Manuals / Allied Telesis / Computer Equipment / Switch

Allied Telesis AT-9724TS Port-Based Network Access Control, MAC-Based Network Access Control

Models: AT-9724TS

1 197

Download 197 pages 53.72 Kb

Page 86

Port-Based Network Access Control

AT-9724TS Switch

Uncontrolled Port

Controlled Port - port blocked

802.1X Client	802.1X Client 802.1X Client 802.1X Client	RADIUS
		Server

Figure 6- 73. Example of Typical Port-Based Configuration

Once the connected device has successfully been authenticated, the Port then becomes Authorized, and all subsequent traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become Unauthorized. Hence, if the Port is actually connected to a shared media LAN segment with more than one attached device, successfully authenticating one of the attached devices effectively provides access to the LAN for all devices on the shared segment. Clearly, the security offered in this situation is open to attack.

MAC-Based Network Access Control

Uncontrolled Port

Controlled Port - port blocked

AT-9724TS Switch

RADIUS

Server

802.1X	802.1X	802.1X	802.1X	802.1X	802.1X	802.1X	802.1X	802.1X
Client	Client	Client	Client	Client	Client	Client	Client	Client

Figure 6- 74. Example of Typical MAC-Based Configuration

In order to successfully make use of 802.1X in a shared media LAN segment, it would be necessary to create “logical” Ports, one for each attached device that
required access to the LAN.The Switch would regard the single physical Port connecting it to the shared media segment as consisting of a number of distinct
logical Ports, each logical Port being independently controlled from the point of view of EAPOL exchanges and authorization state.The Switch learns each
attached devices’ individual MAC addresses, and effectively creates a logical Port that the attached device can then use to communicate with the LAN via the
Switch.	85
Allied Telesyn AT-9724TS High-Density Layer 3 Stackable Gigabit Ethernet Switch	85

Image 86

Allied Telesis AT-9724TS specifications Port-Based Network Access Control, MAC-Based Network Access Control, Switch

Contents

AT-9724TS Electrical Safety and Emission Statement Table of Contents RIP 133 How This Guide is Organized PrefacePurpose of This Guide Document Conventions Bold fontEuropean Support Numbers Returning Products FTP Server Regional LocationsTell Us What You Think Ethernet Technology Fast Ethernet Switching TechnologyIntroduction Gigabit Ethernet TechnologySwitch Description FeaturesFront Panel Components Installing the SFP portsPorts RFC1493 BridgeRear Panel Components LED IndicatorsLED Description Side-Panel ComponentsInstalling the Switch without a Rack InstallationPackage Contents Before You Connect to the NetworkInstalling the Switch in a Rack Prepare Switch for installation on a desktop or shelfPower Failure Mounting the Switch in a Standard 19 RackPower On External Redundant Power SystemSwitch to Hub or Switch Connecting the SwitchSwitch To End Node Connecting To Network Backbone or Server Stacking and the AT-9724TSStacking Limitations Utilizing a Ring Topology Stacking in a Ring ArchitectureIntroduction to Switch Management First Time Connecting to the Switch Password Protection Snmp SettingsIP Address Assignment TrapsMIBs Connecting Devices to the Switch Assigning the Switch an IP AddressIntroduction Introduction to Web-based Switch ConfigurationLogin to Web Manager AreaFunction Web-based User InterfaceAreas of the User Interface Web Pages Click the Switch Information link in the Configuration menu Configuring The SwitchSwitch Information Dhcp BootpIP Address Vlan Name Setting the Switchs IP Address using the Console InterfaceAdvanced Settings Specified or Management Station IP Addresses are assignedBox Information To configure switch ports Port ConfigurationLowest priority number in the stack is the Master switch Priority StackSpeed/Duplex Port DescriptionParameter Description State Flow ControlLink Aggregation Understanding Port Trunk Groups To configure a mirror portPort Mirroring 10. Link Aggregation Group Configuration window Add Lacp Port Setting 12. Lacp Port Setting and Lacp Port Information windowSpecified.The default setting is MAC Notification Global SettingsHistory size Setting is 1 second MAC NotificationIgmp Versions 1 MAC Notification Port SettingsIgmp Parameter Description UnitType Meaning Igmp Snooping Vlan IDStatic Router Ports Following parameters can be set Spanning Tree802.1s Mstp VID Vlan IDPort Transition States STP Bridge Global Settings802.1w Rapid Spanning Tree Edge Port21. STP Bridge Global Settings STP compatible MST Configuration Table Msti ID MstiParameter Msti ID of the Cist is 0 and cannot be alteredDisplays the Msti ID previously set by the user Internal cost 0=Auto Msti Port InformationParameter Description Instance ID PriorityInstance Status STP Instance SettingsParameter Description Instance Type Instance PriorityExternal Root Cost Forward DelayParameter Description Designated Root Bridge Regional Root BridgeSTP Port Settings MAC Address Forwarding & Filtering Unicast ForwardingVlan ID VID Multicast MAC Address Static Multicast ForwardingVID Not be a member of the Static Multicast GroupIeee 802.1Q VLANs Some relevant terms VLANs Understanding Ieee 802.1p PriorityVlan Description Filtering 802.1Q Vlan TagsIngress TransmitBits 39.Adding an Ieee 802.1Q TagTagging and Untagging Default VLANsPort Vlan ID Ingress FilteringVlan Segmentation Switch PortsPort-based VLANs Vlan and Trunk GroupsStatic Vlan Entry Protocol Type Header in Hexadecimal FormPage Advertisement Protocol IDGvrp Setting Port Settings Tag None Egress ForbiddenIngress Check Traffic ControlGvrp Acceptable Frame TypeMax. Learning Addr Admin StatePort Security ModeVlan Name MAC Address SwitchPort Lock Entries Be deletedUnderstanding QoS 18 QoSAdvantages of QoS Nolimit Disables the limitBandwidth Control PacketsOutput Scheduling Weight fairQoS Scheduling Mechanism Parameter Description StrictBe specified Configuring the Combination QueueParameter Description Max. Packets 802.1p Default Priority 802.1p User Priority55. Setup Forwarding Ports window Traffic SegmentationSystem Log Server 57. System Log Servers Add Following parameters can be setServer IP Status Choose Enabled or Disabled to activate or deactivateParameter Description Index SeveritySntp Settings Current Time SettingsMinutes +/- Hhmm DST Repeating SettingsTime Zone and DST Enter the month DST will start on, each yearAccess Profile Table Configuring the Access Profile Table 61.Access Profile Table EthernetVlan Dscp Shown below is the Packet Content Mask configuration windowSource IP Mask Destination IP Mask Protocol PortOffset Source IP Access IDReplace Dscp Destination IPPage Source MAC Source Destination MAC Destination71.Access Rule Configuration Packet Content Mask 72.Access Rule Display window Packet Content Mask Priority OffsetSwitch Port-Based Network Access ControlMAC-Based Network Access Control Configure Authenticator 75 .1X Authenticator Settings windowLocal Users Capability PAE System ControlFrom and To Auth PAE State Initializing Ports for Port BasedFrom Backend StateReauthenticate Ports for Port Based Initializing Ports for MAC BasedReauthenticate Ports for MAC Based Radius Server Layer 3 IP Networking Layer 3 Global Advanced Settings Setting Up IP InterfacesTo setup IP Interfaces on the Switch Network Number IP AddressSubnet Mask MD5 Key Table ConfigurationParameter Description Interface Name SecondaryRoute Redistribution Settings Route Source Metric TypeFollowing parameters may be set or viewed Static/Default RouteIP address of the Static/Default Route ParameterDescription Dest Protocol Src Protocol Type MetricRoute Type Validity Range Default Value Route Preference SettingsBackup State IP address above Permanently set on the switch and unconfigurableStatic Parameter Description RIPOspf Intra Ospf InterIP address of the ARP entry Static ARP TableParameter Description IP Address MAC address of the ARP entryRIP Version 1 Message Format RIP Command CodesRIP Configuration RIP 1 MessageSetting Up RIP 102Ospf Cost Link-State AlgorithmShortest Path Algorithm OspfShortest Path Tree 104105 Areas and Border RoutersLink-State Packets Simple Password Authentication Ospf AuthenticationMessage Digest Authentication MD-5 Backbone and AreaBuilding Adjacency AdjacenciesDesignated Router Election Adjacencies on Point-to-Point InterfacesHello Packet On the network Backup Designated Router Interface address on the networkDatabase Description Packet 109Bit Link-State Request PacketField Description Options MS bit111 Link-State Update PacketOctets Version No 112 Link-State Acknowledgment PacketLink-State Advertisement Formats Link State ID ASBR,AS External Link Link State Advertisement HeaderRouter Links Advertisements Link State Checksum Successive Link State Sequence numbersField Description Type Field Description BitArea Link IDSummary Link Advertisements IP Type of Service that this metric refers toNetwork Links Advertisements Field DescriptionField Description Network Mask Type of Service that the following cost is relevant toAutonomous Systems External Link Advertisements Parameter Description Ospf Route ID General Ospf SettingsOspf Area ID Setting Current Route IDParameter Description Area ID Ospf Interface SettingsStub Default Cost Stub Import Summary LSAMetric Type, as specified in the previous parameter Auth TypeAuth. Key ID Router Retransmit Time SecondsOspf Virtual Interface Settings Network Number Ospf Area Aggregation SettingsOspf Host Route Settings Lsdb TypeFollowing fields are configured for Ospf host route Dhcp / Bootp RelayDhcp / Bootp Relay Information Ospf domainDHCP/BootP Relay Settings DNS RelayDNS Relay Static Settings Domain Name ResolutionConfiguring DNS Relay Information Mapping Domain Names to Addresses125 Vrrp ConfigurationNon-owner response Ping Display Vrrp Interface SettingsVrid Vrid Admin. StatePreempt Mode Critical IP AddressVirtual Router State Virtual IP AddressVirtual MAC Address Master IP Address129 Igmp Interface ConfigurationIP Multicast Routing Protocol Dvmrp Interface Settings Dvmrp Interface ConfigurationDvmrp Global Setting 130Neighbor Timeout Interval PIM-DM Interface ConfigurationPIM-DM Configuration Probe IntervalJoin/Prune Interval Previously defined IP interfaceDisplays the IP address for the IP interface named above SecondsUser Accounts Security ManagementSecurity IP 133User Account Management Admin and User PrivilegesManagement Admin User 134135 Access Authentication ControlPolicy & Parameters Login Method List Applications Authentication SettingsAuthentication Server Group Settings Enable Method List137 Retransmit Authentication Server HostsTimeout Login Method Lists 139Enable Method Lists 140Method 1, 2, 3 Local Enable PasswordParameter Description Method List Name Method listParameterDescription Enable AdminLocal Enabled field will result in a fail message 142Parameter Description Certificate Type Secure Socket Layer SSLDownload Certificate Key File Name Cert.derConfiguration 144SSH Algorithm SSH ConfigurationSecure Shell SSH AES192-CBC 3DES-CBCAES128-CBC AES256-CBCHMAC-MD5 SSH User AuthenticationHMAC-SHA1 HMAC-RSAHost Name Auth. ModeParameter Description User Name Host IPSnmp Manager Snmp User TableAuth-Protocol Group NameSnmp Version Priv-ProtocolSnmp View Table 151Subtree OID Snmp Group TableParameter Description View Name 152Snmp Community Table Configuration Snmp Host Table Access RightContents of the MIBs on the Switch Parameter Description Community NameCommunity String or Snmp Engine IDParameter Description Host IP Address Snmp V3 User NameCPU Utilization MonitoringPort Utilization Parameter Description Time Interval157 PacketsReceived RX 158 UMB Cast RX 159Transmitted TX 160Tx Packets Analysis window table for Bytes and Packets 161Errors 162Under Size Crc ErrorRecord Number Over Size164 ExColl Packet SizeLateColl Because the medium was busy SingCollStacking Information Runtime Version Device StatusProm Version A Star topology Version IllustrationsMAC Address 168Address Switch History LogFind Down menus Vlan ID of the Vlan the port is a memberParameter Description Sequence Igmp Snooping GroupIgmp Snooping Forwarding 170Browse Router Port Port Access ControlAuthenticator State Parameter Description Auth PAE State Authenticator StatisticsCapability is disabled 802.1xFollowing fields can be viewed Rx Invalid AuthenticatorRx Error Recognized 173Authenticator Session Statistics Authenticator Diagnostics Radius Authentication Radius Accounting 177178 Layer 3 FeatureBrowse IP Address Browse IP Multicast Forwarding Table Browse Routing TableBrowse ARP Table 179Browse Ospf Lsdb Table Browse Igmp Group TableOspf Monitoring 180Browse Ospf Neighbor Table Ospf Virtual NeighborBrowse Dvmrp Neighbor Address Table Dvmrp MonitoringBrowse Dvmrp Routing Table PIM Neighbor Address Table Browse Dvmrp Routing Next Hop TablePIM Monitoring 183Download Configuration File Switch MaintenanceTftp Service Download FirmwareUpload Log Upload ConfigurationMultiple Image Services Firmware InformationBOX Config Firmware ImageUpdate Time SizeActive Ping TestParameter Description Image Save Changes ResetParameter Description Save Only save config 188Logout Reboot DeviceFollowing menu is used to restart the Switch 189Physical & Environmental Appendix a Technical SpecificationsGeneral EMCPerformance 191Geräte DER Klasse Lightning Danger Electrical Type Class 1 EquipmentGefahr Durch Blitzschlag VorsichtElektrische Toestellen VAN Klasse Fare Under UvejrElektrisk Klasse 1-UDSTYR Pericolo DI Fulmini Métalliques accessibles à l’utilisateurSalamaniskuvaara Elettricità Dispositivi DI ClassePeligro DE Rayos Fare for LynnedslagFare Arbeid Ikke på utstyr eller Kabler i Tordenvær Electrico Equipo DEL Tipo Clase196 Fara FÖR BlixtnedslagElektriskt TYP Klass 1 Utrustning