 1 Only one user can pass this authentication The second...

Страница 60: ...Radius Server In this situation need a Radius server in the network the normal topologies as below 1 Select the Radius Server mode 2 The RADIUS Server configuration table includes the following fields...

Страница 61: ...ing server The valid range is 0 65535 The default UDP Port No is 1813 Share Key Indicates if the shared secret for this server has been configured 3 Setup the RADIUS server and assign the client IP ad...

Страница 62: ...Force Authorized if the port is connected to the RADIUS server or the port is a uplink port that is connected to another switch Or once the 802 1X stat to work the switch might not be able to access...

Страница 63: ...Server PC For example the Radius Server founded on Win2000 Server and then Enter Active Directory Users and Computers create legal user data the next right click a user what you created to enter prope...

Страница 64: ...n in Windows XP Please note that if you want to change the 802 1x authentication type of a wireless client i e switch to EAP TLS from EAP MD5 you must remove the current existing wireless network from...

Страница 65: ...using IEEE 802 1X to enable 802 1x authentication 6 Select MD 5 Challenge from the drop down list box for EAP type 7 Click OK 8 When wireless client has associated with WGSW 2840 5240 a user authentic...

Страница 66: ...9 Enter the user name password and the logon domain that your account belongs 10 Click OK to complete the validation process...

Страница 67: ...unt of traffic grows Reduce the need to constantly add bandwidth to the network Manage network congestion QoS Terminology Classifier classifies the traffic on the network Traffic classifications are d...

Страница 68: ...ices a tag inserted into the packet header is used to identify the priority level of data packets The Switch supports four kinds of Traffic classifiers 802 1P Port MAC VLANs and four queues NOTE COS P...

Страница 69: ...Traffic classifiers 1 Fill the VID 1 2094 field in the VLAN CoS Mapping Table 2 Fill the mapping number in the CoS 0 7 field 3 Click on the OK button to save 4 To remove the VLAN CoS mapping item sim...

Страница 70: ...802 1p Priority specification uses 8 priority levels to classify data packets In 802 1p compliant devices a tag inserted into the packet header is used to identify the priority level of data packets...

Страница 71: ...g 1 3 7 field in the port based QoS Configuration Table 2 Fill the mapping number in the CoS 0 7 field 3 Click on the OK button to save 5 COS Queue Mapping 1 Fill the CoS 0 7 field in the CoS Queue M...

Страница 72: ...ue Weighted Round Robin WRR and Always Hight To configure Queue Rule select the Queue Policy drop down menu in the Queue Rule Configuration table And Click on the OK button to save If the WRR was chos...

Страница 73: ...t work If there are no members on a sub network packets will not be forwarded to that sub network IGMP Versions 1 and 2 Multicast groups allow members to join or leave at any time IGMP provides the me...

Страница 74: ...ies will not be forwarded to other sub networks IGMP version 2 introduces some enhancements such as a method to elect a multicast queried for each LAN an explicit leave message and query messages that...

Страница 75: ...his fill the Port List field and the VID field for the static routing and click on the Add button to save 4 10 Port Analysis 4 10 1 Port Analysis This function shows the statistical information of eac...

Страница 76: ...r it if necessary Configuring the port mirroring by assigning a source port from which to copy all packets and a sniffer port where those packets will be sent Capture Port Use this option to select th...

Страница 77: ...e web main page then shows the Strom Restricting function table 1 Fill the Port List field in the Broadcast Storm Restricting table select the type in the Restricting Type drop down menu and enter the...

Страница 78: ...to identify the roles of the stackable switches the Master mode and Client mode At a IP stacking group domain there is only one Master switch and many Client switches If there re more than one switch...

Страница 79: ...p If not the switches will not be the IP Stack group members System priority If there re more than one switch be configured to the Master mode the it will depends on the System Priority to elect a act...

Страница 80: ...assigned to the same IP Stack group 4 Modify the System priority and Stack name if necessary At this sample we change the Stack name of the Master to Switch 1 5 Click OK if the configuration is down...

Страница 81: ...group 9 Modify the System priority and Stack name if necessary At this sample we change the Stack name of the Client to Switch 2 10 Click OK if the configuration is down 11 Please use a UTP cable to u...

Страница 82: ...go to system and choose Saving parameters to save current configuration The following screen appears NOTE Please do not assign role for whole stack member Switch as client it cannot detect the Master...

Страница 83: ...e T network installation 5 1 3 Improper Network Topologies It is important to make sure that you have a valid network topology Common topology faults include excessive cable length and too many repeat...

Страница 84: ...Category 3 4 or 5 cable for 10Mbps connections or 100 Category 5 cable for 100Mbps connections Also be sure that the length of any twisted pair connection does not exceed 100 meters 328 feet...

Страница 85: ...ed to connect to the serial port are provided in the following tables DB 9 Console Port Pin Numbers DB 9 Port Pin Assignments EIA Circuit CCITT Signal Description Switch s DB9 DTE Pin PC DB9 DTE Pin B...

Страница 86: ...s that make up each wire pair All ports on this switch support automatic MDI MDI X operation you can use straight through cables for all network connections to PCs or servers or to other switches or h...

Страница 87: ...to access the same server AP Printer But the two VLAN groups are separated and can t access to each other The graphic in Figure 7 1 appears Figure 7 1 Overlap VLAN graphic The next will be a configure...

Страница 88: ...er then click on the port For this case we set the Port 1 to be the multiple untagged port The screen in Figure 7 3 appears 4 At the Link Type select Always Untag at the draw bar Click OK to apply Fig...

Страница 89: ...ss close to back to the 802 1Q VLAN main screen And check if the setting be applied to Port 1 at the Egress Policy column The screen in Figure 7 5 appears Figure 7 5 Port 1 VLA N status 8 Assign the V...

Страница 90: ...as the screen in Figure 7 6 appears Figure 7 6 Port 1 Port 2 and Port 3 VLAN configuration Although Port 2 and Port 3 are VLAN 1 members with different PVID setting the two ports are not able to acce...

Результаты поиска

Содержание WGD-800

Отзывы:

Похожие инструкции для WGD-800

Бренды по названию

Популярные бренды

Planet WGD-800, Руководство пользователя

Результаты поиска

Содержание WGD-800

Отзывы:

Похожие инструкции для WGD-800

Бренды по названию

Популярные бренды