Manuals / Black Box / Computer Equipment / Network Hardware

Black Box LGB1148A, LGB1126A, Managed Gigabit Switch, LGB1108A manual Configuration, Page

Models: LGB1108A Managed Gigabit Switch LGB1126A LGB1148A

1 220

Download 220 pages 9.43 Kb

Page 53

Chapter 3: Configuration

3.2.3 Access Control List

This section describes how to configure Access Control List rule. An Access Control List (ACL) is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match, the frame is accepted. Other actions can also be invoked when a matching packet is found, including rate limiting, copying matching packets to another port or to the system log, or shutting down a port.

This page shows the Access Control List (ACL), which is made up of the ACEs defined on this switch. Each row describes the ACE that is defined. The maximum number of ACEs is 256 on each switch. Click on the lowest plus sign to add a new ACE to the list. The reserved ACEs used for internal protocol, cannot be edited or deleted, the order sequence cannot be changed an the priority is highest.

Web Interface

To configure Access Control List in the Web interface:

1.Click Configuration, ACL, then Configuration.

2.Click the button to add a new ACL, or use the other ACL modification buttons to specify the editing action (i.e., edit, delete, or moving the relative position of entry in the list).

3.To specific the parameter of the ACE.

4.Click the Save button to save the setting.

5.To cancel a setting, click the Reset button. It will revert to previously saved values.

6.When editing an entry on the Access Control Entry (ACE) Configuration page, note that the Items displayed depend on various selections, such as Frame Type and IP Protocol Type. Then specify the relevant criteria to be matched for this rule, and set the actions to take when a rule is matched (such as Rate Limiter, Port Copy, Logging, and Shutdown).

Figure 3-10. The ACL Rate Limiter Configuration screen.

LGB1108A	724-746-5500 blackbox.com	Page 53
LGB1108A

Image 53

Black Box LGB1148A, LGB1126A, Managed Gigabit Switch, LGB1108A manual Configuration, Page

Contents

Gigabit Managed Switches Managed Gigabit SwitchLGB1108A LGB1126A LGB1148A Customer Support InformationTrademarks Used in this Manual TrademarksPage Page FCC StatementNOM Statement Normas Oficiales Mexicanas Electrical Safety StatementInstrucciones de Seguridad PagePage Table of ContentsTable of Contents Page Chapter 1 Overview3.13 GVRP Chapter 1 OverviewPage 4.6 AAA Chapter 1 OverviewPage Page 1 OverviewChapter 1 Overview Page 1.1 Initial ConfigurationChapter 1 Overview Page The Gigabit Managed Switch supports a simple user management function allowing only one administrator to configure the system at the same time. If there are two or more users using an administrator’s identity, it will only allow the one who logs in first to configure the system. The rest of the users, even with an administrator’s identity, can only monitor the system. Those who have no administrator’s identity can only monitor the system. There is a maximum of three users able to login simultaneously in the Gigabit Managed SwitchChapter 1 Overview Figure 1-2. Accessing the on-line help function Chapter 2 System ConfigurationPage LGB1108APage 1.2 Connecting to PCs, Servers, Hubs, and SwitchesChapter 2 System Configuration Page 1.3 Network Wiring ConnectionsChapter 2 System Configuration 2.1 System Information 2. System ConfigurationChapter 2 System Configuration PagePage Chapter 2 System ConfigurationDevice Name The name of the switch. User-defined Page Chapter 2 System Configuration2.1.2 Configuration Page Chapter 2 System ConfigurationPage 2.2 TimeChapter 2 System Configuration Page Chapter 2 System ConfigurationDaylight Savings Time Set Offset Daylight savings time is used in some countries. If you select this setting, the unit will adjust the time, forward or backward in increments of one hour, between the starting date and the ending date that you select. For example, if you set the daylight savings offset to be 1 hour, when the time reaches the starting time, the system time will be increased one hour. And when the time reaches the ending time, the system time will be decreased one hour Page 2.3 AccountChapter 2 System Configuration Page Chapter 2 System Configuration2.3.2 Privilege Levels Chapter 2 System ConfigurationPage Parameter Description Group Name Chapter 2 System ConfigurationPage Page 2.4 IP Internet ProtocolChapter 2 System Configuration Page Chapter 2 System ConfigurationPage Chapter 2 System ConfigurationPage 2.5 SyslogChapter 2 System Configuration 2.5.2 Log Chapter 2 System ConfigurationPage Page Chapter 2 System ConfigurationPage 2.6 SNMPChapter 2 System Configuration Page Chapter 2 System ConfigurationPage Chapter 2 System ConfigurationNone No privacy protocol Chapter 2 System ConfigurationPage Page Chapter 2 System ConfigurationPage Chapter 2 System ConfigurationPage Chapter 3 Configuration2.6.7 Trap Chapter 3 ConfigurationPage Page Chapter 3 Configuration3.1 Port 3. ConfigurationChapter 3 Configuration PagePage Chapter 3 ConfigurationPage Chapter 3 Configuration3.1.3 Traffic Overview Chapter 3 ConfigurationPage Page Chapter 3 ConfigurationReceive Queue Counters Chapter 3 ConfigurationPage Page Chapter 3 Configuration3.1.6 SFP Information Chapter 3 ConfigurationPage 3.1.7 EEE Chapter 3 ConfigurationPage Page Chapter 3 ConfigurationPage 3.2 ACLChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationThis section describes how to configure Access Control List rule. An Access Control List ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match, the frame is accepted. Other actions can also be invoked when a matching packet is found, including rate limiting, copying matching packets to another port or to the system log, or shutting down a port Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.3 AggregationChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.4 Spanning TreeChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.5 IGMP SnoopingChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationType Indicates the Type. It can be either Allow or Deny Chapter 3 ConfigurationPage Page 3.6 MLD SnoopingChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.7 MVRChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.8 LLDPChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationFigure 3-44. The LLDP-MED Configuration screen Parameter Description Coordinates Location Chapter 3 ConfigurationPage Apartment Unit Apartment, suite - Example Apt Floor Floor - Example Chapter 3 ConfigurationPage Application Type Intended use of the application types Chapter 3 ConfigurationPage Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationLLDP-MED Generic Endpoint Class I The LLDP-MED Generic Endpoint Class I definition is applicable to all endpoint products that require the base LLDP discovery services defined in TIA-1057, however do not support IP media or act as an end-user communication appliance. Such devices may include but are not limited to IP Communication Controllers, other communication related servers, or any device requiring basic services as defined in TIA-1057 Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.9 Filtering Data BaseChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 Configuration33-33-FF-A8-01-01 your switch MAC address for IPv6 global IP 00-40-C7-73-01-29 your switch MAC address for IPv4NOTE the following MAC addresses FF-FF-FF-FF-FF-FF for BroadcastPage 3.10 VLANChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationChapter 3 Configuration NOTE The port must be a member of the same VLAN as the Port VLAN IDPage Table 3-1 Port TypesPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage NOTE Special character and underscore are not allowedChapter 3 Configuration Page Chapter 3 ConfigurationPage 3.11 Voice VLANChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.12 GARPChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.13 GVRPChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.14 QoSChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationClick the Port Index to set the QoS Egress Port Schedulers Chapter 3 ConfigurationPage Page Chapter 3 ConfigurationClick the Port Index to set the QoS Egress Port Shapers Chapter 3 ConfigurationPage Page Chapter 3 ConfigurationClick the Port Index to set the QoS Port Tag Remarking Chapter 3 ConfigurationPage Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage Chapter 3 ConfigurationAny All types of Destination MAC addresses are allowed Chapter 3 ConfigurationPage Page Chapter 3 Configuration5. IPv4 A valid protocol IP may range from 0-255 TCP or UDP or ’Any’. A specific Source IP address in the value/mask format or ’Any’. The IP and Mask are in the format x.y.z.w where x, y, z, and w are decimal numbers between 0 and 255. When the Mask is converted to a 32-bit binary string and read from left to right, all bits following the first zero must also be zero Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.15 Thermal ProtectionChapter 3 Configuration Page Chapter 3 ConfigurationNOTE The temperature means the MAC and PHY chipset’s TA temperature, not the PSU device or environment temperature. Do not set environment temperature limitation value Page 3.16 sFlow AgentChapter 3 Configuration Page Chapter 3 ConfigurationPage Chapter 3 ConfigurationPage 3.17 Loop ProtectionChapter 3 Configuration Page Chapter 3 ConfigurationPage 3.18 Single IPChapter 3 Configuration Page Chapter 3 ConfigurationPage 3.19 Easy PortChapter 3 Configuration Page Chapter 3 ConfigurationPage 3.20 MirroringChapter 3 Configuration Page 3.21 Trap Event SeverityChapter 3 Configuration Page 3.22 SMTP ConfigurationChapter 3 Configuration Page 3.23 UPnPChapter 3 Configuration 4. Security Chapter 4 Security4.1. IP Source Guard PagePage Chapter 4 SecurityPage Chapter 4 SecurityPage 4.2 ARP InspectionChapter 4 Security Page Chapter 4 SecurityPage Chapter 4 SecurityPage 4.3 DHCP SnoopingChapter 4 Security Page Chapter 4 SecurityPage 4.4 DHCP RelayChapter 4 Security Page Chapter 4 SecurityPage Chapter 4 SecurityPage 4.5 NASChapter 4 Security Page When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within a given period of time. This parameter controls exactly this period and can be set to a number between 10 and 1,000,000 secondsChapter 4 Security Page Chapter 4 SecurityPage Multi 802.1X In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port for instance through a hub to piggyback on the successfully authenticated client and get network access even though they really arent authenticated. To overcome this security breach, use the Multi 802.1X variantChapter 4 Security Page RADIUS-Assigned QoS Enabled When RADIUS-Assigned QoS is both globally enabled and enabled checked on a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicants port will be classified to the given QoS Class. If re-authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or its invalid, or the supplicant is otherwise no longer present on the port, the ports QoS Class is immediately reverted to the original QoS Class which may be changed by the administrator in the meanwhile without affecting the RADIUS assignedChapter 4 Security Value of Tunnel-Type must be set to VLAN ordinal Chapter 4 SecurityPage Page Chapter 4 SecurityPage Chapter 4 SecurityPage Chapter 4 SecurityPage 4.6 AAAChapter 4 Security Figure 4-17. The RADIUS Accounting Configuration screen Figure 4-16. The RADIUS Authentication Configuration screenFigure 4-18. The TACACS+ Authentication Configuration screen Chapter 4 SecurityPage Chapter 4 SecurityPage Chapter 4 SecurityPage Chapter 4 SecurityPage 4.7 Port SecurityChapter 4 Security Page Port ConfigurationChapter 4 Security Page Chapter 4 SecurityPage Chapter 4 SecurityPage This section shows the MAC addresses secured by the Port Security module. Port Security is a module with no direct configuration. Configuration comes indirectly from other modules, including the user modules. When a user module has enabled port security on a port, the port is set up for software-based learning. In this mode, frames from unknown MAC addresses are passed on to the port security module, which in turn asks all user modules whether to allow this new MAC address to forward or block it. For a MAC address to be set in the forwarding state, all enabled user modules must unanimously agree on allowing the MAC address to forward. If only one chooses to block it, it will be blocked until that user module decides otherwiseChapter 4 Security Page 4.8 Access ManagementChapter 4 Security Page Chapter 4 SecurityPage 4.9 SSHChapter 4 Security Page 4.10 HTTPSChapter 4 Security Page 4.11 Authentication MethodChapter 4 Security 5. Maintenance Chapter 5 Maintenance5.1 Restart Device PagePage 5.2 FirmwareChapter 5 Maintenance 5.2.2 Firmware Selection Chapter 5 MaintenancePage Page 5.3 Save / RestoreChapter 5 Maintenance 5.3.2 Save Start Chapter 5 MaintenancePage Page Chapter 5 MaintenancePage 5.4 Export / ImportChapter 5 Maintenance Page Chapter 5 MaintenancePage 5.5 DiagnosticsChapter 5 Maintenance Page Chapter 5 MaintenancePage Chapter 5 MaintenancePage AppendixAppendix Glossary of Web-Based Management Terms CDP CDP is an acronym for Cisco Discovery Protocol AppendixPage Page DSCP DSCP is an acronym for Differentiated Services Code Point. It is a field in the header of IP packets for packet classification purposesAppendix IPMC IPMC is an acronym for IP MultiCast AppendixPage Page MEP MEP is an acronym for Maintenance Entity Endpoint and is an endpoint in a Maintenance Entity Group ITU-T Y.1731Appendix Policer A policer can limit the bandwidth of received frames. It is located in front of the ingress queue AppendixPage Page SNAP The SubNetwork Access Protocol SNAP is a mechanism for multiplexing, on networks using IEEE 802.2 LLC, more protocols than can be distinguished by the 8-bit 802.2 Service Access Point SAP fields. SNAP supports identifying protocols by Ethernet type field values it also supports vendor-private protocol identifierAppendix Page UDP provides two services not provided by the IP layer. It provides port numbers to help distinguish different user requests and, optionally, a checksum capability to verify that the data arrived intact. Common network applications that use UDP include the Domain Name System DNS, streaming media applications such as IPTV, Voice over IP VoIP, and Trivial File Transfer Protocol TFTPAppendix About Black Box Black Box Tech Support FREE! Live. 24/7Tech support the way it should be