Home » D-Link Manuals » Bridges & Routers » D-Link DGS-3426 » Manual Viewer

D-Link DGS-3426 User Manual - Page 246

Secure Socket Layer (SSL), Download Certificate

Add to My Manuals
Save this manual to your list of manuals

Page 246 highlights

xStack DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch Secure Socket Layer (SSL) Secure Sockets Layer or SSL is a security feature that will provide a secure communication path between a host and client through the use of authentication, digital signatures and encryption. These security functions are implemented through the use of a ciphersuite, which is a security string that determines the exact cryptographic parameters, specific encryption algorithms and key sizes to be used for an authentication session and consists of three levels: 1. Key Exchange: The first part of the cyphersuite string specifies the public key algorithm to be used. This switch utilizes the Rivest Shamir Adleman (RSA) public key algorithm and the Digital Signature Algorithm (DSA), specified here as the DHE DSS Diffie-Hellman (DHE) public key algorithm. This is the first authentication process between client and host as they "exchange keys" in looking for a match and therefore authentication to be accepted to negotiate encryptions on the following level. 2. Encryption: The second part of the ciphersuite that includes the encryption used for encrypting the messages sent between client and host. The Switch supports two types of cryptology algorithms: Stream Ciphers - There are two types of stream ciphers on the Switch, RC4 with 40-bit keys and RC4 with 128-bit keys. These keys are used to encrypt messages and need to be consistent between client and host for optimal use. CBC Block Ciphers - CBC refers to Cipher Block Chaining, which means that a portion of the previously encrypted block of encrypted text is used in the encryption of the current block. The Switch supports the 3DES EDE encryption code defined by the Data Encryption Standard (DES) to create the encrypted text. 3. Hash Algorithm: This part of the ciphersuite allows the user to choose a message digest function, which will determine a Message Authentication Code. This Message Authentication Code will be encrypted with a sent message to provide integrity and prevent against replay attacks. The Switch supports two hash algorithms, MD5 (Message Digest 5) and SHA (Secure Hash Algorithm). These three parameters are uniquely assembled in four choices on the Switch to create a three-layered encryption code for secure communication between the server and the host. The user may implement any one or combination of the ciphersuites available, yet different ciphersuites will affect the security level and the performance of the secured connection. The information included in the ciphersuites is not included with the Switch and requires downloading from a third source in a file form called a certificate. This function of the Switch cannot be executed without the presence and implementation of the certificate file and can be downloaded to the Switch by utilizing a TFTP server. The Switch supports SSLv3. Other versions of SSL may not be compatible with this Switch and may cause problems upon authentication and transfer of messages from client to host. Download Certificate This window is used to download a certificate file for the SSL function on the Switch from a TFTP server. The certificate file is a data record used for authenticating devices on the network. It contains information on the owner, keys for authentication and digital signatures. Both the server and the client must have consistent certificate files for optimal use of the SSL function. The Switch only supports certificate files with .der file extensions. Currently, all xStack DGS-3400 Series switch come with a certificate pre-loaded though the user may need to download more, depending on user circumstances. To view the following window, click Security > SSL at the top of the window: Figure 10- 38. Download Certificate menu To download certificates, set the following parameters and click Apply. 232

Section	Page
Table of Contents	3
Intended Readers	10
Typographical Conventions	10
Notes, Notices, and Cautions	11
Safety Instructions	12
Safety Cautions	12
General Precautions for Rack-Mountable Products	13
Lithium Battery Precaution	14
Protecting Against Electrostatic Discharge	14
Ethernet Technology	15
Switch Description	15
Features	15
Ports	15
Front-Panel Components	15
Side Panel Description	15
Rear Panel Description	15
Gigabit Combo Ports	15
Ethernet Technology	15
Fast Ethernet Technology	15
Switch Description	15
Features	16
Ports	17
Front-Panel Components	18
DGS-3426	18
DGS-3426P	18
DGS-3427	18
DGS-3450	18
LED Indicators	19
Rear Panel Description	21
DGS-3426	21
DGS-3426P	21
DGS-3427	21
DGS-3450	21
Side Panel Description	22
Package Contents	23
Installation Guidelines	23
Installing the Switch without the Rack	23
Rack Installation	23
Power On	23
The Optional Module	23
Redundant Power System	23
Package Contents	23
Installation Guidelines	23
Installing the Switch without the Rack	24
Installing the Switch in a Rack	24
Mounting the Switch in a Standard 19\	25
Power On	25
Power Failure	25
Installing the SFP ports	26
The Optional Module	27
Installing the Module	28
External Redundant Power System	29
Switch to End Node	31
Switch to Switch	31
Connecting To Network Backbone or Server	31
Switch to End Node	31
Switch to Switch	31
Connecting To Network Backbone or Server	32
Management Options	33
Connecting the Console Port (RS-232 DCE)	33
First Time Connecting to the Switch	33
Password Protection	33
SNMP Settings	33
IP Address Assignment	33
Connecting Devices to the Switch	33
Management Options	33
1. Web-based Management Interface	33
2. SNMP-Based Management	33
3. Command Line Console Interface through the Serial Port	33
Connecting the Console Port (RS-232 DCE)	34
Managing the Switch for the First Time	35
Password Protection	36
SNMP Settings	37
Traps	37
MIBs	37
IP Address Assignment	38
Introduction	40
Logging on to the Web Manager	40
Web-Based User Interface	40
Basic Setup	40
Reboot	40
Basic Switch Setup	40
Network Management	40
Switch Utilities	40
Network Monitoring	40
IGMP Snooping Status	40
Introduction	40
Logging in to the Web Manager	40
Web-based User Interface	41
Areas of the User Interface	41
Web Pages	42
DGS-3400 Web Management Tool	44
IP Address	44
Interface Settings	44
Stacking	44
Port Configuration	44
User Accounts	44
Port Mirroring	44
System Log	44
System Severity Settings	44
SNTP Settings	44
MAC Notification Settings	44
TFTP Services	44
Multiple Image Services	44
Ping Test	44
Safeguard Engine	44
Static ARP Settings	44
IPv6 Neighbor	44
Routing Table	44
DHCP/BOOTP Relay	44
DHCP Auto Configuration	44
SNMP Manager	44
IP-MAC-Port Binding	44
PoE	44
Single IP Management Settings	44
Device Information	45
IPv6	47
Overview	47
Packet Format	48
IPv6 Header	48
Extension Headers	49
Packet Fragmentation	49
Address Format	49
Types	50
ICMPv6	51
Neighbor Discovery	51
Neighbor Unreachability Detection	51
Duplicate Address Detection (DAD)	52
Assigning IP Addresses	52
IP Interface Setup	52
IP Address	53
Setting the Switch's IP Address using the Console Interface	54
Interface Settings	55
IPv4 Interface Settings	55
IPv6 Interface Settings	56
Stacking	60
Stack Switch Swapping	61
Stacking Mode Settings	62
Box Information	62
Port Configuration	63
Port Error Disabled	64
Port Description	65
Cable Diagnostics	65
User Accounts	67
Port Mirroring	68
Mirroing within the Switch Stack	69
System Log	70
System Log Save Mode Settings	71
System Severity Settings	73
SNTP Settings	74
Time Settings	74
Time Zone and DST	75
MAC Notification Settings	77
TFTP Services	78
Multiple Image Services	80
Firmware Information	80
Config Firmware Image	81
Ping Test	82
IPv4 Ping Test	82
IPv6 Ping Test	83
Safeguard Engine	84
Safeguard Engine Settings	85
Static ARP Settings	86
IPv6 Neighbor	87
IPv6 Neighbor Settings	87
Routing Table	89
IPv4 Static/Default Route Settings	89
IPv6 Static/Default Route Settings	90
DHCP/BOOTP Relay	92
DHCP / BOOTP Relay Global Settings	92
The Implementation of DHCP Information Option 82	94
DHCP/BOOTP Relay Interface Settings	95
DHCP Auto Configuration Settings	96
SNMP Manager	97
Traps	97
MIBs	97
SNMP Trap Settings	98
SNMP User Table	98
SNMP View Table	100
SNMP Group Table	101
SNMP Community Table	103
SNMP Host Table	104
SNMP Engine ID	105
IP-MAC-Port Binding	106
ACL Mode	106
IP-MAC Binding Port	108
IP-MAC Binding Table	109
IP-MAC Binding Blocked	110
PoE Configuration	111
PoE System Settings	111
PoE Port Settings	113
Single IP Management (SIM) Overview	115
The Upgrade to v1.61	116
Single IP vs. Switch Stacking	117
SIM Using the Web Interface	117
Topology	118
Tool Tips	121
Right Click	123
Group Icon	123
Commander Switch Icon	124
Member Switch Icon	124
Candidate Switch Icon	124
Menu Bar	125
File	125
Group	125
Device	125
View	126
Help	126
Firmware Upgrade	126
Configuration Backup/Restore	126
Upload Log	127
VLAN	128
Trunking	128
IGMP Snooping	128
MLD Snooping	128
Loopback Detection Global Settings	128
Spanning Tree	128
Forwarding and Filtering	128
VLANs	128
Understanding IEEE 802.1p Priority	128
VLAN Description	128
Notes about VLANs on the DGS-3400 Series	129
IEEE 802.1Q VLANs	129
802.1Q VLAN Tags	130
Port VLAN ID	131
Tagging and Untagging	131
Ingress Filtering	132
Default VLANs	132
Port-based VLANs	132
VLAN Segmentation	133
VLAN and Trunk Groups	133
Protocol VLANs	133
Static VLAN Entry	133
GVRP Settings	137
Double VLANs	138
Regulations for Double VLANs	139
Double VLAN	140
PVID Auto Assign	142
MAC-based VLAN Settings	143
Trunking	144
Understanding Port Trunk Groups	144
Link Aggregation	145
LACP Port Settings	148
IGMP Snooping	151
IGMP Snooping Settings	151
Router Port Settings	152
ISM VLAN	154
Restrictions and Provisos	154
Limited Multicast Address Range	156
MLD Snooping	158
MLD Control Messages	158
MLD Snooping Settings	158
MLD Router Port Settings	160
Loopback Detection Global Settings	162
Spanning Tree	164
802.1s MSTP	164
802.1w Rapid Spanning Tree	164
Port Transition States	164
Edge Port	165
P2P Port	165
802.1D/802.1w/802.1s Compatibility	165
STP Bridge Global Settings	166
MST Configuration Identification	169
MSTP Port Information	171
STP Instance Settings	173
STP Port Settings	174
Forwarding & Filtering	176
Unicast Forwarding	176
Multicast Forwarding	176
Multicast Filtering Mode	177
Bandwidth Control	179
QoS Scheduling Mechanism	179
QoS Output Scheduling	179
802.1P Default Priority	179
802.1P User Priority	179
QoS	179
The Advantages of QoS	179
Understanding QoS	180
Bandwidth Control	182
QoS Scheduling Mechanism	183
QoS Output Scheduling	184
Configuring the Combination Queue	185
802.1P Default Priority	186
802.1P User Priority	187
Time Range	188
Access Profile Table	188
CPU Interface Filtering	188
Time Range	188
Access Profile Table	190
CPU Interface Filtering	203
CPU Interface Filtering State Settings	203
CPU Interface Filtering Table	203
Authorization Network State Settings	216
Traffic Control	216
Port Security	216
802.1X	216
Trust Host	216
Access Authentication Control	216
MAC Based Access Control	216
Traffic Segmentation	216
SSL	216
SSH	216
JWAC	216
Authorization Network State Settings	216
Traffic Control	217
Port Security	219
Port Security Entries	220
802.1X	221
802.1x Port-Based and MAC-Based Access Control	221
Authentication Server	221
Authenticator	222
Client	222
Authentication Process	223
Understanding 802.1x Port-based and MAC-based Network Access Control	223
Port-Based Network Access Control	224
MAC-Based Network Access Control	225
Guest VLANs	226
Limitations Using the Guest VLAN	226
Configure 802.1X Authenticator	227
Configure 802.1x Guest VLAN	229
Authentic RADIUS Server	230
Trust Host	231
Access Authentication Control	232
Authentication Policy & Parameters	233
Application's Authentication Settings	233
Authentication Server Group	234
Authentication Server Host	235
Login Method Lists	237
Enable Method Lists	238
Configure Local Enable Password	241
Enable Admin	241
MAC Based Access Control	242
MAC Based Access Control Global Settings	242
MAC Based Access Control Local MAC Settings	243
Traffic Segmentation	245
Secure Socket Layer (SSL)	246
Download Certificate	246
SSL Configuration	247
Secure Shell (SSH)	249
SSH Server Configuration	249
SSH Authentication Mode	250
SSH User Authentication Mode	252
JWAC (Japanese Web-based Access Control)	254
JWAC Global Configuration	254
JWAC Port Settings	256
JWAC User Account	259
JWAC Host Information	260
Device Status	261
Stacking Information	261
Module Information	261
CPU Utilization	261
Port Utilization	261
Packets	261
Errors	261
Packet Size	261
Browse Router Port	261
Browse MLD Router Port	261
VLAN Status	261
VLAN Status Port	261
Port Access Control	261
MAC Address Table	261
IGMP Snooping Group	261
MLD Snooping Group	261
Switch Logs	261
Browse ARP Table	261
Session Table	261
IP Forwarding Table	261
Browse Routing Table	261
MAC Based Control Authentication Status	261
Device Status	262
Stacking Information	262
Module Information	263
CPU Utilization	264
Port Utilization	265
Packets	266
Received (Rx)	266
UMB Cast (RX)	268
Transmitted (TX)	270
Errors	272
Received (RX)	272
Transmitted (TX)	274
Packet Size	276
Browse Router Port	279
Browse MLD Router Port	280
VLAN Status	281
VLAN Status Port	282
Port Access Control	283
RADIUS Authentication	283
RADIUS Account Client	284
MAC Address Table	286
IGMP Snooping Group	287
MLD Snooping Group	288
Switch Logs	289
Browse ARP Table	290
Session Table	291
IP Forwarding Table	292
Browse Routing Table	293
MAC Based Access Control Authentication Status	294
Reset	295
Reboot System	295
Save Services	295
Logout	295
Reset	295
Reboot System	296
Save Services	297
Save Changes	297
Configuration Information	298
Current Configuration Settings	299
Logout	299
Technical Specifications	300
Cables and Connectors	302
Cable Lengths	303
Switch Log Entries	304
Log Information	304
Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976 and any amendments thereto. Contents are subject to change without prior notice. Copyright 2004 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	323
FCC Statement: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communication. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential environment is likely to cause harmful interference to radio or television reception. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:	323
Warranty beneficiary	325
Duration of Limited Lifetime Warranty	325
Replacement, Repair or Refund Procedure for Hardware	325

Match case Limit results 1 per page

xStack DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch

Secure Socket Layer (SSL)

Secure Sockets Layer

SSL

is a security feature that will provide a secure communication path between a host and client through

the use of authentication, digital signatures and encryption. These security functions are implemented through the use of a

ciphersuite

, which is a security string that determines the exact cryptographic parameters, specific encryption algorithms and key

sizes to be used for an authentication session and consists of three levels:

Key Exchange:

The first part of the cyphersuite string specifies the public key algorithm to be used. This switch utilizes

the Rivest Shamir Adleman (RSA) public key algorithm and the Digital Signature Algorithm (DSA), specified here as the

DHE DSS

Diffie-Hellman (DHE) public key algorithm. This is the first authentication process between client and host as

they “exchange keys” in looking for a match and therefore authentication to be accepted to negotiate encryptions on the

following level.

Encryption:

The second part of the ciphersuite that includes the encryption used for encrypting the messages sent

between client and host. The Switch supports two types of cryptology algorithms:

Stream Ciphers – There are two types of stream ciphers on the Switch,

RC4 with 40-bit keys

and

RC4 with 128-bit keys

. These

keys are used to encrypt messages and need to be consistent between client and host for optimal use.

CBC Block Ciphers – CBC refers to Cipher Block Chaining, which means that a portion of the previously encrypted block of

encrypted text is used in the encryption of the current block. The Switch supports the

3DES EDE

encryption code defined by the

Data Encryption Standard (DES) to create the encrypted text.

Hash Algorithm

: This part of the ciphersuite allows the user to choose a message digest function, which will determine a

Message Authentication Code. This Message Authentication Code will be encrypted with a sent message to provide

integrity and prevent against replay attacks. The Switch supports two hash algorithms,

MD5

(Message Digest 5) and

SHA

(Secure Hash Algorithm).

These three parameters are uniquely assembled in four choices on the Switch to create a three-layered encryption code for secure

communication between the server and the host. The user may implement any one or combination of the ciphersuites available,

yet different ciphersuites will affect the security level and the performance of the secured connection. The information included in

the ciphersuites is not included with the Switch and requires downloading from a third source in a file form called a

certificate

This function of the Switch cannot be executed without the presence and implementation of the certificate file and can be

downloaded to the Switch by utilizing a TFTP server. The Switch supports SSLv3. Other versions of SSL may not be compatible

with this Switch and may cause problems upon authentication and transfer of messages from client to host.

Download Certificate

This window is used to download a certificate file for the SSL function on the Switch from a TFTP server. The certificate file is a

data record used for authenticating devices on the network. It contains information on the owner, keys for authentication and

digital signatures. Both the server and the client must have consistent certificate files for optimal use of the SSL function. The

Switch only supports certificate files with .der file extensions. Currently, all xStack DGS-3400 Series switch come with a

certificate pre-loaded though the user may need to download more, depending on user circumstances.

To view the following window, click

Security > SSL

at the top of the window:

Figure 10- 38. Download Certificate menu

To download certificates, set the following parameters and click

Apply.

232