Chapter 5: Configuring the Switch through the Web Utility
Security
24-Port 10/100 + 2-Port Gigabit Switch with Webview and Power over Ethernet
Protocol. Specifies the protocol type to match as TCP, UDP or Others, where Others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP)
Source/Destination Port (0-65535). Source/destination port number for the specified protocol type. (Range: 0-65535)
Control Code (0-63). Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
Control Code Bitmask (0-63). Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit. The following bits may be specified:
1 (fin) – Finish
2 (syn) – Synchronize
4 (rst) – Reset
8 (psh) – Push
16 (ack) – Acknowledgement
32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
- SYN flag valid, use control-code 2, control bitmask 2
- Both SYN and ACK valid, use control-code 18, control bitmask 18
- SYN valid and ACK invalid, use control-code 2, control bitmask 18
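The following is an added example, not part of the manual: it evaluates a Control Code / Control Code Bitmask pair against a packet's TCP flag byte exactly as the text describes (mask bit 1 = compare, 0 = ignore), and generalises the three rules above into a helper that derives code and mask from the flags that must be set and the flags that must be clear.

```python
# Added example (not from the manual): evaluates the switch's TCP "Control Code" /
# "Control Code Bitmask" match the way the page describes it, so a rule can be
# checked against sample packets before it is bound to a port.

# Flag bit values as listed on the page (decimal value of each bit).
TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}


def flags_to_code(*names):
    """Turn flag names such as ("syn", "ack") into the decimal control code."""
    return sum(TCP_FLAGS[n] for n in names)


def control_code_matches(packet_flags, control_code, control_bitmask):
    """Return True if the packet's flag byte satisfies the rule.

    control_bitmask selects which bits are examined (1 = match, 0 = ignore);
    the examined bits must equal the corresponding bits of control_code.
    """
    for value in (packet_flags, control_code, control_bitmask):
        if not 0 <= value <= 63:
            raise ValueError("TCP control values must be in the range 0-63")
    return (packet_flags & control_bitmask) == (control_code & control_bitmask)


def rule_from_flags(must_be_set, must_be_clear):
    """Build (control-code, bitmask) from flags that must be 1 and flags that must be 0.

    Both groups are examined (mask bit 1); only must_be_set flags contribute to the code.
    """
    code = flags_to_code(*must_be_set)
    mask = code | flags_to_code(*must_be_clear)
    return code, mask


if __name__ == "__main__":
    # The three rules given on the page, checked against constructed flag bytes.
    syn_only = flags_to_code("syn")          # a new connection request
    syn_ack = flags_to_code("syn", "ack")    # the reply to it
    assert control_code_matches(syn_only, 2, 2) and control_code_matches(syn_ack, 2, 2)
    assert control_code_matches(syn_ack, 18, 18) and not control_code_matches(syn_only, 18, 18)
    assert control_code_matches(syn_only, 2, 18) and not control_code_matches(syn_ack, 2, 18)
    assert rule_from_flags(["syn"], ["ack"]) == (2, 18)
    print("all control-code examples behave as the manual describes")
```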
MAC ACL
To configure a MAC ACL, do the following. Specify the action (that is, Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (for example, 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
Action. An ACL can contain any combination of permit or deny rules.
Source/Destination Address Type. Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
Source/Destination MAC Address. Source or destination MAC address.
Source/Destination Bitmask. Hexadecimal mask for source or destination MAC address.
VID. VLAN ID. (Range: 1-4094)
Ethernet Type. This option can only be used to filter Ethernet II formatted packets. (Range: 0-65535) A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
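The following is an added example, not from the manual: it applies the Any / Host / MAC address-type semantics of the form above to a frame's MAC address, using the 11-22-33-44-55-66 notation the web utility expects. The page does not define the bitmask convention, so the code assumes the same one as the TCP control bitmask (a 1 bit must match, a 0 bit is ignored).

```python
# Added example (not from the manual): checks whether a frame's MAC address falls
# inside the range defined by a MAC ACL rule's Address and Bitmask fields.
# Assumption (not stated on this page): the bitmask follows the same convention as
# the TCP control bitmask, a 1 bit means "must match", a 0 bit means "ignore".

import re

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}$")


def mac_to_int(mac):
    """Parse the 11-22-33-44-55-66 notation used by the web utility into an integer."""
    if not _MAC_RE.match(mac):
        raise ValueError("expected xx-xx-xx-xx-xx-xx, got %r" % mac)
    return int(mac.replace("-", ""), 16)


def address_type_matches(addr_type, frame_mac, address=None, bitmask=None):
    """Apply the Any / Host / MAC address-type semantics of the MAC ACL form."""
    if addr_type == "Any":
        return True
    if addr_type == "Host":  # exact match, equivalent to a ff-ff-ff-ff-ff-ff mask
        return mac_to_int(frame_mac) == mac_to_int(address)
    if addr_type == "MAC":  # range match: only the bits set in the mask are compared
        mask = mac_to_int(bitmask)
        return (mac_to_int(frame_mac) & mask) == (mac_to_int(address) & mask)
    raise ValueError("unknown address type %r" % addr_type)


if __name__ == "__main__":
    # Constructed rule: match every address whose first three bytes (the OUI) are 11-22-33.
    rule = {"addr_type": "MAC", "address": "11-22-33-00-00-00", "bitmask": "ff-ff-ff-00-00-00"}
    print(address_type_matches(frame_mac="11-22-33-44-55-66", **rule))  # True
    print(address_type_matches(frame_mac="11-22-34-44-55-66", **rule))  # False
    print(address_type_matches("Host", "11-22-33-44-55-66", address="11-22-33-44-55-66"))  # True
```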
NOTE: When configuring a MAC ACL that includes the rule "deny any any" for a specific VLAN, the following restrictions apply:
- Received unicast packets with unknown addresses are not flooded to all ports in the VLAN.
- All dynamically learned MAC addresses in the specified VLAN are flushed from the switch's MAC address table.
- Other rules in the MAC ACL allow only specific Host source or destination MAC addresses to be specified.
NOTE: MAC addresses specified in MAC ACLs will conflict with any user-defined static MAC addresses.
Figure 5-42: ACL Conf - Adding/Editing MAC ACL
ACL Port Binding
After configuring Access Control Lists (ACL), you should bind them to the ports that need to filter traffic. You can
assign one IP access list to any port, but you can only assign one MAC access list to all the ports on the switch.
You must configure a mask for an ACL rule before you can bind it to a port.
This switch only supports ACLs for ingress filtering. You can only bind one IP ACL to any port, and one MAC ACL
globally, for ingress filtering.
Mark the Enable checkbox for the port you want to bind to an ACL. Select the required ACL from the drop-down menu.
Port. Fixed port or SFP module. (Range: 1-26)
IP. Specifies the IP Access List to enable for a port.
MAC. Specifies the MAC Access List to enable globally.
IN. ACL for ingress packets.
ACL Name. Name of the ACL.
Click Submit to save the changes.
802.1x Users
Network switches can provide open and easy access to network resources by simply attaching a client PC.
Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to
easily intrude and possibly gain access to sensitive network data.
The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized
access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in
a network can be centrally controlled from a server, which means that authorized users can use the same
credentials for authentication from any point within the network.
Figure 5-43: Security - ACL Port Binding
This Switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol
messages with the client, and a remote RADIUS authentication server to verify user identity and access rights.
When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL
identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which
it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge
back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication
method to be used. The client can reject the authentication method and request another, depending on the
configuration of the client software and the RADIUS server. The authentication method must be MD5. The client
responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server
verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the
switch allows the client to access the network. Otherwise, network access is denied and the port remains
blocked.
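The following is an added example, not from the manual: a minimal simulation of the exchange described above, with the supplicant, authenticator (switch) and RADIUS server reduced to plain functions and the EAP-MD5 method the switch requires. The user database, identifier and challenge length are constructed for the example; EAPOL framing, the RADIUS transport, retries and the Quiet Period are left out.

```python
# Added example (not from the manual): simulates the 802.1X exchange with the
# EAP-MD5 method. The MD5 response computation follows RFC 3748 / RFC 1994:
# MD5(EAP Identifier || password || challenge).

import hashlib
import hmac
import os

# Constructed RADIUS user database: user name -> password. A real server also
# stores a privilege level per user, as the Radius Server section notes.
RADIUS_USERS = {"alice": b"correct horse"}


def eap_md5_response(identifier, password, challenge):
    """Supplicant side: the EAP-MD5 Response value for one challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def radius_challenge():
    """RADIUS server side: issue a fresh random challenge (the Access-Challenge step)."""
    return os.urandom(16)


def radius_verify(username, identifier, challenge, response):
    """RADIUS server side: accept only if the response matches the stored password."""
    password = RADIUS_USERS.get(username)
    if password is None:
        return False                                   # unknown identity -> reject
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)     # constant-time comparison


def authenticate_port(username, supplicant_password):
    """Authenticator (switch) side: relay identity and challenge, return the port state."""
    identifier = 1                                     # EAP Identifier for this round
    challenge = radius_challenge()                     # server challenge relayed to client
    response = eap_md5_response(identifier, supplicant_password, challenge)
    accepted = radius_verify(username, identifier, challenge, response)
    return "authorized" if accepted else "blocked"     # port opened, or stays blocked


if __name__ == "__main__":
    print(authenticate_port("alice", b"correct horse"))  # authorized
    print(authenticate_port("alice", b"wrong password"))  # blocked
    print(authenticate_port("mallory", b"anything"))      # blocked
```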
The operation of 802.1X on the switch requires the following:
- The switch must have an IP address assigned.
- RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.
- 802.1X must be enabled globally for the switch.
- Each switch port that will be used must be set to dot1X “Auto” mode.
- Each client that needs to be authenticated must have dot1X client software installed and properly configured.
- The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
- The RADIUS server and client also have to support the same EAP authentication type – MD5. (Some clients have native support in Windows, otherwise the dot1x client must support it.)
To enable 802.1X System Authentication Control, mark the Enable checkbox. Click Submit to save the changes.
Figure 5-44: Security - 802.1x Users
802.1x Port Conf.
When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between
the client and the switch (that is, authenticator), as well as the client identity lookup process that runs between
the switch and authentication server. These parameters are described in this section.
Modify the parameters required using the drop-down menus and text fields provided, and click Submit.
Max-Req. Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2)
Quiet Period. Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds)
Re-authen Period. Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
TX Period. Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
Supplicant. Indicates the MAC address of a connected client.
Radius Server
Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus
(TACACS+) are logon authentication protocols that use software running on a central server to control access to
RADIUS-aware or TACACS-aware devices on the network. An authentication server contains a database of
multiple user name/password pairs with associated privilege levels for each user that requires management
access.
RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair.
The user name, password, and privilege level must be configured on the authentication server.
To configure local or remote authentication preferences, specify the authentication sequence (that is, one to three methods), and fill in the parameters for RADIUS or TACACS+ authentication if selected.
Secret Text String. Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 20 characters)
Click Submit to save the changes.
Figure 5-45: Security - 802.1x Port Conf
Figure 5-46: Security - RADIUS Server