Home » Netgear Manuals » Hubs & Switches » Netgear CSM4532 » Manual Viewer

Netgear CSM4532 Software Administration Manual - Page 20

Security Features

Add to My Manuals
Save this manual to your list of manuals

Page 20 highlights

1.2. Security Features 1.2.1. Configurable Access and Authentication Profiles You can configure rules to limit access to the switch management interface based on criteria such as access type and source IP address of the management host. You can also require the user to be authenticated locally or by an external server, such as a RADIUS server. 1.2.2. AAA Command Authorization This feature enables AAA Command Authorization on the switch. 1.2.3. Password-protected Management Access Access to the CLI and SNMP management interfaces is password protected, and there are no default users on the system. 1.2.4. Strong Password Enforcement The Strong Password feature enforces a baseline password strength for all locally administered users. Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The strength of a password is a function of length, complexity and randomness. Using strong passwords lowers overall risk of a security breach. 1.2.5. MAC-based Port Security The port security feature limits access on a port to users with specific MAC addresses. These addresses are manually defined or learned on that port. When a frame is seen on a locked port, and the frame source MAC address is not tied to that port, the protection mechanism is invoked. 1.2.6. RADIUS Client The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up to 32 authentication and accounting RADIUS servers. 1.2.7. TACACS+ Client The switch has a TACACS+ client. TACACS+ provides centralized security for validation of users accessing the switch. TACACS+ provides a centralized user management system while still retaining consistency with RADIUS and other authentication processes. NETGEAR M4500 Series Switches Software Administration Manual 20

Section	Page
1. Supported Features on the M4500 Series Switches	12
1.1. Switching Features Introduction	12
1.1.1. VLAN Support	12
1.1.2. Double VLANs	12
1.1.3. Switching Modes	12
1.1.4. Spanning Tree Protocols (STP)	12
1.1.5. Rapid Spanning Tree	12
1.1.6. Multiple Spanning Tree	13
1.1.7. Bridge Protocol Data Unit (BPDU) Guard	13
1.1.8. Port-channel	13
1.1.9. Link Aggregate Control Protocol (LACP)	13
1.1.10. Multi Chassis Link Aggregation Group (MLAG)	13
1.1.11. Flow Control Support (IEEE 802.3x)	13
1.1.12. Asymmetric Flow Control	14
1.1.13. Alternate Store and Forward (ASF)	14
1.1.14. Jumbo Frames Support	14
1.1.15. Auto-MDI/MDIX Support	14
1.1.16. Unidirectional Link Detection (UDLD)	14
1.1.17. Expandable Port Configuration	14
1.1.18. VLAN-aware MAC-based Switching	15
1.1.19. Back Pressure Support	15
1.1.20. Auto Negotiation	15
1.1.21. Storm Control	15
1.1.22. Port Mirroring	15
1.1.23. sFlow	16
1.1.24. Static and Dynamic MAC Address Tables	16
1.1.25. Link Layer Discovery Protocol (LLDP)	16
1.1.26. Link Layer Discovery Protocol (LLDP) for Media Endpoint Device	16
1.1.27. DHCP Layer 2 Relay	16
1.1.28. MAC Multicast Support	16
1.1.29. IGMP Snooping	17
1.1.30. SDVoE	17
1.1.31. Source Specific Multicasting (SSM)	17
1.1.32. Control Packet Flooding	17
1.1.33. Flooding to mRouter Ports	17
1.1.34. IGMP Snooping Querier	17
1.1.35. Management and Control Plane ACLs	18
1.1.36. Remote Switched Port Analyzer (RSPAN)	18
1.1.37. Link Dependency	18
1.1.38. IPv6 Router Advertisement Guard	18
1.1.39. FIP Snooping	19
1.1.40. ECN Support	19
1.2. Security Features	20
1.2.1. Configurable Access and Authentication Profiles	20
1.2.2. AAA Command Authorization	20
1.2.3. Password-protected Management Access	20
1.2.4. Strong Password Enforcement	20
1.2.5. MAC-based Port Security	20
1.2.6. RADIUS Client	20
1.2.7. TACACS+ Client	20
1.2.8. Dot1x Authentication (IEEE 802.1X)	21
1.2.9. MAC Authentication Bypass	21
1.2.10. DHCP Snooping	21
1.2.11. DHCPv6 Snooping	21
1.2.12. Dynamic ARP Inspection	22
1.2.13. IP Source Address Guard	22
1.3. Quality of Service Features	22
1.3.1. Access Control Lists (ACL)	22
1.3.2. ACL Remarks	22
1.3.3. ACL Rule Priority	22
1.3.4. Differentiated Service (DIffServ)	23
1.3.5. Class of Service (CoS)	23
1.4. Management Features	23
1.4.1. Management Options	23
1.4.2. Management of Basic Network Information	23
1.4.3. File Management	23
1.4.4. Malicious Code Detection	24
1.4.5. Automatic Installation of Firmware and Configuration	24
1.4.6. Warm Reboot	24
1.4.7. SNMP Alarms and Trap Logs	24
1.4.8. Remote Monitoring (RMON)	24
1.4.9. Statistics Application	24
1.4.10. Log Messages	25
1.4.11. System Time Management	25
1.4.12. Source IP Address Configuration	25
1.4.13. Multiple Linux Routing Tables	25
1.4.14. Open Network Install Environment Support	25
1.4.15. Interface Error Disable and Auto Recovery	25
1.4.16. CLI Scheduler	26
1.5. Routing Features	26
1.5.1. IP Unnumbered	26
1.5.2. Open Shortest Path First (OSPF)	26
1.5.3. Border Gateway Protocol (BGP)	26
1.5.4. VLAN Routing	27
1.5.5. IP Configuration	27
1.5.6. Address Resolution Protocol (ARP) Table Management	28
1.5.7. BOOTP/DHCP Relay Agent	28
1.5.8. IP Helper and UDP Relay	28
1.5.9. Routing Table	28
1.5.10. Virtual Router Redundancy Protocol (VRRP)	28
1.5.11. Algorithmic Longest Prefix Match (ALPM)	28
1.5.12. Bidirectional Forwarding Detection	28
1.5.13. VRF Lite Operation and Configuration	29
1.6. Layer 3 Multicast Features	29
1.6.1. Internet Group Management Protocol	29
1.6.2. Protocol Independent Multicast	29
1.6.2.1. Spare Mode (PIM-SM)	29
1.6.2.2. Source Specific Multicast (PIM-SSM)	29
1.6.2.3. PIM IPv6 Support	29
1.6.3. MLD/MLDv2 (RFC2710/RFC3810)	30
1.7. Data Center Features	30
1.7.1. Priority-Based Flow Control	30
1.7.2. Data Center Bridging Exchange Protocol	30
1.7.3. CoS Queuing and Enhanced Transmission Selection	30
1.7.4. VXLAN Gateway	30
2. Getting Started	32
2.1. Accessing the switch Command-Line Interface	32
2.1.1. Connecting to the Switch Console	32
2.1.2. Login User ID and Password	33
2.1.3. Accessing the Switch CLI through the Network	33
2.1.4. Using the Service Port or Management VLAN Interface for Remote Management	34
2.1.4.1. Configuring Service Port Information	34
2.1.4.2. Configuring the In-Band Management Interface	34
2.1.5. DHCP Option 61	35
2.1.5.1. Configuring DHCP Option 61	35
2.2. Understanding the User Interfaces	36
2.2.1. Using the Command-Line Interface	37
2.2.2. Using SNMP	37
2.2.2.1. SNMPv3	37
2.2.2.2. SNMP Configuration example	38
3. Configuring L2 Switching Features	43
3.1. Port Configuration	43
3.1.1. 100G Port-mode Command	43
3.1.1.1. 100G Port Mode Configuration Example	43
3.2. Virtual Local Area Networks	44
3.2.1. VLAN Tagging	45
3.2.2. Double-VLAN Tagging	46
3.2.3. Default VLAN Behavior	47
3.2.4. VLAN Configuration Example	47
3.2.4.1. Configuring the VLANs and Ports on Switch 1	49
3.2.4.2. Configuring the VLANs and Ports on Switch 2	51
3.3. Switchport Modes	51
3.4. Port-channels – Operation and Configuration	53
3.4.1. Static and Dynamic Port-channel	53
3.4.2. Port-channel Hashing	54
3.4.2.1. Resilient Hashing	54
3.4.2.2. Hash Prediction with ECMP and Port-channel	55
3.4.3. Port-channel Interface Overview	55
3.4.4. Port-channel Interaction with Other Features	56
3.4.4.1. VLAN	56
3.4.4.2. STP	56
3.4.4.3. Statistics	57
3.4.5. Port-channel Configuration Guidelines	57
3.4.5.1. Port-channel Configuration Examples	57
3.4.5.2. Configuration Dynamic Port-channels	57
3.4.5.3. Configuration Static Port-channels	58
3.5. LACP Fallback Configuration	60
3.5.1. Configuring Dynamic Port-channels	60
3.5.2. Configuring Static Port-channels	61
3.6. MLAG – Operation and Configuration	62
3.6.1. Overview	62
3.6.2. Deployment Scenarios	63
3.6.2.1. Definitions	64
3.6.2.2. Configuration Consistency	65
3.6.3. MLAG Fast Failover	67
3.6.4. MLAG Configuration	67
3.7. Unidirectional Link Detection (UDLD)	70
3.7.1. UDLD Modes	71
3.7.2. UDLD and Port-channel Interfaces	71
3.7.3. Configuring UDLD	71
3.8. Port Mirroring	73
3.8.1. Configuring Port Mirroring	73
3.8.2. Configuring RSPAN	74
3.8.2.1. Configuration on the Source Switch (SW1)	74
3.8.2.2. Configuration on the Intermediate Switch (SW2)	75
3.8.2.3. Configuration on the Destination Switch (SW3)	76
3.8.3. VLAN-based Mirroring	76
3.8.4. Flow-based Mirroring	76
3.9. Spanning Tree Protocol	77
3.9.1. Classic STP, Multiple STP, and Rapid STP	77
3.9.2. STP Operation	77
3.9.3. MSTP in the Network	78
3.9.4. Optional STP Features	81
3.9.4.1. BPDU Flooding	81
3.9.4.2. Edge Port	81
3.9.4.3. Root Guard	82
3.9.4.4. Loop Guard	82
3.9.4.5. BPDU Protection	82
3.9.5. STP Configuring Examples	83
3.9.5.1. Configuring MSTP	83
3.10. IGMP Snooping	84
3.10.1. IGMP Snooping Querier	84
3.10.2. Configuring IGMP Snooping	85
3.10.3. IGMPv3/SSM Snooping	88
3.11. SDVoE	88
3.11.1. IGMP & IGMP Snooping Enhancements for IGMP V1 & V2	88
3.11.2. SDVoE Configuration Example	91
3.12. MLD Snooping	93
3.12.1. MLD Snooping Configuration Example	93
3.12.1.1. MLD Snooping Configuration Example	95
3.12.1.2. MLD Snooping Verification Example	95
3.12.2. MLD Snooping First Leave Configuration Example	96
3.12.2.1. MLD Snooping Configuration	96
3.12.3. MLD Snooping Querier Configuration Example	97
3.13. LLDP and LLDP-MED	98
3.13.1. LLDP and Data Center Application	99
3.13.2. Configuring LLDP	99
3.14. sFlow	101
3.14.1. sFlow Sampling	102
3.14.1.1. Packet Flow Sampling	102
3.14.1.2. Counter Sampling	102
3.14.2. Configuring sFlow	103
3.15. Link Dependency	104
3.16. FIP Snooping	105
3.17. ECN	109
3.17.1. Enabling ECN in Microsoft Windows	110
3.17.2. Example 1: SLA Example	110
3.17.3. Example 2: Data Center TCP (DCTCP) Configuration	113
3.18. Storm Control	114
3.18.1. Storm Control Configuration Example	114
3.19. Jumbo Frames	115
3.19.1. Jumbo Frame Configuration Example	115
3.20. Port-Backup	116
3.20.1. Port-Backup Configuration Example	116
3.21. PTP End-to-End Transparent Clock	117
3.21.1. PTP Time Stamp Operation	118
3.21.2. PTP Transparent Clocks	119
3.21.3. Manage the PTP End-to-End Transparent Clock	119
3.21.3.1. Globally Disable PTP End-to-End Transparent Clock	119
3.21.3.2. Disable PTP End-to-End Transparent Clock for an Interface	120
3.21.4. Globally Reenable PTP End-to-End Transparent Clock	120
3.21.5. Reenable PTP End-to-End Transparent Clock for an Interface	120
3.21.6. Display the PTP End-to-End Transparent Clock Status	120
4. Configuring Security Features	122
4.1. Controlling Management Access	122
4.1.1. Using RADIUS Servers for Management Security	122
4.1.2. Using TACACS+ to Control Management Access	123
4.1.3. Configuring and Applying Authentication Profiles	124
4.1.3.1. Configuring Authentication Profiles for Post-based Authentication	125
4.1.4. Configuring the Primary and Secondary RADIUS Servers	126
4.1.5. Configuring an Authentication Profile	126
4.2. Configuring DHCP Snooping, DAI, and IPSG	128
4.2.1. DHCP Snooping Overview	128
4.2.1.1. Populating the DHCP Snooping Bindings Database	129
4.2.1.2. DHCP Snooping and VLANs	129
4.2.1.3. DHCP Snooping Logging and Rate Limits	130
4.2.2. IP Source Guard Overview	130
4.2.2.1. IPSG and Port Security	130
4.2.3. Dynamic ARP Inspection Overview	131
4.2.3.1. Optional DAI Features	131
4.2.4. Increasing Security with DHCP Snooping, DAI, and IPSG	131
4.2.5. Configuring DHCP Snooping	132
4.2.6. Configuring IPSG	133
4.3. Configuring DHCPv6 Snooping	134
4.3.1. DHCPv6 Snooping Configuration Example	134
4.4. ACLs	136
4.4.1. MAC ACLs	137
4.4.2. IP ACLs	137
4.4.3. ACL Redirect Function	138
4.4.4. ACL Mirror Function	138
4.4.5. ACL Logging	138
4.4.6. Time-based ACLs	138
4.4.7. ACL Rule Remarks	139
4.4.8. ACL Rule Priority	139
4.4.9. ACL Limitations	140
4.4.10. ACL Configuration Process	140
4.4.11. Preventing False ACL Matches	140
4.4.12. IPv6 ACL Qualifies	141
4.4.13. ACL Configuration Examples	142
4.4.13.1. Configuring an IP ACL	142
4.4.13.2. Configuring a MAC ACL	143
4.4.13.3. Configuring a Time-based ACL	145
4.5. Control Plane Policing (CoPP)	146
4.5.1. CoPP Configuration Examples	146
5. Configuring Quality of Service	149
5.1. CoS	149
5.1.1. Trusted and Untrusted Port Modes	149
5.1.2. Traffic Shaping on Egress Traffic	149
5.1.3. Defining Traffic Queues	150
5.1.3.1. Supported Queue Management Methods	150
5.1.3.2. CoS Configuration Example	150
5.2. DiffServ	152
5.2.1. DiffServ Functionality and Switch Roles	153
5.2.2. Elements of DiffServ Configuration	153
5.2.3. Configuration DiffServ to Provide Subnets Equal Access to External Network	154
6. Configuring Switch Management Features	156
6.1. Managing Images and Files	156
6.1.1. Supported File Management Methods	157
6.1.2. Uploading and Downloading Files	157
6.1.3. Managing Configuration Files	157
6.1.3.1. Editing and Downloading Configuration Files	158
6.1.3.2. Creating and Applying Configuration Scripts	158
6.1.3.3. Non-Disruptive Configuration Management	159
6.1.4. Saving the Running Configuration	159
6.1.5. File and Image Management Configuration Examples	159
6.1.5.1. Upgrading the Firmware	159
6.1.5.2. Managing Configuration Scripts	160
6.2. Enabling Automatic System Configuration	163
6.2.1. DHCP Auto Install Process	163
6.2.1.1. Obtaining IP address Information	163
6.2.1.2. Obtaining Other Dynamic Information	163
6.2.1.3. Obtaining the Configuration File	164
6.2.2. Monitoring and Completing the DHCP Auto Install Process	164
6.2.2.1. Saving a Configuration	164
6.2.2.2. Stopping and Restarting the Auto Install Process	164
6.2.2.3. Managing Downloaded Configuration Files	164
6.2.3. DHCP Auto Install Dependencies	165
6.2.4. Default Auto Install Values	165
6.2.5. Enabling DHCP Auto Install	165
6.3. Configuring System Log Example	166
6.3.1. Example 1 to Add Syslog Host	166
6.3.2. Example 2 to Verify Syslog Host Configuration	166
6.4. Configuring CLI Scheduler (Kron)	169
6.4.1. CLI Scheduler Policy Lists	169
6.4.2. CLI Scheduler Occurrences	170
6.4.3. Configuration Example	170
7. Configuring Routing	171
7.1. Basic Routing and Features	171
7.1.1. VLAN Routing	171
7.1.1.1. When to Configure VLAN Routing	172
7.1.2. IP Routing Configuration Example	172
7.1.2.1. Configuring Switch A	173
7.1.2.2. Configuring Switch B	174
7.1.3. IP Unnumbered Configuration Example	175
7.2. OSPF	177
7.2.1. Configuring an OSPF Border Router and Setting Interface Costs	178
7.3. VRRP	180
7.3.1. VRRP Operation in the Network	180
7.3.1.1. VRRP Router Priority	180
7.3.1.2. VRRP Preemption	181
7.3.1.3. VRRP Accept Mode	181
7.3.1.4. VRRP Route and Interface Tracking	181
7.3.2. VRRP Configuration Example	182
7.3.2.1. VRRP with Load Sharing	182
7.3.2.2. VRRP with Route and Interface Tracking	184
7.4. IP Helper	187
7.4.1. Relay Agent Configuration Example	189
7.5. Border Gateway Patrol (BGP)	191
7.5.1. BGP Topology	192
7.5.1.1. External BGP Peering	192
7.5.1.2. Internal BGP Peering	192
7.5.1.3. Advertising Network Layer Reachability Information	193
7.5.2. BGP Behavior	193
7.5.2.1. BGP Route Selection	194
7.5.3. BGP Configuration Example	194
7.5.3.1. Configuring BGP on Router 9	195
7.5.3.2. Configuring BGP on Router 3	198
7.6. IPv6 Routing	199
7.6.1. How Does IPv6 Compare with IPv6	199
7.6.2. How are IPv6 Interface Configured	200
7.6.3. Default IPv6 Routing Values	200
7.6.4. Configuring IPv6 Routing Features	201
7.6.4.1. Configuring Global IP Routing Settings	201
7.6.4.2. Configuring IPv6 Interface Settings	202
7.6.4.3. Configuring IPv6 Neighbor Discovery	202
7.6.4.4. Configuring IPv6 Route Table Entries and Route Preferences	204
7.6.4.5. IPv6 Show Commands	205
7.7. ECMP Hash Selection	205
7.8. Bidirectional Forwarding Detection	206
7.8.1. Configuring BFD	206
7.9. VRF Lite Operation and Configuration	207
7.9.1. Route Leaking	208
7.9.2. Adding Leaked Routes	208
7.9.3. Using Leaked Routes	208
7.9.4. CPU-Originated Traffic	208
7.9.5. VRF Features Support	209
7.9.6. VRF Lite Development Scenarios	211
7.9.7. VRF Configuration Example	213
8. Configuring Multicast Routing	215
8.1. L3 Multicast Overview	215
8.1.1. IP Multicast Traffic	215
8.1.2. Multicast Protocol Switch Support	215
8.1.3. Multicast Protocol Roles	216
8.1.4. Multicast Switch Requirements	216
8.1.5. Determining which Multicast Protocols to Enable	216
8.1.6. Multicast Routing Tables	216
8.1.7. Multicast Tunneling	216
8.1.8. IGMP	217
8.1.8.1. IGMP Proxy	217
8.1.9. MLD Protocol	217
8.1.9.1. Join Mechanism	218
8.1.9.2. Leave Mechanism	218
8.1.10. PIM Protocol	218
8.1.10.1. Using PIM-SM as the Multicast Routing Protocol	218
8.2. Default L3 Multicast Values	219
8.3. L3 Multicast Configuration Examples	221
8.3.1. Configuring Multicast VLAN Routing with IGMP and PIM-SM	221
8.3.2. Example 1: MLDv1 Configuration	223
8.3.3. Example 2: MLDv2 Configuration	224
8.3.4. Example 3: MLD Configuration Verification	225
9. Configuring Data Center Features	226
9.1. Data Center Technology Overview	226
9.2. Priority-based Flow Control	226
9.2.1. PFC Operation and Behavior	227
9.2.2. Configuring PFC	227
9.3. Data Center Bridging Exchange Protocol	228
9.3.1. Interoperability with IEEE DCBX	229
9.3.2. DCBX and Port Roles	229
9.3.3. Configuration Source Port Selection Process	230
9.3.4. Configuring DCBX	231
9.4. CoS Queuing	232
9.4.1. CoS Queuing Function and Behavior	233
9.4.1.1. Trusted Port Queue Mappings	233
9.4.1.2. Un-trusted Port Default Priority	234
9.4.1.3. Queue Configuration	234
9.4.1.4. Traffic Class Groups	234
9.4.2. Configuring CoS Queuing and ETS	235
9.5. Enhanced Transmission Selection	237
9.5.1. ETS Operation and Dependencies	237
9.6. VXLAN Gateway Operation and Configuration	238
9.6.1. Overview	238
9.6.1.1. VXLAN	238
9.6.2. Functional Description	239
9.6.2.1. VTEP to VN Association	239
9.6.2.2. Configuration of Remote VTEPs	240
9.6.2.3. VTEP Next-hop Resolution	240
9.6.2.4. VXLAN UDP Destination Port	241
9.6.2.5. Tunnels	241
9.6.2.6. MAC Learning and Aging	242
9.6.2.7. Host Configuration	242
9.6.2.8. ECMP	243
9.6.2.9. MTU	243
9.6.2.10. TTL and DSCP/TOS	243
9.6.2.11. Packet Forwarding	243
9.6.3. VXLAN Configuration Examples	244
9.6.3.1. Unicast VXLAN Configuration	245

Match case Limit results 1 per page

NETGEAR M4500 Series Switches Software Administration Manual

1.2.

Security Features

1.2.1.

Configurable Access and Authentication Profiles

You can configure rules to limit access to the switch management interface based on criteria such as access

type and source IP address of the management host. You can also require the user to be authenticated locally

or by an external server, such as a RADIUS server.

1.2.2.

AAA Command Authorization

This feature enables AAA Command Authorization on the switch.

1.2.3.

Password-protected Management Access

Access to the CLI and SNMP management interfaces is password protected, and there are no default users on

the system.

1.2.4.

Strong Password Enforcement

The Strong Password feature enforces a baseline password strength for all locally administered users.

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force

attacks. The strength of a password is a function of length, complexity and randomness. Using strong

passwords lowers overall risk of a security breach.

1.2.5.

MAC-based Port Security

The port security feature limits access on a port to users with specific MAC addresses. These addresses are

manually defined or learned on that port. When a frame is seen on a locked port, and the frame source MAC

address is not tied to that port, the protection mechanism is invoked.

1.2.6.

RADIUS Client

The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up to 32

authentication and accounting RADIUS servers.

1.2.7.

TACACS+ Client

The switch has a TACACS+ client. TACACS+ provides centralized security for validation of users accessing the

switch. TACACS+ provides a centralized user management system while still retaining consistency with RADIUS

and other authentication processes.