Configuration Guide
Product Model: DWS-3000 Series Unified Wired & Wireless Access System
Release 3.0
February 2011
© Copyright 2011. All rights reserved.
© 2001-2011 D-Link Corporation. All Rights Reserved.
Table of Contents

List of Figures ........ 9
List of Tables ........ 13
About This Book ........ 15
  Document Organization
  CLI/Web Examples - Slot/Port Designations
4 Storm Control ........ 41
  CLI Example ........ 41
    Example #1: Set Broadcast Storm Control for All Interfaces
    Example #2: Set Multicast Storm Control for All Interfaces
    Example #3: Set Unicast Storm Control for All Interfaces
  CLI Examples ........ 70
    Example 1. Enabling Routing for the Switch ........ 70
    Example 2. Enabling Routing for Ports on the Switch ........ 70
  Using the Web Interface to Configure Routing ........ 72
11 VLAN Routing
    Example #8: Show MAC Access Lists ........ 97
  Web Examples ........ 98
    MAC ACL Web Pages ........ 98
    IP ACL Web Pages ........ 101
16 802.1X Network Access Control
  Queue Management Type ........ 140
  CLI Examples ........ 140
  Web Examples ........ 143
22 Differentiated Services ........ 147
  CLI Example
27 Pre-Login Banner ........ 177
  Overview ........ 177
  CLI Example ........ 177
28 Simple Network Time Protocol (SNTP) ........ 179
  Overview
List of Figures

Figure 1. Web Interface Panel-Example ........ 28
Figure 2. Web Interface Panel-Example ........ 29
Figure 3. Configuring an SNMP V3 User Profile ........ 29
Figure 4. System Description Page ........ 31
Figure 5. VLAN Example Network Diagram
Figure 44. RIP Interface Configuration ........ 88
Figure 45. RIP Route Redistribution Configuration ........ 89
Figure 46. IP ACL Example Network Diagram ........ 93
Figure 47. MAC ACL Configuration Page - Create New MAC ACL ........ 98
Figure 48. MAC ACL Rule Configuration - Create New Rule ........ 98
Figure 49.
Figure 88. CoS Interface Configuration Page ........ 144
Figure 89. CoS Interface Queue Configuration Page ........ 145
Figure 90. CoS Interface Queue Status Page ........ 145
Figure 91. DiffServ Internet Access Example Network Diagram ........ 148
Figure 92. DiffServ Configuration
List of Tables

Table 1. Quick Start up Software Version Information ........ 22
Table 2. Quick Start up Physical Port Data ........ 22
Table 3. Quick Start up User Account Management ........ 23
Table 4. Quick Start up IP Address ........ 24
Table 5.
About This Book

This document provides an understanding of the CLI and Web configuration options for D-Link DWS-3000 features.

Document Organization

This document shows examples of the use of the Unified Switch in a typical network. It describes the use and advantages of specific functions provided by the Unified Switch and includes information about configuring those functions using the command-line interface (CLI) and Web interface.
• Management
  - DHCP Filtering
  - Traceroute
  - Configuration Scripting
  - Outbound Telnet
  - Pre-Login Banner
  - Simple Network Time Protocol (SNTP)
  - Syslog
  - Port Description

CLI/Web Examples - Slot/Port Designations

To help you understand configuration tasks, this document contains examples from the CLI and Web Interfaces. The examples are based on the D-Link DWS-3000 switch and use the slot/port naming convention for interfaces, e.g.
1 Getting Started

Connect a terminal to the switch to begin configuration.

In-Band and Out-of-Band Connectivity

Ask the system administrator to determine whether you will configure the switch for in-band or out-of-band connectivity. To use the Web Interface, you must set up your system for in-band connectivity.

Configuring for In-Band Connectivity

In-band connectivity allows you to access the switch from a remote workstation using the Ethernet network.
Gateway      IP address of the default router, if the switch is a node outside the IP range of the LAN
MAC Address  MAC address of the switch

When you connect the switch to the network for the first time after setting up the BootP or DHCP server, it is configured with the information supplied above. The switch is ready for in-band connectivity over the network.
Subnet   Subnet mask for the LAN.
Gateway  IP address of the default router, if the switch is a node outside the IP range of the LAN.

6. To enable these changes to be retained during a reset of the switch, type CTRL+Z to return to the main prompt, type save config at the main menu prompt, and type y to confirm the changes.
7. To view the changes and verify in-band information, issue the command: show network.
8.
Starting the Switch

1. Make sure that the switch console port is connected to a VT100 terminal or a VT100 terminal emulator via the RS-232 crossover cable.
2. Locate an AC power receptacle.
3. Deactivate the AC power receptacle.
4. Connect the switch to the AC receptacle.
5. Activate the AC power receptacle.

When the power is turned on with the local terminal already connected, the switch goes through a power-on self-test (POST).
Unified Switch Installation

This section contains procedures to help you become acquainted quickly with the switch software. Before installing the Unified Switch, you should verify that the switch operates with the most recent firmware.

Quick Starting the Networking Device

1. Configure the switch for In-band or Out-of-Band connectivity. In-band connectivity allows access to the Unified Switch locally or from a remote workstation.
This command saves the changes to the configuration file. You must be in the correct mode to execute the command. If you do not save the configuration, all changes are lost when you power down or reset the networking device.

Quick Start up Software Version Information

Table 1. Quick Start up Software Version Information

Command                  Details
show hardware            Switch: 1
(Privileged EXEC Mode)   System Description..................... D-Link DWS-3026
                         Machine Model..........................
Quick Start up User Account Management

Table 3. Quick Start up User Account Management

Command                  Details
show users               Displays all of the users who are allowed to access the networking device.
(Privileged EXEC Mode)   Access Mode - Shows whether the user is able to change parameters on the networking device (Read/Write) or is only able to view them (Read Only). As a factory default, the admin user has Read/Write access and the guest user has Read Only access.
Quick Start up IP Address

To view the network parameters the operator can access the device by the following three methods.

• Simple Network Management Protocol - SNMP
• Telnet
• Web Browser

NOTE: Helpful Hint: The user should do a 'copy system:running-config nvram:startup-config' after configuring the network parameters so that the configurations are not lost.

Table 4.
Quick Start up Uploading from Networking Device to Out-of-Band PC (XMODEM)

Table 5. Uploading from Networking Device to Out-of-Band PC (XMODEM)

Command                     Details
copy nvram:startup-config   Starts the upload, displays the mode and type of upload, and confirms the upload is progressing.
(Privileged EXEC Mode)
Quick Start up Downloading from TFTP Server

Before starting a TFTP server download, the operator must complete the Quick Start up for the IP Address.

Table 7. Downloading from TFTP Server

Command                          Details
copy // > nvram:startup-config   Sets the destination (download) datatype to be an image (system:image) or a configuration file (nvram:startup-config).
(Privileged EXEC Mode)
2 Using the Web Interface

This chapter is a brief introduction to the Web interface — it explains how to access the Web-based management panels to configure and manage the system.

Tip: Use the Web interface for configuration instead of the CLI interface. Web configuration is quicker and easier than entering multiple required CLI commands.

You can manage your switch through a Web browser and Internet connection. This is referred to as Web-based management.
Starting the Web Interface

Follow these steps to start the switch Web interface:

1. Enter the IP address of the switch in the Web browser address field.
2. Enter the appropriate User Name and Password. The User Name and associated Password are the same as those used for the terminal interface. Click on the Login button.

Figure 1. Web Interface Panel-Example

3. The System Description Menu displays as shown in Figure 2, with the navigation tree appearing to the left of the screen.
4.
Figure 2. Web Interface Panel-Example

Configuring an SNMP V3 User Profile

Configuring an SNMP V3 user profile is a part of user configuration. Any user can connect to the switch using the SNMPv3 protocol, but for authentication and encryption, additional steps are needed. Use the following steps to configure a new SNMP V3 user profile.

Figure 3. Configuring an SNMP V3 User Profile

1. From the LAN navigation menu, select LAN > Administration > User Accounts (see Figure 3).
2. Using the User pull-down menu, select Create to create a new user.
3. Enter a new user name in the User Name field.
4. Enter a new user password in the Password field and then retype it in the Confirm Password field.
   NOTE: If SNMPv3 Authentication is to be implemented for this user, set a password of eight or more alphanumeric characters.
5. If you do not need authentication, go to Step 9.
6.
Switching the Date/Time Zone

To configure the system date and time, from the Administration navigation menu, select System Description (see Figure 4).

Figure 4.
3 Virtual LANs

Adding Virtual LAN (VLAN) support to a Layer 2 switch offers some of the benefits of both bridging and routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast. Like a router, it partitions the network into logical segments, which provides better administration, security and management of multicast traffic. A VLAN is a set of end stations and the switch ports that connect them.
VLAN Configuration Example

The diagram in this section shows a switch with four ports configured to handle the traffic for two VLANs. Port 0/2 handles traffic for both VLANs, while port 0/1 is a member of VLAN 2 only, and ports 0/3 and 0/4 are members of VLAN 3 only. The script following the diagram shows the commands you would use to configure the switch as shown in the diagram.

Figure 5.
CLI Examples

The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port.

Example #1: Create Two VLANs

Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names blank.
(DWS-3024) (Interface 0/4)#exit
(DWS-3024) (Config)#exit

Example #4: Assign VLAN3 as the Default VLAN

This example shows how to assign VLAN 3 as the default VLAN for port 0/2.

(DWS-3024) #config
(DWS-3024) (Config)#interface 0/2
(DWS-3024) (Interface 0/2)#vlan pvid 3
(DWS-3024) (Interface 0/2)#exit
(DWS-3024) (Config)#exit

Example #5: Assign IP Addresses to VLAN 2

(DWS-3024) #vlan database
(DWS-3024) (Vlan)#vlan association subnet 192.168.10.10 255.255.255.
To specify the handling of untagged frames on receipt use the LAN > L2 Features > VLAN > Port Configuration page.

Figure 7. VLAN Port Configuration

Private Edge VLANs

Use the Private Edge VLAN feature to prevent ports on the switch from forwarding traffic to each other even if they are on the same VLAN.

• Protected ports cannot forward traffic to other protected ports in the same group, even if they have the same VLAN membership.
• Protected ports can forward traffic to unprotected ports.
CLI Example

Example #1: switchport protected

(DWS-3024) #config
(DWS-3024) (Config)#interface 0/1
(DWS-3024) (Interface 0/1)#switchport protected ?

Press Enter to execute the command.

(DWS-3024) (Interface 0/1)#switchport protected

Example #2: show switchport protected

(DWS-3024) #show switchport protected 0/1

Voice VLAN

The voice VLAN feature enables switch ports to carry voice traffic with defined settings so that voice and data traffic are separated when coming onto the port.
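The following Python model is added here as an example; it is not code from the D-Link guide. It applies the forwarding rules described in this chapter: an untagged frame is classified by the ingress port's PVID, a frame is flooded only to member ports of its VLAN, and a protected port never forwards to another protected port. The VLAN membership and the PVID of 3 on port 0/2 follow the chapter's four-port example; the remaining PVIDs, the ingress-filtering rule and the choice of 0/3 and 0/4 as protected ports are assumptions made for the illustration.

```python
"""VLAN and Private Edge VLAN forwarding model.

Added example (not code from the D-Link guide). Membership follows the
chapter's four-port example: 0/2 in VLANs 2 and 3, 0/1 in VLAN 2 only,
0/3 and 0/4 in VLAN 3 only, PVID 3 on 0/2. The other PVIDs, the ingress
filtering rule and the protected port set are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VlanSwitch:
    members: Dict[int, Set[str]]                      # VLAN ID -> member ports
    pvid: Dict[str, int]                              # port -> VLAN ID for untagged frames
    protected: Set[str] = field(default_factory=set)  # Private Edge VLAN ports

    def classify(self, port: str, tag: Optional[int]) -> int:
        """Tagged frames keep their VLAN ID; untagged frames take the port PVID."""
        return tag if tag is not None else self.pvid[port]

    def egress_ports(self, ingress: str, tag: Optional[int]) -> List[str]:
        """Ports an unknown-destination frame is flooded to, in sorted order."""
        vid = self.classify(ingress, tag)
        vlan_ports = self.members.get(vid, set())
        # Assumed ingress filtering: a frame for a VLAN the ingress port is
        # not a member of is dropped.
        if ingress not in vlan_ports:
            return []
        out = []
        for port in sorted(vlan_ports):
            if port == ingress:
                continue
            # Protected ports cannot forward to other protected ports, even
            # when both are members of the same VLAN.
            if ingress in self.protected and port in self.protected:
                continue
            out.append(port)
        return out


def example_switch() -> VlanSwitch:
    """The chapter's topology, with 0/3 and 0/4 assumed to be protected."""
    return VlanSwitch(
        members={2: {"0/1", "0/2"}, 3: {"0/2", "0/3", "0/4"}},
        pvid={"0/1": 2, "0/2": 3, "0/3": 3, "0/4": 3},
        protected={"0/3", "0/4"},
    )


if __name__ == "__main__":
    sw = example_switch()
    for ingress, tag in [("0/2", None), ("0/2", 2), ("0/3", None), ("0/1", 3)]:
        print(f"frame in on {ingress} tag={tag}: flood to {sw.egress_ports(ingress, tag)}")
```

Running it shows why the PVID matters on port 0/2: an untagged frame arriving there lands in VLAN 3 and reaches only 0/3 and 0/4, while the same frame tagged with VLAN 2 reaches only 0/1. A frame from protected port 0/3 is forwarded to 0/2 but not to its protected neighbour 0/4.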
Figure 8. Voice VLAN Configuration

The Voice VLAN Configuration page contains the following fields:

• Voice VLAN Admin Mode — Click Enable or Disable to administratively turn the Voice VLAN feature on or off for all ports.
• Unit/Slot/Port — Select the stack unit, slot, and port to configure this service on.
• Voice VLAN Interface Mode — Select one of the following interface modes:
  - Disable: The voice VLAN service is disabled on this interface.
4 Storm Control

A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The Unified Switch's Storm Control feature protects against this condition. The Unified Switch provides broadcast, multicast, and unicast storm recovery for individual interfaces or for all interfaces. Unicast Storm Control protects against traffic whose MAC addresses are not known by the system.
Enter the storm-control threshold as percent of port speed.

(DWS-3024) (Config)#storm-control broadcast all level 7
(DWS-3024) (Config)#exit
(DWS-3024)

Example #2: Set Multicast Storm Control for All Interfaces

(DWS-3024) #config
(DWS-3024) (Config)#storm-control multicast all ?

                 Press Enter to execute the command.
level            Configure storm-control thresholds.
Web Interface

The Storm Control configuration options are available on the Port Configuration Web page under the Administration folder.

Figure 9.
5 Trunking (Link Aggregation)

This section shows how to use the Trunking feature (also known as Link Aggregation) to configure port-channels by using the CLI and the Web interface. The Link Aggregation (LAG) feature allows the switch to treat multiple physical links between two end-points as a single logical link called a port-channel. All of the physical links in a given port-channel must operate in full-duplex mode at the same speed.
Figure 10 shows the example network.

Figure 10.
(DWS-3024) #show port-channel all

Log.   Port-Channel        Adm.   Trap   STP                  Mbr     Port    Port
Intf   Name          Link  Mode   Mode   Mode   Type          Ports   Speed   Active
------ ------------- ----- ------ ------ ------ ------------- ------- ------- ------
3/1    lag_10        Down  En.    En.    Dis.   Dynamic
3/2    lag_20        Down  En.    En.    Dis.
Web Interface Configuration — LAGs/Port-channels

To perform the same configuration using the Web interface, use the LAN > L2 Features > Trunking > Configuration page.

Figure 11. Trunking Configuration

To create the port-channels, specify port participation and enable Link Aggregation (LAG) support on the switch.
6 IGMP Snooping

This section describes the Internet Group Management Protocol (IGMP) feature: IGMPv3 and IGMP Snooping. The IGMP Snooping feature enables the switch to monitor IGMP transactions between hosts and routers. It can help conserve bandwidth by allowing the switch to forward IP multicast traffic only to connected hosts that request multicast traffic.
Example #2: show mac-address-table igmpsnooping

(DWS-3024) #show mac-address-table igmpsnooping ?

Press Enter to execute the command.
Web Examples

The following web pages are used in the IGMP Snooping feature. Click Help for more information on the web interface.

Figure 12.
Figure 13. IGMP Snooping - Interface Configuration Page

Figure 14. IGMP Snooping VLAN Configuration
Figure 15. IGMP Snooping - VLAN Status Page

Figure 16.
Figure 17. IGMP Snooping - Multicast Router Configuration Page

Figure 18. IGMP Snooping - Multicast Router VLAN Statistics Page
Figure 19.
7 Port Mirroring

This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks.

Overview

Port mirroring selects network traffic from specific ports for analysis by a network analyzer, while allowing the same traffic to be switched to its destination. You can configure many switch ports as source ports and one switch port as a destination port. You can also configure how traffic is mirrored on a source port.
Example #2: Show the Port Mirroring Session

(DWS-3024) #show monitor session 1

Session ID   Admin Mode   Probe Port   Mirrored Port   Type
----------   ----------   ----------   -------------   -----
1            Enable       0/8          0/7             Rx,Tx

(DWS-3024) #

Monitor session ID "1" - "1" is a hardware limitation.
Web Examples

The following web pages are used with the Port Mirroring feature.

Figure 20. Multiple Port Mirroring

Figure 21.
Figure 22. System - Port Utilization Summary
8 Link Layer Discovery Protocol

The Link Layer Discovery Protocol (LLDP) feature allows individual interfaces on the switch to advertise major capabilities and physical descriptions. Network managers can view this information and identify system topology and detect bad configurations on the LAN. LLDP has separately configurable transmit and receive functions. Interfaces can transmit and receive LLDP information.
(DWS-3024) #

Example #2: Set Interface LLDP Parameters

The following commands configure interface 0/10 to transmit and receive LLDP information.

(DWS-3024) #config
(DWS-3024) (Config)#interface 0/10
(DWS-3024) (Interface 0/10)#lldp ?

notification     Enable/Disable LLDP remote data change notifications.
receive          Enable/Disable LLDP receive capability.
transmit         Enable/Disable LLDP transmit capability.
transmit-mgmt    Include/Exclude LLDP management address TLV.
transmit-tlv
Using the Web Interface to Configure LLDP

The LLDP menu page contains links to the following features:

• LLDP Configuration
• LLDP Statistics
• LLDP Connections

LLDP Configuration

Use the LLDP Global Configuration page to specify LLDP parameters.

Figure 23. LLDP Global Configuration

The LLDP Global Configuration page contains the following fields:

• Transmit Interval (1-32768) — Specifies the interval at which frames are transmitted. The default is 30 seconds.
Use the LLDP Interface Configuration screen to specify transmit and receive functions for individual interfaces.

Figure 24. LLDP Interface Configuration

Interface Parameters

• Interface — Specifies the port to be affected by these parameters.
• Transmit Mode — Enables or disables the transmit function. The default is disabled.
• Receive Mode — Enables or disables the receive function. The default is disabled.
Figure 25. LLDP Interface Summary

Figure 26. LLDP Statistics

You can also use the pages in the LAN > Monitoring > LLDP Status folder to view information about local and remote devices.
9 Denial of Service Attack Protection

This section describes the D-Link DWS-3000 switch's Denial of Service Protection feature.

Overview

Denial of Service:

• Spans two categories:
  - Protection of the Unified Switch
  - Protection of the network
• Protects against the exploitation of a number of vulnerabilities which would make the host or network unstable
• Compliant with Nessus. Nessus is a widely-used vulnerability assessment tool.
First Fragment Mode............................
Min TCP Hdr Size...............................
TCP Fragment Mode..............................
TCP Flag Mode..................................
L4 Port Mode...................................
ICMP Mode......................................
Max ICMP Pkt Size..............................
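To make the modes in this status output concrete, the following Python filter is added as an example of the kind of header checks each mode stands for; it is not D-Link code and does not reproduce the switch's implementation. The guide's description of each mode is cut off in this extract, so the rule attached to every mode below, and the default thresholds of 20 bytes for Min TCP Hdr Size and 512 bytes for Max ICMP Pkt Size, are assumptions chosen for the illustration.

```python
"""Header checks standing for the Denial of Service modes in 'show dos-control'.

Added example, not D-Link code. The rule behind each mode and the default
thresholds (Min TCP Hdr Size 20, Max ICMP Pkt Size 512) are assumptions,
since the guide's descriptions are cut off in this extract.
"""
from dataclasses import dataclass
from typing import List, Tuple

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0             # TCP flag bits
    seq: int = 1               # TCP sequence number
    frag_offset: int = 0       # IP fragment offset (8-byte units)
    tcp_hdr_len: int = 20      # TCP header length in the first fragment
    icmp_type: int = 0
    icmp_size: int = 0         # ICMP payload size in bytes


@dataclass
class DosControl:
    first_fragment: bool = True
    min_tcp_hdr_size: int = 20
    tcp_fragment: bool = True
    tcp_flag: bool = True
    l4_port: bool = True
    icmp: bool = True
    max_icmp_pkt_size: int = 512

    def violations(self, p: Packet) -> List[str]:
        """Names of the enabled modes the packet trips (empty list means clean)."""
        hits = []
        tcp = p.proto == "tcp"
        # First Fragment: the first fragment of a TCP packet must carry a full TCP header.
        if self.first_fragment and tcp and p.frag_offset == 0 and p.tcp_hdr_len < self.min_tcp_hdr_size:
            hits.append("first-fragment")
        # TCP Fragment: an offset of 1 lands inside the TCP header carried by fragment 0.
        if self.tcp_fragment and tcp and p.frag_offset == 1:
            hits.append("tcp-fragment")
        # TCP Flag: flag patterns typical of malformed or crafted segments.
        if self.tcp_flag and tcp:
            if p.flags & SYN and p.flags & FIN:
                hits.append("tcp-flag:syn+fin")
            if p.flags & SYN and p.sport < 1024:
                hits.append("tcp-flag:syn-low-src-port")
            if p.flags == 0 and p.seq == 0:
                hits.append("tcp-flag:null")
            if (p.flags & (FIN | URG | PSH)) == (FIN | URG | PSH) and p.seq == 0:
                hits.append("tcp-flag:fin+urg+psh")
        # L4 Port: source and destination port are equal.
        if self.l4_port and p.proto in ("tcp", "udp") and p.sport == p.dport:
            hits.append("l4-port")
        # ICMP: echo requests whose payload exceeds the configured maximum.
        if self.icmp and p.proto == "icmp" and p.icmp_type == 8 and p.icmp_size > self.max_icmp_pkt_size:
            hits.append("icmp-size")
        return hits


def filter_packets(ctl: DosControl, packets: List[Packet]) -> Tuple[list, list]:
    """Split packets into (forwarded, dropped); each entry is (packet, reasons)."""
    forwarded, dropped = [], []
    for p in packets:
        hits = ctl.violations(p)
        (dropped if hits else forwarded).append((p, hits))
    return forwarded, dropped


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("tcp", sport=51000, dport=443, flags=SYN),                    # ordinary SYN
    Packet("tcp", sport=51001, dport=80, flags=SYN | FIN),               # SYN and FIN together
    Packet("udp", sport=53, dport=53),                                   # equal ports
    Packet("icmp", icmp_type=8, icmp_size=1400),                         # oversized echo request
    Packet("tcp", sport=51002, dport=25, frag_offset=0, tcp_hdr_len=8),  # short first fragment
]

if __name__ == "__main__":
    fwd, drop = filter_packets(DosControl(), SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for p, reasons in drop:
        print(f"  dropped {p.proto} {p.sport}->{p.dport}: {reasons}")
```

Each mode maps to one independent check, so disabling a mode on the `DosControl` instance (for example `DosControl(l4_port=False)`) lets the corresponding packets through while the others are still enforced; that is the behaviour to verify after changing any of the modes shown in the status output.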
10 Port Routing

The first networks were small enough for the end stations to communicate directly. As networks grew, Layer 2 bridging was used to segregate traffic, a technology that worked well for unicast traffic, but had problems coping with large quantities of multicast packets. The next major development was routing, where packets were examined and redirected at Layer 3.
• Routing Table Object - responsible for maintaining the routing table populated by local and static routes.

CLI Examples

The diagram in this section shows a Unified Switch configured for port routing. It connects three different subnets, each connected to a different port. The script shows the commands you would use to configure a Unified Switch to provide the port routing support shown in the diagram.

Figure 28. Port Routing Example Network Diagram (diagram labels: Subnet 3, Port 0/3)
Network directed broadcast frames are dropped and the maximum transmission unit (MTU) size is 1500 bytes.

config
interface 0/2
routing
ip address 192.150.2.2 255.255.255.0
exit
exit
config
interface 0/3
routing
ip address 192.130.3.1 255.255.255.0
exit
exit
config
interface 0/5
routing
ip address 192.64.4.1 255.255.255.
Using the Web Interface to Configure Routing

Use the following screens to perform the same configuration using the Graphical User Interface:

To enable routing for the switch, as shown in Example 1. Enabling Routing for the Switch, use the LAN > L3 Features > IP > Configuration page.

Figure 29. IP Configuration

To configure routing on each interface, as shown in Example 2. Enabling Routing for Ports on the Switch, use the LAN > L3 Features > IP > Interface Configuration page.

Figure 30.
11 VLAN Routing

You can configure the Unified Switch with some ports supporting VLANs and some supporting routing. You can also configure the Unified Switch to allow traffic on a VLAN to be treated as if the VLAN were a router port. When a port is enabled for bridging (default) rather than routing, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN. Its MAC Destination Address (MAC DA) and VLAN ID are used to search the MAC address table.
Figure 31. VLAN Routing Example Network Diagram (diagram labels: Layer 3 Switch with Physical Port 0/1, Physical Port 0/2, Physical Port 0/3, VLAN Router Port 4/1 192.150.3.1 and VLAN Router Port 4/2 192.150.4.1; two Layer 2 Switches, one carrying VLAN 10 and one carrying VLAN 20)

Example 1: Create Two VLANs

The following commands show an example of how to create two VLANs with egress frame tagging enabled.
Next specify the VLAN ID assigned to untagged frames received on the ports.

config
interface 0/1
vlan pvid 10
exit
interface 0/2
vlan pvid 10
exit
interface 0/3
vlan pvid 20
exit
exit

Example 2: Set Up VLAN Routing for the VLANs and the Switch

The following commands show how to enable routing for the VLANs:

vlan database
vlan routing 10
vlan routing 20
exit
show ip vlan

This returns the logical interface IDs that will be used in subsequent routing commands.
Using the Web Interface to Configure VLAN Routing

You can perform the same configuration by using the Web Interface.

Use the LAN > L2 Features > VLAN > VLAN Configuration page to create the VLANs, specify port participation, and configure whether frames will be transmitted tagged or untagged.

Figure 32. VLAN Configuration

Use the LAN > L2 Features > VLAN > Port Configuration page to specify the handling of untagged frames on receipt.

Figure 33.
Use the LAN > L3 Features > VLAN Routing > Configuration page to enable VLAN routing and configure the ports.

Figure 34. VLAN Routing Configuration

To enable routing for the switch, use the LAN > L3 Features > IP > Configuration page.

Figure 35.
Use the LAN > L3 Features > IP > Interface Configuration page to enable routing for the ports and configure their IP addresses and subnet masks.

Figure 36. IP Interface Configuration
12 Virtual Router Redundancy Protocol

When an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate. Since static configuration is a convenient way to assign router addresses, Virtual Router Redundancy Protocol (VRRP) was developed to provide a backup mechanism.
Figure 37. VRRP Example Network Configuration (diagram labels: Layer 3 Switch acting as Router 1; Layer 3 Switch acting as Router 2; Port 0/2 192.150.2.1; Port 0/4 192.150.4.1; Virtual Router ID 20 and Virtual Addr. 192.150.2.1 on both routers; Layer 2 Switch; Hosts)

Example 1: Configuring VRRP on the Switch as a Master Router

Enable routing for the switch. IP forwarding is then enabled by default.
Specify the IP address that the virtual router function will recognize. Note that the virtual IP address on port 0/2 is the same as the port's actual IP address; therefore this router will always be the VRRP master when it is active, and the priority default is 255.

ip vrrp 20 ip 192.150.2.1

Enable VRRP on the port.

ip vrrp 20 mode
exit

Example 2: Configuring VRRP on the Switch as a Backup Router

Enable routing for the switch.
Using the Web Interface to Configure VRRP

Use the following screens to perform the same configuration using the Graphical User Interface:

To enable routing for the switch, use the LAN > L3 Features > IP > Configuration page.

Figure 38. IP Configuration

To enable routing for the ports and configure their IP addresses and subnet masks, use the LAN > L3 Features > IP > Interface Configuration page.

Figure 39. IP Interface Configuration
To enable VRRP for the switch, use the LAN > L3 Features > VRRP > VRRP Configuration page.

Figure 40. VRRP Configuration

To configure virtual router settings, use the LAN > L3 Features > VRRP > Virtual Router Configuration page.

Figure 41.
13 Proxy Address Resolution Protocol (ARP)

This section describes the Proxy Address Resolution Protocol (ARP) feature.

Overview

• Proxy ARP allows a router to answer ARP requests where the target IP address is not the router itself but a destination that the router can reach.
• If a host does not know the default gateway, proxy ARP can learn the first hop.
• Machines in one physical network appear to be part of another logical network.
Example #2: ip proxy-arp

(DWS-3024) (Interface 0/24)#ip proxy-arp ?

Press Enter to execute the command.

(DWS-3024) (Interface 0/24)#ip proxy-arp

Web Example

The following web pages are used in the proxy ARP feature.

Figure 42.
14 Routing Information Protocol (RIP)

This section describes the Routing Information Protocol (RIP). RIP is an Interior Gateway Protocol (IGP) based on the Bellman-Ford algorithm and targeted at smaller networks (network diameter no greater than 15 hops).

Overview

The routing information is propagated in RIP update packets that are sent out both periodically and in the event of a network topology change.
Figure 43. RIP Configuration

RIP Interface Configuration

Use the Interface Configuration page to enable and configure or to disable RIP on a specific interface. To display the page, click L3 Features > RIP > Interface Configuration in the navigation tree.

Figure 44. RIP Interface Configuration

RIP Route Redistribution Configuration

Use the RIP Route Redistribution Configuration page to configure which routes are redistributed to other routers using RIP.
Figure 45.
15 Access Control Lists (ACLs)

This section describes the Access Control Lists (ACLs) feature.

Overview

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. Normally ACLs reside in a firewall router or in a router connecting two internal networks. ACL Logging provides a means for counting the number of "hits" against an ACL rule.
• The order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL is denied access.

MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet:

• Source MAC address
• Source MAC mask
• Destination MAC address
• Destination MAC mask
• VLAN ID
• Class of Service (CoS) (802.
ACL Configuration Process
To configure ACLs, follow these steps:
• Create a MAC ACL by specifying a name.
• Create an IP ACL by specifying a number.
• Add new rules to the ACL.
• Configure the match criteria for the rules.
• Apply the ACL to one or more interfaces.
IP ACL CLI Example
The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same.
Example #1: Create ACL 179 and Define an ACL Rule
After the wildcard mask has been applied, this rule permits TCP packets whose source IP address matches the specified source network and that are addressed to the specified destination IP address.
config
access-list 179 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.0
Example #2: Define the Second Rule for ACL 179
Define the rule to set similar conditions for UDP traffic as for TCP traffic.
access-list 179 permit udp 192.168.77.0 0.0.0.
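To make the first-match precedence and implicit deny described in the overview concrete, here is an added example (not D-Link's code) that evaluates rules written in this page's access-list syntax against sample packets. The UDP rule is completed as the text describes it (same source network and destination host as the TCP rule); the per-rule hit counters stand in for ACL Logging.

```python
"""Added example (not from the D-Link guide): evaluate IP ACL rules written in the
page's 'access-list <id> <action> <proto> <src> <src-wildcard> <dst> <dst-wildcard>'
syntax with first-match precedence, an implicit deny, and per-rule hit counters."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    acl_id: str
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", "icmp", ... or "ip" (assumed here to mean any protocol)
    src: int
    src_wild: int      # wildcard (inverse) mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    hits: int = 0      # stands in for the ACL Logging hit counter


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_rule(line: str) -> Rule:
    """Parse one access-list line as it appears in the guide's CLI example."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(tok[1], tok[2], tok[3].lower(),
                _addr(tok[4]), _addr(tok[5]), _addr(tok[6]), _addr(tok[7]))


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """True when every bit NOT set in the wildcard mask agrees between addr and base.
    0.0.0.0 therefore means "exactly this host"; 0.0.0.255 means "this /24"."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(rules: list[Rule], proto: str, src: str, dst: str) -> tuple[str, int | None]:
    """Return (action, index of the matching rule) for a packet. Rules are checked in
    order and the first match wins; no match means the implicit deny (index None)."""
    s, d = _addr(src), _addr(dst)
    for i, r in enumerate(rules):
        if r.proto not in (proto.lower(), "ip"):
            continue
        if wildcard_match(s, r.src, r.src_wild) and wildcard_match(d, r.dst, r.dst_wild):
            r.hits += 1
            return r.action, i
    return "deny", None


# Constructed ACL 179 from the guide: the TCP rule is verbatim, the UDP rule is completed
# as the text describes it (same source network and destination host).
ACL_179 = [
    "access-list 179 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.0",
    "access-list 179 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.0",
]


def load_acl(lines: list[str]) -> list[Rule]:
    return [parse_rule(line) for line in lines]


if __name__ == "__main__":
    rules = load_acl(ACL_179)
    for proto, src, dst in [("tcp", "192.168.77.10", "192.168.77.3"),
                            ("udp", "192.168.77.200", "192.168.77.3"),
                            ("tcp", "192.168.78.10", "192.168.77.3"),   # wrong source network
                            ("tcp", "192.168.77.10", "192.168.77.4"),   # wrong destination host
                            ("icmp", "192.168.77.10", "192.168.77.3")]: # protocol not permitted
        print(proto, src, "->", dst, evaluate(rules, proto, src, dst))
    print("hits per rule:", [r.hits for r in rules])
```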
Example #5: Specify MAC ACL Attributes
(DWS-3024) (Config)#mac access-list extended mac1
(DWS-3024) (Config-mac-access-list)#deny ?
any            Configure a match condition for all the source MAC addresses in the Source MAC Address field.
               Enter a MAC Address.
(DWS-3024) (Config-mac-access-list)#deny any ?
any            Configure a match condition for all the destination MAC addresses in the Destination MAC Address field.
bpdu
               Enter a MAC Address.
Example #6: Configure MAC Access Group
(DWS-3024) (Config)#interface 0/5
(DWS-3024) (Interface 0/5)#mac ?
access-group   Attach MAC Access List to Interface.
(DWS-3024) (Interface 0/5)#mac access-group ?
               Enter name of MAC Access Control List.
(DWS-3024) (Interface 0/5)#mac access-group mac1 ?
in             Enter the direction.
(DWS-3024) (Interface 0/5)#mac access-group mac1 in ?
<1-4294967295>
Press Enter to execute the command.
Example #7: Set up an ACL with Permit Action
(DWS-3024) (Config)#mac access-list extended mac2
(DWS-3024) (Config-mac-access-list)#permit ?
any            Configure a match condition for all the source MAC addresses in the Source MAC Address field.
               Enter a MAC Address.
(DWS-3024) (Config-mac-access-list)#permit any ?
any            Configure a match condition for all the destination MAC addresses in the Destination MAC Address field.
               Enter a MAC Address.
Web Examples
Use the Web pages in this section to configure and view MAC access control lists and IP access control lists.
MAC ACL Web Pages
The following figures show the pages available to view and configure MAC ACL settings.
Figure 47. MAC ACL Configuration Page - Create New MAC ACL
Figure 48. MAC ACL Rule Configuration - Create New Rule
Figure 49. MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask
Figure 50.
Figure 51. ACL Interface Configuration
Figure 52. MAC ACL Summary
Figure 53. MAC ACL Rule Summary
IP ACL Web Pages
The following figures show the pages available to view and configure standard and extended IP ACL settings.
Figure 54.
Figure 55. IP ACL Configuration Page - Create a Rule and Assign an ID
Figure 56. IP ACL Rule Configuration Page - Rule with Protocol and Source IP Configuration
Figure 57.
Figure 58. IP ACL Summary
Figure 59. IP ACL Rule Summary
16 802.1X Network Access Control
Port-based network access control allows the operation of a system’s port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so. Port Access Control provides a means of preventing unauthorized access by supplicants or users to the services offered by a system.
simpler. At the start of service for a user, the RADIUS client that is configured to use accounting sends an accounting start packet specifying the type of service that it will deliver. Once the server responds with an acknowledgement, the client periodically transmits accounting data. At the end of service delivery, the client sends an accounting stop packet allowing the server to update specified statistics. The server again responds with an acknowledgement.
802.
Guest VLAN
The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users. This feature provides a mechanism that allows visitors and contractors to reach the external network with no ability to access the internal LAN. When a client that does not support 802.1X is connected to an unauthorized port that is 802.1X-enabled, the client does not respond to the 802.1X requests from the switch.
Configuring the Guest VLAN by Using the Web Interface
To enable the Guest VLAN feature by using the Web interface, use the LAN > Security > 802.1x > 802.1X Setting page. To configure the Guest VLAN settings on a port, use the LAN > Security > 802.1x > 802.1X Port Setting page.
Configuring Dynamic VLAN Assignment
The software also supports VLAN assignment for clients based on the RADIUS server authentication. To enable the switch to accept VLAN assignment by the RADIUS server, use the authorization network radius command in Global Config mode. To enable the VLAN Assignment Mode by using the Web interface, use the LAN > Security > 802.1x > 802.1X Setting page and select Enable from the VLAN Assignment Mode menu.
17 Captive Portal
The Captive Portal (CP) feature allows you to block wired and wireless clients from accessing the network until user verification has been established. The example in this section shows how to configure a captive portal and associate it with a physical interface so that any wired client that attempts to access the network through that interface must enter a username and password that is verified by a local user database.
C. Click Submit.
NOTE: To customize the page that captive portal users see when they first access the network, click the (English) tab. You can change the text on the page, the logos that display, and the color scheme.
3. Configure a captive portal user.
A. Navigate to the LAN > Security > Captive Portal > Local User page.
B. Click Add.
C. Enter the user name user1 and the password 12345678.
D. Click Add.
4. Associate the appropriate interfaces to the configured captive portal.
A.
C. In the Interface List column, CTRL + Click to select interface Slot 0 Port 1 through Slot 0 Port 10.
D. Click Add.
CLI Example
Use the following commands to perform the same configuration by using the CLI.
To access the CP WEB Customization page, click the language link above the page title. For example, to customize the way the English version of the captive portal page looks, click (English). Use the menu above the customization fields to select the area of the captive portal Web page to customize. The page areas are divided into the following five categories:
• Global Parameters—Contains settings that can be shared across other CP pages.
Figure 62. CP Web Page Customization—Authentication Page
Figure 63.
Figure 64. CP Web Page Customization—Logout Page
Figure 65. CP Web Page Customization—Logout Success Page
Client Authentication Logout Request
The administrator can optionally configure and enable ‘user logout’. This feature allows the authenticated client to deauthenticate from the network. In response to the request, the authenticated user, connected either through a wireless connection or through a wired connection, is removed from the connection status tables.
Captive Portal Rate Limiting
This feature is also supported only by the DWL-8600AP. It is not supported by the DWL-3500AP and DWL-8500AP. This feature is provided only for WLAN clients and not for wired clients. Rate Limiting is supported for Captive Portal users as well. CP Rate Limiting is applicable for a Managed AP only.
Description: Maximum number of octets the user is allowed to receive. After this limit has been reached the user will be disconnected. If the attribute is 0 or not present then use the value configured for the captive portal.
Range: Integer
Usage: Optional
Radius Attribute: D-Link-Max-Total-Octets
Number: 171, 126
Description: Maximum number of octets the user is allowed to transfer (sum of octets transmitted and received).
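As an added example (not D-Link's code), the following encodes and decodes a limit attribute such as D-Link-Max-Total-Octets as an RFC 2865 Vendor-Specific Attribute and applies the fallback rule stated above. It assumes that "Number: 171, 126" denotes vendor ID 171 and vendor type 126, that the value is a 32-bit unsigned integer, and that the portal default passed in is a constructed value.

```python
"""Added example (not from the D-Link guide): build and parse an RFC 2865
Vendor-Specific Attribute (type 26) carrying an integer limit such as
D-Link-Max-Total-Octets, and apply the guide's rule that a value of 0 or an
absent attribute falls back to the limit configured on the captive portal."""
import struct
from typing import Dict, Tuple

VSA_TYPE = 26                 # RFC 2865 Vendor-Specific attribute type
DLINK_VENDOR_ID = 171         # assumed from "Number: 171, 126" on this page
MAX_TOTAL_OCTETS_VTYPE = 126  # assumed vendor-type from the same line


def encode_int_vsa(vendor_id: int, vendor_type: int, value: int) -> bytes:
    """Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value(4).
    Vendor-Length counts the vendor-type and vendor-length bytes, hence 6."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value must fit in 32 bits")
    return struct.pack(">BBIBBI", VSA_TYPE, 12, vendor_id, vendor_type, 6, value)


def parse_attributes(blob: bytes) -> Dict[Tuple[int, int], int]:
    """Walk a RADIUS attribute list and return {(vendor_id, vendor_type): value}
    for every well-formed 4-byte-integer VSA; other attributes are skipped.
    A bogus or truncated length stops parsing instead of reading past the buffer."""
    found: Dict[Tuple[int, int], int] = {}
    pos = 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            break                      # do not trust anything after a malformed length
        if atype == VSA_TYPE and alen >= 8:
            vid = struct.unpack(">I", blob[pos + 2:pos + 6])[0]
            sub = blob[pos + 6:pos + alen]
            while len(sub) >= 2:       # a VSA may carry several vendor sub-attributes
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    break
                if vlen == 6:          # 4-byte integer payload
                    found[(vid, vtype)] = struct.unpack(">I", sub[2:6])[0]
                sub = sub[vlen:]
        pos += alen
    return found


def effective_limit(attrs: Dict[Tuple[int, int], int], portal_default: int) -> int:
    """Per the guide: if the attribute is 0 or not present, use the captive portal's value."""
    value = attrs.get((DLINK_VENDOR_ID, MAX_TOTAL_OCTETS_VTYPE), 0)
    return value if value > 0 else portal_default


if __name__ == "__main__":
    # constructed Access-Accept attribute list: Session-Timeout (27) followed by the D-Link VSA
    reply = struct.pack(">BBI", 27, 6, 3600) + encode_int_vsa(
        DLINK_VENDOR_ID, MAX_TOTAL_OCTETS_VTYPE, 50_000_000)
    attrs = parse_attributes(reply)
    print(attrs, "->", effective_limit(attrs, portal_default=10_000_000))
```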
18 Port Security
This section describes the Port Security feature.
Overview
Port Security:
• Allows for limiting the number of MAC addresses on a given port.
• Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
• Is enabled on a per-port basis.
• When locked, only packets with an allowable MAC address will be forwarded.
• Supports both dynamic and static locking.
• Implements two traffic filtering methods. These methods can be used concurrently.
CLI Examples
The following are examples of the commands used in the Port Security feature.
Example #1: show port security
(DWS-3024) #show port-security ?
Press Enter to execute the command.
all           Display port-security information for all interfaces
              Display port security information for a specific interface.
dynamic       Display dynamically learned MAC addresses.
static        Display statically locked MAC addresses.
violation
Web Examples
The following Web pages are used in the Port Security feature.
Figure 66. Port Security Administration
Figure 67.
Figure 68. Port Security Statically Configured MAC Addresses
To view Port Security status information, navigate to LAN > Monitoring > Port Security from the navigation panel.
Figure 69. Port Security Dynamically Learned MAC Addresses
Figure 70.
19 RADIUS
Making use of a single database of accessible information – as in an Authentication Server – can greatly simplify the authentication and management of users in a large network. One such type of Authentication Server supports the Remote Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865. For authenticating users prior to access, the RADIUS standard has become the protocol of choice by administrators of large accessible networks.
Assigning a Client Name in a Local MAC Authentication List
The client name is assigned at the time the client entry is created in the local MAC Authentication list. To modify the name of an existing client entry, the entry must be deleted and then re-added with the changed name.
RADIUS Fail-through and Failover Server Support
A secondary or backup RADIUS server can be defined for wireless client authentication using WPA-Enterprise security.
NOTE: RADIUS fail-through mode is not available for Captive Portal client authentication and RADIUS-based MAC authentication.
RADIUS Configuration Examples
Configuring RADIUS for Wired Clients
This example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The shared secrets are configured to be secret1 and secret2 respectively. The server at 10.10.10.10 is configured as the primary server.
secret1
secret1
radius server host auth 11.11.11.11
radius server key auth 11.11.11.11
secret2
secret2
radius server primary 10.10.10.10
authentication login radiusList radius local
users defaultlogin radiusList
exit
Using the Web Interface
The following Web screens show how to perform the configuration described in the example.
Figure 72. Add a RADIUS Server
Figure 73.
Figure 74. Create an Authentication List
Figure 75. Configure the Authentication List
Figure 76. Set the User Login
Configuring RADIUS Fail-through on a Managed AP
This example configures a secondary RADIUS server and the RADIUS fail-through feature in the global profile for an AP managed by a DWS-3000 Switch. (This example assumes that a primary RADIUS server has already been configured in the AP profile.) Note that the same commands can be used in Network Profile mode to configure these parameters on a particular wireless network.
Enabling Failthrough Mode at the Global Level
Enabling Failthrough Mode for a Particular Network
20 TACACS+
TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ is based on the TACACS protocol described in RFC 1492. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.
Figure 77. DWS-3000 with TACACS+ Unified Switch
When a user attempts to log into the switch, the NAS or switch prompts for a user name and password. The switch attempts to communicate with the highest priority configured TACACS+ server at 10.10.10.10. Upon successful connection with the server, the switch and server exchange the login credentials over an encrypted channel.
Configuring TACACS+ by Using the Web Interface
The following Web screens show how to perform the configuration described in the example.
Figure 78. Add a TACACS+ Server
Figure 79.
Figure 80. Create an Authentication List (TACACS+)
Figure 81. Configure the Authentication List (TACACS+)
Figure 82.
21 Class of Service Queuing
The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To set up this preferential treatment, you can configure the ingress ports, the egress ports, and individual queues on the egress ports to provide customization that suits your environment. The level of service is determined by the egress port queue to which the traffic is assigned.
CoS Mapping Table for Trusted Ports
Mapping is from the designated field values on trusted ports’ incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets from trusted ports to egress queues.
Figure 83. CoS Mapping and Queue Configuration (the figure shows ingress packets A (UserPri=3), B (UserPri=7), C (untagged) and D (UserPri=6) arriving over time on Port 0/10 in mode 'trust dot1p')
Figure 84. CoS Configuration Example System Diagram (Port 0/10, Port 0/8, Server)
You will configure the ingress interface uniquely for all cos-queue and VLAN parameters.
configure
interface 0/10
classofservice trust dot1p
classofservice dot1p-mapping 6 3
vlan priority 2
exit
interface 0/8
cos-queue min-bandwidth 0 0 5 5 10 20 40 0
cos-queue strict 6
exit
exit
You can also set traffic shaping parameters for the interface.
Web Examples
The following web pages are used for the Class of Service feature.
Figure 85. 802.1p Priority Mapping Page
Figure 86.
Figure 87. IP DSCP Mapping Configuration Page
Figure 88. CoS Interface Configuration Page
Figure 89. CoS Interface Queue Configuration Page
Figure 90.
22 Differentiated Services
Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol. This section explains how to configure the Unified Switch to identify which traffic class a packet belongs to, and how it should be handled to provide the desired quality of service.
• The Unified Switch supports the Traffic Conditioning Policy type which is associated with an inbound traffic class and specifies the actions to be performed on packets meeting the class rules:
- Marking the packet with a given DSCP, IP precedence, or CoS
- Policing packets by dropping or re-marking those that exceed the class’s assigned data rate
- Counting the traffic within the class
• Service – Assigns a policy to an interface for inbound traffic.
2. Create a DiffServ class of type “all” for each of the departments, and name them. Define the match criteria -- Source IP address -- for the new classes.
class-map match-all finance_dept
match srcip 172.16.10.0 255.255.255.0
exit
class-map match-all marketing_dept
match srcip 172.16.20.0 255.255.255.0
exit
class-map match-all test_dept
match srcip 172.16.30.0 255.255.255.0
exit
class-map match-all development_dept
match srcip 172.16.40.0 255.255.255.0
exit
3.
queue attribute. It is presumed that the switch will forward this traffic to interface 0/5 based on a normal destination address lookup for internet traffic.
interface 0/5
cos-queue min-bandwidth 0 25 25 25 25 0 0 0
exit
exit
Adding Color-Aware Policing Attribute
Policing in the DiffServ feature uses either “color blind” or “color aware” mode. Color blind mode ignores the coloration (marking) of the incoming packet.
3. View information about the DiffServ policy and class configuration. In the following example, the interface specified is interface 0/1. The policy is attached to interfaces 0/1 through 0/4.
(DWS-3024) #show diffserv service 0/1 in
DiffServ Admin Mode............................
Interface......................................
Direction......................................
Operational Status.............................
Policy Name....................................
Figure 92. DiffServ Configuration
Figure 93. DiffServ Class Configuration
Figure 94. DiffServ Class Configuration - Add Match Criteria
Figure 95.
Figure 96. DiffServ Class Configuration
Figure 97. DiffServ Class Summary
Figure 98. DiffServ Policy Configuration
Figure 99.
Figure 100. DiffServ Policy Class Definition
Figure 101. Assign Queue
Figure 102. DiffServ Policy Summary
Figure 103.
Figure 104. DiffServ Service Configuration
Figure 105. DiffServ Service Summary
Configuring the Color-Aware Attribute by Using the Web
The following screens show the additional steps to take to configure the finance_dept class with a color-aware attribute.
1. Add a new class to serve as the auxiliary traffic class.
A. From the Class Selector menu on the DiffServ Class Configuration page, select Create.
B. After the screen refreshes, enter color_class in the Class field.
C. Select All as the Class Type.
D. Click Submit.
C. After the screen refreshes, enter values for the Committed Rate and Committed Burst Size fields.
D. Click Configure Selected Attribute.
The DiffServ Policy Attribute Summary page appears so you can view information about all of the policies and their attributes configured on the system.
DiffServ for VoIP Configuration Example
One of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive: for a network to provide acceptable service, a guaranteed transmission rate is vital. This example shows one way to provide the necessary quality of service: how to set up a class for UDP traffic, have that traffic marked on the inbound side, and then expedite the traffic on the outbound side.
Configuring DiffServ VoIP Support Example
Enter Global Config mode. Set queue 5 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.
config
cos-queue strict 5
diffserv
Create a DiffServ classifier named 'class_voip' and define a single match criterion to detect UDP packets.
23 DHCP Filtering
This section describes the Dynamic Host Configuration Protocol (DHCP) Filtering feature.
Overview
DHCP filtering provides security by filtering untrusted DHCP messages. An untrusted message is a message that is received from outside the network or firewall, and that can cause traffic attacks within the network. You can use DHCP Filtering as a security measure against unauthorized DHCP servers.
CLI Examples
The commands shown below are examples of configuring DHCP Filtering for the switch and for individual interfaces.
Use the DHCP Filtering Configuration page to configure the DHCP Filtering admin mode on the switch.
Figure 107. DHCP Filtering Configuration
Use the DHCP Filtering Interface Configuration page to configure DHCP Filtering on specific interfaces.
Figure 108. DHCP Filtering Interface Configuration
To view the DHCP Filtering settings on each interface, use the DHCP Filter Binding Information page under LAN > Monitoring > DHCP Filter Summary.
Figure 109. DHCP Filter Binding Information
24 Traceroute
This section describes the Traceroute feature. Use Traceroute to discover the routes that packets take when traveling on a hop-by-hop basis to their destination through the network.
(DWS-3024) #traceroute ?
Enter IP address.
(DWS-3024) #traceroute 216.109.118.74 ?
Press Enter to execute the command.
Enter port no.
(DWS-3024) #traceroute 216.109.118.74
Tracing route over a maximum of 20 hops
1   10.254.24.1
2   10.254.253.1
3   63.237.23.33
4   63.144.4.1
5   63.144.1.141
6   205.171.21.89
7   205.171.8.154
8   205.171.8.222
9   205.171.251.34
10  209.244.219.181
11  209.244.11.9
12  4.68.121.146
13  4.79.228.2
14  216.115.96.185
15  216.109.120.203
16  216.
25 Configuration Scripting
Configuration Scripting allows you to generate a text-formatted script file that shows the current configuration of the system. You can generate multiple scripts and upload and apply them to more than one switch.
Overview
Configuration Scripting:
• Provides scripts that can be uploaded and downloaded to the system.
• Provides flexibility to create command configuration scripts.
• Can be applied to several switches.
• Can save up to ten scripts or 500K of memory.
list       Lists all configuration script files present on the switch.
show       Displays the contents of configuration script.
validate   Validate the commands of configuration script.
Example #2: script list and script delete
(DWS-3024) #script list
Configuration Script Name   Size(Bytes)
-------------------------   -----------
basic.scr                   93
running-config.scr          3201
2 configuration script(s) found.
1020706 bytes free.
(DWS-3024) #script delete basic.
Example #5: copy nvram: script
Use this command to upload a configuration script.
(DWS-3024) #copy nvram: script running-config.scr tftp://192.168.77.52/running-config.scr
Mode......................... TFTP
Set TFTP Server IP........... 192.168.77.52
TFTP Path.................... ./
TFTP Filename................ running-config.scr
Data Type.................... Config Script
Source Filename.............. running-config.
Example #7: Validate another Configuration Script
(DWS-3024) #script validate default.scr
network parms 172.30.4.2 255.255.255.0 0.0.0.0
vlan database
exit
configure
lineconfig
exit
spanning-tree configuration name 00-18-00-00-00-10
interface 0/1
exit
interface 0/2
exit
interface 0/3
exit
... continues through interface 0/26 ...
exit
exit
Configuration script 'default.scr' validation succeeded.
26 Outbound Telnet
This section describes the Outbound Telnet feature.
Overview
Outbound Telnet:
• Feature establishes an outbound telnet connection between a device and a remote host.
• When a telnet connection is initiated, each side of the connection is assumed to originate and terminate at a “Network Virtual Terminal” (NVT).
• Server and user hosts do not maintain information about the characteristics of each other’s terminals and terminal handling conventions.
• Must use a valid IP address.
Example #1: show network
(DWS-3024) >telnet 192.168.77.151
Trying 192.168.77.151...
(DWS-3024)
User:admin
Password:
(DWS-3024)>enable
Password:
(DWS-3024)#show network
IP Address...............................192.168.77.151
Subnet Mask..............................255.255.255.0
Default Gateway..........................192.168.77.127
Burned In MAC Address....................00:10:18:82:04:E9
Locally Administered MAC Address.........00:00:00:00:00:00
MAC Address Type......................
<0-5>    Configure the maximum number of outbound telnet sessions allowed.
(DWS-3024) (Line)#session-limit 5
(DWS-3024) (Line)#session-timeout ?
<1-160>  Enter time in minutes.
(DWS-3024) (Line)#session-timeout 15
Web Example
You can set up the Outbound Telnet session through the Web interface. You can:
• Enable or disable administration mode
• Set how many sessions you want
• Set the session time outs
Figure 110.
27 Pre-Login Banner
This section describes the Pre-Login Banner feature.
Overview
Pre-Login Banner:
• Allows you to create message screens when logging into the CLI Interface
• By default, no Banner file exists
• Banner can be uploaded or downloaded
• File size cannot be larger than 2K
The Pre-Login Banner feature is only for the CLI interface.
CLI Example
To create a Pre-Login Banner, follow these steps:
1. On your PC, using Notepad or another text editor, create a banner.
(DWS-3024) #copy tftp://192.168.77.52/banner.txt nvram:clibanner
Mode...........................................TFTP
Set TFTP Server IP.............................192.168.77.52
TFTP Path......................................./
TFTP Filename..................................banner.txt
Data Type......................................
28 Simple Network Time Protocol (SNTP)
This section describes the Simple Network Time Protocol (SNTP) feature.
Overview
SNTP:
• Used for synchronizing network resources
• Adaptation of NTP
• Provides synchronized network timestamp
• Can be used in broadcast or unicast mode
• SNTP client implemented over UDP which listens on port 123
CLI Examples
The following are examples of the commands used in the SNTP feature.
Example #3: show sntp server
(DWS-3024) #show sntp server
Server IP Address:        81.169.155.234
Server Type:              ipv4
Server Stratum:           3
Server Reference Id:      NTP Srv: 212.186.110.32
Server Mode:              Server
Server Maximum Entries:   3
Server Current Entries:   1
SNTP Servers
------------
IP Address:               81.169.155.
Address Type:
Priority:
Version:
Port:
Last Update Time:
Last Attempt Time:
Last Update Status:
Total Unicast Requests:
Failed Unicast Requests:
Example #6: configuring sntp server
(DWS-3024)(Config) #sntp server 192.168.10.234 ?
<1-3>   Enter SNTP server priority from 1 to 3.
Press Enter to execute the command.
Example #7: configure sntp client port
(DWS-3024)(Config) #sntp client port 1 ?
<6-10>  Enter value in the range (6 to 10). Poll interval is 2^(value) in seconds.
Press Enter to execute the command.
Figure 113. SNTP Server Configuration Page
To configure SNTP server settings, use the LAN > Admin > SNTP > Time Zone Configuration page.
Figure 114. Time Zone Configuration Page
To configure SNTP server settings, use the LAN > Admin > SNTP > Summer Time Configuration page.
Figure 115.
29 Syslog
This section provides information about the Syslog feature.
Overview
Syslog:
• Allows you to store system messages and/or errors
• Can store to local files on the switch or a remote server running a syslog daemon
• Method of collecting message logs from many systems
Interpreting Log Files
<130> JAN 01 00:00:06 0.0.0.0-1 UNKN [0x800023]: bootos.
(Callouts A through I in the original figure mark the fields of this sample entry.)
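As an added example (not from the guide), here is a parser for entries in the form shown above: it splits the PRI value into facility and severity per the syslog convention (130 = facility 16, local0, severity 2, critical) and selects entries at error severity or worse. The first sample line is the guide's; the other two are constructed, and the source field is assumed to be the sender IP address followed by a unit number.

```python
"""Added example (not from the D-Link guide): parse switch syslog entries of the form
<PRI> MON DD HH:MM:SS <source> <component> [<hex code>]: <message>
and split PRI into facility and severity (PRI = facility * 8 + severity)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
# short names for facility codes 0-23 (16-23 are local0-local7)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<stamp>[A-Z]{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<source>\S+)\s+"                     # e.g. 0.0.0.0-1: sender IP plus unit (assumed)
    r"(?P<component>\S+)\s+"
    r"\[(?P<code>0x[0-9A-Fa-f]+)\]:\s*"
    r"(?P<message>.*)$")


@dataclass
class Entry:
    facility: str
    severity: int
    severity_name: str
    timestamp: str
    source: str
    component: str
    code: str
    message: str


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry, or None if the line does not have the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                     # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return Entry(FACILITIES[facility], severity, SEVERITIES[severity], m["stamp"],
                 m["source"], m["component"], m["code"], m["message"])


def entries_at_or_above(lines: List[str], worst_allowed: int = 3) -> List[Entry]:
    """Entries whose severity is numerically <= worst_allowed (default 3: error or worse).
    Unparseable lines are skipped rather than silently treated as harmless."""
    out = []
    for line in lines:
        e = parse_entry(line)
        if e is not None and e.severity <= worst_allowed:
            out.append(e)
    return out


# First line is the guide's sample; the other two are constructed for this example.
SAMPLE_LOG = [
    "<130> JAN 01 00:00:06 0.0.0.0-1 UNKN [0x800023]: bootos.",
    "<134> JAN 01 00:02:10 0.0.0.0-1 TRAPMGR [0x800023]: Link Up: 0/1",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_entry(line))
    print("needs attention:", entries_at_or_above(SAMPLE_LOG))
```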
CLI Examples
The following are examples of the commands used in the Syslog feature.
Example #3: show logging traplogs
(DWS-3024) #show logging traplogs
Number of Traps Since Last Reset............... 16
Trap Log Capacity.............................. 256
Number of Traps Since Log Last Viewed..........
Example #5: logging port configuration
(DWS-3024) #config
(DWS-3024) (Config)#logging ?
buffered      Buffered (In-Memory) Logging Configuration.
cli-command   CLI Command Logging Configuration.
console       Console Logging Configuration.
host          Enter IP Address for Logging Host
syslog        Syslog Configuration.
(DWS-3024) (Config)#logging host ?
              Enter Logging Host IP Address
reconfigure   Logging Host Reconfiguration
remove        Logging Host Removal
(DWS-3024) (Config)#logging host 192.168.
Web Examples
The following web pages are used with the Syslog feature.
Figure 116. Log - Syslog Configuration Page
Figure 117.
Figure 118. Log - Hosts Configuration Page - Add Host
Figure 119. Log - Hosts Configuration Page
30 Port Description
The Port Description feature lets you specify an alphanumeric interface identifier that can be used for SNMP network management.
CLI Example
Use the commands shown below for the Port Description feature.
Example #1: Enter a Description for a Port
This example specifies the name “Test” for port 0/10:
config
interface 0/10
description Test
exit
exit
Example #2: Show the Port Description
show port description 0/10
Interface.......0/10
ifIndex.........10
Description.....Test
MAC Address..
Configuring Port Description with the Web Interface
Use the following Web screen to enter Port Description information.
Figure 120. Port Configuration Screen - Set Port Description