Data Sheet

ManualsBrandsNETGEAR ManualsComputers & Accessories8xMulti-Gig PoE+ (240W) and 2xSFP+ (shared) Managed Switch

Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be binded to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation

Groups or Port channel) for fast unauthorized data prevention and right granularity

For in-band switch management, management ACLs on CPU interface (Control Plane ACLs) are used to deﬁne the IP/MAC or protocol through which management

access is allowed for increased HTTP/HTTPS or Telnet/SSH management security

Out-of-band management is available via dedicated service port (1G RJ45 OOB) when in-band management can be prohibited via management ACLs

Bridge protocol data unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent

and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to inﬂuence the overall STP by creating loops

Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing rogue root bridges potential issues when for instance, unauthorized or unex-

pected new equipment in the network may accidentally become a root bridge for a given VLAN

Dynamic 802.1x VLAN assignment mode, including

Dynamic VLAN creation mode and Guest VLAN /

Unauthenticated VLAN are supported for rigorous user

and equipment RADIUS policy server enforcement

• Up to 48 clients (802.1x) per port are supported, including the authentication of the users domain, in

order to facilitate convergent deployments. For instance when IP phones connect PCs on their bridge, IP

phones and PCs can authenticate on the same switch port but under dierent VLAN assignment policies

(Voice VLAN versus other Production VLANs)

802.1x MAC Address Authentication Bypass (MAB)

is a supplemental authentication mechanism that lets

non-802.1x devices bypass the traditional 802.1x

process altogether, letting them authenticate to the

network using their client MAC address as an identiﬁer

• A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purpose

• MAB can be conﬁgured on a per-port basis on the switch

• MAB initiates aer unsuccesful dot1x authentication process (conﬁgurable time out), when clients don’t

respond to any of EAPOL packets

• When 802.1X unaware clients try to connect, the switch sends the MAC address of each client to the

authentication server

• The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses

• The RADIUS server returns the access policy and VLAN assignment to the switch for each client

With Successive Tiering, the Authentication Manager

allows for authentication methods per port for a Tiered

Authentication based on conﬁgured time-outs

• By default, conﬁguration authentication methods are tried in this order: Dot1x, then MAB, then Captive

Portal (web authentication)

• With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies

– For instance, when a client is connecting, M4200 tries to authencate the user/client using the three

methods above, the one aer the other

• The admin can restrict the conﬁguration such that no other method is allowed to follow the captive portal

method, for instance

Double VLANs (DVLAN - QinQ) pass trac from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are

preserved and a service provider VLAN ID is added to the trac so the trac can pass the metro core in a simple, secure manner

Private VLANs (with Primary VLAN, Isolated VLAN,

Community VLAN, Promiscuous port, Host port,

Trunks) provide Layer 2 isolation between ports that

share the same broadcast domain, allowing a VLAN

broadcast domain to be partitioned into smaller point-

to-multipoint subdomains accross switches in the

same Layer 2 network

• Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but

need to communicate with a router

• They remove the need for more complex port-based VLANs with respective IP interface/subnets and

associated L3 routing

• Another Private VLANs typical application are carrier-class deployments when users shouldn’t see, snoop

or attack other users’ trac

Secure Shell (SSH) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured

TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch conﬁguration, based on

latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP

and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password

Superior quality of service

Advanced classiﬁer-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization

8 queues for priorities and various QoS policies based on 802.1p (CoS) and DiServ can be applied to interfaces and VLANs

Advanced rate limiting down to 1 Kbps granularity and mininum-guaranteed bandwidth can be associated with ACLs for best granularity

ProSAFE® Intelligent Edge Managed Switches Data Sheet

M4200 series

Page 9 of 31