DWS-1008 User’s Manual

Table of Contents

Product Contents  1
System Requirements  1
Introduction  2
Hardware Overview  3
Features  4
Installation Overview  5
Getting Started  7
Installation  8

Configuration  11
CLI Quickstart Command  12
Accessing the CLI  17
Configuration Overview  18
Configuring for Authenticating Users  28
Configuring APs for Wireless Users  29
Configuring a Service Profile  37

Configuring AAA For Administrative and Local Access
Overview of AAA Access
Types of Administrative Acc

Logging In to a Remote Device  109
Tracing a Route  110
IP Interfaces and Services Configuration Scenario  111

Configuring SNMP  115
Enabling SNMP Versions  116
Setting SNMP Security  120
Configuring a Notification Profile  121
Configuring a Notification Target  125
Enabling the SNMP Service  127
Displaying SNMP Information  128

Configuring DWL-8220AP Access Points
Overview
Service Profiles
Radio Profiles
Configuring Access Points
Specifying the Country of Operation
Configuring AP Port Para

Configuring and Managing IGMP Snooping  225
Disabling or Reenabling IGMP Snooping  225
Disabling or Reenabling Proxy Reporting  225
Enabling the Pseudo-Querier  225
Changing IGMP Timers  226
Enabling Router Solicitation  227
Configuring Static Multicast Ports  228
Displaying Multicast Information  228

Configuring and Managing Security ACLs
About Security Access Control Lists
Creating and Committing a Security ACL
Mapping Security ACLs
Modifying a Security ACL
Using ACLs to Change CoS
Enabli

Managing 802.1X
Managing 802.1X on Wired Authentication Ports
Managing 802.1X Encryption Keys
Managing 802.1X Client Reauthentication
Managing Other Timers
Displaying 802.
Product Contents
• DWS-1008 8-Port Wireless Switch
• Power Supply
• Serial Cable for Connection to Console
• Rack-Mount Brackets (2)
• Rubber Feet (4)
• Screws (6)
• Install Guide
• Manual and Reference Guide on CD

System Requirements
• An existing 10/100 Ethernet network
• DWL-8220AP Access Point(s)

Warning: Installation must be performed by qualified service personnel only. Please follow all warning notices and instructions marked on the product or included in the documentation.
Introduction
The D-Link® AirPremier® MobileLAN™ DWS-1008 is a wireless LAN switch optimized for deployment in the Small-Medium Enterprise (SME) environment. The DWS-1008 is designed to allow easy user installation and operation yet support advanced wireless switch features such as secure mobility, policy enforcement, and AAA and 802.1x offload capabilities.
Hardware Overview (Front Panel)
Console Port: The serial console port provides a direct management connection to a DWS-1008 switch’s command-line interface (CLI). The port has a DB-9 female connector and supports the EIA-232D signaling standard.
Ethernet Ports (1-6): The 10/100 Ethernet ports on the DWS-1008 switch provide automatic MDI/MDX, which automatically crosses over the send and receive signals if required. Ports 1-6 support PoE.
Features
Power Features
• Power supplies - The DWS-1008 switch contains one 100-120 VAC auto-sensing AC power supply.
Management Features
• Serial and network command-line interface (CLI) access - You can access the CLI through a direct serial connection or through the network using Secure Shell (SSH) or Telnet.
IP Services
• IP interfaces - You can configure an IP interface for each VLAN.
Installation Overview
Caution: The DWS-1008 switch has been designed and tested to be installed in an operating ambient temperature of 0° C to +40° C (32° F to 104° F). To reduce the risk of equipment damage, install equipment with consideration to these ambient conditions.
Serial Console Cable
The serial console port has a female DB-9 connector and supports the EIA-232D signaling standard. You need a standard DB-9-male-to-DB-9-female PC modem cable.
Hardware and Tools
Caution: To reduce the risk of equipment damage, make sure the switch is installed so that the mechanical load on the device is evenly distributed. For example, make sure the switch is level in the equipment rack, is evenly fastened by screws on either side, and does not have a heavy object resting on one side of the switch.
Getting Started
Please read the following before you begin: Mobility System Software* (MSS) operates a D-Link Mobility System wireless LAN (WLAN) consisting of DWS-1008 switches and DWL-8220AP access points (APs). MSS has a command-line interface (CLI) on the switch that you can use to configure and manage the switch and its attached access points. You configure the DWS-1008 switch and DWL-8220AP access points primarily with set, clear, and show commands.
Installation
Equipment Rack Installation
1. Remove the four bracket screws from each side of the switch.
2. Align a bracket over the screw holes:
• For a front-mount equipment rack, align the bracket so that the bracket flange is flush with the switch’s front panel and extends away from the switch.
• For a center-mount equipment rack, align the bracket so that the bracket flange is located near the center screw holes.
3.
Installation (continued)
Powering On a DWS-1008 Switch (continued)
4. Observe the power supply LED for each connected power supply to verify that the LED is steadily glowing green. This indicates normal power supply operation.
Connecting to a Serial Management Console
Initial configuration of the DWS-1008 switch requires a connection to the switch’s CLI through the serial console port. To connect a PC to the serial console port:
1.
Installation (continued)
Connecting to the Network
Use the following procedures to connect a DWS-1008 switch to DWL-8220AP access points or other 10/100 Ethernet devices.
Connecting to a DWL-8220AP or Other 10/100 Ethernet Devices
Note: The 10/100 Ethernet ports are configured as wired network ports by default.
Configuration
You can use the CLI (Command Line Interface) to configure a new switch or to continue configuration of a partially configured switch.
CLI (Command Line Interface)
You can configure a switch using the CLI by attaching a PC to the switch’s Console port. After you configure the switch for SSH or Telnet access, you also can use these protocols to access the CLI.
Configuration (continued)
CLI Quickstart Command
The quickstart command runs a script that interactively helps you configure the following items:
• System name
• Country code (regulatory domain)
• System IP address
• Default route
• Administrative users and passwords
• Unencrypted (clear) SSID names
• Encrypted (crypto) SSID names and dynamic WEP encryption for encrypted SSIDs’ wireless traffic
• Usernames and passwords for secure access using 802.
Configuration (continued)
To run the quickstart command:
1. Attach a PC to the DWS-1008 switch’s serial console port. Use the following modem settings: 9600 bps, 8 bits, 1 stop, no parity, hardware flow control disabled.
2.
Configuration (continued)
• Administrative user admin1, with password letmein.
The only management access the switch allows by default is CLI access through the serial connection.
Configuration (continued)
DWS-1008-aabbcc# quickstart
This will erase any existing config. Continue? [n]: y
Answer the following questions. Enter ‘?’ for help. ^C to break out
System Name [DWS-1008]: DWS-1008-Corp
Country Code [US]: US
System IP address []: 10.10.10.4
System IP address netmask []: 255.255.255.0
Default route []: 10.10.10.
Configuration (continued)
6. Optionally, enable Telnet.
DWS-1008-aabbcc# set ip telnet server enable
7. Verify the configuration changes.
DWS-1008-aabbcc# show config
8. Save the configuration changes.
DWS-1008-aabbcc# save config
Configuration (continued)
Accessing the CLI
To enter the configuration commands in this section, you must log in to the enabled access level of the CLI. The default username and password are null strings. To log in from the serial console to the enabled access level for configuration:
1. Press Enter to display a username prompt.
Username:
2. Press Enter again to display a password prompt.
Username:
Password:
3. Press Enter a third time to display a command prompt.
Configuration (continued)
Configuration Overview
To configure a DWS-1008 switch for basic service, perform the following tasks, in this order:
1. Configure an enable password. (See “Configuring an Enable Password” on page 19.)
2. Configure time and date parameters. (See “Configuring the Time and Date” on page 20.)
3. Configure IP connectivity. (See “Configuring IP Connectivity” on page 22.)
4. Specify the country of operation.
Configuration (continued)
Configuring an Enable Password
D-Link recommends that you configure an enable password to provide at least minimal security to the DWS-1008 switch before you proceed to more advanced configuration options. To configure an enable password, use the following command:
set enablepass
To configure an enable password:
1. If you are not already at the enabled access level, enter the enable command.
DWS-1008> enable
2.
Configuration (continued)
Configuring the Time and Date
To set the system time and date:
1. Set the time zone to specify the offset from Coordinated Universal Time (UTC).
2. Configure MSS to offset the time by an additional hour for daylight savings time or a similar summertime period, if applicable.
3. Specify the IP address of a Network Time Protocol (NTP) server or statically set the time and date.
Configuration (continued)
Additional commands configure an NTP server and enable the switch’s NTP client.
DWS-1008# set timezone PST -8
success: change accepted.
DWS-1008# set summertime PDT
success: change accepted.
DWS-1008# set ntp server 192.168.1.
Configuration (continued)
Configuring IP Connectivity
To configure IP connectivity:
1. Configure a VLAN, assign a port to the VLAN that can provide IP connectivity through the network for administrative purposes, and configure an IP address on the VLAN. (See “Configuring VLANs and IP Addresses” below.)
2. Configure a default route. (See “Configuring a Default Route” on page 28.)
3. Test the IP configuration. (See “Verifying IP Connectivity” on page 29.
Configuration (continued)
Note: To avoid confusion, do not assign numbers as VLAN names. Every VLAN on a DWS-1008 switch has both a VLAN name, used for authorization purposes, and a VLAN number. VLAN numbers are local to each switch and are not related to 802.1Q tag values, even when tagging is used.
Configuration (continued)
Verifying IP Connectivity
To verify that the switch can send and receive IP traffic, use the following command:
ping host
The ping command sends an Internet Control Message Protocol (ICMP) echo packet to the specified device and listens for a reply packet. For host, specify the IP address of a host device on the network.
Configuration (continued)
Specifying the Country of Operation
You must specify the country in which you plan to operate the switch and its access points. MSS does not allow you to configure or enable the access point radios until you specify the country of operation. To specify the country, use the following command:
set system countrycode code
For the country code, specify one of the codes listed below.
Configuration (continued)
The following example sets the country code to US (United States) and verifies the setting:
DWS-1008# set system countrycode US
success: change accepted.
DWS-1008# show system
=============================================================
Product Name: DWS-1008
System Name: DWS-1008
System Countrycode: US
System Location:
System Contact:
System Description: DWS-1008
System IP: 0.0.0.
Configuration (continued)
To verify the configuration change, use the following command:
show system
The following commands configure the system IP address to be 10.10.10.4, the IP address on VLAN mgmt, and verify the change:
DWS-1008# set system ip-address 10.10.10.4
success: change accepted.
Configuration (continued)
Configuring for Authenticating Users
A DWS-1008 switch can provide authentication, authorization, and accounting (AAA) services for wireless and wired users. Wireless users are attached to a switch through a DWL-8220AP access point. Wired users are attached to a switch through wired authentication ports. By default, all of the switch’s ports are set as wired network ports.
Configuration (continued)
Configuring APs for Wireless Users
A wireless user makes a wireless connection through an AP to the switch. The user must authenticate before connecting to the network. To allow wireless users, you must configure the switch to support an AP. To prepare a DWL-8220AP access point for use, perform the following tasks, in this order:
1. Configure the switch for the AP access it will be supporting and enable Power over Ethernet (PoE) if required.
Configuration (continued)
The image below shows examples of direct and network DWL-8220AP access point connections. This example has the following configuration requirements for the APs:
• AP1 is directly connected to the switch. The DWS-1008 needs port 2 configured as a directly connected AP.
• AP2 is connected through a Layer 2 network to the switch. The switch needs a Distributed AP configuration in order to boot and configure AP2.
Configuration (continued)
The following sections list the configuration requirements for directly attached APs and Distributed APs.
Local Connection Requirements
When an AP connects directly to a switch’s 10/100 port, the switch’s port must be configured as a DWL-8220AP access port, which supports AP traffic only. There is no intermediate networking equipment between the switch and AP, and only one AP is connected to the switch port.
Configuration (continued)
DNS - If the intermediate network between the switch and Distributed AP includes one or more IP routers, create a TRPZ.mynetwork.com or wlan-switch.mynetwork.com entry on the DNS server. The entry needs to map one of these names to the system IP address of the switch. The DNS entry allows the AP to communicate with a switch that is not on the AP’s subnet.
Configuration (continued)
Configuring for a Directly Connected AP
Caution: When you set the port type for use by locally connected APs, you must specify the PoE state (enabled or disabled) of the port. If you enable PoE on a port connected to another device, physical damage to the device can result.
Configuration (continued)
The following example sets ports 1, 2, and 4 for the DWL-8220AP access point:
DWS-1008# set port type ap 1,2,4 model dwl-8220ap poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
success: change accepted.
Configuration (continued)
Note: You can configure an AP configuration template for automatically configuring Distributed APs when they boot using the DWS-1008 switch.
The following example configures connections for two Distributed APs that are indirectly connected to the switch.
Configuration (continued)
Configure the same Distributed AP on each of the switches you want to use to manage the access point associated with the Distributed AP. Make sure to use the same Distributed AP number and serial ID on each switch.
Configuration (continued)
Configuring a Service Profile
A service profile controls advertisement and encryption for an SSID. You can specify the following:
• Whether SSIDs that use the service profile are beaconed
• Whether the SSIDs are encrypted or clear (unencrypted)
• For encrypted SSIDs, the encryption settings to use
• The fallthru authentication method for users that are not authenticated with 802.1X or MAC authentication.
Configuration (continued)
Parameter   Default Value                             Radio Behavior When Parameter Set To Default Values
psk-phrase  No passphrase defined                     Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
psk-raw     No preshared key defined                  Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
rsn-ie      (default value not shown on this page)    Does not use the RSN IE in transmitted frames.
Configuration (continued)
To create a service profile and assign an SSID to it, use the following command:
set service-profile name ssid-name ssid-name
To display a service profile, use the following command:
show service-profile name
The following commands configure a service profile named corp1 and assign encrypted SSID private_wlan to it:
DWS-1008# set service-profile corp1 ssid-name private_wlan
success: change accepted.
Configuration (continued)
The following command configures radio profile rp1:
DWS-1008# set radio-profile rp1
success: change accepted.
The table below lists the radio profile parameters and their default values.
Parameter  Default Value  Radio Behavior When Parameter Set To Default Values
11g-only   disable        Allows associations with 802.11g and 802.11b clients. This parameter applies only to 802.11b/g radios.
Configuration (continued)
Parameter        Default Value  Radio Behavior When Parameter Set To Default Values
service-profile  Not Defined    Default settings for all service profile parameters, including encryption parameters, are used.
short-retry      5              Sends a short unicast frame up to five times without acknowledgment.
wmm              enable         Prioritizes traffic based on the Wi-Fi Multimedia (WMM) standard.
Configuration (continued)
The following command configures radio 1 (the 802.11b/g radio) on Distributed AP 1 to use external antenna model ANT1060*:
DWS-1008# set dap 1 radio 1 antennatype ANT1060
success: change accepted.
Configuration (continued)
Displaying Radio Configuration Information
To verify radio configuration changes, use the following commands:
show ap config [port-list [radio {1 | 2}]]
show dap config [dap-num [radio {1 | 2}]]
* Please contact D-Link Sales for information regarding Trapeze antennas.
Configuration (continued)
Configuring User Authentication
MSS provides the following types of authentication:
• IEEE 802.1X - If the network user’s network interface card (NIC) supports 802.1X, MSS checks for an 802.1X authentication rule that matches the username (and SSID, if wireless access is requested), and that uses the Extensible Authentication Protocol (EAP) requested by the NIC.
Configuration (continued)
• Local - The switch performs all authentication with information in a local user database configured on the switch. No RADIUS servers are required. In this case, the switch needs a certificate. If you plan to use EAP with Transport Layer Security (EAP-TLS), the clients also need certificates.
• Offload - The switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client.
Configuration (continued)
Configuring RADIUS Servers for Pass-Through Authentication
To configure MSS to use a RADIUS server, use the following command:
set radius server {server-name} [address ip-addr] [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit number] [deadtime minutes] [key string] [author-password password]
To add the server(s) to a server group, use the following command:
set server group group-name members server-name1 [server-n
Configuration (continued)
DWS-1008# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server  Addr         Ports      T/o  Tries  Dead  State
-------------------------------------------------------
svr1    10.10.70.20  1812 1813  5    3      0     UP
svr2    10.10.70.
Configuration (continued)
Authentication Example for Users in a UNIX Domain
The following commands add authentication rules for user globs in a UNIX domain. Users are authenticated by using any supported EAP type to communicate with EAP-capable RADIUS server group grp1.
DWS-1008# set authentication dot1x ssid private_wlan *@mktg.example.com pass-through grp1
success: change accepted.
DWS-1008# set authentication dot1x ssid private_wlan *@eng.example.
Configuration (continued)
Configuring EAP Offload with Server Authentication
You can configure a DWS-1008 switch to perform all EAP processing locally and use RADIUS servers for authentication and authorization. To configure the DWS-1008 switch to perform EAP processing locally and use RADIUS servers for MS-CHAP-V2:
1. Install server certificates on the switch. You can install certificates assigned by a CA or generate a self-signed certificate on the switch.
2.
Configuration (continued)
DWS-1008# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server  Addr         Ports      T/o  Tries  Dead  State
-------------------------------------------------------
svr1    10.10.70.20  1812 1813  5    3      0     UP
svr2    10.10.70.
Configuration (continued)
The following command displays the beginning of the configuration file on a DWS-1008 switch configured with the commands in this chapter:
DWS-1008# show config
# Configuration nvgen’d at 2005-4-29 14:12:37
# Image 4.0.1
# Model DWS-1008
# Last change occurred at 2005-4-29 14:03:52
set ip route default 10.10.20.19 1
set system name DWS-1008
set system ip-address 10.10.10.
Configuring AAA for Administrative and Local Access
Overview of AAA for Administrative and Local Access
D-Link Mobility System Software (MSS) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the DWS-1008 for operation.
• Accounting for administrative access sessions. Accounting records can be stored and displayed locally or sent to a RADIUS server. Accounting records provide an audit trail of the time an administrative user logged in, the administrator’s username, the number of bytes transferred, and the time the session started and ended.
Types of Administrative Access
MSS allows you access to the switch with the following types of administrative access:
• Console - Access via only the console port.
• Telnet - Users who access MSS via the Telnet protocol.
• Secure Shell (SSH) - Users who access MSS via the SSH protocol.
Setting the DWS-1008 Switch Enable Password
There is one enable password for the entire DWS-1008 switch. You can optionally change the enable password from the default.
Setting the DWS-1008 Enable Password for the First Time
To set the enable password for the first time:
1. At the enabled prompt, type set enablepass.
2. At the “Enter old password” prompt, press Enter.
3.
2. To enforce the use of console authentication via the local database, type the following command:
DWS-1008# set authentication console * local
Caution: If you type this command before you have created a local username and password, you can lock yourself out of the DWS-1008 switch. Before entering this command, you must configure a local username and password.
Setting User Passwords
Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. D-Link recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack. User passwords are automatically encrypted when entered in the local database. However, the encryption is not strong.
To configure accounting for administrative logins over the network at EXAMPLE, enter the following command:
set accounting admin EXAMPLE\* start-stop | stop-only aaa-method
You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records.
Displaying the AAA Configuration
To display your AAA configuration, type the following command:
DWS-1008# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server  Addr          Ports  T/o  Tries  Dead  State
----------------------------------------------------
r1      192.168.253.
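The show aaa display above (and the same display in the pass-through and EAP-offload examples in the Configuration chapter) is the quickest place to see whether the switch's RADIUS servers are reachable and whether a shared key has been left at its (null) default. The following is an added example, not part of the D-Link manual or of MSS: a small parser for captured show aaa text that pulls out the default values and the Radius Servers table and flags servers that are not UP. The input is constructed to mirror the manual's layout, with documentation-range addresses rather than real ones; the column order (Server, Addr, auth and acct ports, T/o, Tries, Dead, State) is taken from the manual's header line.

```python
"""Parse the text of 'show aaa' from a DWS-1008 and report RADIUS servers that
are not UP, plus defaults worth a second look. Added example, not part of the
D-Link manual or MSS; the input below is constructed to mirror the layout the
manual shows (defaults line, then a 'Radius Servers' table), with
documentation-range addresses instead of real ones.
"""
import re

# Constructed sample output, modelled on the 'show aaa' display in the manual.
SAMPLE_SHOW_AAA = """\
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server  Addr         Ports      T/o  Tries  Dead  State
-------------------------------------------------------
svr1    192.0.2.10   1812 1813  5    3      0     UP
svr2    192.0.2.11   1812 1813  5    3      0     DOWN
"""

KEY_VALUE = re.compile(r"([\w-]+)=(\S+)")


def parse_show_aaa(text):
    """Return (defaults, servers): a dict of the default values and a list of
    dicts, one per row of the Radius Servers table."""
    defaults, servers = {}, []
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("---"):      # the dashed rule ends the table header
            in_table = True
            continue
        if in_table:
            f = line.split()
            if len(f) < 8:               # anything shorter is not a server row
                in_table = False
                continue
            servers.append({
                "name": f[0], "addr": f[1],
                "auth_port": int(f[2]), "acct_port": int(f[3]),
                "timeout": int(f[4]), "tries": int(f[5]),
                "dead": int(f[6]), "state": f[7],
            })
            continue
        for key, value in KEY_VALUE.findall(line):   # key=value defaults
            defaults[key] = value
    return defaults, servers


def aaa_findings(defaults, servers):
    """Things an operator would want flagged from the parsed display."""
    findings = []
    if defaults.get("key") == "(null)":
        findings.append("default RADIUS key is (null): every server should carry its own 'key' setting")
    for s in servers:
        if s["state"] != "UP":
            findings.append(f"RADIUS server {s['name']} ({s['addr']}) is {s['state']}")
    return findings


if __name__ == "__main__":
    d, srv = parse_show_aaa(SAMPLE_SHOW_AAA)
    print(f"{len(srv)} RADIUS server(s), default auth port {d.get('authport')}")
    for finding in aaa_findings(d, srv):
        print("FINDING:", finding)
```

Feed it the output of show aaa captured over the console or an SSH session; a server in any state other than UP, or a (null) default key with no per-server key configured, is worth investigating before relying on pass-through or offload authentication.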
Administrative AAA Configuration Scenarios
The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor.
Local Authentication
The first time you access a DWS-1008 switch, it requires no authentication.
DWS-1008# set authentication admin * sg1
success: change accepted.
DWS-1008# save config
success: configuration saved.
Local Override and Backup Local Authentication
This scenario illustrates how to enable local override authentication for console users. Local override means that MSS attempts authentication first via the local database.
Authentication When RADIUS Servers Do Not Respond
This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To configure unconditional authentication, Natasha sets the authentication method to none.
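Two settings from this chapter and the Configuration chapter are easy to leave behind in a saved configuration: Telnet enabled for CLI access (set ip telnet server enable, a cleartext protocol where SSH is also offered) and an authentication rule whose method list ends in none, which the scenario above describes as unconditionally allowing access when the RADIUS server does not respond. The following is an added example, not code from D-Link or MSS: an audit of show config text for those two lines. The configuration excerpt is constructed from command forms shown in the manual; the exact shape of a rule that falls back to none (assumed here to be a method list such as sg1 none) should be checked against a real show config before relying on the match.

```python
"""Audit a saved DWS-1008 configuration ('show config' text) for Telnet
management access and for authentication rules that fall through to 'none'.

Added example, not code from D-Link or MSS. The configuration below is
constructed from command forms shown in the manual; the 'sg1 none' method
list is an assumption about how a fallback to none appears in show config.
"""

# Constructed configuration excerpt in the 'show config' style of the manual.
SAMPLE_CONFIG = """\
# Configuration nvgen'd at 2005-4-29 14:12:37
# Model DWS-1008
set ip route default 10.10.20.19 1
set system name DWS-1008
set ip telnet server enable
set authentication console * local
set authentication admin * sg1 none
set authentication dot1x ssid private_wlan *@mktg.example.com pass-through grp1
"""


def auth_methods(tokens):
    """Return the method list of a 'set authentication ...' command.

    Admin/console rules read 'set authentication <type> <glob> <methods...>';
    dot1x rules carry 'ssid <name>' before the glob (per the manual's examples).
    """
    if len(tokens) > 3 and tokens[3] == "ssid":
        return tokens[6:]
    return tokens[4:]


def audit_config(text):
    """Return a list of (line number, config line, finding) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):     # comments from nvgen
            continue
        tokens = line.split()
        if tokens[:5] == ["set", "ip", "telnet", "server", "enable"]:
            findings.append((lineno, line,
                             "Telnet management access is enabled; CLI traffic is unencrypted, prefer SSH"))
        elif tokens[:2] == ["set", "authentication"] and "none" in auth_methods(tokens):
            findings.append((lineno, line,
                             f"{tokens[2]} authentication falls through to 'none': access is granted "
                             "without authentication once the preceding methods (if any) do not respond"))
    return findings


if __name__ == "__main__":
    for lineno, line, why in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {line}\n    -> {why}")
```

Run it against a saved copy of show config after each change; the none fallback is a deliberate availability trade-off in the scenario above, and the audit simply makes sure it is a known one rather than a forgotten one.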
Configuring and Managing Ports and VLANs
You can configure and display information for the following port parameters:
• Port type
• Name
• Speed and autonegotiation
• Port state
• Power over Ethernet (PoE) state
• Load sharing
Setting the Port Type
A switch port can be one of the following types:
• Network port. A network port is a Layer 2 switch port that connects the switch to other networking devices such as switches and routers.
To set ports 4 through 6 for the DWL-8220AP and enable PoE on the ports, type the following command:
DWS-1008# set port type ap 4-6 model DWL-8220AP poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
success: change accepted.
DWS-1008# set port type ap 2 model DWL-8220AP poe enable radiotype 11b
This may affect the power applied on the configured ports.
Setting a Port for a Wired Authentication User
To set a port for a wired authentication user, use the following command:
set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none}]
You must specify a port list.
Clearing a Port (continued)
Note: If clients are connected to a wired authentication port through a downstream third-party switch, the DWS-1008 attempts to authenticate based on any traffic coming from the downstream switch, such as Spanning Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic emissions such as STP BPDUs from downstream switches. If you want to provide a management path to a downstream switch, use MAC authentication.
Configuring Port Operating Parameters
Autonegotiation is enabled by default on a switch’s 10/100 Ethernet ports. You can configure the following port operating parameters:
• Speed
• Autonegotiation
• Port state
• PoE state
You also can toggle a port’s administrative state and PoE setting off and back on to reset the port.
Resetting a Port
You can reset a port by toggling its link state and PoE state. MSS disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing a DWL-8220 access point that is connected to two DWS-1008 switches to reboot using the port connected to the other switch.
Displaying PoE State
To display the PoE state of a port, use the following command:
show port poe [port-list]
To display PoE information for ports 1 and 3, type the following command:
DWS-1008# show port poe 1,3
Port  Name  Link Status  Port Type  PoE config  PoE Draw
=============================================================
1     1     down         AP         disabled    off
3     3     up           AP         enabled     1.
Monitoring Port Statistics
You can display port statistics in a format that continually updates the counters. When you enable monitoring of port statistics, MSS clears the CLI session window and displays the statistics at the top of the window. MSS refreshes the statistics every 5 seconds. This interval cannot be configured.
To cycle the display to the next set of statistics, press the Spacebar. In this example, packet statistics are displayed next:
Port  Status  Rx Unicast  Rx NonUnicast  Tx Unicast  Tx NonUnicast
=============================================================
1     Up      54620       62144          68318       62556
...
Configuring a Port Group (continued)
After you configure a port group, you can use the port group name with commands that change Layer 2 configuration parameters to apply configuration changes to all ports in the port group. For example, Spanning Tree Protocol (STP) and VLAN membership changes affect the entire port group instead of individual ports.
Interoperating with Cisco Systems EtherChannel
Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities.

Note: A wireless client cannot join a VLAN if the physical network ports on the switch in the VLAN are down. However, a wireless client that is already in a VLAN whose physical network ports go down remains in the VLAN even though the VLAN is down.

Users and VLANs
When a user successfully authenticates to the network, the user is assigned to a specific VLAN.

Traffic Forwarding
A DWS-1008 switch switches traffic at Layer 2 among ports in the same VLAN. For example, suppose you configure ports 4 and 5 to belong to VLAN 2 and ports 6 and 7 to belong to VLAN 3. As a result, traffic between port 4 and port 5 is switched, but traffic between port 4 and port 6 is not switched and needs to be routed by an external router.

802.1Q Tagging
The tagging capabilities of the switch are very flexible.

Creating a VLAN
To create a VLAN, use the following command:
set vlan vlan-num name name
Specify a VLAN number from 2 to 4095, and specify a name up to 16 alphabetic characters long. You cannot use a number as the first character in a VLAN name. D-Link recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.

Removing an Entire VLAN or a VLAN Port
To remove an entire VLAN or a specific port and tag value from a VLAN, use the following command:
clear vlan vlan-id [port port-list [tag tag-value]]
The clear vlan command with a VLAN ID but without a port list or tag value clears all ports and tag values from the VLAN.
Note: MSS does not remove a port from other VLANs when you add the port to a new VLAN.

To display information for VLAN burgundy, type the following command:
Note: You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but D-Link recommends against it.
How Entries Enter the Forwarding Database
An entry enters the forwarding database in one of the following ways:
• Learned from traffic received by the switch - When the switch receives a packet, the switch adds the packet’s source MAC address to the forwarding database if the database does not already contain an entry for that MAC address.

Use a colon between each byte in the address (for example, 11:22:33:aa:bb:cc or 11:22:33:*). You can enter the asterisk (*) at the beginning or end of the address as a wildcard, on any byte boundary. To display all entries in the forwarding database, type the following command:
DWS-1008# show fdb all
* = Static Entry. + = Permanent Entry. # = System Entry.

To clear all dynamic forwarding database entries that match all VLANs, type the following command:
DWS-1008# clear fdb dynamic
success: change accepted.
To clear all dynamic forwarding database entries that match ports 3 and 5, type the following command:
DWS-1008# clear fdb port 3,5
success: change accepted.
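The Layer 2 behaviour described in the Traffic Forwarding and forwarding database sections above (per-VLAN switching, source-MAC learning, wildcard lookup and clearing of dynamic entries) can be modelled in a few dozen lines. The following is an added example written for this page, not D-Link or MSS code: the `Switch`, `Frame` and `demo` names, the port-to-VLAN layout and every MAC address are constructed for illustration.

```python
"""Added example (not D-Link's or MSS code): a toy model of the Layer 2 forwarding
behaviour described above. A forwarding database (FDB) keyed by VLAN and MAC is
learned from the source addresses of received frames; a known destination in the
same VLAN is switched to its learned port, an unknown one is flooded within the
VLAN only, and traffic never crosses VLANs at Layer 2. show_fdb() accepts the
manual's wildcard syntax ('11:22:33:*', '*:bb:cc') and clear_dynamic() mirrors
'clear fdb dynamic' / 'clear fdb port'. All frames, MAC addresses and the
port-to-VLAN layout are constructed for the example."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Frame:
    src: str       # source MAC, colon-separated bytes
    dst: str       # destination MAC
    in_port: int   # switch port the frame arrived on


class Switch:
    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port -> VLAN (one untagged VLAN per port)
        self.fdb = {}                        # (vlan, mac) -> (port, "dynamic" | "static")

    def vlan_of(self, port):
        return self.port_vlans[port]

    def add_static(self, mac, vlan, port):
        self.fdb[(vlan, mac.lower())] = (port, "static")

    def learn(self, frame):
        """Add the source MAC for the ingress port's VLAN, but only if no entry
        exists yet (the manual: the address is added if the FDB lacks it)."""
        key = (self.vlan_of(frame.in_port), frame.src.lower())
        if key not in self.fdb:
            self.fdb[key] = (frame.in_port, "dynamic")

    def forward(self, frame):
        """Return the egress port list. Lookup is per VLAN, so a MAC learned in
        another VLAN is unknown here and the frame is flooded to this VLAN's
        other ports only; it is never switched to a port in a different VLAN."""
        self.learn(frame)
        vlan = self.vlan_of(frame.in_port)
        entry = self.fdb.get((vlan, frame.dst.lower()))
        if entry is not None:
            port, _ = entry
            return [] if port == frame.in_port else [port]
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != frame.in_port)

    def show_fdb(self, pattern="*"):
        """List (mac, vlan, port, kind) entries matching the wildcard syntax:
        '*' alone, or '*' at the start or end of the address on a byte boundary."""
        pattern = pattern.lower()
        if pattern == "*":
            regex = re.compile(r".*")
        elif pattern.endswith(":*"):
            regex = re.compile(re.escape(pattern[:-1]) + r".*")
        elif pattern.startswith("*:"):
            regex = re.compile(r".*" + re.escape(pattern[1:]))
        else:
            regex = re.compile(re.escape(pattern))
        return sorted((mac, vlan, port, kind)
                      for (vlan, mac), (port, kind) in self.fdb.items()
                      if regex.fullmatch(mac))

    def clear_dynamic(self, ports=None, vlan=None):
        """Remove dynamic entries, optionally only those on the given ports or
        VLAN; static entries are never removed. Returns the number removed."""
        removed = 0
        for key in list(self.fdb):
            entry_vlan, _ = key
            port, kind = self.fdb[key]
            if kind != "dynamic":
                continue
            if ports is not None and port not in ports:
                continue
            if vlan is not None and entry_vlan != vlan:
                continue
            del self.fdb[key]
            removed += 1
        return removed


def demo():
    # Constructed layout from the manual's example: ports 4,5 in VLAN 2; 6,7 in VLAN 3.
    sw = Switch({4: 2, 5: 2, 6: 3, 7: 3})
    sw.learn(Frame("00:0b:0e:00:00:05", "ff:ff:ff:ff:ff:ff", 5))   # host behind port 5
    sw.learn(Frame("00:0b:0e:00:00:06", "ff:ff:ff:ff:ff:ff", 6))   # host behind port 6
    same_vlan = sw.forward(Frame("00:0b:0e:00:00:04", "00:0b:0e:00:00:05", 4))
    cross_vlan = sw.forward(Frame("00:0b:0e:00:00:04", "00:0b:0e:00:00:06", 4))
    return same_vlan, cross_vlan, sw


if __name__ == "__main__":
    same_vlan, cross_vlan, sw = demo()
    print("port 4 -> port 5 host:", same_vlan)      # [5]: switched within VLAN 2
    print("port 4 -> port 6 host:", cross_vlan)     # [5]: flooded in VLAN 2, never to port 6
    print(sw.show_fdb("00:0b:0e:*"))
```

The cross-VLAN case is the point worth noticing: the frame for the VLAN 3 host is not dropped silently, it is flooded to the other VLAN 2 ports as an unknown unicast, which is why a misplaced port-to-VLAN assignment shows up as unexpected flooding rather than as an error.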
1. Assign names to ports to identify their functions, and verify the configuration change. Type the following commands:
DWS-1008# set port 1 name mgmt
success: change accepted.
DWS-1008# set port 2 name finance
success: change accepted.
DWS-1008# set port 3 name accounting
success: change accepted.
DWS-1008# set port 4 name shipping
success: change accepted.
DWS-1008# set port 5 name lobby
success: change accepted.

Boot Time: 2000-03-18 22:59:19
Uptime: 0 days 00:13:45
=============================================================
Fan status: fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok temp2 ok temp3 ok
PSU Status: Lower Power Supply DC ok AC ok
            Upper Power Supply missing
Memory: 156.08/496.04 (31%)
Total Power Over Ethernet : 0.000
=============================================================
3.

4. Configure ports 5 and 6 as wired authentication ports and verify the configuration change.

7. Save the configuration. Type the following command:
DWS-1008# save config
success: configuration saved.
D-Link Systems, Inc.
Configuring and Managing IP Interfaces and Services

MTU Support
Mobility System Software (MSS) supports standard maximum transmission units (MTUs) of 1514 bytes for standard Ethernet packets and 1518 bytes for Ethernet packets with an 802.1Q tag. MSS does not support changing of the MTU through software configuration, and MSS does not do path MTU discovery.

Adding an IP Interface
You can add an IP interface to a VLAN by statically configuring an IP address or by enabling the Dynamic Host Configuration Protocol (DHCP) client on the VLAN.

• If the address is not in use, MSS configures the VLAN that has the DHCP client enabled with the IP address received from the DHCP server. MSS then configures the other values as follows:
• Default gateway - MSS adds a default route for the gateway, with a metric of 10.

The IP interface table flags the address assigned by a DHCP server with an asterisk ( * ). In the following example, VLAN corpvlan received IP address 10.3.1.110 from a DHCP server.
DWS-1008# show interface
* = From DHCP
VLAN  Name      Address      Mask          Enabled  State  RIB
-------------------------------------------------------------------
4     corpvlan  *10.3.1.110  255.255.255.
Configuring the System IP Address
You can designate one of the IP addresses configured on a Switch to be the system IP address of the switch.

If the IP route table contains an explicit route for a given destination, MSS uses the route. Otherwise, MSS uses a default route. For example, if the route table does not have a route to host 192.168.1.10, the Switch uses the default route to forward a packet addressed to that host. D-Link recommends that you configure at least one default route. You can configure a maximum of four routes per destination.

This example also shows two static routes, which have a next-hop type (NH-Type) value of Router. Static routes have a gateway router, listed in the Gateway field. The 0.0.0.0 destination represents a default route. Here, gateway router 10.0.1.17 is reachable through the subnet on VLAN 1. Route 10.0.1.1/24 resolves the static route that uses the gateway router. Gateway router 10.0.2.

To add two default routes and configure MSS to always use the route through 10.2.4.69 when the switch interface to that gateway router is up, type the following commands:
DWS-1008# set ip route default 10.2.4.69 1
success: change accepted.
DWS-1008# set ip route default 10.2.4.17 2
success: change accepted.
To add an explicit route from a Switch to any host on the 192.168.4.x subnet through the local router 10.5.4.
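The selection rules stated above (explicit route before default route; among the up to four routes for one destination, the lowest metric whose interface is up) are easy to get wrong when reading a route table, so here is an added example that implements them. It is not D-Link or MSS code: the `RouteTable` class, its `vlan` field, the rule that a route is usable when the VLAN interface it points out of is up, and the 192.168.4.0/24 gateway 10.5.4.1 are assumptions made for the example.

```python
"""Added example (not D-Link's or MSS code): a model of the route selection rules
described above. An explicit (more specific) route for the destination is used
when one exists; otherwise a default route is used. Up to four routes may exist
for one destination, distinguished by metric, and the lowest-metric route whose
interface is up is chosen, so a second default route takes over only when the
first gateway's interface goes down. The assumption that a route is usable when
the VLAN interface it points out of is up, and all addresses, are constructed."""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


class RouteTable:
    def __init__(self):
        self.routes = []     # (network, gateway, metric, vlan)
        self.vlan_up = {}    # vlan -> bool, interface state (assumption: tracked per VLAN)

    def set_vlan_state(self, vlan, up):
        self.vlan_up[vlan] = up

    def set_route(self, dest, gateway, metric, vlan):
        """Like 'set ip route {default | dest/mask} gateway metric'; 'vlan' names the
        VLAN interface through which the gateway is reachable (example field)."""
        net = DEFAULT if dest == "default" else ipaddress.ip_network(dest, strict=False)
        if sum(1 for r in self.routes if r[0] == net) >= 4:
            raise ValueError("maximum of four routes per destination")
        self.routes.append((net, ipaddress.ip_address(gateway), metric, vlan))

    def lookup(self, dst):
        """Return the gateway address to use for dst, or None if nothing usable."""
        addr = ipaddress.ip_address(dst)
        usable = [r for r in self.routes
                  if addr in r[0] and self.vlan_up.get(r[3], False)]
        if not usable:
            return None
        # longest prefix first (explicit beats default), then lowest metric
        _net, gateway, _metric, _vlan = min(usable, key=lambda r: (-r[0].prefixlen, r[2]))
        return str(gateway)


def build_example():
    rt = RouteTable()
    for vlan in (1, 2, 3):
        rt.set_vlan_state(vlan, True)
    # The two default routes from the manual's example, preferring 10.2.4.69.
    rt.set_route("default", "10.2.4.69", 1, vlan=1)
    rt.set_route("default", "10.2.4.17", 2, vlan=2)
    # A constructed explicit route for the 192.168.4.x subnet via a local router.
    rt.set_route("192.168.4.0/24", "10.5.4.1", 1, vlan=3)
    return rt


if __name__ == "__main__":
    rt = build_example()
    print(rt.lookup("192.168.1.10"))   # 10.2.4.69: no explicit route, lowest-metric default
    print(rt.lookup("192.168.4.20"))   # 10.5.4.1: explicit route wins over the default
    rt.set_vlan_state(1, False)
    print(rt.lookup("192.168.1.10"))   # 10.2.4.17: first gateway's interface is down
```

The ordering key `(-prefixlen, metric)` is the whole rule: prefix length is compared before metric, so a default route with metric 1 never beats an explicit route with metric 10, and the metric only decides between routes to the same destination.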
Managing SSH
MSS supports Secure Shell (SSH) Version 2. SSH provides secure management access to the CLI over the network. SSH requires a valid username and password for access to the switch. When a user enters a valid username and password, SSH establishes a management session and encrypts the session data.

You must generate an SSH authentication key before you can enable SSH. You need to generate the key only once. The key must be at least 1024 bytes long. The Switch stores the key in nonvolatile storage where the key remains even after software reboots.

Changing the SSH Service Port Number
To change the SSH port the Switch listens on for SSH connections, use the following command:
set ip ssh port port-num
Caution: If you change the SSH port number from an SSH session, MSS immediately ends the session. To open a new management session, you must configure the SSH client to use the new SSH port number.

Managing Telnet
Telnet requires a valid username and password for access to the switch.

Telnet Login Timers
After the username prompt is displayed, MSS allows 30 seconds to enter a valid username and password to complete the login. If you do not press Enter or complete the login before the timer expires, MSS ends the session. This timer is not configurable.

Enabling Telnet
Telnet is disabled by default.

Changing the Telnet Service Port Number
To change the TCP port the Switch listens on for Telnet connections, use the following command:
set ip telnet port-num
Caution: If you change the Telnet port number from a Telnet session, MSS immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number.
Configuring and Managing DNS
You can configure a Switch to use a Domain Name Service (DNS) server to resolve hostnames into their IP addresses. This capability is useful in cases where you specify a hostname instead of an IP address in a command. For example, as an alternative to the command ping 192.168.9.1, you can enter the command ping chris.example.com. When you enter ping chris.example.

Enabling or Disabling the DNS Client
The DNS client is disabled by default. To enable or disable the DNS client, use the following command:
set ip dns {enable | disable}

Configuring DNS Servers
You can configure a Switch to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The Switch always sends a request to the primary DNS server first.

Adding the Default Domain Name
To add the default domain name, use the following command:
set ip dns domain name
Specify a domain name of up to 64 alphanumeric characters.

Adding an Alias
To add an alias, use the following command:
set ip alias name ip-addr
Specify an alias of up to 32 alphanumeric characters. To add an alias HR1 for IP address 192.168.1.2, type the following command:
DWS-1008# set ip alias HR1 192.168.1.2
success: change accepted.
After configuring the alias, you can use HR1 in commands in place of the IP address. For example, to ping 192.168.1.2, you can type the command ping HR1.

To statically set the time and date:
• Set the time zone (set timezone command)
• Set the summertime period (set summertime command)
• Set the time and date (set timedate command)
Note: Configure summertime before you set the time and date. Otherwise, summertime’s adjustment of the time will make the time incorrect if the date is within the summertime period.

Clearing the Time Zone
To clear the time zone, use the following command:
clear timezone

Configuring the Summertime Period
The summertime period offsets the system time by +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set.
Note: Configure summertime before you set the time and date.

Clearing the Summertime Period
To clear the summertime period, use the following command:
clear summertime

Statically Configuring the System Time and Date
To statically configure the system time and date, use the following command:
set timedate {date mmm dd yyyy [time hh:mm:ss]}
The day of the week is calculated automatically from the date you set.
MSS adjusts the NTP reply according to the following time parameters configured on the switch:
• Offset from UTC
• Daylight savings time
The NTP client is disabled by default.

Adding an NTP Server
To add an NTP server to the list of NTP servers, use the following command:
set ntp server ip-addr
To configure a Switch to use NTP server 192.168.1.5, type the following command:
DWS-1008# set ntp server 192.168.1.

Resetting the Update Interval to the Default
To reset the update interval to the default value, use the following command:
clear ntp update-interval

Enabling the NTP Client
The NTP client is disabled by default.

Displaying ARP Table Entries
To display ARP table entries, use the following command:
show arp [ip-addr]
Here is an example:
DWS-1008# show arp
ARP aging time: 1200 seconds
Host       HW Address         VLAN  Type     State
-------------------------------------------------------------
10.5.4.51  00:0b:0e:02:76:f5  1     DYNAMIC  RESOLVED
10.5.4.

To change the aging timeout, use the following command:
set arp agingtime seconds
You can specify from 0 to 1,000,000 seconds. To disable aging, specify 0. For example, to disable aging of dynamic ARP entries, type the following command:
DWS-1008# set arp agingtime 0
success: set arp aging time to 0 seconds
Note: To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.

To establish a Telnet session from the switch to 10.10.10.90, type the following command:
DWS-1008# telnet 10.10.10.90
Session 0 pty tty2.d
Trying 10.10.10.90...
Connected to 10.10.10.90
Disconnect character is ‘^t’
Copyright (c) 2002, 2003 D-Link Systems, Inc.
Username:
When you press Ctrl+t or type exit to end the client session, the management session returns to the local prompt:
DWS-1008-remote> Session 0 pty tty2.

The traceroute facility determines the address of the first hop by examining the source address field of the ICMP time-exceeded message. To identify the next hop, traceroute again sends a UDP packet, but this time with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router.
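The TTL mechanism described above is the entire basis of traceroute, and it is worth seeing the exchange from both sides: the probe with its TTL and the ICMP reply that identifies each hop. The following simulation is an added example written for this page, not D-Link or MSS code; the `Probe`, `Reply`, `send_probe` and `traceroute` names, the router path and all addresses are constructed for illustration.

```python
"""Added example (not D-Link's or MSS code): a simulation of the traceroute
mechanism described above. Each probe is a UDP datagram sent with an increasing
TTL; every router on the path decrements the TTL and, when it reaches 0, discards
the datagram and returns an ICMP time-exceeded message whose source address
identifies that hop. The destination host instead answers with ICMP
port-unreachable, which ends the trace. The path and addresses are constructed."""
from dataclasses import dataclass


@dataclass
class Probe:
    src: str
    dst: str
    ttl: int


@dataclass
class Reply:
    kind: str   # "time-exceeded" (from a router) or "port-unreachable" (from the host)
    src: str    # address of the node that generated the reply


def send_probe(path, probe):
    """path: router addresses in order, followed by the destination host.
    Returns the ICMP reply, or None if the probe is never answered."""
    ttl = probe.ttl
    for hop in path:
        if hop == probe.dst:
            return Reply("port-unreachable", hop)   # reached the destination host
        ttl -= 1                                   # router decrements TTL by 1
        if ttl == 0:
            return Reply("time-exceeded", hop)     # router discards and reports
    return None                                    # path does not lead to dst


def traceroute(path, src, dst, max_hops=30):
    """Return the list of hop addresses ('*' for an unanswered probe)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, Probe(src, dst, ttl))
        if reply is None:
            hops.append("*")
            continue
        hops.append(reply.src)
        if reply.kind == "port-unreachable":
            break
    return hops


if __name__ == "__main__":
    # Constructed path: two routers, then the target host.
    path = ["10.5.4.1", "10.0.1.17", "192.168.9.1"]
    print(traceroute(path, "10.5.4.51", "192.168.9.1"))
    # ['10.5.4.1', '10.0.1.17', '192.168.9.1']
```

The second test case below, a path that never reaches the destination, shows the familiar rows of `*`: once the TTL exceeds the number of routers that will answer, no node generates a reply and the trace runs to `max_hops`.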
* = From DHCP
VLAN  Name     Address      Mask           Enabled  State  RIB
-------------------------------------------------------------------
1     default  10.10.10.10  255.255.255.0  YES      Up     ipv4
2     roaming  10.20.10.10  255.255.255.0  YES      Up     ipv4
2. Configure the IP interface on the roaming VLAN to be the system IP address and verify the configuration change.

DWS-1008# show ip route
Router table for IPv4
Destination/Mask  Proto   Metric  NH-Type  Gateway     VLAN:Interface
------------------------------------------------------------------------
0.0.0.0/0         Static  1       Router   10.20.10.1
10.10.10.10/24    IP      0       Direct               vlan:1:ip
10.10.10.10/32    IP      0       Local                vlan:1:ip:10.10.10.10/24
10.20.10.10/24    IP      0       Direct               vlan:1:ip
10.20.10.

DWS-1008# show summertime
Summertime is enabled, and set to ‘PDT’.
Start : Sun Apr 04 2004, 02:00:00
End : Sun Oct 31 2004, 02:00:00
Offset : 60 minutes
Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.
DWS-1008# set ntp server 192.168.1.
Configuring SNMP

Overview
The MSS SNMP engine (also called the SNMP server or agent) can run any combination of the following SNMP versions:
• SNMPv1 - SNMPv1 is the simplest and least secure SNMP version. Community strings are used for authentication. Communications are in the clear (not encrypted). Notifications are traps, which are not acknowledged by the notification target (also called a trap receiver).

Setting the System Location and Contact Strings
To set the location and contact strings for a switch, use the following commands:
set system location string
set system contact string
Each string can be up to 256 characters long, with no blank spaces. The following commands set a switch’s location to 3rd_floor_closet and set the contact to sysadmin1:
DWS-1008 set system location 3rd_floor_closet
success: change accepted.

Configuring Community Strings (SNMPv1 and SNMPv2c Only)
To configure a community string for SNMPv1 or SNMPv2c, use the following command:
set snmp community name comm-string access {read-only | read-notify | notify-only | read-write | notify-read-write}
The comm-string can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 10 community strings.

Creating a USM User for SNMPv3
To create a USM user for SNMPv3, use the following command:
set snmp usm usm-username snmp-engine-id {ip ip-addr | local | hex hex-string} access {read-only | read-notify | notify-only | read-write | notify-read-write} auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string} encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string}
To clear a USM user, use the

The auth-type option specifies the authentication type used to authenticate communications with the remote SNMP engine. You can specify one of the following:
• none - No authentication is used. This is the default.
• md5 - Message-digest algorithm 5 is used.
• sha - Secure Hashing Algorithm (SHA) is used.
If the authentication type is md5 or sha, you can specify a passphrase or a hexadecimal key.
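The USM command above takes an engine ID alongside the passphrase, and the reason is the RFC 3414 password-to-key algorithm: a passphrase is never used directly, it is first stretched and then localized with the engine ID, so the resulting key differs per engine. The following is an added example written for this page, not D-Link or MSS code, showing that derivation for the md5 and sha auth-type values; the function names are constructed, and the passphrase and engine ID are the RFC 3414 appendix test vector rather than values from the manual.

```python
"""Added example (not D-Link's or MSS code): how an SNMPv3 USM auth-pass-phrase
becomes the key an engine actually uses, following the RFC 3414 password-to-key
algorithm. The passphrase is stretched by digesting 1 MiB of its repetition (Ku),
then localized by digesting Ku || engine-id || Ku (Kul), so the same passphrase
produces a different key on every SNMP engine; that is why 'set snmp usm' takes
the engine ID together with the user. The md5/sha choice maps to the manual's
auth-type values; the passphrase and engine ID used here are the RFC 3414 appendix
test vector, not values from the manual."""
import hashlib

ONE_MEBIBYTE = 1024 * 1024
DIGESTS = {"md5": "md5", "sha": "sha1"}   # auth-type -> hashlib name


def password_to_ku(passphrase: bytes, auth_type: str) -> bytes:
    """RFC 3414 A.2: digest the passphrase repeated out to exactly 1 MiB."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    repeated = (passphrase * (ONE_MEBIBYTE // len(passphrase) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(DIGESTS[auth_type], repeated).digest()


def localize(ku: bytes, engine_id: bytes, auth_type: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(DIGESTS[auth_type], ku + engine_id + ku).digest()


def usm_auth_key(passphrase: str, engine_id_hex: str, auth_type: str) -> bytes:
    """Localized authentication key for a USM user created with auth-pass-phrase.
    engine_id_hex corresponds to the 'snmp-engine-id hex hex-string' form."""
    ku = password_to_ku(passphrase.encode("utf-8"), auth_type)
    return localize(ku, bytes.fromhex(engine_id_hex), auth_type)


if __name__ == "__main__":
    engine = "000000000000000000000002"          # RFC 3414 test engine ID
    print(usm_auth_key("maplesyrup", engine, "md5").hex())
    # 526f5eed9fcce26f8964c2930787d82b
    print(usm_auth_key("maplesyrup", engine, "sha").hex())
    # 6695febc9288e36282235fc7151f128497b38f3f
```

Two practical consequences follow from the derivation. First, a manager must be configured with the same engine ID as the switch or the computed keys will not match and every authenticated request is rejected. Second, the `auth-key hex-string` alternative in the command supplies a key directly instead of a passphrase, so a hex key copied from one switch is only valid on an engine with the same engine ID.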
Setting SNMP Security
By default, MSS allows nonsecure SNMP message exchanges. You can configure MSS to require secure SNMP exchanges instead. Depending on the level of security you want MSS to enforce, you can require authentication of message exchanges only, or of message exchanges and notifications. You also can require encryption in addition to authentication. SNMPv1 and SNMPv2c do not support authentication or encryption.

Configuring a Notification Profile
A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs. A default notification profile (named default) is already configured in MSS. All notifications in the default profile are dropped by default. You can configure up to 10 notification profiles.

• ClientDot1xFailureTraps - Generated when a client experiences an 802.1X failure.
• ClientRoamingTraps - Generated when a client roams.
• CounterMeasureStartTraps - Generated when MSS begins countermeasures against a rogue access point.
• CounterMeasureStopTraps - Generated when MSS stops countermeasures against a rogue access point.

• RFDetectClientViaRogueWiredAPTraps - Generated when MSS detects, on the wired part of the network, the MAC address of a wireless client associated with a third-party AP.
• RFDetectDoSPortTraps - Generated when MSS detects an associate request flood, reassociate request flood, or disassociate request flood.
Command Examples
The following command changes the action in the default notification profile from drop to send for all notification types:
DWS-1008 set snmp notify profile default send all
success: change accepted.
The following commands create notification profile snmpprof_rfdetect, and change the action to send for all RF detection notification types:
DWS-1008 set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
DWS-1008 set snmp notify profile snmpprof_rfdetect send RFDetectSpoofedSsidAPTraps
success: change accepted.
DWS-1008 set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedAPTraps
success: change accepted.
DWS-1008 set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedOuiTraps
success: change accepted.
DWS-1008 set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedSsidTraps
success: change accepted.

To configure a notification target for informs from SNMPv2c, use the following command:
set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string inform [profile profile-name] [retries num] [timeout num]
To configure a notification target for traps from SNMPv2c, use the following command:
set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string trap [profile profile-name]
To configure a notification target for traps fro

The security option specifies the security level, and is applicable only when the SNMP version is usm:
• unsecured - Message exchanges are not authenticated, nor are they encrypted. This is the default.
• authenticated - Message exchanges are authenticated, but are not encrypted.
• encrypted - Message exchanges are authenticated and encrypted.

Displaying SNMP Information
You can display the following SNMP information:
• Version and status information
• Configured community strings
• User-based security model (USM) settings
• Notification targets
• SNMP statistics counters

Displaying SNMP Version and Status Information
To display SNMP version and status information, use the following command:
DWS-1008 show snmp status

Displaying the Configured SNMP Community Strings
To display the configu

Displaying SNMP Statistics Counters
To display SNMP statistics counters, use the following command:
DWS-1008 show snmp counters
Configuring DWL-8220AP Access Points

DWL-8220AP access points contain radios that provide networking between your wired network and IEEE 802.11 wireless users. A DWL-8220AP access point connects to the wired network through a 10/100 Ethernet link and connects to wireless users through radio signals.

Directly Connected DWL-8220APs and Distributed APs
To configure the switch to support a DWL-8220AP access point, you must first determine how the DWL-8220AP will connect to the switch. There are two types of AP to DWS-1008 connection: direct and distributed.
• In direct connection, a DWL-8220AP connects to one or two 10/100 ports on a DWS-1008. The DWS-1008 port is then configured specifically for a direct attachment to a DWL-8220AP.

subnet. If the AP is unable to locate a DWS-1008 on the subnet it is connected to, the AP sends DNS requests to both TRPZ and wlan-switch, where the DNS suffix for mynetwork.com is learned through DHCP.
• If only TRPZ is defined in DNS, the AP contacts the switch whose IP address is returned for TRPZ.
• If only wlan-switch is defined in DNS, the AP contacts the switch whose IP address is returned for wlan-switch.

on the other device:
• Disable STP on the other device’s port.
• Enable the port fast convergence feature, if supported, on the other device’s port. (On some vendors’ devices, this feature is called PortFast.)
• If the other device is running Rapid Spanning Tree or Multiple Spanning Tree, set the port into edge port mode.

AP Parameters
The table below summarizes parameters that apply to individual access points, including dual-homing parameters.
Parameter  Default                                                 Value
name       Based on the port or Distributed AP connection number.  AP name.
           For example: DWL-8220AP
bias       high
group      None
upgrade firmware blink enable
Resiliency and Dual-Homing Options for APs
APs can support a wide variety of resiliency options. Redundancy for PoE, for data link connections, and for DWS-1008 services can be provided to the AP.
• PoE redundancy - On AP models that have two Ethernet ports, you can provide PoE redundancy by connecting both ports to PoE sources. PoE can come from a directly connected DWS-1008 or a PoE injector.

AP Boot Process
A DWL-8220AP access point brings up the link on the AP’s port 1 and attempts the boot process outlined below. If you want the AP to boot from a specific DWS-1008, you must ensure that only one DWS-1008 can respond through the AP’s port 1 with a high bias under normal operation. If the boot process fails to locate any DWS-1008, the AP then attempts the boot process on the AP’s port 2.

• If a switch that receives the Find DWS-1008 message does not have the Distributed AP in its configuration but another switch in the same MobileLAN does, the switch waits two seconds, then sends a Find DWS-1008 Reply message with the IP address of the best switch to use. The determination of the best switch is based on the bias settings for the AP on each switch and on the capacity of each switch to add new active AP connections.

6. The DNS server replies with the system IP address of a switch.
• If only TRPZ is defined in DNS, the AP sends a unicast Find DWS-1008 message to the switch whose IP address is returned for TRPZ.
• If only wlan-switch is defined in DNS, the AP sends a unicast Find DWS-1008 message to the switch whose IP address is returned for wlan-switch.

Session Load Balancing
You can assign DWL-8220AP access points to a load-balancing group. A load-balancing group helps reduce congestion by distributing client sessions among the access points in the group. For example, if an 802.11b/g radio operating on channel 1 is supporting more sessions than a neighboring 802.11b/g radio operating on channel 6, the load-balancing feature can reject association requests to the radio on channel 1.
Parameter      Default  Description
auth-fallthru  none     Denies access to users who do not match an 802.1X or MAC authentication rule for the SSID requested by the user.
auth-psk       disable  Does not support using a preshared key (PSK) to authenticate WPA clients.
beacon         enable   Sends beacons to advertise the SSID managed by the service profile.
cipher-ccmp
cipher-tkip
cipher-wep104
cipher-wep40
psk-phrase
psk-raw
rsn-ie

shared-key-auth  disable          Does not use shared-key authentication. This parameter does not enable PSK authentication for WPA. To enable PSK encryption for WPA, use the set radio-profile authpsk command.
ssid-name        dlink            Uses the SSID name dlink.
ssid-type        crypto           Encrypts wireless traffic for the SSID.
tkip-mc-time     60000
wep key-index    No keys defined

Public and Private SSIDs
Each radio can support the following types of SSIDs:
• Encrypted SSID - Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network.
• Clear SSID - Clients using this SSID do not use encryption. Use the clear SSID for public access to nonsecure portions of your network.
The DWL-8220AP access point can support up to 32 SSIDs per radio.

Encryption
Encrypted SSIDs can use the following encryption methods:
• Wi-Fi Protected Access (WPA)
• Non-WPA dynamic Wired Equivalent Privacy (WEP)
• Non-WPA static WEP
Dynamic WEP is enabled by default.

Radio Profiles
You can easily assign radio configuration parameters to many radios by configuring a radio profile and assigning the profile to the radios. To use a radio, you must assign a profile to the radio.

Parameter        Default         Description
countermeasures  Not configured  Does not issue countermeasures against any device.
dtim-interval    1               Sends the delivery traffic indication map (DTIM) after every beacon.
frag-threshold   2346            Transmits frames up to 2346 bytes long without fragmentation.
long-retry       5               Sends a long unicast frame up to five times without acknowledgment.
max-rx-lifetime  2000
max-tx-lifetime  2000
preamble-length  short

rts-threshold    2346                        Transmits frames longer than 2346 bytes by means of the Request-to-Send/Clear-to-Send (RTS/CTS) method.
service-profile  No service profile defined  Default settings for all service profile parameters, including encryption parameters, are used.
short-retry      5                           Sends a short unicast frame up to five times without acknowledgment.
wmm              enable                      Prioritizes traffic based on the Wi-Fi Multimedia (WMM) standard.
values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios.

Configuring Access Points
To configure DWL-8220AP access points, perform the following tasks, in this order:
• Specify the country of operation.
• Configure a template for automatic configuration of Distributed APs.
• Configure AP access ports and dual homing.

Country         Code
Australia       AU
Austria         AT
Belgium         BE
Brazil          BR
Canada          CA
China           CN
Czech Republic  CZ
Denmark         DK
Finland         FI
France          FR
Germany         DE
Greece          GR
Hong Kong       HK
Hungary         HU
Iceland         IS
India           IN
Ireland         IE
Israel          IL
Italy           IT
Japan           JP
Liechtenstein   LI
Luxembourg      LU
Malaysia
Mexico
Netherlands
New Zealand
Norway
Poland
Portugal
Saudi Arabia
Singapo

=============================================================
Fan status: fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok temp2 ok temp3 ok
PSU Status: Lower Power Supply DC ok AC ok
            Upper Power Supply missing
Memory: 115.09/496.04 (23%)
Total Power Over Ethernet : 32.

To display the AP settings in the template, type the following command:
DWS-1008# show dap config auto
Dap auto: mode: disabled bias: high
fingerprint boot-download-enable: YES load balancing group: none
Radio 1: type: 802.11g, mode: enabled, channel: dynamic tx pwr: 15, profile: default
auto-tune max-power: default, min-client-rate: 5.5, max-retransmissions: 10
Radio 2: type: 802.
APs that receive their configurations from the template also receive the radio settings from the radio profile used by the template. Likewise, the SSIDs and encryption settings come from the service profiles mapped to the radio profile. To use a radio profile other than default, you must specify the radio profile you want to use.
Displaying Status Information for APs Configured by the Template
To display status information for APs configured by the template, type the following command:
DWS-1008# show dap status auto
Dap: 100 (auto), IP-addr: 10.8.255.
Configuring AP Port Parameters
To configure a switch for connection to an access point, you must do one of the following:
• For an access point directly connected to a switch port, configure the switch port as a DWL-8220AP access port.
• For an access point indirectly connected to a switch through an intermediate Layer or Layer network, configure a Distributed AP on the switch.
802.1X: Port uses authentication parameters configured for users.
Port groups: Not applicable.
IGMP snooping: Enabled as users are authenticated and join VLANs.
Maximum user sessions: Not applicable.
Caution: When you set the port type for AP use, you must specify the PoE state (enable or disable) of the port. Use the switch’s PoE to power D-Link DWL-8220APs only.
The dap-num parameter identifies the Distributed AP connection for the AP. Valid connection ID numbers range from 1 through 30. For the serial-id parameter, specify the serial ID of the AP, which is printed on the AP case. To display the serial ID using the CLI, use the show version details command. The model and radiotype parameters have the same options as they do with the set port type ap command.
Changing Bias
The CLI commands described in this section enable you to change the bias for an AP. To change the bias of a DWL-8220AP, use the following command:
set {ap port-list | dap dap-num} bias {high | low}
The default bias is high. To change the bias for a Distributed AP to low, type the following command:
DWS-1008# set dap 1 bias low
success: change accepted.
To enable or disable LED blink mode, use the following command:
set {ap port-list | dap dap-num} blink {enable | disable}
Configuring Security
MSS provides security for management traffic between switches and Distributed APs. When you enable the feature, all management traffic between the switch and Distributed APs that support encryption is encrypted. DWS-1008 security is disabled by default.
AP Security Requirements
AP Security Setting Fingerprint AP Has Verified in Fingerprint MSS? AP Can Establish Management Session with Switch? AP Security Required Yes Yes No No Yes1 Yes1 AP Security Optional No Yes No Yes No Not Applicable Yes No Not Applicable Yes
1. MSS generates a log message listing the AP serial number and fingerprint so you can verify the AP’s identity.
The fingerprint is displayed regardless of whether it has been verified in MSS. Note: The show dap config command lists an AP’s fingerprint only if the fingerprint has been confirmed in MSS. If the fingerprint has not been confirmed, the fingerprint field in the command output is blank.
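The fingerprint check described above is what an operator would want to automate: compare the fingerprint MSS reports for each Distributed AP against the value read from the AP case or from the log message MSS emits for an unverified AP. The following is an added example, not code from the manual or from MSS; it parses text modeled on the show dap config output format shown in this manual (the serial ID and fingerprint of Dap 1 are the manual's sample values, Dap 2 and the allowlist are constructed) and classifies each AP as verified, unconfirmed (blank fingerprint), mismatch, or unknown serial.

```python
import re

# Constructed sample modeled on the manual's "show dap config" output format.
# Dap 1 reuses the serial ID and fingerprint printed in the manual; Dap 2 is
# invented to show an AP whose fingerprint has not been confirmed (blank field).
SAMPLE_SHOW_DAP_CONFIG = """\
Dap 1: serial-id: 12345678, AP model: DWL-8220AP, bias: high, name: DAP01
 fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3
 boot-download-enable: YES
Dap 2: serial-id: 87654321, AP model: DWL-8220AP, bias: high, name: DAP02
 fingerprint:
 boot-download-enable: YES
"""

# Hypothetical operator allowlist: serial ID -> fingerprint taken from the AP
# case (or from the MSS log message for an unverified AP). Constructed values.
EXPECTED_FINGERPRINTS = {
    "12345678": "b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3",
    "87654321": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
}

DAP_RE = re.compile(r"^Dap (\d+): serial-id: (\w+),")
FP_RE = re.compile(r"^\s*fingerprint:\s*([0-9a-fA-F:]*)\s*$")


def parse_show_dap_config(text):
    """Return {dap_num: {'serial': ..., 'fingerprint': ...}} from show dap config text.

    A blank fingerprint means MSS has not confirmed the AP's fingerprint yet.
    """
    aps = {}
    current = None
    for line in text.splitlines():
        m = DAP_RE.match(line)
        if m:
            current = int(m.group(1))
            aps[current] = {"serial": m.group(2), "fingerprint": ""}
            continue
        m = FP_RE.match(line)
        if m and current is not None:
            aps[current]["fingerprint"] = m.group(1)
    return aps


def audit_fingerprints(text, expected):
    """Classify each AP as 'verified', 'unconfirmed', 'mismatch' or 'unknown-serial'."""
    result = {}
    for dap, info in parse_show_dap_config(text).items():
        want = expected.get(info["serial"])
        if want is None:
            status = "unknown-serial"      # AP not on the operator's inventory
        elif info["fingerprint"] == "":
            status = "unconfirmed"         # fingerprint not yet confirmed in MSS
        elif info["fingerprint"].lower() == want.lower():
            status = "verified"
        else:
            status = "mismatch"            # investigate before allowing the AP
        result[dap] = status
    return result


if __name__ == "__main__":
    for dap, status in sorted(audit_fingerprints(SAMPLE_SHOW_DAP_CONFIG,
                                                 EXPECTED_FINGERPRINTS).items()):
        print(f"Dap {dap}: {status}")
```

A mismatch or an unknown serial is the case that matters when AP security is set to required: the AP cannot establish a management session until the fingerprint is confirmed, and the audit tells you which entries still need attention.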
Configuring a Service Profile
A service profile is a set of parameters that control advertisement (beaconing) and encryption for an SSID. This section describes how to create a service profile and set SSID parameters. To create a service profile and assign an SSID to it, use the following command:
set service-profile name ssid-name ssid-name
An SSID can be up to 32 alphanumeric characters long.
Changing the Fallthru Authentication Type
By default, MSS denies access to users who do not match an 802.1X or MAC authentication rule, and therefore fall through these authentication types. You can change the fallthru method to last-resort.
Changing the Beacon Interval
The beacon interval is the rate at which a radio advertises its beaconed SSID(s). To change the beacon interval, use the following command:
set radio-profile name beacon-interval interval
The interval can be a value from 25 ms through 8191 ms. The default is 100. The beacon interval does not change even when advertisement is enabled for multiple SSIDs.
When a frame is long enough for the RTS/CTS method to be applicable, the radio sends a Request-To-Send (RTS) message addressed to the intended receiver for the frame. The receiver replies with a Clear-To-Send (CTS) message. When the radio receives the CTS message, the radio transmits the frame and waits for an acknowledgment from the receiver. The radio does not transmit additional frames until receiving the acknowledgment.
Changing the Long Retry Threshold
The long retry threshold specifies the number of times a radio can send a long unicast frame without receiving an acknowledgment for the frame. A long unicast frame is a frame that is equal to or longer than the RTS threshold. To change the long retry threshold, use the following command:
set radio-profile name long-retry threshold
The threshold can be a value from 1 through 15. The default is 5.
Disabling 802.11b Client Associations on 802.11b/g Radios
By default, an 802.11b/g radio allows associations from 802.11b clients as well as 802.11g clients. The radio requires a client to support the 802.11b data rates, but client support for the higher 802.11g rates is optional. This radio configuration allows both types of clients to associate with the radio and is useful in networks that have a mixture of both types of clients. When 802.
Generally, clients assume access points require long preambles and request to use short preambles only if the access point with which they are associated advertises support for short preambles. You can disable the advertisement of support for short preambles by setting the preamble length value to long. In this case, clients assume that the access point supports long preambles only, and the clients request long preambles.
Removing a Radio Profile
To remove a radio profile, use the following command:
clear radio-profile name
Note: You must disable all radios that are using a radio profile before you can remove the profile. To disable the radios that are using radio profile rptest and remove the profile, type the following commands:
DWS-1008# set radio-profile rptest mode disable
DWS-1008# clear radio-profile rptest
success: change accepted.
The parameters are shown in separate commands for simplicity. However, you can use the channel and tx-power parameters on the same command line. Specify 1 or 2 for the radio number:
• For an 802.11b/g radio on a DWL-8220AP, specify radio 1.
• For an 802.11a radio, specify radio 2.
To map a radio profile to a service profile, use the following command:
set radio-profile name service-profile name
The following command maps service profile wpa_clients to radio profile rp2:
DWS-1008# set radio-profile rp2 service-profile wpa_clients
success: change accepted.
Disabling or Reenabling All Radios Using a Profile
To disable or reenable all radios that are using a radio profile, use the following command:
set radio-profile name [mode {enable | disable}]
The following command enables all radios that use radio profile rp1:
DWS-1008# set radio-profile rp1 mode enable
success: change accepted.
Restarting an AP
To restart an access point, use the following command:
reset {ap port-list | dap dap-num}
Use the reset ap command to reset an access point configured on an AP access port. Use the reset dap command to reset a Distributed AP. When you enter one of these commands, the access point drops all sessions and reboots.
Caution: Restarting a DWL-8220AP access point can cause data loss for users who are currently associated with the AP.
To display configuration information for a Distributed AP access point configured on connection 1, type the following command:
DWS-1008# show dap config 1
Dap 1: serial-id: 12345678, AP model: DWL-8220AP, bias: high, name: DAP01
fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3
boot-download-enable: YES load balancing group: none
Radio 1: type: 802.
Displaying Connection Information for Distributed APs
A Distributed AP can have only one active data connection. To display the system IP address of the switch that has the active connection, use the following command:
show dap connection [dap-num | serial-id serial-ID]
The serial-id parameter displays the active connection for a Distributed AP even if that AP is not configured on this switch.
To display radio profile information for the default radio profile, type the following command:
DWS-1008# show radio-profile default
Beacon Interval: 100 DTIM Interval: Max Tx Lifetime: 2000 Max Rx Lifetime: RTS Threshold: 2346 Frag Threshold: Short Retry Limit: 5 Long Retry Limit: Long Preamble: NO Allow 802.
Radio 2 type: 802.
TxUniPkt TxUniByte RxPkt RxByte UndcrptPkt TxMultiPkt TxMultiByte UndcrptByte PhyError
6.0: 1888 0 632537 0 89354 1947920 0 0 421
9.0: 508 0 149925 0 0 0 0 0 0
12.0: 16 0 768 0 3 681 0 0 1
18.0: 240 0 80769 0 5 1017 0 0 0
24.0: 107057 7694 8085317 629107 1663 63543 0 0 141546
36.0: 453 0 132499 0 254 20533 0 0 1
48.0: 1152 0 601435 0 1303 65461 0 0 27
54.
Configuring User Encryption
Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN. MSS supports the following types of encryption for wireless user traffic:
• 802.11i
• Wi-Fi Protected Access (WPA)
• Non-WPA dynamic Wired Equivalent Privacy (WEP)
• Non-WPA static WEP
WEP is described in the IEEE 802.
The table below lists the encryption types supported by MSS and their default states.
Wireless Encryption Defaults
Encryption Type Client Support Default State RSN RSN clients Non-RSN clients Disabled WPA WPA clients Non-WPA clients Disabled Dynamic WEP WEP clients (WPA and RSN not supported) WEP clients (WPA and RSN not supported) Enabled Static WEP
D-Link Systems, Inc.
Configuring WPA
Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication. If the client does not support 802.1X, you can use a preshared key on the DWL-8220AP access point and the client for authentication.
• If the recalculated MIC does not match the MIC received with the frame, the frame fails the integrity check. This condition is called a MIC failure. The access point or client discards the frame and also starts a 60-second timer. If another MIC failure does not occur within 60 seconds, the timer expires.
Note: For a MAC client that authenticates using a PSK, the RADIUS servers or local database still must contain an authentication rule for the client, to assign the client to a VLAN.
WPA Information Element
A WPA information element (IE) is a set of extra fields in a wireless frame that contain WPA information for the access point or client. To enable WPA support in a service profile, you must enable the WPA IE.
The table below lists the encryption support for WPA and non-WPA clients.
To create a new service profile named wpa, type the following command:
DWS-1008# set service-profile wpa
success: change accepted.
Enabling WPA
To enable WPA, you must enable the WPA information element (IE) in the service profile.
set service-profile name tkip-mc-time wait-time
To change the countermeasures wait time in service profile wpa to 30 seconds, type the following command:
DWS-1008# set service-profile wpa tkip-mc-time 30000
success: change accepted.
Enabling PSK Authentication
By default, WPA uses 802.1X dynamic keying. If you plan to use static keys, you must enable PSK authentication and configure a passphrase or the raw key.
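The MIC failure handling described earlier (a failure starts a 60-second timer, and a second failure inside that window triggers TKIP countermeasures) and the tkip-mc-time wait time set here fit together as a small state machine. The following is an added example, not code from the manual or from MSS: it models that logic so you can reason about how long clients are refused after a countermeasures event. The 60-second failure window comes from the manual; the default wait time of 60000 ms is an assumption for the example (the manual only shows the value being changed to 30000).

```python
class TkipMicCountermeasures:
    """Model of the TKIP MIC failure countermeasures behaviour described in the
    manual: a MIC failure is discarded and starts a 60-second timer; a second
    failure before that timer expires triggers countermeasures, during which
    TKIP associations are refused for tkip-mc-time milliseconds.

    Times are plain seconds (floats) supplied by the caller, so the model is
    deterministic and easy to test.
    """

    MIC_FAILURE_WINDOW_S = 60.0  # from the manual: second failure within 60 s

    def __init__(self, tkip_mc_time_ms=60000):
        # Assumed default wait time; the manual shows tkip-mc-time being set to 30000 (30 s).
        self.wait_s = tkip_mc_time_ms / 1000.0
        self.last_failure_at = None   # start of the running 60-second timer, if any
        self.blocked_until = None     # end of the current countermeasures period, if any
        self.events = []              # audit trail of (action, when, blocked_until)

    def in_countermeasures(self, now):
        """True while TKIP associations are being refused."""
        return self.blocked_until is not None and now < self.blocked_until

    def report_mic_failure(self, now):
        """Return the action taken for a MIC failure observed at time `now` (seconds)."""
        if self.in_countermeasures(now):
            # Already refusing TKIP associations; nothing further to escalate.
            return "already-blocked"
        if (self.last_failure_at is not None
                and now - self.last_failure_at < self.MIC_FAILURE_WINDOW_S):
            # Second failure inside the window: start the countermeasures period.
            self.blocked_until = now + self.wait_s
            self.last_failure_at = None  # the failure timer restarts from scratch afterwards
            self.events.append(("countermeasures", now, self.blocked_until))
            return "countermeasures"
        # First failure, or the previous timer has expired: discard and (re)start the timer.
        self.last_failure_at = now
        self.events.append(("discard", now, None))
        return "discard"


if __name__ == "__main__":
    cm = TkipMicCountermeasures(tkip_mc_time_ms=30000)  # the manual's 30-second setting
    for t in (0, 70, 100, 125, 131):
        print(f"t={t:>4}s  {cm.report_mic_failure(t)}")
```

Two isolated failures more than 60 seconds apart are each simply discarded; only a pair inside the window triggers the wait. Lowering tkip-mc-time shortens the outage for legitimate clients but also shortens the period during which a corrupted or forged stream is shut out, which is the trade-off the setting controls.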
Examples: To configure service profile wpa to use a raw PSK with PSK clients, type a command such as the following:
DWS-1008# set service-profile wpa psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.
Disabling 802.1X Authentication for WPA
To disable 802.
Assigning the Service Profile to Radios and Enabling the Radios
After you configure WPA settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings.
If you plan to use PSK authentication, you also need to enable this authentication method and enter an ASCII passphrase or a hexadecimal (raw) key.
Creating a Service Profile for RSN
Encryption parameters apply to all users who use the SSID configured by a service profile.
After you type this command, the service profile supports both TKIP and CCMP.
Displaying RSN Settings
To display the RSN settings in a service profile, use the following command:
show service-profile {name | ?}
The RSN settings appear at the bottom of the output.
Note: The RSN-related fields appear in the show service-profile output only when RSN is enabled.
Configuring WEP
Wired-Equivalent Privacy (WEP) is a security protocol defined in the 802.11 standard. WEP uses the RC4 encryption algorithm to encrypt data. To provide integrity checking, WEP access points and clients check the integrity of a frame’s cyclic redundancy check (CRC), generate an integrity check value (ICV), and append the value to the frame before sending it.
The key value parameter specifies the hexadecimal value of the key. Type a 10-character ASCII string (representing a 5-digit hexadecimal number) or a 26-character ASCII string (representing a 13-digit hexadecimal number). You can use numbers or letters.
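The PSK section above lets you enter either an ASCII passphrase or a raw hexadecimal key, and the WEP section requires a 10- or 26-character hexadecimal key. The following is an added example, not code from the manual or from MSS, that ties the two together: it derives the 256-bit raw PSK from a passphrase and SSID using the PBKDF2-HMAC-SHA1 derivation IEEE 802.11i specifies for WPA-Personal (a standard fact, not something the manual documents for MSS), normalizes a raw key as typed at the CLI, and classifies a WEP key by the length rules the manual states. The sample inputs are constructed, except for the raw PSK taken from the manual's own psk-raw example.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def wpa_psk_from_passphrase(passphrase, ssid):
    """Derive the 256-bit raw PSK from an ASCII passphrase and an SSID.

    PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output: the derivation IEEE
    802.11i specifies for WPA/WPA2-Personal. Returns 64 lowercase hex digits,
    the same form the manual's psk-raw parameter takes.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32).hex()


def normalize_psk_raw(raw):
    """Accept a raw PSK as typed at the CLI (tolerating whitespace from line
    wrapping) and return it as exactly 64 lowercase hex digits, or raise."""
    key = "".join(raw.split())
    if len(key) != 64 or not HEX_RE.match(key):
        raise ValueError("raw PSK must be 64 hexadecimal digits (256 bits)")
    return key.lower()


def wep_key_kind(key):
    """Classify a WEP key string by the manual's length rules: 10 hex characters
    (a 40-bit key, the cipher-wep40 suite) or 26 hex characters (104-bit)."""
    if not HEX_RE.match(key):
        raise ValueError("WEP key must contain only hexadecimal characters")
    kinds = {10: "wep40", 26: "wep104"}
    if len(key) not in kinds:
        raise ValueError("WEP key must be 10 or 26 hexadecimal characters")
    return kinds[len(key)]


# Constructed sample inputs for a stand-alone run.
SAMPLE_PASSPHRASE = "password"   # IEEE 802.11i test-vector passphrase
SAMPLE_SSID = "IEEE"             # IEEE 802.11i test-vector SSID
# Raw key from the manual's psk-raw example, with its line-wrap space preserved.
MANUAL_PSK_RAW = "c25d3fe4483e867d1df96eaacdf8b02451fa 0836162e758100f5f6b87965e59d"

if __name__ == "__main__":
    print("derived PSK :", wpa_psk_from_passphrase(SAMPLE_PASSPHRASE, SAMPLE_SSID))
    print("manual PSK  :", normalize_psk_raw(MANUAL_PSK_RAW))
    print("WEP key kind:", wep_key_kind("0123456789abcdef0123456789"))
```

Because the PSK is a deterministic function of passphrase and SSID, anyone holding the passphrase (or a captured raw key) can derive the per-session keys, which is why the manual's note about still requiring an authentication rule per MAC client matters for VLAN assignment but not for confidentiality between PSK users.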
Encryption Configuration Scenarios
The following scenarios provide examples of ways in which you can configure encryption for network clients:
Enabling WPA with TKIP
The following example shows how to configure MSS to provide authentication and TKIP encryption for 802.1X WPA clients. This example assumes that pass-through authentication is used for all users. A RADIUS server group performs all authentication and authorization for the users.
1.
6. Map service profile wpa to radio profile rp1. Type the following command:
DWS-1008# set radio-profile rp1 service-profile wpa
success: change accepted.
7. Apply radio profile rp1 to radio 1 on port 5 and to radios 1 and 2 on port 6, enable the radios, and verify the configuration changes. Type the following commands:
DWS-1008# set ap 5,6 radio 1 radio-profile rp1 mode enable
success: change accepted.
2. Create a service profile named wpa-wep for the SSID. Type the following command:
DWS-1008# set service-profile wpa-wep
success: change accepted.
3. Set the SSID in the service profile to thiscorp. Type the following command:
DWS-1008# set service-profile wpa-wep ssid-name thiscorp
success: change accepted.
4. Enable WPA in service profile wpa-wep. Type the following command:
DWS-1008# set service-profile wpa-wep wpa-ie enable
success: change accepted.
8. Apply radio profile rp2 to radio 1 on port 5 and to radios 1 and 2 on port 6, enable the radios, and verify the configuration changes. Type the following commands:
DWS-1008# set ap 5,6 radio 1 radio-profile rp2 mode enable
success: change accepted.
DWS-1008# set ap 6 radio 2 radio-profile rp2 mode enable
success: change accepted.
3. Add MAC users to MAC user group wpa-for-mac. Type the following commands:
DWS-1008# set mac-user aa:bb:cc:dd:ee:ff group wpa-for-mac
success: configuration saved.
DWS-1008# set mac-user a1:b1:c1:d1:e1:f1 group wpa-for-mac
success: configuration saved.
4. Verify the AAA configuration changes.
8. Enable the WEP40 cipher suite in service profile wpa-wep-for-mac. Type the following command:
DWS-1008# set service-profile wpa-wep-for-mac cipher-wep40 enable
success: change accepted.
TKIP is already enabled by default when WPA is enabled.
9. Enable PSK authentication in service profile wpa-wep-for-mac. Type the following command:
DWS-1008# set service-profile wpa-wep-for-mac auth-psk enable
success: change accepted.
10.
DWS-1008# show ap config
Port 4: AP model: DWL-8220AP, POE: enable, bias: high, name: AP04 boot-download-enable: YES load balancing group: none
Radio 1: type: 802.11a, mode: enabled, channel: 36 tx pwr: 1, profile: rp3 auto-tune max-power: default, min-client-rate: 5.5, max-retransmissions: 10
Port 6: AP model: DWL-8220AP, POE: enable, bias: high, name: AP06 boot-download-enable: YES load balancing group: none
Radio 1: type: 802.
Configuring RF Auto-Tuning
RF AutoTuning Overview
The RF AutoTuning feature dynamically assigns channel and power settings to AP radios, and adjusts those settings when needed. RF AutoTuning can perform the following tasks:
• Assign initial channel and power settings when an AP radio is started.
• Periodically assess the RF environment and change the channel or power setting if needed.
Channel and Power Tuning
RF AutoTuning can change the channel or power of a radio to compensate for RF changes such as interference, or to maintain at least the minimum data transmit rate for associated clients. A radio continues to scan on its active data channel and on other channels and reports the results to its switch. Periodically, the switch examines these results to determine whether the channel or the power needs to be changed.
• Utilization, calculated based on the number of multicast packets per second that a radio can send on a channel while continuously sending fixed-size frames over a period of time.
• Phy error count, which is the number of frames received by the AP radio that have physical layer errors. A high number of Phy errors can indicate the presence of a non-802.11 device using the same RF spectrum.
• Received CRC error count.
channel-interval (default 3600): Every 3600 seconds, MSS examines the RF information gathered from the network and determines whether the channel needs to be changed to compensate for RF changes.
channel-holddown (default 900): MSS maintains the channel setting on a radio for at least 900 seconds regardless of RF changes.
power-config (default disable): MSS uses the highest power level allowed for the country of operation or the highest supported by the hardware, whichever is lower.
max-retransmissions (default 10): If more than 10% of the packets received by the radio from a client are retransmissions, the radio lowers the data rate to the client and, if necessary, increases power to reduce the retransmissions.
min-client-rate (default 5.5 for 802.11b/g, 24 for 802.11a): The radio maintains a transmit rate of at least 5.5 Mbps for all 802.11b/g clients and 24 Mbps for all 802.11a clients.
Changing RF AutoTuning Settings
Disabling or Reenabling Channel Tuning
RF AutoTuning for channels is enabled by default.
Changing Power Tuning Settings
Enabling Power Tuning
RF AutoTuning for power is disabled by default. To enable or disable the feature for all radios in a radio profile, use the following command:
set radio-profile name auto-tune power-config {enable | disable}
To enable power tuning for radios in the rp2 radio profile, type the following command:
DWS-1008# set radio-profile rp2 auto-tune power-config enable
success: change accepted.
Changing the Maximum Default Power Allowed On a Radio
By default, the maximum default power level that RF AutoTuning can set on a radio is the same as the maximum power level allowed for the country of operation. To change the maximum default power level that RF AutoTuning can assign, use the following command:
set {ap port-list | dap dap-num} radio {1 | 2} auto-tune max-power power-level
The power-level can be a value from 1 to 20.
Displaying RF AutoTuning Information
You can display the RF AutoTuning configuration, a list of RF neighbors, and the values of RF attributes.
Displaying RF AutoTuning Settings
To display the RF AutoTuning settings that you can configure in a radio profile, use the following command:
show radio-profile {name | ?}
Entering show radio-profile ? displays a list of radio profiles.
To display the RF AutoTuning and other individual radio settings on both radios on the Distributed AP access point configured on connection 1, type the following command:
DWS-1008# show dap config 1
Dap 1: serial-id: 12345678, AP model: dwl-8220ap, bias: high, name: DAP01
fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3
boot-download-enable: YES load balancing group: none
Radio 1: type: 802.
Displaying RF Attributes
To display the current values of the RF attributes RF AutoTuning uses to decide whether to change channel or power settings, use the following commands:
show auto-tune attributes [ap ap-num [radio {1 | 2 | all}]]
show auto-tune attributes [dap dap-num [radio {1 | 2 | all}]]
To display RF attribute information for radio 1 on the directly connected DWL-8220AP access point on port 2, type the following command:
DWS-1008# show auto-tune
Wi-Fi Multimedia
MSS supports Wi-Fi Multimedia (WMM). WMM provides wireless Quality of Service for time-sensitive applications such as voice and video. WMM is a pre-standard version of IEEE 802.11e, provided by the Wi-Fi Alliance to enable vendors to provide interoperable multimedia support before ratification of the standard.
QoS on a DWL-8220AP
DWL-8220AP access points use forwarding queues to prioritize traffic to wireless clients. When the AP receives a packet from a DWS-1008 switch, the AP places the packet into one of four forwarding queues. The AP’s queue selection is based on the IP ToS setting in the tunnel header of the encapsulated data packet received from the switch.
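The queue selection above keys on the IP ToS byte of the tunnel header. The following is an added example, not code from the manual or from the AP firmware, showing one way that selection works: it reads the ToS byte from an IPv4 header, takes its three precedence bits as the 802.1D user priority, and maps that priority to one of the four WMM access categories using the standard WMM mapping. The exact table the DWL-8220AP applies is not given on this page, so the mapping is an assumption stated in the code; the packet headers are constructed for the example.

```python
# The four WMM access categories, highest priority first.
AC_VO, AC_VI, AC_BE, AC_BK = "AC_VO", "AC_VI", "AC_BE", "AC_BK"

# Standard WMM mapping from 802.1D user priority (0-7) to access category.
# Assumption for this example: the AP uses the same mapping for its four queues.
UP_TO_AC = {
    1: AC_BK, 2: AC_BK,
    0: AC_BE, 3: AC_BE,
    4: AC_VI, 5: AC_VI,
    6: AC_VO, 7: AC_VO,
}


def dscp_to_tos(dscp):
    """Place a 6-bit DSCP value into the ToS byte (DSCP occupies the top six bits)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


def ip_precedence(tos_byte):
    """The three most significant bits of the ToS byte, used as the user priority."""
    return (tos_byte >> 5) & 0x7


def wmm_queue_for_tos(tos_byte):
    """Pick the WMM forwarding queue for a packet from its IP ToS byte."""
    return UP_TO_AC[ip_precedence(tos_byte)]


def tos_from_ipv4_header(packet):
    """The ToS byte is the second byte of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


def constructed_ipv4_header(dscp):
    """Minimal 20-byte IPv4 header with only version/IHL and ToS filled in.
    Constructed for the example; not a real captured tunnel header."""
    return bytes([0x45, dscp_to_tos(dscp)]) + bytes(18)


def classify(packet):
    """Full path: header bytes -> ToS -> queue."""
    return wmm_queue_for_tos(tos_from_ipv4_header(packet))


if __name__ == "__main__":
    # Constructed sample: common DSCP values and the queue each lands in.
    for name, dscp in (("CS6", 48), ("EF", 46), ("AF41", 34), ("CS0", 0), ("CS1", 8)):
        print(f"{name:>4} (DSCP {dscp:>2}) -> {classify(constructed_ipv4_header(dscp))}")
```

One practical caveat the run makes visible: with a pure precedence-based mapping, EF (DSCP 46, precedence 5) lands in the video queue, not the voice queue. Whether voice traffic gets the top queue therefore depends on the DSCP marking policy on the wired side and on the AP's actual table, so verify the marking end to end rather than assuming it.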
Displaying the WMM State
To display the WMM state for a radio profile, use the following command:
show radio-profile {name | ?}
The WMM state is displayed in the WMM enabled field.
Configuring and Managing Spanning Tree Protocol
The purpose of the Spanning Tree Protocol (STP) is to maintain a loop-free network. A loop-free path is accomplished when a device recognizes a loop in the topology and blocks one or more redundant paths. Mobility System Software (MSS) supports 802.1D and Per-VLAN Spanning Tree protocol (PVST+).
• MSS uses 802.1D bridge protocol data units (BPDUs) on VLAN ports that are untagged.
Bridge Priority
The bridge priority determines the switch’s eligibility to become the root bridge. You can set this parameter globally or on individual VLANs. The root bridge is elected based on the bridge priority of each device in the spanning tree. The device with the highest bridge priority is elected to be the root bridge for the spanning tree. The bridge priority is a numeric value from 0 through 65,535.
Changing the Bridge Priority
To change the bridge priority, use the following command:
set spantree priority value {all | vlan vlan-id}
Specify a bridge priority from 0 through 65,535. The default is 32,768. The all option applies the change globally to all VLANs. Alternatively, specify an individual VLAN. To change the bridge priority of VLAN pink to 70, type the following command:
DWS-1008# set spantree priority 70 vlan pink
success: change accepted.
The command applies only to the ports you specify. The port cost on other ports remains unchanged. To reset the cost of ports 3 and 4 in the default VLAN to the default value, type the following command:
DWS-1008# clear spantree portcost 3-4
success: change accepted.
To reset the cost of ports 3 and 4 for VLAN beige, type the following command:
DWS-1008# clear spantree portvlancost 3-4 vlan beige
success: change accepted.
Changing Spanning Tree Timers
You can change the following STP timers:
• Hello interval - The interval between configuration messages sent by a switch when the switch is acting as the root bridge. You can specify an interval from 1 through 10 seconds. The default is 2 seconds.
• Forwarding delay - The period of time a bridge other than the root bridge waits after receiving a topology change notification to begin forwarding data packets.
Changing the STP Maximum Age
To change the maximum age, use the following command:
set spantree maxage aging-time {all | vlan vlan-id}
Specify an age from 6 through 40 seconds. The default is 20 seconds. The all option applies the change to all VLANs. Alternatively, specify an individual VLAN.
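The three timers above (hello interval, forwarding delay, maximum age) are not independent: IEEE 802.1D requires 2 × (forward delay − 1) ≥ max age ≥ 2 × (hello + 1), and a value that is individually in range can still leave the spanning tree unstable when combined with the others. The following is an added example, not code from the manual or from MSS, that checks a proposed set of timers against the ranges the manual states for hello and max age and against that 802.1D relationship before you type the set spantree commands. The forward-delay range (4 through 30 seconds) is the 802.1D range, an assumption here because this page does not state the MSS range.

```python
def check_stp_timers(hello=2, forward_delay=15, max_age=20):
    """Validate STP timers (seconds) before applying them.

    Ranges: hello 1..10 and max age 6..40 are the manual's stated ranges;
    forward delay 4..30 is the IEEE 802.1D range (assumed for MSS).
    Relationship (IEEE 802.1D): 2*(forward_delay - 1) >= max_age >= 2*(hello + 1).
    Returns a list of problem strings; an empty list means the set is consistent.
    """
    problems = []
    if not 1 <= hello <= 10:
        problems.append(f"hello {hello}s outside 1..10")
    if not 6 <= max_age <= 40:
        problems.append(f"max age {max_age}s outside 6..40")
    if not 4 <= forward_delay <= 30:
        problems.append(f"forward delay {forward_delay}s outside 4..30 (802.1D range)")
    lower = 2 * (hello + 1)
    upper = 2 * (forward_delay - 1)
    if max_age < lower:
        problems.append(f"max age {max_age}s < 2*(hello+1) = {lower}s: "
                        "BPDUs would age out before the next hello is reliably received")
    if max_age > upper:
        problems.append(f"max age {max_age}s > 2*(forward delay-1) = {upper}s: "
                        "ports could start forwarding before stale topology information expires")
    return problems


def suggested_max_age_range(hello=2, forward_delay=15):
    """The max age values that satisfy both the 802.1D relationship and the manual's 6..40 range."""
    lower = max(6, 2 * (hello + 1))
    upper = min(40, 2 * (forward_delay - 1))
    return (lower, upper) if lower <= upper else None


if __name__ == "__main__":
    # Constructed candidate settings: the defaults, then two that look fine in isolation.
    for cand in ({}, {"hello": 10, "max_age": 20}, {"forward_delay": 4, "max_age": 20}):
        h = cand.get("hello", 2); f = cand.get("forward_delay", 15); a = cand.get("max_age", 20)
        print(f"hello={h} fwddelay={f} maxage={a}:",
              check_stp_timers(h, f, a) or "ok",
              "| valid max age:", suggested_max_age_range(h, f))
```

The defaults (2, 15, 20) pass. Raising the hello interval to 10 seconds while leaving max age at 20 fails the lower bound, and dropping forward delay to 4 seconds fails the upper bound, which is the kind of inconsistency the per-command range checks at the CLI cannot catch on their own.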
Uplink Fast Convergence
Uplink fast convergence enables a DWS-1008 switch that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails. Uplink fast convergence bypasses the listening and learning states to immediately enter the forwarding state.
Configuring Backbone Fast Convergence
To enable or disable backbone fast convergence, use the following command:
set spantree backbonefast {enable | disable}
To enable backbone fast convergence on all VLANs, type the following command:
DWS-1008# set spantree backbonefast enable
success: change accepted.
Displaying Spanning Tree Information
You can use CLI commands to display the following STP information:
• Bridge STP settings and individual port information
• Blocked ports
• Statistics
• Port fast, backbone fast, and uplink fast convergence information
Displaying STP Bridge and Port Information
To display STP bridge and port information, use the following command:
show spantree [port-list | vlan vlan-id] [active]
By default, STP information for all po
Displaying the STP Port Cost on a VLAN Basis
To display a brief list of the STP port cost for a port in each of its VLANs, use the following command:
show spantree portvlancost port-list
This command displays the same information as the show spantree command’s Cost field, in a concise format for all VLANs. The show spantree command lists all the STP information separately for each VLAN.
To display STP statistics for port 1, type the following command:
DWS-1008# show spantree statistics 1
BPDU related parameters
Port 1 VLAN 1
spanning tree enabled for VLAN = 1
port spanning tree enabled
state Forwarding
port_id 0x8015
port_number 0x15
path cost 0x4
message age (port/VLAN) 0(20)
designated_root 00-0b-0e-00-04-30
designated cost 0x0
designated_bridge 00-0b-0e-00-04-30
designated_port 38
top_change_ack FALSE
config_pending FALSE
port_inc
bridge forward delay 15
topology change initiator 0
last topology change occurred: Tue Jul 01 2003 22:33:36.
topology change FALSE
topology change time 35
topology change detected FALSE
topology change count 1
topology change last recvd.
DWS-1008# show port status
Port Name Admin Oper Config Actual Type Media
=============================================================
1 up up auto 100/full network 10/100BaseTx
2 down down auto network
3 down down auto network
4 up down auto network 10/100BaseTx
5 up down auto network 10/100BaseTx
6 up down auto network 10/100BaseTx
7 up down auto network 10/100BaseTx
8 up down auto network 10/100BaseTx
2.
Bridge ID Priority 32768
Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec
Port Vlan Port-State Cost Prio Portfast
-------------------------------------------------------------------
2 10 Disabled 4 128 Disabled
3 10 Disabled 4 128 Disabled
4. Reconnect or reenable ports 2 and 3 and verify the change.
Configuring and Managing IGMP Snooping
Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a DWS-1008 switch by forwarding packets for a multicast group only on the ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traffic addressed to a specific Class D IP address, the group address.
Note: D-Link recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet.
Changing the Query Response Interval
To set the query response interval, use the following command:
set igmp qri tenth-seconds [vlan vlan-id]
You can specify a value from 1 through 65,535 tenths of a second. The default is 100 tenths of a second (10 seconds).
Configuring Static Multicast Ports A DWS-1008 switch learns about multicast routers and receivers from multicast traffic it receives from those devices. When the switch receives traffic from a multicast router or receiver, the switch adds the port that received the traffic as a multicast router or receiver port.
To display multicast information for VLAN orange, type the following command:
DWS-1008# show igmp vlan orange
VLAN: orange
IGMP is enabled
Proxy reporting is on
Mrouter solicitation is on
Querier functionality is off
Configuration values: qi: 125 oqi: 300 qri: 100 lmqi: 10 rvalue: 2
Multicast router information:
Port Mrouter-IPaddr Mrouter-MAC Type TTL
--------------------------------------------------------------------------------
1
Displaying Multicast Statistics Only To display multicast statistics only without also displaying all the other multicast information, use the following command: show igmp statistics [vlan vlan-id] Clearing Multicast Statistics To clear the multicast statistics counters, use the following command: clear igmp statistics [vlan vlan-id] The counters begin incrementing again, starting from 0.
Displaying Multicast Receivers To display information about the multicast receivers only without also displaying all the other multicast information, use the following command: show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length] Use the group parameter to display receivers for a specific group or set of groups. For example, to display receivers for multicast groups 237.255.255.1 through 237.255.255.
Configuring and Managing Security ACLs
About Security Access Control Lists
A security access control list (ACL) filters packets for the purpose of discarding them, permitting them, or permitting them with modification (marking) for class-of-service (CoS) priority treatment.
Overview of Security ACL Commands The figure below provides a visual overview of the way you use MSS commands to set a security ACL, commit the ACL so it is stored in the configuration, and map the ACL to a user session, VLAN, port, virtual port, or Distributed AP.
Creating and Committing a Security ACL The security ACLs you create can filter packets by source address, IP protocol, port type, and other characteristics. When you configure an ACE for a security ACL, MSS stores the ACE in the edit buffer until you commit the ACL to be saved to the permanent configuration.
Common IP Protocol Numbers (Number: IP Protocol)
1: Internet Control Message Protocol (ICMP)
2: Internet Group Management Protocol (IGMP)
6: Transmission Control Protocol (TCP)
9: Any private interior gateway (used by Cisco for Internet Gateway Routing Protocol)
17: User Datagram Protocol (UDP)
46: Resource Reservation Protocol (RSVP)
47: Generic Routing Encapsulation (GRE) protocol
50: Encapsulation Security Payload for IPSec (I
51 55 88 89 103 112 115
Class of Service Class-of-service (CoS) assignment determines the priority treatment of packets transmitted by a DWS-1008 switch, corresponding to a forwarding queue on the AP. The table below shows the results of CoS priorities you assign in security ACLs.
The before 1 portion of the ACE places it before any others in the ACL, so it has precedence over any later ACEs for any parameter settings that are met. ICMP includes many messages that are identified by a type field. Some also have a code within that type. The table below lists some common ICMP types and codes.
Setting a TCP ACL The following command filters TCP packets: set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [established] [before editbuffer-index | modify editbuffer-index] [hits] For example, the following command permits packets sent from IP address 192.168.1.5 to 192.168.1.
Committing a Security ACL To put the security ACLs you have created into effect, use the commit security acl command with the name of the ACL. For example, to commit acl-99, type the following command: DWS-1008# commit security acl acl-99 success: change accepted. To commit all the security ACLs in the edit buffer, type the following command: DWS-1008# commit security acl all success: change accepted.
Viewing Committed Security ACLs To view a summary of the committed security ACLs in the configuration, type the following command:
DWS-1008# show security acl
ACL table
ACL Type Class Mapping
----------------------------------------------
acl-2 IP Static
acl-3 IP Static
acl-4 IP Static
Viewing Security ACL Details You can display the contents of one or all security ACLs that are committed.
Displaying Security ACL Hits Once you map an ACL, you can view the number of packets it has filtered, if you included the keyword hits.
Mapping Security ACLs User-based security ACLs are mapped to an IEEE 802.1X authenticated session during the AAA process. You can specify that one of the authorization attributes returned during authentication is a named security ACL. The switch maps the named ACL automatically to the user’s authenticated session. Security ACLs can also be mapped statically to ports, VLANs, virtual ports, or Distributed APs.
Mapping Target: Commands
User authenticated by a password:
set user username attr filter-id acl-name.in
set user username attr filter-id acl-name.out
User authenticated by a MAC address:
set mac-user username attr filter-id acl-name.in
set mac-user username attr filter-id acl-name.out
When assigned the Filter-Id attribute, an authenticated user with a current session receives packets based on the security ACL.
Displaying ACL Maps to Ports, VLANs, and Virtual Ports Two commands display the port, VLAN, virtual port, and Distributed AP mapping of a specific security ACL.
configuration in the local database on the switch or on the RADIUS servers where packet filters are authorized. To delete a security ACL from a user’s configuration on a RADIUS server, see the documentation for your RADIUS server. If you no longer need the security ACL, delete it from the configuration with the clear security acl and commit security acl commands. (See Clearing Security ACLs.
DWS-1008# set security acl ip acl-violet permit 192.168.123.11 0.0.0.255 hits 3. To commit the updated security ACL acl-violet, type the following command: DWS-1008# commit security acl acl-violet success: change accepted. 4. To display the updated acl-violet, type the following command: DWS-1008# show security acl info all ACL information for all set security acl ip acl-violet (hits #2 0) ---------------------------------------------------1.
DWS-1008# show security acl info all
ACL information for all
set security acl ip acl-111 (hits #4 0)
---------------------------------------------------
1. deny IP source IP 192.168.254.12 0.0.0.255 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any
set security acl ip acl-2 (hits #1 0)
---------------------------------------------------
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.
DWS-1008# show security acl info all
ACL information for all
set security acl ip acl-111 (hits #4 0)
---------------------------------------------------
1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any
set security acl ip acl-2 (hits #1 0)
---------------------------------------------------
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.
DWS-1008# show security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)
---------------------------------------------------
1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.253.1 0.0.0.
DWS-1008# set security acl map acl1 dap 2 out success: change accepted. The default action on an interface and traffic direction that has at least one access control entry (ACE) configured, is to deny all traffic that does not match an ACE on that interface and traffic direction. The permit 0.0.0.0 255.255.255.255 ACE ensures that traffic that does not match the first ACE is permitted.
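The ACE ordering, wildcard masks, edit buffer, before/hits keywords and implicit deny described here and under Creating and Committing a Security ACL, modelled in Python as an added example (this is not code from the manual or from MSS; the class names, the sample ACL commands and the packets are constructed):

```python
"""Model of DWS-1008 (MSS) security ACL editing, commit and evaluation.
Added example, not manual or MSS code; names, commands and packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

ANY_MASK = "255.255.255.255"   # wildcard mask that matches every address


def wildcard_match(addr: str, base: str, mask: str) -> bool:
    """MSS masks are wildcard masks: a 1 bit means "do not care", so
    0.0.0.0 is an exact match and 255.255.255.255 matches any address."""
    a, b = (int(ipaddress.IPv4Address(x)) for x in (addr, base))
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IP protocol
    src: str
    src_mask: str
    dst: str = "0.0.0.0"
    dst_mask: str = ANY_MASK
    cos: Optional[int] = None   # CoS marking on permit, if given
    count_hits: bool = False    # the optional "hits" keyword
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_mask)
                and wildcard_match(pkt["dst"], self.dst, self.dst_mask))


class SecurityAcls:
    """Edit buffer (uncommitted ACEs) plus the committed ACL table."""

    def __init__(self) -> None:
        self.edit_buffer: Dict[str, List[Ace]] = {}
        self.committed: Dict[str, List[Ace]] = {}

    def set_ace(self, command: str) -> None:
        """Parse 'set security acl ip <name> {permit [cos n] | deny} ...' (source-only
        form or '<proto> src mask dst mask' form, plus before/hits) into the edit buffer."""
        t = command.split()
        if t[:4] != ["set", "security", "acl", "ip"] or t[5] not in ("permit", "deny"):
            raise ValueError("unsupported command: " + command)
        name, action, rest = t[4], t[5], t[6:]
        cos = None
        if action == "permit" and rest[:1] == ["cos"]:
            cos, rest = int(rest[1]), rest[2:]
        count_hits = "hits" in rest
        if count_hits:
            rest.remove("hits")
        before = None
        if "before" in rest:
            i = rest.index("before")
            before = int(rest[i + 1]) - 1        # editbuffer-index is 1-based
            del rest[i:i + 2]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):
            proto = rest[0]
            src, src_mask, dst, dst_mask = rest[1:5]
        else:                                    # source address and mask only
            proto, dst, dst_mask = "ip", "0.0.0.0", ANY_MASK
            src, src_mask = rest[0:2]
        ace = Ace(action, proto, src, src_mask, dst, dst_mask, cos, count_hits)
        # The first edit of an ACL loads its committed ACEs into the buffer.
        buf = self.edit_buffer.setdefault(name, list(self.committed.get(name, [])))
        if before is None:
            buf.append(ace)
        else:
            buf.insert(before, ace)

    def commit(self, name: str = "all") -> None:
        """'commit security acl <name>' or 'commit security acl all'."""
        for n in (list(self.edit_buffer) if name == "all" else [name]):
            self.committed[n] = self.edit_buffer.pop(n)

    def evaluate(self, name: str, pkt: dict) -> Tuple[str, Optional[int]]:
        """First matching committed ACE decides; an ACL with at least one ACE denies
        whatever matches none (implicit deny); an uncommitted ACL filters nothing."""
        aces = self.committed.get(name, [])
        if not aces:
            return "permit", None
        for ace in aces:
            if ace.matches(pkt):
                if ace.count_hits:
                    ace.hits += 1
                return ace.action, ace.cos
        return "deny", None


def demo() -> SecurityAcls:
    """Constructed scenario in the spirit of the manual's acl-111 and acl1."""
    acls = SecurityAcls()
    acls.set_ace("set security acl ip acl-111 permit 192.168.253.11 0.0.0.0")
    # Deny the whole 192.168.254.0/24 source block (wildcard 0.0.0.255), placed first.
    acls.set_ace("set security acl ip acl-111 deny 192.168.254.12 0.0.0.255 before 1 hits")
    # Without this catch-all permit, all other traffic would hit the implicit deny.
    acls.set_ace("set security acl ip acl-111 permit cos 6 0.0.0.0 255.255.255.255")
    acls.commit("acl-111")
    return acls
```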
Desired WMM Priority: CoS Value to Enter in the CLI
Background: 1 or 2
Best effort: 0 or 3
Video: 4 or 5
Voice: 6 or 7
Enabling Prioritization for Legacy Voice over IP MSS supports Wi-Fi Multimedia (WMM). WMM support is enabled by default and is automatically used for priority traffic between WMM-capable devices. MSS also can provide prioritization for non-WMM VoIP devices.
DWS-1008# commit security acl voip 4. Map the ACL to the outbound traffic direction of VLAN corp_vlan: DWS-1008# set security acl map voip vlan corp_vlan out Enabling SVP Optimization for SpectraLink Phones You can configure MSS to prioritize voice traffic for VoIP phones that use SpectraLink Voice Priority (SVP).
Security ACL Configuration Scenario The following scenario illustrates how to create a security ACL named acl-99 that consists of one ACE to permit incoming packets from one IP address, and how to map the ACL to a port and a user: 1. Type the following command to create and name a security ACL and add an ACE to it. DWS-1008# set security acl ip acl-99 permit 192.168.1.1 0.0.0.0 2.
7. To save your configuration, type the following command: DWS-1008# save config success: configuration saved.
Managing Keys and Certificates
A digital certificate is a form of electronic identification for computers. The DWS-1008 switch requires digital certificates to authenticate its communications to Extensible Authentication Protocol (EAP) clients for which the switch performs all EAP processing. Certificates can be generated on the switch or obtained from a certificate authority (CA).
2. Inside the switch’s digital certificate is the switch’s public key, which the wireless client uses to encrypt a pre-master secret key. 3. The wireless client then sends the key back to the switch so that both the switch and the client can derive a key from this pre-master secret for secure authentication and wireless session encryption.
Public Key Infrastructures A public-key infrastructure (PKI) is a system of digital certificates and certification authorities that verify and authenticate the validity of each party involved in a transaction through the use of public key cryptography.
PKCS #7, PKCS #10, and PKCS #12 Object Files Public-Key Cryptography Standards (PKCS) are encryption interface standards created by RSA Data Security, Inc., that provide a file format for transferring data and cryptographic information. D-Link supports the PKCS object files listed in PKCS Object Files Supported by D-Link.
PKCS #12 Personal Information Exchange Syntax Standard Contains a certificate signed by a CA and a public-private key pair provided by the CA to go with the certificate. Because the key pair comes from the CA, you do not need to generate a key pair or a certificate request on the switch. Instead, use the copy tftp command to copy the file onto the switch. Use the crypto otp command to enter the one-time password assigned to the file by the CA.
• PKCS #12 object file certificate - More secure than using self-signed certificates, but slightly less secure than using a Certificate Signing Request (CSR), because the private key is distributed in a file from the CA instead of generated by the switch itself. The PKCS #12 object file is more complex to deal with than self-signed certificates.
You must include a common name (string) when you generate a self-signed certificate. The other information is optional. Use a fully qualified name if such names are supported on your network. The certificate appears after you enter this information. Installing a Key Pair and Certificate from a PKCS #12 Object File PKCS object files provide a file format for storing and transferring data and cryptographic information.
3. Unpack the PKCS #12 object file into the certificate and key storage area on the switch. Use the following command: crypto pkcs12 {eap} filename The filename is the location of the file on the switch. Creating a CSR and Installing a Certificate from a PKCS #7 Object File After creating a public-private key pair, you can obtain a signed certificate of authenticity from a CA by generating a Certificate Signing Request (CSR) from the switch.
Installing a CA’s Own Certificate If you installed a CA-signed certificate from a PKCS #7 file, you must also install the PKCS #7 certificate of that CA. (If you used the PKCS #12 method, the CA’s certificate is usually included with the key pair and server certificate.) To install a CA’s certificate, use the following command: crypto ca-certificate {eap} PEM-formatted-certificate When prompted, paste the certificate under the prompt.
Key and Certificate Configuration Scenarios The first scenario shows how to generate self-signed certificates. The second scenario shows how to install CA-signed certificates using PKCS #12 object files, and the third scenario shows how to install CA-signed certificates using CSRs (PKCS #10 object files) and PKCS #7 object files. Creating Self-Signed Certificates To manage the security of communication with 802.
Installing CA-Signed Certificates from PKCS #12 Object Files This scenario shows how to use PKCS #12 object files to install public-private key pairs, CA-signed certificates, and CA certificates for 802.1X (EAP) access. 1. Set time and date parameters, if not already set. 2. Obtain PKCS #12 object files from a certificate authority. 3. Copy the PKCS #12 object files to nonvolatile storage on the switch.
Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File This scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for 802.1X (EAP) access. 1. Set time and date parameters, if not already set. 2. Generate public-private key pairs: DWS-1008# crypto generate key eap 1024 key pair generated 3.
8. Paste the signed certificate text block into the switch’s CLI, below the prompt. 9. Display information about the certificate, to verify it: DWS-1008# show crypto certificate eap 10. Repeat the steps from “Create a CSR (PKCS #10 object file) to request an ad” through “Display information about the certificate, to verify it” to obtain and install the EAP (802.1X) certificate. 11. Obtain the CA’s own certificate. 12.
Configuring AAA for Network Users
About AAA for Network Users Network users include the following types of users: • Wireless users - Users who access the network by associating with an SSID on a D-Link radio. • Wired authentication users - Users who access the network over an Ethernet connection to a switch port that is configured as a wired authentication (wired-auth) port.
The username or MAC address can be an exact match or can match a user glob or MAC address glob, which allow wildcards to be used for all or part of the username or MAC address. Authentication Types MSS provides the following types of authentication: • IEEE 802.1X - If the network user’s network interface card (NIC) supports 802.1X, MSS checks for an 802.
Last-resort is described in Authentication Types. None means the user is automatically denied access. The fallthru authentication type for wireless access is associated with the SSID (through a service profile). The fallthru authentication type for wired authentication access is specified with the wired authentication port.
• For a user to be successfully authenticated by an 802.1X rule, the username and password entered by the user must be configured on the RADIUS servers used by the authentication rule or in the switch’s local database, if the local database is used by the rule.
• Mobility-Profile - Controls the switch ports a user can access. For wireless users, an MSS Mobility Profile specifies the access points through which the user can access the network. For wired authentication users, the Mobility Profile specifies the wired authentication ports through which the user can access the network. • SSID - SSID the user is allowed to access after authentication.
AAA for network users controls and monitors their use of the network: • Classification for customized access. As with administrative and console users, you can classify network users through username globbing. Based on the structured username, different AAA treatments can be given to different classes of user. For example, users in the human resources department can be authenticated differently from users in the sales department.
“Globs” and Groups for Network User Classification “Globbing” lets you classify users by username or MAC address for different AAA treatments. A user glob is a string used by AAA and IEEE 802.1X methods to match a user or set of users. MAC address globs match authentication methods to a MAC address or set of MAC addresses. User globs and MAC address globs can make use of wildcards.
Local Override Exception The one exception to the operation described in AAA Rollover Process takes place if the local database is the first method in the list and is followed by a RADIUS server group method. If the local method fails to find a matching username entry in the local database, the switch tries the next RADIUS server group method. This exception is referred to as local override.
3. If server-2 does not respond, because the switch has no more servers to try in server-group-1, the switch attempts to authenticate using the next AAA method, which is the local method. 4. The switch consults its local database for an entry that matches Jose@example.com. 5. If a suitable local database entry exists, the authentication proceeds. If not, authentication fails and Jose@example.com is not allowed to access the network. IEEE 802.
PEAP-MS-CHAP-V2 (Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2): The wireless client authenticates the server (either the switch or a RADIUS server) using TLS to set up an encrypted session. Mutual authentication is performed by MS-CHAP-V2. Wireless and wired authentication: • The PEAP portion is processed on the switch.
Effects of Authentication Type on Encryption Method Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods: • Wi-Fi Protected Access (WPA) encryption • Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption • Non-WPA static WEP encryption The authentication method you assign to a user determines the encryption available to the user.
2. The first command whose SSID and user glob matches the SSID and incoming username is used to process this authentication. The command determines exactly how this particular login attempt is processed by the switch. Configuring EAP Offload You can configure the switch to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols.
For example, the following command authenticates 802.1X user Jose for wired authentication access via the local database: DWS-1008# set authentication dot1X Jose wired peap-mschapv2 local success: change accepted. Binding User Authentication to Machine Authentication Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user’s authentication to authentication of the machine from which the user is attempting to log on.
The authentication rule for the machine must be higher up in the list of authentication rules than the authentication rule for the user. You must use 802.1X authentication rules. The 802.1X authentication rule for the machine must use pass-through as the protocol. D-Link recommends that you also use pass-through for the user’s authentication rule. The rule for the machine and the rule for the user must use a RADIUS server group as the method.
If a Bonded Auth user’s session is ended due to 802.1X reauthentication or the RADIUS Session-Timeout parameter, MSS can allow time for the user to reauthenticate. The amount of time that MSS allows for reauthentication is controlled by the Bonded Auth period. If the user does not reauthenticate within the Bonded Auth period, MSS deletes the information about the machine session.
The following command sets the Bonded Auth period to 60 seconds, to allow time for WEP users to reauthenticate: DWS-1008# set dot1x bonded-period 60 success: change accepted. Displaying Bonded Auth Configuration Information To display Bonded Auth configuration information, use the following command: show dot1x config In the following example, bob.mycorp.com uses Bonded Auth, and the Bonded Auth period is set to 60 seconds.
Users authorized by MAC address require a MAC authorization password if RADIUS authentication is desired. The default well-known password is dlink. Caution: Use this method with care. IEEE 802.11 frames can be forged and can result in unauthorized network access if MAC authentication is employed. Adding and Clearing MAC Users and User Groups Locally MAC users and groups can gain network access only through the switch.
For example, the following command removes MAC user 01:0f:03:04:05:06 from the group the user is in: DWS-1008# clear mac-user 01:0f:03:04:05:06 group success: change accepted. The clear mac-usergroup command removes the group.
For example, to add the MAC user 00:01:02:03:04:05 to VLAN red: DWS-1008# set mac-user 00:01:02:03:04:05 attr vlan-name red success: change accepted. To change the value of an authorization attribute, reenter the command with the new value.
Configuring Last-Resort Access Users who are not authenticated and authorized by 802.1X methods or a MAC address can gain limited access to the network as guest users. You can optionally configure a special username called last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. To match on the wildcard SSID name any, configure user last-resort-any, exactly as spelled here.
Configuring AAA for Users of Third-Party APs A switch can provide network access for users associated with a third-party AP that has authenticated the users with RADIUS. You can connect a third-party AP to a switch and configure the switch to provide authorization for clients who authenticate and access the network through the AP. Authentication Process for Users of a Third-Party AP 1. MSS uses MAC authentication to authenticate the AP. 2.
Requirements Third-Party AP Requirements • The third-party AP must be connected to the switch through a wired Layer 2 link. MSS cannot provide data services if the AP and switch are in different Layer 3 subnets. • The AP must be configured as the switch’s RADIUS client. • The AP must be configured so that all traffic for a given SSID is mapped to the same 802.1Q tagged VLAN. If the AP has multiple SSIDs, each SSID must use a different tag value.
Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs To configure MSS to authenticate 802.1X users of a third-party AP, use the commands below to do the following: • Configure the port connected to the AP as a wired authentication port. Use the following command: set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none}] • Configure a MAC authentication rule for the AP.
The following command configures a MAC authentication rule that matches on the third-party AP’s MAC address. Because the AP is connected to the switch on a wired authentication port, the wired option is used. DWS-1008# set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1 success: change accepted. The following command maps SSID mycorp to packets received on port 3 or 4, using 802.
Configuring Access for Any Users of a Non-Tagged SSID If SSID traffic from the third-party AP is untagged, use the same configuration commands as the ones required for 802.1X users, except the set radius proxy port command. This command is not required and is not applicable to untagged SSID traffic. In addition, when configuring the wired authentication port, use the auth-fall-thru option to change the fallthru authentication type to last-resort.
Authentication Attributes for Local Users (Attribute: Description)
encryption-type: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
end-date
filter-id (network access mode only): Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the switch. Name of an existing security ACL, up to 253 alphanumeric characters, with no tabs or spaces. • Use acl-name.
idle-timeout
mobility-profile (network access mode only)
service-type: Type of access the user is requesting. One of the following numbers:
• 2 - Framed; for network user access
• 6 - Administrative; for administrative access to the switch, with authorization to access the enabled (configuration) mode. The user must enter the enable command and the correct enable password to access the enabled mode.
session-timeout (network access mode only): Maximum number of seconds for the user’s session.
ssid (network access mode only): SSID the user is allowed to access after authentication. Name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to D-Link radios.
start-date: Date and time at which the user becomes eligible to access the network. Date and time, in the following format: YY/MM/DD-HH:MM
time-of-day (network access mode only)
vlan-name (network access mode only): Virtual LAN (VLAN) assignment. Name of a VLAN that you want the user to use. Note: On some RADIUS servers, you might need to use the standard RADIUS attribute Tunnel-PvtGroup-ID, instead of VLAN-Name.
Assigning Attributes to Users and Groups You can assign authorization attributes to individual users or groups of users.
Assigning a Security ACL to a User or a Group Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to users and user groups through the 802.1X authentication and authorization process. When you assign a Filter-Id attribute to a user or group, the security ACL name value is entered as an authorization attribute into the user or group record in the local database or RADIUS server.
The following command applies the incoming filters of acl-101 to the users who belong to the group eastcoasters: DWS-1008# set usergroup eastcoasters attr filter-id acl-101.in success: change accepted. Assigning a Security ACL on a RADIUS Server To assign a security ACL name as the Filter-Id authorization attribute of a user or group record on a RADIUS server, see the documentation for your RADIUS server.
Assigning and Clearing Encryption Types Locally To restrict wireless users or groups with user profiles in the local DWS-1008 switch database to particular encryption algorithms for accessing the network, use one of the following commands: set user username attr encryption-type value set usergroup groupname attr encryption-type value set mac-user username attr encryption-type value set mac-usergroup groupname attr encryption-type value MSS supports t
Assigning and Clearing Encryption Types on a RADIUS Server To assign or delete an encryption algorithm as the Encryption-Type authorization attribute in a user or group record on a RADIUS server, see the documentation for your RADIUS server. Overriding or Adding Attributes Locally with a Location Policy During the login process, the AAA authorization process is started immediately after clients are authenticated to use the switch.
DWS-1008 User’s Manual Configuring AAA for Network Users How the Location Policy Differs from a Security ACL Although structurally similar, the location policy and security ACLs have different functions. The location policy on a switch can be used to locally redirect a user to a different VLAN or locally control the traffic to and from a user. In contrast, security ACLs are packet filters applied to the user throughout a MobileLAN. You can use the location policy to locally apply a security ACL to a user.
DWS-1008 User’s Manual Configuring AAA for Network Users Applying Security ACLs in a Location Policy Rule When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows: • Input filter - Use inacl inacl-name to filter traffic that enters the switch from users via a DWL-8220AP access port or wired authentication port, or from the network via a network port.
To move the first rule to the end of the list and display the results, type the following commands:
DWS-1008# clear location policy 1
success: clause 1 is removed.
DWS-1008# set location policy deny if user eq *.theirfirm.com
DWS-1008# show location policy
Id Clauses
---------------------------------------------------------------
1) permit vlan guest_1 if vlan neq *.ourfirm.com
2) permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.
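As an added illustration of why clause order matters (constructed example code, not part of the manual or of MSS), the following Python evaluates a location policy top to bottom and shows the different outcome for a theirfirm.com user when the deny clause sits first rather than last. It assumes first-match semantics and fnmatch-style globs; the clause globs are constructed after the page's rules.

```python
"""Evaluate an ordered location policy (first matching clause wins).

Hypothetical re-implementation for illustration; not MSS code. Assumptions: clauses are
checked top to bottom and the first match decides; user and VLAN globs are matched with
fnmatch-style wildcards ("*" matches any run of characters, so "**" matches anything).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class Clause:
    action: str                # "permit" or "deny"
    overrides: Dict[str, str]  # vlan / inacl / outacl values given before "if"
    cond_attr: str             # "user" or "vlan": which attribute the condition tests
    cond_op: str               # "eq" or "neq"
    cond_glob: str


def parse_clause(text: str) -> Clause:
    """Parse one clause as printed by 'show location policy', e.g.
    'permit vlan guest_1 if vlan neq *.ourfirm.com'."""
    tokens = text.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if_pos = tokens.index("if")
    overrides: Dict[str, str] = {}
    for i in range(1, if_pos, 2):            # keyword/value pairs before "if"
        key, value = tokens[i], tokens[i + 1]
        if key not in ("vlan", "inacl", "outacl"):
            raise ValueError(f"unknown override keyword {key!r}")
        overrides[key] = value
    attr, op, glob = tokens[if_pos + 1:if_pos + 4]
    if attr not in ("user", "vlan") or op not in ("eq", "neq"):
        raise ValueError(f"bad condition in {text!r}")
    return Clause(action, overrides, attr, op, glob)


def clause_matches(clause: Clause, username: str, aaa_vlan: str) -> bool:
    subject = username if clause.cond_attr == "user" else aaa_vlan
    hit = fnmatchcase(subject, clause.cond_glob)
    return hit if clause.cond_op == "eq" else not hit


def apply_policy(
    clauses: List[Clause], username: str, aaa_attrs: Dict[str, str]
) -> Tuple[bool, Optional[int], Dict[str, str]]:
    """Return (access allowed, number of the clause that fired, effective attributes).

    aaa_attrs holds what AAA assigned (at least 'vlan'). A permit clause overrides or adds
    the attributes listed before its 'if'; a deny clause refuses access; no match leaves
    the AAA attributes untouched."""
    effective = dict(aaa_attrs)
    for number, clause in enumerate(clauses, start=1):
        if not clause_matches(clause, username, aaa_attrs.get("vlan", "")):
            continue
        if clause.action == "deny":
            return False, number, {}
        effective.update(clause.overrides)
        return True, number, effective
    return True, None, effective


# Constructed policy modelled on the page's rules.
POLICY_DENY_LAST = [parse_clause(c) for c in (
    "permit vlan guest_1 if vlan neq *.ourfirm.com",
    "permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com",
    "deny if user eq *.theirfirm.com",
)]
# The same clauses with the deny clause in first position, as before the move above.
POLICY_DENY_FIRST = [POLICY_DENY_LAST[2]] + POLICY_DENY_LAST[:2]

if __name__ == "__main__":
    visitor = ("visitor.theirfirm.com", {"vlan": "partners.theirfirm.com"})
    print("deny last :", apply_policy(POLICY_DENY_LAST, *visitor))   # permitted into guest_1
    print("deny first:", apply_policy(POLICY_DENY_FIRST, *visitor))  # denied
```

With the deny clause moved to the end, the theirfirm.com user is caught first by clause 1 and lands in guest_1 instead of being denied.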
The following fields are included in the accounting records:
Username
Session duration
Timestamp
VLAN name
Client’s MAC address
DWL-8220AP port number and radio number
DWL-8220AP access point’s MAC address
The following counters are also recorded:
Number of octets received by the switch
Number of octets sent by the switch
Number of packets received by the switch
Number of packets sent by the switch
Viewing L

The user started on DWS-1008-0013:
DWS-1008-0013# show accounting statistics
May 21 17:01:32
Acct-Status-Type=START
Acct-Authentic=2
User-Name=Administrator@example.
DWS-1008 User’s Manual Configuring AAA for Network Users Displaying the AAA Configuration To view the results of the AAA commands you have set and verify their order, type the show aaa command. The order in which the commands appear in the output determines the order in which MSS matches them to users. (Sometimes the order might not be what you intended. See Avoiding AAA Problems in Configuration Order.
Avoiding AAA Problems in Configuration Order
Using the Wildcard “Any” as the SSID Name in Authentication Rules
You can configure an authentication rule to match on all SSID strings by using the SSID string any in the rule. For example, the following rule matches on all SSID strings requested by all users:
set authentication dot1x ssid any ** sg1
MSS checks authentication rules in the order they appear in the configuration file.

You then set up PEAP-MS-CHAP-V2 authentication and authorization for all users at EXAMPLE/ at server group 1. Finally, you set up PEAP-MS-CHAP-V2 authentication and authorization for all users in the local DWS-1008 switch database, with the intention that EXAMPLE users are to be processed first:
DWS-1008# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
success: change accepted.
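An added example (not from the manual or MSS) that models the rule ordering just described: it matches a user and SSID against "set authentication dot1x" rules in configuration order and flags rules that an earlier any/** rule makes unreachable. First-match semantics and fnmatch-style user globs are assumed; the rule lines are constructed after the page's commands.

```python
"""Show how the order of 'set authentication dot1x' rules decides which rule a user hits.

Hypothetical re-implementation for illustration, not MSS code. Assumptions: rules are
matched top to bottom and the first match wins; the SSID 'any' matches every SSID;
user globs use fnmatch-style wildcards, with '**' matching every username.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class AuthRule:
    ssid: str                # SSID name or "any"
    user_glob: str           # e.g. "EXAMPLE/*" or "**"
    method: Tuple[str, ...]  # everything after the user glob (protocol, server group, local)

    def matches(self, ssid: str, username: str) -> bool:
        ssid_ok = self.ssid == "any" or self.ssid == ssid
        user_ok = self.user_glob == "**" or fnmatchcase(username, self.user_glob)
        return ssid_ok and user_ok

    def covers(self, other: "AuthRule") -> bool:
        """True when every (ssid, user) matching 'other' also matches self.
        Conservative: only the identical-glob and catch-all cases are recognised."""
        ssid_ok = self.ssid == "any" or self.ssid == other.ssid
        user_ok = self.user_glob == "**" or self.user_glob == other.user_glob
        return ssid_ok and user_ok


def parse_rule(line: str) -> AuthRule:
    """Parse 'set authentication dot1x ssid <ssid> <user-glob> <method...>'."""
    tokens = line.split()
    if tokens[:4] != ["set", "authentication", "dot1x", "ssid"] or len(tokens) < 7:
        raise ValueError(f"not a dot1x ssid authentication rule: {line!r}")
    return AuthRule(tokens[4], tokens[5], tuple(tokens[6:]))


def select_rule(rules: List[AuthRule], ssid: str, username: str) -> Optional[AuthRule]:
    """First matching rule in configuration order, or None when no rule applies."""
    for rule in rules:
        if rule.matches(ssid, username):
            return rule
    return None


def shadowed_rules(rules: List[AuthRule]) -> List[int]:
    """1-based positions of rules that an earlier rule makes unreachable."""
    unreachable = []
    for i, later in enumerate(rules):
        if any(earlier.covers(later) for earlier in rules[:i]):
            unreachable.append(i + 1)
    return unreachable


# Constructed configuration following the page's examples: EXAMPLE users first, then
# everyone else against the local database.
INTENDED_ORDER = [parse_rule(line) for line in (
    "set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1",
    "set authentication dot1x ssid mycorp ** peap-mschapv2 local",
)]
# The same rules entered after the page's 'any **' wildcard rule, which then catches everyone.
WRONG_ORDER = [parse_rule(line) for line in (
    "set authentication dot1x ssid any ** sg1",
    "set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1",
    "set authentication dot1x ssid mycorp ** peap-mschapv2 local",
)]

if __name__ == "__main__":
    print(select_rule(INTENDED_ORDER, "mycorp", "EXAMPLE/nin").method)  # ('peap-mschapv2', 'group1')
    print(select_rule(WRONG_ORDER, "mycorp", "EXAMPLE/nin").method)     # ('sg1',)
    print(shadowed_rules(WRONG_ORDER))                                  # [2, 3]
```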
DWS-1008 User’s Manual Configuring AAA for Network Users Configuring a Mobility Profile A Mobility Profile is a way of specifying, on a per-user basis, those users who are allowed access to specified DWL-8220AP access ports and wired authentication ports on a switch. In this way, you can constrain the areas to which a user can roam. You first create a Mobility Profile, assign it to one or more users, and finally enable the Mobility Profile feature on the DWS-1008 switch.
To display the name of each Mobility Profile and its ports, type the following command:
DWS-1008# show mobility-profile
Mobility Profiles
Name           Ports
=========================
roses-profile  AP 2 AP 3 AP 4 AP 7 AP 9
To remove a Mobility Profile, type the following command:
clear mobility-profile name

Network User Configuration Scenarios
The following scenar

This command applies the access list named acl-101 to each user at EXAMPLE.
4. To display the ACL, type the following command:
DWS-1008# show security acl info acl-101
set security acl ip acl-101 (hits #0 0)
---------------------------------------------------
1. permit IP source IP 192.168.1.1 0.0.0.255 destination IP any enable-hits
5.

set accounting dot1x ssid mycorp EXAMPLE\* stop-only local
set authentication dot1x ssid mycorp EXAMPLE\* pass-through shorebirds
user tech
  Password = 1315021018 (encrypted)
user EXAMPLE/nin
  filter-id = acl.101.in
  mobility-profile = tulip
user EXAMPLE/tamara
  filter-id = acl.101.in
  mobility-profile = tulip
...
8. Save the configuration:
DWS-1008# save config
success: configuration saved.
DWS-1008 User’s Manual Configuring AAA for Network Users Enabling PEAP-MS-CHAP-V2 Authentication The following example illustrates how to enable local PEAP-MS-CHAP-V2 authentication for all 802.1X network users. This example includes local usernames, passwords, and membership in a VLAN. This example includes one username and an optional attribute for session-timeout in seconds. Because the switch requires a certificate for authentication, configuration of a self-signed certificate is shown. 1.
DWS-1008 User’s Manual Configuring AAA for Network Users Enabling PEAP-MS-CHAP-V2 Offload The following example illustrates how to enable PEAP-MS-CHAP-V2 offload. In this example, all EAP processing is offloaded from the RADIUS server, but MS-CHAP-V2 authentication and authorization are done via a RADIUS server. The MS-CHAP-V2 lookup matches users against the user list on a RADIUS server. Because the switch requires a certificate for authentication, a self-signed certificate is shown in this example. 1.
DWS-1008 User’s Manual Configuring AAA for Network Users Combining EAP Offload with Pass-Through Authentication The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes that engineering members are using DNS-style naming, such as is used with EAP-TLS. A server certificate is also required.
DWS-1008 User’s Manual Configuring AAA for Network Users Overriding AAA-Assigned VLANs The following example shows how to change the VLAN access of wireless users in an organization housed in multiple buildings. Suppose the wireless users on the faculty of a college English department have offices in building A and are authorized to use that building’s bldga-prof- VLANs. These users also teach classes in building B.
Configuring Communication with RADIUS
RADIUS Overview
Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system. RADIUS servers provide a repository for all usernames and passwords, and can manage and store large groups of users. RADIUS servers store user profiles, which include usernames, passwords, and other AAA attributes.
DWS-1008 User’s Manual Configuring Communication with RADIUS If a server does not respond before the last request attempt times out, MSS holds down further requests to the server, for the duration of the dead time. For example, if you set the dead time to 5 minutes, MSS stops sending requests to the unresponsive server for 5 minutes before reattempting to use the server. During the holddown, it is as if the dead RADIUS server does not exist.
DWS-1008 User’s Manual Configuring Communication with RADIUS Setting the System IP Address as the Source Address By default, RADIUS packets leaving the switch have the source IP address of the outbound interface on the switch. This source address can change when routing conditions change. If you have set a system IP address for the switch, you can use it as a permanent source address for the RADIUS packets sent by the switch.
DWS-1008 User’s Manual Configuring Communication with RADIUS Note: You must provide RADIUS servers with names that are unique. To prevent confusion, D-Link recommends that RADIUS server names differ in ways other than case. For example, avoid naming two servers RS1 and rs1. You can configure additional parameters with set radius server, such as the UDP ports used for AAA services and the timeout period. You must configure RADIUS servers into server groups before you can access them.
DWS-1008 User’s Manual Configuring Communication with RADIUS Note: Any RADIUS servers that do not respond are marked dead (unavailable) for a period of time. The unresponsive server is skipped over, as though it did not exist, during its dead time. Once the dead time elapses, the server is again a candidate for receiving requests. To change the default dead-time timer, use the set radius or set radius server command.
The following command disables load balancing for a server group:
clear server group group-name load-balance
Adding Members to a Server Group
To add RADIUS servers to a server group, type the following command:
set server group group-name members server-name1 [server-name2] [server-name3] [server-name4]
The keyword members lists the RADIUS servers contained in the named server group.
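To make the dead-time and load-balancing behaviour described above concrete, here is an added simulation (constructed example code, not MSS): a request walks the members of a server group, retries a silent server, holds it down for the dead time, and skips it while the holddown lasts. The timeout and retry defaults are those printed by show aaa on this page; the rotation used for load balancing and the answering behaviour of the servers are assumptions.

```python
"""Simulate how a server group hands requests to its RADIUS servers, with retries,
dead time and optional load balancing.

Hypothetical model for illustration, not MSS code. It uses the defaults printed by
'show aaa' on the page (timeout 5 s, 3 tries) and assumes: a server that stays silent
through all of its tries is held down for deadtime minutes; held-down servers are
skipped; without load balancing each request starts at the first member, with it the
start position rotates. The network is replaced by a caller-supplied 'answers' function.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    timeout: int = 5          # seconds to wait for each attempt (show aaa: timeout=5)
    tries: int = 3            # attempts before giving up on the server (show aaa: retrans=3)
    deadtime: int = 0         # minutes to hold the server down after it fails; 0 = no holddown
    dead_until: float = 0.0   # simulation clock value (seconds) until which it is skipped


@dataclass
class ServerGroup:
    name: str
    members: List[RadiusServer]
    load_balance: bool = False
    _start: int = 0           # rotating start index used when load balancing (assumed)


class SimulatedRadiusClient:
    """Walks a server group for one AAA request against a simulated clock."""

    def __init__(self, group: ServerGroup, answers: Callable[[str, float], bool]):
        self.group = group
        self.answers = answers      # answers(server_name, clock) -> did the server reply?
        self.clock = 0.0            # seconds
        self.log: List[str] = []

    def _order(self) -> List[RadiusServer]:
        members = self.group.members
        if not self.group.load_balance:
            return list(members)
        start = self.group._start
        self.group._start = (start + 1) % len(members)
        return members[start:] + members[:start]

    def send_request(self) -> Optional[str]:
        """Return the name of the server that answered, or None if none did."""
        for server in self._order():
            if server.dead_until > self.clock:
                self.log.append(f"{server.name}: held down, skipped")
                continue
            for attempt in range(1, server.tries + 1):
                if self.answers(server.name, self.clock):
                    self.log.append(f"{server.name}: answered on try {attempt}")
                    return server.name
                self.clock += server.timeout      # each silent attempt costs one timeout
            self.log.append(f"{server.name}: no answer after {server.tries} tries")
            if server.deadtime:
                server.dead_until = self.clock + server.deadtime * 60
        return None


def run_scenario() -> Tuple[List[Optional[str]], List[str], float]:
    """Constructed scenario: sandpiper never answers, heron always does, dead time 5 minutes.
    Returns (server used per request, event log, sandpiper's final holddown expiry)."""
    group = ServerGroup("shorebirds", [
        RadiusServer("sandpiper", deadtime=5),
        RadiusServer("heron", deadtime=5),
    ])
    client = SimulatedRadiusClient(group, answers=lambda name, _clock: name == "heron")
    results = [client.send_request()]      # t=0: sandpiper tried 3 times (15 s), then held down
    client.clock = 100.0                   # still inside the 5-minute holddown
    results.append(client.send_request())  # sandpiper skipped outright
    client.clock = 400.0                   # holddown (until t=315) has elapsed
    results.append(client.send_request())  # sandpiper is tried again, then held down again
    return results, client.log, group.members[0].dead_until


def rotation_demo() -> List[List[str]]:
    """Member order seen by two successive requests when load balancing is on."""
    group = ServerGroup("lb", [RadiusServer("a"), RadiusServer("b")], load_balance=True)
    client = SimulatedRadiusClient(group, answers=lambda _name, _clock: True)
    return [[s.name for s in client._order()] for _ in range(2)]


if __name__ == "__main__":
    used, log, expiry = run_scenario()
    print(used, expiry)          # ['heron', 'heron', 'heron'] 715.0
    print("\n".join(log))
```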
DWS-1008 User’s Manual Configuring Communication with RADIUS For example, to delete the server group shorebirds, type the following command: DWS-1008# clear server group shorebirds success: change accepted.
6. Display the configuration. Type the following command:
DWS-1008# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server      Addr             Ports      T/o  Tries  Dead  State
------------------------------------------------------------------------------------------
sandpiper   192.168.253.17   1812 1813  5    3      0     UP
heron       192.168.253.12   1812 1813  5    3      0     UP
egret       192.168.253.
Managing 802.1X
Certain settings for IEEE 802.1X sessions on the DWS-1008 switch are enabled by default. For best results, change the settings only if you are aware of a problem with the switch’s 802.1X performance. For settings that you can reset with a clear command, MSS reverts to the default value. Caution: 802.1X parameter settings are global for all SSIDs configured on the switch.
Managing 802.

For example, the following command forces port 19 to unconditionally authenticate all 802.1X authentication attempts with an EAP success message:
DWS-1008# set dot1x port-control forceauth 19
success: authcontrol for 19 is set to FORCE-AUTH.
Similarly, the following command forces port 12 to unconditionally reject any 802.1X attempts with an EAP failure message:
DWS-1008# set dot1x port-control forceunauth 12
success: authcontrol for 12 is set to FORCE-UNAUTH.

Configuring 802.1X Key Transmission Time Intervals
The following command sets the number of seconds the switch waits before retransmitting an EAPoL packet of key information:
set dot1x tx-period seconds
The default is 5 seconds. The range for the retransmission interval is from 1 to 65,535 seconds. For example, type the following command to set the retransmission interval to 300 seconds:
DWS-1008# set dot1x tx-period 300
success: dot1x tx-period set to 300.

Use the following command to disable WEP rekeying for broadcast and multicast keys:
DWS-1008# set dot1x wep-rekey disable
success: wep rekeying disabled
Note: Reauthentication is not required for using this command. Broadcast and multicast keys are always rotated at the same time, so all members of a given radio and VLAN receive the new keys at the same time.
DWS-1008 User’s Manual Managing 802.1X Note: To support SSIDs that have both 802.1X and static WEP clients, MSS sends a maximum of two ID requests, even if this parameter is set to a higher value. Setting the parameter to a higher value does affect all other types of EAP messages. Managing 802.1X Client Reauthentication Reauthentication of 802.1X wireless supplicants (clients) is enabled on the switch by default. By default, the switch waits 3600 seconds (1 hour) between authentication attempts.
DWS-1008 User’s Manual Managing 802.1X Note: If the number of reauthentications for a wired authentication client is greater than the maximum number of reauthentications allowed, MSS sends an EAP failure packet to the client and removes the client from the network. However, MSS does not remove a wireless client from the network under these circumstances. Setting the 802.
DWS-1008 User’s Manual Managing 802.1X To reset the Bonded Auth period to its default value, use the following command: clear dot1x max-req Managing Other Timers By default, the switch waits 60 seconds before responding to a client whose authentication failed, and times out a request to a RADIUS server or an authentication session with a client after 30 seconds. You can modify these defaults. Setting the 802.
Setting the 802.1X Timeout for a Client
Use the following command to set the number of seconds before the switch times out an authentication session with a supplicant (client):
set dot1x timeout supplicant seconds
The default is 30 seconds. The range of time is from 1 to 65,535 seconds. For example, type the following command to set the number of seconds for a timeout to 300:
DWS-1008# set dot1x timeout supplicant 300
success: dot1x supplicant timeout set to 300.
DWS-1008 User’s Manual Managing 802.1X Viewing 802.1X Clients Type the following command to display active 802.
port 5, authcontrol: auto, max-sessions: 16
port 6, authcontrol: auto, max-sessions: 1
port 7, authcontrol: auto, max-sessions: 1
port 8, authcontrol: auto, max-sessions: 16
Viewing 802.1X Statistics
Type the following command to display 802.1X statistics about connecting and authenticating:
DWS-1008# show dot1x stats
802.

Managing Sessions
About the Session Manager
A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session.

To clear the sessions of all administrative users, type the following command:
DWS-1008# clear sessions admin
This will terminate manager sessions, do you wish to continue? (y|n) [n]y
Displaying and Clearing an Administrative Console Session
To view information about the user with administrative access to the switch through a console plugged into the switch, type the following command:
DWS-1008> show sessions console
Tty      Username      Time (s)   Type
-------  ------------
DWS-1008 User’s Manual Managing Sessions To clear the administrative sessions of Telnet clients, use the following command: clear sessions telnet [client [session-id]] You can clear all Telnet client sessions or a particular session.
Displaying Verbose Network Session Information
In the show sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command:
DWS-1008> show sessions network verbose
User                           Sess  IP or MAC          VLAN       Port/
Name                           ID    Address            Name       Radio
------------------------------ ----  -----------------  ---------  ------
EXAMPLE\wong                   5*    192.168.12.

DWS-1008# show sessions network user E*
User                           Sess  IP or MAC          VLAN       Port/
Name                           ID    Address            Name       Radio
------------------------------ ----  -----------------  ---------  ------
EXAMPLE\singh                  12*   192.168.12.185     vlan-eng   3/2
EXAMPLE\havel                  13*   192.168.12.104     vlan-eng   1/2
2 sessions match criteria (of 3 total)
Use the verbose keyword to see more information. For example, the following command displays detailed session information about nin@example.
DWS-1008 User’s Manual Managing Sessions For example, to clear all sessions for MAC address 00:01:02:04:05:06, type the following command: DWS-1008# clear sessions network mac-addr 00:01:02:04:05:06 Displaying and Clearing Network Sessions by VLAN Name You can view all session information for a specific VLAN or VLAN glob.
DWS-1008 User’s Manual Managing Sessions Authentication Method: PEAP, using server 192.168.142.
Rogue Detection and Countermeasures
AP radios automatically scan the RF spectrum for other devices transmitting in the same spectrum. The RF scans discover third-party transmitters in addition to other D-Link radios. MSS considers the non-D-Link transmitters to be devices of interest, which are potential rogues. You can display information about the devices of interest.
DWS-1008 User’s Manual Rogue Detection and Countermeasures Rogue Detection Lists Rogue detection lists specify the third-party devices and SSIDs that MSS allows on the network, and the devices MSS classifies as rogues. You can configure the following rogue detection lists: • Permitted SSID list - A list of SSIDs allowed on the network. MSS generates a message if an SSID that is not on the list is detected.
Radios perform both types of scans on all channels allowed for the country of operation. (This is the regulatory domain set by the set system countrycode command.) 802.11b/g radios scan in the 2.4 GHz to 2.4835 GHz spectrum. 802.11a radios scan in the 5.15 GHz to 5.85 GHz spectrum. Both enabled radios and disabled radios perform these scans.
DWS-1008 User’s Manual Rogue Detection and Countermeasures Dynamic Frequency Selection (DFS) Some regulatory domains require conformance to ETSI document EN 301 893. Section 4.6 of that document specifies requirements for Dynamic Frequency Selection (DFS). These requirements apply to radios operating in the 5 GHz band (802.11a radios). In countries where Dynamic Frequency Selection (DFS) is required, MSS performs the appropriate check for radar.
Permitted vendor list - List of OUIs to allow on the network. An OUI is the first three octets of a MAC address and uniquely identifies an AP’s or client’s vendor.
Permitted SSID list - List of SSIDs allowed on the network. MSS can issue countermeasures against third-party APs sending traffic for an SSID that is not on the list.

Active scan - Sends probe any requests (probes with a null SSID name) to look for rogue APs. Active scan is configurable on a radio-profile basis.
D-Link AP signature - Value in an AP’s management frames that identifies the AP to MSS. AP signatures help prevent spoofing of the AP MAC address.
Log messages and traps - Messages and traps for rogue activity.

The following example shows the permitted vendor list on the switch:
DWS-1008# show rfdetect vendor-list
Total number of entries: 1
OUI                Type
-----------------  ------
aa:bb:cc:00:00:00  client
11:22:33:00:00:00  ap
To remove an entry from the permitted vendor list, use the following command:
clear rfdetect vendor-list {client | ap} {mac-addr | all}
The following command removes client OUI aa:bb:cc:00:00:00 from the permitted vendor list:
DWS-1008# cl

The following example shows the permitted SSID list on the switch:
DWS-1008# show rfdetect ssid-list
Total number of entries: 3
SSID
-----------------
mycorp
corporate
guest
To remove an SSID from the permitted SSID list, use the following command:
clear rfdetect ssid-list ssid-name
The following command clears SSID mycorp from the permitted SSID list:
DWS-1008# clear rfdetect ssid-list mycorp
success: mycorp is no longer in ssid-list.

The following example shows the client black list on the switch:
DWS-1008# show rfdetect black-list
Total number of entries: 1
Blacklist MAC      Type             Port  TTL
-----------------------------------------------------------------------
11:22:33:44:55:66  configured
11:23:34:45:56:67  assoc req flood  3     25
To remove a MAC address from the client black list, use the following command:
clear rfdetect black-list mac-addr
The following command removes MAC address 11
DWS-1008 User’s Manual Rogue Detection and Countermeasures To remove a MAC address from the attack list, use the following command: clear rfdetect attack-list mac-addr The following command clears MAC address 11:22:33:44:55:66 from the attack list: DWS-1008# clear rfdetect attack-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer in attacklist.
DWS-1008 User’s Manual Rogue Detection and Countermeasures Enabling Countermeasures Caution: Countermeasures affect wireless service on a radio. When an AP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures. Countermeasures are disabled by default. You can enable them on an individual radio profile basis.
DWS-1008 User’s Manual Rogue Detection and Countermeasures Enabling AP Signatures An AP signature is a set of bits in a management frame sent by an AP that identifies that AP to MSS. If someone attempts to spoof management packets from a D-Link AP, MSS can detect the spoof attempt. AP signatures are disabled by default. To enable or disable them, use the following command: set rfdetect signature {enable | disable} The command applies only to APs managed by the switch on which you enter the command.
DWS-1008 User’s Manual Rogue Detection and Countermeasures Flood Attacks A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests.
DWS-1008 User’s Manual Rogue Detection and Countermeasures • Fake AP - A rogue device sends beacon frames for randomly generated SSIDs or BSSIDs. This type of attack can cause clients to become confused by the presence of so many SSIDs and BSSIDs, and thus interferes with the clients’ ability to connect to valid APs. This type of attack can also interfere with RF Auto-Tuning when an AP is trying to adjust to its RF neighborhood.
DWS-1008 User’s Manual Rogue Detection and Countermeasures Disallowed Devices or SSIDs You can configure the following types of lists to explicitly allow specific devices or SSIDs: • Permitted SSID list - MSS generates a message if an SSID that is not on the list is detected. • Permitted vendor list - MSS generates a message if an AP or wireless client with an OUI that is not on the list is detected. • Client black list - MSS prevents clients on the list from accessing the network through a switch.
Attack types reported in log messages:
Management frame 7 flood
Management frame D flood
Management frame E flood
Management frame F flood
Associate request flood
Reassociate request flood
Disassociate request flood
Weak WEP initialization vector (IV)
Decrypt errors
Spoofed disassociation frames
Null probe responses
Broadcast
Example message (management frame 7 flood): Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 7 message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.

Fake AP SSID (when source MAC address is known): FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
Fake AP SSID (when source MAC address is not known): FakeAP BSSID attack detected. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
Spoofed SSID: AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is masquerading our ssid used by aa:bb:cc:dd:ee:fd.
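For anyone forwarding these messages to a SIEM, here is an added example (not MSS code) that parses the four message shapes shown above into structured events and checks each reported source against the permitted vendor list from the show rfdetect vendor-list example. The sample lines and the permitted OUIs are constructed; only the message formats come from the page.

```python
"""Parse rogue-detection log messages into structured events and check the source OUI
against the permitted vendor list.

Added example, not MSS code. The message formats are taken from the page; the sample
lines and the permitted OUIs are constructed (the OUIs follow the page's vendor-list
example). Assumption: only the four message shapes below are recognised; anything
else is returned as None.
"""
import re
from typing import Dict, List, Optional


def _mac(name: str) -> str:
    """Regex for a lower-case colon-separated MAC captured under the given group name."""
    return rf"(?P<{name}>[0-9a-f]{{2}}(?::[0-9a-f]{{2}}){{5}})"


# Trailer shared by most messages; the SSID part is optional.
SEEN_BY = re.compile(
    r"Seen by AP on port (?P<port>\d+), radio (?P<radio>\d+) on channel (?P<channel>\d+)"
    r" with RSSI (?P<rssi>-?\d+)(?: SSID (?P<ssid>\S+?))?\.?$"
)
PATTERNS = [
    ("flood", re.compile(rf"^Client {_mac('src')} is sending (?P<detail>.+?) flood\.")),
    ("fake-ap-ssid", re.compile(rf"^FakeAP SSID attack detected from {_mac('src')}\.")),
    ("fake-ap-bssid", re.compile(r"^FakeAP BSSID attack detected\.")),
    ("spoofed-ssid", re.compile(
        rf"^AP Mac {_mac('src')}\(ssid (?P<ssid>\S+)\) is masquerading our ssid"
        rf" used by {_mac('victim')}\.")),
]

# Constructed from the page's 'show rfdetect vendor-list' example: OUI -> permitted type.
PERMITTED_VENDORS: Dict[str, str] = {"aa:bb:cc": "client", "11:22:33": "ap"}

# Constructed sample: the page's four messages plus one flood from a non-listed OUI.
SAMPLE_LINES = [
    "Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 7 message flood. "
    "Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.",
    "FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff. "
    "Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.",
    "FakeAP BSSID attack detected. Seen by AP on port 2, radio 1 on channel 11 "
    "with RSSI -53 SSID myssid.",
    "AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is masquerading our ssid used by aa:bb:cc:dd:ee:fd.",
    "Client 00:11:22:33:44:55 is sending association request flood. "
    "Seen by AP on port 3, radio 2 on channel 6 with RSSI -60.",
]


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Return a dict with kind, any MACs/SSID/detail, and the reporting AP's port,
    radio, channel and RSSI, or None for an unrecognised line."""
    for kind, pattern in PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        event: Dict[str, object] = {"kind": kind}
        event.update({k: v for k, v in m.groupdict().items() if v is not None})
        seen = SEEN_BY.search(line)
        if seen:
            event.update(port=int(seen["port"]), radio=int(seen["radio"]),
                         channel=int(seen["channel"]), rssi=int(seen["rssi"]))
            if seen["ssid"]:
                event["ssid"] = seen["ssid"]
        return event
    return None


def oui(mac: str) -> str:
    """First three octets of a MAC address, which identify the vendor."""
    return mac.lower()[:8]


def triage(lines: List[str], permitted: Dict[str, str]) -> List[Dict[str, object]]:
    """Parse each line and mark whether the reported source OUI is on the permitted list."""
    events = []
    for line in lines:
        event = parse_event(line.strip())
        if event is None:
            continue
        src = event.get("src")
        event["vendor_permitted"] = bool(src) and oui(str(src)) in permitted
        events.append(event)
    return events


def triage_sample() -> List[Dict[str, object]]:
    return triage(SAMPLE_LINES, PERMITTED_VENDORS)


if __name__ == "__main__":
    for ev in triage_sample():
        print(ev)
```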
Displaying RF Detection Information
You can use the CLI commands listed in the table below to display rogue detection information.
Command                               Description
show rfdetect clients [mac mac-addr]  Displays all wireless clients detected on the air.
show rfdetect counters                Displays statistics for rogue and Intrusion Detection System (IDS) activity detected by the APs managed by a switch.

Displaying Rogue Clients
To display the wireless clients detected by a DWS-1008 switch, use the following command:
show rfdetect clients [mac mac-addr]
The following command shows information about all wireless clients detected by a switch’s APs:
DWS-1008# show rfdetect clients
Total number of entries: 30
Client MAC  Client Vendor  AP MAC  AP Vendor  Port/Radio Channel  NoL  Type  Last seen
--------------------------------------------------

DWS-1008# show rfdetect counters
Type                                                Current       Total
--------------------------------------------------  ------------  ------------
Rogue access points
Interfering access points
Rogue 802.11 clients
Interfering 802.11 clients
802.11 adhoc clients
Unknown 802.11 clients
Interfering 802.11 clients seen on wired network
802.11 probe request flood
802.11 authentication flood
802.11 null data flood
802.11 mgmt type 6 flood
802.

Displaying the APs Detected by an AP Radio
To display the APs detected by an AP radio, use any of the following commands:
show rfdetect visible mac-addr
show rfdetect visible ap ap-num [radio {1 | 2}]
show rfdetect visible dap dap-num [radio {1 | 2}]
The following command displays information about the rogues detected by radio 1 on AP port 3:
DWS-1008# show rfdetect visible ap 3 radio 1
Total number of entries: 104
Flags: i = infrastructure, a = a
Managing System Files
A DWS-1008 switch contains nonvolatile storage. MSS allows you to manage the files in nonvolatile storage. In addition, you can copy files between the switch and a TFTP server on the network.

Kernel: 3.0.0#43: Wed Jun 30 05:17:44 PDT 2004
BootLoader: 1.19 / 1.7.4
To also display DWL-8220AP access point information, type the following command:
DWS-1008# show version details
Mobility System Software, Version: 3.0.

In this example, the switch is running software version 1.1.0. The switch used the 010100.020 image file in boot partition boot1 and the configuration file named configuration for the most recent reboot. The switch is set to use image file DWS010100.008 in boot partition boot0 and configuration file newconfig for the next reboot.
Working with Files
The following sections describe how to manage files stored on the switch.

The following command displays the files in the old subdirectory:
DWS-1008# dir old
=============================================================
file:
Filename                Size        Created
file:configuration.txt  3541 bytes  Sep 22 2003, 22:55:44
file:configuration.xml  24 KB       Sep 22 2003, 22:55:44
Total: 27 Kbytes used, 207824 Kbytes free
Copying a File
You can perform the following copy operations:
• Copy a file from a TFTP server to nonvolatile storage.

Note: You can copy a file from a switch to a TFTP server or from a TFTP server to a switch, but you cannot use MSS to copy a file directly from one TFTP server to another.
To copy the file floor2 from nonvolatile storage to a TFTP server, type the following command:
DWS-1008# copy floor2 tftp://10.1.1.1/floor2
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
The above command copies the file to the same filename on the TFTP server.

To copy file corpa-login.html from a TFTP server into subdirectory corpa in a switch’s nonvolatile storage, type the following command:
DWS-1008# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
Deleting a File
Note: MSS does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, MSS immediately deletes the specified file.

DWS-1008# mkdir corp2
success: change accepted.
DWS-1008# dir
=============================================================
file:
Filename            Size   Created
file:configuration  17 KB  May 21 2004, 18:20:53
file:configuration.
DWS-1008 User’s Manual Managing System Files This section describes how to display the running configuration and the configuration file, and how to save and load configuration changes. A procedure is also provided for resetting the switch to its factory default configuration. Displaying the Running Configuration To display the configuration running on the switch, use the following command: show config [area area] [all] The area area parameter limits the display to a specific configuration area.
To display only the VLAN configuration commands, type the following command:
DWS-1008# show config area vlan
# Configuration nvgen’d at 2004-5-10 19:08:38
# Image 2.1.

Loading a Configuration File
Caution: This command completely removes the running configuration and replaces it with the configuration contained in the file. D-Link recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.

Backing Up and Restoring the System
MSS has commands that enable you to easily back up and restore system and user files:
backup system [tftp://ip-addr/]filename [all | critical]
restore system [tftp://ip-addr/]filename [all | critical] [force]
The backup command creates an archive in Unix tape archive (tar) format. The restore command unzips an archive created by the backup command and copies the files from the archive onto the switch.
DWS-1008 User’s Manual Managing System Files Caution: Do not use the force option unless advised to do so by D-Link TAC. If you restore one switch’s system files onto another switch, you must generate new key pairs and certificates on the switch. Managing Configuration Changes The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the show boot command’s output.
Appendix A - Troubleshooting
Troubleshooting
Some common problems that occur during installation and basic configuration are simple to solve. However, to “recover” the system password, you must delete the existing configuration. System logs provide a history of MSS events. Traces display real-time messages from all MSS areas. Some show commands are particularly useful in troubleshooting.
Symptoms:
• Client cannot access the network.
• Configuration information disappears after a software reload.
• Mgmt LED is quickly blinking amber.
• CLI stops at boot prompt (boot>).
Client cannot access the network: This symptom has more than one possible cause:
• The client might be failing authentication or might not be authorized for a VLAN.
1. Type the show aaa command to ensure that the authentication rules on the switch allow the client to authenticate.
2.
Recovering the System Password
You can recover the system enable password if you have lost or forgotten it.
Caution: Recovering the system password will delete your configuration files.
You set the switch password using the set enablepass command. If you forget the password, use one of the following procedures.
1. Reboot the switch, and interrupt the switch boot process. Power the switch off and on again to cause the switch to reboot.
2.
Log Message Components
Each log message contains the following components:
Field: Description
Facility: Portion of MSS that is affected
Date: Time and date the message is generated
Severity: Severity level of the message
Tag: Identifier for the message
Message: Description of the error condition
Logging Destinations and Levels
A logging destination is the location to which logged event messages are sent for storage or display.
Specifying a severity level sends log messages for events or conditions at that level or higher to the logging destination. The table below lists the severity levels and their descriptions.
Event Severity Levels
Severity: Description
emergency: The switch is unusable.
alert: Action must be taken immediately.
critical: You must resolve the critical conditions. If the conditions are not resolved, the switch can reboot or shut down.
To stop sending messages to a syslog server, use the following command:
clear log server ip-addr
Logging to the Log Buffer
The system log consists of rolling entries stored as a last-in first-out queue maintained by the switch. Logging to the buffer is enabled by default for events at the error level and higher.
To filter the event log by MSS area, use the facility facility-name keyword.
Logging Messages to a Syslog Server
To send event messages to a syslog server, use the following command:
set log server ip-addr severity severity-level [local-facility facility-name] enable
Use the IP address of the syslog server to which you want messages sent. Use the optional local-facility keyword to override the default MSS facility numbers and replace them with one local facility number.
Changing the Current Telnet Session Defaults
By default, log information is not sent to your current Telnet session, and the log level is set to information (info) or higher.
Displaying the Log Configuration
To display your current log configuration, type the following command:
DWS-1008# show log config
Logging console: enabled
Logging console severity: INFO
Logging sessions: enabled
Logging sessions severity: INFO
Logging buffer: enabled
Logging buffer severity: ERROR
Logging buffer size: 400 messages
Logging trace: enabled
Logging trace severity: DEBUG
Logging buffer size: 1048576 bytes
Logging server: 192
Tracing Authentication Activity
Tracing authentication activity can help you diagnose authentication problems. You can trace all authentication activity, or only the activity for a specific user, MAC address, or port. For example, to trace all authentication activity at level 4, type the following command:
DWS-1008# set trace authentication level 4
success: change accepted.
DWS-1008# show trace
milliseconds spent printing traces: 31.945
Trace Area       Level  Mac  User   Port  Filter
---------------  -----  ---  -----  ----  ------
authentication   3           admin        0
authorization    5                        0
sm               5                  11    0
dot1x            2                        0
Stopping a Trace
The clear trace command deletes running trace commands.
Displaying Trace Results
To view the output of currently running trace commands, use the following command:
show log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]
For example, the following command displays a trace log of error-level events:
DWS-1008# show log trace severity error
KERNEL Jan 15 23:08:10 ERROR duplicate IP address 10.7.122.
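The severity-threshold, facility and matching filters described above (and the local-facility override used when exporting to a syslog server) as an added example; this is not D-Link's code. It assumes the eight severity names listed in the code (the page names emergency, alert, critical, error, info and debug; warning and notice are the standard syslog levels assumed to sit between them), the message layout shown in the show log trace output, and that local-facility takes the RFC 3164 names local0 to local7.

```python
"""Filter MSS-style log messages the way 'show log trace' options do.

Added example, not D-Link's code. Assumptions: the eight severity names
below (the page lists emergency, alert, critical; error, info and debug
appear elsewhere on the page; warning and notice are the standard syslog
levels assumed to sit between them) and the message layout
'FACILITY Mon DD HH:MM:SS SEVERITY message' seen in the page's
'show log trace severity error' output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Most to least severe; the list index is also the RFC 3164 severity code.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# RFC 3164 facility codes for the local0..local7 names the
# 'local-facility' keyword is assumed to accept.
LOCAL_FACILITIES = {f"local{n}": 16 + n for n in range(8)}

LINE_RE = re.compile(
    r"^(?P<facility>[A-Z][A-Z0-9_]*)\s+"
    r"(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<severity>[A-Z]+)\s+"
    r"(?P<message>.*)$"
)


@dataclass
class LogEntry:
    facility: str   # MSS area, e.g. KERNEL
    date: str
    severity: str   # lowercase name from SEVERITIES
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one message into its Facility, Date, Severity and Message fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = m.group("severity").lower()
    if sev not in SEVERITIES:
        return None
    return LogEntry(m.group("facility"), m.group("date"), sev, m.group("message"))


def at_or_above(entry_severity: str, threshold: str) -> bool:
    """'At that level or higher' means an index no larger than the threshold's."""
    return SEVERITIES.index(entry_severity) <= SEVERITIES.index(threshold)


def filter_log(lines: Iterable[str], severity: Optional[str] = None,
               facility: Optional[str] = None,
               matching: Optional[str] = None) -> List[LogEntry]:
    """Apply the severity / facility / matching filters; None means no filter."""
    kept = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                      # not a log message; skip it
        if severity and not at_or_above(entry.severity, severity):
            continue
        if facility and entry.facility.lower() != facility.lower():
            continue
        if matching and matching not in entry.message:
            continue
        kept.append(entry)
    return kept


def syslog_pri(severity: str, local_facility: str) -> int:
    """RFC 3164 PRI for a message exported with 'local-facility'.

    With the override every MSS facility is replaced by the one local
    facility, so PRI = local_code * 8 + severity_code.
    """
    return LOCAL_FACILITIES[local_facility] * 8 + SEVERITIES.index(severity)


# Constructed sample messages in the page's layout (not real switch output).
SAMPLE_LOG = [
    "KERNEL Jan 15 23:08:10 ERROR duplicate IP address 192.0.2.17",
    "DOT1X Jan 15 23:08:14 WARNING authentication failed for bob@xmpl.com",
    "AAA Jan 15 23:08:15 INFO user admin logged in",
    "SM Jan 15 23:08:16 DEBUG session state change",
    "this line is not a log message",
]

if __name__ == "__main__":
    # Same selection as 'show log trace severity warning', then the PRI each
    # message would carry if exported with 'local-facility local0'.
    for entry in filter_log(SAMPLE_LOG, severity="warning"):
        print(f"<{syslog_pri(entry.severity, 'local0')}> {entry.facility} {entry.message}")
```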
Clearing the Trace Log
To clear all messages from the trace log buffer, type the following command:
DWS-1008# clear log trace
List of Trace Areas
To see all MSS areas you can trace, type the following command:
DWS-1008# set trace ?
Using Show Commands
To troubleshoot the switch, you can use show commands to display information about different areas of the MSS.
set authentication dot1x *@xmpl.com pass-through sg1
set authentication dot1x *@xmpl.
Remotely Monitoring Traffic
Remote traffic monitoring enables you to snoop wireless traffic by using a Distributed AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal.
• If the snoop filter is running on a Distributed AP, and the AP used a DHCP server in its local subnet to configure its IP information, and the AP did not receive a default gateway address as a result, the observer must also be in the same subnet. Without a default gateway, the AP cannot find the observer.
• The AP that is running a snoop filter forwards snooped packets directly to the observer.
If you omit a condition, all packets match that condition. For example, if you omit frame-type, all frame types match the filter. For most conditions, you can use eq (equal) to match only on traffic that matches the condition value. Use neq (not equal) to match only on traffic that is not equal to the condition value. The observer ip-addr option specifies the IP address of the station where the protocol analyzer is located.
Mapping a Snoop Filter to a Radio
You can map a snoop filter to a radio on a Distributed AP. To map a snoop filter to a radio, use the following command:
set snoop map filter-name dap dap-num radio {1 | 2}
You can map the same filter to more than one radio. You can map up to eight filters to the same radio. If more than one filter has the same observer, the AP sends only one copy of a packet that matches a filter to the observer.
clear snoop map filter-name dap dap-num radio {1 | 2}
The following command removes snoop filter snoop2 from radio 2 on Distributed AP 3:
DWS-1008# clear snoop map snoop2 dap 3 radio 2
success: change accepted.
To remove all snoop filter mappings from all radios, use the following command:
clear snoop map all
Enabling or Disabling a Snoop Filter
A snoop filter does not take effect until you enable it.
DWS-1008# show snoop stats snoop1
Filter  Dap  Radio  Rx Match  Tx Match  Dropped  Stop-After
======  ===  =====  ========  ========  =======  ==========
snoop1  3    1      96        4         0        stopped
Preparing an Observer and Capturing Traffic
To observe monitored traffic, install the following applications on the observer:
• Ethereal or Tethereal Version 0.10.8 or later
• Netcat (any version), if not already installed
Ethereal and Tethereal decode 802.
To disable the decryption option in Ethereal:
a. In the decode window, right-click on the IEEE 802.11 line.
b. Select Protocol Preferences to display the 802.11 Protocol Preferences dialog.
c. Click next to Ignore the WEP bit to deselect the option. This option is applicable for any type of data encryption used by AP radios.
6.
Appendix B - Supported RADIUS Attributes
Supported RADIUS Attributes
D-Link’s Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed below. An attribute is sent to RADIUS accounting only if the table listing it shows Yes or Optional in the column marked Sent in Accounting-Request for the attribute and the attribute is applied to the client’s session configuration.
Service-Type (type 5): No, Yes
Filter-Id (type 11): Yes, No
Reply-Message (type 18): Yes, No, No. String. Text that can be displayed to the user. Multiple Reply-Messages can be included. If any are displayed, they must appear in the order in which they appear in the packet.
State (type 24): Yes, Yes, No. Can be sent by a RADIUS server in an Access-Challenge message to the switch.
Class (type 25): Yes, No, Yes. If received, this information must be sent on, without interpretation, in all subsequent packets sent to the RADIUS server for that client session.
Vendor-Specific (type 26): Yes, No, Yes. String. Allows MSS to support D-Link VSAs.
Session-Timeout (type 27): Yes, No. Maximum number of seconds of service allowed the user before reauthentication of the session. Note.
Acct-Input-Octets (type 42): No, No, Yes. Number of octets received from the port over the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update.
Acct-Output-Octets (type 43): No, No, Yes. Number of octets sent on the port in the course of this service being provided.
Acct-Input-Gigawords (type 52): No, No, Yes. Number of times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update. (For details, see RFC 2869.
Appendix C - DHCP Server
DHCP Server
MSS has a DHCP server that the switch uses to allocate IP addresses to the following:
• Directly connected APs
DHCP service is enabled by default. Optionally, you can configure the DHCP server to also provide IP addresses to Distributed APs and to clients. Configuration is supported on an individual VLAN basis.
How the MSS DHCP Server Works
When MSS receives a DHCP Discover packet, the DHCP server allocates an address from the configured range according to RFC 2131 and ARPs the address to ensure that it is not already in use. If the address is in use, the server allocates the next address in the range, and ARPs again. The process continues until MSS finds an address that is not in use.
The following command enables the DHCP server on VLAN red-vlan to serve addresses from the 192.168.1.5 to 192.168.1.25 range:
DWS-1008# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25
success: change accepted.
DHCP Clients:
Hardware Address: 00:01:02:03:04:05
State: BOUND
Lease Allocation: 43200 seconds
Lease Remaining: 12345 seconds
IP Address: 10.10.20.2
Subnet Mask: 255.255.255.0
Default Gateway: 10.10.20.1
DNS Servers: 10.10.20.4 10.10.20.5
DNS Domain Name: mycorp.
Appendix D - Glossary
Glossary
3DES: A three-round application of the Data Encryption Standard (DES) that uses a 168-bit encryption key. See also DES.
802.1D: The IEEE LAN specification for the operation of media access control (MAC) bridges.
802.1p: An IEEE LAN standard method for classifying packets in bridged virtual LANs (VLANs). As part of 802.1Q protocol, 802.1p defines a field in the VLAN tag of a frame header that provides class-of-service (CoS) definitions at Layer 2.
802.11: An IEEE LAN specification that defines the mobile (wireless) network access link layer. The specification includes the 802.11 media access control (MAC) sublayer of the Data Link layer, and two sublayers of the Physical (PHY) layer—a frequency-hopping spread-spectrum (FHSS) physical layer and a direct-sequence spread-spectrum (DSSS) link layer. Later additions to 802.11 include additional physical layers. See also 802.11a; 802.11b; 802.11g; 802.11i.
802.
access control list: See security ACL.
access point (AP): A hardware unit that acts as a communication hub by linking wireless mobile IEEE 802.11 stations such as PCs to a wired backbone network. A D-Link Mobility System has DWL-8220AP access points. See also ad hoc network; infrastructure network.
ACE: A rule in a security access control list (ACL) that grants or denies a set of network access rights based on one or more criteria.
attribute: In authentication, authorization, and accounting (AAA), a property used to identify (authenticate) a user or to configure (authorize) or record (account for) a user’s administrative or network session. A user’s AAA attributes are stored in a user profile in the local database on a DWS-1008 switch, or on a RADIUS server. Attribute names are case-sensitive. See also RADIUS; VSA.
BSS: Basic service set. A set of wireless stations that communicate with one another through an access point (AP).
BSSID: Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS).
CA: See certificate authority (CA).
CBC-MAC: See CCMP.
CCI: Co-channel interference.
Challenge Handshake Authentication Protocol: See CHAP.
CHAP: Challenge Handshake Authentication Protocol. An authentication protocol that defines a three-way handshake to authenticate a user (client). CHAP uses the MD5 hash algorithm to generate a response to a challenge that can be checked by the authenticator.
cryptography: The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender’s end of a connection, and decrypting the encrypted text back into clear text at the receiver’s end.
DHCP: Dynamic Host Configuration Protocol. A protocol that dynamically assigns IP addresses to stations, from a centralized server. DHCP is the successor to the Bootstrap Protocol (BOOTP).
dictionary attack: An attempt to gain illegal access to a computer or network by logging in repeatedly with passwords that are based on a list of terms in a dictionary.
Diffie-Hellman: A key exchange algorithm that was the first public-key algorithm ever published.
DSSS: Direct-sequence spread-spectrum. One of two types of spread-spectrum radio technology used in wireless LAN (WLAN) transmissions. To increase a data signal’s resistance to interference, the signal at the sending station is combined with a higher-rate bit sequence that spreads the user data in frequency by a factor equal to the spreading ratio. Compare FHSS.
DTIM: Delivery traffic indication map.
EAP over LAN: See EAPoL.
EAP over Wireless: See EAPoL.
EAPoW: See EAPoL.
EAP-TLS: Extensible Authentication Protocol with Transport Layer Security. An EAP subprotocol for 802.1X authentication. EAP-TLS supports mutual authentication and uses digital certificates to fulfill the mutual challenge. When a user (client) requests access, the authentication server responds with a server certificate.
ETSI: European Telecommunications Standards Institute. A nonprofit organization that establishes telecommunications and radio standards for Europe.
European Telecommunications Standards Institute: See ETSI.
extended service set: See ESS.
Extensible Authentication Protocol: See EAP.
Extensible Markup Language: See XML.
forwarding database (FDB): A database maintained on a DWS-1008 switch for the purpose of making Layer 2 forwarding and filtering decisions. Each entry consists of the media access control (MAC) address of a source or destination device, an identifier for the port on which the source or destination station is located, and an identifier for the virtual LAN (VLAN) to which the device belongs.
group transient key: See GTK.
H.323: A set of International Telecommunications Union Telecommunication Standardization Sector (ITU-T) standards that define a framework for the transmission of real-time voice signals over IP packet-switched networks.
hash: A one-way algorithm from whose output the input is computationally infeasible to determine.
IEEE: Institute of Electrical and Electronics Engineers. An American professional society whose standards for the computer and electronics industry often become national or international standards. In particular, the IEEE 802 standards for LANs are widely followed.
IGMP: Internet Group Management Protocol. An Internet protocol, defined in RFC 2236, that enables an Internet computer to report its multicast group membership to neighboring multicast routers.
integrity check value: See ICV.
interface: A place at which independent systems meet and act on or communicate with each other, or the means by which the interaction or communication is accomplished.
International Organization for Standardization: See ISO.
Internet Authentication Service: See IAS.
Internet Group Management Protocol: See IGMP.
Interswitch Link: See ISL.
ISL: Interswitch Link.
LDAP: Lightweight Directory Access Protocol. A protocol defined in RFC 1777 for management and browser applications that require simple read-write access to an X.500 directory without incurring the resource requirements of Directory Access Protocol (DAP). Protocol elements are carried directly over TCP or other transport, bypassing much of the session and presentation overhead.
MAC service data unit: See MSDU.
master secret: A code derived from the pre-master secret. A master secret is used to encrypt Transport Layer Security (TLS) authentication exchanges and also to derive a pairwise master key (PMK). See also PMK; pre-master secret.
maximum transmission unit: See MTU.
MD5: Message-digest algorithm 5. A one-way hashing algorithm used in many authentication algorithms and also to derive cryptographic keys in many algorithms.
minimum data transmit rate: The lowest rate at which a DWL-8220AP access point can transmit data to its associated mobile clients. If the data rate to a client drops below the minimum, the AP increases power, if RF AutoTuning is enabled.
Mobility System Software™ (MSS™): The Trapeze operating system, accessible through a command-line interface (CLI), that enables D-Link Mobility System products to operate as a single system.
network address translation: See NAT.
nonvolatile storage: A way of storing images and configurations so that they are maintained in a unit’s memory whether power to the unit is on or off.
Odyssey: An 802.1X security and access control application for wireless LANs (WLANs), developed by Funk Software, Inc.
OFDM: Orthogonal frequency division multiplexing. A modulation technique that sends data across a number of narrow subcarriers within a specified frequency band.
Per-VLAN Spanning Tree protocol: See PVST+.
PIM: Protocol Independent Multicast protocol. A protocol-independent multicast routing protocol that supports thousands of groups, a variety of multicast applications, and existing Layer 2 subnetwork technologies. PIM can be operated in two modes: dense and sparse. In PIM dense mode (PIM-DM), packets are flooded on all outgoing interfaces to many receivers.
PoE: Power over Ethernet. A technology, defined in the developing IEEE 802.3af standard, to deliver DC power over twisted-pair Ethernet data cables rather than power cords. The electrical current, which enters the data cable at the power-supply end and comes out at the device end, is kept separate from the data signal so neither interferes with the other.
PRNG: Pseudorandom number generator. An algorithm of predictable behavior that generates a sequence of numbers with little or no discernible order, except for broad statistical patterns.
Protected Extensible Authentication Protocol: See PEAP.
Protocol Independent Multicast protocol: See PIM.
pseudorandom function: See PRF.
pseudorandom number generator: See PRNG.
PSK: Preshared key. The IEEE 802.11 term for a shared secret, also known as a shared key.
QoS: Quality of service. A networking technology that seeks to measure, improve, and guarantee transmission rates, error rates, and other performance characteristics, based on priorities, policies, and reservation criteria arranged in advance. Some protocols allow packets or streams to include QoS requirements.
quality of service: See QoS.
RA: See registration authority (RA).
restricted access: Permission to use most Mobility System Software (MSS) command-line interface (CLI) commands required for viewing status information (show commands), except those that list security information in clear text. Users with restricted access can clear ARP requests and ping hosts. Compare enabled access.
scalability: The ability to adapt easily to increased or decreased requirements without impairing performance.
secure hashing algorithm: See SHA.
Secure Shell protocol: See SSH.
Secure Sockets Layer protocol: See SSL.
security ACL: Security access control list. An ordered list of rules to control access to and from a network by determining whether to forward or filter packets that are entering or exiting it.
SIP: Session Initiation Protocol. A signaling protocol that establishes real-time calls and conferences over IP networks.
Spanning Tree Protocol: See STP.
SSH: Secure Shell protocol. A Telnet-like protocol that establishes an encrypted session.
SSID: Service set identifier. The unique name shared among all computers and other devices in a wireless LAN (WLAN).
SSL: Secure Sockets Layer protocol.
syslog server: A remote repository for log messages. D-Link Mobility System Software (MSS) supports up to four syslog servers on virtual LANs (VLANs) whose locations are configurable. MSS log protocol complies with RFC 3164.
TAPA™: Trapeze Access Point Access™ protocol. A point-to-point datagram protocol, developed by D-Link, that defines the way each DWL-8220AP access point communicates with a DWS-1008 switch in a D-Link Mobility System.
TTLS: Tunneled Transport Layer Security. An Extensible Authentication Protocol (EAP) method developed by Funk Software, Inc., and Certicom for 802.1X authentication. TTLS uses a combination of certificates and password challenge and response for authentication. The entire EAP subprotocol exchange of attribute-value pairs takes place inside an encrypted transport layer security (TLS) tunnel.
user glob: A D-Link convention for matching fully qualified structured usernames or sets of usernames during authentication by means of known characters plus two special “wildcard” characters. Double asterisks (**) represent all usernames. A single asterisk (*) can appear either before or after the delimiter in a user glob and can represent any number of characters up to the next delimiter. A delimiter can be an at (@) sign or a dot (.).
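The user-glob matching described in this entry (the same convention the set authentication dot1x *@xmpl.com rule in Appendix A relies on), as an added example that is not D-Link's implementation. It reads the wildcard rules literally, so that a single asterisk never spans a delimiter and must sit next to one; that reading, and the constructed rule table, are assumptions.

```python
"""Match usernames against MSS-style user globs.

Added example, not D-Link's implementation. It follows the glossary
wording literally: '**' matches every username, a single '*' stands for
any run of characters up to the next delimiter, and the delimiters are
'@' and '.'. That a '*' therefore never spans a delimiter, and that a
'*' must sit next to a delimiter, are assumptions drawn from that wording.
"""
import re
from typing import List, Sequence, Tuple

DELIMITERS = "@."
_NON_DELIMITER_RUN = r"[^@.]*"   # what one '*' expands to


def validate_glob(glob: str) -> None:
    """Reject globs the glossary does not describe (raises ValueError)."""
    if glob == "**":
        return
    if not glob or "**" in glob:
        raise ValueError(f"invalid user glob: {glob!r}")
    for i, ch in enumerate(glob):
        if ch != "*":
            continue
        before = i > 0 and glob[i - 1] in DELIMITERS
        after = i + 1 < len(glob) and glob[i + 1] in DELIMITERS
        if not (before or after):
            raise ValueError(f"'*' must be adjacent to a delimiter: {glob!r}")


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a user glob into a regular expression for fullmatch()."""
    validate_glob(glob)
    if glob == "**":
        return re.compile(r".*", re.DOTALL)
    # Everything between asterisks is literal text; each '*' becomes a run
    # of characters that stops at the next '@' or '.'.
    literal_parts = [re.escape(part) for part in glob.split("*")]
    return re.compile(_NON_DELIMITER_RUN.join(literal_parts))


def user_glob_matches(glob: str, username: str) -> bool:
    """True when the whole username is covered by the glob."""
    return glob_to_regex(glob).fullmatch(username) is not None


def matching_rules(rules: Sequence[Tuple[str, str]], username: str) -> List[str]:
    """Return the globs of every rule that matches, in the order given.

    Which of several matching rules MSS applies is not described on the
    page, so this only reports the candidates.
    """
    return [glob for glob, _method in rules if user_glob_matches(glob, username)]


# Constructed rule table (glob, method) modelled on the page's
# 'set authentication dot1x *@xmpl.com pass-through sg1' line.
RULES = [
    ("bob@xmpl.com", "local"),
    ("*@xmpl.com", "pass-through sg1"),
    ("*.*@xmpl.com", "pass-through sg1"),
    ("**", "local"),
]

if __name__ == "__main__":
    for user in ("bob@xmpl.com", "first.last@xmpl.com", "eve@other.example"):
        print(user, "->", matching_rules(RULES, user))
```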
VSA: Vendor-specific attribute. A type of RADIUS attribute that enables a vendor to extend RADIUS operations to fit its own products, without conflicting with existing RADIUS attributes or the VSAs of other companies. Companies can create new authentication and accounting attributes as VSAs.
WECA: Wireless Ethernet Compatibility Alliance. See Wi-Fi Alliance.
WEP: Wired-Equivalent Privacy protocol. A security protocol, specified in the IEEE 802.
Wired-Equivalent Privacy protocol: See WEP.
Wireless Ethernet Compatibility Alliance: See Wi-Fi Alliance.
wireless Internet service provider: See WISP.
wireless LAN: See WLAN.
WISP: Wireless Internet service provider. A company that provides public wireless LAN (WLAN) services.
WLAN: Wireless LAN. A LAN to which mobile users (clients) can connect and communicate by means of high-frequency radio waves rather than wires. WLANs are defined in the IEEE 802.11 standard.
X.500: A standard of the International Organization for Standardization (ISO) and International Telecommunications Union Telecommunication Standardization Sector (ITU-T), for systematically collecting the names of people in an organization into an electronic directory that can be part of a global directory available to anyone in the world with Internet access.
X.
Appendix E - Technical Specifications
Technical Specifications
Hardware Specifications
Physical and Environmental
• Dimensions (W x D x H): 17.4 x 8.2 x 1.72 in (44.2 x 20.8 x 4.4 cm)
• Weight: 5.
EMI / EMC
• FCC PART 15
• ICES PART 15
• VCCI
• EN 55022
• EN 55024
• EN 60101-1-2 (1993)
• CISPR 22
Software Specifications
IEEE
• IEEE Std 802.1X-2001 - Port-Based Network Access Control
• IEEE Std 802.11i - Enhanced Security for 802.11 wireless networks based on AES
• IEEE Std 802.11h
• IEEE Std 802.
General
• RFC 1122 Host requirements
• RFC 1393 Traceroute
• RFC 1519 CIDR
• RFC 1591 DNS (client)
• RFC 1769 SNTP
• RFC 768 UDP
• RFC 783 TFTP
• RFC 791 IP
• RFC 792 ICMP
• RFC 793 TCP
• RFC 826 ARP
• IEEE 802.1D Spanning Tree
• IEEE 802.1Q VLAN tagging
• IEEE 802.
Appendix F - Warranty
Warranty
Subject to the terms and conditions set forth herein, D-Link Systems, Inc. (“D-Link”) provides this Limited warranty for its product only to the person or entity that originally purchased the product from:
• D-Link or its authorized reseller or distributor and
• Products purchased and delivered within the fifty states of the United States, the District of Columbia, U.S. Possessions or Protectorates, U.S.
Except as otherwise agreed by D-Link in writing, the replacement Software is provided only to the original licensee, and is subject to the terms and conditions of the license granted by D-Link for the Software. Software will be warranted for the remainder of the original Warranty Period from the date of original retail purchase.
D-Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package. The product owner agrees to pay D-Link’s reasonable handling and return shipping charges for any product that is not packaged and shipped in accordance with the foregoing requirements, or that is determined by D-Link not to be defective or non-conforming.
Limitation of Liability: TO THE MAXIMUM EXTENT PERMITTED BY LAW, D-LINK IS NOT LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY LOSS OF USE OF THE PRODUCT, INCONVENIENCE OR DAMAGES OF ANY CHARACTER, WHETHER DIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, LOSS OF REVENUE OR PROFIT, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, FAILURE OF OTHER EQUIPMENT
FCC Statement: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communication.
Appendix G - Registration
Registration
Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights.
Revised: April 26, 2006 Version 1.1 D-Link Systems, Inc.