Netgear GSM4248P Product Datasheet - Page 14


Datasheet | M4250 series AV Line Managed Switches


With Successive Tiering, the Authentication Manager allows authentication methods to be configured per port for a Tiered Authentication based on configured time-outs
• By default, the configured authentication methods are tried in this order: Dot1x, then MAB, then Captive Portal (web authentication)
• With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies. For instance, when a client is connecting, the M4300 tries to authenticate the user/client using the three methods above, one after the other
• The admin can restrict the configuration so that, for instance, no other method is allowed to follow the captive portal method
Double VLANs (DVLAN) pass traffic from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are preserved and a service provider VLAN ID is added to the traffic so that it can cross the metro core in a simple, secure manner (the added tag keeps the tenants' VLAN spaces apart on the provider network; it does not encrypt the traffic)
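The tagging that DVLAN performs, shown as an added worked example (this is not code from the datasheet or from Netgear): the provider edge pushes an IEEE 802.1ad service tag (TPID 0x88A8) in front of whatever the customer sent, so the customer's own 802.1Q tag (TPID 0x8100) and VLAN ID cross the core untouched and are restored on the far edge. The MAC addresses, VLAN IDs and payload bytes are constructed for the example; the function names are the example's own.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service-provider tag (some networks still use 0x9100 or 0x8100)


def build_ctag_frame(dst, src, cvid, ethertype, payload, pcp=0):
    """Customer-side frame: MACs, one 802.1Q tag carrying the customer VLAN, then the payload."""
    tci = (pcp << 13) | (cvid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_CTAG, tci, ethertype) + payload


def push_stag(frame, svid, pcp=0):
    """Provider edge, customer-facing ingress: insert the S-tag right after the MAC addresses.
    Whatever the customer sent, tagged or not, becomes opaque payload behind the S-tag, so a
    customer cannot pick its own provider VLAN by sending an 0x88A8-tagged frame itself."""
    tci = (pcp << 13) | (svid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_STAG, tci) + frame[12:]


def pop_stag(frame):
    """Provider edge, customer-facing egress: strip the outer S-tag, return (svid, customer frame)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_STAG:
        raise ValueError("outer tag is not an S-tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def _walk_tags(frame):
    """Walk the tag stack after the MAC addresses: (tags outer-first, offset of payload ethertype)."""
    tags, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags, off


def parse_tags(frame):
    return _walk_tags(frame)[0]


def payload_ethertype(frame):
    _, off = _walk_tags(frame)
    return struct.unpack("!H", frame[off:off + 2])[0]


if __name__ == "__main__":
    # Constructed sample: customer VLAN 100 carrying IPv4, mapped to provider VLAN 3000.
    customer = build_ctag_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                                cvid=100, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19)
    core = push_stag(customer, svid=3000)
    print(parse_tags(core))
    print(pop_stag(core)[1] == customer)
```

On the core side only the outer tag is looked at for forwarding; an untagged customer frame gets exactly one tag (the S-tag), a tagged one gets two, and in both cases the customer's bytes come back unchanged after `pop_stag`.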
Private VLANs (with Primary VLAN, Isolated VLAN, Community VLAN, Promiscuous port, Host port, Trunks) provide Layer 2 isolation between ports that share the same broadcast domain, allowing a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains across switches in the same Layer 2 network
• Private VLANs are useful in a DMZ when servers are not supposed to communicate with each other but need to communicate with a router
• They remove the need for more complex port-based VLANs with their respective IP interfaces/subnets and associated L3 routing
• Another typical Private VLAN application is carrier-class deployments, where users should not be able to see, snoop on or attack other users' traffic
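The forwarding rule behind those port roles, as an added example (not code from the datasheet or from Netgear): a promiscuous port reaches every port of the primary VLAN, a community port reaches its own community plus the promiscuous ports, and an isolated port reaches the promiscuous ports only. The DMZ below (port names, the "web" community, and the `reachable_via_router` check) is constructed for the example; the last function models the caveat that the isolation is Layer 2 only, so two isolated hosts can still talk through the router on the promiscuous port unless that router filters.

```python
from dataclasses import dataclass

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    kind: str             # PROMISCUOUS (router/firewall side) or a host port: COMMUNITY / ISOLATED
    community: str = ""   # community VLAN name, only meaningful for COMMUNITY host ports


def can_forward(src: Port, dst: Port) -> bool:
    """Layer 2 forwarding decision between two ports of the same primary VLAN."""
    if src == dst:
        return False
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                                   # promiscuous ports reach every port
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.community == dst.community         # community ports reach their own community
    return False                                      # isolated ports reach promiscuous ports only


def l2_reachability(ports):
    """Which ports each port can reach at Layer 2 (unicast, broadcast and multicast alike)."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q)) for p in ports}


def reachable_via_router(src: Port, dst: Port, ports, router_filters: bool) -> bool:
    """Isolation is Layer 2 only: if both hosts reach a promiscuous port that routes (or proxy-ARPs)
    between them, they still talk at Layer 3 unless that device filters the traffic."""
    if router_filters or src == dst:
        return False
    routers = [p for p in ports if p.kind == PROMISCUOUS]
    return any(can_forward(src, r) and can_forward(r, dst) for r in routers)


# Constructed DMZ: one router uplink, two web servers that cluster with each other, and a
# database server and a mail relay that must see neither each other nor the web tier.
DMZ = [
    Port("router", PROMISCUOUS),
    Port("web1", COMMUNITY, "web"),
    Port("web2", COMMUNITY, "web"),
    Port("db", ISOLATED),
    Port("mail", ISOLATED),
]

if __name__ == "__main__":
    for name, peers in l2_reachability(DMZ).items():
        print(f"{name:6} -> {', '.join(peers)}")
    print(reachable_via_router(DMZ[3], DMZ[4], DMZ, router_filters=False))
```

The last line is the check worth running before relying on a Private VLAN for a DMZ: unless the device on the promiscuous port has ACLs (or does not route between the hosts' addresses), `db` and `mail` are isolated from each other only at Layer 2.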
SSL version 3 and TLS (listed as “TLS version 2” in the original datasheet text; TLS 1.2 is presumably meant) ensure Web GUI sessions are secured. SSLv3 is obsolete (deprecated by RFC 7568) and should be disabled so that the management HTTPS interface offers TLS only
Secure Shell (SSH version 2), replacing clear-text Telnet, and SNMPv3 (with or without MD5 or SHA authentication) ensure CLI and SNMP management sessions are secured. For a hardened management plane use SSHv2 and SNMPv3 with SHA authentication, and disable Telnet and SNMPv1/v2c
2048-bit RSA key pairs, SHA2-256 and SHA2-512 cryptographic hash functions for SSLv3 and SSHv2 are supported on all M4300 models
TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch configuration, based on the latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using a TACACS+ or RADIUS server; user exec accounting for HTTP and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
Superior quality of service
Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport port) prioritization
8 queues (7 in a stack) for priorities; QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
Advanced rate limiting down to 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with ACLs for best granularity
Single Rate Policing feature enables support for the Single Rate Policer as defined by RFC 2697
• Committed Information Rate (CIR: average allowable rate for the class)
• Committed Burst Size (CBS: maximum burst, in bytes, admitted for the class at the committed rate)
• Excess Burst Size (EBS: additional burst size for the class, whose credits refill more slowly than the committed burst size because it only receives tokens once the committed bucket is full)
• DiffServ feature applied to class maps
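How the RFC 2697 policer turns CIR, CBS and EBS into a per-packet decision, as an added example (not code from the datasheet or from Netgear): two token buckets share one refill rate, the committed bucket fills first, and only its overflow tops up the excess bucket, which is why the excess burst refills more slowly. Packets are marked green (within CIR/CBS), yellow (within EBS) or red (drop or remark). The rates, bucket sizes and packet trace are constructed; the class and function names are the example's own.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


class SingleRatePolicer:
    """RFC 2697 single-rate three-color marker, color-blind mode.

    Bucket C holds at most CBS tokens, bucket E at most EBS; tokens arrive at CIR and go into C
    until it is full, then into E. Units: cir in bytes/second, cbs/ebs in bytes, time in seconds.
    """

    def __init__(self, cir, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = cbs, ebs       # both buckets start full (RFC 2697 section 2)
        self.last = 0.0

    def _refill(self, now):
        tokens = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        into_c = min(tokens, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(self.ebs, self.te + tokens - into_c)   # only the overflow reaches E

    def mark(self, now, size):
        """Color one packet of `size` bytes arriving at time `now`; red packets consume no tokens."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return GREEN
        if size <= self.te:
            self.te -= size
            return YELLOW
        return RED


def police(policer, packets):
    """Run a (time, size) trace through the policer and return the color of each packet."""
    return [policer.mark(t, size) for t, size in packets]


# Constructed trace: CIR 1000 B/s, CBS 1500 B, EBS 1000 B. Six 500-byte packets at t=0 drain C
# (3 green) and then E (2 yellow) and the sixth is red. One second later C holds 1000 tokens,
# so a 1500-byte packet exceeds both buckets (red) while a 1000-byte packet conforms (green).
SAMPLE_TRACE = [(0.0, 500)] * 6 + [(1.0, 1500), (1.0, 1000)]


def demo():
    return police(SingleRatePolicer(cir=1000, cbs=1500, ebs=1000), SAMPLE_TRACE)


if __name__ == "__main__":
    print(demo())
```

The trace shows the practical meaning of the three parameters: CBS bounds what a class can send at once without penalty, EBS gives a second chance that is replenished only when the class has been idle long enough for C to refill, and a packet larger than both buckets is red no matter how long the class waits.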
Automatic Voice over IP prioritization with protocol-based (SIP, H.323 and SCCP) or OUI-based Auto-VoIP for up to 144 simultaneous voice calls
Flow Control
802.3x Flow Control implementation per IEEE 802.3 Annex 31B specifications, with Symmetric flow control, Asymmetric flow control or No flow control
• Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot generate PAUSE frames
• Symmetric flow control allows the switch to both respond to and generate MAC control PAUSE frames
• Flow control allows traffic from one device to be throttled for a specified period of time: a device that wishes to inhibit transmission of data frames from another device on the LAN transmits a PAUSE frame
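The PAUSE frame itself and the three port modes, as an added example (not code from the datasheet or from Netgear): a MAC control frame to the reserved address 01-80-C2-00-00-01 with ethertype 0x8808, opcode 0x0001 and a 16-bit pause time counted in quanta of 512 bit times, so the same request holds a 1 Gb/s port ten times longer than a 10 Gb/s port. The source MAC and the `FlowControlPort` model are constructed for the example.

```python
import struct

PAUSE_DST = bytes.fromhex("0180c2000001")  # reserved MAC-control address, never forwarded by a bridge
ETHERTYPE_MAC_CONTROL = 0x8808
OPCODE_PAUSE = 0x0001
QUANTUM_BITS = 512                           # one pause quantum = 512 bit times on the link
MIN_FRAME_WITHOUT_FCS = 60


def build_pause_frame(src_mac, pause_quanta):
    """Frame a MAC control PAUSE request (Annex 31B): opcode, 16-bit pause time, zero padding."""
    if not 0 <= pause_quanta <= 0xFFFF:
        raise ValueError("pause_time is a 16-bit field")
    header = PAUSE_DST + src_mac + struct.pack("!H", ETHERTYPE_MAC_CONTROL)
    body = struct.pack("!HH", OPCODE_PAUSE, pause_quanta)
    return header + body + b"\x00" * (MIN_FRAME_WITHOUT_FCS - len(header) - len(body))


def parse_pause_frame(frame):
    """Return the requested pause time in quanta, or None if this is not a PAUSE frame."""
    if len(frame) < 18 or frame[:6] != PAUSE_DST:
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != ETHERTYPE_MAC_CONTROL or opcode != OPCODE_PAUSE:
        return None
    return quanta


def pause_duration_us(quanta, link_bps):
    """How long the receiver stops sending: quanta x 512 bit times at link speed, in microseconds."""
    return quanta * QUANTUM_BITS / link_bps * 1e6


class FlowControlPort:
    """Per-port policy from the datasheet: symmetric (honour and send), asymmetric (honour only), none."""

    def __init__(self, mode):
        if mode not in ("symmetric", "asymmetric", "none"):
            raise ValueError(mode)
        self.mode = mode

    def can_send(self):
        return self.mode == "symmetric"

    def send_pause(self, src_mac, quanta):
        if not self.can_send():
            raise PermissionError(f"{self.mode} flow control does not generate PAUSE frames")
        return build_pause_frame(src_mac, quanta)

    def on_receive(self, frame, link_bps):
        """Microseconds this port holds its transmitter; 0 when PAUSE is ignored or cancelled."""
        quanta = parse_pause_frame(frame)
        if quanta is None or self.mode == "none":
            return 0.0
        return pause_duration_us(quanta, link_bps)   # pause_time 0 cancels an earlier pause


if __name__ == "__main__":
    # Constructed: a peer requests the maximum pause on a 1 Gb/s link.
    frame = build_pause_frame(bytes.fromhex("0011aabbccdd"), 0xFFFF)
    print(len(frame), parse_pause_frame(frame))
    print(FlowControlPort("asymmetric").on_receive(frame, 1_000_000_000))
```

The mode choice is a trust decision as much as a performance one: a port in symmetric or asymmetric mode stops transmitting for up to about 33.5 ms per maximum-length PAUSE at 1 Gb/s, and a peer can repeat the request, so ports facing untrusted hosts are usually run with flow control off (or asymmetric, so that at least the switch never pauses its uplink on a host's behalf).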
UDLD Support
UDLD implementation detects unidirectional links on physical ports (UDLD must be enabled on both sides of the link in order to detect a unidirectional link)
• The UDLD protocol operates by exchanging packets containing information about neighboring devices
• The purpose is to detect and avoid unidirectional link forwarding anomalies in a Layer 2 communication channel
• Both “normal-mode” and “aggressive-mode” are supported for full compatibility with other vendors' implementations, including port “D-Disable” triggering cases in both modes
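The neighbour exchange and the two modes, as an added example (not code from the datasheet or from Netgear): each port sends hellos carrying its own identity and the identities it has heard on that port; a port that hears its neighbour but never sees itself in the neighbour's echo knows its own transmit direction is dead and D-Disables in both modes, while a neighbour that goes silent after having been established leads to D-Disable only in aggressive mode (normal mode just ages the neighbour out). The device and port names, the single hello interval per loop iteration, the retry count of eight and the `sent > 1` detection window are simplifications assumed for the example.

```python
from dataclasses import dataclass


@dataclass
class UdldHello:
    sender: tuple   # (device id, port id) of the sending port
    echo: list      # neighbour ids the sender has heard on that port; the peer looks for itself here


class UdldPort:
    def __init__(self, device_id, port_id, mode="normal", retries=8):
        self.id = (device_id, port_id)
        self.mode = mode                # "normal" or "aggressive"
        self.retries = retries          # unanswered hellos tolerated once a neighbour was known (assumed: 8)
        self.state = "undetermined"     # undetermined | bidirectional | d-disabled
        self.neighbor = None
        self.sent = 0
        self.missed = 0

    def hello(self):
        """Periodic hello; a D-Disabled port is shut down and sends nothing."""
        if self.state == "d-disabled":
            return None
        self.sent += 1
        return UdldHello(self.id, [self.neighbor] if self.neighbor else [])

    def receive(self, msg):
        """msg is the hello that arrived in this interval, or None if nothing arrived."""
        if self.state == "d-disabled":
            return
        if msg is None:
            self.missed += 1
            if self.neighbor and self.missed > self.retries:
                # A known neighbour went silent. Aggressive mode treats this as a unidirectional
                # link and D-Disables the port; normal mode only ages the neighbour out.
                self.state = "d-disabled" if self.mode == "aggressive" else "undetermined"
                self.neighbor = None
            return
        self.neighbor, self.missed = msg.sender, 0
        if self.id in msg.echo:
            self.state = "bidirectional"       # the neighbour hears us and we hear it
        elif self.sent > 1:
            # We have been transmitting, yet the neighbour's echo never lists us: our transmit
            # direction is dead. This echo check D-Disables the port in both modes.
            self.state = "d-disabled"


def simulate(plan, mode="normal"):
    """plan: one (a_to_b_ok, b_to_a_ok) pair per hello interval. Returns the final (state_a, state_b)."""
    a = UdldPort("switch-A", "1/0/1", mode)
    b = UdldPort("switch-B", "1/0/1", mode)
    for a_to_b, b_to_a in plan:
        ha, hb = a.hello(), b.hello()
        b.receive(ha if a_to_b else None)
        a.receive(hb if b_to_a else None)
    return a.state, b.state


if __name__ == "__main__":
    # Constructed scenarios: a healthy link, a link whose A->B strand is dead from the start,
    # and a link that works for five intervals and then goes silent in both directions.
    print(simulate([(True, True)] * 10))
    print(simulate([(False, True)] * 10))
    print(simulate([(True, True)] * 5 + [(False, False)] * 15, mode="aggressive"))
    print(simulate([(True, True)] * 5 + [(False, False)] * 15, mode="normal"))
```

The second scenario is the one UDLD exists for: without it, switch A would keep the port up and spanning tree on that side could unblock a loop because it never hears BPDUs from B. Note that B, which never hears anything, stays undetermined in both modes; only the side that still receives can prove the link is one-way, which is why the datasheet insists UDLD be enabled on both ends.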
PAGE 14 of 63