Detailed instructions for use are in the User's Guide.
[. . . ] DWS-1008 User's Manual
Table of Contents
Product Contents
System Requirements
Introduction
Hardware Overview
Features
Installation Overview
Getting Started
Installation
Configuration
CLI Quickstart Command
Accessing the CLI
Configuration Overview
Configuring for Authenticating Users
Configuring APs for Wireless Users
Configuring a Service Profile
Configuring AAA For Administrative and Local Access
Overview of AAA Access
Types of Administrative Access
First-Time Configuration via the Console
Customizing AAA with Globs and Groups
Configuring and Managing Ports and VLANs
Setting the Port Type
Displaying Port Statistics
Configuring and Managing VLANs
Managing the Layer 2 Forwarding Database
Configuring the Aging Timeout Period
Port and VLAN Configuration Scenario
Configuring and Managing IP Interfaces and Services
MTU Support
Configuring and Managing IP Interfaces
Configuring and Managing IP Routes
Managing the Management Services
Managing SSH
Managing Telnet
Configuring and Managing DNS
Configuring and Managing Aliases
Configuring and Managing Time Parameters
Configuring and Managing NTP
Managing the ARP Table
D-Link Systems, Inc.
Logging In to a Remote Device
Tracing a Route
IP Interfaces and Services Configuration Scenario
Configuring SNMP
Enabling SNMP Versions
Setting SNMP Security
Configuring a Notification Profile
Configuring a Notification Target
Enabling the SNMP Service
Displaying SNMP Information
Configuring DWL-8220AP Access Points
Overview
Service Profiles
Radio Profiles
Configuring Access Points
Specifying the Country of Operation
Configuring AP Port Parameters
Configuring Security
Configuring a Service Profile
Configuring Radio-Specific Parameters
Assigning a Radio Profile and Enabling Radios
Disabling or Reenabling Radios
Displaying AP Configuration Information
Configuring User Encryption
Configuring WPA
Configuring RSN
Configuring WEP
Encryption Configuration Scenarios
Configuring RF Auto-Tuning
RF AutoTuning Overview
Changing RF AutoTuning Settings
Displaying RF AutoTuning Settings
Wi-Fi Multimedia
How WMM Works in MSS
Disabling or Reenabling WMM
Displaying WMM Information
Configuring and Managing Spanning Tree Protocol
Enabling the Spanning Tree Protocol
Changing Standard Spanning Tree Parameters
Configuring and Managing STP Fast Convergence Features
Displaying Spanning Tree Information
Spanning Tree Configuration Scenario
Configuring and Managing IGMP Snooping
Disabling or Reenabling IGMP Snooping
Disabling or Reenabling Proxy Reporting
Enabling the Pseudo-Querier
Changing IGMP Timers
Enabling Router Solicitation
Configuring Static Multicast Ports
Displaying Multicast Information
Configuring and Managing Security ACLs
About Security Access Control Lists
Creating and Committing a Security ACL
Mapping Security ACLs
Modifying a Security ACL
Using ACLs to Change CoS
Enabling Prioritization for Legacy Voice over IP
Security ACL Configuration Scenario
Managing Keys and Certificates
Why Use Keys and Certificates?
About Keys and Certificates
Creating Keys and Certificates
Displaying Certificate and Key Information
Key and Certificate Configuration Scenarios
Configuring AAA for Network Users
About AAA for Network Users
AAA Tools for Network Users
Configuring 802.1X Authentication
Configuring Authentication and Authorization by MAC Address
Configuring Last-Resort Access
Configuring AAA for Users of Third-Party APs
Assigning Authorization Attributes
Overriding or Adding Attributes Locally with a Location Policy
Configuring Accounting for Wireless Network Users
Displaying the AAA Configuration
Avoiding AAA Problems in Configuration Order
Configuring a Mobility Profile
Network User Configuration Scenarios
Configuring Communication with RADIUS
RADIUS Overview
Before You Begin
Configuring RADIUS Servers
Configuring RADIUS Server Groups
RADIUS and Server Group Configuration Scenario
Managing 802.1X
Managing 802.1X on Wired Authentication Ports
Managing 802.1X Encryption Keys
Managing 802.1X Client Reauthentication
Managing Other Timers
Displaying 802.1X Information
Managing Sessions
About the Session Manager
Displaying and Clearing Administrative Sessions
Displaying and Clearing Network Sessions
Rogue Detection and Countermeasures
About Rogues and RF Detection
Summary of Rogue Detection Features
Configuring Rogue Detection Lists
Enabling Countermeasures
Disabling or Reenabling Active Scan
Enabling AP Signatures
Disabling or Reenabling Logging of Rogues
Enabling Rogue and Countermeasures Notifications
IDS and DoS Alerts
Displaying RF Detection Information
Managing System Files
About System Files
Working with Files
Managing Configuration Files
Backing Up and Restoring the System
Appendix A - Troubleshooting
Fixing Common Setup Problems
Recovering the System Password
Configuring and Managing the System Log
Running Traces
Using Show Commands
Remotely Monitoring Traffic
Capturing System Information for Technical Support
Appendix B - Supported RADIUS Attributes
Supported Standard and Extended Attributes
Appendix C - DHCP Server
How the MSS DHCP Server Works
Configuring the DHCP Server
Displaying DHCP Server Information
Appendix D - Glossary
Appendix E - Technical Specifications
Appendix F - Warranty
Appendix G - Registration
Product Contents
DWS-1008 8-Port Wireless Switch
Power Supply
Serial Cable for Connection to Console
Rack-Mount Brackets (2)
Rubber Feet (4)
Screws (6)
Install Guide
Manual and Reference Guide on CD
System Requirements
An existing 10/100 Ethernet network
DWL-8220AP Access Point(s)
Warning: Installation must be performed by qualified service personnel only. Please follow all warning notices and instructions marked on the product or included in the documentation. The manufacturer is not responsible for any radio or TV interference caused by unauthorized modifications to this equipment.

[. . . ]

    permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits

You can also view a specific security ACL. For example, to view acl-2, type the following command:

    DWS-1008# show security acl info acl-2
    ACL information for acl-2
    set security acl ip acl-2 (hits #1 0)
    ---------------------------------------------------
    1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
Configuring and Managing Security ACLs
Displaying Security ACL Hits
Once you map an ACL, you can view the number of packets it has filtered, if you included the keyword hits. Type the following command:

    DWS-1008# show security acl hits
    ACL hit-counters
    Index Counter ACL-name
    ------------------------------------------
    1     0       acl-2
    2     0       acl-999
    5     916     acl-123

To sample the number of hits the security ACLs generate, you must specify the number of seconds between samples. For example, to sample the hits generated every 180 seconds, type the following commands:

    DWS-1008# hit-sample-rate 180
    DWS-1008# show security acl hits
    ACL hit-counters
    Index Counter ACL-name
    ------------------------------------------
    1     31986   acl-red
    2     0       acl-green
Clearing Security ACLs
The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must also use the commit security acl command.

For example, the following command deletes acl-99 from the edit buffer:

    DWS-1008# clear security acl acl-99

To clear acl-99 from the configuration, type the following command:

    DWS-1008# commit security acl acl-99
    success: change accepted
Mapping Security ACLs
User-based security ACLs are mapped to an IEEE 802.1X authenticated session during the AAA process. You can specify that one of the authorization attributes returned during authentication is a named security ACL. The switch maps the named ACL automatically to the user's authenticated session. Security ACLs can also be mapped statically to ports, VLANs, virtual ports, or Distributed APs. User-based ACLs are processed before these ACLs, because they are more specific and closer to the network edge.
Mapping User-Based Security ACLs
When you configure administrator or user authentication, you can set a Filter-Id authorization attribute at the RADIUS server or at the switch's local database. The Filter-Id attribute is a security ACL name with the direction of the packets appended--for example, acl-name.in or acl-name.out. The security ACL mapped by Filter-Id instructs the switch to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user.

Note: The Filter-Id attribute is more often received by the DWS-1008 switch through an external AAA RADIUS server than applied through the local database.

For example, to filter packets coming from 192.168.253.1 and going to 192.168.253.12, type the following command:

    DWS-1008# set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0 192.168.253.12 0.0.0.0 hits

2. For example, to commit acl-222, type the following command:

    DWS-1008# commit security acl acl-222
    success: change accepted.

Apply the Filter-Id authentication attribute to a user's session via an external RADIUS server.

Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the DWS-1008 switch, the user fails authorization and cannot be authenticated.

Alternatively, authenticate the user with the Filter-Id attribute in the switch's local database. Specify .in for incoming packets or .out for outgoing packets.
Mapping Target                         Commands
User authenticated                     set user username attr filter-id acl-name.out
User authenticated by a MAC address    set mac-user username attr filter-id acl-name.in
                                       set mac-user username attr filter-id acl-name.out

When assigned the Filter-Id attribute, an authenticated user with a current session receives packets based on the security ACL. [. . . ]
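Because a Filter-Id that does not name a committed security ACL makes the user fail authorization, the values held on the RADIUS server can be checked against the switch's ACL list ahead of time. The following is an added example, not code from this manual or from D-Link; the user names, the Filter-Id values and the abridged switch capture are constructed, and exact, case-sensitive name matching is an assumption.

```python
import re

# Each ACL in "show security acl info" output starts with a header line
# such as "set security acl ip acl-2 (hits #1 0)".
ACL_HEADER = re.compile(r"^set security acl ip (\S+)", re.MULTILINE)
# A Filter-Id is an ACL name with the packet direction appended.
FILTER_ID = re.compile(r"^(?P<acl>.+)\.(?P<direction>in|out)$")

# Constructed, abridged capture in the format shown on this page.
SHOW_ACL_INFO = """\
ACL information for all
set security acl ip acl-2 (hits #1 0)
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
set security acl ip acl-222 (hits #2 0)
1. permit IP source IP 192.168.253.1 0.0.0.0 destination IP 192.168.253.12 0.0.0.0 enable-hits
"""

# Constructed Filter-Id values, as exported from a RADIUS user store.
RADIUS_FILTER_IDS = {
    "alice": "acl-222.in",    # resolves to a listed ACL
    "bob": "acl-222",         # direction suffix missing
    "carol": "acl-999.out",   # ACL not present on the switch
    "dave": "acl-2.out ",     # trailing space breaks an exact match
}

def committed_acls(show_output):
    """Return the ACL names listed in the captured switch output."""
    return set(ACL_HEADER.findall(show_output))

def audit_filter_ids(filter_ids, acl_names):
    """Classify each Filter-Id; anything but 'ok' does not name a listed ACL exactly."""
    result = {}
    for user, value in filter_ids.items():
        match = FILTER_ID.match(value)
        if value != value.strip():
            result[user] = "whitespace"
        elif match is None:
            result[user] = "no-direction"
        elif match.group("acl") not in acl_names:
            result[user] = "unknown-acl"
        else:
            result[user] = "ok"
    return result

if __name__ == "__main__":
    acls = committed_acls(SHOW_ACL_INFO)
    for user, status in audit_filter_ids(RADIUS_FILTER_IDS, acls).items():
        print(f"{user:6} {RADIUS_FILTER_IDS[user]!r:14} {status}")
```

Run it against a fresh capture after every ACL rename or clear-and-commit, since removing a committed ACL leaves any Filter-Id that still references it unresolved.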
Appendix F - Warranty
D-Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package. The product owner agrees to pay D-Link's reasonable handling and return shipping charges for any product that is not packaged and shipped in accordance with the foregoing requirements, or that is determined by D-Link not to be defective or non-conforming.
What Is Not Covered:
This limited warranty provided by D-Link does not cover: Products, if in D-Link's judgment, have been subjected to abuse, accident, alteration, modification, tampering, negligence, misuse, faulty installation, lack of reasonable care, repair or service in any way that is not contemplated in the documentation for the product, or if the model or serial number has been altered, tampered with, defaced or removed; Initial installation, installation and removal of the product for repair, and shipping costs; Operational adjustments covered in the operating manual for the product, and normal maintenance; Damage that occurs in shipment, due to act of God, failures due to power surge, and cosmetic damage; Any hardware, software, firmware or other products or services provided by anyone other than D-Link; Products that have been purchased from inventory clearance or liquidation sales or other sales in which D-Link, the sellers, or the liquidators expressly disclaim their warranty obligation pertaining to the product. Repair by anyone other than D-Link or an Authorized D-Link Service Office will void this Warranty.
Disclaimer of Other Warranties:
EXCEPT FOR THE LIMITED WARRANTY SPECIFIED HEREIN, THE PRODUCT IS PROVIDED "AS-IS" WITHOUT ANY WARRANTY OF ANY KIND WHATSOEVER INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IF ANY IMPLIED WARRANTY CANNOT BE DISCLAIMED IN ANY TERRITORY WHERE A PRODUCT IS SOLD, THE DURATION OF SUCH IMPLIED WARRANTY SHALL BE LIMITED TO NINETY (90) DAYS. [. . . ]