Home » D-Link Manuals » Hubs & Switches » D-Link DWS-1008 » Manual Viewer

D-Link DWS-1008 Product Manual - Page 344

Applying Security ACLs in a Location Policy Rule

UPC - 790069282911

Add to My Manuals
Save this manual to your list of manuals

Page 344 highlights

You must specify whether to permit or deny access, and you must identify a VLAN, username, or access port to match. Use one of the following operators to specify how the rule must match the VLAN or username: • eq-Applies the location policy rule to all users assigned VLAN names matching vlan-glob or having usernames that match user-glob. (Like a user glob, a VLAN glob is a way to group VLANs for use in this command. For more information, see "VLAN Globs" on page 12.) • neq-Applies the location policy rule to all users assigned VLAN names not matching vlan-glob or having usernames that do not match user-glob. For example, the following command denies network access to all users matching *.theirfirm.com, causing them to fail authorization: DWS-1008# set location policy deny if user eq *.theirfirm.com The following command authorizes access to the guest_1 VLAN for all users who do not match *.ourfirm. com: DWS-1008# set location policy permit vlan guest_1 if user neq *.ourfirm.com The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1: DWS-1008# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a success: change accepted. Applying Security ACLs in a Location Policy Rule When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows: • Input filter-Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port. • Output filter-Use outacl outacl-name to filter traffic sent from the switch to users via an AP access port or wired authentication port, or from the network via a network port. For example, the following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN, and applies the security ACL tac_24 to the traffic they receive: DWS-1008# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny. ourfirm.com The following command authorizes access to users on VLANs with names matching bld4.* and applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive: DWS-1008# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.* You can optionally add the suffixes .in and .out to inacl-name and outacl-name for consistency with their usage in entries stored in the local database. D-Link DWS-1008 User Manual 325

Section	Page
Product Overview	20
Product Contents	20
System Requirements	20
Introduction	21
Hardware Overview (Front Panel)	22
Features	23
Text and Syntax Conventions	24
Installation	25
Serial Console Cable	25
10/100 Ethernet Cable Wiring	25
Installation Hardware and Tools	26
Getting Started	27
Using the Command-Line Interface	28
CLI Conventions	28
Command Prompts	28
Syntax Notation	29
Text Entry Conventions and Allowed Characters	29
MAC Address Notation	30
IP Address and Mask Notation	30
Globs	31
User Globs	31
MAC Address Globs	32
VLAN Globs	32
Matching Order for Globs	32
Port Lists	33
Command-Line Editing	34
Keyboard Shortcuts	34
History Buffer	34
Tabs	34
Single-Asterisk (*) Wildcard Character	35
Double-Asterisk (**) Wildcard Characters	35
Using CLI Help	35
Understanding Command Descriptions	36
DWS-1008 Setup Methods	37
Overview	37
Quick Starts	37
CLI	37
Web View	37
Web Quick Start	38
Web Quick Start Parameters	38
Web Quick Start Requirements	38
Accessing the Web Quick Start	39
CLI quickstart Command	41
Quickstart Example	42
Overview	44
Configuring AAA for Administrative and Local Access	44
Before You Start	45
About Administrative Access	45
Access Modes	45
Types of Administrative Access	45
First-Time Configuration via the Console	46
Enabling an Administrator	46
Setting the Switch Enable Password	47
Setting the Enable Password for the First Time	47
Authenticating at the Console	48
Customizing AAA with “Globs” and Groups	49
Setting User Passwords	49
Adding and Clearing Local Users for Administrative Access	50
Configuring Accounting for Administrative Users	50
Displaying the AAA Configuration	51
Saving the Configuration	52
Administrative AAA Configuration Scenarios	52
Local Authentication	52
Local Authentication for Console Users and RADIUS Authentication for Telnet Users	53
Local Override and Backup Local Authentication	53
Authentication When RADIUS Servers Do Not Respond	54
Configuring and Managing Ports and VLANs	55
Configuring and Managing Ports	55
Setting the Port Type	55
Setting a Port for a Directly Connected Access Point	56
Configuring for a Distributed AP	57
Setting a Port for a Wired Authentication User	57
Clearing a Port	58
Clearing a Distributed AP	59
Configuring a Port Name	59
Setting a Port Name	59
Removing a Port Name	59
Configuring Port Operating Parameters	60
Autonegotiation and Port Speed	60
Disabling or Reenabling a Port	60
Disabling or Reenabling Power over Ethernet	61
Resetting a Port	61
Displaying Port Information	61
Displaying Port Configuration and Status	61
Displaying PoE State	62
Displaying Port Statistics	62
Clearing Statistics Counters	63
Monitoring Port Statistics	63
Configuring Load-Sharing Port Groups	64
Load Sharing	64
Link Redundancy	64
Configuring a Port Group	65
Removing a Port Group	66
Displaying Port Group Information	66
Interoperating with Cisco Systems EtherChannel	66
Configuring and Managing VLANs	67
Understanding VLANs in MSS	67
VLANs, IP Subnets, and IP Addressing	67
Users and VLANs	68
VLAN Names	68
Traffic Forwarding	68
802.1Q Tagging	68
Configuring a VLAN	69
Creating a VLAN	69
Adding Ports to a VLAN	70
Removing an Entire VLAN or a VLAN Port	70
Restricting Layer 2 Forwarding Among Clients	71
Displaying VLAN Information	72
Managing the Layer 2 Forwarding Database	73
Types of Forwarding Database Entries	73
How Entries Enter the Forwarding Database	73
Displaying Forwarding Database Information	74
Displaying the Size of the Forwarding Database	74
Displaying Forwarding Database Entries	74
Adding an Entry to the Forwarding Database	75
Removing Entries from the Forwarding Database	75
Configuring the Aging Timeout Period	76
Displaying the Aging Timeout Period	76
Changing the Aging Timeout Period	76
Port and VLAN Configuration Scenario	77
Configuring and Managing IP Interfaces and Services	80
MTU Support	80
Configuring and Managing IP Interfaces	80
Adding an IP Interface	81
Statically Configuring an IP Interface	81
Enabling the DHCP Client	81
How MSS Resolves Conflicts with Statically Configured IP Parameters	82
Configuring the DHCP Client	82
Displaying DHCP Client Information	83
Disabling or Reenabling an IP Interface	83
Removing an IP Interface	83
Displaying IP Interface Information	84
Configuring the System IP Address	84
Designating the System IP Address	84
Displaying the System IP Address	84
Clearing the System IP Address	84
Configuring and Managing IP Routes	85
Displaying IP Routes	86
Adding a Static Route	87
Removing a Static Route	88
Managing the Management Services	88
Managing SSH	88
Login Timeouts	88
Enabling SSH	89
Adding an SSH User	89
Changing the SSH Service Port Number	90
Managing SSH Server Sessions	90
Managing SSH Server Sessions	91
Managing Telnet	91
Telnet Login Timers	91
Enabling Telnet	91
Adding a Telnet User	92
Displaying Telnet Status	92
Changing the Telnet Service Port Number	92
Resetting the Telnet Service Port Number to Its Default	92
Managing Telnet Server Sessions	93
Managing HTTPS	93
Enabling HTTPS	93
Displaying HTTPS Information	94
Changing the Idle Timeout for CLI Management Sessions	94
Configuring and Managing DNS	95
Enabling or Disabling the DNS Client	95
Configuring DNS Servers	95
Adding a DNS Server	96
Removing a DNS Server	96
Configuring a Default Domain Name	96
Adding the Default Domain Name	96
Removing the Default Domain Name	96
Displaying DNS Server Information	97
Configuring and Managing Aliases	97
Adding an Alias	97
Removing an Alias	98
Displaying Aliases	98
Configuring and Managing Time Parameters	98
Setting the Time Zone	99
Displaying the Time Zone	99
Clearing the Time Zone	99
Configuring the Summertime Period	100
Displaying the Summertime Period	100
Clearing the Summertime Period	100
Statically Configuring the System Time and Date	101
Displaying the Time and Date	101
Configuring and Managing NTP	101
Adding an NTP Server	102
Removing an NTP Server	102
Changing the NTP Update Interval	102
Resetting the Update Interval to the Default	103
Enabling the NTP Client	103
Displaying NTP Information	103
Managing the ARP Table	104
Displaying ARP Table Entries	104
Adding an ARP Entry	105
Changing the Aging Timeout	105
Pinging Another Device	106
Logging In to a Remote Device	107
Tracing a Route	108
Configuring SNMP	109
Overview	109
Configuring SNMP	109
Setting the System Location and Contact Strings	110
Enabling SNMP Versions	110
Configuring Community Strings (SNMPv1 and SNMPv2c Only)	110
Creating a USM User for SNMPv3	111
Command Examples	113
Setting SNMP Security	113
Command Example	114
Configuring a Notification Profile	114
Command Examples	116
Configuring a Notification Target	117
Command Examples	119
Enabling the SNMP Service	119
Displaying SNMP Information	119
Displaying SNMP Version and Status Information	119
Displaying the Configured SNMP Community Strings	120
Displaying USM Settings	120
Displaying Notification Profiles	120
Displaying Notification Targets	120
Displaying SNMP Statistics Counters	120
Configuring DWL-8220AP Access Points	121
Overview	121
Country of Operation	122
Directly Connected APs and Distributed APs	122
Distributed AP Network Requirements	123
Distributed APs and STP	124
Distributed APs and DHCP Option 43	124
AP Parameters	125
Resiliency and Dual-Homing Options for APs	126
Boot Process for Distributed APs	127
Establishing Connectivity on the Network	127
How a Distributed AP Obtains an IP Address through DHCP	127
Static IP Address Configuration for Distributed APs	128
Contacting a Switch	128
How a Distributed AP Contacts a Switch (DHCP-Obtained Address)	128
How a Distributed AP Contacts an Switch (Statically Configured Address)	130
Loading and Activating an Operational Image	132
Obtaining Configuration Information from the Switch	132
Session Load Balancing	133
Service Profiles	133
Public and Private SSIDs	136
Encryption	136
Radio Profiles	137
RF Auto-Tuning	138
Default Radio Profile	138
Radio-Specific Parameters	138
Configuring DWL-8220AP Access Points	139
Specifying the Country of Operation	139
Configuring an Auto-AP Profile for Automatic AP Configuration	141
How an Unconfigured AP Finds a Switch To Configure It	141
Configured APs Have Precedence Over Unconfigured APs	142
Configuring an Auto-AP Profile	142
Changing AP Parameter Values	143
Enabling the Auto-AP Profile	144
Specifying the Radio Profile Used by the Auto-AP Profile	144
Displaying Status Information for APs Configured by the Auto-AP Profile	144
Converting an AP Configured by the Auto-AP Profile into a Permanent AP	145
Configuring AP Port Parameters	145
Setting the Port Type for a Directly Connected AP	146
Configuring an Indirectly Connected AP	146
Configuring Static IP Addresses on Distributed APs	147
Specifying IP Information	147
Specifying Switch Information	147
Specifying VLAN information	148
Clearing an AP from the Configuration	148
Changing AP Names	149
Changing Bias	149
Configuring a Load-Balancing Group	149
Disabling or Reenabling Automatic Firmware Upgrades	150
Forcing an AP To Download its Operational Image from the DWS-1008	150
Enabling LED Blink Mode	151
Configuring AP-Switch Security	151
Encryption Key Fingerprint	151
Encryption Options	152
Verifying an AP’s Fingerprint on a Switch	152
Finding the Fingerprint	152
Verifying a Fingerprint on the Switch	153
Fingerprint Log Message	154
Configuring a Service Profile	154
Creating a Service Profile	154
Removing a Service Profile	155
Changing a Service Profile Setting	155
Disabling or Reenabling Encryption for an SSID	155
Disabling or Reenabling Beaconing of an SSID	156
Changing the Fallthru Authentication Type	156
Changing Transmit Rates	156
Disabling Idle-Client Probing	158
Changing the User Idle Timeout	158
Changing the Short Retry Threshold	159
Changing the Long Retry Threshold	159
Configuring a Radio Profile	159
Creating a New Profile	160
Changing Radio Parameters	160
Changing the Beacon Interval	160
Changing the DTIM Interval	161
Changing the RTS Threshold	161
Changing the Fragmentation Threshold	162
Changing the Maximum Receive Threshold	162
Changing the Maximum Transmit Threshold	162
Changing the Preamble Length	163
Resetting a Radio Profile Parameter to its Default Value	163
Removing a Radio Profile	164
Configuring Radio-Specific Parameters	164
Configuring the Channel and Transmit Power	164
Mapping the Radio Profile to Service Profiles	166
Assigning a Radio Profile and Enabling Radios	166
Disabling or Reenabling Radios	167
Enabling or Disabling Individual Radios	167
Disabling or Reenabling All Radios Using a Profile	167
Resetting a Radio to its Factory Default Settings	168
Restarting an AP	168
Displaying AP Information	168
Displaying AP Configuration Information	169
Displaying Connection Information for Distributed APs	170
Displaying a List of Distributed APs that Are Not Configured	170
Displaying Active Connection Information for Distributed APs	171
Displaying Service Profile Information	171
Displaying Radio Profile Information	172
Displaying AP Status Information	172
Displaying Static IP Address Information for Distributed APs	173
Displaying AP Statistics Counters	174
Configuring User Encryption	175
Configuring WPA	176
WPA Cipher Suites	176
TKIP Countermeasures	177
WPA Authentication Methods	178
WPA Information Element	178
Client Support	179
Configuring WPA	180
Creating a Service Profile for WPA	180
Enabling WPA	180
Specifying the WPA Cipher Suites	180
Changing the TKIP Countermeasures Timer Value	181
Enabling PSK Authentication	182
Disabling 802.1X Authentication for WPA	183
Displaying WPA Settings	183
Assigning the Service Profile to Radios and Enabling the Radios	184
Configuring RSN (802.11i)	185
Creating a Service Profile for RSN	185
Enabling RSN	185
Specifying the RSN Cipher Suites	186
Changing the TKIP Countermeasures Timer Value	186
Enabling PSK Authentication	186
Displaying RSN Settings	186
Assigning the Service Profile to Radios and Enabling the Radios	187
Configuring WEP	187
Setting Static WEP Key Values	188
Assigning Static WEP Keys	188
Encryption Configuration Scenarios	189
Enabling WPA with TKIP	189
Enabling Dynamic WEP in a WPA Network	190
Configuring Encryption for MAC Clients	192
Configuring RF Auto-Tuning	195
RF Auto-Tuning Overview	195
Initial Channel and Power Assignment	195
How Channels Are Selected	196
Channel and Power Tuning	196
Power Tuning	196
Channel Tuning	197
Tuning the Transmit Data Rate	198
RF Auto-Tuning Parameters	198
Changing RF Auto-Tuning Settings	199
Changing Channel Tuning Settings	199
Disabling or Reenabling Channel Tuning	199
Changing the Channel Tuning Interval	199
Changing the Channel Holddown Interval	200
Changing Power Tuning Settings	200
Enabling Power Tuning	200
Changing the Power Tuning Interval	200
Changing the Maximum Default Power Allowed On a Radio	201
Locking Down Tuned Settings	201
Displaying RF Auto-Tuning Information	202
Displaying RF Auto-Tuning Settings	202
Displaying RF Neighbors	203
Displaying RF Attributes	204
Configuring APs To Be AeroScout Listeners	205
Configuring AP Radios to Listen for AeroScout RFID Tags	205
Locating an RFID Tag	207
Configuring Quality of Service	208
About QoS	208
Summary of QoS Features	208
QoS Mode	209
WMM QoS Mode	210
WMM QoS on the DWS-1008 Switch	210
WMM QoS on an AP	211
SVP QoS Mode	211
U-APSD Support	212
Call Admission Control	212
Broadcast Control	213
Static CoS	213
Overriding CoS	213
Changing QoS Settings	214
Changing the QoS Mode	214
Enabling U-APSD Support	214
Configuring Call Admission Control	215
Enabling CAC	215
Changing the Maximum Number of Active Sessions	215
Configuring Static CoS	215
Changing CoS Mappings	216
Enabling Broadcast Control	216
Displaying QoS Information	217
Displaying a Radio Profile’s QoS Settings	217
Displaying a Service Profile’s QoS Settings	218
Displaying CoS Mappings	219
Displaying the Default CoS Mappings	219
Displaying a DSCP-to-CoS Mapping	219
Displaying a CoS-to-DSCP Mapping	219
Displaying the DSCP Table	220
Displaying AP Forwarding Queue Statistics	220
Configuring and Managing Spanning Tree Protocol	221
Enabling the Spanning Tree Protocol	221
Changing Standard Spanning Tree Parameters	222
Bridge Priority	222
Port Cost	222
Port Priority	223
Changing the Bridge Priority	223
Changing STP Port Parameters	223
Changing the STP Port Cost	223
Resetting the STP Port Cost to the Default Value	224
Changing the STP Port Priority	224
Resetting the STP Port Priority to the Default Value	225
Changing Spanning Tree Timers	225
Changing the STP Hello Interval	225
Changing the STP Forwarding Delay	226
Changing the STP Maximum Age	226
Configuring and Managing STP Fast Convergence Features	226
Port Fast Convergence	227
Backbone Fast Convergence	227
Uplink Fast Convergence	227
Configuring Port Fast Convergence	227
Displaying Port Fast Convergence Information	228
Configuring Backbone Fast Convergence	228
Displaying the Backbone Fast Convergence State	228
Configuring Uplink Fast Convergence	229
Displaying Uplink Fast Convergence Information	229
Displaying Spanning Tree Information	229
Displaying STP Bridge and Port Information	230
Displaying the STP Port Cost on a VLAN Basis	231
Displaying Blocked STP Ports	231
Displaying Spanning Tree Statistics	232
Clearing STP Statistics	232
Spanning Tree Configuration Scenario	232
Configuring and Managing IGMP Snooping	235
Disabling or Reenabling IGMP Snooping	235
Disabling or Reenabling Proxy Reporting	235
Enabling the Pseudo-Querier	236
Changing IGMP Timers	236
Changing the Query Interval	237
Changing the Other-Querier-Present Interval	237
Changing the Query Response Interval	237
Changing the Last Member Query Interval	237
Changing Robustness	237
Enabling Router Solicitation	238
Changing the Router Solicitation Interval	238
Configuring Static Multicast Ports	238
Adding or Removing a Static Multicast Router Port	239
Adding or Removing a Static Multicast Receiver Port	239
Displaying Multicast Information	239
Displaying Multicast Configuration Information and Statistics	239
Displaying Multicast Statistics Only	241
Clearing Multicast Statistics	241
Displaying Multicast Queriers	241
Displaying Multicast Routers	241
Displaying Multicast Receivers	242
Configuring and Managing Security ACLs	243
About Security Access Control Lists	243
Overview of Security ACL Commands	243
Security ACL Filters	244
Order in Which ACLs are Applied to Traffic	244
Traffic Direction	245
Selection of User ACLs	245
Creating and Committing a Security ACL	245
Setting a Source IP ACL	246
Wildcard Masks	247
Class of Service	247
Setting an ICMP ACL	248
Setting TCP and UDP ACLs	249
Setting a TCP ACL	249
Setting a UDP ACL	249
Determining the ACE Order	250
Committing a Security ACL	250
Viewing Security ACL Information	250
Viewing the Edit Buffer	251
Viewing Committed Security ACLs	251
Viewing Security ACL Details	252
Displaying Security ACL Hits	252
Clearing Security ACLs	253
Mapping Security ACLs	253
Mapping User-Based Security ACLs	254
Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed APs	255
Displaying ACL Maps to Ports, VLANs, and Virtual Ports	256
Clearing a Security ACL Map	256
Modifying a Security ACL	257
Adding Another ACE to a Security ACL	258
Placing One ACE before Another	259
Modifying an Existing Security ACL	260
Clearing Security ACLs from the Edit Buffer	261
Using ACLs to Change CoS	262
Filtering Based on DSCP Values	263
Using the dscp Option	263
Using the precedence and tos Options	264
Enabling Prioritization for Legacy Voice over IP	265

Match case Limit results 1 per page

D-Link DWS-1008 User Manual

²±´

You must specify whether to permit or deny access, and you must identify a VLAN, username, or

access port to match. Use one of the following operators to specify how the rule must match the VLAN

or username:

•

—Applies the location policy rule to all users assigned VLAN names matching

vlan-glob

or having usernames that match

user-glob

. (Like a user glob, a VLAN glob is a way to

group VLANs for use in this command. For more information, see “VLAN Globs” on page

12.)

•

neq

—Applies the location policy rule to all users assigned VLAN names not matching

vlan-glob

or having usernames that do not match

user-glob

For example, the following command denies network access to all users matching *.theirﬁrm.com,

causing them to fail authorization:

DWS-1008#

set location policy deny if user eq *.theirﬁrm.com

The following command authorizes access to the

guest_1

VLAN for all users who do not match *.ourﬁrm.

com:

DWS-1008#

set location policy permit vlan guest_1 if user neq *.ourﬁrm.com

The following command places all users who are authorized for SSID

tempvendor_a

into

VLAN

kiosk_1

DWS-1008#

set location policy permit vlan kiosk_1 if ssid eq tempvendor_a

success: change accepted.

Applying Security ACLs in a Location Policy Rule

When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as

follows:

•

Input ﬁlter

—Use

inacl

inacl-name

to ﬁlter trafﬁc that enters the switch from users via an

AP access port or wired authentication port, or from the network via a network port.

•

Output ﬁlter

—Use

outacl

outacl-name

to ﬁlter trafﬁc sent from the switch to users via an

AP access port or wired authentication port, or from the network via a network port.

For example, the following command authorizes users at *.ny.ourﬁrm.com to access the

bld4.tac

VLAN,

and applies the security ACL

tac_24

to the trafﬁc they receive:

DWS-1008#

set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.

ourﬁrm.com

The following command authorizes access to users on VLANs with names matching

bld4

.* and applies

security ACLs

svcs_2

to the trafﬁc they send and

svcs_3

to the trafﬁc they receive:

DWS-1008#

set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*

You can optionally add the sufﬁxes

.in

and

.out

inacl-name

and

outacl-name

for consistency with

their usage in entries stored in the local database.