Home » ZyXEL Manuals » Networking » ZyXEL XGS4700-48F » Manual Viewer

ZyXEL XGS4700-48F User Guide - Page 253

Advanced Application > AAA > AAA Setup, continued

Get ZyXEL XGS4700-48F PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 253 highlights

Chapter 25 AAA Table 71 Advanced Application > AAA > AAA Setup (continued) LABEL Type DESCRIPTION Set whether the Switch provides the following services to a user. Active Method • Exec: Allow an administrator which logs in the Switch through Telnet or SSH to have different access privilege level assigned via the external server. • Dot1x: Allow an IEEE 802.1x client to have different bandwidth limit or VLAN ID assigned via the external server. Select this to activate authorization for a specified event types. Select whether you want to use RADIUS or TACACS+ for authorization of specific types of events. Accounting Update Period Type RADIUS is the only method for IEEE 802.1x authorization. Use this section to configure accounting settings on the Switch. This is the amount of time in minutes before the Switch sends an update to the accounting server. This is only valid if you select the start-stop option for the Exec or Dot1x entries. The Switch supports the following types of events to be sent to the accounting server(s): Active Broadcast • System - Configure the Switch to send information when the following system events occur: system boots up, system shuts down, system accounting is enabled, system accounting is disabled • Exec - Configure the Switch to send information when an administrator logs in and logs out via the console port, telnet or SSH. • Dot1x - Configure the Switch to send information when an IEEE 802.1x client begins a session (authenticates via the Switch), ends a session as well as interim updates of a session. • Commands - Configure the Switch to send information when commands of specified privilege level and higher are executed on the Switch. Select this to activate accounting for a specified event types. Select this to have the Switch send accounting information to all configured accounting servers at the same time. Mode If you don't select this and you have two accounting servers set up, then the Switch sends information to the first accounting server and if it doesn't get a response from the accounting server then it tries the second accounting server. The Switch supports two modes of recording login events. Select: Method • start-stop - to have the Switch send information to the accounting server when a user begins a session, during a user's session (if it lasts past the Update Period), and when a user ends a session. • stop-only - to have the Switch send information to the accounting server only when a user ends a session. Select whether you want to use RADIUS or TACACS+ for accounting of specific types of events. Privilege TACACS+ is the only method for recording Commands type of event. This field is only configurable for Commands type of event. Select the threshold command privilege level for which the Switch should send accounting information. The Switch will send accounting information when commands at the level you specify and higher are executed on the Switch. XGS4700-48F User's Guide 253

Section	Page
XGS4700-48F	1
About This User's Guide	3
Document Conventions	5
Safety Warnings	7
Contents Overview	9
Table of Contents	11
User’s Guide	25
Getting to Know Your Switch	27
1.1 Introduction	27
1.1.1 Bridging Example	27
1.1.2 High Performance Switching Example	28
1.1.3 Gigabit Ethernet to the Desktop	29
1.1.4 IEEE 802.1Q VLAN Application Example	29
1.1.5 IPv6 Support	30
1.2 Ways to Manage the Switch	30
1.3 Good Habits for Managing the Switch	31
Hardware Installation and Connection	33
2.1 Freestanding Installation	33
2.2 Mounting the Switch on a Rack	34
2.2.1 Rack-mounted Installation Requirements	34
2.2.2 Attaching the Mounting Brackets to the Switch	34
2.2.3 Mounting the Switch on a Rack	35
2.3 Connecting the Frame Ground	35
2.4 Power Module Installation	36
2.4.1 Installing a Power Module	36
2.4.2 Removing a Power Module	38
Hardware Overview	41
3.1 Front Panel Connections	41
3.1.1 Mini-GBIC Slots	41
3.1.2 Console Port	43
3.1.3 Signal Slot	43
3.2 Rear Panel	46
3.2.1 Removing and Installing the Fan Module	47
3.2.2 Uplink Module	48
3.2.3 Rear Panel Connections	48
3.2.4 Management Port	49
3.2.5 Power Connector	49
3.3 Power Connection	49
3.3.1 AC Power Connections	50
3.3.2 DC Power Connections	50
3.3.3 Procedure to Turn on the Switch Power	51
3.3.4 Disconnecting the Power	51
3.4 LEDs	52
The Web Configurator	55
4.1 Introduction	55
4.2 System Login	55
4.3 The Web Configurator Layout	56
4.3.1 Change Your Password	61
4.4 Saving Your Configuration	62
4.5 Switch Lockout	62
4.6 Resetting the Switch	62
4.6.1 Reload the Configuration File	63
4.7 Logging Out of the Web Configurator	64
4.8 Help	64
Initial Setup Example	65
5.1 Overview	65
5.1.1 Configuring an IP Interface	65
5.1.2 Configuring DHCP Server Settings	67
5.1.3 Creating a VLAN	67
5.1.4 Setting Port VID	69
5.1.5 Enabling RIP	70
Tutorials	71
6.1 How to Use DHCP Snooping on the Switch	71
6.2 How to Use DHCP Relay on the Switch	75
6.2.1 DHCP Relay Tutorial Introduction	75
6.2.2 Creating a VLAN	76
6.2.3 Configuring DHCP Relay	79
6.2.4 Troubleshooting	79
6.3 How to Use PPPoE IA on the Switch	80
6.3.1 Configuring Switch A	81
6.3.2 Configuring Switch B	83
6.4 How to Use Error Disable and Recovery on the Switch	85
6.5 How to Set Up a Guest VLAN	88
6.5.1 Creating a Guest VLAN	89
6.5.2 Enabling IEEE 802.1x Port Authentication	91
6.5.3 Enabling Guest VLAN	92
6.6 How to Configure Routing Policy	93
6.6.1 Create a Layer-3 Classifier	94
6.6.2 Create a Policy Routing Rule	95
Technical Reference	97
System Status and Port Statistics	99
7.1 Overview	99
7.2 Port Status Summary	99
7.2.1 Status: Port Details	101
Basic Setting	105
8.1 Overview	105
8.2 System Information	106
8.3 General Setup	108
8.4 Introduction to VLANs	110
8.5 Switch Setup Screen	111
8.6 IP Setup	113
8.6.1 IP Interfaces	113
8.7 Port Setup	115
VLAN	119
9.1 Introduction to IEEE 802.1Q Tagged VLANs	119
9.1.1 Forwarding Tagged and Untagged Frames	119
9.2 Automatic VLAN Registration	120
9.2.1 GARP	120
9.2.2 GVRP	120
9.3 Port VLAN Trunking	121
9.4 Select the VLAN Type	122
9.5 Static VLAN	122
9.5.1 VLAN Status	123
9.5.2 VLAN Details	124
9.5.3 Configure a Static VLAN	124
9.5.4 Configure VLAN Port Settings	126
9.6 Subnet Based VLANs	128
9.7 Configuring Subnet Based VLAN	129
9.8 Protocol Based VLANs	130
9.9 Configuring Protocol Based VLAN	131
9.10 Create an IP-based VLAN Example	133
9.11 Port-based VLAN Setup	134
9.11.1 Configure a Port-based VLAN	134
Static MAC Forward Setup	139
10.1 Overview	139
10.2 Configuring Static MAC Forwarding	139
Static Multicast Forward Setup	143
11.1 Static Multicast Forwarding Overview	143
11.2 Configuring Static Multicast Forwarding	144
Filtering	147
12.1 Configure a Filtering Rule	147
Spanning Tree Protocol	149
13.1 STP/RSTP Overview	149
13.1.1 STP Terminology	149
13.1.2 How STP Works	150
13.1.3 STP Port States	151
13.1.4 Multiple RSTP	151
13.1.5 Multiple STP	152
13.2 Spanning Tree Protocol Status Screen	155
13.3 Spanning Tree Configuration	155
13.4 Configure Rapid Spanning Tree Protocol	156
13.5 Rapid Spanning Tree Protocol Status	158
13.6 Configure Multiple Rapid Spanning Tree Protocol	160
13.7 Multiple Rapid Spanning Tree Protocol Status	162
13.8 Configure Multiple Spanning Tree Protocol	164
13.8.1 Multiple Spanning Tree Protocol Port Configuration	167
13.9 Multiple Spanning Tree Protocol Status	168
Bandwidth Control	171
14.1 Bandwidth Control Overview	171
14.1.1 CIR and PIR	171
14.2 Bandwidth Control Setup	172
Broadcast Storm Control	175
15.1 Broadcast Storm Control Setup	175
Mirroring	177
16.1 Port Mirroring Setup	177
Link Aggregation	179
17.1 Link Aggregation Overview	179
17.2 Dynamic Link Aggregation	179
17.2.1 Link Aggregation ID	180
17.3 Link Aggregation Status	181
17.4 Link Aggregation Setting	183
17.5 Link Aggregation Control Protocol	185
17.6 Static Trunking Example	186
Port Authentication	189
18.1 Port Authentication Overview	189
18.1.1 IEEE 802.1x Authentication	189
18.1.2 MAC Authentication	190
18.2 Port Authentication Configuration	191
18.2.1 Activate IEEE 802.1x Security	192
18.2.2 Guest VLAN	193
18.2.3 Activate MAC Authentication	196
Port Security	199
19.1 About Port Security	199
19.2 Port Security Setup	200
19.3 VLAN MAC Address Limit	201
Classifier	203
20.1 About the Classifier and QoS	203
20.2 Configuring the Classifier	204
20.3 Viewing and Editing Classifier Configuration	206
20.4 Classifier Example	208
Policy Rule	209
21.1 Policy Rules Overview	209
21.1.1 DiffServ	209
21.1.2 DSCP and Per-Hop Behavior	209
21.2 Configuring Policy Rules	210
21.3 Viewing and Editing Policy Configuration	213
21.4 Policy Example	215
Queuing Method	217
22.1 Queuing Method Overview	217
22.1.1 Strictly Priority	217
22.1.2 Weighted Fair Queuing	217
22.1.3 Weighted Round Robin Scheduling (WRR)	218
22.2 Configuring Queuing	219
VLAN Stacking	221
23.1 VLAN Stacking Overview	221
23.1.1 VLAN Stacking Example	221
23.2 VLAN Stacking Port Roles	222
23.3 VLAN Tag Format	223
23.3.1 Frame Format	223
23.4 Configuring VLAN Stacking	224
23.4.1 Port-based Q-in-Q	225
23.4.2 Selective Q-in-Q	226
Multicast	229
24.1 Multicast Overview	229
24.1.1 IP Multicast Addresses	229
24.1.2 IGMP Filtering	229
24.1.3 IGMP Snooping	230
24.1.4 IGMP Snooping and VLANs	230
24.2 Multicast Status	230
24.3 Multicast Setting	231
24.4 IGMP Snooping VLAN	234
24.5 IGMP Filtering Profile	235
24.6 MVR Overview	237
24.6.1 Types of MVR Ports	237
24.6.2 MVR Modes	238
24.6.3 How MVR Works	238
24.7 General MVR Configuration	239
24.8 MVR Group Configuration	241
24.8.1 MVR Configuration Example	242
AAA	245
25.1 Authentication, Authorization and Accounting (AAA)	245
25.1.1 Local User Accounts	246
25.1.2 RADIUS and TACACS+	246
25.2 AAA Screens	246
25.2.1 RADIUS Server Setup	247
25.2.2 TACACS+ Server Setup	249
25.2.3 AAA Setup	251
25.2.4 Vendor Specific Attribute	254
25.2.5 Tunnel Protocol Attribute	255
25.3 Supported RADIUS Attributes	256
25.3.1 Attributes Used for Authentication	256
25.3.2 Attributes Used for Accounting	257
IP Source Guard	261
26.1 IP Source Guard Overview	261
26.1.1 DHCP Snooping Overview	262
26.1.2 ARP Inspection Overview	264
26.2 IP Source Guard	265
26.3 IP Source Guard Static Binding	266
26.4 DHCP Snooping	268
26.5 DHCP Snooping Configure	271
26.5.1 DHCP Snooping Port Configure	273
26.5.2 DHCP Snooping VLAN Configure	274
26.6 ARP Inspection Status	276
26.6.1 ARP Inspection VLAN Status	277
26.6.2 ARP Inspection Log Status	278
26.7 ARP Inspection Configure	279
26.7.1 ARP Inspection Port Configure	281
26.7.2 ARP Inspection VLAN Configure	282
Loop Guard	285
27.1 Loop Guard Overview	285
27.2 Loop Guard Setup	287
VLAN Mapping	289
28.1 VLAN Mapping Overview	289
28.1.1 VLAN Mapping Example	289
28.2 Enabling VLAN Mapping	290
28.3 Configuring VLAN Mapping	291
Layer 2 Protocol Tunneling	293
29.1 Layer 2 Protocol Tunneling Overview	293
29.1.1 Layer-2 Protocol Tunneling Mode	294
29.2 Configuring Layer 2 Protocol Tunneling	295
sFlow	297
30.1 sFlow Overview	297
30.2 sFlow Port Configuration	298
30.2.1 sFlow Collector Configuration	299
PPPoE	301
31.1 PPPoE Intermediate Agent Overview	301
31.1.1 PPPoE Intermediate Agent Tag Format	301
31.1.2 Sub-Option Format	302
31.1.3 Port State	303
31.2 The PPPoE Screen	304
31.3 PPPoE Intermediate Agent	304
31.3.1 PPPoE IA Per-Port	305
31.3.2 PPPoE IA Per-Port Per-VLAN	307
31.3.3 PPPoE IA for VLAN	309
Error Disable	311
32.1 CPU Protection Overview	311
32.2 Error-Disable Recovery Overview	311
32.3 The Error Disable Screen	312
32.4 CPU Protection Configuration	312
32.5 Error-Disable Detect Configuration	313
32.6 Error-Disable Recovery Configuration	315
Static Route	317
33.1 Static Routing Overview	317
33.2 Configuring Static Routing	318
Policy Routing	321
34.1 Policy Route Overview	321
34.1.1 Benefits	321
34.2 Configuring Policy Routing Profile	322
34.2.1 Policy Routing Rule Configuration	323
RIP	325
35.1 RIP Overview	325
35.1.1 Administrative Distance	325
35.2 Configuring RIP	326
OSPF	329
36.1 OSPF Overview	329
36.1.1 OSPF Autonomous Systems and Areas	329
36.1.2 How OSPF Works	330
36.1.3 Interfaces and Virtual Links	330
36.1.4 OSPF and Router Elections	331
36.1.5 Configuring OSPF	331
36.2 OSPF Status	332
36.3 OSPF Configuration	334
36.4 Configure OSPF Areas	335
36.4.1 View OSPF Area Information Table	337
36.5 Configuring OSPF Redistribution	337
36.6 Configuring OSPF Interfaces	339
36.7 OSPF Virtual-Links	341
IGMP	343
37.1 IGMP Overview	343
37.1.1 How IGMP Works	344
37.2 Port-based IGMP	345
37.3 Configuring IGMP	346
DVMRP	347
38.1 DVMRP Overview	347
38.2 How DVMRP Works	347
38.2.1 DVMRP Terminology	348
38.3 Configuring DVMRP	348
38.3.1 DVMRP Configuration Error Messages	349
38.4 Default DVMRP Timer Values	350
Differentiated Services	351
39.1 DiffServ Overview	351
39.1.1 DSCP and Per-Hop Behavior	351
39.1.2 DiffServ Network Example	352
39.2 Two Rate Three Color Marker Traffic Policing	352
39.2.1 TRTCM - Color-blind Mode	353
39.2.2 TRTCM - Color-aware Mode	353
39.3 Activating DiffServ	354
39.3.1 Configuring 2-Rate 3 Color Marker Settings	355
39.4 DSCP-to-IEEE 802.1p Priority Settings	357
39.4.1 Configuring DSCP Settings	358
DHCP	359
40.1 DHCP Overview	359
40.1.1 DHCP Modes	359
40.1.2 DHCP Configuration Options	359
40.2 DHCP Status	360
40.3 DHCP Server Status Detail	360
40.4 DHCP Relay	362
40.4.1 DHCP Relay Agent Information	362
40.4.2 Configuring DHCP Global Relay	363
40.4.3 Global DHCP Relay Configuration Example	364
40.5 Configuring DHCP VLAN Settings	365
40.5.1 Example: DHCP Relay for Two VLANs	367
VRRP	369
41.1 VRRP Overview	369
41.2 VRRP Status	370
41.3 VRRP Configuration	371
41.3.1 IP Interface Setup	371
41.3.2 VRRP Parameters	373
41.3.3 Configuring VRRP Parameters	374
41.3.4 Configuring VRRP Parameters	375
41.4 VRRP Configuration Examples	375
41.4.1 One Subnet Network Example	376
41.4.2 Two Subnets Example	377
ARP Learning	379
42.1 ARP Overview	379
42.1.1 How ARP Works	379
42.1.2 ARP Learning Mode	379
42.2 Configuring ARP Learning	382
Load Sharing	385
43.1 Load Sharing Overview	385
43.2 Configuring Load Sharing	385
Maintenance	387
44.1 The Maintenance Screen	387
44.2 Load Factory Default	388
44.3 Save Configuration	388
44.4 Reboot System	389
44.5 Firmware Upgrade	389
44.6 Restore a Configuration File	390
44.7 Backup a Configuration File	391
44.8 FTP Command Line	391
44.8.1 Filename Conventions	391
44.8.2 FTP Command Line Procedure	393
44.8.3 GUI-based FTP Clients	393
44.8.4 FTP Restrictions	394
Access Control	395
45.1 Access Control Overview	395
45.2 The Access Control Main Screen	395
45.3 About SNMP	396
45.3.1 SNMP v3 and Security	397
45.3.2 Supported MIBs	397
45.3.3 SNMP Traps	398
45.3.4 Configuring SNMP	402
45.3.5 Configuring SNMP Trap Group	404
45.3.6 Configuring SNMP User	405
45.4 Setting Up Login Accounts	407
45.5 SSH Overview	408
45.6 How SSH works	409
45.7 SSH Implementation on the Switch	410
45.7.1 Requirements for Using SSH	410
45.8 Introduction to HTTPS	410
45.9 HTTPS Example	411
45.9.1 Internet Explorer Warning Messages	411
45.9.2 Mozilla Firefox Warning Messages	414
45.9.3 The Main Screen	415
45.10 Service Port Access Control	416
45.11 Remote Management	417
Diagnostic	421
46.1 Diagnostic	421
Syslog	423
47.1 Syslog Overview	423
47.2 Syslog Setup	424
47.3 Syslog Server Setup	425
Cluster Management	427
48.1 Clustering Management Status Overview	427
48.2 Cluster Management Status	428
48.2.1 Cluster Member Switch Management	429
48.3 Clustering Management Configuration	432
MAC Table	435
49.1 MAC Table Overview	435
49.2 Viewing the MAC Table	436
IP Table	439
50.1 IP Table Overview	439
50.2 Viewing the IP Table	440
ARP Table	443
51.1 ARP Table Overview	443
51.1.1 How ARP Works	443
51.2 The ARP Table Screen	444
Routing Table	445
52.1 Overview	445
52.2 Viewing the Routing Table Status	445
Configure Clone	447
53.1 Configure Clone	447
Troubleshooting	449
54.1 Power, Hardware Connections, and LEDs	449
54.2 Switch Access and Login	450
54.3 Switch Configuration	453
Product Specifications	455
Common Services	465
Legal Information	469

Match case Limit results 1 per page

Chapter 25 AAA

XGS4700-48F User’s Guide

253

Type

Set whether the Switch provides the following services to a user.

•

Exec

: Allow an administrator which logs in the Switch through Telnet

or SSH to have different access privilege level assigned via the

external server.

•

Dot1x

: Allow an IEEE 802.1x client to have different bandwidth limit

or VLAN ID assigned via the external server.

Active

Select this to activate authorization for a specified event types.

Method

Select whether you want to use RADIUS or TACACS+ for authorization of

specific types of events.

RADIUS is the only method for IEEE 802.1x authorization.

Accounting

Use this section to configure accounting settings on the Switch.

Update Period

This is the amount of time in minutes before the Switch sends an update

to the accounting server. This is only valid if you select the

start-stop

option for the

Exec

Dot1x

entries.

Type

The Switch supports the following types of events to be sent to the

accounting server(s):

•

System

- Configure the Switch to send information when the

following system events occur: system boots up, system shuts down,

system accounting is enabled, system accounting is disabled

•

Exec

- Configure the Switch to send information when an

administrator logs in and logs out via the console port, telnet or SSH.

•

Dot1x

- Configure the Switch to send information when an IEEE

802.1x client begins a session (authenticates via the Switch), ends a

session as well as interim updates of a session.

•

Commands

- Configure the Switch to send information when

commands of specified privilege level and higher are executed on the

Switch.

Active

Select this to activate accounting for a specified event types.

Broadcast

Select this to have the Switch send accounting information to all

configured accounting servers at the same time.

If you don’t select this and you have two accounting servers set up, then

the Switch sends information to the first accounting server and if it

doesn’t get a response from the accounting server then it tries the

second accounting server.

Mode

The Switch supports two modes of recording login events. Select:

•

start-stop

- to have the Switch send information to the accounting

server when a user begins a session, during a user’s session (if it

lasts past the

Update Period

), and when a user ends a session.

•

stop-only

- to have the Switch send information to the accounting

server only when a user ends a session.

Method

Select whether you want to use RADIUS or TACACS+ for accounting of

specific types of events.

TACACS+ is the only method for recording

Commands

type of event.

Privilege

This field is only configurable for

Commands

type of event. Select the

threshold command privilege level for which the Switch should send

accounting information. The Switch will send accounting information

when commands at the level you specify and higher are executed on the

Switch.

Table 71

Advanced Application > AAA > AAA Setup

(continued)

LABEL

DESCRIPTION