Home » ZyXEL Manuals » Networking » ZyXEL MES3500-24F » Manual Viewer

ZyXEL MES3500-24F User Guide - Page 303

SSH Implementation on the Switch, Introduction to HTTPS

Get ZyXEL MES3500-24F PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 303 highlights

Chapter 38 Access Control 38.7 SSH Implementation on the Switch Your Switch supports SSH version 2 using RSA authentication and three encryption methods (DES, 3DES and Blowfish). The SSH server is implemented on the Switch for remote management and file transfer on port 22. Only one SSH connection is allowed at a time. 38.7.1 Requirements for Using SSH You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the Switch over SSH. 38.8 Introduction to HTTPS HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys. HTTPS on the Switch is used so that you may securely access the Switch using the web configurator. The SSL protocol specifies that the SSL server (the Switch) must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the Switch), whereas the SSL client only should authenticate itself when the SSL server requires it to do so. Authenticating client certificates is optional and if selected means the SSL-client must send the Switch a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the Switch. Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the Switch's WS (web server). 2 HTTP connection requests from a web browser go to port 80 (by default) on the Switch's WS (web server). Figure 180 HTTPS Implementation MES3500-24/24F User's Guide 303

Section	Page
MES3500-24/24F	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	5
Contents Overview	7
Table of Contents	9
User’s Guide	21
Getting to Know Your Switch	23
1.1 Introduction	23
1.1.1 Backbone Application	23
1.1.2 Bridging Example	24
1.1.3 High Performance Switching Example	24
1.1.4 IEEE 802.1Q VLAN Application Examples	25
1.1.5 IPv6 Support	25
1.2 Ways to Manage the Switch	26
1.3 Good Habits for Managing the Switch	26
Hardware Installation and Connection	27
2.1 Installation Scenarios	27
2.2 Desktop Installation Procedure	27
2.3 Mounting the Switch on a Rack	27
2.3.1 Rack-mounted Installation Requirements	27
2.3.2 Attaching the Mounting Brackets to the Switch	28
2.3.3 Mounting the Switch on a Rack	29
Hardware Overview	30
3.1 Front Panel	30
3.1.1 Console Port	31
3.1.2 Ethernet Ports	32
3.1.3 Transceiver Slots	32
3.1.4 Power Connector	34
3.1.5 Signal Slot	35
3.2 LEDs	37
The Web Configurator	39
4.1 Introduction	39
4.2 System Login	39
4.3 The Web Configurator Layout	40
4.3.1 Change Your Password	44
4.4 Saving Your Configuration	44
4.5 Switch Lockout	44
4.6 Resetting the Switch	45
4.6.1 Reload the Configuration File	45
4.7 Logging Out of the Web Configurator	46
4.8 Help	46
Initial Setup Example	49
5.1 Overview	49
5.1.1 Creating a VLAN	49
5.1.2 Setting Port VID	50
5.2 Configuring Switch Management IP Address	51
Tutorials	53
6.1 How to Use DHCP Snooping on the Switch	53
6.2 How to Use DHCP Relay on the Switch	56
6.2.1 DHCP Relay Tutorial Introduction	57
6.2.2 Creating a VLAN	57
6.2.3 Configuring DHCP Relay	59
6.2.4 Troubleshooting	60
6.3 How to Use PPPoE IA on the Switch	60
6.3.1 Configuring Switch A	61
6.3.2 Configuring Switch B	63
6.4 How to Use Error Disable and Recovery on the Switch	66
6.5 How to Set Up a Guest VLAN	68
6.5.1 Creating a Guest VLAN	68
6.5.2 Enabling IEEE 802.1x Port Authentication	71
6.5.3 Enabling Guest VLAN	72
6.6 How to Do Port Isolation in a VLAN	73
6.6.1 Creating a VLAN	74
6.6.2 Creating a Private VLAN Rule	76
Technical Reference	79
System Status and Port Statistics	81
7.1 Overview	81
7.2 Port Status Summary	81
7.2.1 Status: Port Details	83
Basic Setting	86
8.1 Overview	86
8.2 System Information	86
8.3 General Setup	88
8.4 Introduction to VLANs	89
8.4.1 Smart Isolation	90
8.5 Switch Setup	91
8.6 IP Setup	93
8.6.1 Management IP Addresses	93
8.7 Port Setup	95
VLAN	97
9.1 Introduction to IEEE 802.1Q Tagged VLANs	97
9.1.1 Forwarding Tagged and Untagged Frames	97
9.2 Automatic VLAN Registration	98
9.2.1 GARP	98
9.2.2 GVRP	98
9.3 Port VLAN Trunking	99
9.4 Select the VLAN Type	99
9.5 Static VLAN	99
9.5.1 VLAN Status	100
9.5.2 VLAN Details	101
9.5.3 Configure a Static VLAN	102
9.5.4 Configure VLAN Port Settings	103
9.6 Subnet Based VLANs	104
9.7 Configuring Subnet Based VLAN	105
9.8 Protocol Based VLANs	107
9.9 Configuring Protocol Based VLAN	108
9.10 Create an IP-based VLAN Example	109
9.11 Port-based VLAN Setup	110
9.11.1 Configure a Port-based VLAN	111
Static MAC Forward Setup	114
10.1 Overview	114
10.2 Configuring Static MAC Forwarding	114
Static Multicast Forward Setup	116
11.1 Static Multicast Forwarding Overview	116
11.2 Configuring Static Multicast Forwarding	117
Filtering	120
12.1 Configure a Filtering Rule	120
Spanning Tree Protocol	122
13.1 STP/RSTP Overview	122
13.1.1 STP Terminology	122
13.1.2 How STP Works	123
13.1.3 STP Port States	123
13.1.4 Multiple RSTP	124
13.1.5 Multiple STP	124
13.2 Spanning Tree Protocol Status Screen	127
13.3 Spanning Tree Configuration	127
13.4 Configure Rapid Spanning Tree Protocol	128
13.5 Rapid Spanning Tree Protocol Status	130
13.6 Configure Multiple Rapid Spanning Tree Protocol	131
13.7 Multiple Rapid Spanning Tree Protocol Status	133
13.8 Configure Multiple Spanning Tree Protocol	135
13.8.1 Multiple Spanning Tree Protocol Port Configuration	138
13.9 Multiple Spanning Tree Protocol Status	139
Bandwidth Control	141
14.1 Bandwidth Control Overview	141
14.1.1 CIR and PIR	141
14.2 Bandwidth Control Setup	142
Broadcast Storm Control	144
15.1 Broadcast Storm Control Setup	144
Mirroring	146
16.1 Port Mirroring Setup	146
Link Aggregation	148
17.1 Link Aggregation Overview	148
17.2 Dynamic Link Aggregation	148
17.2.1 Link Aggregation ID	149
17.3 Link Aggregation Status	149
17.4 Link Aggregation Setting	151
17.5 Link Aggregation Control Protocol	153
17.6 Static Trunking Example	154
Port Authentication	156
18.1 Port Authentication Overview	156
18.1.1 IEEE 802.1x Authentication	156
18.1.2 MAC Authentication	157
18.2 Port Authentication Configuration	158
18.2.1 Activate IEEE 802.1x Security	159
18.2.2 Guest VLAN	160
18.2.3 Activate MAC Authentication	162
Port Security	164
19.1 About Port Security	164
19.2 Port Security Setup	164
Classifier	166
20.1 About the Classifier and QoS	166
20.2 Configuring the Classifier	166
20.3 Viewing and Editing Classifier Configuration	168
20.4 Classifier Example	170
Policy Rule	171
21.1 Policy Rules Overview	171
21.1.1 DiffServ	171
21.1.2 DSCP and Per-Hop Behavior	171
21.2 Configuring Policy Rules	171
21.3 Viewing and Editing Policy Configuration	174
21.4 Policy Example	175
Queuing Method	176
22.1 Queuing Method Overview	176
22.1.1 Strictly Priority Queuing	176
22.1.2 Weighted Fair Queuing	176
22.1.3 Weighted Round Robin Scheduling (WRR)	177
22.2 Configuring Queuing	177
VLAN Stacking	179
23.1 VLAN Stacking Overview	179
23.1.1 VLAN Stacking Example	179
23.2 VLAN Stacking Port Roles	180
23.3 VLAN Tag Format	181
23.3.1 Frame Format	181
23.4 Configuring VLAN Stacking	182
23.4.1 Port-based Q-in-Q	183
23.4.2 Selective Q-in-Q	184
Multicast	186
24.1 Multicast Overview	186
24.1.1 IP Multicast Addresses	186
24.1.2 IGMP Filtering	186
24.1.3 IGMP Snooping	186
24.1.4 IGMP Snooping and VLANs	187
24.2 Multicast Status	187
24.3 Multicast Setting	188
24.4 IGMP Snooping VLAN	191
24.5 IGMP Filtering Profile	192
24.6 MVR Overview	193
24.6.1 Types of MVR Ports	194
24.6.2 MVR Modes	194
24.6.3 How MVR Works	194
24.7 General MVR Configuration	195
24.8 MVR Group Configuration	197
24.8.1 MVR Configuration Example	198
AAA	201
25.1 Authentication, Authorization and Accounting (AAA)	201
25.1.1 Local User Accounts	201
25.1.2 RADIUS and TACACS+	202
25.2 AAA Screens	202
25.2.1 RADIUS Server Setup	202
25.2.2 TACACS+ Server Setup	205
25.2.3 AAA Setup	207
25.2.4 Vendor Specific Attribute	209
25.2.5 Tunnel Protocol Attribute	210
25.3 Supported RADIUS Attributes	210
25.3.1 Attributes Used for Authentication	211
25.3.2 Attributes Used for Accounting	211
IP Source Guard	214
26.1 IP Source Guard Overview	214
26.1.1 DHCP Snooping Overview	214
26.1.2 ARP Inspection Overview	216
26.2 IP Source Guard	218
26.3 IP Source Guard Static Binding	218
26.4 DHCP Snooping	220
26.5 DHCP Snooping Configure	222
26.5.1 DHCP Snooping Port Configure	224
26.5.2 DHCP Snooping VLAN Configure	225
26.6 ARP Inspection Status	226
26.6.1 ARP Inspection VLAN Status	227
26.6.2 ARP Inspection Log Status	228
26.7 ARP Inspection Configure	229
26.7.1 ARP Inspection Port Configure	230
26.7.2 ARP Inspection VLAN Configure	232
Loop Guard	233
27.1 Loop Guard Overview	233
27.2 Loop Guard Setup	235
VLAN Mapping	237
28.1 VLAN Mapping Overview	237
28.1.1 VLAN Mapping Example	237
28.2 Enabling VLAN Mapping	238
28.3 Configuring VLAN Mapping	239
Layer 2 Protocol Tunneling	241
29.1 Layer 2 Protocol Tunneling Overview	241
29.1.1 Layer-2 Protocol Tunneling Mode	242
29.2 Configuring Layer 2 Protocol Tunneling	243
sFlow	245
30.1 sFlow Overview	245
30.2 sFlow Port Configuration	246
30.2.1 sFlow Collector Configuration	247
PPPoE	249
31.1 PPPoE Intermediate Agent Overview	249
31.1.1 PPPoE Intermediate Agent Tag Format	249
31.1.2 Sub-Option Format	249
31.1.3 Port State	250
31.2 The PPPoE Screen	251
31.3 PPPoE Intermediate Agent	251
31.3.1 PPPoE IA Per-Port	253
31.3.2 PPPoE IA Per-Port Per-VLAN	254
31.3.3 PPPoE IA for VLAN	256
Error Disable	257
32.1 CPU Protection Overview	257
32.2 Error-Disable Recovery Overview	257
32.3 The Error Disable Screen	258
32.4 CPU Protection Configuration	258
32.5 Error-Disable Detect Configuration	259
32.6 Error-Disable Recovery Configuration	260
Private VLAN	262
33.1 Private VLAN Overview	262
33.2 Configuring Private VLAN	263
Static Route	265
34.1 Static Routing Overview	265
34.2 Configuring Static Routing	266
Differentiated Services	268
35.1 DiffServ Overview	268
35.1.1 DSCP and Per-Hop Behavior	268
35.1.2 DiffServ Network Example	268
35.2 Two Rate Three Color Marker Traffic Policing	269
35.2.1 TRTCM-Color-blind Mode	270
35.2.2 TRTCM-Color-aware Mode	270
35.3 Activating DiffServ	270
35.3.1 Configuring 2-Rate 3 Color Marker Settings	271
35.3.2 Configuring DSCP Profiles	273
35.4 DSCP-to-IEEE 802.1p Priority Settings	274
35.4.1 Configuring DSCP Settings	274
DHCP	276
36.1 DHCP Overview	276
36.1.1 DHCP Modes	276
36.1.2 DHCP Configuration Options	276
36.2 DHCP Status	276
36.3 DHCP Relay	277
36.3.1 DHCP Relay Agent Information	277
36.3.2 Configuring DHCP Global Relay	278
36.3.3 Global DHCP Relay Configuration Example	279
36.4 Configuring DHCP VLAN Settings	280
36.4.1 Example: DHCP Relay for Two VLANs	281
Maintenance	283
37.1 The Maintenance Screen	283
37.2 Load Factory Default	284
37.3 Save Configuration	284
37.4 Reboot System	284
37.5 Firmware Upgrade	285
37.6 Restore a Configuration File	286
37.7 Backup a Configuration File	286
37.8 FTP Command Line	287
37.8.1 Filename Conventions	287
37.8.2 FTP Command Line Procedure	288
37.8.3 GUI-based FTP Clients	288
37.8.4 FTP Restrictions	288
Access Control	290
38.1 Access Control Overview	290
38.2 The Access Control Main Screen	290
38.3 About SNMP	290
38.3.1 SNMP v3 and Security	291
38.3.2 Supported MIBs	292
38.3.3 SNMP Traps	292
38.3.4 Configuring SNMP	296
38.3.5 Configuring SNMP Trap Group	297
38.3.6 Configuring SNMP User	298
38.4 Setting Up Login Accounts	299
38.5 SSH Overview	301
38.6 How SSH works	302
38.7 SSH Implementation on the Switch	303
38.7.1 Requirements for Using SSH	303
38.8 Introduction to HTTPS	303
38.9 HTTPS Example	304
38.9.1 Internet Explorer Warning Messages	304
38.9.2 Mozilla Firefox Warning Messages	307
38.9.3 The Main Screen	308
38.10 Service Port Access Control	309
38.11 Remote Management	310
Diagnostic	312
39.1 Diagnostic	312
Syslog	313
40.1 Syslog Overview	313
40.2 Syslog Setup	314
40.3 Syslog Server Setup	315
Cluster Management	316
41.1 Cluster Management Status Overview	316
41.2 Cluster Management Status	317
41.2.1 Cluster Member Switch Management	318
41.3 Clustering Management Configuration	320
MAC Table	322
42.1 MAC Table Overview	322
42.2 Viewing the MAC Table	323
ARP Table	325
43.1 ARP Table Overview	325
43.1.1 How ARP Works	325
43.2 The ARP Table Screen	326
Configure Clone	327
44.1 Configure Clone	327
Troubleshooting	329
45.1 Power, Hardware Connections, and LEDs	329
45.2 Switch Access and Login	330
45.3 Switch Configuration	332
Common Services	333
Legal Information	337

Match case Limit results 1 per page

Chapter 38 Access Control

MES3500-24/24F User’s Guide

303

38.7

SSH Implementation on the Switch

Your Switch supports SSH version 2 using RSA authentication and three encryption methods (DES,

3DES and Blowfish). The SSH server is implemented on the Switch for remote management and file

transfer on port 22. Only one SSH connection is allowed at a time.

38.7.1

Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system)

that is used to connect to the Switch over SSH.

38.8

Introduction to HTTPS

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol

that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol

that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot

read the transferred data), authentication (one party can identify the other party) and data

integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys.

HTTPS on the Switch is used so that you may securely access the Switch using the web

configurator. The SSL protocol specifies that the SSL server (the Switch) must always authenticate

itself to the SSL client (the computer which requests the HTTPS connection with the Switch),

whereas the SSL client only should authenticate itself when the SSL server requires it to do so.

Authenticating client certificates is optional and if selected means the SSL-client must send the

Switch a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA

on the Switch.

Please refer to the following figure.

HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the

Switch’s WS (web server).

HTTP connection requests from a web browser go to port 80 (by default) on the Switch’s WS (web

server).

Figure 180

HTTPS Implementation