DGS-3224TGR Gigabit Ethernet Switch User’s Guide
19
Port VLAN ID
Packets that are tagged (are carrying the 802.1Q VID information) can be transmitted from one 802.1Q compliant network
device to another with the VLAN information intact. This allows 802.1Q VLANs to span network devices (and indeed, the
entire network – if all network devices are 802.1Q compliant).
Unfortunately, not all network devices are 802.1Q compliant. These devices are referred to as tag-unaware; 802.1Q-compliant
devices are referred to as tag-aware.
Prior to the adoption of 802.1Q VLANs, port-based and MAC-based VLANs were in common use. These VLANs relied upon
a Port VLAN ID (PVID) to forward packets. A packet received on a given port would be assigned that port’s PVID and
then be forwarded to the port that corresponded to the packet’s destination address (found in the switch’s forwarding table).
If the PVID of the port that received the packet is different from the PVID of the port that is to transmit the packet, the
switch will drop the packet.
Within the switch, different PVIDs mean different VLANs (remember that two VLANs cannot communicate without an
external router).
So, VLAN identification based upon the PVIDs cannot create VLANs that extend outside a given switch.
Every physical port on a switch has a PVID. 802.1Q ports are also assigned a PVID, for use within the switch. If no
VLANs are defined on the switch, all ports are then assigned to a default VLAN with a PVID equal to 1. Untagged packets
are assigned the PVID of the port on which they were received. Forwarding decisions are based upon this PVID, in so far as
VLANs are concerned. Tagged packets are forwarded according to the VID contained within the tag. Tagged packets are
also assigned a PVID, but the PVID is not used to make packet forwarding decisions, the VID is.
Tag-aware switches must keep a table to relate PVIDs within the switch to VIDs on the network. The switch will compare
the VID of a packet to be transmitted to the VID of the port that is to transmit the packet. If the two VIDs are different, the
switch will drop the packet. Because of the existence of the PVID for untagged packets and the VID for tagged packets,
tag-aware and tag-unaware network devices can coexist on the same network.
A switch port can have only one PVID, but can have as many VIDs as the switch has memory in its VLAN table to store
them.
Because some devices on a network may be tag-unaware, a decision must be made at each port on a tag-aware device
before packets are transmitted – should the packet to be transmitted have a tag or not? If the transmitting port is connected
to a tag-unaware device, the packet should be untagged. If the transmitting port is connected to a tag-aware device, the
packet should be tagged.
Tagging and Untagging
Every port on an 802.1Q compliant switch can be configured as tagging or untagging.
Ports with tagging enabled will put the VID number, priority and other VLAN information into the header of all packets
that flow into and out of it. If a packet has previously been tagged, the port will not alter the packet, thus keeping the VLAN
information intact. The VLAN information in the tag can then be used by other 802.1Q-compliant devices on the network to
make packet forwarding decisions.
Ports with untagging enabled will strip the 802.1Q tag from all packets that flow into and out of those ports. If the packet
doesn’t have an 802.1Q VLAN tag, the port will not alter the packet. Thus, all packets received by and forwarded by an
untagging port will have no 802.1Q VLAN information (Remember that the PVID is only used internally within the
switch). Untagging is used to send packets from an 802.1Q-compliant network device to a non-compliant network device.
Ingress Filtering
A port on a switch where packets are flowing into the switch and VLAN decisions must be made is referred to as an
ingress port. If ingress filtering is enabled for a port, the switch will examine the VLAN information in the packet header (if
present) and decide whether or not to forward the packet.
If the packet is tagged with VLAN information, the ingress port will first determine if the ingress port itself is a member of
the tagged VLAN. If it is not, the packet will be dropped. If the ingress port is a member of the 802.1Q VLAN, the switch
then determines if the destination port is a member of the 802.1Q VLAN. If it is not, the packet is dropped. If the
destination port is a member of the 802.1Q VLAN, the packet is forwarded and the destination port transmits it to its
attached network segment.
If the packet is not tagged with VLAN information, the ingress port will tag the packet with its own PVID as a VID. The
switch then determines if the destination port is a member of the same VLAN (has the same VID) as the ingress port. If it
does not, the packet is dropped. If it has the same VID, the packet is forwarded and the destination port transmits it on its
attached network segment.
This process is referred to as ingress filtering and is used to conserve bandwidth within the switch by dropping packets that
are not on the same VLAN as the ingress port at the point of reception. This eliminates the subsequent processing of
packets that will just be dropped by the destination port.
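The PVID/VID classification, the tagging and untagging behaviour of egress ports, and the two ingress-filtering paths described above can be put together in a small model. The following is an added example written for this page, not D-Link firmware or anything from the manual: the three-port layout, the MAC addresses and the forwarding-table entries are constructed sample data, source-MAC learning and flooding of unknown destinations within the VLAN are standard bridging behaviour assumed here rather than stated on the page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int          # PVID assigned to untagged frames received on this port
    vids: Set[int]     # VLANs this port is a member of (the switch's VLAN table)
    tagging: bool      # True: transmit tagged; False: untagging port (tag stripped on egress)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None   # None means no 802.1Q tag on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port], ingress_filtering: bool = True):
        self.ports = ports
        self.fdb: Dict[str, int] = {}        # forwarding table: MAC address -> port number
        self.ingress_filtering = ingress_filtering

    def forward(self, in_port: int, frame: Frame):
        """Classify, filter and forward one frame.

        Returns ("drop", reason) or ("forward", {out_port: frame_as_transmitted}).
        """
        ingress = self.ports[in_port]
        self.fdb[frame.src_mac] = in_port    # source learning (assumption; not described on the page)

        if frame.vid is None:
            vid = ingress.pvid               # untagged: classified by the ingress port's PVID
        else:
            vid = frame.vid                  # tagged: the VID in the tag decides, not the PVID
            if self.ingress_filtering and vid not in ingress.vids:
                return "drop", f"ingress port {in_port} is not a member of VLAN {vid}"

        out_port = self.fdb.get(frame.dst_mac)
        if out_port is None:
            # Unknown destination: flood to the other member ports of the VLAN
            # (standard bridging behaviour, assumed here; the page only covers table hits)
            targets = [p for p, port in self.ports.items() if p != in_port and vid in port.vids]
            if not targets:
                return "drop", f"no other ports in VLAN {vid}"
        elif out_port == in_port:
            return "drop", "destination is on the ingress port"
        elif vid not in self.ports[out_port].vids:
            return "drop", f"destination port {out_port} is not a member of VLAN {vid}"
        else:
            targets = [out_port]

        transmitted = {}
        for p in targets:
            egress = self.ports[p]
            # A tagging port carries the VID in the tag; an untagging port sends the frame bare
            transmitted[p] = Frame(frame.src_mac, frame.dst_mac, vid if egress.tagging else None)
        return "forward", transmitted


# Constructed sample addresses
HOST_A, HOST_B, UPLINK_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def build_sample_switch(ingress_filtering: bool = True) -> Switch:
    """Constructed three-port layout: two untagging access ports and one tagging uplink."""
    ports = {
        1: Port(pvid=10, vids={10}, tagging=False),      # tag-unaware host A on VLAN 10
        2: Port(pvid=1, vids={10, 20}, tagging=True),    # uplink to another 802.1Q switch
        3: Port(pvid=20, vids={20}, tagging=False),      # tag-unaware host B on VLAN 20
    }
    sw = Switch(ports, ingress_filtering)
    sw.fdb.update({HOST_A: 1, HOST_B: 3, UPLINK_C: 2})
    return sw


if __name__ == "__main__":
    sw = build_sample_switch()
    print(sw.forward(1, Frame(HOST_A, HOST_B)))            # dropped: VLAN 10 -> VLAN 20 port
    print(sw.forward(1, Frame(HOST_A, UPLINK_C)))          # forwarded, tagged with VID 10
    print(sw.forward(2, Frame(UPLINK_C, HOST_B, vid=20)))  # forwarded, tag stripped for host B
    print(sw.forward(2, Frame(UPLINK_C, HOST_B, vid=30)))  # dropped by ingress filtering
```

Building the switch twice, once with `ingress_filtering=False`, shows the security effect the page describes: with filtering off, a frame tagged VLAN 20 arriving on the VLAN 10 access port is forwarded into VLAN 20 because the VID in the tag, not the port's PVID, drives the lookup; with filtering on it is dropped at the point of reception.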
802.1x Port-Based and MAC-Based Access Control
The IEEE 802.1x standard is a security measure for authorizing and authenticating users to gain access to various wired or
wireless devices on a specified Local Area Network by using a Client and Server based access control model. This is
accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible
Authentication Protocol over LAN (EAPOL) packets between the Client and the Server. The following figure represents a
basic EAPOL packet:
Figure 5- 4. The EAPOL Packet
Utilizing this method, unauthorized devices are restricted from connecting to a LAN through a port to which the user is
connected. EAPOL packets are the only traffic that can be transmitted through the specific port until authorization is
granted. The 802.1x Access Control method holds three roles, each of which is vital to creating and maintaining a stable
and working Access Control security method.
Figure 5- 5. The three roles of 802.1x
The following section will explain the three roles of Client, Authenticator and Authentication Server in greater detail.
Authentication Server
The Authentication Server is a remote device that is connected to the same network as the Client and Authenticator, must be
running a RADIUS Server program and must be configured properly on the Authenticator (Switch). Clients connected to a
port on the Switch must be authenticated by the Authentication Server (RADIUS) before attaining any services offered by
the Switch on the LAN. The role of the Authentication Server is to certify the identity of the Client attempting to access the
network by exchanging secure information between the RADIUS server and the Client through EAPOL packets and, in
turn, to inform the Switch whether or not the Client is granted access to the LAN and/or switch services.
Figure 5- 6. The Authentication Server
Authenticator
The Authenticator (the Switch) is an intermediary between the Authentication Server and the Client. The Authenticator
serves two purposes when utilizing 802.1x. The first purpose is to request certification information from the Client through
EAPOL packets, which is the only information allowed to pass through the Authenticator before access is granted to the
Client. The second purpose of the Authenticator is to verify the information gathered from the Client with the
Authentication Server, and to then relay that information back to the Client.
Three steps must be implemented on the Switch to properly configure the Authenticator.
1. The 802.1x State must be Enabled (Configuration / Switch Information / Advanced Settings / 802.1x Status).
2. The 802.1x settings must be implemented by port (Port Access Entity / PAE System Control / Port Capability / Capability).
3. A RADIUS server must be configured on the Switch (Port Access Entity / RADIUS Server / Authentic RADIUS Server).
Figure 5- 7. The Authenticator
Client
The Client is simply the endstation that wishes to gain access to the LAN or switch services. All endstations must be
running software that is compliant with the 802.1x protocol. For users running Windows XP, that software is included
within the operating system. All other users are required to obtain 802.1x client software from an outside source. The Client
will request access to the LAN and/or Switch through EAPOL packets and, in turn, will respond to requests from the
Switch.
Figure 5- 8. The Client
Authentication Process
Utilizing the three roles stated above, the 802.1x protocol provides a stable and secure way of authorizing and
authenticating users attempting to access the network. Only EAPOL traffic is allowed to pass through the specified port
before a successful authentication is made. This port is “locked” until the point when a Client with the correct username and
password (and MAC address if 802.1x is enabled by MAC address) is granted access and therefore successfully “unlocks”
the port. Once unlocked, normal traffic is allowed to pass through the port. The following figure displays a more detailed
explanation of how the authentication process is completed between the three roles stated above.
Figure 5- 9. The 802.1x Authentication Process
The D-Link implementation of 802.1x allows network administrators to choose between two types of Access Control used
on the Switch, which are:
1. Port-Based Access Control – This method requires only one user to be authenticated per port by a remote RADIUS
server to allow the remaining users on the same port access to the network.
2. MAC-Based Access Control – Using this method, the Switch will automatically learn up to three MAC addresses
by port and set them in a list. Each MAC address must be authenticated by the Switch using a remote RADIUS
server before being allowed access to the Network.
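The difference between the two modes, and the "locked port" behaviour from the Authentication Process section (only EAPOL passes until a Client authenticates), can be modelled from the Authenticator's point of view. This is an added example written for this page, not D-Link code and not a RADIUS implementation: the RadiusServer class is a stand-in holding constructed usernames and passwords, the MAC addresses are constructed, and the three-address limit follows the page's description of MAC-Based Access Control.

```python
EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only frames an unauthorized port lets through
IPV4_ETHERTYPE = 0x0800


class RadiusServer:
    """Stand-in for the remote Authentication Server; holds a constructed user database."""

    def __init__(self, users):
        self.users = users                  # username -> password (constructed sample data)

    def check(self, username, password):
        return self.users.get(username) == password


class Dot1xPort:
    """Authenticator-side state of one switch port, in port-based or MAC-based mode."""

    def __init__(self, mode="port", max_macs=3):
        if mode not in ("port", "mac"):
            raise ValueError("mode must be 'port' or 'mac'")
        self.mode = mode
        self.max_macs = max_macs            # page: up to three MAC addresses learned per port
        self.port_authorized = False        # port-based: one success unlocks the whole port
        self.learned = []                   # MAC-based: addresses learned on this port, in order
        self.authorized_macs = set()        # MAC-based: addresses the RADIUS server accepted

    def learn(self, mac):
        """Record a MAC address in the port's list; refuse once the per-port limit is reached."""
        if mac in self.learned:
            return True
        if len(self.learned) >= self.max_macs:
            return False
        self.learned.append(mac)
        return True

    def authenticate(self, radius, mac, username, password):
        """Relay the Client's credentials to RADIUS and update the port's authorization state."""
        if self.mode == "mac" and not self.learn(mac):
            return False                    # fourth address on the port: not even attempted
        accepted = radius.check(username, password)
        if accepted:
            if self.mode == "port":
                self.port_authorized = True
            else:
                self.authorized_macs.add(mac)
        return accepted

    def admits(self, src_mac, ethertype):
        """Would a frame with this source MAC and EtherType pass the port right now?"""
        if ethertype == EAPOL_ETHERTYPE:
            return True                     # EAPOL always passes so authentication can take place
        if self.mode == "port":
            return self.port_authorized     # unlocked for every station behind the port
        return src_mac in self.authorized_macs


def sample_radius():
    """Constructed credential store for the example."""
    return RadiusServer({"alice": "s3cret", "bob": "hunter2"})


if __name__ == "__main__":
    radius = sample_radius()
    port = Dot1xPort("port")
    print(port.admits("00:00:00:00:00:01", IPV4_ETHERTYPE))                 # False: locked
    port.authenticate(radius, "00:00:00:00:00:01", "alice", "s3cret")
    print(port.admits("00:00:00:00:00:02", IPV4_ETHERTYPE))                 # True: rides along
    mac_port = Dot1xPort("mac")
    mac_port.authenticate(radius, "00:00:00:00:00:01", "alice", "s3cret")
    print(mac_port.admits("00:00:00:00:00:02", IPV4_ETHERTYPE))             # False: not authenticated
```

The port-based case makes the page's caveat visible: once one station authenticates, a second station on the same port (a hub or an unmanaged switch downstream) is admitted without presenting credentials, which is why MAC-based mode exists for shared segments.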
Port-Based Network Access Control
The original intent behind the development of 802.1x was to leverage the characteristics of point-to-point links in LANs. Any
single LAN segment in such an infrastructure has no more than two devices attached to it, one of which is a Bridge Port.
The Bridge Port detects events that indicate the attachment of an active device at the remote end of the link, or an active
device becoming inactive. These events can be used to control the authorization state of the Port and initiate the process of
authenticating the attached device if the Port is unauthorized. This is the Port-Based Network Access Control.