Guest Vlan Configuration | D-Link DGS-3700 manual

DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual

Guest VLAN Configuration

On 802.1X security enabled networks, there is a need for non 802.1X supported devices to gain limited access to the network, due to lack of the proper 802.1X software or incompatible devices, such as computers running Windows 98 or lower operating systems, or the need for guests to gain access to the network without full authorization. To supplement these circumstances, this switch now implements 802.1X Guest VLANs. These VLANs should have limited access rights and features separate from other VLANs on the network.

To implement 802.1X Guest VLANs, the user must first
create a VLAN on the network with limited rights and then
enable it as an 802.1X guest VLAN. Then the
administrator must configure the guest accounts
accessing the Switch to be placed in a Guest VLAN when
trying to access the Switch. Upon initial entry to the
Switch, the client wishing services on the Switch will need
to be authenticated by a remote RADIUS Server or local
authentication on the Switch to be placed in a fully
operational VLAN. If authenticated and the authenticator
posseses the VLAN placement information, that client will
be accepted into the fully operational target VLAN and
normal switch functions will be open to the client. If the
authenticator does not have target VLAN placement
information, the client will be returned to its originating
VLAN. Yet, if the client is denied authentication by the	Figure 5 - 28 Guest VLAN Authentication Process
authenticator, it will be placed in the Guest VLAN where it
has limited rights and access. The adjacent figure should
give the user a better understanding of the Guest VLAN
process.

Limitations Using the Guest VLAN

1.Guest VLANs are only supported for port-based VLANs. MAC-based VLANs cannot undergo this procedure.

2.Ports supporting Guest VLANs cannot be GVRP enabled and vice versa.

3.A port cannot be a member of a Guest VLAN and a static VLAN simultaneously.

4.Once a client has been accepted into the target VLAN, it can no longer access the Guest VLAN.

164

Image 175

D-Link DGS-3700 user manual Guest Vlan Configuration, Limitations Using the Guest Vlan

Contents

Copyright 2009. All rights reserved Page Table of Contents DDM L2 Features QoS Security ACL Save Services and Tools 258 Preface Typographical Conventions Intended Readers Introduction Login to Web Manager Areas of the User Interface Web-based User Interface Area Web PagesArea Function Page Configuration System Information Device Information Auto Logout Serial Port SettingsFields that can be configured are described below Parameter Description Baud Rate IP Address IP Address Settings window Dhcp Bootp Setting the Swith’s IP Address using the Console Interface Interface Settings IPv6 State Parameter Description Interface NameIPv6 Network Address IPv6 Neighbor Settings IPv6 Route SettingsAutomatic Link Local Address Address Link Layer MAC Port ConfigurationPort Settings Neighbor IPv6 Port Description Port Error Disabled Static ARP Settings User Accounts Management Admin Operator User Admin, Operator and User PrivilegesNew Password Password User Account Management Admin, Operator and User Privileges System Log Settings System Log ConfigurationSystem Log Server 514 or Severity Parameter Description Server IDServer IP Address UDP Port Parameter Description System Severity System Severity SettingsSeverity Level Dhcp Relay Dhcp Relay Global Settings Policy Dhcp Relay AgentInformation Option Check Circuit ID sub-option format Implementation of Dhcp Information Option 82 on the SwitchRemote ID sub-option format Mode Dhcp Relay Interface SettingsDhcp Relay Option 60 Default Settings Parameter Description Relay IP Address Dhcp Relay Option 61 Default Settings Dhcp Relay Option 60 Settings Relay Rule Out of Band Management SettingsDhcp Relay Option 61 Settings Parameter Description Client ID Link Status External Alarm SettingsDhcp Auto Configuration Settings Parameter Description IP Address Telnet Settings Web SettingsMAC Address Aging Time Parameter Description Password EncryptionClipaging Settings Firmware Information Size Bytes Dual Configuration SettingsUpdate Time Version Ping Test Size Local Loopback Ports SettingsTimeout IPv6 Ping Test Vlan Counter Settings Time Settings Sntp Settings Hhmm TimeZone Settings MAC Notification Global Settings MAC Notification Settings ParameterDescription MAC Notification Port Settings Traps Snmp SettingsMIBs Subtree OID Snmp Global State SettingsSnmp View Table Parameter Description View Name Snmp Group Table Snmp User Table Parameter Description Community Name Snmp Community Table Snmp v6Host Table Snmp Host Table Name Snmp Engine IDCommunity String/SNMPv3 User Hours Time Range SettingsSnmp Trap Configuration Parameter Description Range Name ParameterDescription Analyzer Server ID SFlow Global State SettingsSFlow Analyzer Server Settings SFlow SFlow Flow Sampler Settings Following parameters can be configured SFlow Counter Poller Settings Single IP Management Upgrade to Single IP Settings Topology Local Port Parameter Description Device NameRemote Port Speed Icon Description 62 Topology view 63 Device Information Utilizing the Tool Tip Tool Tips Group Icon Right-Click Member Switch Icon Commander Switch IconCandidate Switch Icon Menu Bar Configuration File Backup/Restore Firmware Upgrade Upload Log File DDM SettingsBrowse DDM Status List DDM Temperature Threshold Settings DDM Bias Current Threshold Settings DDM Voltage Threshold Settings DDM Rx Power Threshold Settings DDM Tx Power Threshold Settings Parameter Description From Port / To Port Jumbo Frame window Jumbo Frame Understanding Ieee 802.1p Priority VLANsVlan Description Ieee 802.1Q Packet Forwarding Ieee 802.1Q VLANs Ieee 802.1Q Tag 802.1Q Vlan Tags Tagging and Untagging Port Vlan IDIngress Filtering VID Default VLANsPort-based VLANs Vlan Segmentation Spvlan Tpid + Double VLANsVlan and Trunk Groups Destination Source Double Vlan Example Regulations for Double VLANs Current 802.1Q Static VLANs Entries window 802.1Q Vlan 802.1Q Vlan window Add/Edit Vlan Tab Untagged Port SettingsAdvertisement Tagged 10 802.1Q Vlan window Vlan Batch Settings window Vlan ID Subnet Vlan SettingsVlan Precedence Settings Subnet Vlan In-Q In-Q SettingsVlan Precedence Vlan Translation Settings For ingress untagged packets at UNI ports In-Q and Vlan Translation RulesFor ingress tagged packets at UNI ports 802.1v Protocol Vlan 802.1v Protocol Group Settings Search Port List 802.1v Protocol Vlan Settings802.1p Priority Check the Select All Ports box Gvrp Settings Rspan Settings Gvrp Gvrp Global SettingsPvid NNI Bpdu MAC-based Vlan SettingsPvid Auto Assign Settings Leave All Time Understanding Port Trunk Groups Port Trunking Member Ports Parameter Description AlgorithmMaster Port Active Port Activity Lacp Port Settings Forward Portlist Traffic Segmentation 27 Bpdu Tunneling window Bpdu Tunneling Settings Querier IP Igmp Snooping SettingsIgmp Snooping Rate Limit 255 Time Query IntervalMax Response Robustness Value Igmp Snooping Static Group Settings Igmp Snooping Rate Limit Settings Igmp Snooping Multicast Vlan Settings Igmp Multicast Group Profile SettingsFollowing fields can be set IPv4 Multicast Profile Settings IPv4 Max Multicast Group Settings IPv4 Limited Multicast Range Settings MLD Snooping MLD Snooping SettingsMLD Control Messages 25 sec Query Expiry TimeQuery Interval 1-65535 sec Max Response Time 43 MLD Snooping Router IP Settings Modify window MLD Snooping Rate Limit Settings MLD Multicast Group Profile Settings MLD Snooping Static Group SettingsIPv6 Address 1,6 Source Port MLD Snooping Multicast Vlan Settings1,6 Tagged Member Port e.g.1-4,6 IPv6 Multicast Profile Settings IPv6 Max Multicast Group Settings IPv6 Limited Multicast Range Settings 55 Port Mirror window Port Mirror Trap Status Loopback Detection SettingsRecover Time Parameter Description LBD State Edge Port Spanning Tree802.1w Rapid Spanning Tree Port Transition States 802.1D and 802.1w Compatibility P2P Port STP Bridge Global Settings NNI Bpdu Address Max Hops External Cost 0=Auto STP Port Settings P2P MST Configuration Identification Msti ID STP Instance SettingsParameter Description Configuration Name Revision Level 200000000 Mstp Port InformationInstance ID Internal Path cost Unicast Forwarding Forwarding & FilteringMulticast Forwarding Multicast MAC Multicast Filtering Mode Lldp Global Settings Notification Lldp Port SettingsAdmin Status Parameter Description From Port /To Port Lldp Management Address List Lldp Basic TLVs SettingsParameter Description Address Vlan Lldp Dot1 TLVs Settings Lldp Statistics System Lldp Dot3 TLVs SettingsMAC/PHY 72 Lldp Statistics System window Lldp Local Port Information Lldp Remote Port Information CFM Port Settings CFM MPs Reply LTRs CFM CCM PDUs Forwarding ModeCFM Mipccm List Parameter Description CFM State Connectivity Fault Management SettingsConnectivity Fault Management CreateMD Connectivity Fault Management SettingsMD LBM CFM Loopback SettingsMIP MEP CFM Linktrace Settings Received Remote Ethernet OAM SettingsEthernet OAM Remote Loopback Ethernet OAM Configuration Settings Advantages of QoS QoS Understanding QoS Mapping QoS on the SwitchPage Bandwidth Control HOL Blocking PeventionNo Limit Traffic Control window Traffic Control Time Interval Traffic Trap Setting Traffice TrapSettings Count Down 802.1p Default Priority window 802.1p Default Priority QoS Scheduling Mechanism 802.1p User Priority Scheduling QoS SchedulingMechanism Class ID Band Manage Settings Band Manage Settings Sred Settings Click Apply to implement changes 141 Dscp Map Settings Dscp Trust SettingsSred Drop Counter Dscp List0-63 Dscp Map Priority List0-7 802.1p Map SettingsColor Security Safeguard Engine Safeguard Engine window Trusted Host IMP Binding Global SettingsIP-MAC-Port Binding Parameter ACL Mode Trap / Log Dhcp Snoop State IMP Binding Port Settings Max Entry Allow Zero IPForward Dhcp Packet Ports IMP Binding Entry Settings MAC Block List Port Security Port SettingsPort Security Dhcp Snooping Entries Max. Learning Port Security Vlan SettingsAdmin State Lock Address Max Learning Dhcp Server Screening SettingsPort Security Entries Vlan ID e.g.1,4-6 Dhcp Offer Filtering Dhcp Screening Port SettingsParameterDescription Server IP Address Client’s MAC Address 802.1X Port-Based and Host-Based Access ControlAuthentication Server 802.1X 16 The Authentication Server Authenticator Client Authentication Process 20 Example of Typical Port-Based Configuration Port-Based Network Access Control 21 Example of Typical Host-Based Configuration Host-Based Network Access Control 802.1X Port Settings 802.1X Global SettingsPDU QuietPeriod SuppTimeoutServerTimeout ReAuthentication 802.1X User Authentication Radius Server Initialize Ports Reauthenticate PortsConfirm Key Limitations Using the Guest Vlan Guest Vlan Configuration Guest Vlan SSL Settings Ciphersuite Download Certificate EDE CBC SHA CBC SHA SSH Settings SSH Authmode and Algorithm Settings HMAC-RSA SSH User Authentication ListsHMAC-SHA1 HMAC-MD5 Host Name Access Authentication ControlPage Application Authentication Settings Authentication Policy Settings 37 Authentication Server Group Settings window Authentication Server Group 38 Authentication Server Group Settings Edit window Authentication Server Login Method Lists ParameterDescription Method List Name Enable Method ListsPriority 1, 2, 3 41 Enable Method List window Local Enable Password Settings 42 Local Enable Password window Radius Accounting Settings MAC-based Access Control Settings MAC-based Access Control Guest Vlan ID Parameter Description Settings MBA Global StateMethod Guest Vlan Name Hold Time MAC-based Access Control Local Settings Web Authentication Conditions and Limitations Web-based Access Control SettingsParameterDescription State Redirection Web-based Access Control User SettingsLogout Timer 1440 Authentication NetBIOS Filtering Settings NetBIOS FilteringConfirmation Access ID ACL Configuration WizardParameterDescription Type Option Access Profile ListApply To Add Access Profile Ethernet Mask Select ACL Type Parameter Description Ethernet ACLSource MAC Mask Destination MAC Ethernet Type Access Profile List Ethernet Replace Dscp Parameter Description Access IDVlan Mask Replace Priority Counter PrecedenceTime Range Rx Rate Icmp Type DscpSource IP Mask Destination IP Mask 11 Access Profile List IPv4 12 Access Profile Details IPv4 Time Range Name Icmp IPv6 UDP Parameter Description IPv6 ClassIPv6 Flow Label IPv6 TCP 17 Access Profile List IPv6 Flow Label Class 20 Access Rule List IPv6 Parameter Description Chunk 22 Add Packet Content ACL Profile 23 Access Profile List Packet Content 25 Access Profile Packet Content CPU Interface Filtering 26 Access Rule List Packet Content 28 CPU Access Profile List window CPU Access Profile List Mask Destination MAC Source MACMask 802.1Q Vlan IPv4 Dscp Parameter Description Select Profile ID 209 33 Add CPU ACL Profile window for IPv6 Select ACL Parameter Description Select ProfileOffset 37 CPU Access Rule List window for Ethernet 39 CPU Access Rule Detail Information window for Ethernet 40 CPU Access Rule List window for IP 42 CPU Access Rule Detail Information window for IP 45 CPU Access Rule Detail Information window for IPv6 ACL Flow Meter ACL Finder 50 ACL Flow Meter window Mode Device Status Cable Diagnostic Show/Hide CPU UtilizationParameter Description Time Interval Record Number Packet Size Port Utilization Packet Size window Packets Memory UtilizationReceived RX Received RX window for Bytes and Packets UMBcast RX Transmitted TX 12 Transmitted TX window for Bytes and Packets Bytes 14 Received RX window for errors Errors OverSize CRCErrorSymbol UnderSize ExDefer 16 Transmitted TX window for errors Radius Authentication Port Access Control Radius Account Client Responses ServerAddressRequests Retransmissions Backend State Authenticator StateParameter Description MAC Address Auth PAE State 22 Authenticator Statistics window for MAC-based Authenticator Statistics Authenticator Session Statistics Authenticator Diagnostics Auth Enter Auth TimeoutConnect Enter Connect LogOff Browse ARP Table 27 Browse ARP Table window Browse Vlan Browse Igmp Router Port Show Vlan PortsIgmp Snooping Group Browse Igmp Snooping Counter Igmp Snooping Forwarding Table MLD Snooping Group Browse MLD Router Port 35 MLD Snooping Group window MLD Snooping Forwarding Table Browse MLD Snooping Counter Browse Session TableCFM Packet Counter List CFM Packet Counter CCM List Browse CFM Fault MEPBrowse CFM Port MP List Browse Vlan Counter Statistics MAC Address TableFunctions used in the MAC address table are described below Browse Ethernet OAM Statistics Browse Ethernet OAM Event Log 46 Browse Ethernet OAM Statistics window Minutes/1 Day Packet/ErrorHistorical Counter & Utilization Browse Historical Counter Browse Historical Utilization System Log Date-Time Parameter Description Log TypeLog Text Save Configuration ID 1 window Save Configuration ID Save All Save Log Reset Configuration File Backup & RestoreUpload Log File Download Firmware Reboot System ARP FCS ARP Forwarding Table Ethernet frame format Port2 00-20-5C-01-22-22 Destination address Source address Ether-type How ARP spoofing attacks a network Ethernet Gratuitous ARP Example topology Prevent ARP spoofing via packet content ACL Offset Chunk Ethernet 266 Category Event Description Log Information Severity System Log Entries SSL AAA Page Page Page IP-MAC DOS DDM Proprietary Trap List DGS-3700 Series Trap ListTrap Name/OID Variable Bind Format MIB Name Severity Equipment Glossary Page Command Parameters Password Recovery Procedure Command Parameters