Home » ZyXEL Manuals » Networking » ZyXEL XGS4700-48F » Manual Viewer

ZyXEL XGS4700-48F User Guide - Page 193

Guest VLAN

Get ZyXEL XGS4700-48F PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 193 highlights

Chapter 18 Port Authentication Table 44 Advanced Application > Port Authentication > 802.1x (continued) LABEL Max-Req DESCRIPTION Specify the number of times the Switch tries to authenticate client(s) before sending unresponsive ports to the Guest VLAN. Reauth Reauth-period Quiet-period Tx-period Supp-Timeout Apply Cancel This is set to 2 by default. That is, the Switch attempts to authenticate a client twice. If the client does not respond to the first authentication request, the Switch tries again. If the client still does not respond to the second request, the Switch sends the client to the Guest VLAN. The client needs to send a new request to be authenticated by the Switch again. Specify if a subscriber has to periodically re-enter his or her username and password to stay connected to the port. Specify the length of time required to pass before a client has to re-enter his or her username and password to stay connected to the port. Specify the number of seconds the port remains in the HELD state and rejects further authentication requests from the connected client after a failed authentication exchange. Specify the number of seconds the Switch waits for client's response before re-sending an identity request to the client. Specify the number of seconds the Switch waits for client's response to a challenge request before sending another request. Click Apply to save your changes to the Switch's run-time memory. The Switch loses these changes if it is turned off or loses power, so use the Save link on the top navigation panel to save your changes to the nonvolatile memory when you are done configuring. Click Cancel to begin configuring this screen afresh. 18.2.2 Guest VLAN When 802.1x port authentication is enabled on the Switch and its ports, clients that do not have the correct credentials are blocked from using the port(s). You can configure your Switch to have one VLAN that acts as a guest VLAN. If you enable the guest VLAN (102 in the example) on a port (2 in the example), the user (A in the example) that is not IEEE 802.1x capable or fails to enter the correct username and password can still access the port, but traffic from the user is forwarded to the guest VLAN. That is, unauthenticated users can have access to limited network resources in the same guest VLAN, such as the Internet. The XGS4700-48F User's Guide 193

Section	Page
XGS4700-48F	1
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
User’s Guide	25
Getting to Know Your Switch	27
1.1 Introduction	27
1.1.1 Bridging Example	27
1.1.2 High Performance Switching Example	28
1.1.3 Gigabit Ethernet to the Desktop	29
1.1.4 IEEE 802.1Q VLAN Application Example	29
1.1.5 IPv6 Support	30
1.2 Ways to Manage the Switch	30
1.3 Good Habits for Managing the Switch	31
Hardware Installation and Connection	33
2.1 Freestanding Installation	33
2.2 Mounting the Switch on a Rack	34
2.2.1 Rack-mounted Installation Requirements	34
2.2.2 Attaching the Mounting Brackets to the Switch	34
2.2.3 Mounting the Switch on a Rack	35
2.3 Connecting the Frame Ground	35
2.4 Power Module Installation	36
2.4.1 Installing a Power Module	36
2.4.2 Removing a Power Module	38
Hardware Overview	41
3.1 Front Panel Connections	41
3.1.1 Mini-GBIC Slots	41
3.1.2 Console Port	43
3.1.3 Signal Slot	43
3.2 Rear Panel	46
3.2.1 Removing and Installing the Fan Module	47
3.2.2 Uplink Module	48
3.2.3 Rear Panel Connections	48
3.2.4 Management Port	49
3.2.5 Power Connector	49
3.3 Power Connection	49
3.3.1 AC Power Connections	50
3.3.2 DC Power Connections	50
3.3.3 Procedure to Turn on the Switch Power	51
3.3.4 Disconnecting the Power	51
3.4 LEDs	52
The Web Configurator	55
4.1 Introduction	55
4.2 System Login	55
4.3 The Web Configurator Layout	56
4.3.1 Change Your Password	61
4.4 Saving Your Configuration	62
4.5 Switch Lockout	62
4.6 Resetting the Switch	62
4.6.1 Reload the Configuration File	63
4.7 Logging Out of the Web Configurator	64
4.8 Help	64
Initial Setup Example	65
5.1 Overview	65
5.1.1 Configuring an IP Interface	65
5.1.2 Configuring DHCP Server Settings	67
5.1.3 Creating a VLAN	67
5.1.4 Setting Port VID	69
5.1.5 Enabling RIP	70
Tutorials	71
6.1 How to Use DHCP Snooping on the Switch	71
6.2 How to Use DHCP Relay on the Switch	75
6.2.1 DHCP Relay Tutorial Introduction	75
6.2.2 Creating a VLAN	76
6.2.3 Configuring DHCP Relay	79
6.2.4 Troubleshooting	79
6.3 How to Use PPPoE IA on the Switch	80
6.3.1 Configuring Switch A	81
6.3.2 Configuring Switch B	83
6.4 How to Use Error Disable and Recovery on the Switch	85
6.5 How to Set Up a Guest VLAN	88
6.5.1 Creating a Guest VLAN	89
6.5.2 Enabling IEEE 802.1x Port Authentication	91
6.5.3 Enabling Guest VLAN	92
6.6 How to Configure Routing Policy	93
6.6.1 Create a Layer-3 Classifier	94
6.6.2 Create a Policy Routing Rule	95
Technical Reference	97
System Status and Port Statistics	99
7.1 Overview	99
7.2 Port Status Summary	99
7.2.1 Status: Port Details	101
Basic Setting	105
8.1 Overview	105
8.2 System Information	106
8.3 General Setup	108
8.4 Introduction to VLANs	110
8.5 Switch Setup Screen	111
8.6 IP Setup	113
8.6.1 IP Interfaces	113
8.7 Port Setup	115
VLAN	119
9.1 Introduction to IEEE 802.1Q Tagged VLANs	119
9.1.1 Forwarding Tagged and Untagged Frames	119
9.2 Automatic VLAN Registration	120
9.2.1 GARP	120
9.2.2 GVRP	120
9.3 Port VLAN Trunking	121
9.4 Select the VLAN Type	122
9.5 Static VLAN	122
9.5.1 VLAN Status	123
9.5.2 VLAN Details	124
9.5.3 Configure a Static VLAN	124
9.5.4 Configure VLAN Port Settings	126
9.6 Subnet Based VLANs	128
9.7 Configuring Subnet Based VLAN	129
9.8 Protocol Based VLANs	130
9.9 Configuring Protocol Based VLAN	131
9.10 Create an IP-based VLAN Example	133
9.11 Port-based VLAN Setup	134
9.11.1 Configure a Port-based VLAN	134
Static MAC Forward Setup	139
10.1 Overview	139
10.2 Configuring Static MAC Forwarding	139
Static Multicast Forward Setup	143
11.1 Static Multicast Forwarding Overview	143
11.2 Configuring Static Multicast Forwarding	144
Filtering	147
12.1 Configure a Filtering Rule	147
Spanning Tree Protocol	149
13.1 STP/RSTP Overview	149
13.1.1 STP Terminology	149
13.1.2 How STP Works	150
13.1.3 STP Port States	151
13.1.4 Multiple RSTP	151
13.1.5 Multiple STP	152
13.2 Spanning Tree Protocol Status Screen	155
13.3 Spanning Tree Configuration	155
13.4 Configure Rapid Spanning Tree Protocol	156
13.5 Rapid Spanning Tree Protocol Status	158
13.6 Configure Multiple Rapid Spanning Tree Protocol	160
13.7 Multiple Rapid Spanning Tree Protocol Status	162
13.8 Configure Multiple Spanning Tree Protocol	164
13.8.1 Multiple Spanning Tree Protocol Port Configuration	167
13.9 Multiple Spanning Tree Protocol Status	168
Bandwidth Control	171
14.1 Bandwidth Control Overview	171
14.1.1 CIR and PIR	171
14.2 Bandwidth Control Setup	172
Broadcast Storm Control	175
15.1 Broadcast Storm Control Setup	175
Mirroring	177
16.1 Port Mirroring Setup	177
Link Aggregation	179
17.1 Link Aggregation Overview	179
17.2 Dynamic Link Aggregation	179
17.2.1 Link Aggregation ID	180
17.3 Link Aggregation Status	181
17.4 Link Aggregation Setting	183
17.5 Link Aggregation Control Protocol	185
17.6 Static Trunking Example	186
Port Authentication	189
18.1 Port Authentication Overview	189
18.1.1 IEEE 802.1x Authentication	189
18.1.2 MAC Authentication	190
18.2 Port Authentication Configuration	191
18.2.1 Activate IEEE 802.1x Security	192
18.2.2 Guest VLAN	193
18.2.3 Activate MAC Authentication	196
Port Security	199
19.1 About Port Security	199
19.2 Port Security Setup	200
19.3 VLAN MAC Address Limit	201
Classifier	203
20.1 About the Classifier and QoS	203
20.2 Configuring the Classifier	204
20.3 Viewing and Editing Classifier Configuration	206
20.4 Classifier Example	208
Policy Rule	209
21.1 Policy Rules Overview	209
21.1.1 DiffServ	209
21.1.2 DSCP and Per-Hop Behavior	209
21.2 Configuring Policy Rules	210
21.3 Viewing and Editing Policy Configuration	213
21.4 Policy Example	215
Queuing Method	217
22.1 Queuing Method Overview	217
22.1.1 Strictly Priority	217
22.1.2 Weighted Fair Queuing	217
22.1.3 Weighted Round Robin Scheduling (WRR)	218
22.2 Configuring Queuing	219
VLAN Stacking	221
23.1 VLAN Stacking Overview	221
23.1.1 VLAN Stacking Example	221
23.2 VLAN Stacking Port Roles	222
23.3 VLAN Tag Format	223
23.3.1 Frame Format	223
23.4 Configuring VLAN Stacking	224
23.4.1 Port-based Q-in-Q	225
23.4.2 Selective Q-in-Q	226
Multicast	229
24.1 Multicast Overview	229
24.1.1 IP Multicast Addresses	229
24.1.2 IGMP Filtering	229
24.1.3 IGMP Snooping	230
24.1.4 IGMP Snooping and VLANs	230
24.2 Multicast Status	230
24.3 Multicast Setting	231
24.4 IGMP Snooping VLAN	234
24.5 IGMP Filtering Profile	235
24.6 MVR Overview	237
24.6.1 Types of MVR Ports	237
24.6.2 MVR Modes	238
24.6.3 How MVR Works	238
24.7 General MVR Configuration	239
24.8 MVR Group Configuration	241
24.8.1 MVR Configuration Example	242
AAA	245
25.1 Authentication, Authorization and Accounting (AAA)	245
25.1.1 Local User Accounts	246
25.1.2 RADIUS and TACACS+	246
25.2 AAA Screens	246
25.2.1 RADIUS Server Setup	247
25.2.2 TACACS+ Server Setup	249
25.2.3 AAA Setup	251
25.2.4 Vendor Specific Attribute	254
25.2.5 Tunnel Protocol Attribute	255
25.3 Supported RADIUS Attributes	256
25.3.1 Attributes Used for Authentication	256
25.3.2 Attributes Used for Accounting	257
IP Source Guard	261
26.1 IP Source Guard Overview	261
26.1.1 DHCP Snooping Overview	262
26.1.2 ARP Inspection Overview	264
26.2 IP Source Guard	265
26.3 IP Source Guard Static Binding	266
26.4 DHCP Snooping	268
26.5 DHCP Snooping Configure	271
26.5.1 DHCP Snooping Port Configure	273
26.5.2 DHCP Snooping VLAN Configure	274
26.6 ARP Inspection Status	276
26.6.1 ARP Inspection VLAN Status	277
26.6.2 ARP Inspection Log Status	278
26.7 ARP Inspection Configure	279
26.7.1 ARP Inspection Port Configure	281
26.7.2 ARP Inspection VLAN Configure	282
Loop Guard	285
27.1 Loop Guard Overview	285
27.2 Loop Guard Setup	287
VLAN Mapping	289
28.1 VLAN Mapping Overview	289
28.1.1 VLAN Mapping Example	289
28.2 Enabling VLAN Mapping	290
28.3 Configuring VLAN Mapping	291
Layer 2 Protocol Tunneling	293
29.1 Layer 2 Protocol Tunneling Overview	293
29.1.1 Layer-2 Protocol Tunneling Mode	294
29.2 Configuring Layer 2 Protocol Tunneling	295
sFlow	297
30.1 sFlow Overview	297
30.2 sFlow Port Configuration	298
30.2.1 sFlow Collector Configuration	299
PPPoE	301
31.1 PPPoE Intermediate Agent Overview	301
31.1.1 PPPoE Intermediate Agent Tag Format	301
31.1.2 Sub-Option Format	302
31.1.3 Port State	303
31.2 The PPPoE Screen	304
31.3 PPPoE Intermediate Agent	304
31.3.1 PPPoE IA Per-Port	305
31.3.2 PPPoE IA Per-Port Per-VLAN	307
31.3.3 PPPoE IA for VLAN	309
Error Disable	311
32.1 CPU Protection Overview	311
32.2 Error-Disable Recovery Overview	311
32.3 The Error Disable Screen	312
32.4 CPU Protection Configuration	312
32.5 Error-Disable Detect Configuration	313
32.6 Error-Disable Recovery Configuration	315
Static Route	317
33.1 Static Routing Overview	317
33.2 Configuring Static Routing	318
Policy Routing	321
34.1 Policy Route Overview	321
34.1.1 Benefits	321
34.2 Configuring Policy Routing Profile	322
34.2.1 Policy Routing Rule Configuration	323
RIP	325
35.1 RIP Overview	325
35.1.1 Administrative Distance	325
35.2 Configuring RIP	326
OSPF	329
36.1 OSPF Overview	329
36.1.1 OSPF Autonomous Systems and Areas	329
36.1.2 How OSPF Works	330
36.1.3 Interfaces and Virtual Links	330
36.1.4 OSPF and Router Elections	331
36.1.5 Configuring OSPF	331
36.2 OSPF Status	332
36.3 OSPF Configuration	334
36.4 Configure OSPF Areas	335
36.4.1 View OSPF Area Information Table	337
36.5 Configuring OSPF Redistribution	337
36.6 Configuring OSPF Interfaces	339
36.7 OSPF Virtual-Links	341
IGMP	343
37.1 IGMP Overview	343
37.1.1 How IGMP Works	344
37.2 Port-based IGMP	345
37.3 Configuring IGMP	346
DVMRP	347
38.1 DVMRP Overview	347
38.2 How DVMRP Works	347
38.2.1 DVMRP Terminology	348
38.3 Configuring DVMRP	348
38.3.1 DVMRP Configuration Error Messages	349
38.4 Default DVMRP Timer Values	350
Differentiated Services	351
39.1 DiffServ Overview	351
39.1.1 DSCP and Per-Hop Behavior	351
39.1.2 DiffServ Network Example	352
39.2 Two Rate Three Color Marker Traffic Policing	352
39.2.1 TRTCM - Color-blind Mode	353
39.2.2 TRTCM - Color-aware Mode	353
39.3 Activating DiffServ	354
39.3.1 Configuring 2-Rate 3 Color Marker Settings	355
39.4 DSCP-to-IEEE 802.1p Priority Settings	357
39.4.1 Configuring DSCP Settings	358
DHCP	359
40.1 DHCP Overview	359
40.1.1 DHCP Modes	359
40.1.2 DHCP Configuration Options	359
40.2 DHCP Status	360
40.3 DHCP Server Status Detail	360
40.4 DHCP Relay	362
40.4.1 DHCP Relay Agent Information	362
40.4.2 Configuring DHCP Global Relay	363
40.4.3 Global DHCP Relay Configuration Example	364
40.5 Configuring DHCP VLAN Settings	365
40.5.1 Example: DHCP Relay for Two VLANs	367
VRRP	369
41.1 VRRP Overview	369
41.2 VRRP Status	370
41.3 VRRP Configuration	371
41.3.1 IP Interface Setup	371
41.3.2 VRRP Parameters	373
41.3.3 Configuring VRRP Parameters	374
41.3.4 Configuring VRRP Parameters	375
41.4 VRRP Configuration Examples	375
41.4.1 One Subnet Network Example	376
41.4.2 Two Subnets Example	377
ARP Learning	379
42.1 ARP Overview	379
42.1.1 How ARP Works	379
42.1.2 ARP Learning Mode	379
42.2 Configuring ARP Learning	382
Load Sharing	385
43.1 Load Sharing Overview	385
43.2 Configuring Load Sharing	385
Maintenance	387
44.1 The Maintenance Screen	387
44.2 Load Factory Default	388
44.3 Save Configuration	388
44.4 Reboot System	389
44.5 Firmware Upgrade	389
44.6 Restore a Configuration File	390
44.7 Backup a Configuration File	391
44.8 FTP Command Line	391
44.8.1 Filename Conventions	391
44.8.2 FTP Command Line Procedure	393
44.8.3 GUI-based FTP Clients	393
44.8.4 FTP Restrictions	394
Access Control	395
45.1 Access Control Overview	395
45.2 The Access Control Main Screen	395
45.3 About SNMP	396
45.3.1 SNMP v3 and Security	397
45.3.2 Supported MIBs	397
45.3.3 SNMP Traps	398
45.3.4 Configuring SNMP	402
45.3.5 Configuring SNMP Trap Group	404
45.3.6 Configuring SNMP User	405
45.4 Setting Up Login Accounts	407
45.5 SSH Overview	408
45.6 How SSH works	409
45.7 SSH Implementation on the Switch	410
45.7.1 Requirements for Using SSH	410
45.8 Introduction to HTTPS	410
45.9 HTTPS Example	411
45.9.1 Internet Explorer Warning Messages	411
45.9.2 Mozilla Firefox Warning Messages	414
45.9.3 The Main Screen	415
45.10 Service Port Access Control	416
45.11 Remote Management	417
Diagnostic	421
46.1 Diagnostic	421
Syslog	423
47.1 Syslog Overview	423
47.2 Syslog Setup	424
47.3 Syslog Server Setup	425
Cluster Management	427
48.1 Clustering Management Status Overview	427
48.2 Cluster Management Status	428
48.2.1 Cluster Member Switch Management	429
48.3 Clustering Management Configuration	432
MAC Table	435
49.1 MAC Table Overview	435
49.2 Viewing the MAC Table	436
IP Table	439
50.1 IP Table Overview	439
50.2 Viewing the IP Table	440
ARP Table	443
51.1 ARP Table Overview	443
51.1.1 How ARP Works	443
51.2 The ARP Table Screen	444
Routing Table	445
52.1 Overview	445
52.2 Viewing the Routing Table Status	445
Configure Clone	447
53.1 Configure Clone	447
Troubleshooting	449
54.1 Power, Hardware Connections, and LEDs	449
54.2 Switch Access and Login	450
54.3 Switch Configuration	453
Product Specifications	455
Common Services	465
Legal Information	469

Match case Limit results 1 per page

Chapter 18 Port Authentication

XGS4700-48F User’s Guide

193

18.2.2

Guest VLAN

When 802.1x port authentication is enabled on the Switch and its ports, clients

that do not have the correct credentials are blocked from using the port(s). You

can configure your Switch to have one VLAN that acts as a guest VLAN. If you

enable the guest VLAN (

102

in the example) on a port (

in the example), the

user (

in the example) that is not IEEE 802.1x capable or fails to enter the

correct username and password can still access the port, but traffic from the user

is forwarded to the guest VLAN. That is, unauthenticated users can have access to

limited network resources in the same guest VLAN, such as the Internet. The

Max-Req

Specify the number of times the Switch tries to authenticate client(s)

before sending unresponsive ports to the Guest VLAN.

This is set to 2 by default. That is, the Switch attempts to authenticate a

client twice. If the client does not respond to the first authentication

request, the Switch tries again. If the client still does not respond to the

second request, the Switch sends the client to the Guest VLAN. The

client needs to send a new request to be authenticated by the Switch

again.

Reauth

Specify if a subscriber has to periodically re-enter his or her username

and password to stay connected to the port.

Reauth-period

Specify the length of time required to pass before a client has to re-enter

his or her username and password to stay connected to the port.

Quiet-period

Specify the number of seconds the port remains in the HELD state and

rejects further authentication requests from the connected client after a

failed authentication exchange.

Tx-period

Specify the number of seconds the Switch waits for client’s response

before re-sending an identity request to the client.

Supp-Timeout

Specify the number of seconds the Switch waits for client’s response to a

challenge request before sending another request.

Apply

Click

Apply

to save your changes to the Switch’s run-time memory. The

Switch loses these changes if it is turned off or loses power, so use the

Save

link on the top navigation panel to save your changes to the non-

volatile memory when you are done configuring.

Cancel

Click

Cancel

to begin configuring this screen afresh.

Table 44

Advanced Application > Port Authentication > 802.1x

(continued)

LABEL

DESCRIPTION