Home » ZyXEL Manuals » Networking » ZyXEL ES-3124PWR » Manual Viewer

ZyXEL ES-3124PWR User Guide - Page 253

SSH Implementation on the Switch, Introduction to HTTPS

Get ZyXEL ES-3124PWR PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 253 highlights

Chapter 30 Access Control 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. 3 Authentication and Data Transmission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server. 30.6 SSH Implementation on the Switch Your Switch supports SSH version 2 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the Switch for remote management and file transfer on port 22. Only one SSH connection is allowed at a time. 30.6.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the Switch over SSH. 30.7 Introduction to HTTPS HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an applicationlevel protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys. HTTPS on the Switch is used so that you may securely access the Switch using the web configurator. The SSL protocol specifies that the SSL server (the Switch) must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the Switch), whereas the SSL client only should authenticate itself when the SSL server requires it to do so. Authenticating client certificates is optional and if selected means the SSLclient must send the Switch a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the Switch. Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the Switch's WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the Switch's WS (web server). ES-3124 Series User's Guide 253

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
Introduction	21
Introducing the Switch	23
1.1 Overview	23
1.1.1 Backbone Application	23
1.1.2 Bridging Example	24
1.1.3 High-performance Switched Example	25
1.1.4 IEEE 802.1Q VLAN Application Examples	25
1.2 Ways to Manage the Switch	26
1.3 Good Habits for Managing the Switch	27
Hardware	29
Hardware Installation and Connection	31
2.1 Freestanding Installation	31
2.2 Mounting the Switch on a Rack	32
2.2.1 Rack-mounted Installation Requirements	32
2.2.2 Attaching the Mounting Brackets to the Switch	32
2.2.3 Mounting the Switch on a Rack	33
Hardware Overview	35
3.1 Panel Connections	35
3.1.1 Console Port	37
3.1.2 Ethernet Ports	37
3.1.3 Transceiver Slots	38
3.2 Rear Panel	39
3.3 Power Connections Overview	40
3.3.1 AC Power Connection	40
3.3.2 DC Power Connection	41
3.3.3 External Backup Power Supply Connector	42
3.3.4 Powering on the Switch	42
3.4 LEDs	42
Web Configurator	45
The Web Configurator	47
4.1 Introduction	47
4.2 System Login	47
4.3 The Status Screen	48
4.3.1 Change Your Password	53
4.4 Saving Your Configuration	53
4.5 Switch Lockout	54
4.6 Resetting the Switch	54
4.6.1 Reload the Configuration File	54
4.7 Logging Out of the Web Configurator	55
4.8 Help	56
Initial Setup Example	57
5.1 Overview	57
5.1.1 Creating a VLAN	57
5.1.2 Setting Port VID	58
5.2 Configuring Switch Management IP Address	59
System Status and Port Statistics	61
6.1 Overview	61
6.2 Port Status Summary	61
6.2.1 Status: Port Details	62
Basic Setting	67
7.1 Overview	67
7.2 System Information	67
7.3 General Setup	69
7.4 Introduction to VLANs	71
7.5 Switch Setup Screen	72
7.6 IP Setup	74
7.6.1 IP Interfaces	74
7.7 Port Setup	76
VLAN	79
8.1 Introduction to IEEE 802.1Q Tagged VLANs	79
8.1.1 Forwarding Tagged and Untagged Frames	79
8.2 Automatic VLAN Registration	80
8.2.1 GARP	80
8.2.2 GVRP	80
8.3 Port VLAN Trunking	81
8.4 Select the VLAN Type	81
8.5 Static VLAN	81
8.5.1 Static VLAN Status	82
8.5.2 Static VLAN Details	82
8.5.3 Configure a Static VLAN	83
8.5.4 Configure VLAN Port Settings	84
8.6 Subnet Based VLANs	86
8.7 Configuring Subnet Based VLAN	87
8.8 Protocol Based VLANs	88
8.9 Configuring Protocol Based VLAN	89
8.10 Create an IP-based VLAN Example	91
8.11 Port-based VLAN Setup	92
8.11.1 Configure a Port-based VLAN	92
Static MAC Forward Setup	97
9.1 Overview	97
9.2 Configuring Static MAC Forwarding	97
Filtering	99
10.1 Configure a Filtering Rule	99
Spanning Tree Protocol	101
11.1 STP/RSTP Overview	101
11.1.1 STP Terminology	101
11.1.2 How STP Works	102
11.1.3 STP Port States	103
11.1.4 Multiple RSTP	103
11.1.5 Multiple STP	104
11.2 Spanning Tree Protocol Status Screen	106
11.3 Spanning Tree Configuration	107
11.4 Configure Rapid Spanning Tree Protocol	108
11.5 Rapid Spanning Tree Protocol Status	109
11.6 Configure Multiple Rapid Spanning Tree Protocol	111
11.7 Multiple Rapid Spanning Tree Protocol Status	112
11.8 Configure Multiple Spanning Tree Protocol	114
11.9 Multiple Spanning Tree Protocol Status	116
Bandwidth Control	119
12.1 Bandwidth Control Overview	119
12.1.1 CIR and PIR	119
12.2 Bandwidth Control Setup	119
Broadcast Storm Control	121
13.1 Broadcast Storm Control Setup	121
Mirroring	123
14.1 Port Mirroring Setup	123
Link Aggregation	125
15.1 Link Aggregation Overview	125
15.2 Dynamic Link Aggregation	125
15.2.1 Link Aggregation ID	126
15.3 Link Aggregation Status	126
15.4 Link Aggregation Setting	127
15.5 Link Aggregation Control Protocol	128
15.6 Static Trunking Example	130
Port Authentication	133
16.1 Port Authentication Overview	133
16.1.1 IEEE 802.1x Authentication	133
16.1.2 MAC Authentication	134
16.2 Port Authentication Configuration	135
16.2.1 Activate IEEE 802.1x Security	135
16.2.2 Activate MAC Authentication	136
Port Security	139
17.1 About Port Security	139
17.2 Port Security Setup	139
Classifier	143
18.1 About the Classifier and QoS	143
18.2 Configuring the Classifier	143
18.3 Viewing and Editing Classifier Configuration	146
18.4 Classifier Example	147
Policy Rule	149
19.1 Policy Rules Overview	149
19.1.1 DiffServ	149
19.1.2 DSCP and Per-Hop Behavior	149
19.2 Configuring Policy Rules	150
19.3 Viewing and Editing Policy Configuration	152
19.4 Policy Example	153
Queuing Method	155
20.1 Queuing Method Overview	155
20.1.1 Strictly Priority	155
20.1.2 Weighted Fair Queuing	155
20.1.3 Weighted Round Robin Scheduling (WRR)	156
20.2 Configuring Queuing	156
VLAN Stacking	159
21.1 VLAN Stacking Overview	159
21.1.1 VLAN Stacking Example	159
21.2 VLAN Stacking Port Roles	160
21.3 VLAN Tag Format	161
21.3.1 Frame Format	161
21.4 Configuring VLAN Stacking	162
Multicast	165
22.1 Multicast Overview	165
22.1.1 IP Multicast Addresses	165
22.1.2 IGMP Filtering	165
22.1.3 IGMP Snooping	165
22.1.4 IGMP Snooping and VLANs	166
22.2 Multicast Status	166
22.3 Multicast Setting	166
22.4 IGMP Snooping VLAN	168
22.5 IGMP Filtering Profile	170
22.6 MVR Overview	171
22.6.1 Types of MVR Ports	171
22.6.2 MVR Modes	172
22.6.3 How MVR Works	172
22.7 General MVR Configuration	172
22.8 MVR Group Configuration	174
22.8.1 MVR Configuration Example	175
Authentication & Accounting	179
23.1 Authentication, Authorization and Accounting	179
23.1.1 Local User Accounts	179
23.1.2 RADIUS and TACACS+	180
23.2 Authentication and Accounting Screens	180
23.2.1 RADIUS Server Setup	180
23.2.2 TACACS+ Server Setup	182
23.2.3 Authentication and Accounting Setup	184
23.2.4 Vendor Specific Attribute	187
23.3 Supported RADIUS Attributes	188
23.3.1 Attributes Used for Authentication	189
23.3.2 Attributes Used for Accounting	189
IP Source Guard	193
24.1 IP Source Guard Overview	193
24.1.1 DHCP Snooping Overview	193
24.1.2 ARP Inspection Overview	195
24.2 IP Source Guard	197
24.3 IP Source Guard Static Binding	197
24.4 DHCP Snooping	199
24.5 DHCP Snooping Configure	202
24.5.1 DHCP Snooping Port Configure	203
24.5.2 DHCP Snooping VLAN Configure	205
24.6 ARP Inspection Status	206
24.6.1 ARP Inspection VLAN Status	206
24.6.2 ARP Inspection Log Status	207
24.7 ARP Inspection Configure	209
24.7.1 ARP Inspection Port Configure	210
24.7.2 ARP Inspection VLAN Configure	211
Loop Guard	213
25.1 Loop Guard Overview	213
25.2 Loop Guard Setup	215
Static Routing	217
26.1 Configuring Static Routing	217
Differentiated Services	219
27.1 DiffServ Overview	219
27.1.1 DSCP and Per-Hop Behavior	219
27.1.2 DiffServ Network Example	220
27.2 Two Rate Three Color Marker Traffic Policing	220
27.2.1 TRTCM - Color-blind Mode	221
27.2.2 TRTCM - Color-aware Mode	221
27.3 Activating DiffServ	222
27.3.1 Configuring 2-Rate 3 Color Marker Settings	222
27.4 DSCP-to-IEEE 802.1p Priority Settings	224
27.4.1 Configuring DSCP Settings	224
DHCP	227
28.1 DHCP Overview	227
28.1.1 DHCP Modes	227
28.1.2 DHCP Configuration Options	227
28.2 DHCP Status	227
28.3 DHCP Relay	228
28.3.1 DHCP Relay Agent Information	228
28.3.2 Configuring DHCP Global Relay	229
28.3.3 Global DHCP Relay Configuration Example	230
28.4 Configuring DHCP VLAN Settings	230
28.4.1 Example: DHCP Relay for Two VLANs	232
Maintenance	233
29.1 The Maintenance Screen	233
29.2 Load Factory Default	234
29.3 Save Configuration	234
29.4 Reboot System	235
29.5 Firmware Upgrade	235
29.6 Restore a Configuration File	236
29.7 Backup a Configuration File	236
29.8 FTP Command Line	237
29.8.1 Filename Conventions	237
29.8.2 FTP Command Line Procedure	237
29.8.3 GUI-based FTP Clients	238
29.8.4 FTP Restrictions	238
Access Control	239
30.1 Access Control Overview	239
30.2 The Access Control Main Screen	239
30.3 About SNMP	240
30.3.1 SNMP v3 and Security	241
30.3.2 Supported MIBs	241
30.3.3 SNMP Traps	241
30.3.4 Configuring SNMP	247
30.3.5 Configuring SNMP Trap Group	249
30.3.6 Setting Up Login Accounts	250
30.4 SSH Overview	252
30.5 How SSH works	252
30.6 SSH Implementation on the Switch	253
30.6.1 Requirements for Using SSH	253
30.7 Introduction to HTTPS	253
30.8 HTTPS Example	254
30.8.1 Internet Explorer Warning Messages	254
30.8.2 Netscape Navigator Warning Messages	255
30.8.3 The Main Screen	255
30.9 Service Port Access Control	256
30.10 Remote Management	257
Diagnostic	259
31.1 Diagnostic	259
Syslog	261
32.1 Syslog Overview	261
32.2 Syslog Setup	261
32.3 Syslog Server Setup	262
Cluster Management	265
33.1 Clustering Management Status Overview	265
33.2 Cluster Management Status	266
33.2.1 Cluster Member Switch Management	267
33.3 Clustering Management Configuration	268
MAC Table	271
34.1 MAC Table Overview	271
34.2 Viewing the MAC Table	272
ARP Table	273
35.1 ARP Table Overview	273
35.1.1 How ARP Works	273
35.2 Viewing the ARP Table	273
Configure Clone	275
36.1 Configure Clone	275
Troubleshooting and Specifications	277
Troubleshooting	279
37.1 Power, Hardware Connections, and LEDs	279
37.2 Switch Access and Login	280
Product Specifications	283
38.1 General Switch Specifications	283
38.2 Cable Pin Assignments	288
Appendices and Index	291
Setting up Your Computer’s IP Address	293
Pop-up Windows, JavaScripts and Java Permissions	315
IP Addresses and Subnetting	323
Common Services	333
Importing Certificates	337
Legal Information	343

Match case Limit results 1 per page

Chapter 30 Access Control

ES-3124 Series User’s Guide

253

Encryption Method

Once the identification is verified, both the client and server must agree on the type of

encryption method to use.

Authentication and Data Transmission

After the identification is verified and data encryption activated, a secure tunnel is

established between the client and the server. The client then sends its authentication

information (user name and password) to the server to log in to the server.

30.6

SSH Implementation on the Switch

Your Switch supports SSH version 2 using RSA authentication and three encryption methods

(DES, 3DES and Blowfish). The SSH server is implemented on the Switch for remote

management and file transfer on port 22. Only one SSH connection is allowed at a time.

30.6.1

Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating

system) that is used to connect to the Switch over SSH.

30.7

Introduction to HTTPS

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web

protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-

level protocol that enables secure transactions of data by ensuring confidentiality (an

unauthorized party cannot read the transferred data), authentication (one party can identify the

other party) and data integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys.

HTTPS on the Switch is used so that you may securely access the Switch using the web

configurator. The SSL protocol specifies that the SSL server (the Switch) must always

authenticate itself to the SSL client (the computer which requests the HTTPS connection with

the Switch), whereas the SSL client only should authenticate itself when the SSL server

requires it to do so. Authenticating client certificates is optional and if selected means the SSL-

client must send the Switch a certificate. You must apply for a certificate for the browser from

a CA that is a trusted CA on the Switch.

Please refer to the following figure.

HTTPS connection requests from an SSL-aware web browser go to port 443 (by default)

on the Switch’s WS (web server).

HTTP connection requests from a web browser go to port 80 (by default) on the Switch’s

WS (web server).