M4250 Datasheet

ManualsBrandsNETGEAR ManualsComputers & Accessories24x1G PoE+ 300W 2x1G and 4xSFP Managed Switch

Loopback interfaces are available as dynamic, stable IP addresses for other devices on the network, and for routing protocols

SupportofRoutingInformationProtocol(RIPv2)as

adistancevectorprotocolspeciedinRFC2453for

IPv4

• Each route is characterized by the number of gateways, or hops, a packet must traverse to reach its intended

destination

• Categorizedasaninteriorgatewayprotocol,RIPoperateswithinthescopeofanautonomoussystem

IPMultinettingallowstoconguremorethanoneIPaddressonanetworkinterface(othervendorsmaycallitIPAliasingorSecondaryAddressing)

ICMPThrottlingfeatureaddscongurationoptions

forthetransmissionofvarioustypesofICMPmes-

sages

• ICMPRedirectscanbeusedbyamalicioussendertoperformman-in-the-middleattacks,ordivert

packetstoamaliciousmonitor,ortocauseDenialofService(DoS)byblackholingthepackets

• ICMPEchoRequestsandothermessagescanbeusedtoprobeforvulnerablehostsorrouters

• RatelimitingICMPerrormessagesprotectsthelocalrouterandthenetworkfromsendingalargenumberof

messagesthattakeCPUandbandwidth

ThePolicyBasedRoutingfeature(PBR)overrides

routing decision taken by the router and makes the

packet to follow different actions based on a policy

• It provides freedom over packet routing/forwarding instead of leaving the control to standard routing proto-

cols based on L3

• For instance, some organizations would like to dictate paths instead of following the paths shown by

routing protocols

• Network Managers/Administrators can set up policies such as:

– My network will not carry trafﬁc from the Engineering department

– Trafﬁc originating within my network with the following characteristics will take path A, while other trafﬁc

will take path B

– When load sharing needs to be done for the incoming trafﬁc across multiple paths based on packet

entities in the incoming trafﬁc

Enterprise security

TrafccontrolMACFilterandPortSecurityhelprestrictthetrafcallowedintoandoutofspeciedportsorinterfacesinthesysteminordertoincreaseoverallsecurity

andblockMACaddressoodingissues

DHCPSnoopingmonitorsDHCPtrafcbetweenDHCPclientsandDHCPserverstolterharmfulDHCPmessageandbuildsabindingsdatabaseof(MACaddress,IP

address,VLANID,port)tuplesthatareconsideredauthorizedinordertopreventDHCPserverspoongattacks

IPsourceguardandDynamicARPInspectionusetheDHCPsnoopingbindingsdatabaseperportandperVLANtodropincomingpacketsthatdonotmatchany

bindingandtoenforcesourceIP/MACaddressesformalicioususerstrafcelimination

Time-basedLayer2/Layer3-v4/Layer3-v6/Layer4AccessControlLists(ACLs)canbebindedtoports,Layer2interfaces,VLANsandLAGs(LinkAggregationGroups

orPortchannel)forfastunauthorizeddatapreventionandrightgranularity

Forin-bandswitchmanagement,managementACLsonCPUinterface(ControlPlaneACLs)areusedtodenetheIP/MACorprotocolthroughwhichmanagement

access is allowed for increased HTTP/HTTPS or Telnet/SSH management security

Out-of-bandmanagementisavailableviadedicatedserviceport(1GRJ45OOB)whenin-bandmanagementcanbeprohibitedviamanagementACLs

Bridgeprotocoldataunit(BPDU)GuardallowsthenetworkadministratortoenforcetheSpanningTree(STP)domainbordersandkeeptheactivetopologyconsistent

and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to inﬂuence the overall STP by creating loops

SpanningTreeRootGuard(STRG)enforcestheLayer2networktopologybypreventingroguerootbridgespotentialissueswhenforinstance,unauthorizedor

unexpected new equipment in the network may accidentally become a root bridge for a given VLAN

Dynamic 802.1x VLAN assignment mode, including

Dynamic VLAN creation mode and Guest VLAN / Un-

authenticated VLAN are supported for rigorous user

and equipment RADIUS policy server enforcement

• Upto48clients(802.1x)perportaresupported,includingtheauthenticationoftheusersdomain,inorder

tofacilitateconvergentdeployments.ForinstancewhenIPphonesconnectPCsontheirbridge,IPphones

andPCscanauthenticateonthesameswitchportbutunderdifferentVLANassignmentpolicies(Voice

VLANversusotherProductionVLANs)

802.1xMACAddressAuthenticationBypass(MAB)is

a supplemental authentication mechanism that lets

non-802.1x devices bypass the traditional 802.1x

process altogether, letting them authenticate to

thenetworkusingtheirclientMACaddressasan

identiﬁer

• AlistofauthorizedMACaddressesofclientNICsismaintainedontheRADIUSserverforMABpurpose

• MAB can be conﬁgured on a per-port basis on the switch

• MABinitiatesafterunsuccessfuldot1xauthenticationprocess(congurabletimeout),whenclientsdon’t

respond to any of EAPOL packets

• When802.1Xunawareclientstrytoconnect,theswitchsendstheMACaddressofeachclienttotheauthen-

tication server

• TheRADIUSservercheckstheMACaddressoftheclientNICagainstthelistofauthorizedaddresses

• The RADIUS server returns the access policy and VLAN assignment to the switch for each client

PAGE 13 of 57

AV Line Managed Switches

Datasheet | M4250 series

AV Line Managed Switches