DGS-3224TGR Gigabit Ethernet Switch User’s Guide

19

Port VLAN ID

Packets that are tagged (are carrying the 802.1Q VID information) can be transmitted from one 802.1Q compliant network

device to another with the VLAN information intact. This allows 802.1Q VLANs to span network devices (and indeed, the

entire network – if all network devices are 802.1Q compliant).

Unfortunately, not all network devices are 802.1Q compliant. These devices are referred to as

tag-unaware.

802.1Q

devices are referred to as

tag-aware.

Prior to the adoption 802.1Q VLANs, port-based and MAC-based VLANs were in common use. These VLANs relied upon

a Port VLAN ID (PVID) to forward packets. A packet received on a given port would be assigned that port’s PVID and

then be forwarded to the port that corresponded to the packet’s destination address (found in the switch’s forwarding table).

If the PVID of the port that received the packet is different from the PVID of the port that is to transmit the packet, the

switch will drop the packet.

Within the switch, different PVIDs mean different VLANs (remember that two VLANs cannot communicate without an

external router).

So, VLAN identification based upon the PVIDs cannot create VLANs that extend outside a given switch.

Every physical port on a switch has a PVID. 802.1Q ports are also assigned a PVID, for use within the switch. If no

VLANs are defined on the switch, all ports are then assigned to a default VLAN with a PVID equal to 1. Untagged packets

are assigned the PVID of the port on which they were received. Forwarding decisions are based upon this PVID, in so far as

VLANs are concerned. Tagged packets are forwarded according to the VID contained within the tag. Tagged packets are

also assigned a PVID, but the PVID is not used to make packet forwarding decisions, the VID is.

Tag-aware switches must keep a table to relate PVIDs within the switch to VIDs on the network. The switch will compare

the VID of a packet to be transmitted to the VID of the port that is to transmit the packet. If the two VIDs are different, the

switch will drop the packet. Because of the existence of the PVID for untagged packets and the VID for tagged packets,

tag-aware and tag-unaware network devices can coexist on the same network.

A switch port can have only one PVID, but can have as many VIDs as the switch has memory in its VLAN table to store

them.

Because some devices on a network may be tag-unaware, a decision must be made at each port on a tag-aware device

before packets are transmitted – should the packet to be transmitted have a tag or not? If the transmitting port is connected

to a tag-unaware device, the packet should be untagged. If the transmitting port is connected to a tag-aware device, the

packet should be tagged.

Tagging and Untagging

Every port on an 802.1Q compliant switch can be configured as

tagging

or

untagging.

Ports with tagging enabled will put the VID number, priority and other VLAN information into the header of all packets

that flow into and out of it. If a packet has previously been tagged, the port will not alter the packet, thus keeping the VLAN

information intact. The VLAN information in the tag can then be used by other 802.1Q-compliant devices on the network to

make packet forwarding decisions.

Ports with untagging enabled will strip the 802.1Q tag from all packets that flow into and out of those ports. If the packet

doesn’t have an 802.1Q VLAN tag, the port will not alter the packet. Thus, all packets received by and forwarded by an

untagging port will have no 802.1Q VLAN information (Remember that the PVID is only used internally within the

switch). Untagging is used to send packets from an 802.1Q-compliant network device to a non-compliant network device.

Ingress Filtering

A port on a switch where packets are flowing into the switch and VLAN decisions must be made is referred to as an

ingress

port

. If ingress filtering is enabled for a port, the switch will examine the VLAN information in the packet header (if

present) and decide whether or not to forward the packet.

If the packet is tagged with VLAN information, the ingress port will first determine if the ingress port itself is a member of

the tagged VLAN. If it is not, the packet will be dropped. If the ingress port is a member of the 802.1Q VLAN, the switch

then determines if the destination port is a member of the 802.1Q VLAN. If it is not, the packet is dropped. If the

destination port is a member of the 802.1Q VLAN, the packet is forwarded and the destination port transmits it to its

attached network segment.

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

20

If the packet is not tagged with VLAN information, the ingress port will tag the packet with its own PVID as a VID. The

switch then determines if the destination port is a member of the same VLAN (has the same VID) as the ingress port. If it

does not, the packet is dropped. If it has the same VID, the packet is forwarded and the destination port transmits it on its

attached network segment.

This process is referred to as

ingress filtering

and is used to conserve bandwidth within the switch by dropping packets that

are not on the same VLAN as the ingress port at the point of reception

.

This eliminates the subsequent processing of

packets that will just be dropped by the destination port.

802.1x Port-Based and MAC-Based Access Control

The IEEE 802.1x standard is a security measure for authorizing and authenticating users to gain access to various wired or

wireless devices on a specified Local Area Network by using a Client and Server based access control model. This is

accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible

Authentication Protocol over LAN (EAPOL) packets between the Client and the Server. The following figure represents a

basic EAPOL packet:

Figure 5- 4. The EAPOL Packet

Utilizing this method, unauthorized devices are restricted from connecting to a LAN through a port to which the user is

connected. EAPOL packets are the only traffic that can be transmitted through the specific port until authorization is

granted. The 802.1x Access Control method holds three roles, each of which are vital to creating and upkeeping a stable

and working Access Control security method.

Figure 5- 5. The three roles of 802.1x

The following section will explain the three roles of Client, Authenticator and Authentication Server in greater detail.

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

21

Authentication Server

The Authentication Server is a remote device that is connected to the same network as the Client and Authenticator, must be

running a RADIUS Server program and must be configured properly on the Authenticator (Switch). Clients connected to a

port on the Switch must be authenticated by the Authentication Server (RADIUS) before attaining any services offered by

the Switch on the LAN. The role of the Authentication Server is to certify the identity of the Client attempting to access the

network by exchanging secure information between the RADIUS server and the Client through EAPOL packets and, in

turn, informs the Switch whether or not the Client is granted access to the LAN and/or switches services.

Figure 5- 6. The Authentication Server

Authenticator

The Authenticator (the Switch) is an intermediary between the Authentication Server and the Client. The Authenticator

servers two purposes when utilizing 802.1x. The first purpose is to request certification information from the Client through

EAPOL packets, which is the only information allowed to pass through the Authenticator before access is granted to the

Client. The second purpose of the Authenticator is to verify the information gathered from the Client with the

Authentication Server, and to then relay that information back to the Client.

Three steps must be implemented on the Switch to properly configure the Authenticator.

1.

The 802.1x State must be

Enabled

. (

Configuration

/

Switch Information

/

Advanced Settings

/

802.1x Statu

s)

2.

The 802.1x settings must be implemented by port (

Port Access Entity

/

PAE System Control

/

Port Capability

/

Capability

)

3.

A RADIUS server must be configured on the Switch. (

Port Access Entity

/

RADIUS Server

/

Authentic

RADIUS Server

)

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

22

Figure 5- 7. The Authenticator

Client

The Client is simply the endstation that wishes to gain access to the LAN or switch services. All endstations must be

running software that is compliant with the 802.1x protocol. For users running Windows XP, that software is included

within the operating system. All other users are required to attain 802.1x client software from an outside source. The Client

will request access to the LAN and or Switch through EAPOL packets and, in turn will respond to requests from the

Switch.

Figure 5- 8. The Client

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

23

Authentication Process

Utilizing the three roles stated above, the 802.1x protocol provides a stable and secure way of authorizing and

authenticating users attempting to access the network. Only EAPOL traffic is allowed to pass through the specified port

before a successful authentication is made. This port is “locked” until the point when a Client with the correct username and

password (and MAC address if 802.1x is enabled by MAC address) is granted access and therefore successfully “unlocks”

the port. Once unlocked, normal traffic is allowed to pass through the port. The following figure displays a more detailed

explanation of how the authentication process is completed between the three roles stated above.

Figure 5- 9. The 802.1x Authentication Process

The D-Link implementation of 802.1x allows network administrators to choose between two types of Access Control used

on the Switch, which are:

1.

Port-Based Access Control – This method requires only one user to be authenticated per port by a remote RADIUS

server to allow the remaining users on the same port access to the network.

2.

MAC-Based Access Control – Using this method, the Switch will automatically learn up to three MAC addresses

by port and set them in a list. Each MAC address must be authenticated by the Switch using a remote RADIUS

server before being allowed access to the Network.

Port-Based Network Access Control

The original intent behind the development of 802.1x was to leverage the characteristics of point-to-point in LANs. Any

single LAN segment in such an infrastructures has no more than two devices attached to it, one of which is a Bridge Port.

The Bridge Port detects events that indicate the attachment of an active device at the remote end of the link, or an active

device becoming inactive. These events can be used to control the authorization state of the Port and initiate the process of

authenticating the attached device if the Port is unauthorized. This is the Port-Based Network Access Control.