D-Link DWS-1008 Product Manual

D-Link DWS-1008 - AirPremier MobileLAN Switch Manual

D-Link DWS-1008 manual content summary:

  • D-Link DWS-1008 | Product Manual - Page 1
  • D-Link DWS-1008 | Product Manual - Page 2
    17 DWS-1008 Setup Methods...18 Overview...18 Quick Starts...18 CLI...18 Web View...18 Web Quick Start...19 Web Quick Start Parameters 19 Web Quick Start Requirements 19 Accessing the Web Quick Start 20 CLI quickstart Command...22 Quickstart Example...23 D-Link DWS-1008 User Manual 
  • D-Link DWS-1008 | Product Manual - Page 3
    Switch Port Configuration and Status 42 Displaying PoE State...43 Displaying Port Statistics 43 Clearing Statistics Counters 44 Monitoring Port Statistics 44 Configuring Load-Sharing Port Groups 45 Load Sharing...45 Link Redundancy...45 Configuring a Port Group 46
  • D-Link DWS-1008 | Product Manual - Page 4
    57 Changing the Aging Timeout Period 57 Port and VLAN Configuration Scenario 58 Configuring and Managing IP Interfaces and Services 61 MTU Support...61 Configuring and Managing IP Interfaces IP Routes...67 Adding a Static Route...68 Removing a Static Route...69
  • D-Link DWS-1008 | Product Manual - Page 5
    72 Enabling Telnet...72 Adding a Telnet User...73 Displaying Telnet Status 73 Changing the Telnet Service Port Number 73 Resetting the Telnet Service Port Number to Its Default 73 Managing Default 84 Enabling the NTP Client...84 Displaying NTP Information 84
  • D-Link DWS-1008 | Product Manual - Page 6
    Service Connectivity Switch (DHCP-Obtained Address 109 How a Distributed AP Contacts an Switch (Statically Configured Address 111 Loading and Activating an Operational Image 113 Obtaining Configuration Information from the Switch 113 Session Load Balancing 114
  • D-Link DWS-1008 | Product Manual - Page 7
    Service Profile Setting 136 Disabling or Reenabling Encryption for an SSID 136 Disabling or Reenabling Beaconing of an SSID 137 Changing the Fallthru Authentication Type 137 Changing Transmit Rates 137 Disabling Idle-Client Probing 139 Changing the User Idle Timeout 139
  • D-Link DWS-1008 | Product Manual - Page 8
    Displaying Connection Service Profile for WPA 161 Enabling WPA...161 Specifying the WPA Cipher Suites 161 Changing the TKIP Countermeasures Timer Value 162 Enabling PSK Authentication 163 Disabling 802.1X Authentication for WPA 164 Displaying WPA Settings 164
  • D-Link DWS-1008 | Product Manual - Page 9
    AeroScout Listeners 186 Configuring AP Radios to Listen for AeroScout RFID Tags 186 Locating an RFID Tag...188 Configuring Quality of Service...189 About QoS...189 Summary of QoS Features 189 QoS Mode...190 WMM QoS Mode...191 WMM QoS on the DWS-1008 Switch 191
  • D-Link DWS-1008 | Product Manual - Page 10
    U-APSD Support 195 Displaying a Service Profile's Port Fast Convergence...208 Backbone Fast Convergence 208 Uplink Fast Convergence 208 Configuring Port Fast Convergence 208 Displaying Port Fast Convergence Information 209 Configuring Backbone Fast Convergence 209
  • D-Link DWS-1008 | Product Manual - Page 11
    of User ACLs 226 Creating and Committing a Security ACL 226 Setting a Source IP ACL...227 Wildcard Masks...228 Class of Service...228 Setting an ICMP ACL...229 Setting TCP and UDP ACLs 230 Setting a TCP ACL...230 Setting a UDP ACL...230 Determining the ACE Order 231
  • D-Link DWS-1008 | Product Manual - Page 12
    Support for TeleSym VoIP 247 Enabling SVP Optimization for SpectraLink Phones 248 Known Limitations...248 Configuring a Service Profile for RSN (WPA2 249 Configuring a Service and Certificates 255 Wireless Security through Installation Method for Your Network 261
  • D-Link DWS-1008 | Product Manual - Page 13
    User Groups Locally 288 Adding MAC Users and Groups 288 Clearing MAC Users and Groups 288 Configuring MAC Authentication and Authorization 289 Changing the MAC Authorization Password for RADIUS 290 Configuring Web Portal WebAAA 291 How Web Portal WebAAA Works 291
  • D-Link DWS-1008 | Product Manual - Page 14
    and Positioning Location Policy Rules 326 Clearing Location Policy Rules and Disabling the Location Policy 326 Configuring Accounting for Wireless Network Users 327 Configuring Periodic Accounting Update Records 328 Enabling System Accounting Messages 328
  • D-Link DWS-1008 | Product Manual - Page 15
    Records 329 Displaying the AAA Configuration 330 Avoiding AAA Problems in Configuration Order 331 Using the Wildcard "Any 802.1X on Wired Authentication Ports 347 Enabling and Disabling 802.1X Globally 347 Setting 802.1X Port Control 347 Managing 802.1X 354
  • D-Link DWS-1008 | Product Manual - Page 16
    Support 358 How SODA Functionality Works 358 Configuring SODA Functionality 360 Configuring Web Portal WebAAA for the Service Profile 361 Creating the SODA Agent with SODA Manager 361 Copying the SODA Agent to the Switch 362 Installing 379 Countermeasures...380
  • D-Link DWS-1008 | Product Manual - Page 17
    DoS Alerts...388 Flood Attacks...388 DoS Attacks...388 Netstumbler and Wellenreiter Applications 389 Wireless Bridge...389 Ad-Hoc Network...390 Weak WEP Key Used by Client 390 410 Backing Up and Restoring the System 411 Managing Configuration Changes 412
  • D-Link DWS-1008 | Product Manual - Page 18
    the Port Mirroring Configuration 431 Remotely Monitoring Traffic...431 How Remote Traffic Monitoring Works 432 Using Snoop Filters on Radios That Use Active Scan 432 All Snooped Traffic Is Sent in the Clear 432 Best Practices for Remote Traffic Monitoring 433
  • D-Link DWS-1008 | Product Manual - Page 19
    Extended Attributes 444 Traffic Ports Used by MSS...448 DHCP Server...449 How the MSS DHCP Server Works 450 Configuring the DHCP Server 451 Displaying DHCP Server Information 452 Glossary...453 Technical Specifications...475 Warranty...478 Registration...483
  • D-Link DWS-1008 | Product Manual - Page 20
    Product Overview Product Contents DWS-1008 8-Port Wireless Switch Power Supply Serial Cable for Connection to Console Rack-Mount Brackets (2) Rubber Feet (4) Screws (6) Install Guide Manual and Reference Guide on CD System Requirements An existing 10/100 Ethernet network DWL-8220AP Access Point(s)
  • D-Link DWS-1008 | Product Manual - Page 21
    Introduction The D-Link® AirPremier® MobileLAN™ DWS-1008 is a wireless LAN switch optimized for deployment in the Small-Medium Enterprise (SME) environment. The DWS-1008 is designed to allow easy user installation and operation yet support advanced wireless switch features such as secure mobility,
  • D-Link DWS-1008 | Product Manual - Page 22
    attempt has failed. Solid amber PoE is on but no access point is connected to the link. Blinking amber Access point is not connected or is unresponsive, or there is a PoE problem. Unlit Port is not configured as an AP access port, or PoE is off.
  • D-Link DWS-1008 | Product Manual - Page 23
    The DWS-1008 generates log messages to log system events. The log messages are stored locally and also can be exported to syslog servers. • Simple Network Management Protocol (SNMP) - A DWS-1008 switch can be configured to generate SNMP traps for major system events.
  • D-Link DWS-1008 | Product Manual - Page 24
    Text and Syntax Conventions Trapeze manuals use the following text and syntax conventions: Convention Monospace Text Bold Text Italic Text Menu in command syntax. Enclose mandatory parameters in command syntax. Separates mutually exclusive options in command syntax.
  • D-Link DWS-1008 | Product Manual - Page 25
    2 TD- 3 RD+ 4 PoE+ 5 PoE+ 6 RD- 7 PoE- 8 PoE- Note: Mounting a DWL-8220AP access point on a solid surface requires CAT5 cable that does not have strain relief. For installation on all other surfaces, you can use CAT5 cable with or without strain relief.
  • D-Link DWS-1008 | Product Manual - Page 26
    . Do not install equipment such that the branch circuit current and voltage protection is exceeded. Pay particular attention to the earthing connection for the supply connections. When using an extension cord or power strip, pay attention to the grounding type.
  • D-Link DWS-1008 | Product Manual - Page 27
    (APs) that transmit and receive radio frequency (RF) signals to and from wireless users and connect them to a DWS-1008 switch. • Mobility System Software™ (MSS™) - The operating system (firmware) that runs all D-Link DWS-1008 switches and DWL-8220AP access points in a WLAN, and is accessible through
  • D-Link DWS-1008 | Product Manual - Page 28
    of network operations. The DWS-1008 switch supports two connection modes: • Administrative access mode, which enables the network administrator to connect to the switch and configure the network. • Network access mode, which enables network users to connect through the switch to access the network
  • D-Link DWS-1008 | Product Manual - Page 29
    port and a port list in the following command, but a VLAN ID is optional: clear fdb {dynamic | port port-list} [vlan vlan-id] A vertical bar (|) separates (""). In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.
  • D-Link DWS-1008 | Product Manual - Page 30
    (ACLs) use source and destination IP addresses and wildcard masks to determine whether the switch filters or forwards IP packets. Matching packets are either permitted or denied network access. The are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
  • D-Link DWS-1008 | Product Manual - Page 31
    users at example.com whose usernames contain a period. All users with usernames that have no delimiters. All users in the Windows® Domain EXAMPLE with usernames that have no delimiters. All users in the Windows® Domain EXAMPLE whose usernames contain a period. All users
  • D-Link DWS-1008 | Product Manual - Page 32
    unique identity (OUI). VLAN Globs A VLAN glob is a method for matching one of a set of local rules on a DWS-1008 switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA
  • D-Link DWS-1008 | Product Manual - Page 33
    : DWS-1008# show port poe 1,2,4,6 • A hyphen-separated range of port numbers, with no spaces. For example: DWS-1008# reset port 1-4 • Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example: DWS-1008# show port status 1-3,6
  • D-Link DWS-1008 | Product Manual - Page 34
    command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters.
  • D-Link DWS-1008 | Product Manual - Page 35
    help' for more information show Show, use 'show help' for more information telnet telnet IP address [server port] traceroute Print the route packets take to network host To see a subset of the online help, type the command for which you want more information.
  • D-Link DWS-1008 | Product Manual - Page 36
    {ap | dap} name The set {ap | dap} name command has the following complete syntax: set {ap port-list | dap dap-num} name name • A brief description of the command's functions. • The full command syntax introduced and the version numbers of any subsequent updates.
  • D-Link DWS-1008 | Product Manual - Page 37
    is a web-based management application that is available at any time on a switch that already has IP connectivity. (Web View access also requires the switch's HTTPS server to be enabled.) The Web Quick Start application is accessible only on unconfigured switches.
  • D-Link DWS-1008 | Product Manual - Page 38
    the switch • PC with an Ethernet port that you can connect directly to the switch • Category 5 (Cat 5) or higher Ethernet cable If the PC is connected to the network, power down the PC or disable its network interface card (NIC), then unplug the PC from the network.
  • D-Link DWS-1008 | Product Manual - Page 39
    connect the switch directly to a PC that has a web browser. 2. Connect the switch to an AC power source. If the green power LED is lit, the switch is receiving power. 3. Enable the PC's NIC that is connected to the switch The wizard screens guide you through the
  • D-Link DWS-1008 | Product Manual - Page 40
    click Finish, the wizard saves the configuration settings into the switch's configuration file. If the switch is rebooted, the configuration settings are restored when the reboot is finished. The switch is ready for operation. You do not need to restart the switch.
  • D-Link DWS-1008 | Product Manual - Page 41
    AP Notice for directly connected APs can appear. To run the quickstart command: 1. Attach a PC to the switch's serial console port. (Use these modem : DWS-1008-aabbcc> 3. Access the enabled level (the configuration level) of the CLI: DWS-1008-aabbcc> enable
  • D-Link DWS-1008 | Product Manual - Page 42
    Username bob and password bobpass for 802.1X authentication • Directly connected access point on port 2, model DWL-8220AP The IP addresses, usernames, and (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name.
  • D-Link DWS-1008 | Product Manual - Page 43
    to configure wireless? [y]: y DWS-1008-aabbcc# save config 6. Optionally, enable Telnet. DWS-1008-aabbcc# set ip telnet server enable 7. Verify the configuration changes. DWS-1008-aabbcc# show config 8. Save the configuration changes. DWS-1008-aabbcc# save config
  • D-Link DWS-1008 | Product Manual - Page 44
    Access Overview D-Link Mobility System Software (MSS) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the DWS-1008 switch for
  • D-Link DWS-1008 | Product Manual - Page 45
    , use the Quick Installation Guide to set up your DWS-1008 switch and the attached access points for basic service. About Administrative Access The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access
  • D-Link DWS-1008 | Product Manual - Page 46
    enable to go into enabled mode. DWS-1008> enable 4. Press Enter to display an enabled-mode command prompt: DWS-1008# Once you see this prompt after you have typed the enable command, you have administrative privileges, which allow you to further configure the switch.
  • D-Link DWS-1008 | Product Manual - Page 47
    switch. You can optionally change the enable password from the default. Caution: D-Link recommends that you change the enable password from the default (no password) to prevent unauthorized users following command: DWS-1008# save config success: configuration saved.
  • D-Link DWS-1008 | Product Manual - Page 48
    administrative access is different from the fallthru authentication type None, which applies only to network access. The authentication method none allows access to the switch by an administrator. The fallthru authentication type None denies access to a network user.
  • D-Link DWS-1008 | Product Manual - Page 49
    form of the password in show commands. Note: Although MSS allows you to configure a user password for the special "last-resort" guest user, the password has no effect. Last-resort users can never access a DWS-1008 switch in administrative mode and never require a password.
  • D-Link DWS-1008 | Product Manual - Page 50
    with the password spRin9 in the local database on the switch, type the following command: DWS-1008# set user Jose password spRin9 success: User Jose created The encrypted option indicates that the password string you are entering is the encrypted form of the password. Use this option only if you do
  • D-Link DWS-1008 | Product Manual - Page 51
    : r1 Web Portal: enabled set authentication console * local set authentication admin * local set accounting admin Geetha stop-only local set accounting admin * start-stop local user Geetha Password = 1214253d1d19 (encrypted)
  • D-Link DWS-1008 | Product Manual - Page 52
    of the switch, Natasha is connected through the console and has enabled access. To enable local authentication for a console user, you must configure a local username. Natasha types the following commands in this order: DWS-1008# set user natasha password m@Jor User natasha created DWS-1008# set
  • D-Link DWS-1008 | Product Manual - Page 53
    server r1 address 192.168.253.1 key sunFLOW#$ success: change accepted. DWS-1008# set server group sg1 members r1 success: change accepted. DWS-1008# set authentication console * local sg1 success: change accepted. DWS-1008# save config success: configuration saved.
  • D-Link DWS-1008 | Product Manual - Page 54
    . DWS-1008# set server group sg1 members r1 success: change accepted. DWS-1008# set authentication console * sg1 none success: change accepted. DWS-1008# set authentication admin * sg1 none success: change accepted. DWS-1008# save config success: configuration saved.
  • D-Link DWS-1008 | Product Manual - Page 55
    (PoE) state • Load sharing Setting the Port Type A DWS-1008 switch port can be one of the following types: • Network port - A network port is a Layer 2 switch port that connects the switch to other networking devices such as switches and routers. • AP access port - An AP access port connects the
  • D-Link DWS-1008 | Product Manual - Page 56
    point model DWL-8220AP and enable PoE on the ports, type the following command: DWS-1008# set port type ap 4-6 model dwl-8220ap poe enable This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 57
    . To set port 2 as a wired authentication port, type the following command: DWS-1008# set port type wired-auth 2 success: change accepted This command configures port 2 as a wired authentication port supporting one interface and one simultaneous user session.
  • D-Link DWS-1008 | Product Manual - Page 58
    type port-list For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command: DWS-1008# clear port type 5 This may disrupt currently authenticated users. Are you sure? (y/n) [n]y success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 59
    following command: DWS-1008# set port 2 name adminpool success: change accepted. Note: To avoid confusion, D-Link recommends that you do not use numbers as port names. Removing a Port Name To remove a port name, use the following command: clear port port-list name
  • D-Link DWS-1008 | Product Manual - Page 60
    a Port All ports are enabled by default. To administratively disable a port, use the following command: set port {enable | disable} port-list A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
  • D-Link DWS-1008 | Product Manual - Page 61
    its link state and PoE state. MSS disables the port's link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing an access point that is connected to two DWS-1008 switches to reboot using the port connected to the other switch. To reset a port, use
  • D-Link DWS-1008 | Product Manual - Page 62
    command: DWS-1008# show port poe 1,4 Link Port PoE PoE Port Name Status Type config Draw 1 1 down AP disabled off 4 4 up AP enabled 1.44 In this example, PoE is disabled on port 1 and enabled on port 4. The access point connected to port 4 is
  • D-Link DWS-1008 | Product Manual - Page 63
    cannot be configured. To monitor port statistics, use the following command: monitor port counters [octets | packets | statistics • Transmit Ethernet statistics Each type of statistic is displayed separately. Press the Spacebar to cycle through the displays for each
  • D-Link DWS-1008 | Product Manual - Page 64
    port in a group fails, the switch reassigns traffic to the remaining ports. When the failed port starts operating again, the switch begins using it for new traffic flows. Traffic that belonged to the port before it failed continues to be assigned to other ports.
  • D-Link DWS-1008 | Product Manual - Page 65
    Tunl Port VLAN Name Status State Affin Port Tag State 1 default Up Up 5 server2 none Up To indicate that the ports are configured as a port group, the show vlan config output lists the port group name instead of the individual port numbers.
  • D-Link DWS-1008 | Product Manual - Page 66
    Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a D-Link DWS-1008 switch, use the following command on the Catalyst switch: set port channel port-list mode on
  • D-Link DWS-1008 | Product Manual - Page 67
    the system IP address to one of the VLANs, for communications between switches and for unsolicited communications such as SNMP traps and RADIUS accounting messages. Any IP address configured on a switch can be used for management access unless explicitly restricted.
  • D-Link DWS-1008 | Product Manual - Page 68
    user database: • Tunnel-Private-Group-ID - This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support. • VLAN-Name - This attribute is a D-Link you configure on the VLAN ports through which the Distributed AP is connected to the switch.
  • D-Link DWS-1008 | Product Manual - Page 69
    can change a VLAN's name. For example, to assign the name red to VLAN 2, type the following command: DWS-1008# set vlan 2 name red After you create a VLAN, you can use the VLAN number or the VLAN name in commands. In addition, the VLAN name appears in CLI display.
  • D-Link DWS-1008 | Product Manual - Page 70
    a port list or tag value clears all ports and tag values from the VLAN. To remove port 4 from VLAN red, type the following command: DWS-1008# clear vlan red port 4 This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 71
    following command: DWS-1008# clear vlan ecru This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y success: change accepted. Note: You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but D-Link recommends against
  • D-Link DWS-1008 | Product Manual - Page 72
    none Up 3 none Up 4 none Up 6 none Up Note: The display can include access ports and wired authentication ports, because MSS dynamically adds these ports to a VLAN when handling user traffic for the VLAN.
  • D-Link DWS-1008 | Product Manual - Page 73
    database entry.) Added by the switch itself - For example, the authentication protocols can add entries for wired and wireless authentication users. The switch also adds any static entries added by the system administrator and saved in the configuration file.
  • D-Link DWS-1008 | Product Manual - Page 74
    Entry. # = System Entry. VLAN Ports TAG Dest MAC/Route Des [CoS] Destination [Protocol Type] 1 00:01:97:13:0b:1f 1 [ALL] 1 aa:bb:cc:dd:ee:ff * 3 [ALL] 1 Total 00:0b:0e:02:76:f5 Matching FDB Entries Displayed = 3 1 [ALL]
  • D-Link DWS-1008 | Product Manual - Page 75
    that match all VLANs, type the following command: DWS-1008# clear fdb dynamic success: change accepted. To clear all dynamic forwarding database entries that match ports 3 and 5, type the following command: DWS-1008# clear fdb port 3,5 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 76
    to display the aging timeout period for all configured VLANs, type the following command: DWS-1008# show fdb agingtime VLAN 2 aging time = 300 sec VLAN 1 aging time = seconds, type the following command: DWS-1008# set fdb agingtime 2 age 600 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 77
    change. Type the following commands: DWS-1008# set system countrycode US success: change accepted. DWS-1008# show system Product Name: DWS-1008 System Name: DWS-1008 System Countrycode: US System Location: System Contact: System IP: 0.0.0.0
  • D-Link DWS-1008 | Product Manual - Page 78
    ports 2 through 8 for connection to access point model DWL-8220AP and verify the configuration changes. Type the following commands: DWS-1008# set port type ap 2-8 model dwl-8220ap poe down --- --- invalid 8 Backbone down --- --- invalid
  • D-Link DWS-1008 | Product Manual - Page 79
    Port Tag State 1 default Up Up 5 1 none Up 2 roaming Up Up 5 2 none Up 3 none Up 7. Save the configuration. Type the following command: DWS-1008# save config success: configuration saved.
  • D-Link DWS-1008 | Product Manual - Page 80
    DWS-1008 switches is supported over any path MTU, and the Mobility Domain itself can run over the minimum IP path MTU (PMTU). However, tunnels between two switches require a path MTU of at least 1384 bytes. This minimum MTU path is required because D-Link devices use IP tunnels to transport user
  • D-Link DWS-1008 | Product Manual - Page 81
    enables a switch to obtain its IP configuration from a DHCP server. A switch can use and BOOTP Vendor Extensions". The client supports the following options: • (12 to DLINK x.x.x, where x.x.x is the MSS version The DHCP client is disabled by default on the DWS-1008.
  • D-Link DWS-1008 | Product Manual - Page 82
    If the default domain name and DNS server IP address are already configured on the switch, and DNS is enabled, the configured values are used. Otherwise, the values received corpvlan: DWS-1008# set interface corpvlan ip dhcp-client enable success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 83
    ). In the following example, VLAN corpvlan received IP address 10.3.1.110 from a DHCP server. DWS-1008# show interface * = From DHCP VLAN Name Address Mask Enabled State RIB 4 corpvlan *10.3.1. the system IP address will not work correctly.
  • D-Link DWS-1008 | Product Manual - Page 84
    System IP Address You can designate one of the IP addresses configured on a switch to be the system IP address of the switch. The system IP address determines the interface or source IP address MSS uses IP address, use the following command: clear system ip-address
  • D-Link DWS-1008 | Product Manual - Page 85
    routes for the interface to resolve the static route. If the switch does not have an interface in the default router's subnet, the static route cannot be resolved and the VLAN:Interface field of the show ip route command output shows that the static route is down.
  • D-Link DWS-1008 | Product Manual - Page 86
    attached subnets that the switch's IP addresses are in. Local routes are for destination interfaces configured on the switch itself. MSS automatically adds the 224.0.0.0 route to support the IGMP snooping feature down, so MSS selects the default route to 10.0.2.17.
  • D-Link DWS-1008 | Product Manual - Page 87
    accepted. To add an explicit route from a switch to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and give the route a cost of 1, type the following command: DWS-1008# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 88
    DWS-1008# clear ip route default 10.5.5.5 success: change accepted. Managing the Management Services MSS provides the following services for managing a switch over the network: • Secure Shell (SSH) provides a secure connection to the CLI through TCP port Telnet.
  • D-Link DWS-1008 | Product Manual - Page 89
    user username password password Optionally, you also can configure MSS either to locally authenticate the user or to use a RADIUS server to authenticate the user. Use the following command: set authentication admin {user-glob} method1 [method2] [method3] [method4]
  • D-Link DWS-1008 | Product Manual - Page 90
    : DWS-1008# set user mxadmin password letmein success: User mxadmin created DWS-1008# set authentication admin mxadmin sg1 success: change accepted Changing the SSH Service Port Number To change the SSH port the switch listens on for SSH connections, use the following command: set ip ssh port port
  • D-Link DWS-1008 | Product Manual - Page 91
    as you press Enter. To display the SSH server sessions on a DWS-1008 switch, type the following command: DWS-1008# show sessions admin Tty Username Time(s) Type tty0 3644 Console tty2 use the following command: set ip telnet server {enable | disable}
  • D-Link DWS-1008 | Product Manual - Page 92
    . To open a new management session, you must Telnet to the switch with the new Telnet port number. Resetting the Telnet Service Port Number to Its Default To reset the Telnet management service to its default TCP port, use the following command: clear ip telnet
  • D-Link DWS-1008 | Product Manual - Page 93
    . To enable HTTPS, use the following command: set ip https server {enable | disable} Caution: If you disable the HTTPS server, Web View access to the switch is also disabled.
  • D-Link DWS-1008 | Product Manual - Page 94
    To display HTTPS service information, use the following command: show ip https To display information for a switch's HTTPS server, type the following command: DWS-1008> show ip https HTTPS is enabled HTTPS is set to use port 443 Last 10 Connections: IP Address Last Connected Time Ago
  • D-Link DWS-1008 | Product Manual - Page 95
    a switch to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The switch always sends a request to the primary DNS server first. The switch sends a request to a secondary DNS server only if the primary DNS server does not respond.
  • D-Link DWS-1008 | Product Manual - Page 96
    domain name. In this case, you can enter ping chris instead of ping chris.example.com, and the switch automatically requests the DNS server to send the IP address for chris.example.com. To override the default name, use the following command: clear ip dns domain
  • D-Link DWS-1008 | Product Manual - Page 97
    switch configured to use three DNS servers. DWS-1008 DWS-1008# set ip alias HR1 192.168.1.2 success: change accepted. After configuring the alias, you can use HR1 in commands in place of the IP address. For example, to ping 192.168.1.2, you can type the command ping HR1.
  • D-Link DWS-1008 | Product Manual - Page 98
    or similar summertime period. Note: D-Link recommends that you set the time and date parameters before you install certificates on the switch. If the switch's time and date are incorrect, (set summertime command) • Configure NTP server information (set ntp commands)
  • D-Link DWS-1008 | Product Manual - Page 99
    the following command: show timezone For example, to display the time zone, type the following command: DWS-1008# show timezone Timezone set to 'PST', offset from UTC is -8 hours Clearing the Time Zone To clear the time zone, use the following command: clear timezone
  • D-Link DWS-1008 | Product Manual - Page 100
    the following command: show summertime For example, to display the summertime period, type the following command: DWS-1008# show summertime Summertime is enabled, and set to 'PDT'. Start :Sun Apr 04 2004, 02 period, use the following command: clear summertime
  • D-Link DWS-1008 | Product Manual - Page 101
    NTP servers for an update every 64 seconds and waits 15 seconds for a reply. If the switch does not receive a reply to an NTP query within 15 seconds, the switch tries again up to 16 times. You can change the update interval but not the timeout or number of retries.
  • D-Link DWS-1008 | Product Manual - Page 102
    command: set ntp server ip-addr To configure a switch to use NTP server 192.168.1.5, type the following command: DWS-1008# set ntp server 192.168.1.5 Removing an NTP Server the following command: DWS-1008# set ntp update-interval 128 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 103
    Displaying NTP Information To display NTP information, use the following command: show ntp Here is an example: DWS-1008> show ntp NTP client: enabled Current update-interval: 20(secs) Current time: Sun Feb 29 2004, if you change the timezone or enable summertime.
  • D-Link DWS-1008 | Product Manual - Page 104
    the switch. The ARP table can also contain static and permanent entries, which are added by an administrator. The State field indicates whether an entry is resolved (RESOLVED) or whether MSS has sent an ARP request for the entry and is waiting for the reply (RESOLVING).
  • D-Link DWS-1008 | Product Manual - Page 105
    for a switch and dynamic entries for addresses learned from traffic received by the switch. You can DWS-1008# set arp agingtime 0 success: set arp aging time to 0 seconds Note: To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.
  • D-Link DWS-1008 | Product Manual - Page 106
    .1.1.1 ping statistics -5 packets transmitted, 5 packets received, 0 errors, 0% packet loss In this example, the ping is successful, indicating that the switch has IP connectivity with the other device. Note: A switch cannot ping itself. MSS does not support this.
  • D-Link DWS-1008 | Product Manual - Page 107
    {ip-addr | hostname} [port port-num] To establish a Telnet session from switch to 10.10.10.90, type the following command: DWS-1008# telnet 10.10.10.90 Session 0 pty tty2.d Trying 10.10.10.90... Connected to 10.10.10.90 Disconnect character is '^t' Copyright (c) 2002, 2003 D-Link Systems, Inc
  • D-Link DWS-1008 | Product Manual - Page 108
    reached). To determine when a datagram has reached its destination, traceroute sets the UDP destination port in the datagram to a very large value, one that the destination host is unlikely the hop that is closest to the switch and ending with the route's destination.
  • D-Link DWS-1008 | Product Manual - Page 109
    to SNMPv1, but supports informs. An inform is users, with individually configurable access levels, authentication options, and encryption options. All SNMP versions are disabled by default. Configuring SNMP To configure SNMP, perform the following tasks: • Set the switch
  • D-Link DWS-1008 | Product Manual - Page 110
    a switch, use the following commands: set system location string set system contact string Each string can be up to 256 characters long, with no blank spaces. The following commands set a DWS-1008's , with no spaces. You can configure up to 10 community strings.
  • D-Link DWS-1008 | Product Manual - Page 111
    on the switch but cannot set user, use the following command: clear snmp usm usm-username snmp-engine-id {ip (ip-addr) | local | hex (hex-string)} The usm-username can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 20 SNMPv3 users.
  • D-Link DWS-1008 | Product Manual - Page 112
    value computed from the switch's system IP address. The access option specifies the access level of the user. The options are DES or 3DES, or at least 12 characters long for AES. • To specify a key, use the encrypt-key hex-string option. Type a 16-byte hexadecimal string.
  • D-Link DWS-1008 | Product Manual - Page 113
    notifications. You also can require encryption in addition to authentication. SNMPv1 and SNMPv2c do not support authentication or encryption. If you plan to use SNMPv1 or SNMPv2c, leave the minimum encrypted, and notifications are neither authenticated nor encrypted.
  • D-Link DWS-1008 | Product Manual - Page 114
    Generated when an access point fails to respond to the switch. AuthenTraps - Generated when the switch's SNMP engine receives a bad community string. AutoTuneRadioChannelChangeTraps - Generated when a client's attempt to associate with a radio fails.
  • D-Link DWS-1008 | Product Manual - Page 115
    when MSS detects, on the wired part of the network, the MAC address of a wireless client associated with a third-party AP. RFDetectDoSPortTraps - Generated when MSS detects an associate request flood, reassociate request flood, or disassociate request flood.
  • D-Link DWS-1008 | Product Manual - Page 116
    AP that is on the attack list. RFDetectUnAuthorizedOuiTraps - Generated when a wireless device that is not on the list of permitted vendors is detected. to send for all notification types: DWS-1008# set snmp notify profile default send all success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 117
    udp-port-number] v2c community-string trap [profile profile-name] To configure a notification target for traps from SNMPv1, use the following command: set snmp notify target target-num ip-addr[:udp-port-number] v1 community-string [profile profile-name]
  • D-Link DWS-1008 | Product Manual - Page 118
    port number to send notifications to. The default is 162. Use v1, v2c, or usm to specify the SNMP version. The inform or trap option specifies whether the MSS SNMP engine expects the target to acknowledge notifications sent to the target by the switch default is 2.
  • D-Link DWS-1008 | Product Manual - Page 119
    • Configured community strings • User-based security model (USM) settings • Notification targets • SNMP statistics counters Displaying SNMP Version and Status Information To display SNMP version and status information, use the following command: show snmp status
  • D-Link DWS-1008 | Product Manual - Page 120
    profiles, use the following command: show snmp notify profile The command lists settings separately for each notification profile. The use count indicates how many notification targets use SNMP statistics counters, use the following command: show snmp counters
  • D-Link DWS-1008 | Product Manual - Page 121
    a 10/100 Ethernet link and connects to wireless users through radio signals. Overview The diagram below shows an example of a D-Link network containing DWL-8220AP access points and DWS-1008 switches. An AP can be directly connected to a switch port or indirectly connected to a switch through a Layer
  • D-Link DWS-1008 | Product Manual - Page 122
    for a Distributed AP based on the AP's serial number. Similar to ports configured for directly connected APs, Distributed AP configurations are numbered and can reference a particular AP. These numbered configurations do not, however, reference any physical port.
  • D-Link DWS-1008 | Product Manual - Page 123
    for DLINK. The AP ignores the IP address returned for wlan-switch. • If both DLINK and wlan-switch are defined in DNS, and the AP is unable to contact the IP address returned for DLINK, the AP never contacts the IP address returned for wlan-switch. The AP does not boot.
  • D-Link DWS-1008 | Product Manual - Page 124
    of switch IP addresses or hostnames, in the following format: ip: ip-addr1, ip-addr2,... or host: hostname1,hostname2,... You can use an IP address list or a hostname list, but not both. If the list contains both types of values, the AP does not attempt to use the list.
  • D-Link DWS-1008 | Product Manual - Page 125
    MSS load-balances user sessions among the access points in the group. Automatic upgrade of boot firmware. LED blink mode - blinking LEDs on an AP make the AP visually easy to identify. Information about the physical location of an AP. Contact information for the AP.
  • D-Link DWS-1008 | Product Manual - Page 126
    DWS-1008 and Ethernet switch. If an intermediate Ethernet connection is used, you also need a Distributed AP configuration on a switch somewhere in the network. Dual-homing support for data link redundancy is automatically enabled when you connect both AP Ethernet ports.
  • D-Link DWS-1008 | Product Manual - Page 127
    DWS-1008 IP addresses or hostnames, in the Option 43 field. 3. The AP broadcasts a DHCP Request to the DHCP servers, and receives an Ack from a DHCP server. The AP then configures its network connection with the information contained in the Ack message from that server.
  • D-Link DWS-1008 | Product Manual - Page 128
    DNS server for the IP addresses of the hosts, then sends a unicast Find switch message to each address. The process skips to step 6. • If no switches reply, the AP repeatedly resends the Find switch messages. If no switches reply, the process continues with step 3.
  • D-Link DWS-1008 | Product Manual - Page 129
    for DLINK. The AP ignores the IP address returned for wlan-switch. • If both DLINK and wlan-switch are defined in DNS, and the AP is unable to contact the IP address returned for DLINK, the AP never contacts the IP address returned for wlan-switch. The AP does not boot.
  • D-Link DWS-1008 | Product Manual - Page 130
    IP address information is enabled for the AP. B. The IP address of a suitable switch for the AP to use as a boot device. C. The fully qualified domain name of a switch to use as a boot device, and the IP address of a DNS server used to resolve the switch's name.
  • D-Link DWS-1008 | Product Manual - Page 131
    sends a Find switch message to the switch. • If a response is received from the switch, then the AP sends a unicast message to the switch, to request an operational image. • If a response is not received from the switch, then the process skips to step 4 on page 113.
  • D-Link DWS-1008 | Product Manual - Page 132
    connected. This information includes commands that activate the radios on the AP, regulate power levels, assign SSIDs, and so on. After the AP receives the configuration information from the switch, it is then operational on the network as a wireless access point.
  • D-Link DWS-1008 | Product Manual - Page 133
    clients. Denies access to users who do not match an 802.1X or MAC authentication rule for the SSID requested by the user. Does not support using a preshared key (PSK) to authenticate WPA clients. Sends beacons to advertise the SSID managed by the service profile.
  • D-Link DWS-1008 | Product Manual - Page 134
    switch where the user logged on. Note: Enabling this option does not retain the user's initial VLAN assignment in all cases. Sends a long unicast frame up to five times without acknowledgment. Does not reduce wireless ) files are not downloaded to connecting clients.
  • D-Link DWS-1008 | Product Manual - Page 135
    SSID name dlink. Encrypts wireless traffic for connected to the radio. Accepts frames from clients at all valid data rates. (No rates are disabled by default.) user-idle-timeout web-portal-acl web-portal-form the service profile continues to also support dynamic WEP.
  • D-Link DWS-1008 | Product Manual - Page 136
    encryption. Use the clear SSID for public access to nonsecure portions of your network. All supported access point models can support up to 32 SSIDs per radio. Each SSID can be encrypted or clear, and (WEP) • Non-WPA static WEP Dynamic WEP is enabled by default.
  • D-Link DWS-1008 | Product Manual - Page 137
    ). Advertises support for short service profiles defined You must configure a profile. The service profile sets defined the SSID name and other parameters. Disable Requires clients to send a separate PSpoll to retrieve each unicast packet buffered by the AP radio.
  • D-Link DWS-1008 | Product Manual - Page 138
    applies only to APs that support external antennas. internal. D-Link external antenna model Note: This parameter is configurable only on APs that support external antennas. Highest setting radio, in decibels the referred to 1 milliwatt (dBm) highest setting.
  • D-Link DWS-1008 | Product Manual - Page 139
    for automatic configuration of Distributed APs. • Configure AP access ports and dual homing. • Configure AP-Switch security. • Configure a service profile to set SSID and encryption parameters. • Configure a radio of the codes listed in the table on the next page.
  • D-Link DWS-1008 | Product Manual - Page 140
    SV EG EE FI FR DE GR GT HN HK HU DWS-1008 System Name: DWS-1008 System Countrycode: US System Location: System Contact: System IP: 30.30.30.2 System idle timeout: 3600 System MAC: 00:0B:0E:02:76:F6 Boot Time: 2003-05-07 08:28:39 Uptime: 0 days 04:00:07
  • D-Link DWS-1008 | Product Manual - Page 141
    to add new unconfigured Distributed APs is the lesser of the following: • Maximum number of APs that can be configured on the switch, minus the number that are configured. • Maximum number of APs that can be active on the switch, minus the number that are active.
  • D-Link DWS-1008 | Product Manual - Page 142
    connection from the configured AP in its place. The disconnected AP can then begin the boot process again to find another switch that has an Auto-AP profile. When the AP is disconnected, the AP's clients experience a service APs, you must enable the profile.
  • D-Link DWS-1008 | Product Manual - Page 143
    -firmware {enable | disable} Radio Parameters: set dap auto radiotype {11a | 11b | 11g} set dap auto radio {1 | 2} auto-tune max-power power-level set dap auto radio {1 | 2} mode {enable | disable} set dap auto radio {1 | 2} radio-profile name mode {enable | disable}
  • D-Link DWS-1008 | Product Manual - Page 144
    profile, type the following command: DWS-1008# show dap status auto Dap: 100 (auto), IP-addr: 10.8.255.6 (vlan 'default'), AP model: DWL-8220AP, manufacturer: D-Link, name: DAP100 State: operational employee-net bssid3: 00:0b:0e:00:d2:c4, ssid: mycorp-tkip
  • D-Link DWS-1008 | Product Manual - Page 145
    Layer or Layer network, configure a Distributed AP on the switch. • Optionally, you also can change other parameters that affect the entire AP: • AP name. • Dual-home bias. • Load-balancing group. • Automatic firmware upgrade capability. • LED blink mode
  • D-Link DWS-1008 | Product Manual - Page 146
    Enabled as users are authenticated and join VLANs. Not applicable Caution: When you set the port type for AP use, you must specify the PoE state (enable or disable) of the port. Use the DWS-1008 switch's PoE to power D-Link DWL-8220AP access points only. If you enable PoE on a port connected to
  • D-Link DWS-1008 | Product Manual - Page 147
    connect to a switch. In some installations, DHCP may not be available. In such a case, you can manually switch's name. If you specify both the address of the switch, and the switch's name and DNS server address, then the AP ignores the switch's address and uses the name.
  • D-Link DWS-1008 | Product Manual - Page 148
    the port. Note: The clear port type command does not place the cleared port in any VLAN, not even in the default VLAN (VLAN 1). To use the cleared port in a VLAN, you must add the port to the VLAN. To clear a Distributed AP, use the following command: clear dap dap-num
  • D-Link DWS-1008 | Product Manual - Page 149
    : set {ap port-list | dap dap-num} group name To configure a load-balancing group named loadbalance1 that contains directly-connected access points on ports 1, 4, and 6, type the following command: DWS-1008# set ap 1,4,6 group loadbalance1 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 150
    and does not have a newer AP image than the one in the AP's local storage. If the switch is not running MSS Version 5.0 or later, or the switch has a newer version of the AP image than the version in the AP's local storage, the AP loads its image from the switch.
  • D-Link DWS-1008 | Product Manual - Page 151
    a label on the back of the AP, in the following format: RSA aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa If the AP is already installed, you can display the fingerprint in MSS.
  • D-Link DWS-1008 | Product Manual - Page 152
    identity. Verifying an AP's Fingerprint on a Switch To verify an AP's fingerprint, find the fingerprint and use the set dap fingerprint command to enter the fingerprint in MSS. Finding the Fingerprint An AP's fingerprint is listed on a label on the back of the AP.
  • D-Link DWS-1008 | Product Manual - Page 153
    dlink DWS-1008# set dap 8 fingerprint b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3 success: change accepted. Note: A change to AP security support does not affect management sessions that are already established. To apply the new setting to an AP, restart the AP.
  • D-Link DWS-1008 | Product Manual - Page 154
    connection to APs with or without encryption. The following command configures a switch to require Distributed APs to have encryption keys: DWS-1008 verify that the AP is authentic. Configuring a Service Profile A service profile is a set of parameters that control
  • D-Link DWS-1008 | Product Manual - Page 155
    to change. Do not use the clear service-profile command. Disabling or Reenabling Encryption for an SSID To specify whether the SSID is encrypted or unencrypted, use the following command: set service-profile name ssid-type [clear | crypto] The default is crypto.
  • D-Link DWS-1008 | Product Manual - Page 156
    the specified mandatory rates. The valid rates depend on the radio type: • 11b - 1, 2, 5.5, 11 • 11g - 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Use a comma to separate multiple rates; for example: 6.0,9.0,12.0
  • D-Link DWS-1008 | Product Manual - Page 157
    are supported by service profile sp1 to 6 Mbps and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps: DWS-1008# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.0 disabled 48.0,54.0 beacon-rate 9.0 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 158
    the user-idle timeout, use the following command: set service-profile name user-idle-timeout seconds The following command increases the user idle timeout to 360 seconds (6 minutes): DWS-1008# set service-profile sp1 user-idle-timeout 360 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 159
    configure a radio profile: • Create a new profile. • Change radio parameters. • Map the radio profile to one or more service profiles. The channel number, transmit power, and external antenna type are unique to each radio and are not controlled by radio profiles.
  • D-Link DWS-1008 | Product Manual - Page 160
    profile. To configure a new radio profile named rp1, type the following command: DWS-1008# set radio-profile rp1 success: change accepted. To assign the profile to one following command: DWS-1008# set radio-profile rp1 beacon-interval 200 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 161
    256 bytes through 3000 bytes. The default is 2346. To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command: DWS-1008# set radio-profile rp1 rts-threshold 1500 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 162
    threshold for radio profile rp1 to 4000 ms, type the following command: DWS-1008# set radio-profile rp1 max-rx-lifetime 4000 success: change accepted. 4000 ms, type the following command: DWS-1008# set radio-profile rp1 max-tx-lifetime 4000 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 163
    that use the radio profile rp_long to advertise support for long preambles instead of short preambles, type the following command: DWS-1008# set radio-profile rp_long preamble-length long success parameter, MSS deletes the entire profile from the configuration.
  • D-Link DWS-1008 | Product Manual - Page 164
    • For the 802.11a radio in a two-radio model, specify radio 2. Note: The maximum transmit power you can configure on any D-Link radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
  • D-Link DWS-1008 | Product Manual - Page 165
    configure the 802.11a radio on port 5 for channel 36 with a transmit power of 10 dBm, type the following command: DWS-1008# set ap 5 radio 2 channel 36 tx-power 10 success: change accepted. You also can change the channel and transmit power on an individual basis.
  • D-Link DWS-1008 | Product Manual - Page 166
    : DWS-1008# set ap 2-4, 6 radio 2 radio-profile rp1 mode enable success: change accepted. To disable radio 1 on port 6 without disabling the other radios using radio profile rp1, type the following command: DWS-1008# set ap 6 radio 1 radio-profile rp1 mode disable
  • D-Link DWS-1008 | Product Manual - Page 167
    the beacon interval, then reenable the radios: DWS-1008# set radio-profile rp1 mode disable success: change accepted. DWS-1008# set radio-profile rp1 beacon-interval 200 success: change accepted. DWS-1008# set radio-profile rp1 mode enable success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 168
    following command: clear {ap port-list | dap dap- DWS-1008 switch • Connection information for Distributed APs • Service profile information • Radio profile information • Status information • Information about static IP addresses on Distributed APs • Statistics counters
  • D-Link DWS-1008 | Product Manual - Page 169
    separately for each access point. To display configuration information for an access point on switch port 2, type the following command: DWS-1008# show ap config 6 Port 6: AP model: DWL-8220AP, POE configured on connection 1, type the following command: DWS-1008# show
  • D-Link DWS-1008 | Product Manual - Page 170
    DAP field indicates that the AP is configured on another switch in the same Mobility Domain. Displaying a List of Distributed APs that Are Not Configured To display a list of Distributed APs that are not configured, use the following command: show dap unconfigured
  • D-Link DWS-1008 | Product Manual - Page 171
    Port Vlan 0333001287 DWL-8220AP 10.3.8.54 5 default 0333001285 DWL-8220AP 10.3.8.57 7 vlan-eng Displaying Active Connection Information for Distributed APs A Distributed AP can have only one active data connection. To display the system IP address of the switch
  • D-Link DWS-1008 | Product Manual - Page 172
    | 2}]] The terse option displays a brief line of essential status information for each directly connected AP or Distributed AP. The all option displays information for all directly attached access points and all Distributed AP access points configured on the switch.
  • D-Link DWS-1008 | Product Manual - Page 173
    command: DWS-1008# show dap boot-configuration 1 Flags: 11 DAP: 1 Enable ip: yes Enable vlan: no Enable mx: yes Vlan Tag: off IP address: 172.16.0.42 IP netmask: 255.255.255.0 gateway: 172.16.0.20 IP: 172.16.0.21 DNS: 172.16.0.1 name: mxr2
  • D-Link DWS-1008 | Product Manual - Page 174
    port-list [radio {1 | 2}]] show dap counters [dap-num [radio {1 | 2}]] To display statistics counters for Distributed AP 7, type the following command: DWS-1008 0 1 68 0 0 29 54.0: 0 0 0 0 0 0 0 0 5 TOTL: 6660 55683 832715 8697520 41 11513 0 0 12948 ...
  • D-Link DWS-1008 | Product Manual - Page 175
    type is clear, wireless traffic is not encrypted, regardless of the encryption settings. Note: MSS does not encrypt traffic in the wired part of the network. MSS does not encrypt wireless or wired traffic for users who associate with an unencrypted (clear) SSID.
  • D-Link DWS-1008 | Product Manual - Page 176
    to support one or more of these cipher suites. For all of these cipher suites, MSS dynamically generates unique session keys for each session. MSS periodically changes the keys to reduce the likelihood that a network intruder can intercept enough frames to decode a key.
  • D-Link DWS-1008 | Product Manual - Page 177
    and clients verify the integrity of a wireless frame received on the network by generating clients. In addition, MSS generates an SNMP trap that indicates the switch port and radio that received frames with the two MIC failures as well integrity check value (ICV).
  • D-Link DWS-1008 | Product Manual - Page 178
    requires user information to be configured on AAA servers or in the switch's local entering the key itself in raw (hexadecimal) form. Note: For a MAC client that authenticates WPA support in a service profile, you must enable the WPA IE. The following types of wireless
  • D-Link DWS-1008 | Product Manual - Page 179
    suite in the service profile for the Supported WPA - TKIP WPA - WEP40 WPA - WEP 104 Dynamic WEP Static WEP WPA - TKIP Supported Client Encryption Type WPA WEP40 WPA WEP104 Supported Supported Dynamic WEP Static WEP Supported Supported Supported Supported
  • D-Link DWS-1008 | Product Manual - Page 180
    support WPA: 1. Create a service profile for each SSID that will support WPA clients. 2. Enable the WPA IE in the service profile. 3. Enable the cipher suites you want to support in the service By default, TKIP is enabled and the other cipher suites are disabled.
  • D-Link DWS-1008 | Product Manual - Page 181
    value, use the following command: set service-profile name tkip-mc-time wait-time To change the countermeasures wait time in service profile wpa to 30 seconds, type the following command: DWS-1008# set service-profile wpa tkip-mc-time 30000 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 182
    number. Examples: To configure service profile wpa to use a raw PSK with PSK clients, type a command such as the following: DWS-1008# set service-profile wpa psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 183
    non-WPA clients. To disable WPA authentication in service profile wpa, type the following command: DWS-1008# set service-profile wpa auth-dot1x disable success: change accepted Note: The WPA fields appear in the show service-profile output only when WPA is enabled.
  • D-Link DWS-1008 | Product Manual - Page 184
    1 radio-profile bldg1 mode enable success: change accepted. To assign radio profile bldg1 to radio 2 on ports 1-3 and port 5 and enable the radios, type the following command: DWS-1008# set ap 1-3,5 radio 2 radio-profile bldg1 mode enable success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 185
    ) in the service profile. To enable the RSN IE, use the following command: set service-profile name rsn-ie {enable | disable} To enable RSN in service profile wpa, type the following command: DWS-1008# set service-profile rsn rsn-ie enable success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 186
    Settings To display the RSN settings in a service profile, use the following command: show service-profile {name | ?} The RSN settings appear at the bottom of the output. The RSN-related fields appear in the show service-profile output only when RSN is enabled.
  • D-Link DWS-1008 | Product Manual - Page 187
    configured keys typed in the switch's configuration and on the wireless client and does not rotate the keys. Dynamic WEP encryption is enabled by default. You can disable dynamic WEP support by enabling WPA and you configure the same static keys on the clients.
  • D-Link DWS-1008 | Product Manual - Page 188
    Keys".) Setting Static WEP Key Values MSS supports dynamic WEP automatically. To enable static service-profile name wep active-multicast-index num set service-profile name wep active-unicast-index num The num parameter specifies the key and the value can be from 1 to 4.
  • D-Link DWS-1008 | Product Manual - Page 189
    service profile to mycorp. Type the following command: DWS-1008# set service-profile wpa ssid-name wpa success: change accepted. 4. Enable WPA in service profile wpa. Type the following command: DWS-1008# set service-profile wpa wpa-ie enable success: change accepted. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 190
    . Type the following command: DWS-1008# set authentication dot1x ssid thiscorp EXAMPLE\* pass-through shorebirds 2. Create a service profile named wpa-wep for the SSID. Type the following command: DWS-1008# set service-profile wpa-wep success: change accepted. D-Link DWS-1008 User Manual 171
  • D-Link DWS-1008 | Product Manual - Page 191
    accepted. DWS-1008# set ap 11 radio 2 radio-profile rp2 mode enable success: change accepted. DWS-1008# show ap config Port 5: AP model: dwl-8220ap, POE: enable, Save the configuration. Type the following command: DWS-1008# save config success: configuration saved. D-Link DWS-1008 User Manual 172
  • D-Link DWS-1008 | Product Manual - Page 192
    mac-user aa:bb:cc:dd:ee:ff Group = wpa-for-mac mac-user a1:b1:c1:d1:e1:f1 Group = wpa-for-mac 5. Create a service profile named wpa-wep-for-mac for SSID voice. Type the following command: DWS-1008# set service-profile wpa-wep-for-mac success: change accepted. D-Link DWS-1008 User Manual 173
  • D-Link DWS-1008 | Product Manual - Page 193
    accepted. 8. Enable the WEP40 cipher suite in service profile wpa-wep-for-mac. Type the following command: DWS-1008# set service-profile wpa-wep-for-mac cipher-wep40 enable > WEP Unicast Index: 1 WEP Multicast Index: 1 Shared Key Auth: NO WPA enabled: D-Link DWS-1008 User Manual 174
  • D-Link DWS-1008 | Product Manual - Page 194
    accepted. DWS-1008# set ap 6 radio 2 radio-profile rp3 mode enable success: change accepted. DWS-1008# show ap config Port 4: AP model: DWL-8220AP, POE: enable the configuration. Type the following command: DWS-1008# save config success: configuration saved. D-Link DWS-1008 User Manual 175
  • D-Link DWS-1008 | Product Manual - Page 195
    enabled for channel and power assignment, the radio performs an RF scan and reports the results to the switch that is managing the AP the radio is on. The scan results include third-party access points. Based the AP's nearest neighbor that is on the same channel. D-Link DWS-1008 User Manual 176
  • D-Link DWS-1008 | Product Manual - Page 196
    on its active data channel and on other channels and reports the results to its switch. Periodically, the switch examines these results to determine whether the channel or the power needs to be changed. . The power ramp amount (1dBm per interval) is not configurable. D-Link DWS-1008 User Manual 177
  • D-Link DWS-1008 | Product Manual - Page 197
    Channel Tuning By default, the switch evaluates the scan results for possible channel changes every 3600 seconds (1 hour). MSS uses the following channel holddown avoids unnecessary changes due to very transient RF changes, such as activation of a microwave oven. D-Link DWS-1008 User Manual 178
  • D-Link DWS-1008 | Product Manual - Page 198
    . MSS uses the highest power level allowed for the country of operation or the highest supported by the hardware, whichever is lower. Every 300 seconds, MSS examines the RF information is higher than the maximum allowed for the country of operation (countrycode). D-Link DWS-1008 User Manual 179
  • D-Link DWS-1008 | Product Manual - Page 199
    tuning for radios in the rp2 radio profile, type the following command: DWS-1008# set radio-profile rp2 auto-tune channel-config disable success: change the following command: DWS-1008# set radio-profile rp2 auto-tune channel-interval 2700 success: change accepted. D-Link DWS-1008 User Manual 180
  • D-Link DWS-1008 | Product Manual - Page 200
    in radio profile rp2 to 600 seconds, type the following command: DWS-1008# set radio-profile rp2 auto-tune channel-holddown 600 success: change accepted the following command: DWS-1008# set radio-profile rp2 auto-tune power-interval 240 success: change accepted. D-Link DWS-1008 User Manual 181
  • D-Link DWS-1008 | Product Manual - Page 201
    1 on the access point on port 1 to 12 dBm, type the following command. DWS-1008# set ap 7 radio 1 auto DWS-1008# set radio-profile rp2 auto-tune channel-lockdown success: change accepted. DWS-1008# set radio-profile rp2 auto-tune power-lockdown success: change accepted. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 202
    : DWS-1008# show ap config 2 radio 1 Port 2: AP model: DWL-8220AP, POE: enable, bias: high, name: AP02 boot-download-enable: YES force-image-download: NO Radio 1: type: 802.11g, mode: disabled, channel: 6 tx pwr: 1, profile: default auto-tune max-power: default D-Link DWS-1008 User Manual 183
  • D-Link DWS-1008 | Product Manual - Page 203
    on connection 1, type the following command: DWS-1008# show port 2 radio 1: 5 Channel Neighbor BSS/MAC RSSI 1 00:0b:85:06:e3:60 -46 1 00:0b:0e:00:0a:80 -78 1 00:0b:0e:00:d2:c0 -74 1 00:0b:85:06:dd:00 -50 1 00:0b:0e:00:05:c1 -72 D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 204
    connected access point on port 2, type the following command: DWS-1008# show auto-tune attributes ap 2 radio 1 Auto-tune attributes for port 2 radio 1: Noise: -92 Packet Retransmission Count: 0 Utilization: 0 Phy Errors Count: 0 CRC Errors count: 122 D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 205
    . • Map the AeroScout listeners' service profile to the radio profile. • Set the channel on each radio to the channel on which the RFID tags transmit. You can use the same channel on all the RFID tags. • Map the AP radios to the radio profile and enable the radios. D-Link DWS-1008 User Manual 186
  • D-Link DWS-1008 | Product Manual - Page 206
    . DWS-1008# set dap 68 radio 1 channel 7 success: change accepted. DWS-1008# set dap 69 radio 1 channel 7 success: change accepted. DWS-1008# set dap 67 radio 1 radio-profile success: change accepted. DWS-1008# set dap 68 radio 1 radio-profile success: change accepted. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 207
    calculation. 6. Enable tag positioning. 7. Enable the map to use the APs. To check an AP's status, right-click on the AP icon and select Status. D-Link DWS-1008 User Manual 188
  • D-Link DWS-1008 | Product Manual - Page 208
    unauthenticated clients. One or more of the following can be enabled: • Proxy ARP • No-Broadcast • DHCP Restrict All three options are disabled by default. set service-profile proxy-arp set service-profile no-broadcast set service-profile dhcp-restrict D-Link DWS-1008 User Manual 189
  • D-Link DWS-1008 | Product Manual - Page 209
    CoS value. You can use ACLs to override CoS markings or set CoS for non-WMM traffic. The following sections describe each of these options. D-Link DWS-1008 User Manual 190
  • D-Link DWS-1008 | Product Manual - Page 210
    the switch to the client). You also can use ACLs to override marking for specific packets. Configure ACEs that use the dscp option to match on ingress DSCP value, and use the cos option to mark CoS. A CoS value assigned by an ACE overrides the internal CoS value. D-Link DWS-1008 User Manual 191
  • D-Link DWS-1008 | Product Manual - Page 211
    maps the service type value to an internal CoS value. The AP then marks the DSCP value in the IP tunnel header to the switch based on the internal CoS value. For a packet received from a DWS-1008 switch and addressed to same as those used when the QoS mode is WMM. D-Link DWS-1008 User Manual 192
  • D-Link DWS-1008 | Product Manual - Page 212
    separate PSpoll for each buffered packet. U-APSD is supported service profile's SSID. Association to the radios by clients on other SSIDs is not limited. To ensure voice quality, do not map other service profiles to the radio profile you plan to use for voice traffic. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 213
    wireless traffic on an SSID with a specific CoS value. When static CoS is enabled, the AP marks all traffic between clients and the switch for a given SSID with the static CoS value. The static CoS value must be configured on the SSID's service profile. Link DWS-1008 User Manual 194
  • D-Link DWS-1008 | Product Manual - Page 214
    a radio profile, use the following command: set radio-profile name wmm-powersave {enable | disable} For example, the following command enables U-APSD on radio profile rp1: DWS-1008# set radio-profile rp1 qos-mode svp success: change accepted. D-Link DWS-1008 User Manual 195
  • D-Link DWS-1008 | Product Manual - Page 215
    on the SSID. To enable static CoS and set the CoS value, use the following commands: set service-profile name static-cos {enable | disable} set service-profile name cos level The level can be a value from 0 (lowest priority) to 7 (highest priority). The default is 0 D-Link DWS-1008 User Manual 196
  • D-Link DWS-1008 | Product Manual - Page 216
    the following commands: DWS-1008# set service-profile sp1 proxy-arp enabled success: change accepted. DWS-1008# set service-profile sp1 dhcp-restrict enable success: change accepted. DWS-1008# set service-profile sp1 no-broadcast enable success: change accepted. D-Link DWS-1008 User Manual 197
  • D-Link DWS-1008 | Product Manual - Page 217
    : 600 Power ramp interval: 60 Channel Holddown: 300 Countermeasures: none Active-Scan: yes RFID enabled: no WMM Powersave: no QoS Mode: wmm Service profiles: sp1 In this example, the QoS mode is WMM and U-APSD support (WMM powersave) is disabled. D-Link DWS-1008 User Manual 198
  • D-Link DWS-1008 | Product Manual - Page 218
    information for some settings appears in other chapters. To configure transmit rates, or the long or short retry, see "Configuring a Service Profile". To configure the user-idle timeout and idle-client probing, see "Displaying and Changing Network Session Timers". D-Link DWS-1008 User Manual 199
  • D-Link DWS-1008 | Product Manual - Page 219
    value The following command displays the CoS value to which DSCP value 55 is mapped: DWS-1008# show qos dscp-to-cos-map 55 dscp 55 is classified as cos 6 Displaying CoS value 6 is mapped: DWS-1008# show qos cos-to-dscp-map 6 cos 6 is marked with dscp 48 (tos 0xC0) D-Link DWS-1008 User Manual 200
  • D-Link DWS-1008 | Product Manual - Page 220
    port-list] [clear] The clear option clears the counters after displaying their values. The following command shows statistics for the AP forwarding queues on a Distributed AP: DWS-1008 BestEffort 0 0 4,5 Video 0 0 6,7 Voice 0 0 D-Link DWS-1008 User Manual 201
  • D-Link DWS-1008 | Product Manual - Page 221
    vlan-id | port port-list vlan-id}] To enable STP on all VLANs configured on a switch, type the following command: DWS-1008# set spantree enable success: change accepted. To verify the STP state and display the STP parameter settings, enter the show spantree command. D-Link DWS-1008 User Manual 202
  • D-Link DWS-1008 | Product Manual - Page 222
    Mbps 10 Mbps 10 Mbps 10 Mbps Link Type Full Duplex Aggregate Link (Port Group) Full Duplex Full Duplex Aggregate Link(Port Group) Full Duplex Half Duplex Full Duplex Aggregate Link(Port Group) Full Duplex Half Duplex Default Port Path Cost 19 4 19 18 19 19 95 100 D-Link DWS-1008 User Manual 203
  • D-Link DWS-1008 | Product Manual - Page 223
    , type the following command: DWS-1008# set spantree portcost 3,4 cost 20 success: change accepted. To change the cost for the same ports in VLAN mauve, type the following command: DWS-1008# set spantree portvlancost 3,4 cost 20 vlan mauve success: change accepted. D-Link DWS-1008 User Manual 204
  • D-Link DWS-1008 | Product Manual - Page 224
    following command: DWS-1008# set spantree portpri 3-4 priority 48 success: change accepted. To set the priority of ports 3 and 4 to 48 in VLAN mauve, type the following command: DWS-1008# set spantree portvlanpri 3-4 priority 48 vlan mauve success: change accepted. D-Link DWS-1008 User Manual 205
  • D-Link DWS-1008 | Product Manual - Page 225
    applies the change to all VLANs. Alternatively, specify an individual VLAN. To change the hello interval for all VLANs to 4 seconds, type the following command: DWS-1008# set spantree hello 4 all success: change accepted. D-Link DWS-1008 User Manual 206
  • D-Link DWS-1008 | Product Manual - Page 226
    the learning state to the forwarding state is called the forwarding delay. In some configurations, this delay is unnecessary. The switch provides the following fast convergence features to bypass the forwarding delay: • Port fast • Backbone fast • Uplink fast D-Link DWS-1008 User Manual 207
  • D-Link DWS-1008 | Product Manual - Page 227
    disable port fast convergence, use the following command: set spantree portfast port port-list {enable | disable} To enable port fast convergence on ports 1, 3, and 5, type the following command: DWS-1008# set spantree portfast port 1,3,5 enable success: change accepted. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 228
    port-list] To display port fast convergence information for all ports, type the following command: DWS-1008# show spantree portfast Port example: DWS-1008# show spantree backbonefast Backbonefast is enabled In this example, backbone fast convergence is enabled. D-Link DWS-1008 User Manual 209
  • D-Link DWS-1008 | Product Manual - Page 229
    port information • Blocked ports • Statistics • Port fast, backbone fast, and uplink fast convergence information Note: For information about the show commands for the fast convergence features, see "Configuring and Managing STP Fast Convergence Features". D-Link DWS-1008 User Manual 210
  • D-Link DWS-1008 | Product Manual - Page 230
    19 128 Disabled 4 1 Forwarding 19 128 Disabled 5 1 Blocking 19 128 Disabled 6 1 Blocking 19 128 Disabled In this example, VLAN mauve contains ports 1 through 6. Ports 1 and 4 are forwarding traffic. The other ports are blocking traffic. D-Link DWS-1008 User Manual 211
  • D-Link DWS-1008 | Product Manual - Page 231
    blocked ports on a switch for the default VLAN (VLAN 1), type the following command: DWS-1008# show spantree blockedports vlan default Port Vlan Port-State Cost Prio Portfast 5 190 Blocking 4 128 Disabled Number of blocked ports (segments) in VLAN 1 : 1 D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 232
    Configuration Scenario This scenario configures a VLAN named backbone for a switch's connections to the network backbone, adds ports 7 and 8 to the VLAN, and enables STP on the 100BaseTx 7 down down auto network 8 down down auto network D-Link DWS-1008 User Manual 213
  • D-Link DWS-1008 | Product Manual - Page 233
    ID MAC ADDR 00-0b-0e-00-04-0c Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan STP-State Cost Prio Portfast 7 10 Disabled 4 128 Disabled 8 10 Disabled 4 128 Disabled D-Link DWS-1008 User Manual 214
  • D-Link DWS-1008 | Product Manual - Page 234
    Hello Time 2 sec Forward Delay 15 sec Port Vlan STP-State Cost Prio Portfast 7 10 Forwarding 4 128 Disabled 8 10 Blocking 4 128 Disabled 6. Save the configuration. Type the following command: DWS-1008# save config success: configuration saved. D-Link DWS-1008 User Manual 215
  • D-Link DWS-1008 | Product Manual - Page 235
    ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traffic addressed to a specific Class D IP address, the group address. The DWS-1008 switch basis. The current software version supports IGMP versions 1 and 2. Disabling Link DWS-1008 User Manual 216
  • D-Link DWS-1008 | Product Manual - Page 236
    switch also sends a leave message for the group to multicast routers. • Robustness value-Number used as a multiplier to adjust the IGMP timers to the amount of traffic loss that occurs on the network. Set the robustness value higher to adjust for more traffic loss. D-Link DWS-1008 User Manual 217
  • D-Link DWS-1008 | Product Manual - Page 237
    change the robustness value, use the following command: set igmp rv num [vlan vlan-id] You can specify a value from 2 through 255. The default is 2. D-Link DWS-1008 User Manual 218
  • D-Link DWS-1008 | Product Manual - Page 238
    router ports or multicast receiver ports. Ports you add do not age out. Note: You cannot add access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 239
    mrouter port port-list enable | disable Adding or Removing a Static Multicast Receiver Port To add a static multicast receiver port, use the following command: set igmp receiver port port-list of all multicast parameters you can configure, and multicast statistics. D-Link DWS-1008 User Manual 220
  • D-Link DWS-1008 | Product Manual - Page 240
    08:0a 258 Querier information: Querier for vlan orange Port Querier-IP Querier-MAC TTL 1 193.122.135.178 00:0b:cc:d2:e9: Packets with unknown IGMP type: 0 Packets with bad length: 0 Packets with bad checksum: 0 Packets dropped: 4 D-Link DWS-1008 User Manual 221
  • D-Link DWS-1008 | Product Manual - Page 241
    -id] To display the multicast routers in VLAN orange, type the following command: DWS-1008# show igmp mrouter vlan orange Multicast routers for vlan orange Port Mrouter-IPaddr Mrouter-MAC Type TTL 10 192.28.7.5 00:01:02:03:04:05 dvmrp 33 D-Link DWS-1008 User Manual 222
  • D-Link DWS-1008 | Product Manual - Page 242
    .10.30.31 00:02:04:06:01:0b 112 VLAN: green Session Port Receiver-IP Receiver-MAC TTL 237.255.255.17 11 10.10.40.41 00:02:06:08:02:0c 12 237.255.255.255 6 10.10.60.61 00:05:09:0c:0a:01 111 D-Link DWS-1008 User Manual 223
  • D-Link DWS-1008 | Product Manual - Page 243
    with modification (marking) for class-of-service (CoS) priority treatment. A typical use of security ACLs is to enable users to send and receive packets within the local configuration, and map the ACL to a user session, VLAN, port, virtual port, or Distributed AP. D-Link DWS-1008 User Manual 224
  • D-Link DWS-1008 | Product Manual - Page 244
    be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed APs. You can also assign a class-of-service (CoS) level that marks to both a user and a VLAN, and a user's traffic can match both ACLs, only the ACL mapped to the user is applied. D-Link DWS-1008 User Manual 225
  • D-Link DWS-1008 | Product Manual - Page 245
    individual user) • SSID default (attr filter-id acl-name.in or attr filter-id acl-name.out is configured on the SSID's service profile) The user's ACL user's session or map it to a port, VLAN, virtual port, or Distributed AP. Every security ACL must have a name. D-Link DWS-1008 User Manual 226
  • D-Link DWS-1008 | Product Manual - Page 246
    DWS-1008# set security acl ip acl-1 permit 192.168.1.4 0.0.0.0 With the following basic security ACL command, you can specify any of the protocols supported ), and a type-of-service (TOS) level of 0 (normal). GRE is protocol number 47. DWS-1008# set security acl ip acl Link DWS-1008 User Manual 227
  • D-Link DWS-1008 | Product Manual - Page 247
    , you must also include a mask for each in the form source-ip-addr mask and destination-ip-addr mask. The mask octet. Class of Service Class-of-service (CoS) assignment determines the priority treatment of packets transmitted by a switch, corresponding to a forwarding Link DWS-1008 User Manual 228
  • D-Link DWS-1008 | Product Manual - Page 248
    Redirect (5) Echo (8) Time Exceeded (11) Parameter Problem (12) Timestamp (13) Timestamp Reply (14) Service (TOS) and Network Redirect (2) • TOS and Host Redirect (3) None • Time to Live (TTL) Exceeded (0) • Fragment Reassembly Time Exceeded (1) None None None None None D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 249
    any UDP destination port less than 65,535. It puts this ACE first in the ACL, and counts the number of hits generated by the ACE. DWS-1008# set security acl ip acl-5 permit udp 192.168.1.7 0.0.0.0 192.168.1.8 0.0.0.0 lt 65535 precedence 7 tos 15 before 1 hits D-Link DWS-1008 User Manual 230
  • D-Link DWS-1008 | Product Manual - Page 250
    accepted. To commit all the security ACLs in the edit buffer, type the following command: DWS-1008# commit security acl all success: change accepted. Viewing Security ACL Information To determine whether a info all editbuffer show security acl info show security acl D-Link DWS-1008 User Manual 231
  • D-Link DWS-1008 | Product Manual - Page 251
    effect until you map them to something (a user, Distributed AP, VLAN, port, or virtual port). To map an ACL, see "Mapping DWS-1008# show security acl ACL table ACL Type Class Mapping acl-2 IP Static acl-3 IP Static acl-4 IP Static D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 252
    the keyword hits. (For information on setting hits, see "Setting a Source IP ACL".) Type the following command: DWS-1008# show security acl hits ACL hit-counters Index Counter ACL-name 1 0 acl-2 2 0 acl-999 5 916 acl-123 D-Link DWS-1008 User Manual 233
  • D-Link DWS-1008 | Product Manual - Page 253
    switch maps the named ACL automatically to the user's authenticated session. Security ACLs can also be mapped statically to ports, VLANs, virtual ports, or Distributed APs. User-based ACLs are processed before these ACLs, because they are more specific and closer to the network edge. D-Link DWS-1008
  • D-Link DWS-1008 | Product Manual - Page 254
    instructions, see the documentation for your RADIUS server. Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the switch, the user fails authorization and cannot be authenticated. D-Link DWS-1008 User
  • D-Link DWS-1008 | Product Manual - Page 255
    . Plan your security ACL maps to ports, VLANs, virtual ports, and Distributed APs so that only one security ACL filters a flow of packets. If more than one security ACL filters the same traffic, you cannot guarantee the order in which the ACE rules are applied. D-Link DWS-1008 User Manual 236
  • D-Link DWS-1008 | Product Manual - Page 256
    Clearing a security ACL mapping does not stop the current filtering function if the ACL has other mappings. If the security ACL is mapped to another port, a VLAN, a virtual port, or a Distributed AP, you must enter a clear security acl map command to clear each map. D-Link DWS-1008 User Manual 237
  • D-Link DWS-1008 | Product Manual - Page 257
    map command to stop the filtering action of an ACL on a port, VLAN, or virtual port. (See "Clearing a Security ACL Map".) • Use clear security acl plus commit security acl to completely delete the ACL from the switch's configuration. (See "Clearing Security ACLs".) D-Link DWS-1008 User Manual 238
  • D-Link DWS-1008 | Product Manual - Page 258
    command: DWS-1008# show security acl info ACL information for all set security acl ip acl-violet (hits #2 0 1. permit IP source IP 192.168.253.1 0.0.0.255 destination IP any enable-hits 2. permit IP source IP 192.168.123.11 0.0.0.255 destination IP any enable-hits D-Link DWS-1008 User Manual 239
  • D-Link DWS-1008 | Product Manual - Page 259
    acl-111. Follow these steps: 1. To display all committed security ACLs, type the following command: DWS-1008# show security acl info ACL information for all set security acl ip acl-111 (hits #4 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits D-Link DWS-1008 User Manual 240
  • D-Link DWS-1008 | Product Manual - Page 260
    this address. Follow these steps: 1. To display all committed security ACLs, type the following command: DWS-1008# show security acl info ACL information for all set security acl ip acl-111 (hits #4 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits D-Link DWS-1008 User Manual 241
  • D-Link DWS-1008 | Product Manual - Page 261
    acl-111: 1. To display the contents of all committed security ACLs, type the following command: DWS-1008# show security acl info ACL information for all set security acl ip acl-111 (hits #4 0 1, add 1, del 0, modified 0 1. permit SRC source IP 192.168.1.1 0.0.0.0 D-Link DWS-1008 User Manual 242
  • D-Link DWS-1008 | Product Manual - Page 262
    the CoS value assigned by the switch's QoS map. To change CoS values using an ACL, you must map the ACL to the outbound traffic direction on an AP port, Distributed AP, or user VLAN. For example, to remap end, traffic that does not match the other ACE is dropped. D-Link DWS-1008 User Manual 243
  • D-Link DWS-1008 | Product Manual - Page 263
    10.10.90.0 0.0.0.255 dscp 46 success: change accepted. DWS-1008# set security acl ip acl2 permit any success: change accepted. DWS-1008# commit security acl acl2 success: change accepted. DWS-1008# set security acl map acl2 dap 4 out success: change accepted. D-Link DWS-1008 User Manual 244
  • D-Link DWS-1008 | Product Manual - Page 264
    have CoS value 7 when they are forwarded to any 10.10.90.x address on Distributed AP 4: DWS-1008# set security acl ip acl2 permit cos 7 ip 10.10.50.2 0.0.0.0 10.10.90.0 0.0.0.255 precedence 5 tos 12 The CLI rejects an ACE that has this combination of options. D-Link DWS-1008 User Manual 245
  • D-Link DWS-1008 | Product Manual - Page 265
    for Avaya devices. The table on the next page shows how WMM priority information is mapped across the network. When WMM is enabled in MSS, DWS-1008 switches and APs perform these mappings automatically. D-Link DWS-1008 User Manual 246
  • D-Link DWS-1008 | Product Manual - Page 266
    enable VoIP support for TeleSym packets, which use UDP port 3344, for all users in VLAN corp_vlan, perform the following steps: 1. Configure an ACE in ACL voip that assigns IP traffic from any IP address with source UDP port 3344, addressed to any destination address, to CoS queue 6: DWS-1008# set
  • D-Link DWS-1008 | Product Manual - Page 267
    products. D-Link DWS-1008 switches and APs are VIEW certified. This section describes how to configure switches and APs for SVP phones. D-Link recommends that you plan for a maximum of 6 wireless phones per AP. To configure MSS for SVP phones, perform the following configuration tasks: • Install APs
  • D-Link DWS-1008 | Product Manual - Page 268
    vowlan-wpa wpa-ie enable DWS-1008# set service-profile vowlan-wpa auth-dot1x disable DWS-1008# set service-profile vowlan-wpa auth-psk enable DWS-1008# set service-profile vowlan-wpa psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d D-Link DWS-1008 User Manual 249
  • D-Link DWS-1008 | Product Manual - Page 269
    required for SVP.) • Configure a last-resort-ssid user, and set the user's VLAN attribute to the name of the VLAN you create for the voice clients. • Configure an authentication and authorization rule that matches on the last-resort username and on the voice SSID. D-Link DWS-1008 User Manual 250
  • D-Link DWS-1008 | Product Manual - Page 270
    that is not using IP protocol 119. Otherwise, the switch drops this traffic. Every ACL has an implicit ACE at port other than 0. The second ACE sets CoS to 7 for all SVP traffic. The third ACE matches on all traffic that does not match on either of the previous ACEs. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 271
    support the phones to operate in 802.11b mode only. This type of phone expects the AP to operate at 802.11b rates only, not at 802.11g rates. To change a radio to support 802.11b mode only, use the radiotype 11b option with the set port type ap or set dap command. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 272
    .255.255 5. Commit the ACL to the configuration: DWS-1008# commit security acl c2c 6. Map the ACL to the outbound and inbound traffic directions of VLAN vlan-1: DWS-1008# set security acl map c2c vlan vlan-1 out DWS-1008# set security acl map c2c vlan vlan-1 in D-Link DWS-1008 User Manual 253
  • D-Link DWS-1008 | Product Manual - Page 273
    : change accepted. You must then map the security ACL to Natasha's session in RADIUS. For instructions, see the documentation for your RADIUS server. 7. To save your configuration, type the following command: DWS-1008# save config success: configuration saved. D-Link DWS-1008 User Manual 254
  • D-Link DWS-1008 | Product Manual - Page 274
    switch (and optionally allows the switch to authenticate the client) through the use of digital signatures. Digital signatures require a public-private key pair. The signature is created with a private key and verified with a public key. TLS enables secure key exchange. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 275
    certificate. • If the switch has a self-signed certificate in its certificate and key store, the switch responds to the request from MSS. If the certificate is not self-signed, the switch looks for a CA's certificate with which to validate the server certificate. D-Link DWS-1008 User Manual 256
  • D-Link DWS-1008 | Product Manual - Page 276
    of each party involved in a transaction through the use of public key cryptography. To have a PKI, the switch requires the following: • A public key • A private key • Digital certificates • A CA • A secure of digital certificates. Private keys are stored securely. D-Link DWS-1008 User Manual 257
  • D-Link DWS-1008 | Product Manual - Page 277
    are from the CA. The Admin, EAP, and WebAAA certificates can be generated by the switch (self-signed) or generated and signed by a CA. If they are signed by a cryptographic information. D-Link supports the PKCS object files listed in the table on the next page. D-Link DWS-1008 User Manual 258
  • D-Link DWS-1008 | Product Manual - Page 278
    on the switch. Instead, use the copy tftp command to copy the file onto the Personal Information switch. Exchange Syntax installed by an unauthorized party. You must know the password in order to install them.) Use the crypto pkcs12 command to unpack the file. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 279
    WPA, and for users connected to wired authentication ports • WebAAA-Web access for network users who can use a web page to log onto an unencrypted SSID Management access to the CLI through Secure Shell (SSH) also requires a key pair, but does not use a certificate. DWS-1008 security also requires
  • D-Link DWS-1008 | Product Manual - Page 280
    instructions. Certificate Installation Installing a CA's Own Certificate" signed certificate (a PEM-encoded PKCS #7 object file). 4. Paste the PEM-encoded file into the CLI to store the certificate on the switch. 5. Obtain and install the CA's own certificate. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 281
    You must include a common name (string) when you generate a self-signed certificate. The other information is optional. Use a fully qualified name if such names are supported on your network. The certificate appears after you enter this information. D-Link DWS-1008 User Manual 262
  • D-Link DWS-1008 | Product Manual - Page 282
    Installing a Key switch. Use the following command: crypto pkcs12 {admin | eap | web} filename The filename is the location of the file on the switch. Note: MSS erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 283
    supported on your network. The other information is optional. For example: DWS-1008 the command returns a Privacy-Enhanced Mail (PEM)-formatted PKCS #10 CSR. 2. To install a certificate from a PKCS #7 file, use the following command to prepare the switch to receive Link DWS-1008 User Manual 264
  • D-Link DWS-1008 | Product Manual - Page 284
    install a CA's certificate, use the following command: crypto ca-certificate {admin | eap | web} PEM-formatted-certificate When prompted, paste the certificate under the prompt. For example: DWS-1008 the switch are within the date and time range of the certificate.
  • D-Link DWS-1008 | Product Manual - Page 285
    Common Name: DL 6 Email Address: [email protected] Unstructured Name: wiring closet 4 Self-signed cert for eap is success: self-signed cert for eap generated
  • D-Link DWS-1008 | Product Manual - Page 286
    Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=CA, L=PLEAS, O=DLINK, OU=SQA, CN=BOBADMIN/ emailAddress=BOBADMIN, unstructuredName=BOB Validity: Not Before: Oct 19 02:02:02 2004 GMT Not After : Oct 19 02:02:02 2005 GMT
  • D-Link DWS-1008 | Product Manual - Page 287
    This scenario shows how to use PKCS #12 object files to install public-private key pairs, CA-signed certificates, and CA certifies DWS-1008# crypto otp admin SeC%#6@o%c OTP set DWS-1008# crypto otp eap SeC%#6@o%d OTP set DWS-1008# crypto otp web SeC%#6@o%e OTP set
  • D-Link DWS-1008 | Product Manual - Page 288
    . (See "Configuring and Managing Time Parameters".) 2. Generate public-private key pairs: DWS-1008# crypto generate key admin 1024 key pair generated DWS-1008# crypto generate key eap 1024 key pair generated DWS-1008# crypto generate key web 1024 key pair generated
  • D-Link DWS-1008 | Product Manual - Page 289
    : DWS-1008# crypto certificate admin Enter PEM-encoded certificate 8. Paste the signed certificate text block into the switch's CLI, below the prompt. 9. Display information about the certificate, to verify it: DWS-1008# show crypto certificate admin
  • D-Link DWS-1008 | Product Manual - Page 290
    13. Paste the CA's signed certificate under the prompt. 14. Display information about the CA's certificate, to verify it: DWS-1008# show crypto ca-certificate admin 15. Repeat step 12 through step 14 to install the CA's certificate for EAP (802.1X) and WebAAA.
  • D-Link DWS-1008 | Product Manual - Page 291
    switch's local user database for credentials that match those presented by the user. Depending on the type of authentication rule that matches the SSID or wired authentication port, the required credentials are the username or MAC address, and in some cases, a password.
  • D-Link DWS-1008 | Product Manual - Page 292
    or MAC access rules have the wired option set), MSS checks for user last-resort-wired. If this user is configured, the authorization attributes set for the user are applied to the user who is on the wired authentication port and the user is allowed onto the network.
  • D-Link DWS-1008 | Product Manual - Page 293
    access rules are configured for wired, and the wired authentication port's fallthru type is last-resort, MSS allows users onto the port without prompting for a username or password. The authorization attributes set on user last-resort-wired are applied to the user.
  • D-Link DWS-1008 | Product Manual - Page 294
    access control lists (ACLs) to the user's traffic, and so on. To assign attributes on the RADIUS server, use the standard RADIUS attributes supported on the server. To assign attributes in the switch's local database, use the MSS vendor-specific attributes (VSAs).
  • D-Link DWS-1008 | Product Manual - Page 295
    database, you can also configure attributes within a service profile. These authorization attributes are applied to users accessing the SSID managed by the service profile (in addition to any attributes supplied by a RADIUS server or the switch's local database).
  • D-Link DWS-1008 | Product Manual - Page 296
    , auditing, and reporting-for example, user identities, connection start and stop times, the number of packets received and sent, and the number of bytes transferred. You can track sessions through accounting information stored locally or on a remote RADIUS server.
  • D-Link DWS-1008 | Product Manual - Page 297
    or RADIUS servers for MAC access as well. If you use RADIUS servers, make sure you configure the password for the MAC address user as dlink. (This is the default authorization password. To change it, see "Changing the MAC Authorization Password for RADIUS".)
  • D-Link DWS-1008 | Product Manual - Page 298
    find a matching username entry in the local database, the switch tries the next RADIUS server group method. This exception is DWS-1008# set radius server server-1 address 192.168.253.1 key chey3nn3 DWS-1008# set radius server server-2 address 192.168.253.2 key chey3nn3
  • D-Link DWS-1008 | Product Manual - Page 299
    the server side of the connection requires a certificate. The client needs only a username and password. • The PEAP portion is processed on the switch. • The MS-CHAP-V2 portion is processed on the RADIUS server or locally, depending on the configuration.
  • D-Link DWS-1008 | Product Manual - Page 300
    ) WebAAA Static WEP No encryption (if SSID is unencrypted) Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be authenticated by an EAP method, a MAC address, or a Web login page served by the switch.
  • D-Link DWS-1008 | Product Manual - Page 301
    : DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 shorebirds To offload both PEAP and MS-CHAP-V2 processing onto the switch, use the following command: DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 local
  • D-Link DWS-1008 | Product Manual - Page 302
    . A trusted user can log on from any machine attached to the network. You can use Bonded Auth with Microsoft Windows® clients that support separate 802.1X authentication for the machine itself and for a user who uses the machine to log on to the network.
  • D-Link DWS-1008 | Product Manual - Page 303
    itself, and a separate 802.1X authentication rule for the user(s). Use the bonded option in the user authentication rule, but users in the domain: • host/*.mycorp.com (userglob for the machine authentication rule) • *.mycorp.com (userglob for the user authentication rule)
  • D-Link DWS-1008 | Product Manual - Page 304
    mycorp.com (userglob for the user authentication rule) • host/*.de.mycorp.com (userglob for the machine authentication rule) • *.de.mycorp.com (userglob for the user authentication rule) Bonded Auth Period (0), use the following command: clear dot1x bonded-period
  • D-Link DWS-1008 | Product Manual - Page 305
    60 seconds, to allow time for WEP users to reauthenticate: DWS-1008# set dot1x bonded-period 60 success: change accepted. Displaying Bonded Auth Configuration Information To display Bonded Auth configuration information, use the following command: show dot1x config
  • D-Link DWS-1008 | Product Manual - Page 306
    require a MAC authorization password if RADIUS authentication is desired. The default well-known password is dlink. Caution: Use this method with care. IEEE 802.11 frames can be forged and can result in unauthorized network access if MAC authentication is employed.
  • D-Link DWS-1008 | Product Manual - Page 307
    the user is in: DWS-1008# clear mac-user 01:0f:03:04:05:06 group success: change accepted. The clear mac-usergroup command removes the group. To remove a MAC user profile from the local database on the switch, type the following command: clear mac-user mac-address
  • D-Link DWS-1008 | Product Manual - Page 308
    database, use the following command: clear mac-user mac-addr attr attribute-name For example, the following command clears the VLAN assignment from MAC user 01:0f:02:03:04:05: DWS-1008# clear mac-user 01:0f:03:04:05:06 attr vlan-name success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 309
    displays colon-delimited MAC addresses. If the MAC address is in the database, MSS uses the VLAN attribute and other attributes associated with it for user authorization. Otherwise, MSS tries the fallthru authentication type, which can be last-resort, Web, or none.
  • D-Link DWS-1008 | Product Manual - Page 310
    attempts to access the network. For a wireless user, this begins when the user's network interface card (NIC) associates with an SSID on a D-Link radio. For a wired authentication user, this begins when the user's NIC sends data on the wired authentication port. 2. MSS starts a portal session for
  • D-Link DWS-1008 | Product Manual - Page 311
    MSS Versions required this special user for WebPortal configurations. Any web-portal-ssid users are removed from the configuration during upgrade to MSS Version 5.0. However, the web-portal-wired user is still required for Web Portal on wired authentication ports.
  • D-Link DWS-1008 | Product Manual - Page 312
    fallthru authentication type for an SSID, set it in the service profile for the SSID, using the set service-profile auth-fallthru command. To set it on a wired authentication port, use the auth-fall-thru web-portal parameter of the set port type wired-auth command.
  • D-Link DWS-1008 | Product Manual - Page 313
    user will access the network on a wired authentication port, the rule must match on wired. To configure authentication rules, use the set authentication web command. • Web Portal WebAAA must be enabled, using the set web-portal command. The feature is enabled by default.
  • D-Link DWS-1008 | Product Manual - Page 314
    , and might be interrupted by a dialog asking the user what to do about the untrusted certificate. Generally, the browser is already configured to trust certificates signed by a CA. Client NIC Recommendations • Configure the NIC to use DHCP to obtain its IP address.
  • D-Link DWS-1008 | Product Manual - Page 315
    change accepted. Note: The VLAN does not need to be configured on the switch where you configure Web Portal but the VLAN does need to be configured on a switch somewhere in the network. The user's traffic will be tunneled to the switch where the VLAN is configured.
  • D-Link DWS-1008 | Product Manual - Page 316
    users into this VLAN. • Enable RSN (WPA2) data encryption with CCMP. (This example assumes clients support this encryption type.) TKIP is enabled by default and is left enabled in this example. DWS-1008# set service time: 60000ms vlan-name = mycorp-vlan ...
  • D-Link DWS-1008 | Product Manual - Page 317
    port 2-3 set interface corpvlan ip 192.168.12.10 255.255.255.0 ... set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67 set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture commit security acl portalacl
  • D-Link DWS-1008 | Product Manual - Page 318
    on the network: DWS-1008# show sessions network ssid mycorp User Sess IP or MAC VLAN Port/ Name ID Address Name Radio alice 4* 192.168.12.101 corpvlan 3/1 bob 5* 192.168.12.102 corpvlan 3/1 2 sessions total
  • D-Link DWS-1008 | Product Manual - Page 319
    wired authentication users. The wba_form.html page also is served to SSID users if the SSID's service profile does not specify a custom page. • If there is no wba_form.html page and no custom page in the service profile (for an SSID), MSS serves the default page.
  • D-Link DWS-1008 | Product Manual - Page 320
    service-profile name ssid-name ssid-name set service-profile name ssid-type clear set service-profile name auth-fallthru web-portal set radio-profile name service-profile name set {ap port directly access the temporary SSID. The switch should serve the login page. 3.
  • D-Link DWS-1008 | Product Manual - Page 321
    profile and radio profile you created for it. DWS-1008# set ap 2 radio 1 radio-profile temprad mode disable success: change accepted. DWS-1008# clear radio-profile temprad success: change accepted. DWS-1008# clear service-profile tempsrvc success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 322
    : received 1202 bytes in 0.402 seconds [ 2112 bytes/sec] DWS-1008# dir mycorp-webaaa file: Filename Size Created file:mycorp-login.html 637 bytes Aug 12 2004, 15:42:26 file:mylogo.gif 1202 bytes Aug 12 2004, 15:57:11 Total: 1839 bytes used, 206577 Kbytes free
  • D-Link DWS-1008 | Product Manual - Page 323
    change accepted. When user djoser is successfully authenticated and authorized, MSS redirects the user to the following URL: https://saqqara.org/login.php?user=djoser To verify configuration of a redirect URL and other user attributes, type the show aaa command.
  • D-Link DWS-1008 | Product Manual - Page 324
    example, if you want to redirect users to a credit card server, add the ACEs to do so service profile, using the following command: set service-profile name web-portal-acl aclname 7. Verify the change by displaying the service profile. 8. Save the configuration changes.
  • D-Link DWS-1008 | Product Manual - Page 325
    this AP or another AP managed by a switch, at which time the Web Portal WebAAA useful if you want to allow a client connecting through Web Portal WebAAA to enter standby or period, use the following command: set service-profile name web-portal-session-timeout seconds You
  • D-Link DWS-1008 | Product Manual - Page 326
    service-profile last-resort-srvcprof wpa-ie enable success: change accepted. DWS-1008# set service-profile last-resort-srvcprof cipher-ccmp enable success: change accepted. DWS-1008# set service-profile last-resort-srvcprof cipher-wep40 enable success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 327
    configure wired authentication port 5 for last-resort access and add the special user: DWS-1008# set port type wired-auth 5 auth-fall-thru last-resort success: change accepted. DWS-1008# set user last-resort-wired attr vlan-name guest-vlan2 success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 328
    , for non-802.1X users), MSS assigns authorization attributes to the user from the RADIUS server's access-accept response. 6. When the user's session ends, the third-party AP sends a RADIUS stop-accounting record to the switch. The switch then removes the session.
  • D-Link DWS-1008 | Product Manual - Page 329
    switch is a RADIUS server to the AP but remains a RADIUS client to the real RADIUS servers. • An authentication proxy rule must be configured for the AP's users. The rule matches based on SSID and username, and selects the authentication method (a RADIUS server group) for proxying.
  • D-Link DWS-1008 | Product Manual - Page 330
    proxy client address ip-address [port udp-port-number] [acct-port acct-udp-port-number] key string • Configure a proxy authentication rule for the AP's users. Use the following command: set authentication proxy ssid ssid-name user-glob radius-server-group
  • D-Link DWS-1008 | Product Manual - Page 331
    value for each SSID you plan to support. The following command configures a MAC authentication rule that matches on the third-party AP's MAC address. Because the AP is connected to the switch on a wired authentication port, the wired option is used. DWS-1008# set authentication mac wired aa:bb:cc
  • D-Link DWS-1008 | Product Manual - Page 332
    in, the user's network access can begin as soon as the user start-date. The user does not need to wait for the user group's start date. The VLAN attribute is required. MSS can authorize a user to access the network only if the VLAN to place the user on is specified.
  • D-Link DWS-1008 | Product Manual - Page 333
    attributes supported by enters the switch from users via an access port or wired authentication port, or from the network via a network port. Security user is assigned the name of a Mobility Profile that does not exist on the switch, the user is denied access.
  • D-Link DWS-1008 | Product Manual - Page 334
    service profile must be used by a radio profile assigned to D-Link radios in the network. Date and time, in the following format: YY/MM/DD-HH:MM You can use start-date alone or with end-date. You also can use start-date, end-date, or both in conjunction with time-of-day.
  • D-Link DWS-1008 | Product Manual - Page 335
    ://www.example.com Note: You must include the http:// portion. You can dynamically include any of the variables in the URL string: • $u-Username • $v-VLAN • $s-SSID • $p-Service profile name To use the literal character $ or ?, use the following q
  • D-Link DWS-1008 | Product Manual - Page 336
    . The switch ignores the user group's start date. To change the value of an authorization attribute, reenter the command with the new value. To assign an authorization attribute to a user's configuration on a RADIUS server, see the documentation for your RADIUS server.
  • D-Link DWS-1008 | Product Manual - Page 337
    vlanname attribute set to orange, then that user will have a total of two attributes set: service-type and vlan-name. If the service profile is configured with the vlan-name committed security ACL in the switch, the user fails authorization and cannot be connected.
  • D-Link DWS-1008 | Product Manual - Page 338
    to filter traffic sent from the switch to users via an access port or wired authentication port, or from the network via a network port. For example, the following command applies security ACL acl-101 to packets coming into the switch from user Jose: DWS-1008# set user Jose attr filter-id acl-101
  • D-Link DWS-1008 | Product Manual - Page 339
    or types are entered as an authorization attribute into the user or group record in the local database or on the RADIUS server. Encryption-Type is a D-Link vendor-specific attribute (VSA). Clients who attempt to use an unauthorized encryption method are rejected.
  • D-Link DWS-1008 | Product Manual - Page 340
    a user or group of users in the local database, use one of the following commands: clear user username attr encryption-type clear usergroup groupname attr encryption-type clear mac-user username attr encryption-type clear mac-usergroup groupname attr encryption-type
  • D-Link DWS-1008 | Product Manual - Page 341
    vlan-id command, entered on the roamed-to switch. The name is the name of the service profile for the SSID the user is associated with.) • As shown in the table above, even when keep-initial-vlan is set, a user's VLAN can be reassigned by AAA or a location policy.
  • D-Link DWS-1008 | Product Manual - Page 342
    the switch that will be roamed to by users. The following command enables the keep-initial-vlan option on service profile sp3: DWS-1008# set service-profile set or change the user's VLAN assignment, inbound ACL, outbound ACL, or any combination of these attributes
  • D-Link DWS-1008 | Product Manual - Page 343
    } if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port port-list | dap dap-num} [before rule-number | modify rule-number] Note: Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.
  • D-Link DWS-1008 | Product Manual - Page 344
    from the switch to users via an AP access port or wired authentication port, or from the network via a network port. For example, the following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN, and applies the security ACL tac_24 to the traffic they receive: DWS-1008# set
  • D-Link DWS-1008 | Product Manual - Page 345
    command: clear location policy rule-number Type show location policy to display the numbers of configured location policy rules. To disable the location policy on a DWS-1008 switch, delete all the location policy rules.
  • D-Link DWS-1008 | Product Manual - Page 346
    duration Timestamp VLAN name Client's MAC address AP port number and radio number Access point's MAC address Number of octets received by the switch Number of octets sent by the switch Number of packets received by the switch Number of packets sent by the switch
  • D-Link DWS-1008 | Product Manual - Page 347
    interval attribute value set, or it is set to zero on the switch, then accounting update records are generated only when a user roams from one AP to another. Enabling System Accounting Messages You can further Accounting-On or Accounting-Off messages are generated.
  • D-Link DWS-1008 | Product Manual - Page 348
    . The following sample output shows a wireless user roaming from one switch to another switch. From the accounting records, you can determine the user's activities by viewing the Acct-Status-Type =00-06-25-09-39-5D Nas-Port-Id=2/1 Called-Station-Id=00-0B-0E-76-56-A0
  • D-Link DWS-1008 | Product Manual - Page 349
    -09-39-5D Nas-Port-Id=2/1 Called-Station-Id=00-0B-0E-76-56-A0 If you configured accounting records to be sent to a RADIUS server, you can view the records of user roaming at the RADIUS mycorp stop-only sg2 set accounting admin Natasha start-stop local user Nin
  • D-Link DWS-1008 | Product Manual - Page 350
    rules for 802.1X are first and the rules with any are last: DWS-1008# show aaa ... set authentication dot1x ssid mycorp Geetha eap-tls set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3 set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
  • D-Link DWS-1008 | Product Manual - Page 351
    the local database and ignores the command for EXAMPLE/ users. DWS-1008# show aaa ... set accounting dot1x ssid mycorp * start-stop group1 set authentication dot1x ssid mycorp * peap-mschapv2 local set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
  • D-Link DWS-1008 | Product Manual - Page 352
    : DWS-1008# show aaa ... set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1 set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1 set accounting dot1x ssid mycorp * start-stop group1 set authentication dot1x ssid mycorp * peap-mschapv2 local
  • D-Link DWS-1008 | Product Manual - Page 353
    the following commands: DWS-1008# set mobility-profile name tulip port 2,4-6 success: change accepted. DWS-1008# set mobility-profile mode enable success: change accepted. DWS-1008# show mobility-profile Mobility Profiles Name Ports tulip AP 2 AP 3 AP 4 AP 6
  • D-Link DWS-1008 | Product Manual - Page 354
    user tech Password = 1315021018 (encrypted) user EXAMPLE/nin filter-id = acl.101.in mobility-profile = tulip user EXAMPLE/tamara filter-id = acl.101.in mobility-profile = tulip ... 8. Save the configuration: DWS-1008 save config success: configuration saved.
  • D-Link DWS-1008 | Product Manual - Page 355
    DWS-1008# set user Natasha attr vlan-name red 4. To assign Natasha a session timeout value of 1200 seconds, type the following command: DWS-1008# set user Natasha attr session-timeout 1200 5. Save the configuration: DWS-1008 save config success: configuration saved.
  • D-Link DWS-1008 | Product Manual - Page 356
    server group sg1 members r1 3. To authenticate all 802.1X users of SSID bobblehead in the group mktg using PEAP on the switch and MS-CHAP-V2 on server sg1, type the following command: DWS-1008# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1
  • D-Link DWS-1008 | Product Manual - Page 357
    : DWS-1008# show location policy Id Clauses 1) permit vlan bldgb-teach if vlan eq bldga-prof-* 2) permit vlan bldgb-eng if vlan eq *-techcomm 4. Save the configuration: DWS-1008 save config success: configuration saved.
  • D-Link DWS-1008 | Product Manual - Page 358
    timeout timers and transmission attempts, MSS sets the following values by default: • Dead time-0 (zero) minutes (The switch does not designate unresponsive RADIUS servers as unavailable.) • Transmission attempts-3 • Timeout (wait for a server response)-5 seconds
  • D-Link DWS-1008 | Product Manual - Page 359
    command: clear radius {deadtime | key | retransmit | timeout} For example, the following command resets the dead-time timer to 0 minutes on all RADIUS servers in the switch configuration: DWS-1008# clear radius deadtime success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 360
    be unique for this RADIUS server on this switch. Do not use the same name for a RADIUS server DWS-1008# set radius server rs1 address 10.6.7.8 key seCret success: change accepted. DWS-1008# set radius server rs2 address 10.6.7.9 key BigSecret success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 361
    groups before you can access them. Deleting RADIUS Servers To remove a RADIUS server from the switch configuration, use the following command: clear radius server server-name Configuring RADIUS Server Groups A change the RADIUS servers in server groups at any time.
  • D-Link DWS-1008 | Product Manual - Page 362
    final. If the first method does not respond or results in an error, the switch tries the second method and so on. However, if the local database is the command: DWS-1008# set server group swampbirds members pelican seagull success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 363
    the server group by typing the following command: DWS-1008# show aaa Radius Servers Server Addr Ports T/o Tries Dead State sandpiper 192.168.253.3 DWS-1008# set server group shorebirds members sandpiper heron egret coot success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 364
    address 192.168.243.15 key pine DWS-1008# set radius server sandpiper address 192.168.253.17 key oak 2. Place two of the RADIUS servers into a server group called swampbirds. Type the following command: DWS-1008# set server group swampbirds members pelican seagull
  • D-Link DWS-1008 | Product Manual - Page 365
    DWS-1008# show aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports load-balanced): pelican seagull shorebirds (load-balanced): egret pelican sandpiper
  • D-Link DWS-1008 | Product Manual - Page 366
    success: dot1x authcontrol enabled. Setting 802.1X Port Control The following command specifies the way a wired authentication port or group of ports handles user 802.1X authentication attempts: set dot1x port-control {forceauth | forceunauth | auto} port-list
  • D-Link DWS-1008 | Product Manual - Page 367
    port control for all wired authentication ports: DWS-1008# clear dot1x port-control success: change accepted. Managing 802.1X Encryption Keys By default, the switch sends encryption key information to a wireless debugging purposes, or change the rotation interval.
  • D-Link DWS-1008 | Product Manual - Page 368
    dot1x key-tx {enable | disable} Key transmission is enabled by default. The switch sends EAPoL key messages after successfully authenticating the supplicant (client) and receiving authorization attributes occurring. A good value for Session-Timeout is 30 minutes.
  • D-Link DWS-1008 | Product Manual - Page 369
    to be rotated every WEP rekey period for each radio to each connected VLAN. The switch generates the new broadcast and multicast keys and pushes the keys to period to 900 seconds: DWS-1008# set dot1x wep-rekey-period 900 success: dot1x wep-rekey-period set to 900
  • D-Link DWS-1008 | Product Manual - Page 370
    the default setting, type the following command: DWS-1008# clear dot1x max-req success: change accepted. Note: To support SSIDs that have both 802.1X and static .1X wireless supplicants (clients) is enabled on the switch by default. By default, the switch waits 3600
  • D-Link DWS-1008 | Product Manual - Page 371
    the switch: set dot1x reauth {enable | disable} Reauthentication is enabled by default. Type the following command to reenable reauthentication of clients: DWS-1008# network. However, MSS does not remove a wireless client from the network under these circumstances.
  • D-Link DWS-1008 | Product Manual - Page 372
    802.1X Reauthentication Period The following command configures the number of seconds that the switch waits before attempting reauthentication: set dot1x reauth-period seconds The default is 3600 seconds default value, use the following command: clear dot1x max-req
  • D-Link DWS-1008 | Product Manual - Page 373
    timeout to 60 seconds: DWS-1008# set dot1x timeout auth-server 60 success: dot1x auth-server timeout set to 60. To reset the authorization server timeout to the default, type the following command: DWS-1008# clear dot1x timeout auth-server success: change accepted.
  • D-Link DWS-1008 | Product Manual - Page 374
    following command to display active 802.1X clients: DWS-1008# show dot1x clients MAC Address State Vlan Identity 00:20:a6:48:01:1f Connecting (unknown) 00:05:3c:07:6d:7c 00:06:80:00:5c:02 Authenticated vlan-eng EXAMPLE\hhabib
  • D-Link DWS-1008 | Product Manual - Page 375
    port 6, authcontrol: auto, max-sessions: 1 port 8, authcontrol: auto, max-sessions: 16 Viewing 802.1X Statistics Type the following command to display 802.1X statistics about connecting and authenticating: DWS-1008 Authenticated: 1 Bad Packets Received: 0
  • D-Link DWS-1008 | Product Manual - Page 376
    a personal firewall is active • Checking that service pack levels are met • Ensuring that critical patches are installed. Custom checks can be implemented based on the or removed upon termination of the user's session, inactivity timeout, or closing of the browser.
  • D-Link DWS-1008 | Product Manual - Page 377
    to work with a switch, and the procedure that takes place when a user attempts to connect to an SSID where the SODA functionality is enabled. Note that in the current release, the SODA functionality works only in conjunction with the Web Portal WebAAA feature.
  • D-Link DWS-1008 | Product Manual - Page 378
    . c. If the user's computer fails one of the SODA agent checks, then a customizable failure page is loaded in the browser window. The user is then disconnected from the network, or can optionally be granted limited network access, based on a specified security ACL. D-Link DWS-1008 User Manual 359
  • D-Link DWS-1008 | Product Manual - Page 379
    where the SODA agent files for a service profile are located (optional). See "Specifying an Alternate SODA Agent Directory for a Service Profile". 12. Remove the SODA agent files from the switch (optional). See "Uninstalling the SODA Agent Files from the Switch". D-Link DWS-1008 User Manual 360
  • D-Link DWS-1008 | Product Manual - Page 380
    Consequently, Web Portal AAA must be enabled for the service profile for which you want to configure SODA functionality. ZIP) and copy the file to the switch using TFTP, as described in "Copying the SODA Agent to the Switch". Note the following when creating the SODA Link DWS-1008 User Manual 361
  • D-Link DWS-1008 | Product Manual - Page 381
    # install soda agent soda.ZIP agent-directory sp1 This command may take up to 20 seconds... DWS-1008# If SODA functionality is enabled for the service profile that manages SSID sp1, then SODA agent files in this directory are downloaded to clients attempting to connect to SSID sp1. D-Link DWS-1008
  • D-Link DWS-1008 | Product Manual - Page 382
    connecting client must pass the SODA agent checks in order to gain access to the network. For example, the following command enables SODA functionality for service profile sp1: DWS-1008# set service on the switch if you have disabled enforcement of SODA agent checks. D-Link DWS-1008 User Manual 363
  • D-Link DWS-1008 | Product Manual - Page 383
    the switch, as the page to load when a client passes the SODA agent checks: DWS-1008# set service-profile service-profile name soda failure-page page To reset the failure page to the default value, use the following command: clear service-profile name soda failure-page D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 384
    sure the service profile is set to enforce SODA agent checks. For example, the following command configures the switch to apply acl-1 to a client when it loads the failure page: DWS-1008# set service-profile sp1 soda remediation-acl acl-1 success: change accepted. D-Link DWS-1008 User Manual 365
  • D-Link DWS-1008 | Product Manual - Page 385
    with the same name as the SSID configured for the service profile. You can optionally specify a different directory for the SODA agent files used for a service profile. To do this, use the following command: set service-profile name soda agent-directory directory D-Link DWS-1008 User Manual 366
  • D-Link DWS-1008 | Product Manual - Page 386
    This will delete all files in agent-directory, do you wish to continue? (y|n) [n]y Displaying SODA Configuration Information To view information about the SODA configuration for a service profile, use the show service profile command. D-Link DWS-1008 User Manual 367
  • D-Link DWS-1008 | Product Manual - Page 387
    output of the show service profile command for service profile sp1. In the example, the fields related to SODA functionality are highlighted in bold. DWS-1008# show service-profile sp1 ssid-name 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0, 36.0,48.0,54.0 D-Link DWS-1008 User Manual 368
  • D-Link DWS-1008 | Product Manual - Page 388
    are exchanged during a session. A DWS-1008 switch supports the following kinds of sessions: • Administrative sessions-A network administrator managing the switch • Network sessions-A network user exchanging traffic with a network through the switch The switch session manager manages the sessions for
  • D-Link DWS-1008 | Product Manual - Page 389
    telnet client Session Server Address Server Port Client Port 0 192.168.1.81 23 48000 1 10.10.1.22 23 48001 To clear the administrative sessions of Telnet clients, use the following command: clear sessions telnet [client [session-id]] D-Link DWS-1008 User Manual 370
  • D-Link DWS-1008 | Product Manual - Page 390
    displays summary information about all current network sessions: DWS-1008# show sessions network User Sess IP or MAC VLAN Port/ Name ID Address Name Radio EXAMPLE\wong 5* values that are actually in effect following any changes. D-Link DWS-1008 User Manual 371
  • D-Link DWS-1008 | Product Manual - Page 391
    on: 192.168.12.7, port 1, AP/radio 0422900147/1, as user glob. (For a definition of user globs and their format, see "User Globs" on page 10.) To see all sessions for a specific user or for a group of users, type the following command: show sessions network user user-glob D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 392
    (of 10 total) To clear all the network sessions of a user or group of users, use the following command: clear sessions network user user-glob For example, the following command clears the sessions of users named Bob: DWS-1008# clear sessions network user Bob* D-Link DWS-1008 User Manual 373
  • D-Link DWS-1008 | Product Manual - Page 393
    MAC address 01:05:5d:7e:98:1a: DWS-1008# show sessions net mac-addr 01:05:5d:7e:98:1a User Sess IP or MAC VLAN Port/ Name ID Address Name Radio EXAMPLE\havel 13* use the following command: clear sessions network vlan vlan-glob D-Link DWS-1008 User Manual 374
  • D-Link DWS-1008 | Product Manual - Page 394
    wireless sessions, packet and radio statistics. For example, to display information about session 88, type the following command: DWS-1008# show sessions network session-id 88 Local Id: 88 Global Id: SESS-88-00040f-876766-623fd6 State: ACTIVE SSID: Rack-39-PM Port . D-Link DWS-1008 User Manual 375
  • D-Link DWS-1008 | Product Manual - Page 395
    timer for each user (wireless client). Each DWS-1008# set service-profile sp1 user-idle-timeout 360 success: change accepted. To disable the user idle timeout, use the following command: DWS-1008# set service-profile sp1 user-idle-timeout 0 success: change accepted. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 396
    do not want to issue countermeasures against your neighbor's wireless devices, you can select to issue countermeasures against rogues only. RF Auto-Tuning can automatically change AP radio channels to work around interfering devices without attacking those devices. D-Link DWS-1008 User Manual 377
  • D-Link DWS-1008 | Product Manual - Page 397
    black list-A list of MAC addresses of wireless clients who are not allowed on the network. MSS prevents clients on the list from accessing the network through a switch. If the client is placed on the black of these lists when determining whether a device is a rogue. D-Link DWS-1008 User Manual 378
  • D-Link DWS-1008 | Product Manual - Page 398
    radar on a channel, the radio switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes. MSS also generates a message. Note: The RF Auto-tuning feature must be enabled. Otherwise MSS cannot change the channel. D-Link DWS-1008 User Manual 379
  • D-Link DWS-1008 | Product Manual - Page 399
    devices only, or against devices explicitly configured in the switch's attack list. Summary of Rogue Detection Features The List of client or AP MAC addresses that are not allowed on the wireless network. MSS drops all packets from these clients or APs. List of D-Link DWS-1008 User Manual 380
  • D-Link DWS-1008 | Product Manual - Page 400
    The permitted vendor list applies only to the switch on which the list is configured. DWS-1008 switches do not share permitted vendor lists. If DWS-1008# clear rfdetect vendor-list client aa:bb:cc:00:00:00 success: aa:bb:cc:00:00:00 is no longer in client vendor-list. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 401
    on the list. The permitted SSID list applies only to the switch on which the list is configured. DWS-1008 switches do not share permitted SSID lists. If you add a device SSID list: DWS-1008# clear rfdetect ssid-list mycorp success: mycorp is no longer in ssid-list. D-Link DWS-1008 User Manual 382
  • D-Link DWS-1008 | Product Manual - Page 402
    the client black list on the switch: DWS-1008# show rfdetect black-list Total number of entries: 1 Blacklist MAC Type Port TTL 11:22:33:44:55 DWS-1008# clear rfdetect black-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer blacklisted. D-Link DWS-1008 User Manual 383
  • D-Link DWS-1008 | Product Manual - Page 403
    shows the attack list on a switch: DWS-1008# show rfdetect attack-list Total number of entries: 1 Attacklist MAC Port/Radio/Chan RSSI SSID 11:22: DWS-1008# clear rfdetect attack-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer in attacklist. D-Link DWS-1008 User Manual 384
  • D-Link DWS-1008 | Product Manual - Page 404
    ignore mac-addr To display the ignore list, use the following command: show rfdetect ignore The following command displays an ignore list containing two BSSIDs: DWS-1008# show rfdetect ignore Total number of entries: 2 Ignore MAC aa:bb:cc:11:22:33 aa:bb:cc:44:55:66 D-Link DWS-1008 User Manual 385
  • D-Link DWS-1008 | Product Manual - Page 405
    Caution: Countermeasures affect wireless service on a radio. issue countermeasures against devices in the switch's attack list: DWS-1008# set radio-profile radprof3 countermeasures configured DWS-1008# clear radio-profile radprof3 countermeasures success: change accepted. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 406
    default, a switch generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command: set rfdetect log {enable | disable} To display log messages on a switch, use the following command: show log buffer D-Link DWS-1008 User Manual 387
  • D-Link DWS-1008 | Product Manual - Page 407
    Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by to a different channel. • Deauthenticate frames-Spoofed deauthenticate frames form the basis for most DoS attacks, and are the basis Link DWS-1008 User Manual 388
  • D-Link DWS-1008 | Product Manual - Page 408
    . Wireless Bridge A wireless bridge can extend a wireless network outside the desired area. For example, someone can place a wireless bridge near an exterior wall to extend wireless coverage out into the parking lot, where a hacker could then gain access to the network. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 409
    message if an AP or wireless client with an OUI that the network through a switch. If the client is port 2, radio 1 on channel 11 with RSSI -53. Client aa:bb:cc:dd:ee:ff is sending authentication message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 410
    Seen by AP on port 2, radio 1 on channel port 2, radio 1 on channel 11 with RSSI -53 SSID myssid. AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is masquerading our ssid used by aa:bb:cc:dd:ee:fd. Detected by listener aa:bb:cc:dd:ee:fc(port 2, radio 1), channel 11 with RSSI -53. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 411
    seen on wired network Example Log Message Wireless bridge detected with address aa:bb:cc:dd:ee:ff. Seen by AP on port 2, radio 1 on channel 11 with command is valid on any switch in the Mobility Domain. Displays the BSSIDs detected by a specific D-Link radio. D-Link DWS-1008 User Manual 392
  • D-Link DWS-1008 | Product Manual - Page 412
    mac mac-addr] The following command shows information about all wireless clients detected by a DWS-1008 switch's APs: DWS-1008# show rfdetect clients Total number of entries: 30 Client MAC Client AP MAC AP Port/Radio NoL Type Last Vendor Vendor /Channel seen 00
  • D-Link DWS-1008 | Product Manual - Page 413
    activity detected by the switch on which you enter the command. DWS-1008# show rfdetect counters Type 0 0 Active scans 1796 4383 Wireless bridge frames 196 196 Adhoc client frames log messages for most of these statistics. D-Link DWS-1008 User Manual 394
  • D-Link DWS-1008 | Product Manual - Page 414
    on any DWS-1008 switch in your network. DWS-1008# show rfdetect data Total number of entries: 197 Flags: i = infrastructure, a = ad-hoc c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA) BSSID Vendor Type Port/Radio/Ch Flags RSSI Age SSID 00:07:50:d5:cc:91 D-Link
  • D-Link DWS-1008 | Product Manual - Page 415
    Total number of entries: 190 Rogue MAC Type Countermeasures IPaddr Port/Radio Radio Mac /Channel 00:0b:0e:00:71:c0 intfr 00:0b:0e:44:55:66 10.1.1.23 dap 4/1/6 00:0b:0e:03:00:80 rogue 00:0b:0e:11:22:33 10.1.1.23 dap 2/1/11 D-Link DWS-1008 User Manual 396
  • D-Link DWS-1008 | Product Manual - Page 416
    #67) TOP 2005-07-21 04:41:00 Model: DWS-1008 Hardware Mainboard: version 24 ; revision 3 ; FPGA version 24 PoE board: version 1 ; FPGA version 6 Serial number 0321300013 Flash: 4.1.0.14 - md0a Kernel: 3.0.0#20: Fri May 20 17:43:51 PDT 2005 BootLoader: 4.10 / 4.1.0 D-Link DWS-1008 User Manual 397
  • D-Link DWS-1008 | Product Manual - Page 417
    boot configuration: Booted version: Booted image: Booted configuration: Product model: 4.1.0.65 boot1:040100.020 file:configuration file:backup.cfg 4.1.0.65 boot1:040100.020 file:configuration DWS-1008 D-Link DWS-1008 User Manual 398
  • D-Link DWS-1008 | Product Manual - Page 418
    the "safe boot" image. If the MSS software cannot be loaded the next time the switch is booted, then the switch automatically attempts to load the safe boot image. Boot failover might occur when an image In the following example, dangdir and old are subdirectories. D-Link DWS-1008 User Manual 399
  • D-Link DWS-1008 | Product Manual - Page 419
    in the old subdirectory: DWS-1008# dir old file: Filename Size Created file:configuration.txt 3541 bytes Sep 22 2003, 22:55:44 file:configuration.xml 24 KB Sep 22 2003, 22:55:44 Total: 27 Kbytes used, 207824 Kbytes free D-Link DWS-1008 User Manual 400
  • D-Link DWS-1008 | Product Manual - Page 420
    free The following command limits the output to the contents of the boot0 partition: DWS-1008# dir boot0: file: Filename Size Created boot0:mx040100.020 9780 KB Aug 23 2005, 15:54:08 Total: 9780 Kbytes used, 207663 Kbytes free D-Link DWS-1008 User Manual 401
  • D-Link DWS-1008 | Product Manual - Page 421
    used to load the currently running image. The maximum supported file size for TFTP is 32 MB. Note: You can copy a file from a switch to a TFTP server or from a TFTP server to a switch, but you cannot use MSS to copy a file directly from one TFTP server to another. D-Link DWS-1008 User Manual 402
  • D-Link DWS-1008 | Product Manual - Page 422
    corpa-login.html from a TFTP server into subdirectory corpa in a DWS-1008 switch's nonvolatile storage, type the following command: DWS-1008# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec] D-Link DWS-1008 User Manual 403
  • D-Link DWS-1008 | Product Manual - Page 423
    If you download an image file from the D-Link support site and install it in a switch's boot partition, you can verify that the switch to boot from the partition containing the new image. 6. Use the reset system [force] command to restart the switch using the new image. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 424
    in 0.401 seconds [ 910 bytes/sec] DWS-1008# delete testconfig success: file deleted. Creating a Subdirectory You can create subdirectories in the user files area of nonvolatile storage. To create a 23 2003, 21:58:48 Total: 33 Kbytes used, 207822 Kbytes free D-Link DWS-1008 User Manual 405
  • D-Link DWS-1008 | Product Manual - Page 425
    software is rebooted. You also can load a configuration file while the switch is running to change the switch's configuration. When you enter CLI commands to make configuration changes, these commands that set a parameter to a value other than the default. D-Link DWS-1008 User Manual 406
  • D-Link DWS-1008 | Product Manual - Page 426
    # Model DWS-1008 # Last change occurred at 2004-5-10 16:31:14 set vlan 1 port 1 set vlan 10 name backbone tunnel-affinity 5 set vlan 10 port 21 set vlan 10 port 22 set vlan 3 name red tunnel-affinity 5 set igmp mrsol mrsi 60 vlan 1 set igmp mrsol mrsi 60 vlan 10 D-Link DWS-1008 User Manual 407
  • D-Link DWS-1008 | Product Manual - Page 427
    : set boot configuration-file filename To configure a switch to load the configuration file floor2mx from nonvolatile storage following the next software reboot, type the following command: DWS-1008# set boot configuration-file floor2mx success: boot config set. D-Link DWS-1008 User Manual 408
  • D-Link DWS-1008 | Product Manual - Page 428
    newconfig, type the following command: DWS-1008# load config newconfig Reloading configuration may result in lost of connectivity, do you wish to continue? the following command: DWS-1008# clear boot backup-config success: Backup boot config filename was cleared. D-Link DWS-1008 User Manual 409
  • D-Link DWS-1008 | Product Manual - Page 429
    the force option, the command first compares the running configuration to the configuration file. If the files do not match, MSS does not restart the switch but instead displays a message advising you to either save the configuration changes or use the force option. D-Link DWS-1008 User Manual 410
  • D-Link DWS-1008 | Product Manual - Page 430
    . By default, the restore command works only if the MAC address in the archive matches the MAC address of the switch where the restore command is entered. The force option overrides this restriction and allows you to unpack one switch's archive onto another switch. D-Link DWS-1008 User Manual 411
  • D-Link DWS-1008 | Product Manual - Page 431
    0.324 seconds [ 87231 bytes/sec] The following command restores system-critical files on a switch, from archive sysa_bak: DWS-1008# restore system tftp://10.10.20.9/sysa_bak success: received 11908 bytes in 0.150 seconds [ 79386 bytes/sec] success: restore complete. D-Link DWS-1008 User Manual 412
  • D-Link DWS-1008 | Product Manual - Page 432
    the boot partition to the one with the upgrade image for the next restart. To verify that the new image file is installed, type show boot. 6. Reboot the software. To restart a DWS-1008 switch and reboot the software, type the following command: reset system [force] D-Link DWS-1008 User Manual 413
  • D-Link DWS-1008 | Product Manual - Page 433
    installed on the AP. If the boot image is newer, the AP completes installation of its new boot image by copying the boot image into the AP's flash memory, which takes about 30 seconds, then restarts again. The upgrade of the AP is complete after the second restart. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 434
    provides an extensive snapshot of your switch configuration settings for D-Link Technical Support. Fixing Common Setup Problems The table below contains remedies for some common problems that can occur during basic installation and setup of a DWS-1008 switch. Symptom Diagnosis Remedy Web View
  • D-Link DWS-1008 | Product Manual - Page 435
    ), check the network cables for the VLAN's ports. At least one of the ports in a VLAN must have a physical link to the network for the VLAN to be connected. Recovering the System When the Enable Password is Lost To recover a DWS-1008 switch, use the following procedure. Caution: Recovering the
  • D-Link DWS-1008 | Product Manual - Page 436
    troubleshoot MSS. Event messages for the switch and its attached access points can be stored or sent to the following destinations: • Stored in a local buffer on the switch • Displayed on the switch console port the destinations and defaults for system log messages. D-Link DWS-1008 User Manual 417
  • D-Link DWS-1008 | Product Manual - Page 437
    messages only. No problem exists. Output from debugging. Note: The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by D-Link for troubleshooting and are not intended for administrator use. D-Link DWS-1008 User Manual 418
  • D-Link DWS-1008 | Product Manual - Page 438
    port port-number] severity severity-level [local-facility facility-level] To enable periodic mark messages for use in troubleshooting out queue maintained by the switch. Logging to the buffer is DWS-1008# set log buffer severity warning success: change accepted. D-Link DWS-1008 User Manual 419
  • D-Link DWS-1008 | Product Manual - Page 439
    VLAN, X509, XML, AP, RAPDA, WEBVIEW, EAP, FP, STAT, SSHD, SUP, DNSD, CONFIG, BACKUP. To clear the buffer, type the following command: DWS-1008# clear log buffer To disable logging to the system buffer, type the following command: DWS-1008# set log buffer disable D-Link DWS-1008 User Manual 420
  • D-Link DWS-1008 | Product Manual - Page 440
    event messages to a syslog server, use the following command: set log server ip-addr [port port-number] severity severity-level [local-facility facility-level] Use the IP address of the syslog server and boot messages are sent with facility 20 by default. D-Link DWS-1008 User Manual 421
  • D-Link DWS-1008 | Product Manual - Page 441
    severity-level To enable current session logging, type the following command: DWS-1008# set log current enable success: change accepted To disable current session logging, type the following command: DWS-1008# set log current disable success: change accepted D-Link DWS-1008 User Manual 422
  • D-Link DWS-1008 | Product Manual - Page 442
    accumulated trace data for enabled traces to a file in the switch's nonvolatile storage, use the following command: save trace filename To save trace data into the file trace1 in the subdirectory traces, type the following command: DWS-1008# save trace traces/trace1 D-Link DWS-1008 User Manual 423
  • D-Link DWS-1008 | Product Manual - Page 443
    (sm), and 802.1X users (dot1x), four areas that you might find most helpful. To focus on the object of the trace, you can add one or more of these parameters to the set trace command: set trace [area] [mac-addr mac-addr] [port port-num] [user username] [level level] D-Link DWS-1008 User Manual 424
  • D-Link DWS-1008 | Product Manual - Page 444
    Tracing 802.1X sessions can help diagnose problems with wireless clients. For example, to trace 802.1X activity for user [email protected] at level 4, type the following command: DWS-1008# set trace dot1x user [email protected] level 4 success: change accepted. D-Link DWS-1008 User Manual 425
  • D-Link DWS-1008 | Product Manual - Page 445
    type the following command: DWS-1008# show trace milliseconds spent printing traces: 31.945 Trace Area Level Mac User Port Filter authentication 3 admin 0 for areas processing packets that might be associated with the Telnet session. D-Link DWS-1008 User Manual 426
  • D-Link DWS-1008 | Product Manual - Page 446
    following command copies the log messages in trace buffer 0000000001 to a TFTP server at IP address 192.168.253.11, in a file called log-file: DWS-1008# copy 0000000001 tftp://192.168.253.11/log-file D-Link DWS-1008 User Manual 427
  • D-Link DWS-1008 | Product Manual - Page 447
    # clear log trace List of Trace Areas To see all MSS areas you can trace, type the following command: DWS-1008# set trace ? Using Show Commands To troubleshoot the switch, you can use show commands to display information about different areas of the MSS. The following commands can provide helpful
  • D-Link DWS-1008 | Product Manual - Page 448
    EXAMPLE\* peap-mschapv2 sg1 user sqa password = 08325d4f (encrypted) session-timeout = 3600 mac-user 00:00:a6:47:ad:03 session-timeout = 3600 vlan-name = vlan-wep mac-user 00:00:65:16:0d:69 session-timeout = 3600 vlan-name = vlan-eng D-Link DWS-1008 User Manual 429
  • D-Link DWS-1008 | Product Manual - Page 449
    a protocol analyzer to the observer port to examine the source port's traffic. Both traffic directions (send and receive) are mirrored. Note: Port mirroring enables you to snoop traffic on wired ports. To snoop wireless traffic, see "Remotely Monitoring Traffic". D-Link DWS-1008 User Manual 430
  • D-Link DWS-1008 | Product Manual - Page 450
    Remote traffic monitoring enables you to snoop wireless traffic, by using a Distributed AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal. D-Link DWS-1008 User Manual 431
  • D-Link DWS-1008 | Product Manual - Page 451
    monitor wireless the observer host IP addresses specified by the filter. TZSP uses UDP port 37008 for its transport. (TZSP was created by Chris Waters of restart. However, filter state is not persistent. If the switch or the AP is restarted, the filter is disabled. To Link DWS-1008 User Manual 432
  • D-Link DWS-1008 | Product Manual - Page 452
    to listen to UDP packets on the TZSP port. Configuring a Snoop Filter To configure a snoop filter, use the following command: set snoop filter-name [condition-list] [observer ip-addr] [snap-length num] The filter-name can be up to 15 alphanumeric characters. D-Link DWS-1008 User Manual 433
  • D-Link DWS-1008 | Product Manual - Page 453
    the condition value. The src-mac, dest-mac, and host-mac conditions also support lt (less than) and gt (greater than). The observer ip-addr DWS-1008# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.3 snap-length 100 D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 454
    the switch, use the following command: show snoop info [filter-name] The following command shows the snoop filters configured in the examples above: DWS-1008# to radio 2 on Distributed AP 3: DWS-1008# set snoop map snoop1 dap 3 radio 2 success: change accepted. D-Link DWS-1008 User Manual 435
  • D-Link DWS-1008 | Product Manual - Page 455
    | 2} The following command removes snoop filter snoop2 from radio 2 on Distributed AP 3: DWS-1008# clear snoop map snoop2 dap 3 radio 2 success: change accepted. To remove all snoop filter mappings from all radios, use the following command: clear snoop map all D-Link DWS-1008 User Manual 436
  • D-Link DWS-1008 | Product Manual - Page 456
    : show snoop stats [filter-name [dap-num [radio {1 | 2}]]] The following command shows statistics for snoop filter snoop1: DWS-1008# show snoop stats snoop1 Filter Dap Radio Rx Match Tx Match Dropped Stop-After snoop 1 3 1 96 4 0 stopped D-Link DWS-1008 User Manual 437
  • D-Link DWS-1008 | Product Manual - Page 457
    install the following applications on the observer: • Ethereal or Tethereal Version 0.10.8 or later • Netcat (any version), if not already installed : • For Ethereal capture, use ethereal filter port 37008. • For Tethereal capture, use tethereal -V port 37008. D-Link DWS-1008 User Manual 438
  • D-Link DWS-1008 | Product Manual - Page 458
    troubleshooting the problem easier by providing the following: • show tech-support output • Core files • Debug messages • Description of the symptoms and network conditions when the problem occurred The following sections show how to gather system information and send it to TAC. D-Link DWS-1008
  • D-Link DWS-1008 | Product Manual - Page 459
    support Command The show tech-support command combines a group of show commands to provide an in-depth snapshot of the status of the switch. The output displays details about the system image and configuration used after the last reboot, the version, ports free D-Link DWS-1008 User Manual 440
  • D-Link DWS-1008 | Product Manual - Page 460
    a core file, the switch also sends debug messages to the serial console during a system crash. To capture the messages, attach a PC to the port (if one is not already attached) and use the terminal emulation application on the PC to capture a log of the messages. D-Link DWS-1008 User Manual 441
  • D-Link DWS-1008 | Product Manual - Page 461
    browser is installed. Note: If you are configuring a new DWS-1008, you can access Web View without any preconfiguration. Attach your PC directly to the switch's Ethernet management port. Then enter http://192.168.100.1 in the web browser's Location or Address field. D-Link DWS-1008 User Manual 442
  • D-Link DWS-1008 | Product Manual - Page 462
    installed, one of the toolbar's options can cause some of the fields in Web View to be highlighted in yellow. If you want to turn off the yellow highlighting, disable the Automatically highlight fields that Autofill can fill option, which is one of the toolbar's options. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 463
    and Values String. Name of the user to be authenticated. Used only in Request packets. Password of the user to be authenticated, unless a CHAP-Password is used. Password of the user to be authenticated, unless a User-Password is used. IP address sent by the switch. D-Link DWS-1008 User Manual 444
  • D-Link DWS-1008 | Product Manual - Page 464
    support D-Link VSAs. Maximum number of seconds of service allowed the user before reauthentication of the session. Note. If the global reauthentication timeout (set by the set dot1x reauth-period command) is shorter than the session-timeout, MSS uses the global timeout instead. D-Link DWS-1008 User
  • D-Link DWS-1008 | Product Manual - Page 465
    ASCII format, with octet values separated by hyphens (for example, 00 from the port over the course of this service being provided service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 466
    wrapped around 2^32 over the course of this service being provided. Can be present only in user session started, stopped, or was updated, in seconds since January 1, 1970. Same as VLAN-Name. Physical port that authenticates the user, in the form AP port number/radio. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 467
    with directly connected APs. Several types (for example, ping) Roaming traffic uses IP tunnels, encapsulated with IP protocol 4. To list the TCP port numbers in use on a DWS-1008 switch, including those for the other end of a connection, use the show tcp command. D-Link DWS-1008 User Manual 448
  • D-Link DWS-1008 | Product Manual - Page 468
    • Host connected to a new (unconfigured) DWS-1008, to configure the switch using the Web Quick Start DHCP service for these items is enabled by default. Optionally, you can configure the DHCP server to also provide IP addresses to Distributed APs and to clients. Configuration is supported on an
  • D-Link DWS-1008 | Product Manual - Page 469
    set interface dhcpserver command's primary-dns and secondary-dns options, the MSS DHCP server uses the values set by the set ip dns server command. D-Link DWS-1008 User Manual 450
  • D-Link DWS-1008 | Product Manual - Page 470
    25 success: change accepted. To remove all IP information from a VLAN, including the DHCP client and user-configured DHCP server, use the following command: clear interface vlan-id ip Note: This command clears all IP configuration information from the interface. D-Link DWS-1008 User Manual 451
  • D-Link DWS-1008 | Product Manual - Page 471
    is displayed instead. The following command displays the addresses leased by the DHCP server: DWS-1008# show dhcp-server VLAN Name Address MAC Lease Remaining (sec) 1 default 10.10 interface is an internal VLAN interface for directly connected APs. D-Link DWS-1008 User Manual 452
  • D-Link DWS-1008 | Product Manual - Page 472
    rates of up to 54 Mbps. 802.11b A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on direct-sequence spread-spectrum (DSSS), at a frequency of 2.4 GHz and data rates of up to 11 Mbps. D-Link DWS-1008 User Manual 453
  • D-Link DWS-1008 | Product Manual - Page 473
    to the IEEE 802.11 wireless LAN (WLAN) specification, for services that provide a secure network connection and a record of user activity, by identifying who the user is, what the user can access, and what services and resources the user is consuming. In a D-Link Mobility System, the DWS-1008 switch
  • D-Link DWS-1008 | Product Manual - Page 474
    set of wireless stations that communicate with one another through an access point (AP). BSSID - Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS). D-Link DWS-1008 User Manual 455
  • D-Link DWS-1008 | Product Manual - Page 475
    . In a wireless LAN (WLAN), the client (or supplicant) requests access to the services provided by the separated by a Layer 2 switch are within different collision domains. comma-separated values file - See CSV file. communications plenum cable - See plenum-rated cable. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 476
    the sender's end of a connection, and decrypting the encrypted text formatted by Privacy-Enhanced Mail (PEM) protocol according the certificate. CSV file - Comma-separated values file. A text file that - See DES. delivery traffic indication map - See DTIM. DES - Data Link DWS-1008 User Manual 457
  • D-Link DWS-1008 | Product Manual - Page 477
    service set (BSS) is in power-save mode. A DTIM indicates that any buffered broadcast or multicast frames are immediately transmitted by an access point (AP). DXF format - A tagged data representation, in ASCII format, of the information contained in an AutoCAD drawing file. D-Link DWS-1008 User
  • D-Link DWS-1008 | Product Manual - Page 478
    DWS-1008 switches. The connection can consist of two direct physical links from both AP ports to one or two DWS-1008 switches, one or more distributed links and troubleshooting. Enabled access requires a separate enable password. Compare restricted access. D-Link DWS-1008 User Manual 459
  • D-Link DWS-1008 | Product Manual - Page 479
    ) to which the device belongs. FDB entries are either permanent (never deleted), static (not aged, but deleted when the switch is restarted or loses power), or dynamic (learned dynamically and removed through aging or when the switch is restarted or loses power). D-Link DWS-1008 User Manual 460
  • D-Link DWS-1008 | Product Manual - Page 480
    into a gigabit Ethernet port, to link the port with a fiber-optic link between two remote points on a network, created by means of the Generic Routing Encapsulation (GRE) tunneling protocol. GRE encapsulates packets within a transport protocol supported of wireless LAN Link DWS-1008 User Manual 461
  • D-Link DWS-1008 | Product Manual - Page 481
    services, which the access point can grant or deny based on the contents of the association request. Like most corporate wireless LANs (WLANs), which must access a wired LAN for file servers and printers, a D-Link Mobility System is an infrastructure network. Compare ad hoc network. D-Link DWS-1008
  • D-Link DWS-1008 | Product Manual - Page 482
    accounting (AAA)-or assigns a VLAN or security ACL to users without these assignments. Defining location policy rules creates a location policy for local access within a DWS-1008 switch. Each switch can have only one location policy. See also location policy rule. D-Link DWS-1008 User Manual 463
  • D-Link DWS-1008 | Product Manual - Page 483
    policy on a DWS-1008 switch that grants or for a port. Higher-layer protocols use the MAC address at the MAC sublayer of the Data Link layer bytes of the address. See also user glob; VLAN glob. MAC protocol data unit - See MPDU. MAC service data unit - See MSDU. master Link DWS-1008 User Manual 464
  • D-Link DWS-1008 | Product Manual - Page 484
    CHAP. MSDU - MAC service data unit. In IEEE end. If fragmentation is not supported or possible, a packet wireless networking standards IEEE 802.11a and IEEE 802.11g are based on OFDM. orthogonal frequency division multiplexing - See OFDM. pairwise master key - See PMK. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 485
    address, but a different port number. See also NAT. PEM - Privacy-Enhanced Mail. A protocol, defined in routing protocol that supports thousands of services and managed by a certificate management system. See also certificate authority (CA); registration authority (RA). D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 486
    connected. plenum-rated cable - A type of cable approved by an independent test laboratory for installation end, is kept separate from the data signal port address translation - See PAT. Power over Ethernet - See PoE keying material. Privacy-Enhanced Mail - See PEM. Link DWS-1008 User Manual 467
  • D-Link DWS-1008 | Product Manual - Page 487
    separately for each radio. RADIUS - Remote Authentication Dial-In User Service. A client-server security protocol described in RFC 2865 and RFC 2866. RADIUS extensions, including RADIUS support Protocol (TKIP). received signal strength indication - See RSSI. D-Link DWS-1008 User Manual 468
  • D-Link DWS-1008 | Product Manual - Page 488
    software that verifies a user (client) request for a digital certificate and instructs the certificate authority (CA service. robust security network - See RSN. rogue access point - An access point (AP) that is not authorized to operate within a wireless See SSL. D-Link DWS-1008 User Manual 469
  • D-Link DWS-1008 | Product Manual - Page 489
    user, port, virtual LAN (VLAN), or virtual port on a DWS-1008 switch controls the network traffic to or from the user, port, VLAN, or virtual port . SSID - Service set identifier. The unique name shared among all computers and other devices in a wireless LAN (WLAN). Link DWS-1008 User Manual 470
  • D-Link DWS-1008 | Product Manual - Page 490
    , designated by the U.S. Federal Communications Commission (FCC) to provide high-speed wireless networking. The three frequency bands-5.15 GHz through 5.25 GHz (for indoor use only), 5.25 GHz through 5.35 GHz, and 5.725 GHz through 5.825 GHz-were allocated in 1997. D-Link DWS-1008 User Manual 471
  • D-Link DWS-1008 | Product Manual - Page 491
    DWS-1008 switch and its attached DWL-8220AP access points through a Web browser. Web View uses a secure connection that implements Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). WECA - Wireless Ethernet Compatibility Alliance. See Wi-Fi Alliance. D-Link DWS-1008 User Manual 472
  • D-Link DWS-1008 | Product Manual - Page 492
    wireless security than the Wired-Equivalent Privacy protocol (WEP), WPA is not as secure as IEEE 802.11i, which includes both the RC4 encryption used in WEP and Advanced Encryption Standard (AES) encryption, but is not yet ratified by IEEE. See also AES; RC4; TKIP. D-Link DWS-1008 User Manual
  • D-Link DWS-1008 | Product Manual - Page 493
    wireless frame that contain Wi-Fi Protected Access (WPA) information for the access point or client. For example, a DWL-8220AP access point uses the WPA IE in a beacon frame to advertise the cipher suites and authentication methods that the access point supports. D-Link DWS-1008 User Manual 474
  • D-Link DWS-1008 | Product Manual - Page 494
    • Total wattage budget (all ports): 91.8W • Wattage per port: 15.3W • Cable requirements: PoE on 10/100 Mbps RJ-45 ports using pins 4, 5 (node) and 7, 8 (return) on standard Category 5 UTP or STP Regulatory Safety • UL 60950 • TUV/GS EN 60950 • CSA 22.2 NO. 60950 D-Link DWS-1008 User Manual 475
  • D-Link DWS-1008 | Product Manual - Page 495
    1993) • CISPR 22 Software Specifications IEEE • IEEE Std 802.1X-2001 - Port-Based Network Access Control • IEEE Std 802.11i- Enhanced Security for 802.11 wireless networks based on AES • IEEE Std 802.11h • IEEE Std 802.11d and 2048-bit • CCMP: AES 128-bit (FIPS-197) D-Link DWS-1008 User Manual 476
  • D-Link DWS-1008 | Product Manual - Page 496
    • RFC 1213 MIB-II • RFC 1907 SNMPv2 • RFC 3164 Syslog • Trapeze private MIB IP Multicast • RFC 1112 IGMP v1 • RFC 2236 IGMP v2 Quality of Service • RFC 2472 DiffServ Precedence • RFC 2597 DiffServ Assured Forwarding • RFC 2598 DiffServ Expedited Forwarding D-Link DWS-1008 User Manual 477
  • D-Link DWS-1008 | Product Manual - Page 497
    will be free of physical defects. D-Link's sole obligation shall be to replace the non-conforming Software (or defective media) with software that substantially conforms to D-Link's functional specifications for the Software or to refund at D-Link's sole discretion. D-Link DWS-1008 User Manual 478
  • D-Link DWS-1008 | Product Manual - Page 498
    Link determines in its sole discretion that it is not practical to replace the non-conforming Software, the price invoice for the product) before the warranty service is provided. • After an RMA number is dlink.com for detailed warranty information within Canada) D-Link DWS-1008 User Manual 479
  • D-Link DWS-1008 | Product Manual - Page 499
    LIABILITY OF D-LINK UNDER THIS WARRANTY IS LIMITED TO THE PURCHASE PRICE OF THE PRODUCT COVERED BY THE WARRANTY. THE FOREGOING EXPRESS WRITTEN WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ANY OTHER WARRANTIES OR REMEDIES, EXPRESS, IMPLIED OR STATUTORY. D-Link DWS-1008 User Manual 480
  • D-Link DWS-1008 | Product Manual - Page 500
    the equipment into an outlet on a circuit different from that to which the receiver is connected. • Consult the dealer or an experienced radio/TV technician for help. For detailed warranty outside the United States, please contact corresponding local D-Link office. D-Link DWS-1008 User Manual 481
  • D-Link DWS-1008 | Product Manual - Page 501
    limits set forth for an uncontrolled environment. The antenna(s) used for this equipment must be installed to provide a separation distance of at least eight inches (20 cm) from all persons. This equipment must not be operated in conjunction with any other antenna. D-Link DWS-1008 User Manual 482
  • D-Link DWS-1008 | Product Manual - Page 502
    Registration Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights. Version 2.0 December 8, 2006 D-Link DWS-1008 User Manual 483