Page 41 / 96 Scroll up to view Page 36 - 40
Chapter 5
Advanced Configuration
34
WebView Switches
The GVRP Error Statistics Table contains the following
fields:
Invalid Protocol ID
Displays the device GVRP Invalid
Protocol ID statistics.
Invalid Attribute Type
Displays the device GVRP Invalid
Attribute ID statistics.
Invalid Attribute Value
Displays the device GVRP Invalid
Attribute Value statistics.
Invalid Attribute Length
Displays the device GVRP
Invalid Attribute Length statistics.
Invalid Event
Displays the device GVRP Invalid Events
statistics.
Use the
Clear All Counters
button to reset all tables.
ACL > IP Based ACL
The
IP Based ACL (Access Control List)
screen contains
information for defining IP-based Access Control Lists
(ACLs).
ACL > IP Based ACL
ACL Name
Displays the user-defined IP based ACLs.
New ACL Name
Define a new user-defined IP based ACL,
the name cannot include spaces.
Delete ACL
Deletes the selected ACL.
Action
Indicates the action assigned to the packet
matching the ACL. Packets are forwarded or dropped. In
addition, the port can be shut down, a trap can be sent
to the network administrator, or a packet assigned rate
limiting restrictions for forwarding. The options are as
follows:
Permit
Forwards
packets
which
meet
the
ACL
criteria.
Deny
Drops packets which meet the ACL criteria.
Shutdown
Drops
packet
that
meets
the
ACL
criteria, and disables the port to which the packet
was addressed. Ports are reactivated from the
Port
Management
screen.
Protocol
Creates an Access Control Entry (ACE) based on
a specific protocol.
Select from List
Selects from a protocols list on which
ACE can be based. The possible field values are:
Any
Matches the protocol to any protocol.
EIGRP
Indicates
that
the
Enhanced
Interior
Gateway Routing Protocol (EIGRP) is used to classify
network flows.
ICMP
Indicates that the Internet Control Message
Protocol (ICMP) is used to classify network flows.
IGMP
Indicates
that
the
Internet
Group
Management Protocol (IGMP) is used to classify
network flows.
TCP
Indicates
that
the
Transmission
Control
Protocol is used to classify network flows.
OSPF
Matches the packet to the Open Shortest
Path First (OSPF) protocol.
UDP
Indicates that the User Datagram Protocol is
used to classify network flows.
Protocol ID To Match
Adds user-defined protocols to
which packets are matched to the ACE. Each protocol
has a specific protocol number which is unique. The
possible field range is
0–255
.
TCP Flags
Filters packets by TCP flag. Filtered packets
are either forwarded or dropped. Filtering packets by TCP
flags increases packet control, which increases network
security. The values that can be assigned are:
Set
Enables filtering packets by selected flags.
Unset
Disables filtering packets by selected flags.
Don’t care
Indicates that selected packets do not
influence the packet filtering process.
The TCP Flags that can be selected are:
Urg
Indicates the packet is urgent.
Ack
Indicates the packet is acknowledged.
Psh
Indicates the packet is pushed.
Rst
Indicates the connection is dropped.
Syn
Indicates request to start a session.
Fin
Indicates request to close a session.
Page 42 / 96
Chapter 5
Advanced Configuration
35
WebView Switches
Source Port
Defines the TCP/UDP source port to which
the ACE is matched. This field is active only if 800/6-TCP or
800/17-UDP are selected in the
Select from List
drop-down
menu. The possible field range is
0–65,535
.
Destination
Port
Defines
the
TCP/UDP
destination
port. This field is active only if 800/6-TCP or 800/17-UDP
are selected in the
Select from List
drop-down menu. The
possible field range is
0–65,535
.
Source IP Address
Matches the source port IP address to
which packets are addressed to the ACE.
Wildcard
Mask
Defines
the
source
IP
address
wildcard mask. Wildcard masks specify which bits
are used and which bits are ignored. A wild card
mask of
255.255.255.255
indicates that no bit is
important. A wildcard of
0.0.0.0
indicates that all
the bits are important. For example, if the source IP
address
149.36.184.198
and the wildcard mask is
255.36.184.00
, the first eight bits of the IP address are
ignored, while the last eight bits are used.
Dest. IP Address
Matches the destination port IP address
to which packets are addressed to the ACE.
Wildcard Mask
Defines the destination IP address
wildcard mask.
Match DSCP
Matches the packet DSCP value to the ACE.
Either the DSCP value or the IP Precedence value is used to
match packets to ACLs. The possible field range is
0–63
.
Match IP Precedence
Matches the packet IP Precedence
value to the ACE. Either the DSCP value or the IP Precedence
value is used to match packets to ACLs. The possible field
range is
0–7
.
The
Add to List
button adds the configured IP Based ACLs
to the IP Based ACL Table at the bottom of the screen.
ACL > MAC Based ACL
The
MAC Based ACL
screen allows a MAC based ACL to be
defined. ACEs can be added only if the ACL is not bound
to an interface.
ACL > Mac Based ACL
ACL Name
Displays the user-defined MAC based ACLs.
New ACL Name
Specifies a new user-defined MAC based
ACL name, the name cannot include spaces.
Delete ACL
Deletes the selected ACL.
Action
Indicates the ACL forwarding action. Possible field
values are:
Permit
Forwards
packets
which
meet
the
ACL
criteria.
Deny
Drops packets which meet the ACL criteria.
Shutdown
Drops packet that meet the ACL criteria,
and disables the port to which the packet was
addressed.
Source MAC Address
Matches the source MAC address
to which packets are addressed to the ACE.
Wildcard
Mask
Defines
the
source
IP
address
wildcard mask. Wildcard masks specify which bits
are used and which bits are ignored. A wild card
mask of
255.255.255.255
indicates that no bit is
important. A wildcard of
0.0.0.0
indicates that all
the bits are important. For example, if the source IP
address
149.36.184.198
and the wildcard mask is
255.36.184.00
, the first eight bits of the IP address are
ignored, while the last eight bits are used.
Dest.
MAC
Address
Matches
the
destination
MAC
address to which packets are addressed to the ACE.
Wildcard Mask
Defines the destination IP address
wildcard mask.
VLAN ID
Matches the packet’s VLAN ID to the ACE. The
possible field values are
2–4094
.
Page 43 / 96
Chapter 5
Advanced Configuration
36
WebView Switches
Ether Type
Specifies the packet’s Ethernet type.
Use the
Add to List
button to add the configured MAC
Based ACLs to the MAC Based ACL Table at the bottom of
the screen.
Security > ACL Binding
When an ACL is bound to an interface, all the ACE rules
that have been defined are applied to the selected
interface. Whenever an ACL is assigned on a port, LAG or,
VLAN, flows from that ingress interface that do not match
the ACL are matched to the default rule, which is
Drop
unmatched packets
.
Security > ACL Binding
Interface
Indicates the interface to which the ACL is
bound.
ACL Name
Indicates the ACL which is bound to the
interface.
Use the
Add to List
button to add the ACL Binding
configuration to the ACL Binding Table at the bottom of
the screen.
Security > RADIUS
Remote Authorization Dial-In User Service (RADIUS)
servers provide additional security for networks. RADIUS
servers provide a centralized authentication method for
web access.
Security > RADIUS
IP Address
The Authentication Server IP address.
Priority
The server priority. The possible values are
0–65,535
, where 1 is the highest value. The RADIUS Server
priority is used to configure the server query order.
Authentication Port
Identifies the authentication port.
The authentication port is used to verify the RADIUS server
authentication. The authenticated port default is
1812
.
Number of Retries
Defines the number of transmitted
requests sent to RADIUS server before a failure occurs. The
possible field values are
1–10
. The default value is
3
.
Timeout for Reply
Defines the amount of the time in
seconds the device waits for an answer from the RADIUS
server before retrying the query, or switching to the next
server. The possible field values are
1–30
. The default
value is
3
.
Dead Time
Defines the amount of time (minutes) that a
RADIUS server is bypassed for service requests. The range
is
0–2000
. The Dead Time default is
0
minutes.
Key String
Defines the default key string used for
authenticating and encrypting all RADIUS communications
between the device and the RADIUS server. This key must
match the RADIUS encryption.
Source IP Address
Defines the source IP address that is
used for communication with RADIUS servers.
Usage Type
Specifies the RADIUS server authentication
type. The default value is
Login
. The possible field values
are:
Login
Indicates that the RADIUS server is used for
authenticating user name and passwords.
Page 44 / 96
Chapter 5
Advanced Configuration
37
WebView Switches
802.1X
Indicates that the RADIUS server is used for
802.1X authentication.
All
Indicates that the RADIUS server is used for
authenticating user name and passwords, and 802.1X
port authentication.
Use the
Add to List
button to add the RADIUS configuration
to the RADIUS Table at the bottom of the screen.
Security > TACACS+
The device provides Terminal Access Controller Access
Control System (TACACS+) client support. TACACS+
provides centralized security for validation of users
accessing the device. TACACS+ provides a centralized user
management system, while still retaining consistency with
RADIUS and other authentication processes. The TACACS+
protocol ensures network integrity through encrypted
protocol exchanges between the device and TACACS+
server.
Security > TACACS+
Host
IP
Address
Displays
the TACACS+
Server
IP
address.
Priority
Displays the order in which the TACACS+ servers
are used. The default is
0
.
Source IP Address
Displays the device source IP address
used for the TACACS+ session between the device and the
TACACS+ server.
Key String
Defines the authentication and encryption key
for TACACS+ server. The key must match the encryption
key used on the TACACS+ server.
Authentication Port
Displays the port number through
which the TACACS+ session occurs. The default is port
49
.
Timeout for Reply
Displays the amount of time that
passes before the connection between the device and
the TACACS+ server times out. The field range is
1–30
seconds.
Status
Displays the connection status between the
device and the TACACS+ server. The possible field values
are:
Connected
There is currently a connection between
the device and the TACACS+ server.
Not Connected
There is not currently a connection
between the device and the TACACS+ server.
Single Connection
Maintains a single open connection
between the device and the TACACS+ server when
selected
Use the
Add to List
button to add the TACACS+
configuration to the TACACS+ table at the bottom of the
screen.
Security > 802.1x Settings
Port based authentication enables authenticating system
users on a per-port basis via an external server. Only
authenticated and approved system users can transmit
and receive data. Ports are authenticated via the RADIUS
server using the Extensible Authentication Protocol
(EAP).
Security > 802.1x Settings
Enable 802.1x
Select the checkbox to enable 802.1x
authentication.
Port
Indicates the port name.
Status Port Control
Specifies the port authorization
state. The possible field values are as follows:
Force-Unauthorized
The controlled port state is set
to Force-Unauthorized (discard traffic).
Auto
The controlled port state is set by the system.
Force-Authorized
The controlled port state is set to
Force-Authorized (forward traffic).
Enable Periodic Reauthentication
Permits immediate
port reauthentication.
Page 45 / 96
Chapter 5
Advanced Configuration
38
WebView Switches
Use the
Setting Timer
button to open the
Setting Timer
screen to configure ports for 802.1x functionality.
802.1x Settings > Setting Timer
802.1x Settings > Setting Timer
Port
Indicates the port name.
Reauthentication
Period
Specifies
the
number
of
seconds in which the selected port is reauthenticated
(Range:
300–4,294,967,295
). The field default is
3600
seconds.
Quiet Period
Specifies the number of seconds that
the switch remains in the quiet state following a failed
authentication exchange (Range:
0–65,535
).
Resending EAP
Specifies the number of seconds that the
switch waits for a response to an EAP - request/identity
frame, from the supplicant (client), before resending the
request.
Max EAP Requests
Displays the total amount of EAP
requests sent. If a response is not received after the
defined period, the authentication process is restarted.
The field default is
2
retries.
Supplicant Timeout
Displays the number of seconds that
lapses before EAP requests are resent to the supplicant
(Range:
1–65,535
). The field default is
30
seconds.
Server
Timeout
Specifies
the
number
of
seconds
(
1–65,535
) that lapses before the switch resends a request
to the authentication server. The default is
30
seconds.
Security > Port Security
Network security can be increased by limiting access on
a specific port only to users with specific MAC addresses.
MAC addresses can be dynamically learned or statically
configured. Locked port security monitors both received
and learned packets that are received on specific ports.
Access to the locked port is limited to users with specific
MAC addresses. These addresses are either manually
defined on the port, or learned on that port up to the
point when it is locked. When a packet is received on a
locked port, and the packet source MAC address is not tied
to that port (either it was learned on a different port, or it
is unknown to the system), the protection mechanism is
invoked, and can provide various options. Unauthorized
packets arriving at a locked port are either:
Forwarded
Discarded with no trap
Discarded with a trap
Cause the port to be shut down.
Locked port security also enables storing a list of MAC
addresses in the configuration file. The MAC address list
can be restored after the device has been reset.
Disabled ports are activated from the
Port Security
page.
Security > Port Security
Interface
Displays the port or LAG name.
Lock Interface
Selecting this option locks the specified
interface.

Rate

4.5 / 5 based on 2 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top