Home » ZyXEL Manuals » Networking » ZyXEL ES3500-24 » Manual Viewer

ZyXEL ES3500-24 User Guide - Page 308

SSH Implementation on the Switch, Introduction to HTTPS

Get ZyXEL ES3500-24 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 308 highlights

Chapter 39 Access Control 39.7 SSH Implementation on the Switch Your Switch supports SSH version 2 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the Switch for remote management and file transfer on port 22. Only one SSH connection is allowed at a time. 39.7.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the Switch over SSH. 39.8 Introduction to HTTPS HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys. HTTPS on the Switch is used so that you may securely access the Switch using the web configurator. The SSL protocol specifies that the SSL server (the Switch) must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the Switch), whereas the SSL client only should authenticate itself when the SSL server requires it to do so. Authenticating client certificates is optional and if selected means the SSL-client must send the Switch a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the Switch. Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the Switch's WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the Switch's WS (web server). Figure 186 HTTPS Implementation 308 ES3500 Series User's Guide

Section	Page
ES3500 Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	17
Getting to Know Your Switch	19
1.1 Introduction	19
1.1.1 Backbone Application	19
1.1.2 Bridging Example	20
1.1.3 High Performance Switching Example	20
1.1.4 IEEE 802.1Q VLAN Application Examples	21
1.1.5 IPv6 Support	22
1.2 Ways to Manage the Switch	22
1.3 Good Habits for Managing the Switch	23
Hardware Installation and Connection	25
2.1 Installation Scenarios	25
2.2 Desktop Installation Procedure	25
2.3 Mounting the Switch on a Rack	25
2.3.1 Rack-mounted Installation Requirements	26
2.3.2 Attaching the Mounting Brackets to the Switch	26
2.3.3 Mounting the Switch on a Rack	27
Hardware Overview	28
3.1 Front and Rear Panels	28
3.1.1 Console Port	30
3.1.2 Ethernet Ports	30
3.1.3 Transceiver Slots	31
3.1.4 Power Connector	33
3.2 LEDs	33
The Web Configurator	37
4.1 Introduction	37
4.2 System Login	37
4.3 The Web Configurator Layout	38
4.3.1 Change Your Password	43
4.4 Saving Your Configuration	43
4.5 Switch Lockout	43
4.6 Resetting the Switch	44
4.6.1 Reload the Configuration File	44
4.7 Logging Out of the Web Configurator	45
4.8 Help	45
Initial Setup Example	47
5.1 Overview	47
5.1.1 Creating a VLAN	47
5.1.2 Setting Port VID	49
5.2 Configuring Switch Management IP Address	50
Tutorials	52
6.1 How to Use DHCP Snooping on the Switch	52
6.2 How to Use DHCP Relay on the Switch	55
6.2.1 DHCP Relay Tutorial Introduction	56
6.2.2 Creating a VLAN	56
6.2.3 Configuring DHCP Relay	58
6.2.4 Troubleshooting	59
6.3 How to Use PPPoE IA on the Switch	59
6.3.1 Configuring Switch A	60
6.3.2 Configuring Switch B	62
6.4 How to Use Error Disable and Recovery on the Switch	65
6.5 How to Set Up a Guest VLAN	67
6.5.1 Creating a Guest VLAN	67
6.5.2 Enabling IEEE 802.1x Port Authentication	70
6.5.3 Enabling Guest VLAN	71
6.6 How to Do Port Isolation in a VLAN	72
6.6.1 Creating a VLAN	73
6.6.2 Creating a Private VLAN Rule	75
Technical Reference	77
System Status and Port Statistics	79
7.1 Overview	79
7.2 Port Status Summary	79
7.2.1 Status: Port Details	81
Basic Setting	84
8.1 Overview	84
8.2 System Information	84
8.3 General Setup	86
8.4 Introduction to VLANs	87
8.4.1 Smart Isolation	88
8.5 Switch Setup	89
8.6 IP Setup	91
8.6.1 Management IP Addresses	91
8.7 Port Setup	93
8.8 PoE	94
8.8.1 PoE Setup	96
VLAN	99
9.1 Introduction to IEEE 802.1Q Tagged VLANs	99
9.1.1 Forwarding Tagged and Untagged Frames	99
9.2 Automatic VLAN Registration	100
9.2.1 GARP	100
9.2.2 GVRP	100
9.3 Port VLAN Trunking	101
9.4 Select the VLAN Type	101
9.5 Static VLAN	101
9.5.1 VLAN Status	102
9.5.2 VLAN Details	103
9.5.3 Configure a Static VLAN	104
9.5.4 Configure VLAN Port Settings	105
9.6 Subnet Based VLANs	106
9.7 Configuring Subnet Based VLAN	107
9.8 Protocol Based VLANs	109
9.9 Configuring Protocol Based VLAN	110
9.10 Create an IP-based VLAN Example	111
9.11 Port-based VLAN Setup	112
9.11.1 Configure a Port-based VLAN	112
Static MAC Forward Setup	116
10.1 Overview	116
10.2 Configuring Static MAC Forwarding	116
Static Multicast Forward Setup	118
11.1 Static Multicast Forwarding Overview	118
11.2 Configuring Static Multicast Forwarding	119
Filtering	122
12.1 Configure a Filtering Rule	122
Spanning Tree Protocol	124
13.1 STP/RSTP Overview	124
13.1.1 STP Terminology	124
13.1.2 How STP Works	125
13.1.3 STP Port States	125
13.1.4 Multiple RSTP	126
13.1.5 Multiple STP	126
13.2 Spanning Tree Protocol Status Screen	129
13.3 Spanning Tree Configuration	129
13.4 Configure Rapid Spanning Tree Protocol	130
13.5 Rapid Spanning Tree Protocol Status	132
13.6 Configure Multiple Rapid Spanning Tree Protocol	133
13.7 Multiple Rapid Spanning Tree Protocol Status	134
13.8 Configure Multiple Spanning Tree Protocol	136
13.8.1 Multiple Spanning Tree Protocol Port Configuration	139
13.9 Multiple Spanning Tree Protocol Status	140
Bandwidth Control	142
14.1 Bandwidth Control Overview	142
14.1.1 CIR and PIR	142
14.2 Bandwidth Control Setup	143
Broadcast Storm Control	145
15.1 Broadcast Storm Control Setup	145
Mirroring	147
16.1 Port Mirroring Setup	147
Link Aggregation	149
17.1 Link Aggregation Overview	149
17.2 Dynamic Link Aggregation	149
17.2.1 Link Aggregation ID	150
17.3 Link Aggregation Status	150
17.4 Link Aggregation Setting	152
17.5 Link Aggregation Control Protocol	154
17.6 Static Trunking Example	155
Port Authentication	157
18.1 Port Authentication Overview	157
18.1.1 IEEE 802.1x Authentication	157
18.1.2 MAC Authentication	158
18.2 Port Authentication Configuration	159
18.2.1 Activate IEEE 802.1x Security	160
18.2.2 Guest VLAN	161
18.2.3 Activate MAC Authentication	163
Port Security	165
19.1 About Port Security	165
19.2 Port Security Setup	165
Classifier	167
20.1 About the Classifier and QoS	167
20.2 Configuring the Classifier	167
20.3 Viewing and Editing Classifier Configuration	169
20.4 Classifier Example	171
Policy Rule	172
21.1 Policy Rules Overview	172
21.1.1 DiffServ	172
21.1.2 DSCP and Per-Hop Behavior	172
21.2 Configuring Policy Rules	172
21.3 Viewing and Editing Policy Configuration	175
21.4 Policy Example	176
Queuing Method	177
22.1 Queuing Method Overview	177
22.1.1 Strictly Priority Queuing	177
22.1.2 Weighted Fair Queuing	177
22.1.3 Weighted Round Robin Scheduling (WRR)	178
22.2 Configuring Queuing	178
VLAN Stacking	180
23.1 VLAN Stacking Overview	180
23.1.1 VLAN Stacking Example	180
23.2 VLAN Stacking Port Roles	181
23.3 VLAN Tag Format	182
23.3.1 Frame Format	182
23.4 Configuring VLAN Stacking	183
23.4.1 Port-based Q-in-Q	184
23.4.2 Selective Q-in-Q	185
Multicast	187
24.1 Multicast Overview	187
24.1.1 IP Multicast Addresses	187
24.1.2 IGMP Filtering	187
24.1.3 IGMP Snooping	187
24.1.4 IGMP Snooping and VLANs	188
24.2 Multicast Status	188
24.3 Multicast Setting	189
24.4 IGMP Snooping VLAN	192
24.5 IGMP Filtering Profile	193
24.6 MVR Overview	194
24.6.1 Types of MVR Ports	195
24.6.2 MVR Modes	195
24.6.3 How MVR Works	195
24.7 General MVR Configuration	196
24.8 MVR Group Configuration	198
24.8.1 MVR Configuration Example	199
AAA	202
25.1 Authentication, Authorization and Accounting (AAA)	202
25.1.1 Local User Accounts	202
25.1.2 RADIUS and TACACS+	203
25.2 AAA Screens	203
25.2.1 RADIUS Server Setup	203
25.2.2 TACACS+ Server Setup	206
25.2.3 AAA Setup	208
25.2.4 Vendor Specific Attribute	210
25.2.5 Tunnel Protocol Attribute	211
25.3 Supported RADIUS Attributes	211
25.3.1 Attributes Used for Authentication	212
25.3.2 Attributes Used for Accounting	212
IP Source Guard	215
26.1 IP Source Guard Overview	215
26.1.1 DHCP Snooping Overview	215
26.1.2 ARP Inspection Overview	217
26.2 IP Source Guard	219
26.3 IP Source Guard Static Binding	219
26.4 DHCP Snooping	221
26.5 DHCP Snooping Configure	223
26.5.1 DHCP Snooping Port Configure	225
26.5.2 DHCP Snooping VLAN Configure	226
26.6 ARP Inspection Status	227
26.6.1 ARP Inspection VLAN Status	228
26.6.2 ARP Inspection Log Status	229
26.7 ARP Inspection Configure	230
26.7.1 ARP Inspection Port Configure	231
26.7.2 ARP Inspection VLAN Configure	233
Loop Guard	234
27.1 Loop Guard Overview	234
27.2 Loop Guard Setup	236
VLAN Mapping	238
28.1 VLAN Mapping Overview	238
28.1.1 VLAN Mapping Example	238
28.2 Enabling VLAN Mapping	239
28.3 Configuring VLAN Mapping	240
Layer 2 Protocol Tunneling	242
29.1 Layer 2 Protocol Tunneling Overview	242
29.1.1 Layer-2 Protocol Tunneling Mode	243
29.2 Configuring Layer 2 Protocol Tunneling	244
sFlow	246
30.1 sFlow Overview	246
30.2 sFlow Port Configuration	247
30.2.1 sFlow Collector Configuration	248
PPPoE	250
31.1 PPPoE Intermediate Agent Overview	250
31.1.1 PPPoE Intermediate Agent Tag Format	250
31.1.2 Sub-Option Format	250
31.1.3 Port State	251
31.2 The PPPoE Screen	252
31.3 PPPoE Intermediate Agent	252
31.3.1 PPPoE IA Per-Port	254
31.3.2 PPPoE IA Per-Port Per-VLAN	255
31.3.3 PPPoE IA for VLAN	257
Error Disable	258
32.1 CPU Protection Overview	258
32.2 Error-Disable Recovery Overview	258
32.3 The Error Disable Screen	259
32.4 CPU Protection Configuration	259
32.5 Error-Disable Detect Configuration	260
32.6 Error-Disable Recovery Configuration	261
Private VLAN	263
33.1 Private VLAN Overview	263
33.2 Configuring Private VLAN	264
Green Ethernet	265
34.1 Green Ethernet Overview	265
34.2 Configuring Green Ethernet	266
Static Route	267
35.1 Static Routing Overview	267
35.2 Configuring Static Routing	268
Differentiated Services	270
36.1 DiffServ Overview	270
36.1.1 DSCP and Per-Hop Behavior	270
36.1.2 DiffServ Network Example	270
36.2 Two Rate Three Color Marker Traffic Policing	271
36.2.1 TRTCM-Color-blind Mode	272
36.2.2 TRTCM-Color-aware Mode	272
36.3 Activating DiffServ	272
36.3.1 Configuring 2-Rate 3 Color Marker Settings	273
36.3.2 Configuring DSCP Profiles	275
36.4 DSCP-to-IEEE 802.1p Priority Settings	276
36.4.1 Configuring DSCP Settings	276
DHCP	278
37.1 DHCP Overview	278
37.1.1 DHCP Modes	278
37.1.2 DHCP Configuration Options	278
37.2 DHCP Status	278
37.3 DHCP Relay	279
37.3.1 DHCP Relay Agent Information	279
37.3.2 Configuring DHCP Global Relay	280
37.3.3 Global DHCP Relay Configuration Example	281
37.4 Configuring DHCP VLAN Settings	282
37.4.1 Example: DHCP Relay for Two VLANs	283
Maintenance	285
38.1 The Maintenance Screen	285
38.2 Load Factory Default	286
38.3 Save Configuration	286
38.4 Reboot System	286
38.5 Firmware Upgrade	287
38.6 Restore a Configuration File	288
38.7 Backup a Configuration File	288
38.8 FTP Command Line	289
38.8.1 Filename Conventions	289
38.8.2 FTP Command Line Procedure	290
38.8.3 GUI-based FTP Clients	290
38.8.4 FTP Restrictions	290
Access Control	292
39.1 Access Control Overview	292
39.2 The Access Control Main Screen	292
39.3 About SNMP	292
39.3.1 SNMP v3 and Security	293
39.3.2 Supported MIBs	294
39.3.3 SNMP Traps	294
39.3.4 Configuring SNMP	301
39.3.5 Configuring SNMP Trap Group	302
39.3.6 Configuring SNMP User	303
39.4 Setting Up Login Accounts	305
39.5 SSH Overview	306
39.6 How SSH works	307
39.7 SSH Implementation on the Switch	308
39.7.1 Requirements for Using SSH	308
39.8 Introduction to HTTPS	308
39.9 HTTPS Example	309
39.9.1 Internet Explorer Warning Messages	309
39.9.2 Mozilla Firefox Warning Messages	312
39.9.3 The Main Screen	313
39.10 Service Port Access Control	314
39.11 Remote Management	315
Diagnostic	317
40.1 Diagnostic	317
Syslog	318
41.1 Syslog Overview	318
41.2 Syslog Setup	319
41.3 Syslog Server Setup	320
Cluster Management	321
42.1 Cluster Management Status Overview	321
42.2 Cluster Management Status	322
42.2.1 Cluster Member Switch Management	323
42.3 Clustering Management Configuration	325
MAC Table	327
43.1 MAC Table Overview	327
43.2 Viewing the MAC Table	328
ARP Table	330
44.1 ARP Table Overview	330
44.1.1 How ARP Works	330
44.2 The ARP Table Screen	331
Configure Clone	332
45.1 Configure Clone	332
Troubleshooting	335
46.1 Power, Hardware Connections, and LEDs	335
46.2 Switch Access and Login	337
46.3 Switch Configuration	339
Common Services	341
Legal Information	345
Safety Warnings	348

Match case Limit results 1 per page

Chapter 39 Access Control

ES3500 Series User’s Guide

308

39.7

SSH Implementation on the Switch

Your Switch supports SSH version 2 using RSA authentication and three encryption methods (DES,

3DES and Blowfish). The SSH server is implemented on the Switch for remote management and file

transfer on port 22. Only one SSH connection is allowed at a time.

39.7.1

Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system)

that is used to connect to the Switch over SSH.

39.8

Introduction to HTTPS

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol

that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol

that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot

read the transferred data), authentication (one party can identify the other party) and data

integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys.

HTTPS on the Switch is used so that you may securely access the Switch using the web

configurator. The SSL protocol specifies that the SSL server (the Switch) must always authenticate

itself to the SSL client (the computer which requests the HTTPS connection with the Switch),

whereas the SSL client only should authenticate itself when the SSL server requires it to do so.

Authenticating client certificates is optional and if selected means the SSL-client must send the

Switch a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA

on the Switch.

Please refer to the following figure.

HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the

Switch’s WS (web server).

HTTP connection requests from a web browser go to port 80 (by default) on the Switch’s WS (web

server).

Figure 186

HTTPS Implementation