Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3200-10 » Manual Viewer

D-Link DGS-3200-10 Product Manual - Page 177

MAC Local Settings, Web-based Access Control (WAC) - d link default ip

UPC - 790069306310

Add to My Manuals
Save this manual to your list of manuals

Page 177 highlights

xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch MAC Local Settings Users can set a list of M AC addresses, along with their corresponding target VLAN, which will be authenticated for the Switch. Once a queried MAC a ddress is m atched in this wi ndow, it will be placed in the VLAN associated with it he re. The Switch administrator may enter up to 128 MAC addresses to be authenticated using the local method configured here. To view the following window, click Security > MAC-based Access Control (MAC)> MAC Local Settings: Figure 5 - 46. MAC Local Settings window To add a MAC address to t he local aut hentication list, en ter the MAC address and the target VLAN Nam e into their appropriate fields and click Add. To change a M AC address or a VL AN in the list, enter its parameters into the appropriate fields and click Edit. To d elete a MAC address en try, en ter its parameters in to th e appro priate field s and click Delete By MAC. To d elete a VLAN Name, enter its parameters into the appropriate fields and click Delete By VLAN. To search for a specific MAC Address, enter the MAC address in the first field and then click the Find By MAC button. To search for a specific VLAN Name, enter the VLAN name in the second field and then click the Find By VLAN button. Web-based Access Control (WAC) Web-based Authentication Login is a feature designed to authenticate a user when the user is trying t o access the Internet via the Switch. The a uthentication process use s t he HTT P p rotocol. T he Switch en ters th e au thenticating stage whe n us ers attem pt to browse Web pages (e.g., http://www.dlink.com) through a Web browser. When the Switch detects HTTP packets and this port is un-authenticated, the Switch will launch a pop-up user name and password window to query users. Users are not able to access the Internet until the authentication process is passed. The Switch can be the authentication server itself and do the authentication based on a local database, or be a RADIUS client and perform th e au thentication process via the RADIUS protocol with a rem ote RADIUS server. Th e clien t user in itiates th e authentication process of WAC by attempting to gain Web access. D-Link's implementation of WAC uses a virtual IP that is exclusively used by the WAC function and is not known by any other modules of the Switch. In fact, to avoid affecting a Switch's other features, WAC will only use a virtual IP address to communicate with hosts. Thus, all authentication requests must be sent to a virtual IP address but not to the IP address of the Switch's physical interface. Virtual IP works like this, when a host PC communicates with the WAC Switch through a virtual IP, the virtual IP is transformed into the physical IPIF (IP interface) address of the Switch to make the communication possible. The host PC and other servers' IP configurations do not depend on the virtual IP of WAC. The virtual IP does not respond to any ICMP packets or ARP requests, which means it is not allowed to configure a virtual IP on the same subnet as the Switch's IPIF (IP interface) or the same subnet as the host PCs' subnet. As all packets to a virtual IP from authenticated and authenticating hosts will be trapped to the Switch's CPU, if the virtual IP is the same as other servers or PCs, the hosts on the WAC-enabled ports cannot communicate with the server or PC which really own the IP address. If the hosts need to access the server or PC, the virtual IP cannot be the same as the one of the server or PC. If a host PC uses a proxy to access the Web, to make the authentication work properly the user of the PC should add the virtual IP to the exception of the proxy configuration. Whether or not a virtual IP is specified, users can access the WAC pages through the Switch's system IP. When a virtual IP is not specified, the authenticating Web request will be redirected to the Switch's system IP. The Switch's implementation of WAC features a user-defined port number that allows the configuration of the TCP port for either the HTTP or HTTPS protocols. This TCP port for HTTP or HTTPS is used to identify the HTTP or HTTPS packets that will be trapped to the CPU for authentication processing, or to access the login page. If not specified, the default port number for HTTP is 80 and the default port number for HTTPS is 443. If no protocol is specified, the default protocol is HTTP. The following diagram illustrates the basic six steps all parties go through in a successful Web Authentication process: 164

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	10
Safety Cautions	10
General Precautions for Rack-Mountable Products	11
Lithium Battery Precaution	13
Protecting Against Electrostatic Discharge	13
Introduction	14
Logging onto the Web Manager	14
Web-Based User Interface	14
Introduction	14
Logging onto the Web Manager	14
Web-based User Interface	15
Areas of the User Interface	15
Web Pages	16
Device Information	18
System Information	18
Serial Port Settings	18
IP Address	18
IPv6 Interface Settings	18
IPv6 Route Table	18
IPv6 Neighbor Settings	18
Port Configuration	18
Static ARP Settings	18
User Accounts	18
System Log Configuration	18
System Severity Settings	18
DHCP/BOOTP Relay	18
DHCP Local Relay Settings	18
DHCP Auto Configuration Settings	18
MAC Address Aging Time	18
Web Settings	18
Telnet Settings	18
Password Encryption	18
CLI Paging Settings	18
Firmware Information	18
Power Saving Settings	18
Dual Configuration Settings	18
SMTP Settings	18
Ping Test	18
SNTP Settings	18
MAC Notification Settings	18
SNMP Settings	18
CPU Filter L3 Control Packet Settings	18
Single IP Management	18
SD Card FS Settings (DGS-3200-24 only)	18
Device Information	19
System Information	20
Serial Port Settings	21
IP Address	21
Setting the Switch’s IP Address using the Console Interface	23
IPv6 Interface Settings	23
IPv6 Route Table	25
IPv6 Neighbor Settings	26
Port Configuration	27
Port Settings	27
Port Description	28
Port Error Disabled	29
Static ARP Settings	29
User Accounts	31
Admin and User Privileges	31
System Log Configuration	32
System Log Settings	32
System Log Host	33
System Severity Settings	33
DHCP/BOOTP Relay	34
DHCP/BOOTP Relay Global Settings	34
Implementation of DHCP Relay Agent Information Option 82	36
DHCP/BOOTP Relay Interface Settings	37
DHCP Local Relay Settings	37
DHCP Auto Configuration Settings	38
MAC Address Aging Time	39
Web Settings	39
Telnet Settings	40
Password Encryption	40
CLI Paging Settings	41
Firmware Information	41
Power Saving Settings	43
Dual Configuration Settings	44
SMTP Settings	46
Ping Test	47
SNTP Settings	48
Time Settings	48
Time Zone Settings	49
MAC Notification Settings	50
MAC Notification Global Settings	50
MAC Notification Port Settings	51
SNMP Settings	52
Traps	52
MIBs	52
SNMP Global State Settings	53
SNMP Linkchange Trap Settings	53
SNMP View Table	54
SNMP Group Table	55
SNMP User Table	56
SNMP Community Table	57
SNMP Host Table	58
SNMP v6Host Table	59
SNMP Engine ID	60
SNMP Trap Configuration	60
RMON	61
CPU Filter L3 Control Packet Settings	61
Single IP Management	61
Upgrade to v1.61	63
Single IP Settings	63
Topology	65
Tool Tips	67
Right-Click	67
Group Icon	68
Commander Switch Icon	69
Member Switch Icon	69
Candidate Switch Icon	69
Menu Bar	70
File	70
Group	70
Device	70
View	70
Help	70
Firmware Upgrade	71
Configuration File Backup/Restore	71
Upload Log File	71
SD Card FS Settings	72
Jumbo Frame	74
Egress Filter Settings	74
802.1Q VLAN	74
Private VLAN Settings	74
802.1v Protocol VLAN	74
MAC-based VLAN Settings	74
GVRP Settings	74
PVID Auto Assign Settings	74
Port Trunking	74
VLAN Trunk Settings	74
LACP Port Settings	74
Traffic Segmentation	74
IGMP Snooping	74
MLD Snooping Settings	74
Port Mirroring	74
Loopback Detection Settings	74
Spanning Tree	74
Forwarding & Filtering	74
Jumbo Frame	74
Egress Filter Settings	75
802.1Q VLAN	75
Understanding IEEE 802.1p Priority	75
VLAN Description	76
Notes about VLANs on the Switch	76
IEEE 802.1Q VLANs	76
802.1Q VLAN Tags	77
Port VLAN ID	78
Tagging and Untagging	79
Ingress Filtering	79
Default VLANs	79
Port-based VLANs	80
VLAN Segmentation	80
VLAN and Trunk Groups	80
Private VLAN Settings	84
802.1v Protocol VLAN	89
802.1v Protocol Group Settings	89
802.1v Protocol VLAN Settings	90
MAC-based VLAN Settings	91
GVRP Settings	91
PVID Auto Assign Settings	92
Port Trunking	93
Understanding Port Trunk Groups	93
VLAN Trunk Settings	96
LACP Port Settings	97
Traffic Segmentation	98
IGMP Snooping	98
IGMP Snooping Settings	98
Data Driven Learning Settings	102
ISM VLAN Settings	103
Restrictions and Provisos	103
ISM Profile Settings	106
IP Multicast Profile Settings	107
Limited Multicast Address Range Settings	108
Max Multicast Group Settings	109
MLD Snooping Settings	109
MLD Control Messages	110
Port Mirroring	113
Loopback Detection Settings	114
Spanning Tree	115
802.1Q-2005 MSTP	115
802.1D-2004 Rapid Spanning Tree	116
Port Transition States	116
Edge Port	116
P2P Port	116
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	116
STP Bridge Global Settings	118
STP Port Settings	120
MST Configuration Identification	121
STP Instance Settings	122
MSTP Port Information	123
Forwarding & Filtering	124
Unicast Forwarding	124
Multicast Forwarding	124
Multicast Filtering Mode	125
Bandwidth Control	126
Traffic Control	126
802.1p Default Priority	126
802.1p User Priority	126
QoS Scheduling Mechanism	126
Understanding QoS	127
Bandwidth Control	128
Traffic Control	129
802.1p Default Priority	131
802.1p User Priority	131
QoS Scheduling Mechanism	132
Safeguard Engine	133
Trusted Host	133
IP-MAC-Port Binding (IMPB)	133
Port Security	133
DHCP Server Screening	133
Guest VLAN	133
802.1X	133
SSL Settings	133
SSH	133
Access Authentication Control	133
MAC-based Access Control (MAC)	133
Web-based Access Control (WAC)	133
Japanese Web-based Access Control (JWAC)	133
Multiple Authentication	133
IGMP Access Control Settings	133
ARP Spoofing Prevention Settings	133
Safeguard Engine	133
Trusted Host	135
IP-MAC-Port Binding (IMPB)	136
General Overview	136
Common IP Management Security Issues	136
Solutions to Improve IP Management Security	136
ARP Mode	136
ACL Mode	137
Strict and Loose State	137
DHCP Snooping Option	137
IMPB Global Settings	138
IMPB Port Settings	139
IMPB Entry Settings	141
DHCP Snooping Entries	142
MAC Block List	143
Port Security	144
Port Security Settings	144
Port Lock Entries	145
DHCP Server Screening	146
DHCP Screening Port Settings	146
DHCP Offer Filtering	147
Guest VLAN	148
Limitations Using the Guest VLAN	148
802.1X (Port-based and Host-based Access Control)	149
Authentication Server	150
Authenticator	150
Client	151
Authentication Process	151
Understanding 802.1X Port-based and Host-based Network Access Control	152
Port-based Network Access Control	152
Host-based Network Access Control	153
802.1X Settings	154
802.1X User	155
Initialize Port(s)	156
Reauthenticate Port(s)	157
Authentic RADIUS Server	158
SSL Settings	159
SSH	161
SSH Configuration	162
SSH Authmode and Algorithm Settings	163
SSH User Authentication Mode	165
Access Authentication Control	166
Authentication Policy and Parameter Settings	167
Application Authentication Settings	167
Authentication Server Group	168
Authentication Server Host	170
Login Method Lists	171
Enable Method Lists	172
Configure Local Enable Password	173
Enable Admin	173
MAC-based Access Control (MAC)	174
Notes about MAC-based Access Control	174
MAC Settings	174
MAC Local Settings	177
Web-based Access Control (WAC)	177
Conditions and Limitations	179
WAC Global Settings	179
WAC User Settings	180
WAC Port Settings	182
Japanese Web-based Access Control (JWAC)	183
JWAC Global Settings	183
JWAC Port Settings	185
JWAC User Settings	186
JWAC Customize Page Language	186
JWAC Customize Page	187
Multiple Authentication	187
Any (MAC, 802.1X or WAC) Mode	188
Any (MAC, 802.1X or JWAC) Mode	188
802.1X & IMPB Mode	189
IMPB & WAC/JWAC Mode	189
Authorization Network State Settings	190
Multiple Authentication Settings	190
Guest VLAN	191
IGMP Access Control Settings (IGMP Authentication)	192
ARP Spoofing Prevention Settings	193
ACL Configuration Wizard	194
Access Profile List	194
CPU Access Profile List	194
Time Range Settings	194
ACL Configuration Wizard	194
Access Profile List	195
CPU Access Profile List	211
Time Range Settings	223
Device Environment (DGS-3200-16 and DGS-3200-24 only)	225
Cable Diagnostics	225
CPU Utilization	225
Port Utilization	225
Packet Size	225
Packets	225
Errors	225
Port Access Control	225
Browse ARP Table	225
Browse VLAN	225
Browse Router Port	225
Browse MLD Router Port	225
Browse Session Table	225
IGMP Snooping Group	225
MLD Snooping Group	225
WAC Authenticating State	225
JWAC Host Table	225
MAC Address Table	225
System Log	225
MAC Authentication State	225
Device Environment	225
Cable Diagnostics	226
Cable Diagnostics Notes	226
CPU Utilization	227
Port Utilization	228
Packet Size	229
Packets	231
Received (RX)	231
UMB_Cast (RX)	233
Transmitted (TX)	234
Errors	236
Received (RX)	236
Transmitted (TX)	238
Port Access Control	240
RADIUS Authentication	240
RADIUS Account Client	241
Authenticator State	243
Authenticator Statistics	245
Authenticator Session Statistics	248
Authenticator Diagnostics	251
Browse ARP Table	254
Browse VLAN	254
Browse Router Port	255
Browse MLD Router Port	255
Browse Session Table	256
IGMP Snooping Group	256
MLD Snooping Group	257
WAC Authenticating State	258
JWAC Host Table	259
MAC Address Table	260
System Log	261
MAC Authentication State	262
Save Configuration	263
Save Log	263
Save All	263
Download Configuration File/Download Configuration File to NV-RAM (DGS-3200-24 only)	263
Download Configuration File to SD Card (DGS-3200-24 only)	263
Download Firmware/Download Firmware to NV-RAM (DGS-3200-24 only)	263
Download Firmware to SD Card (DGS-3200-24 only)	263
Upload Configuration File/Upload Configuration File to TFTP	263
Upload Log File/Upload Log File to TFTP	263
Reset	263
Reboot System	263
Save Configuration	264
Save Log	264
Save All	265
Download Configuration File/Download Configuration File to NV-RAM	265
Download Configuration File to SD Card	266
Download Firmware/Download Firmware to NV-RAM	266
Download Firmware to SD Card	267
Upload Configuration File/Upload Configuration File to TFTP	267
Upload Log File/Upload Log File to TFTP	268
Reset	268
Reboot System	269
How ARP Spoofing Attacks a Network	273
Prevent ARP Spoofing via Packet Content ACL	274
Log Information	277

Match case Limit results 1 per page

xStack

DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch

164

MAC Local Settings

Users can set a list of MAC addresses, along with their corresponding target VLAN, which will be authenticated for the Switch.

Once a queried MAC a ddress is m atched in this wi ndow, it will be

placed in the VLAN associated with it he re. The Switch

administrator may enter up to 128 MAC addresses to be authenticated using the local method configured here.

To view the following window, click

Security

MAC-based Access Control (MAC)

MAC Local Settings

Figure 5 - 46. MAC Local Settings window

To add a MAC address to the local authentication list, enter the MAC address and the target VLAN Name into their appropriate

fields and click

Add

. To change a MAC address or a VLAN in the list, enter its parameters into the appropriate fields and click

Edit

. To d elete a MAC address en try, en ter its parameters in to th e appro priate field s and click

Delete By MAC

. To delete a

VLAN Name, enter its parameters into the appropriate fields and click

Delete By VLAN

. To search for a specific MAC Address,

enter the MAC address in the first field and then click the

Find By MAC

button. To search for a specific VLAN Name, enter the

VLAN name in the second field and then click the

Find By VLAN

button.

Web-based Access Control (WAC)

Web-based Authentication Login is a feature designed to authenticate a user when the user is trying to access the Internet via the

Switch. The authentication process uses the HTTP protocol. The Switch enters the authenticating stage when users attempt to

browse Web pages (e.g., http://www.dlink.com) through a Web browser. When the Switch detects HTTP packets and this port is

un-authenticated, the Switch will launch a pop-up user name and password window to query users. Users are not able to access the

Internet until the authentication process is passed.

The Switch can be the authentication server itself and do the authentication based on a local database, or be a RADIUS client and

perform th e au thentication process via the RADIUS

protocol with a rem

ote RADIUS server. Th

e clien t user in itiates th e

authentication process of WAC by attempting to gain Web access.

D-Link’s implementation of WAC uses a virtual IP that is exclusively used by the WAC function and is not known by any other

modules of the Switch. In fact, to avoid affecting a Switch’s other features, WAC will only use a virtual IP address to

communicate with hosts. Thus, all authentication requests must be sent to a virtual IP address but not to the IP address of the

Switch’s physical interface.

Virtual IP works like this, when a host PC communicates with the WAC Switch through a virtual IP, the virtual IP is transformed

into the physical IPIF (IP interface) address of the Switch to make the communication possible. The host PC and other servers’ IP

configurations do not depend on the virtual IP of WAC. The virtual IP does not respond to any ICMP packets or ARP requests,

which means it is not allowed to configure a virtual IP on the same subnet as the Switch’s IPIF (IP interface) or the same subnet as

the host PCs’ subnet.

As all packets to a virtual IP from authenticated and authenticating hosts will be trapped to the Switch’s CPU, if the virtual IP is

the same as other servers or PCs, the hosts on the WAC-enabled ports cannot communicate with the server or PC which really

own the IP address. If the hosts need to access the server or PC, the virtual IP cannot be the same as the one of the server or PC. If

a host PC uses a proxy to access the Web, to make the authentication work properly the user of the PC should add the virtual IP to

the exception of the proxy configuration. Whether or not a virtual IP is specified, users can access the WAC pages through the

Switch’s system IP. When a virtual IP is not specified, the authenticating Web request will be redirected to the Switch’s system IP.

The Switch’s implementation of WAC features a user-defined port number that allows the configuration of the TCP port for either

the HTTP or HTTPS protocols. This TCP port for HTTP or HTTPS is used to identify the HTTP or HTTPS packets that will be

trapped to the CPU for authentication processing, or to access the login page. If not specified, the default port number for HTTP is

80 and the default port number for HTTPS is 443. If no protocol is specified, the default protocol is HTTP.

The following diagram illustrates the basic six steps all parties go through in a successful Web Authentication process: