Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3324SR » Manual Viewer

D-Link DGS-3324SR Product Manual - Page 151

Understanding 802.1x Port-based and MAC-based Network Access Control

UPC - 790069262067

Add to My Manuals
Save this manual to your list of manuals

Page 151 highlights

xStack DGS/DXS-3300 Series Layer 3 Stackable Gigabit Ethernet Switch User Manual Understanding 802.1x Port-based and MAC-based Network Access Control The original intent behind the development of 802.1X was to leverage the characteristics of point-to-point in LANs. As any single LAN segment in such infrastructures has no more than two devices attached to it, one of which is a Bridge Port. The Bridge Port detects events that indicate the attachment of an active device at the remote end of the link, or an active device becoming inactive. These events can be used to control the authorization state of the Port and initiate the process of authenticating the attached device if the Port is unauthorized. This is the Port-Based Network Access Control. Port-Based Network Access Control Ethernet Switch RADIUS Server 802.1X Client 802.1X 802.1X 802.1X Client Client Client 802.1X Client 802.1X Client 802.1X Client ... 802.1X Client 802.1X Client Network access controlled port Network access uncontrolled port Figure 6- 100. Example of Typical Port-Based Configuration Once the connected device has successfully been authenticated, the Port then becomes Authorized, and all subsequent traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become Unauthorized. Hence, if the Port is actually connected to a shared media LAN segment with more than one attached device, successfully authenticating one of the attached devices effectively provides access to the LAN for all devices on the shared segment. Clearly, the security offered in this situation is open to attack. 136

Section	Page
Table of Contents	3
	11
Intended Readers	12
Typographical Conventions	12
Notes, Notices, and Cautions	12
Safety Instructions	13
Safety Cautions	13
General Precautions for Rack-Mountable Products	14
Protecting Against Electrostatic Discharge	15
Switch Description	16
Gigabit Combo Ports	16
Ethernet Technology	16
Fast Ethernet	16
Gigabit Ethernet Technology	16
Switching Technology	17
Switch Description	17
Features	18
Ports	19
Installing the SFP ports	20
Front-Panel Components	20
DGS-3324SR	20
DXS-3326GSR	20
DXS-3350SR	20
LED Indicators	21
Rear Panel Description	22
DGS-3324SRi	22
DGS-3324SR	22
DXS-3326GSR	22
Side Panel Description	23
DGS-3324SRi & DGS-3324SR	23
	23
DXS-3326GSR & DXS-3350SR	23
Package Contents	24
Before Connecting to the Network	24
Installing the Switch without the Rack	25
Installing the Switch in a Rack	25
Mounting the Switch in a Standard 19\	26
Power On	26
Power Failure	26
The Optional Module	26
The Media Accessory	28
External Redundant Power System	29
Switch to End Node	30
Switch to Hub or Switch	31
Connecting To Network Backbone or Server	32
Stacking and the xStack DGS/DXS-3300 Series	33
Stacking Limitations Utilizing a Ring or Star Topology	35
Token Cost * Number of Switches ≤ 32	35
Stacking In a Star Topology	37
Management Options	38
Web-based Management Interface	38
SNMP-Based Management	38
Command Line Console Interface through the Serial Port	38
Connecting the Console Port (RS-232 DCE)	38
First Time Connecting to the Switch	40
Password Protection	42
SNMP Settings	43
Traps	43
MIBs	43
IP Address Assignment	44
Connecting Devices to the Switch	45
Introduction	46
Logging on to the Web Manager	46
Web-based User Interface	48
Areas of the User Interface	48
Web Pages	49
Switch Information	51
IP Address	52
Advanced Settings	55
Box Information	57
Port Configuration	58
Port Description	60
Port Mirroring	61
Link Aggregation	62
Understanding Port Trunk Groups	62
LACP Port Setting	66
MAC Notification	67
MAC Notification Global Settings	67
MAC Notification Port Settings	68
IGMP Snooping	69
Static Router Ports	71
Spanning Tree	72
802.1s MSTP	72
802.1w Rapid Spanning Tree	72
Port Transition States	72
Edge Port	73
P2P Port	73
802.1d / 802.1w / 802.1s Compatibility	73
STP Bridge Global Settings	74
MST Configuration Table	76
MSTP Port Information	79
STP Instance Settings	80
STP Port Settings	83
Forwarding & Filtering	85
Unicast Forwarding	85
Multicast Forwarding	86
VLANs	87
Understanding IEEE 802.1p Priority	87
VLAN Description	87
Notes about VLANs in the xStack DGS/DXS-3300 Series	87
IEEE 802.1Q VLANs	88
802.1Q VLAN Tags	89
Port VLAN ID	90
Tagging and Untagging	90
Ingress Filtering	90
Default VLANs	91
Port-based VLANs	91
VLAN Segmentation	91
VLAN and Trunk Groups	92
Protocol VLANs	92
Static VLAN Entry	93
GVRP Settings	97
Traffic Control	99
Port Security	100
Port Lock Entries	101
QoS	102
The Advantages of QoS	102
Understanding QoS	103
Bandwidth Control	104
QoS Scheduling Mechanism	105
QoS Output Scheduling	106
Configuring the Combination Queue	107
802.1p Default Priority	108
802.1p User Priority	109
Traffic Segmentation	109
System Log Host	111
SNTP Settings	113
Time Settings	113
Time Zone and DST	114
Access Profile Table	116
Configuring the Access Profile Table	116
CPU Access Profile	133
CPU Access Profile Table	133
System Severity Settings	147
Port Access Entity (802.1X)	148
802.1x Port-Based and MAC-Based Access Control	148
Authentication Server	149
Authenticator	149
Client	150
Authentication Process	150
Understanding 802.1x Port-based and MAC-based Network Access Control	151
Port-Based Network Access Control	151
MAC-Based Network Access Control	152
Configure Authenticator	153
802.1X User	155
PAE System Control	156
Port Capability	156
Initializing Ports for Port Based 802.1x	157
Initializing Ports for MAC Based 802.1x	158
Reauthenticate Port(s) for Port Based 802.1x	158
Reauthenticate Port(s) for MAC-based 802.1x	159
RADIUS Server	160
Layer 3 IP Networking	161
Layer 3 Global Advanced Settings	161
IP Multinetting	162
IP Interface Setup	162
MD5 Key Table Configuration	165
Route Redistribution Settings	165
Static/Default Route Settings	167
Route Preference Settings	169
Static ARP Table	171
RIP	172
RIP Version 1 Message Format	173
RIP Command Codes	173
RIP 1 Message	173
RIP 1 Route Interpretation	173
RIP Version 2 Extensions	173
RIP2 Message Format	174
RIP Timers	174
RIP Global Settings	174
RIP Settings	175
OSPF	177
Link-State Algorithm	177
Shortest Path Algorithm	177
OSPF Cost	177
Shortest Path Tree	178
Areas and Border Routers	179
Link-State Packets	179
OSPF Authentication	180
Message Digest Authentication (MD-5)	180
Simple Password Authentication	180
Backbone and Area 0	180
Virtual Links	180
Areas Not Physically Connected to Area 0	180
Partitioning the Backbone	181
Neighbors	181
Adjacencies	181
Designated Router Election	181
Building Adjacency	181
Adjacencies on Point-to-Point Interfaces	182
OSPF Packet Formats	182
OSPF Packet Header	183
Hello Packet	184
Database Description Packet	185
Link-State Request Packet	186
Link-State Update Packet	186
Link-State Acknowledgment Packet	187
Link-State Advertisement Formats	187
Link State Advertisement Header	188
Router Links Advertisements	189
Network Links Advertisements	191
Summary Link Advertisements	192
Autonomous Systems External Link Advertisements	193
OSPF Global Settings	194
OSPF Area Setting	194
OSPF Interface Settings	196
OSPF Virtual Link Settings	198
OSPF Area Aggregation Settings	200
OSPF Host Route Settings	201
DHCP / BOOTP Relay	202
DHCP / BOOTP Relay Information	202
DHCP/BOOTP Relay Interface Settings	203
DNS Relay	204
Mapping Domain Names to Addresses	204
Domain Name Resolution	204
Configuring DNS Relay Information	204
DNS Relay Static Settings	205
VRRP	206
VRRP Global Settings	206
VRRP Virtual Router Settings	207
VRRP Authentication Settings	210
IP Multicast Routing Protocol	212
IGMP	212
IGMP Versions 1 and 2	212
IGMP Version 3	213
IGMP Interface Configuration	215
DVMRP Interface Configuration	217
DVMRP Global Settings	217
DVMRP Interface Settings	217
PIM Protocol	219
PIM-SM	219
Discovering and Joining the Multicast Group	219
Distribution Trees	219
Register and Register Suppression Messages	219
Assert Messages	220
PIM-DM Interface Configuration	220
PIM Global Settings	220
PIM Interface Settings	220
PIM Candidate BSR Settings	222
PIM Parameter Settings	223
PIM Candidate RP Global Settings	224
PIM Candidate RP Settings	224
PIM Register Checksum Settings	225
PIM Static RP Settings	226
Security IP	227
User Accounts	228
Admin and User Privileges	229
Access Authentication Control	230
Authentication Policy & Parameters	231
Application's Authentication Settings	232
Authentication Server Group	233
Authentication Server Host	234
Login Method Lists	236
Enable Method Lists	238
Configure Local Enable Password	240
Enable Admin	241
Secure Socket Layer (SSL)	242
Download Certificate	243
Configuration	244
Secure Shell (SSH)	246
SSH Server Configuration	246
SSH Authentication Mode and Algorithm Settings	248
SSH User Authentication Mode	250
	250
SNMP Settings	251
Traps	251
MIBs	251
SNMP User Table	252
SNMP View Table	254
SNMP Group Table	255
SNMP Community Table	257
SNMP Host Table	258
SNMP Engine ID	259
Port Utilization	261
CPU Utilization	262
Packets	263
Received (RX)	263
UMB Cast (RX)	265
Transmitted (TX)	267
Errors	269
Received (RX)	269
Transmitted (TX)	271
Size	273
Stacking Information	275
Module Information	277
Device Status	278
MAC Address	279
Switch History Log	281
IGMP Snooping Group	282
IGMP Snooping Forwarding	283
Browse Router Port	284
Port Access Control	285
Authenticator State	285
Authenticator Statistics	287
Authenticator Session Statistics	288
Authenticator Diagnostics	290
RADIUS Authentication	292
RADIUS Accounting	293
Layer 3 Feature	295
Browse IP Address Table	295
Browse Routing Table	296
Browse ARP Table	296
Browse IP Multicast Forwarding Table	297
Browse IGMP Group Table	298
OSPF Monitoring	300
Browse OSPF LSDB Table	300
Browse OSPF Neighbor Table	302
OSPF Virtual Neighbor	302
DVMRP Monitoring	303
Browse DVMRP Routing Table	303
Browse DVMRP Neighbor Table	304
Browse DVMRP Routing Next Hop Table	304
PIM Monitoring	305
Browse PIM Neighbor Table	305
PIM IP MRoute Table	305
Browse PIM RP Set Table	306
TFTP Services	307
Download Firmware	307
Download Configuration File	308
Download PROM	308
Upload Configuration	308
Upload Log	309
Multiple Image Services	310
Firmware Information	310
Config Firmware Image	311
CompactFlash Services	312
CF Card Information	312
Download Firmware from CF	313
Download Configuration from CF	313
Upload Firmware to CF	314
Upload Config to CF	314
Upload Log to CF	315
FS Commands	316
Format	316
Copy	316
Md/Mkdir	317
Rd/Rmdir	317
Dir	317
Rename	317
Ping Test	318
Save Changes	318
Reset	319
Reboot System	320
Logout	320
Single IP Management (SIM) Overview	321
The Upgrade to v1.6.	322
SIM Using the Web Interface	324
Topology	325
Tool Tips	327
Right Click	329
Group Icon	329
Commander Switch Icon	330
Member Switch Icon	330
Candidate Switch Icon	331
Menu Bar	333
File	333
Group	333
Device	333
View	333
Firmware Upgrade	334
Configuration File Backup/Restore	334
Upload Log File	334
Cables and Connectors	337
Cable Lengths	351
LIMITED WARRANTY	356
Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976 and any amendments thereto. Contents are subject to change without prior notice. Copyright 2004 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	359
FCC Statement: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communication. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential environment is likely to cause harmful interference to radio or television reception. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:	359
D-Link Europe Limited Lifetime Warranty	361
Warranty beneficiary	361
Duration of Limited Lifetime Warranty	361
Replacement, Repair or Refund Procedure for Hardware	361
	362
	362
D-Link Limited Lifetime Warranty	362

Match case Limit results 1 per page

xStack DGS/DXS-3300 Series Layer 3 Stackable Gigabit Ethernet Switch User Manual

136

Understanding 802.1x Port-based and MAC-based Network

Access Control

The original intent behind the development of 802.1X was to leverage the characteristics of point-to-point in LANs. As any

single LAN segment in such infrastructures has no more than two devices attached to it, one of which is a Bridge Port.

The Bridge Port detects events that indicate the attachment of an active device at the remote end of the link, or an active

device becoming inactive. These events can be used to control the authorization state of the Port and initiate the process of

authenticating the attached device if the Port is unauthorized. This is the Port-Based Network Access Control.

Port-Based Network Access Control

…

802.1X

Client

802.1X

Client

802.1X

Client

802.1X

Client

802.1X

Client

802.1X

Client

802.1X

Client

802.1X

Client

802.1X

Client

Network access controlled port

Network access uncontrolled port

RADIUS

Server

Ethernet Switch

Figure 6- 100. Example of Typical Port-Based Configuration

Once the connected device has successfully been authenticated, the Port then becomes Authorized, and all subsequent

traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become

Unauthorized. Hence, if the Port is actually connected to a shared media LAN segment with more than one attached device,

successfully authenticating one of the attached devices effectively provides access to the LAN for all devices on the shared

segment. Clearly, the security offered in this situation is open to attack.