D-Link Dsh8 Manual
Chapter 5: Web-Based Management
GE-DSH-73/DSH-82 and DSH-82-PoE User Manual

X-Ring Configuration

The Managed Industrial Switch supports the function and interface for setting the switch as the ring master or not. The ring master can negotiate with and issue commands to the other switches in the X-Ring group. If there are 2 or more switches in master mode, the software will select the switch with the lowest MAC address number as the ring master. The X-Ring master ring mode can be enabled in the X-Ring configuration interface. Also, the user can identify whether the switch is the ring master by checking the R.M. LED indicator on the panel of the switch.

The system also supports the Couple Ring function, which can connect 2 or more X-Ring groups for redundant backup, and the Dual Homing function, which can prevent loss of connection between the X-Ring group and the upper-level/core switch.

Figure 5-62: X-Ring Interface

This page includes the following fields:

Object: Description
Enable Ring: To enable the X-Ring function, tick the checkbox beside the Enable Ring string label. If this checkbox is not ticked, all the ring functions are unavailable.
Enable Ring Master: Tick the checkbox to enable this switch to be the ring master.
1st & 2nd Ring Ports: Pull down the selection menu to assign the ports as the member ports. 1st Ring Port is the working port and 2nd Ring Port is the backup port. When 1st Ring Port fails, the system will automatically upgrade the 2nd Ring Port to be the working port.
Enable Couple Ring: To enable the couple ring function, tick the checkbox beside the Enable Couple Ring string label.
Couple Port: Assign the member port which is connected to the other ring group.
Control Port: When the Enable Couple Ring checkbox is ticked, you have to assign the control port to form a couple-ring group between the two X-Rings.
Enable Dual Homing: Set up one of the ports on the switch to be the Dual Homing port. For a switch, there is only one Dual Homing port. The Dual Homing function works only when the X-Ring function is enabled.

NOTE: When the X-Ring function is enabled, the user must disable RSTP. The X-Ring function and the RSTP function cannot exist on a switch at the same time. Remember to execute the Save Configuration action, otherwise the new configuration will be lost when the switch powers off.

Security

The Security page has the following settings:
• 802.1x/Radius
• Static MAC address
• MAC filter

Security-802.1X/Radius Configuration

802.1x is an IEEE authentication specification which prevents the client from accessing a wireless access point or wired switch until it provides authorization credentials, such as a user name and password, that are verified by an authentication server (such as a RADIUS server).

Understanding IEEE 802.1X Port-Based Authentication

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

This section includes this conceptual information:
• Device Roles
• Authentication Initiation and Message Exchange
• Ports in Authorized and Unauthorized States

• Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown below.

Figure 5-63: 802.1x device role

• Client - the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the IEEE 802.1X specification.)

• Authentication server - performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

• Switch (802.1X device) - controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the Extensible Authentication Protocol (EAP) frames and interacting with the authentication server. When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.

• Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
It then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). Upon receipt of the frame, the client responds with an EAP-response/identity frame.

However, if during bootup the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity.

NOTE: If 802.1X is not enabled or supported on the network access device, any EAPOL frames from the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start authentication, the client transmits frames as if the port is in the authorized state. A port in the authorized state effectively means that the client has been successfully authenticated.

When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized.

The specific exchange of EAP frames depends on the authentication method being used. Figure 5-64 shows a message exchange initiated by the client using the One-Time-Password (OTP) authentication method with a RADIUS server.

Figure 5-64: EAP message exchange

• Ports in Authorized and Unauthorized States

The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally.

If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the client's identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.

When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.

System Configuration

After enabling the IEEE 802.1X function, you can configure the parameters of this function.

Figure 5-65: 802.1x System Configuration interface
This page includes the following fields:

Object: Description
IEEE 802.1x Protocol: Enable or disable the 802.1x protocol.
Radius Server IP: Assign the RADIUS Server IP address.
Server Port: Set the UDP destination port for authentication requests to the specified RADIUS Server.
Accounting Port: Set the UDP destination port for accounting requests to the specified RADIUS Server.
Shared Key: Set an encryption key for use during authentication sessions with the specified RADIUS server. This key must match the encryption key used on the RADIUS Server.
NAS, Identifier: Set the identifier for the RADIUS client.

Port Configuration

You can configure the 802.1x authentication state for each port. The available states are Disable, Accept, Reject, and Authorize.

Figure 5-66: 802.1x Per Port Setting interface
This page includes the following fields:

Object: Description
Reject: The specified port is required to be held in the unauthorized state.
Accept: The specified port is required to be held in the authorized state.
Authorize: The specified port is set to the Authorized or Unauthorized state in accordance with the outcome of an authentication exchange between the Supplicant and the authentication server.
Disable: When disabled, the specified port works without complying with 802.1x protocol.

Port Configuration

You can configure the 802.1x authentication state for each port. The state provides Disable, Accept, Reject, and Authorize.

Figure 5-67: 802.1x Misc Configuration interface
This page includes the following fields:

Object: Description
Quiet Period: Set the period during which the port does not try to acquire a supplicant.
TX Period: Set the period the port waits before retransmitting the next EAPOL PDU during an authentication session.
Supplicant Timeout: Set the period of time the switch waits for a supplicant response to an EAP request.
Server Timeout: Set the period of time the switch waits for a server response to an authentication request.
Max Requests: Set the number of authentication attempts that must time out before authentication fails and the authentication session ends.
Reauth period: Set the period of time after which connected clients must be re-authenticated.

MAC Address Table

Use the MAC address table to ensure port security.

Static MAC Address

You can add a static MAC address that remains in the switch's address table regardless of whether the device is physically connected to the switch. This saves the switch from having to re-learn a device's MAC address when the disconnected or powered-off device is active on the network again. Via this interface, you can add / modify / delete a static MAC address.

• Add the Static MAC Address

You can add a static MAC address to the switch MAC table here.
Figure 5-68: Static MAC Addresses interface

This page includes the following fields:

Object: Description
MAC Address: Enter the MAC address of the port that should permanently forward traffic, regardless of the device network activity.
Port No.: Pull down the selection menu to select the port number.
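
The 802.1X port behaviour described in the Security section above (an unauthorized port passes only EAPOL, and each port is set to Disable, Accept, Reject or Authorize), as an added Python model that is not code from the manual or the switch firmware. The class and function names and the sample frames are constructed for illustration; the EAPOL EtherType and packet type values are those of IEEE 802.1X.

```python
import struct

ETH_EAPOL = 0x888E                               # EtherType of EAPOL frames
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_SUCCESS, EAP_FAILURE = 3, 4                  # EAP codes (RFC 3748)

def eapol_type(frame):
    """Return the EAPOL packet type, or None if the frame is not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_EAPOL:
        return None
    return frame[15]          # 14-byte Ethernet header, version byte, then type

class Port:
    """Switch port in one of the manual's states: Disable, Accept, Reject, Authorize."""
    def __init__(self, mode="Authorize"):
        self.mode = mode
        self.authorized = mode == "Accept"       # Accept holds the port authorized
    def server_result(self, eap_code):
        """Verdict relayed from the authentication server; only Authorize reacts."""
        if self.mode == "Authorize":
            self.authorized = eap_code == EAP_SUCCESS
    def link_down(self):      # link up -> down: back to the unauthorized state
        if self.mode == "Authorize":
            self.authorized = False
    def ingress(self, frame):
        """Classify a client frame as 'eapol' (to authenticator), 'forward' or 'drop'."""
        ptype = eapol_type(frame)
        if self.mode == "Disable":   # assumption: behaves like the NOTE's non-802.1X device
            return "forward" if ptype is None else "drop"
        if ptype is None:
            return "forward" if self.authorized else "drop"
        if ptype == EAPOL_LOGOFF:
            self.link_down()                     # logoff has the same effect
        return "eapol"

def frame(ethertype, payload=b""):
    """Constructed sample frame: PAE group destination, made-up source MAC."""
    return bytes.fromhex("0180c2000003020000000001") + struct.pack("!H", ethertype) + payload

def eapol(ptype, body=b""):
    return frame(ETH_EAPOL, struct.pack("!BBH", 1, ptype, len(body)) + body)

def demo():
    port, ip = Port(), frame(0x0800, b"constructed IPv4 payload")
    trace = [port.ingress(ip), port.ingress(eapol(EAPOL_START))]
    port.server_result(EAP_SUCCESS)
    trace.append(port.ingress(ip))
    port.ingress(eapol(EAPOL_LOGOFF))
    return trace + [port.ingress(ip)]
```

Ports set to Accept or Disable forward client traffic without any authentication exchange, so a review of the per-port settings should account for every port left in those two states.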