List of Figures
Figure 1. Web Interface Panel-Example .............. 28
Figure 2. Web Interface Panel-Example .............. 29
Figure 3. Configuring an SNMP V3 User Profile .......... 29
Figure 4. System Description Page ............... 31
Figure 5. VLAN Example Network Diagram ............ 34
Figure 6.
About This Book This document provides an understanding of the CLI and Web configuration options for D-Link DWS-3000 features. Document Organization This document shows examples of the use of the Unified Switch in a typical network. It describes the use and advantages of specific functions provided by the Unified Switch and includes information about configuring those functions using the command-line interface (CLI) and Web interface.
CLI/Web Examples - Slot/Port Designations To help you understand configuration tasks, this document contains examples from the CLI and Web Interfaces. The examples are based on the D-Link DWS-3000 switch and use the slot/port naming convention for interfaces, e.g. 0/2...
Getting Started Connect a terminal to the switch to begin configuration. In-Band and Out-of-Band Connectivity Ask the system administrator to determine whether you will configure the switch for in-band or out-of-band connectivity. To use the Web Interface, you must set up your system for in-band connectivity.
Getting Started Subnet: Subnet mask for the LAN. Gateway: IP address of the default router, if the switch is a node outside the IP range of the LAN. 6. To enable these changes to be retained during a reset of the switch, type CTRL+Z to return to the main prompt, type...
Since a number of the Quick Setup commands require administrator account rights, D-Link suggests logging into an administrator account. Do not enter a password because the default mode does not use a password; after typing admin, press Enter two times.
Getting Started Quick Start up User Account Management Table 3. Command Details: show users (Privileged EXEC Mode) - Displays all of the users who are allowed to access the networking device. Access Mode - Shows whether the user is able to change parameters on the networking device (Read/Write) or is only able to view them (Read Only).
Getting Started Quick Start up Uploading from Networking Device to Out-of-Band PC (XMODEM) Table 5. Command Details: copy nvram:startup-config <url> (Privileged EXEC Mode) - Starts the upload, displays the mode and type of upload, and confirms the upload is progressing. The types are: •...
Using the Web Interface This chapter is a brief introduction to the Web interface — it explains how to access the Web-based management panels to configure and manage the system. Tip: Use the Web interface for configuration instead of the CLI interface. Web configuration is quicker and easier than entering multiple required CLI commands.
Using the Web Interface Figure 2. Web Interface Panel-Example Configuring an SNMP V3 User Profile Configuring an SNMP V3 user profile is a part of user configuration. Any user can connect to the switch using the SNMPv3 protocol, but for authentication and encryption, additional steps are needed.
Using the Web Interface Switching the Date/Time Zone To configure the system date and time, from the Administration navigation menu, select System Description (see Figure 4). Figure 4. System Description Page
Virtual LANs Adding Virtual LAN (VLAN) support to a Layer 2 switch offers some of the benefits of both bridging and routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast. Like a router, it partitions the network into logical segments, which provides better administration, security and management of multicast traffic.
Virtual LANs CLI Examples The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port. Example #1: Create Two VLANs Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names blank.
Virtual LANs To specify the handling of untagged frames on receipt, use the LAN > L2 Features > VLAN > Port Configuration page. Figure 7. VLAN Port Configuration Private Edge VLANs Use the Private Edge VLAN feature to prevent ports on the switch from forwarding traffic to each other even if they are on the same VLAN.
Virtual LANs Figure 8. Voice VLAN Configuration The Voice VLAN Configuration page contains the following fields: • Voice VLAN Admin Mode — Click Enable or Disable to administratively turn the Voice VLAN feature on or off for all ports. • Unit/Slot/Port —...
Storm Control A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The Unified Switch’s Storm Control feature protects against this condition. The Unified Switch provides broadcast, multicast, and unicast storm recovery for individual interfaces or for all interfaces.
Storm Control Web Interface The Storm Control configuration options are available on the Port Configuration Web page under the Administration folder. Figure 9. Port Configuration (Storm Control)
Trunking (Link Aggregation) This section shows how to use the Trunking feature (also known as Link Aggregation) to configure port-channels by using the CLI and the Web interface. The Link Aggregation (LAG) feature allows the switch to treat multiple physical links between two end-points as a single logical link called a port-channel.
Trunking (Link Aggregation)
(DWS-3024) #show port-channel all

        Port-                            Link
Log.    Channel                  Adm.    Trap           Port     Port
Intf    Name           Link      Mode    Mode    Mode   Type     Ports   Speed   Active
------  -------------  -----     ----    ----    ------ -------  ------  ------  ------
        lag_10         Down                      Dis.   Dynamic
        lag_20         Down                      Dis.
IGMP Snooping This section describes the Internet Group Management Protocol (IGMP) feature: IGMPv3 and IGMP Snooping. The IGMP Snooping feature enables the switch to monitor IGMP transactions between hosts and routers. It can help conserve bandwidth by allowing the switch to forward IP multicast traffic only to connected hosts that request multicast traffic.
IGMP Snooping Web Examples The following web pages are used in the IGMP Snooping feature. Click Help for more information on the web interface. Figure 12. IGMP Snooping - Global Configuration and Status Page
Port Mirroring This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks. Overview Port mirroring selects network traffic from specific ports for analysis by a network analyzer, while allowing the same traffic to be switched to its destination. You can configure many switch ports as source ports and one switch port as a destination port.
Port Mirroring Web Examples The following web pages are used with the Port Mirroring feature. Figure 20. Multiple Port Mirroring Figure 21. Multiple Port Mirroring - Add Source Ports
Link Layer Discovery Protocol The Link Layer Discovery Protocol (LLDP) feature allows individual interfaces on the switch to advertise major capabilities and physical descriptions. Network managers can view this information and identify system topology and detect bad configurations on the LAN. LLDP has separately configurable transmit and receive functions.
Link Layer Discovery Protocol Using the Web Interface to Configure LLDP The LLDP menu page contains links to the following features:
• LLDP Configuration
• LLDP Statistics
• LLDP Connections
LLDP Configuration Use the LLDP Global Configuration page to specify LLDP parameters. Figure 23.
Link Layer Discovery Protocol Figure 25. LLDP Interface Summary Figure 26. LLDP Statistics You can also use the pages in the LAN > Monitoring > LLDP Status folder to view information about local and remote devices.
Denial of Service Attack Protection This section describes the D-Link DWS-3000 switch’s Denial of Service Protection feature. Overview Denial of Service:
• Spans two categories: Protection of the Unified Switch; Protection of the network
• Protects against the exploitation of a number of vulnerabilities which would make the host or network unstable
•...
Port Routing The first networks were small enough for the end stations to communicate directly. As networks grew, Layer 2 bridging was used to segregate traffic, a technology that worked well for unicast traffic, but had problems coping with large quantities of multicast packets. The next major development was routing, where packets were examined and redirected at Layer 3.
Port Routing Network directed broadcast frames are dropped and the maximum transmission unit (MTU) size is 1500 bytes.
config
interface 0/2
routing
ip address 192.150.2.2 255.255.255.0
exit
exit
config
interface 0/3
routing
ip address 192.130.3.1 255.255.255.0
exit
exit
config
interface 0/5
routing
ip address 192.64.4.1 255.255.255.0
exit...
VLAN Routing You can configure the Unified Switch with some ports supporting VLANs and some supporting routing. You can also configure the Unified Switch to allow traffic on a VLAN to be treated as if the VLAN were a router port. When a port is enabled for bridging (default) rather than routing, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN.
VLAN Routing Next specify the VLAN ID assigned to untagged frames received on the ports.
config
interface 0/1
vlan pvid 10
exit
interface 0/2
vlan pvid 10
exit
interface 0/3
vlan pvid 20
exit
exit
Example 2: Set Up VLAN Routing for the VLANs and the Switch. The following commands show how to enable routing for the VLANs:
vlan database
vlan routing 10...
VLAN Routing Use the LAN > L3 Features > VLAN Routing > Configuration page to enable VLAN routing and configure the ports. Figure 34. VLAN Routing Configuration To enable routing for the switch, use the LAN > L3 Features > IP > Configuration page. Figure 35.
Virtual Router Redundancy Protocol When an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate. Since static configuration is a convenient way to assign router addresses, Virtual Router Redundancy Protocol (VRRP) was developed to provide a backup mechanism.
Virtual Router Redundancy Protocol Specify the IP address that the virtual router function will recognize. Note that the virtual IP address on port 0/2 is the same as the port’s actual IP address; therefore this router will always be the VRRP master when it is active, and its priority defaults to 255.
ip vrrp 20 ip 192.150.2.1
Enable VRRP on the port.
Virtual Router Redundancy Protocol To enable VRRP for the switch, use the LAN > L3 Features > VRRP > VRRP Configuration page. Figure 40. VRRP Configuration To configure virtual router settings, use the LAN > L3 Features > VRRP > Virtual Router Configuration page.
Proxy Address Resolution Protocol (ARP) This section describes the Proxy Address Resolution Protocol (ARP) feature. Overview • Proxy ARP allows a router to answer ARP requests where the target IP address is not the router itself but a destination that the router can reach. •...
Example #2: ip proxy-arp
(DWS-3024) (Interface 0/24)#ip proxy-arp ?
<cr> Press Enter to execute the command.
(DWS-3024) (Interface 0/24)#ip proxy-arp
Web Example The following web pages are used in the proxy ARP feature. Figure 42. Proxy ARP Configuration
Routing Information Protocol (RIP) This section describes the Routing Information Protocol (RIP). RIP is an Interior Gateway Protocol (IGP) based on the Bellman-Ford algorithm and targeted at smaller networks (network diameter no greater than 15 hops). Overview The routing information is propagated in RIP update packets that are sent out both periodically and in the event of a network topology change.
ACL Logging, you augment the ACL deny rule specification with a ‘log’ parameter that enables hardware hit count collection and reporting. The D-Link DWS-3000 switch uses a fixed five minute logging interval, at which time trap log entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval.
Access Control Lists (ACLs) ACL Configuration Process To configure ACLs, follow these steps: • Create a MAC ACL by specifying a name. • Create an IP ACL by specifying a number. • Add new rules to the ACL. • Configure the match criteria for the rules. •...
Access Control Lists (ACLs) Example #5: Specify MAC ACL Attributes
(DWS-3024) (Config)#mac access-list extended mac1
(DWS-3024) (Config-mac-access-list)#deny ?
<srcmac> Enter a MAC Address. Configure a match condition for all the source MAC addresses in the Source MAC Address field.
(DWS-3024) (Config-mac-access-list)#deny any ?
<dstmac>...
Access Control Lists (ACLs) Example #7: Set up an ACL with Permit Action
(DWS-3024) (Config)#mac access-list extended mac2
(DWS-3024) (Config-mac-access-list)#permit ?
<srcmac> Enter a MAC Address. Configure a match condition for all the source MAC addresses in the Source MAC Address field.
(DWS-3024) (Config-mac-access-list)#permit any ?
<dstmac>...
Access Control Lists (ACLs) Figure 49. MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask Figure 50. MAC ACL Rule Configuration Page - View the Current Settings
Access Control Lists (ACLs) Figure 53. MAC ACL Rule Summary IP ACL Web Pages The following figures show the pages available to view and configure standard and extended IP ACL settings. Figure 54. IP ACL Configuration Page - Create a New IP ACL
802.1X Network Access Control Port-based network access control allows the operation of a system’s port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so. Port Access Control provides a means of preventing unauthorized access by supplicants or users to the services offered by a System.
802.1X Network Access Control Guest VLAN The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users. This feature provides a mechanism that allows visitors and contractors network access to reach the external network with no ability to reach the internal LAN. When a client that does not support 802.1X is connected to an unauthorized port that is 802.1X-enabled, the client does not respond to the 802.1X requests from the switch.
802.1X Network Access Control Configuring Dynamic VLAN Assignment The software also supports VLAN assignment for clients based on the RADIUS server authentication. To enable the switch to accept VLAN assignment by the RADIUS server, use the authorization network radius command in Global Config mode. To enable the VLAN Assignment Mode by using the Web interface, use the LAN >...
Captive Portal The Captive Portal (CP) feature allows you to block wired and wireless clients from accessing the network until user verification has been established. The example in this section shows how to configure a captive portal and associate it with a physical interface so that any wired client that attempts to access the network through that interface must enter a username and password that is verified by a local user database.
Captive Portal C. In the Interface List column, CTRL + Click to select interface Slot 0 Port 1 through Slot 0 Port 10. D. Click Add. CLI Example Use the following commands to perform the same configuration by using the CLI. (DWS-3024) #configure captive-portal enable...
Description: Maximum number of octets the user is allowed to transmit. After this limit has been reached the user will be disconnected. If the attribute is 0 or not present then use the value configured for the captive portal. Range: Integer Usage: Optional Radius Attribute: D-Link-Max-Output-Octets Number: 171, 125 Captive Portal Rate Limiting...
Port Security This section describes the Port Security feature. Overview Port Security: • Allows for limiting the number of MAC addresses on a given port. • Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
Port Security Web Examples The following Web pages are used in the Port Security feature. Figure 66. Port Security Administration Figure 67. Port Security Interface Configuration
RADIUS Making use of a single database of accessible information – as in an Authentication Server – can greatly simplify the authentication and management of users in a large network. One such type of Authentication Server supports the Remote Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865.
RADIUS NOTE: RADIUS fail-through mode is not available for Captive Portal client authentication and RADIUS-based MAC authentication. RADIUS Configuration Examples Configuring RADIUS for Wired Clients This example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The shared secrets are configured to be secret1 and secret2 respectively.
RADIUS Figure 76. Set the User Login Configuring RADIUS Fail-through on a Managed AP This example configures a secondary RADIUS server and the RADIUS fail-through feature in the global profile for an AP managed by a DWS-3000 Switch. (This example assumes that a primary RADIUS server has already been configured in the AP profile.) Note that the same commands can be used in Network Profile mode to configure these parameters on a particular wireless network.
TACACS+ TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network.
TACACS+ Configuring TACACS+ by Using the Web Interface The following Web screens show how to perform the configuration described in the example. Figure 78. Add a TACACS+ Server Figure 79. Configuring the TACACS+ Server
Class of Service Queuing The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To set up this preferential treatment, you can configure the ingress ports, the egress ports, and individual queues on the egress ports to provide customization that suits your environment.
• Queue management - tail drop Queue Management Type The D-Link DWS-3000 switch supports the tail drop method of queue management. This means that any packet forwarded to a full queue is dropped regardless of its importance. CLI Examples Figure 83 illustrates the network operation as it relates to CoS mapping and queue configuration.
Class of Service Queuing Figure 83. CoS Mapping and Queue Configuration (diagram: ingress packets A (UserPri=3), B (UserPri=7), C (untagged) and D (UserPri=6) arrive on Port 0/10 with mode='trust dot1p'; the 802.1p->CoS queue map and the port default priority->traffic class mapping select the queue; packets are forwarded via the switch fabric to egress Port 0/8, which uses strict...)
Class of Service Queuing Web Examples The following web pages are used for the Class of Service feature. Figure 85. 802.1p Priority Mapping Page Figure 86. CoS Trust Mode Configuration Page
Policy – Defines the QoS attributes for one or more traffic classes. An example of an attribute is the ability to mark a packet at ingress. The D-Link DWS-3000 switch supports the ability to assign traffic classes to output CoS queues.
Differentiated Services 2. Create a DiffServ class of type “all” for each of the departments, and name them. Define the match criteria -- Source IP address -- for the new classes.
class-map match-all finance_dept
match srcip 172.16.10.0 255.255.255.0
exit
class-map match-all marketing_dept
match srcip 172.16.20.0 255.255.255.0
exit
class-map match-all test_dept...
Differentiated Services 3. View information about the DiffServ policy and class configuration. In the following example, the interface specified is interface 0/1. The policy is attached to interfaces 0/1 through 0/4.
(DWS-3024) #show diffserv service 0/1 in
DiffServ Admin Mode............ Enable
Interface.......................
Differentiated Services Figure 94. DiffServ Class Configuration - Add Match Criteria Figure 95. Source IP Address
Differentiated Services Figure 98. DiffServ Policy Configuration Figure 99. DiffServ Policy Configuration
Differentiated Services Figure 102. DiffServ Policy Summary Figure 103. DiffServ Policy Attribute Summary
Differentiated Services Configuring the Color-Aware Attribute by Using the Web The following screens show the additional steps to take to configure the finance_dept class with a color-aware attribute. 1. Add a new class to serve as the auxiliary traffic class. A.
Differentiated Services DiffServ for VoIP Configuration Example One of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive: for a network to provide acceptable service, a guaranteed transmission rate is vital. This example shows one way to provide the necessary quality of service: how to set up a class for UDP traffic, have that traffic marked on the inbound side, and then expedite the traffic on the outbound side.
DHCP Filtering This section describes the Dynamic Host Configuration Protocol (DHCP) Filtering feature. Overview DHCP filtering provides security by filtering untrusted DHCP messages. An untrusted message is a message that is received from outside the network or firewall, and that can cause traffic attacks within the network.
DHCP Filtering Use the DHCP Filtering Configuration page to configure the DHCP Filtering admin mode on the switch. Figure 107. DHCP Filtering Configuration Use the DHCP Filtering Interface Configuration page to configure DHCP Filtering on specific interfaces. Figure 108. DHCP Filtering Interface Configuration To view the DHCP Filtering settings on each interface, use the DHCP Filter Binding Information page under LAN >...
Traceroute This section describes the Traceroute feature. Use Traceroute to discover the routes that packets take when traveling on a hop-by-hop basis to their destination through the network. • Maps network routes by sending packets with small Time-to-Live (TTL) values and watching for the ICMP time-out announcements •...
Configuration Scripting Configuration Scripting allows you to generate a text-formatted script file that shows the current configuration of the system. You can generate multiple scripts and upload and apply them to more than one switch. Overview Configuration Scripting: • Provides scripts that can be uploaded and downloaded to the system. •...
Configuration Scripting Example #5: copy nvram: script Use this command to upload a configuration script.
(DWS-3024) #copy nvram: script running-config.scr tftp://192.168.77.52/running-config.scr
Mode........................... TFTP
Set TFTP Server IP............. 192.168.77.52
TFTP Path...................... /
TFTP Filename.................. running-config.scr
Data Type...................... Config Script
Source Filename................ running-config.scr
Are you sure you want to start? (y/n) y
File transfer operation completed successfully.
Outbound Telnet This section describes the Outbound Telnet feature. Overview Outbound Telnet: • Feature establishes an outbound telnet connection between a device and a remote host. • When a telnet connection is initiated, each side of the connection is assumed to originate and terminate at a “Network Virtual Terminal”...
Outbound Telnet <0-5> Configure the maximum number of outbound telnet sessions allowed.
(DWS-3024) (Line)#session-limit 5
(DWS-3024) (Line)#session-timeout ?
<1-160> Enter time in minutes.
(DWS-3024) (Line)#session-timeout 15
Web Example You can set up the Outbound Telnet session through the Web interface. You can: •...
Pre-Login Banner This section describes the Pre-Login Banner feature. Overview Pre-Login Banner: • Allows you to create message screens when logging into the CLI Interface • By default, no Banner file exists • Banner can be uploaded or downloaded • File size cannot be larger than 2K The Pre-Login Banner feature is only for the CLI interface.
Simple Network Time Protocol (SNTP) This section describes the Simple Network Time Protocol (SNTP) feature. Overview SNTP: • Used for synchronizing network resources • Adaptation of NTP • Provides synchronized network timestamp • Can be used in broadcast or unicast mode •...
Simple Network Time Protocol (SNTP) Example #6: configuring sntp server
(DWS-3024)(Config) #sntp server 192.168.10.234 ?
<cr> Press Enter to execute the command.
<1-3> Enter SNTP server priority from 1 to 3.
Example #7: configure sntp client port
(DWS-3024)(Config) #sntp client port 1 ?
<cr>...
Syslog This section provides information about the Syslog feature. Overview Syslog: • Allows you to store system messages and/or errors • Can store to local files on the switch or a remote server running a syslog daemon • Method of collecting message logs from many systems Interpreting Log Files <130>...
Syslog Example #3: show logging traplogs
(DWS-3024) #show logging traplogs
Number of Traps Since Last Reset............ 16
Trap Log Capacity........................... 256
Number of Traps Since Log Last Viewed....... 0
Log  System Up Time            Trap
---  ------------------------  ---------------------------------------
0    6 days 20:22:35           Failed User Login: Unit: 1 User ID:
1    6 days 19:19:58           Multiple Users: Unit: 0 Slot: 3 Port: 1...
Syslog Web Examples The following web pages are used with the Syslog feature. Figure 116. Log - Syslog Configuration Page Figure 117. Buffered Log Configuration Page
Port Description The Port Description feature lets you specify an alphanumeric interface identifier that can be used for SNMP network management. CLI Example Use the commands shown below for the Port Description feature. Example #1: Enter a Description for a Port This example specifies the name “Test”...