Home » D-Link Manuals » Hubs & Switches » D-Link DES-3028 » Manual Viewer

D-Link DES-3028 Product Manual - Page 217

Guest VLANs, Vendor-Specific attribute, Description, Value, Usage

UPC - 790069305375

Add to My Manuals
Save this manual to your list of manuals

Page 217 highlights

DES-3028 DES-3028P DES-3028G DES-3052 DES-3052P Layer 2 Fast Ethernet Managed Switch Attribute-Specific field Used to assign the Unit (Kbits) bandwidth of the port Required If the user has configured the bandwidth attribute of the RADIUS server (for example, ingress bandwidth 1000Kbps) and the 802.1X authentication is successful, the device will assign the correct bandwidth (according to the RADIUS server) to the port. However, if the user does not configure the bandwidth attribute but authenticates successfully, the device will not assign bandwidth to the port. When the bandwidth attribute is configured on the RADIUS with a value of "0" or more than the effective bandwidth (100Mbps on an Ethernet port or 1Gbps on a Gigabit port) of the port will be set to no_limit. To assign 802.1p default priority by RADIUS server, proper parameters should be configured on the RADIUS Server. See below for the parameters of a user account. The parameters of the Vendor-Specific attribute are: Vendor-Specific attribute Description Value Usage Vendor-ID Vendor-Type Attribute-Specific field Defines the vendor 171 (DLINK) The definition of this 4 attribute Used to assign the 0-7 802.1p default priority of the port Required Required Required If the user has configured the 802.1p priority attribute of the RADIUS server (for example, priority 7) and the 802.1X authentication is successful, the device will assign the correct 802.1p default priority (according to the RADIUS server) to the port. However, if the user does not configure the priority attribute but authenticates successfully, the device will not assign a priority to this port. If the priority attribute configured on the RADIUS is a value out of range (>7), it will not be set to the device. Guest VLANs On 802.1X security enabled networks, there is a need for non 802.1X supported devices to gain limited access to the network, due to lack of the proper 802.1X software or incompatible devices, such as computers running Windows 98 or lower operating systems, or the need for guests to gain access to the network without full authorization. To supplement these circumstances, this switch now implements Guest 802.1X VLANs. These VLANs should have limited access rights and features separate from other VLANs on the network. To implement Guest 802.1X VLAN, the user must first create a VLAN on the network with limited rights and then enable it as an 802.1X guest VLAN. Then the administrator must configure the guest accounts accessing the Switch to be placed in a Guest VLAN when trying to access the Switch. Upon initial entry to the Switch, the client wishing to have services on the Switch will need to be authenticated by a remote RADIUS Server on the Switch to be placed in a fully operational VLAN. If authenticated and the authenticator posseses the VLAN placement information, that client will be accepted into the fully operational target VLAN and normal switch functions will be open to the client. Yet, if the client is denied authentication by the authenticator, it will be placed in the Guest VLAN where it has limited rights and access. The adjacent figure should give the user a better understanding of the Guest VLAN process. Client Placed in Guest VLAN Figure 10- 22. Guest VLAN Authentication Process 203

Section	Page
Table of Contents	3
Preface	9
Intended Readers	10
Typographical Conventions	10
Bold font	10
Notes, Notices, and Cautions	10
Safety Instructions	11
Safety Cautions	11
General Precautions for Rack-Mountable Products	12
Protecting Against Electrostatic Discharge	13
DES-3028/28P/28G/52/52P Switch Description	14
Features	14
Ports	14
LED Indicators	14
Front-Panel Description	14
Rear Panel Description	14
Side Panel Description	14
Installing SFP ports	14
DES-3028/28P/28G/52/52P	14
Features	14
Ports	16
LED Indicators	17
Front-Panel Description	19
DES-3028/DES-3028P	19
DES-3052P/DES-3052	19
DES-3028G	19
Rear Panel Description	20
Side Panel Description	20
Gigabit Combo Ports	21
Installing the SFP ports	22
Package Contents	23
Before You Connect to the Network	23
Installing the Switch without the Rack	23
Rack Installation	23
Power On	23
Package Contents	23
Before You Connect to the Network	23
Installing the Switch without the Rack	24
Installing the Switch in a Rack	24
Mounting the Switch in a Standard 19\	25
Power on AC Power	25
Power Failure	25
Switch to End Node	26
Switch to Hub or Switch	26
Connecting to Network Backbone or Server	26
Switch to End Node	26
Switch to Hub or Switch	27
Management Options	28
Web-based Management Interface	28
SNMP-Based Management	28
Managing User Accounts	28
Command Line Console Interface through the Serial Port	28
Connecting the Console Port (RS-232 DCE)	28
First Time Connecting to the Switch	28
Password Protection	28
SNMP Settings	28
IP Address Assignment	28
Management Options	28
Web-based Management Interface	28
SNMP-Based Management	28
Connecting the Console Port (RS-232 DCE)	28
First Time Connecting to the Switch	30
Password Protection	30
SNMP Settings	31
Traps	32
MIBs	32
IP Address Assignment	32
Introduction	35
Login to Web manager	35
Web-Based User Interface	35
Basic Setup	35
Reboot	35
Basic Switch Setup	35
Network Management	35
Switch Utilities	35
Network Monitoring	35
IGMP Snooping Status	35
Introduction	35
Login to Web Manager	35
Web-based User Interface	36
Areas of the User Interface	36
Web Pages	38
IP Address	39
Port Configuration	39
DHCP/BOOTP Relay	39
User Accounts	39
Cable Diagnostics	39
Port Mirroring	39
System Log Settings	39
Log Settings	39
SNTP Settings	39
MAC Notification Settings	39
TFTP Services	39
Multiple Image Services	39
Ping Test	39
Safeguard Engine	39
SNMP Manager	39
PoE System	39
Single IP Settings	39
Forwarding & Filtering	39
SMTP Service	39
Device Information	40
IP Address	42
Setting the Swith’s IP Address using the Console Interface	44
Port Configuration	45
Port Settings	45
Port Description	47
Port Error Disabled	47
DHCP/BOOTP Relay	49
DHCP/BOOTP Relay Global Settings	49
The Implementation of DHCP Information Option 82 in the DES-3028/28P/28G/52/52P switches	51
DHCP/BOOTP Relay Interface Settings	52
DHCP Local Relay Settings	52
User Accounts	54
Cable Diagnostics	56
Port Mirroring	58
System Log Settings	59
Log Settings	61
SNTP Settings	62
Time Settings	62
Time Zone and DST	63
MAC Notification Settings	65
TFTP Services	66
Multiple Image Services	67
Firmware Information	67
Config Firmware Image	67
Ping Test	68
Safeguard Engine	68
SNMP Manager	71
SNMP Settings	71
Traps	71
MIBs	71
SNMP Traps Settings	72
SNMP User Table	72
SNMP View Table	74
SNMP Group Table	75
SNMP Community Table Configuration	76
SNMP Host Table	77
SNMP Engine ID	78
PoE System	79
PoE System Configuration	79
PoE Port Configuration	80
Single IP Settings	82
The Upgrade to v1.6	83
SIM Settings	83
Topology	85
Tool Tips	87
Right-Click	88
Group Icon	88
Commander Switch Icon	89
Member Switch Icon	89
Candidate Switch Icon	89
Menu Bar	90
File	90
Group	90
Device	90
View	90
Help	91
Firmware Upgrade	91
Configuration Backup/Restore	91
Upload Log	92
Forwarding & Filtering	92
Unicast Forwarding	92
Multicast Forwarding	93
Multicast Filtering Mode	95
SMTP Service	96
SMTP Server Settings	97
SMTP Service	97
VLAN	99
QinQ	99
Trunking	99
IGMP Snooping	99
MLD Snooping	99
Spanning Tree	99
Loopback Detection	99
LLDP	99
VLANs	99
Notes about VLANs on the Switch	99
IEEE 802.1Q VLANs	99
802.1Q VLAN Tags	100
Tagging and Untagging	101
Ingress Filtering	101
Default VLANs	102
VLAN Segmentation	102
Asymmetric VLANs	103
VLAN and Trunk Groups	104
Static VLAN Entry	104
GVRP Settings	106
VLAN Trunk Settings	108
QinQ	110
Trunking	112
Link Aggregation	113
LACP Port Settings	113
IGMP Snooping	115
Router Ports Settings	117
IGMP Authentication	119
Dynamic IP Multicast Learning	121
ISM VLAN Settings	122
Restrictions and Provisos	122
IP Multicast Filter Profile Settings	124
Limited Multicast Range Settings	125
Max Multicast Group Settings	127
MLD Snooping	128
MLD Control Messages	128
MLD Snooping Settings	128
MLD Snooping Router Port Settings	130
Spanning Tree	131
802.1Q MSTP	131
802.1w Rapid Spanning Tree	132
Port Transition States	132
Edge Port	133
P2P Port	133
802.1D/802.1w/802.1s Compatibility	133
STP LoopBack Prevention	133
Setting the LoopBack Timer	133
Regulations and Restrictions for the LoopBack Detection Function	133
STP Bridge Global Settings	134
STP Port Settings	137
MST Configuration Identification	139
STP Instance Settings	141
MSTP Port Information	142
Loopback Detection Settings	144
LLDP	145
LLDP Global Settings	145
Basic LLDP Port Settings	147
802.1 Extension LLDP Port Settings	148
802.3 Extension LLDP Port Settings	150
LLDP Management Address Settings	152
LLDP Statistics	153
LLDP Management Address Table	154
LLDP Local Port Table	154
LLDP Remote Port Table	156
Port Bandwidth	157
802.1p Default Priority	157
802.1p User Priority	157
CoS Scheduling Mechanism	157
CoS Output Scheduling	157
Priority Settings	157
TOS Priority Settings	157
DSCP Priority Settings	157
Port Mapping Priority Settings	157
MAC Priority	157
Understanding IEEE 802.1p Priority	157
Advantages of CoS	157
Understanding CoS	158
Port Bandwidth	160
802.1p Default Priority	161
802.1p User Priority	163
CoS Scheduling Mechanism	163
CoS Output Scheduling	164
Priority Settings	165
TOS Priority Settings	167
DSCP Priority Settings	168
Port Mapping Priority Settings	169
MAC Priority	170
Time Range	171
Access Profile Table	171
CPU Interface Filtering	171
Time Range	171
Access Profile Table	171
CPU Interface Filtering	183
CPU Interface Filtering State	183
CPU Interface Filtering Profile Table	183
Traffic Control	195
Port Security	195
Port Lock Entries	195
IP-MAC-Port Binding	195
SSL	195
SSH	195
802.1X	195
Trusted Host	195
Access Authentication Control	195
Traffic Segmentation	195
DoS Attack Prevention	195
Traffic Control	195
Port Security	199
Port Lock Entries	200
IP-MAC-Port Binding	201
IMP Global Settings	201
IMP Port Settings	201
IMP Entry Settings	203
DHCP Snooping Entries	204
MAC Block List	204
SSL	205
Download Certificate	205
Ciphersuite	205
SSH	208
SSH Server Configuration	208
SSH Authentication Mode and Algorithm Settings	209
SSH User Authentication	211
802.1X	212
802.1X Port-Based and Host-Based Access Control	212
Authentication Server	213
Authenticator	213
Client	214
Authentication Process	214
Understanding 802.1X Port-based and Host-based Access Control	214
802.1X Port-based Access Control	215
802.1X Host-based Access Control	216
RADIUS Attributes Assignment	216
Guest VLANs	217
Limitations Using the Guest VLAN	218
802.1X Authenticator Settings	219
Local Users	222
802.1X Capability Settings	223
Configure 802.1X Guest VLAN	223
Initializing Ports for Port Based 802.1X	224
Initializing Ports for Host Based 802.1X	225
Reauthenticate Port(s) for Port Based 802.1X	226
Reauthenticate Port(s) for Host-based 802.1X	227
RADIUS Server	227
Trusted Host	228
Access Authentication Control	229
Authentication Policy and Parameter Settings	230
Application Authentication Settings	230
Authentication Server Group	231
Authentication Server Host	232
Login Method Lists	235
Enable Method Lists	236
Configure Local Enable Password	239
Enable Admin	239
Traffic Segmentation	240
DoS Attack Prevention	241
Port Access Control	246
CPU Utilization	246
Port Utilization	247
Packets	248
Received (RX)	249
UMB Cast (RX)	251
Transmitted (TX)	253
Packet Errors	255
Received (RX)	255
Transmitted (TX)	257
Packet Size	259
MAC Address	261
Switch Log	263
IGMP Snooping Group	264
Browse Router Port	265
VLAN Status	265
MLD Snooping Group	265
Browse MLD Snooping Router Port	266
Static ARP Settings	267
ARP-FDB	267
Gratuitous ARP Settings	269
Session Table	270
Port Access Control	270
RADIUS Authentication	270
RADIUS Accounting	272
Reset	273
Reboot System	274
Save Changes	274
Logout	275
LED indicators	279
Detailed Description	280
Detailed Description	280
Detailed Description	280
Standard Trap List	292
Proprietary Trap List	293
Proprietary Trap List (project dependent)	293
Configuration:	305
LIMITED WARRANTY	310
Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976 and any amendments thereto. Contents are subject to change without prior notice. Copyright 2004 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	313

Match case Limit results 1 per page

DES-3028 DES-3028P DES-3028G DES-3052 DES-3052P Layer 2 Fast Ethernet Managed Switch

Attribute-Specific field

Used to assign the

bandwidth of the port

Unit (Kbits)

Required

If the user has configured the bandwidth attribute of the RADIUS server (for example, ingress bandwidth 1000Kbps) and the

802.1X authentication is successful, the device will assign the correct bandwidth (according to the RADIUS server) to the port.

However, if the user does not configure the bandwidth attribute but authenticates successfully, the device will not assign

bandwidth to the port. When the bandwidth attribute is configured on the RADIUS with a value of “0” or more than the effective

bandwidth (100Mbps on an Ethernet port or 1Gbps on a Gigabit port) of the port will be set to no_limit.

To assign 802.1p default priority by RADIUS server, proper parameters should be configured on the RADIUS Server. See below

for the parameters of a user account.

The parameters of the Vendor-Specific attribute are:

Vendor-Specific attribute

Description

Value

Usage

Vendor-ID

Defines the vendor

171 (DLINK)

Required

Vendor-Type

The definition of this

attribute

Required

Attribute-Specific field

Used to assign the

802.1p default priority

of the port

0-7

Required

If the user has configured the 802.1p priority attribute of the RADIUS server (for example, priority 7) and the 802.1X

authentication is successful, the device will assign the correct 802.1p default priority (according to the RADIUS server) to the port.

However, if the user does not configure the priority attribute but authenticates successfully, the device will not assign a priority to

this port. If the priority attribute configured on the RADIUS is a value out of range (>7), it will not be set to the device.

Guest VLANs

On 802.1X security enabled networks, there is a need for non

802.1X supported devices to gain limited access to the network, due

to lack of the proper 802.1X software or incompatible devices, such

as computers running Windows 98 or lower operating systems, or

the need for guests to gain access to the network without full

authorization. To supplement these circumstances, this switch now

implements Guest 802.1X VLANs. These VLANs should have

limited access rights and features separate from other VLANs on

the network.

To implement Guest 802.1X VLAN, the user must first create a

VLAN on the network with limited rights and then enable it as an

802.1X guest VLAN. Then the administrator must configure the

guest accounts accessing the Switch to be placed in a Guest VLAN

when trying to access the Switch. Upon initial entry to the Switch,

the client wishing to have services on the Switch will need to be

authenticated by a remote RADIUS Server on the Switch to be

placed in a fully operational VLAN. If authenticated and the

authenticator posseses the VLAN placement information, that client

will be accepted into the fully operational target VLAN and normal

switch functions will be open to the client. Yet, if the client is

denied authentication by the authenticator, it will be placed in the

Guest VLAN where it has limited rights and access. The adjacent

figure should give the user a better understanding of the Guest

VLAN process.

Client Placed in

Guest VLAN

Figure 10- 22. Guest VLAN Authentication Process

203