M4250 Datasheet

Enterprise security
TrafccontrolMACFilterandPortSecurityhelprestrictthetrafcallowedintoandoutofspeciedportsorinterfacesinthesysteminordertoincreaseoverallsecurity
andblockMACaddressoodingissues
DHCPSnoopingmonitorsDHCPtrafcbetweenDHCPclientsandDHCPserverstolterharmfulDHCPmessageandbuildsabindingsdatabaseof(MACaddress,IP
address,VLANID,port)tuplesthatareconsideredauthorizedinordertopreventDHCPserverspoongattacks
IPsourceguardandDynamicARPInspectionusetheDHCPsnoopingbindingsdatabaseperportandperVLANtodropincomingpacketsthatdonotmatchany
bindingandtoenforcesourceIP/MACaddressesformalicioususerstrafcelimination
Time-basedLayer2/Layer3-v4/Layer3-v6/Layer4AccessControlLists(ACLs)canbebindedtoports,Layer2interfaces,VLANsandLAGs(LinkAggregationGroups
orPortchannel)forfastunauthorizeddatapreventionandrightgranularity
Forin-bandswitchmanagement,managementACLsonCPUinterface(ControlPlaneACLs)areusedtodenetheIP/MACorprotocolthroughwhichmanagement
access is allowed for increased HTTP/HTTPS or Telnet/SSH management security
Out-of-band management is available via a dedicated service port (1G RJ45 OOB), so that in-band management can be prohibited entirely via management ACLs
Bridgeprotocoldataunit(BPDU)GuardallowsthenetworkadministratortoenforcetheSpanningTree(STP)domainbordersandkeeptheactivetopologyconsistent
and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to influence the overall STP by creating loops
SpanningTreeRootGuard(STRG)enforcestheLayer2networktopologybypreventingroguerootbridgespotentialissueswhenforinstance,unauthorizedor
unexpected new equipment in the network may accidentally become a root bridge for a given VLAN
Dynamic 802.1x VLAN assignment mode, including Dynamic VLAN creation mode and Guest VLAN / Unauthenticated VLAN, is supported for rigorous user and equipment RADIUS policy server enforcement
• Upto48clients(802.1x)perportaresupported,includingtheauthenticationoftheusersdomain,inorder
tofacilitateconvergentdeployments.ForinstancewhenIPphonesconnectPCsontheirbridge,IPphones
andPCscanauthenticateonthesameswitchportbutunderdifferentVLANassignmentpolicies(Voice
VLANversusotherProductionVLANs)
802.1xMACAddressAuthenticationBypass(MAB)is
a supplemental authentication mechanism that lets
non-802.1x devices bypass the traditional 802.1x
process altogether, letting them authenticate to
thenetworkusingtheirclientMACaddressasan
identifier
• AlistofauthorizedMACaddressesofclientNICsismaintainedontheRADIUSserverforMABpurpose
• MAB can be configured on a per-port basis on the switch
• MABinitiatesafterunsuccessfuldot1xauthenticationprocess(congurabletimeout),whenclientsdon’t
respond to any of EAPOL packets
• When802.1Xunawareclientstrytoconnect,theswitchsendstheMACaddressofeachclienttotheauthen-
tication server
• TheRADIUSservercheckstheMACaddressoftheclientNICagainstthelistofauthorizedaddresses
• The RADIUS server returns the access policy and VLAN assignment to the switch for each client
With Successive Tiering, the Authentication Manager allows several authentication methods per port, for a Tiered Authentication based on configured time-outs
• Bydefault,congurationauthenticationmethodsaretriedinthisorder:Dot1x,thenMAB,thenCaptivePortal
(webauthentication)
• With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies
For instance, when a client is connecting, the M4250 tries to authenticate the user/client using the three methods above, one after the other
• The administrator can also restrict the configuration so that, for instance, no other method is allowed to follow the captive portal method
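The MAB steps and the tiered ordering described above (Dot1x, then MAB after the EAPOL timeout, then Captive Portal, with the option of restricting which methods may follow) are shown here as an added simulation in Python. This is example code written for this page, not NETGEAR's Authentication Manager; the RADIUS stand-in dictionaries, the 30-second timeout, the guest VLAN number and the client records are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Stand-in for the RADIUS policy server (constructed data for the demonstration)
RADIUS_USERS = {"alice": ("s3cret", 20)}          # EAP / web identity -> (password, VLAN)
RADIUS_MAB_MACS = {"00:11:22:33:44:55": 30}       # authorized client NIC -> VLAN
GUEST_VLAN = 99                                    # Guest / Unauthenticated VLAN


@dataclass
class Client:
    mac: str
    answers_eapol: bool = False                   # is an 802.1X supplicant present?
    eap_credentials: Optional[tuple] = None       # (user, password) sent by the supplicant
    portal_credentials: Optional[tuple] = None    # (user, password) typed into the web page


@dataclass
class PortAuthConfig:
    """Per-port method order; a shorter tuple is how the administrator restricts tiering."""
    order: tuple = ("dot1x", "mab", "captive-portal")
    dot1x_timeout: float = 30.0                   # seconds of unanswered EAPOL before the next tier


@dataclass
class Outcome:
    method: Optional[str]                         # method that admitted the client, or None
    vlan: int                                     # VLAN the port is placed in
    elapsed: float                                # simulated seconds until a decision
    trace: list = field(default_factory=list)


def _check_user(cred):
    """RADIUS stand-in for password-based methods: returns the VLAN or None."""
    if cred is None:
        return None
    user, pw = cred
    rec = RADIUS_USERS.get(user)
    return rec[1] if rec and rec[0] == pw else None


def authenticate(cfg, client):
    """Run the configured methods in order, falling through on reject or timeout."""
    out = Outcome(None, GUEST_VLAN, 0.0)
    for method in cfg.order:
        if method == "dot1x":
            if not client.answers_eapol:
                out.elapsed += cfg.dot1x_timeout      # EAPOL requests stay unanswered
                out.trace.append("dot1x: timeout, no EAPOL response")
                continue
            vlan = _check_user(client.eap_credentials)
            out.trace.append(f"dot1x: {'accept' if vlan else 'reject'}")
        elif method == "mab":
            # the switch sends the client MAC to RADIUS as the identity
            vlan = RADIUS_MAB_MACS.get(client.mac)
            out.trace.append(f"mab: {client.mac} {'accept' if vlan else 'reject'}")
        elif method == "captive-portal":
            vlan = _check_user(client.portal_credentials)
            out.trace.append(f"captive-portal: {'accept' if vlan else 'reject'}")
        else:
            raise ValueError(f"unknown method {method}")
        if vlan is not None:
            out.method, out.vlan = method, vlan
            return out
    out.trace.append(f"all methods failed: guest VLAN {GUEST_VLAN}")
    return out


def demo():
    """Four constructed clients on the default order, plus one port restricted to the portal."""
    cfg = PortAuthConfig()
    laptop = Client("00:aa:bb:cc:dd:ee", answers_eapol=True, eap_credentials=("alice", "s3cret"))
    printer = Client("00:11:22:33:44:55")                          # no supplicant, MAC known to RADIUS
    visitor = Client("00:de:ad:be:ef:01", portal_credentials=("alice", "s3cret"))
    unknown = Client("00:de:ad:be:ef:02")                          # nothing to offer
    return {
        "laptop": authenticate(cfg, laptop),
        "printer": authenticate(cfg, printer),
        "visitor": authenticate(cfg, visitor),
        "unknown": authenticate(cfg, unknown),
        "portal-only": authenticate(PortAuthConfig(order=("captive-portal",)), printer),
    }
```

The simulation makes the cost of tiering visible: every client without a supplicant waits out the full dot1x timeout before MAB is even attempted, so the timeout value is a trade-off between onboarding delay for printers and phones and how long an attacker can keep a port busy with silence.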
DoubleVLANs(DVLAN)passtrafcfromonecustomerdomaintoanotherthroughthe“metrocore”inamulti-tenancyenvironment:customerVLANIDsarepreserved
and a service provider VLAN ID is added to the traffic so the traffic can pass the metro core in a simple, secure manner
PrivateVLANs(withPrimaryVLAN,IsolatedVLAN,
CommunityVLAN,Promiscuousport,Hostport,
Trunks)provideLayer2isolationbetweenportsthat
share the same broadcast domain, allowing a VLAN
broadcast domain to be partitioned into smaller
point-to-multipoint subdomains accross switches in
the same Layer 2 network
• Private VLANs are useful in a DMZ when servers are not supposed to communicate with each other but need to communicate with a router
• They remove the need for more complex port-based VLANs with their respective IP interfaces/subnets and associated L3 routing
• Another typical application of Private VLANs is carrier-class deployments, where users shouldn't see, snoop on or attack other users' traffic
SSL version 3 and TLS ensure Web GUI (HTTPS) sessions are secured; SSLv3 is deprecated (RFC 7568) and should be disabled in favour of TLS wherever the management clients allow it
SecureShell(SSHversion2)andSNMPv3(withorwithoutMD5orSHAauthentication)ensureSNMPandTelnetsessionsaresecured
2048-bit RSA key pairs and the SHA2-256 and SHA2-512 cryptographic hash functions for HTTPS and SSHv2 are supported on all M4250 models
PAGE 10 of 44
AV Line Managed Switches
Datasheet | M4250 series