DWS-1008 User’s Manual Table of Contents Product Contents System Requirements Introduction Hardware Overview Features Installation Overview Getting Started Installation Configuration CLI Quickstart Command Accessing the CLI Configuration Overview Configuring for Authenticating Users Configuring APs for Wireless Users Configuring a Service Profile...
Page 3
Logging In to a Remote Device Tracing a Route IP Interfaces and Services Configuration Scenario Configuring SNMP Enabling SNMP Versions Setting SNMP Security Configuring a Notification Profile Configuring a Notification Target Enabling the SNMP Service Displaying SNMP Information Configuring DWL-8220AP Access Points...
Page 4
Configuring and Managing IGMP Snooping Disabling or Reenabling IGMP Snooping Disabling or Reenabling Proxy Reporting Enabling the Pseudo-Querier Changing IGMP Timers Enabling Router Solicitation Configuring Static Multicast Ports Displaying Multicast Information Configuring and Managing Security ACLs About Security Access Control Lists...
Page 5
Managing 802.1X Managing 802.1X on Wired Authentication Ports Managing 802.1X Encryption Keys Managing 802.1X Client Reauthentication Managing Other Timers Displaying 802.1X Information Managing Sessions About the Session Manager Displaying and Clearing Administrative Sessions Displaying and Clearing Network Sessions...
Such modifications could void the user’s authority to operate the equipment. The DWS-1008 switch has been designed and tested to be installed in an operating ambient temperature of 0° C to +40° C (32° F to 104° F). To reduce the risk of equipment damage, install equipment with consideration to these ambient conditions.
DWL-8220APs and up to six more DWL-8220APs connected indirectly. Maximum Performance With Load Balancing Capabilities The DWS-1008 performs Layer 2 forwarding and also comes with extensive Layer 3-4 and identity-tracking capabilities. It integrates seamlessly with wired infrastructures and offers redundant load-sharing links, 802.1q trunking, spanning tree and per-VLAN spanning tree (PVST+).
The 10/100 Ethernet ports on the DWS-1008 switch provide automatic MDI/MDX, which automatically crosses over the send and receive signals if required. Ports 1-6 support PoE. Uplink Ports (7 & 8): Ports 7 and 8 on the DWS-1008 switch are uplink ports only and do not support PoE. LEDs: Link (1-8): Solid green indicates that a 100 Mbps link is operational.
You also can configure a default domain name to append to hostnames. • Network Time Protocol (NTP) - The DWS-1008 switch can set its time and date by polling an NTP server. • System log - The DWS-1008 generates log messages to record system events. The log messages are stored locally and also can be exported to syslog servers.
Installation Overview Caution: The DWS-1008 switch has been designed and tested to be installed in an operating ambient temperature of 0° C to +40° C (32° F to 104° F). To reduce the risk of equipment damage, install equipment with consideration to these ambient conditions.
Page 11
The mounting brackets support front mounting only. Warning: Earth grounding is required for a DWS-1008 switch installed in a rack. If you are relying on the rack to provide ground, the rack itself must be grounded with a ground strap to the earth ground.
Use show commands to display the current configuration and monitor the status of network operations. * The Mobility System Software is built into the firmware on the DWS-1008 switch. No additional software is required. The switch supports two connection modes: •...
3. Attach the four rubber adhesive feet over the X’s. 4. Turn the switch right-side up, and place the switch in position on the table. Powering On a DWS-1008 Switch Warning: The switch relies on the building’s installation for overcurrent protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S.
Page 14
This indicates normal power supply operation. Connecting to a Serial Management Console Initial configuration of the DWS-1008 switch requires a connection to the switch’s CLI through the serial console port. To connect a PC to the serial console port: 1.
Page 15
Installation (continued) Connecting to the Network Use the following procedures to connect a DWS-1008 switch to DWL-8220AP access points or other 10/100 Ethernet devices. Connecting to a DWL-8220AP or Other 10/100 Ethernet Devices Note: The 10/100 Ethernet ports are configured as wired network ports by default. You must change the port type for locally connected DWL-8220AP access points, and for wired end stations that use AAA through the DWS-1008 switch to access the network.
Configuration You can use the CLI (Command Line Interface) to configure a new switch or to continue configuring a partially configured switch. CLI (Command Line Interface) You can configure a switch using the CLI by attaching a PC to the switch’s Console port.
Configuration (continued) CLI Quickstart Command The quickstart command runs a script that interactively helps you configure the following items: • System name • Country code (regulatory domain) • System IP address • Default route • Administrative users and passwords •...
Page 18
Configuration (continued) To run the quickstart command: 1. Attach a PC to the DWS-1008 switch’s serial console port. Use the following modem settings: 9600 bps, 8 bits, 1 stop, no parity, hardware flow control disabled. 2. Press Enter three times, to display a username prompt (Username:), a password prompt (Password:), and then a command prompt such as the following: DWS-1008-aabbcc>...
Page 19
Configuration (continued) • Administrative user admin1, with password letmein. The only management access the switch allows by default is CLI access through the serial connection. • System Time and date parameters: • Date: 15th of August, 2005 •...
Page 20
DWS-1008-aabbcc# quickstart This will erase any existing config. Continue? [n]: y Answer the following questions. Enter ‘?’ for help. ^C to break out System Name [DWS-1008]: DWS-1008-Corp Country Code [US]: US System IP address []: 10.10.10.4 System IP address netmask []: 255.255.255.0 Default route []: 10.10.10.1...
Page 21
Configuration (continued) 6. Optionally, enable Telnet. DWS-1008-aabbcc# set ip telnet server enable 7. Verify the configuration changes. DWS-1008-aabbcc# show config 8. Save the configuration changes. DWS-1008-aabbcc# save config D-Link Systems, Inc.
Note: For simplicity, the command prompt examples in the documentation show a switch model (such as DWS-1008) and the CLI access level (> for restricted access or # for enabled access) only. The default command prompt on your switch shows your switch’s model number and also contains the last three octets of the switch’s MAC address.
Configuration (continued) Configuration Overview To configure a DWS-1008 switch for basic service, perform the following tasks, in this order: 1. Configure an enable password. (See “Configuring an Enable Password” on page 19.) 2. Configure time and date parameters. (See “Configuring the Time and Date” on page 20.) 3.
Page 24
Configuration (continued) Configuring an Enable Password D-Link recommends that you configure an enable password to provide at least minimal security to the DWS-1008 switch before you proceed to more advanced configuration options. To configure an enable password, use the following command: set enablepass To configure an enable password:...
Page 25
3. Specify the IP address of a Network Time Protocol (NTP) server or statically set the time and date. Note: D-Link recommends that you set the time and date parameters before you install certificates on the DWS-1008 switch. Generally, certificates are valid for one year beginning with the system time and date that are in effect when you generate the certificate request.
Page 26
Configuration (continued) Additional commands configure an NTP server and enable the switch’s NTP client. DWS-1008# set timezone PST -8 success: change accepted. DWS-1008# set summertime PDT success: change accepted. DWS-1008# set ntp server 192.168.1.10 DWS-1008# set ntp enable...
Page 27
Any or all VLANs on the switch can have an IP address. Web View requires IP connectivity to a DWS-1008 switch to manage the switch. User traffic also requires VLANs, although you do not need to configure every user’s VLAN on every DWS-1008 switch.
Page 28
Configuring a Default Route If Web View and a DWS-1008 switch are in different subnets, you need to configure a default route on the switch. To configure a default route, use the following command: set ip route default gateway metric...
Page 29
Configuration (continued) Verifying IP Connectivity To verify that the switch can send and receive IP traffic, use the following command: ping host The ping command sends an Internet Control Message Protocol (ICMP) echo packet to the specified device and listens for a reply packet.
Page 30
Configuration (continued) Specifying the Country of Operation You must specify the country in which you plan to operate the switch and its access points. MSS does not allow you to configure or enable the access point radios until you specify the country of operation.
Page 31
Specifying a System IP Address You can designate one of the IP addresses configured on a DWS-1008 switch’s VLAN to be the system IP address of the switch. The system IP address provides a common IP interface and source IP address for some management and MobileLAN operations. The system IP address is required by some features, including roaming.
Page 32
To verify the configuration change, use the following command: show system The following commands configure the system IP address to be 10.10.10.4, the IP address on VLAN mgmt, and verify the change: DWS-1008# set system ip-address 10.10.10.4 success: change accepted. DWS-1008# show system =============================================================...
AP. If Spanning Tree Protocol (STP) is enabled on the port that is directly connected to a Distributed AP, D-Link recommends that you enable port fast convergence (called PortFast on some vendors’ devices) on the port or disable STP on the port.
4. Apply the radio profile to radios and enable the radios. AP Connection Requirements You can connect a DWL-8220AP access point to a DWS-1008 switch directly to a 10/100 port supplying PoE or through an intermediate network. There are two types of AP to switch connection: direct and distributed.
Page 35
This example has the following configuration requirements for the APs: • AP1 is directly connected to the switch. The DWS-1008 needs port 2 configured as a directly connected AP. • AP2 is connected through a Layer 2 network to the switch. The switch needs a Distributed AP configuration in order to boot and configure AP2.
Page 36
• Power - PoE must be provided on one of the Ethernet connections to the AP. Be sure to utilize a PoE injection device that has been tested by D-Link. Providing PoE on both of the Ethernet connections (if the AP has two) allows for redundant PoE.
Page 37
IP address returned for TRPZ, the AP never contacts the IP address returned for wlan-switch. The AP does not boot. After the AP contacts the switch, the switch relays information about DWS-1008 switches in the network that contain a Distributed AP configuration specific to that Distributed AP.
Page 38
Configuration (continued) Configuring for a Directly-Connected AP Caution: When you set the port type for use by locally connected APs, you must specify the PoE state (enabled or disabled) of the port. If you enable PoE on a port connected to another device, physical damage to the device can result.
Page 39
Configuration (continued) The following example sets ports 1, 2, and 4 for the DWL-8220AP access point: DWS-1008# set port type ap 1,2,4 model dwl-8220ap poe enable This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y success: change accepted.
Page 40
Configuration (continued) Note: You can configure an AP configuration template for automatically configuring Distributed APs when they boot using the DWS-1008 switch. The following example configures connections for two Distributed APs that are indirectly connected to the switch. Note that when you create a connection, you assign it a number that can be used later for displaying and configuration, much like the physical ports for...
Page 41
APs configured in the MobileLAN, use the following command: show dap global [dap-num | serial-id serial-ID] The following command lists configuration information for the Distributed APs below: DWS-1008# show dap global Total number of entries: 12 DAP Serial Id Switch IP Address...
Configuration (continued) Configuring a Service Profile A service profile controls advertisement and encryption for an SSID. You can specify the following: • Whether SSIDs that use the service profile are beaconed • Whether the SSIDs are encrypted or clear (unencrypted) •...
Page 43
Configuration (continued) Parameter / Default Value / Radio Behavior When Parameter Set To Default Values: psk-phrase / No passphrase / Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients. psk-raw / No preshared key / Uses dynamically generated keys rather than key defined...
Page 44
SSID. To configure and display a radio profile, use the following commands: set radio-profile name show radio-profile name Note: D-Link recommends that you do not use the name default. MSS already contains a radio profile named default.
Page 45
Configuration (continued) The following command configures radio profile rp1: DWS-1008# set radio-profile rp1 success: change accepted. The table below lists the radio profile parameters and their default values. Parameter / Default Value / Radio Behavior When Parameter Set To Default Values
Page 46
Configuration (continued) Parameter / Default Value / Radio Behavior When Parameter Set To Default Values: service-profile / Not Defined / Default settings for all service profile parameters, including encryption parameters, are used. short-retry / Sends a short unicast frame up to five times without acknowledgment.
Page 47
The following commands apply radio profile rp1 to radio 1 on AP access ports 1, 2, and 4 and on Distributed AP 1 and Distributed AP 2, and enable the radios: DWS-1008# set ap 1,2,4 radio 1 radio-profile rp1 mode enable success: change accepted.
Page 48
To verify radio configuration changes, use the following commands: show ap config [port-list [radio {1 | 2}]] show dap config [dap-num [radio {1 | 2}]] * Please contact D-Link Sales for information regarding Trapeze antennas. Here is an example: DWS-1008# show ap config 1...
Page 49
Configuration (continued) Configuring User Authentication MSS provides the following types of authentication: • IEEE 802.1X - If the network user’s network interface card (NIC) supports 802.1X, MSS checks for an 802.1X authentication rule that matches the username (and SSID, if wireless access is requested), and that uses the Extensible Authentication Protocol (EAP) requested by the NIC.
Page 50
VLAN: • Tunnel-Private-Group-ID - This attribute is described in RFC 2868, RADIUS attributes for Tunnel Protocol Support. • VLAN-Name - This attribute is a D-Link vendor-specific attribute (VSA). Note: You cannot configure the Tunnel-Private-Group-ID attribute in the local user database.
Page 51
The following commands configure two RADIUS servers, add them to server group grp1, enable load balancing of authentication sessions among the servers, and verify the change: DWS-1008# set radius server svr1 address 10.10.70.20 key rad1pword success: change accepted. DWS-1008# set radius server svr2 address 10.10.70.40 key rad2pword success: change accepted.
Page 52
EAP type to communicate with EAP-capable RADIUS server group grp1, when attempting to access SSID private_wlan. The server group authenticates the users. DWS-1008# set authentication dot1x ssid private_wlan EXAMPLE\* pass-through grp1 success: change accepted.
Page 53
DWS-1008# set authentication dot1x ssid private_wlan *@eng.example.com pass-through grp1 success: change accepted. DWS-1008# set authentication dot1x ssid private_wlan *@*.*.com pass-through grp1 success: change accepted. DWS-1008# set authentication dot1x ssid private_wlan *@*.com pass-through grp1 success: change accepted. Displaying the Server Group and Authentication Configuration The show aaa command displays the server group and authentication configuration on a...
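The rules above select a RADIUS server group by matching the user name against a glob. The following is an added example, not D-Link or MSS code, that models that lookup: the four pass-through rules from the page are encoded as constructed data, a user name is matched against them, and an audit helper reports rules that a sample of user names never reaches. First-match evaluation order, the use of Python's fnmatch semantics for `*`, and the `to_cli`, `find_rule` and `unreachable_rules` helper names are assumptions of this model.

```python
"""Added example: how 802.1X authentication rules with user globs select an AAA
method and RADIUS server group.  Toy model, not MSS code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class AuthRule:
    ssid: str                     # SSID the rule applies to
    user_glob: str                # user name pattern, e.g. "*@eng.example.com"
    method: str                   # "pass-through", "peap-mschapv2", ...
    server_group: Optional[str]   # RADIUS server group, or None for "local"


# Constructed rule set: the four pass-through rules shown on the page for SSID
# private_wlan, in the order they were entered.
RULES: List[AuthRule] = [
    AuthRule("private_wlan", "EXAMPLE\\*", "pass-through", "grp1"),
    AuthRule("private_wlan", "*@eng.example.com", "pass-through", "grp1"),
    AuthRule("private_wlan", "*@*.*.com", "pass-through", "grp1"),
    AuthRule("private_wlan", "*@*.com", "pass-through", "grp1"),
]


def to_cli(rule: AuthRule) -> str:
    """Render a rule in the 'set authentication dot1x' form used on the page."""
    target = rule.server_group if rule.server_group else "local"
    return f"set authentication dot1x ssid {rule.ssid} {rule.user_glob} {rule.method} {target}"


def find_rule(rules: List[AuthRule], ssid: str, username: str) -> Optional[AuthRule]:
    """Return the first rule whose SSID and user glob both match.

    First-match order is an assumption of this model.  fnmatchcase treats
    '*' and '?' as wildcards and everything else literally, so the backslash
    in 'EXAMPLE\\*' matches the literal domain separator in 'EXAMPLE\\alice'.
    """
    for rule in rules:
        if rule.ssid == ssid and fnmatchcase(username, rule.user_glob):
            return rule
    return None


def unreachable_rules(rules: List[AuthRule], sample_users: List[str]) -> List[AuthRule]:
    """Rules that none of the sample user names reach, because an earlier,
    broader rule matched first.  Useful when auditing rule order."""
    hit = set()
    for ssid in {r.ssid for r in rules}:
        for user in sample_users:
            matched = find_rule(rules, ssid, user)
            if matched is not None:
                hit.add(matched)
    return [r for r in rules if r not in hit]


if __name__ == "__main__":
    for rule in RULES:
        print(to_cli(rule))
    for user in ["EXAMPLE\\alice", "bob@eng.example.com", "dave@example.com", "eve@example.org"]:
        match = find_rule(RULES, "private_wlan", user)
        print(f"{user:28} -> {match.user_glob if match else 'no rule (access denied)'}")
```

Note how the narrow `*@eng.example.com` rule and the broad `*@*.com` rule overlap: with the broad rule present, every `.com` user is forwarded to grp1 whether or not a narrower rule exists, which is worth checking whenever a rule set is meant to restrict, rather than merely route, who reaches the RADIUS servers.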
Page 54
Configuration (continued) Configuring EAP Offload with Server Authentication You can configure a DWS-1008 switch to perform all EAP processing locally and use RADIUS servers for authentication and authorization. To configure the DWS-1008 switch to perform EAP processing locally and use RADIUS servers for MS-CHAP-V2: 1.
Page 55
Configuration (continued) DWS-1008# show aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports Tries Dead State -------------------------------------------------------------------------------------- svr1 10.10.70.20 1812 1813 svr2 10.10.70.40 1812 1813 Server groups grp1 (load-balanced): svr1 svr2 set authentication dot1x ssid private_wlan EXAMPLE\* peap-mschapv2 grp1 Displaying and Saving the Configuration...
Page 56
Configuration (continued) The following command displays the beginning of the configuration file on a DWS-1008 switch configured with the commands in this chapter: DWS-1008# show config # Configuration nvgen’d at 2005-4-29 14:12:37 # Image 4.0.1 # Model DWS-1008 # Last change occurred at 2005-4-29 14:03:52 set ip route default 10.10.20.19 1...
The switch attempts administrative authentication in the local database first. If it finds no match, the DWS-1008 attempts administrative authentication on the RADIUS server. Note: A CLI Telnet connection to the DWS-1008 is not secure, unlike SSH and Web View connections.
• Administrative access mode - Allows a network administrator to access the switch and configure it. You must establish administrative access in enabled mode before adding users. • Network access mode - Allows network users to connect through the DWS-1008 switch.
Until you set the enable password and configure authentication, the default username and password are blank. Press Enter when prompted for them. To enable an administrator: 1. Log in to the DWS-1008 switch from the serial console, and press Enter when the switch displays a username prompt: Username: 2.
Page 60
Configuring AAA for Administrative and Local Access Setting the DWS-1008 Switch Enable Password There is one enable password for the entire DWS-1008 switch. You can optionally change the enable password from the default. Setting the DWS-1008 Enable Password for the First Time To set the enable password for the first time:...
DWS-1008# set authentication console * local Caution: If you type this command before you have created a local username and password, you can lock yourself out of the DWS-1008 switch. Before entering this command, you must configure a local username and password.
Page 62
The local database on the DWS-1008 switch is the simplest way to store user information in a D-Link system. To configure a user in the local database, type the following command: set user username password password Note.
Page 63
In the set accounting command, you must include AAA methods that specify whether to use the local database or RADIUS server to receive the accounting records. Specify local, which causes the processing to be done on the DWS-1008 switch, or specify a RADIUS server group.
Page 64
DWS-1008 switch or saved the configuration. If the DWS-1008 switch is rebooted before you have saved the configuration, all changes are lost. You can also type the load config command, which reloads the DWS-1008 switch to the last saved configuration or loads a particular configuration filename.
Page 65
For all scenarios, the administrator is Natasha with the password m@Jor. Local Authentication The first time you access a DWS-1008 switch, it requires no authentication. In this scenario, after the initial configuration of the DWS-1008 switch, Natasha is connected through the console and has enabled access.
Page 66
Natasha types the following commands in this order: DWS-1008# set user natasha password m@Jor User natasha created DWS-1008# set radius server r1 address 192.168.253.1 key sunFLOW#$ success: change accepted. DWS-1008# set server group sg1 members r1 success: change accepted.
Page 67
To configure unconditional authentication, Natasha sets the authentication method to none. She types the following commands in this order: DWS-1008# set user natasha password m@Jor User natasha created DWS-1008# set radius server r1 address 192.168.253.1 key sunFLOW#$ success: change accepted. DWS-1008# set server group sg1 members r1 success: change accepted.
All DWS-1008 switch ports are network ports by default. You must set the port type for ports directly connected to AP access ports and to wired user stations that must be authenticated to access the network.
Page 69
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y success: change accepted. DWS-1008# set port type ap 2 model DWL-8220AP poe enable radiotype 11b This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y success: change accepted.
Page 70
MAC authentication is successful. To set port 2 as a wired authentication port, type the following command: DWS-1008# set port type wired-auth 2 success: change accepted This command configures port 2 as a wired authentication port supporting one interface and one simultaneous user session.
Page 71
DWS-1008# set port 3 name adminpool success: change accepted. Caution: When you clear a Distributed AP, MSS ends user sessions that are using the AP. Note: To avoid confusion, D-Link recommends that you do not use numbers as port names. Removing a Port Name...
Page 72
The PoE state depends on whether you enable or disable PoE when you set the port type. Caution: Use the DWS-1008 switch’s PoE only to power D-Link DWL-8220AP access points. If you enable PoE on ports connected to other devices, damage can result.
Page 73
PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing a DWL-8220 access point that is connected to two DWS-1008 switches to reboot using the port connected to the other switch. To reset a port, use the following command:...
| collisions | receive-etherstats | transmit-etherstats] [port port-list] You can specify one statistic type with the command. For example, to display octet statistics for port 3, type the following command: DWS-1008# show port counters octets port 3 Port Status Rx Octets...
Page 75
To monitor port statistics beginning with octet statistics (the default), type the following command: DWS-1008# monitor port counters As soon as you press Enter, MSS clears the window and displays statistics at the top of the window. In this example, the octet statistics are displayed first.
Page 76
Load Sharing A DWS-1008 switch balances the port group traffic among the group’s physical ports by assigning traffic flows to ports based on the traffic’s source and destination MAC addresses. The switch assigns a traffic flow to an individual port and uses the same port for all subsequent traffic for that flow.
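The paragraph above describes flow pinning: a port group hashes the source/destination MAC pair to one member port and keeps using it. The following is an added example, not D-Link or MSS code, that models a port group such as the server2 group configured on the page. The XOR-fold hash, the re-hashing of flows over the remaining ports when a link goes down, and the `PortGroup`, `flow_key` and `mac_bytes` names are assumptions of this model, not documented switch behaviour.

```python
"""Added example: how a load-sharing port group pins each MAC-pair flow to one
member port.  Toy model; the hash function is an assumption, not MSS's."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes, rejecting malformed input."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(o, 16) for o in octets)


def flow_key(src_mac: str, dst_mac: str) -> int:
    """Fold source and destination MAC into one byte by XOR.

    XOR is commutative, so both directions of a conversation hash to the same
    key and therefore the same port.  The choice of XOR is an assumption.
    """
    key = 0
    for b in mac_bytes(src_mac) + mac_bytes(dst_mac):
        key ^= b
    return key


class PortGroup:
    """A load-sharing port group such as 'set port-group name server2 3,5 mode on'."""

    def __init__(self, name: str, ports: Iterable[int]):
        self.name = name
        self.members: List[int] = sorted(set(ports))
        if not self.members:
            raise ValueError("a port group needs at least one port")
        self.active: List[int] = list(self.members)

    def port_for(self, src_mac: str, dst_mac: str) -> int:
        """Pick the member port for a flow; the same pair always yields the same port."""
        if not self.active:
            raise RuntimeError(f"port group {self.name} has no active links")
        return self.active[flow_key(src_mac, dst_mac) % len(self.active)]

    def link_down(self, port: int) -> None:
        """Remove a failed link; flows are re-hashed over the remaining ports."""
        self.active = [p for p in self.active if p != port]

    def link_up(self, port: int) -> None:
        """Restore a member link so it takes part in hashing again."""
        if port in self.members and port not in self.active:
            self.active = sorted(self.active + [port])

    def distribution(self, flows: Iterable[Tuple[str, str]]) -> Dict[int, int]:
        """Count how many of the given (src, dst) flows land on each port."""
        return dict(Counter(self.port_for(s, d) for s, d in flows))


if __name__ == "__main__":
    group = PortGroup("server2", [3, 5])
    # Constructed sample flows: one server talking to eight clients.
    sample = [("00:00:00:00:00:01", f"00:00:00:00:00:{i:02x}") for i in range(2, 10)]
    print("distribution:", group.distribution(sample))
    group.link_down(3)
    print("after port 3 fails:", group.distribution(sample))
```

Because the hash is per MAC pair rather than per packet, one busy pair never spreads across both links; that is the trade-off the paragraph describes, and the `distribution` helper is the quick way to see how evenly a given set of conversations lands on the group's ports.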
Page 77
To configure a port group named server2 containing ports 3 and 5 and add the ports to the default VLAN, type the following commands: DWS-1008# set port-group name server2 3,5 mode on success: change accepted. DWS-1008# set vlan default port server2 success: change accepted.
Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a D-Link DWS-1008 switch, use the following command on the Catalyst switch: set port channel port-list mode on Configuring and Managing VLANs...
Page 79
Every VLAN on a DWS-1008 switch has both a VLAN name, used for authorization purposes, and a VLAN number. VLAN numbers are local to each switch and are not related to 802.1Q tag values.
Page 80
A DWS-1008 switch switches traffic at Layer 2 among ports in the same VLAN. For example, suppose you configure ports 4 and 5 to belong to VLAN 2 and ports 6 and 7 to belong to VLAN 3.
Page 81
Specify a VLAN number from 2 to 4095, and specify a name up to 16 alphabetic characters long. You cannot use a number as the first character in a VLAN name. D-Link recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.
Page 82
To clear port 2, which uses tag value 11, from VLAN marigold, type the following command: DWS-1008# clear vlan marigold port 2 tag 11 This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y success: change accepted.
VLAN. Managing the Layer 2 Forwarding Database A DWS-1008 switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC addresses within a particular VLAN. To forward a packet to another device in a VLAN, the switch searches the forwarding database for the packet’s...
Page 84
(You cannot add a multicast or broadcast address as a permanent or static forwarding database entry.) • Added by the DWS-1008 switch itself - For example, the authentication protocols can add entries for wired and wireless authentication users. The switch also adds any static entries added by the system administrator and saved in the configuration...
Page 85
To add a permanent entry for MAC address 00:bb:cc:dd:ee:ff on ports 3 and 5 in VLAN blue, type the following command: DWS-1008# set fdb perm 00:bb:cc:dd:ee:ff port 3,5 vlan blue success: change accepted. To add a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the default VLAN, type...
For example, to set the aging timeout period for VLAN 2 to 600 seconds, type the following command: DWS-1008# set fdb agingtime 2 age 600 success: change accepted. Port and VLAN Configuration Scenario This scenario assigns names to ports, and configures AP access ports, wired authentication ports, a load-sharing port group, and VLANs.
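The passages above on the forwarding database describe three kinds of entries (dynamic, static and permanent), the rule that multicast and broadcast addresses cannot be configured as permanent or static entries, and a per-VLAN aging timeout for dynamic entries. The following is an added example, not D-Link or MSS code, that models a Layer 2 FDB with those behaviours so the aging and lookup logic can be exercised offline. The default aging time, the rule that learning never overwrites an administrator-added entry, and the `ForwardingDatabase`, `EntryType` and `is_unicast` names are assumptions of this model.

```python
"""Added example: a toy Layer 2 forwarding database (FDB) with permanent,
static and dynamic entries and per-VLAN aging.  Not MSS code."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class EntryType(Enum):
    DYNAMIC = "dynamic"        # learned from source MACs, removed by aging
    STATIC = "static"          # administrator-added, never aged
    PERMANENT = "permanent"    # administrator-added, never aged


@dataclass
class FdbEntry:
    ports: Tuple[int, ...]
    kind: EntryType
    last_seen: float           # only consulted for DYNAMIC entries


# Assumed default aging time for this model; the page only shows 600 s being set on VLAN 2.
DEFAULT_AGING_SECONDS = 300.0


def is_unicast(mac: str) -> bool:
    """Unicast when the I/G bit (LSB of the first octet) is clear; broadcast and
    multicast addresses have it set and cannot be permanent or static entries."""
    return int(mac.split(":")[0], 16) & 0x01 == 0


class ForwardingDatabase:
    def __init__(self) -> None:
        self.tables: Dict[str, Dict[str, FdbEntry]] = {}   # vlan -> mac -> entry
        self.aging: Dict[str, float] = {}                   # vlan -> seconds

    def set_agingtime(self, vlan: str, seconds: float) -> None:
        """Counterpart of 'set fdb agingtime <vlan> age <seconds>'."""
        self.aging[vlan] = float(seconds)

    def add_entry(self, vlan: str, mac: str, ports: Iterable[int],
                  kind: EntryType, now: float = 0.0) -> None:
        """Counterpart of 'set fdb perm|static <mac> port <ports> vlan <vlan>'."""
        mac = mac.lower()
        if kind is EntryType.DYNAMIC:
            raise ValueError("dynamic entries are learned, not configured")
        if not is_unicast(mac):
            raise ValueError(f"{mac} is multicast/broadcast and cannot be a {kind.value} entry")
        self.tables.setdefault(vlan, {})[mac] = FdbEntry(tuple(sorted(set(ports))), kind, now)

    def learn(self, vlan: str, mac: str, port: int, now: float) -> None:
        """Record the port a unicast source MAC was seen on; admin entries win."""
        mac = mac.lower()
        if not is_unicast(mac):
            return
        table = self.tables.setdefault(vlan, {})
        existing = table.get(mac)
        if existing is not None and existing.kind is not EntryType.DYNAMIC:
            return
        table[mac] = FdbEntry((port,), EntryType.DYNAMIC, now)

    def age_out(self, now: float) -> int:
        """Drop dynamic entries idle longer than their VLAN's aging time."""
        removed = 0
        for vlan, table in self.tables.items():
            limit = self.aging.get(vlan, DEFAULT_AGING_SECONDS)
            stale = [m for m, e in table.items()
                     if e.kind is EntryType.DYNAMIC and now - e.last_seen > limit]
            for mac in stale:
                del table[mac]
                removed += 1
        return removed

    def lookup(self, vlan: str, mac: str, now: float) -> Optional[Tuple[int, ...]]:
        """Ports to forward to, or None when the switch must flood the VLAN."""
        self.age_out(now)
        entry = self.tables.get(vlan, {}).get(mac.lower())
        return entry.ports if entry else None


if __name__ == "__main__":
    fdb = ForwardingDatabase()
    fdb.add_entry("blue", "00:bb:cc:dd:ee:ff", [3, 5], EntryType.PERMANENT)
    fdb.set_agingtime("2", 600)
    fdb.learn("2", "00:2b:3c:4d:5e:6f", 1, now=0)
    print("t=500:", fdb.lookup("2", "00:2b:3c:4d:5e:6f", now=500))
    print("t=700:", fdb.lookup("2", "00:2b:3c:4d:5e:6f", now=700))
```

A lookup miss returns None, which is the case where a real switch floods the frame to every port in the VLAN; keeping the aging time short enough to track station moves, but long enough that active conversations do not keep aging out and triggering floods, is the balance the agingtime command controls.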
Page 87
success: change accepted. DWS-1008# set port 2 name finance success: change accepted. DWS-1008# set port 3 name accounting success: change accepted. DWS-1008# set port 4 name shipping success: change accepted. DWS-1008# set port 5 name lobby success: change accepted.
Page 88
3. Configure ports 2 through 6 for connection to access point model DWL-8220AP and verify the configuration changes. Type the following commands: DWS-1008# set port type ap 2-6 model dwl-8220ap poe enable This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y success: change accepted.
Page 89
5. Configure ports 7 and 8 as a load-sharing port group to provide a redundant link to the backbone, and verify the configuration change. Type the following commands: DWS-1008# set port-group name backbonelink port 7,8 mode on success: change accepted.
Page 90
success: configuration saved.
IP tunnel, and only to reassemble fragments created by another D-Link device for tunneling. If the path MTU between D-Link devices is less than 1448 bytes, a device in the path might further fragment or drop a tunneled packet. If the packet is further fragmented, the receiving switch will not be able to reassemble the fragments, and the packet is dropped.
Page 92
Domain Name, and (6) Domain Name Server • (60) Vendor Class Identifier, set to TRPZ x.x.x, where x.x.x is the MSS version The DHCP client is disabled by default on the DWS-1008. You can enable the DHCP client on one VLAN only.
Page 93
The vlan-id can be the VLAN name or number. The following command enables the DHCP client on VLAN corpvlan: DWS-1008# set interface corpvlan ip dhcp-client enable success: change accepted. You can configure the DHCP client on more than one VLAN, but the client can be active on only one VLAN.
Page 94
The IP interface table flags the address assigned by a DHCP server with an asterisk ( * ). In the following example, VLAN corpvlan received IP address 10.3.1.110 from a DHCP server.
Configuring the System IP Address You can designate one of the IP addresses configured on a switch to be the system IP address of the switch. The system IP address determines the interface or source IP address MSS uses for system tasks, including the following: •...
Page 96
192.168.1.10, the switch uses the default route to forward a packet addressed to that host. D-Link recommends that you configure at least one default route. You can configure a maximum of four routes per destination. This includes default routes, which have destination 0.0.0.0/0.
Page 97
MSS places the new route at the top of the group of routes with the same cost. To add a default route that uses gateway 10.5.4.1 and has a cost of 1, type the following command: DWS-1008# set ip route default 10.5.4.1 1 success: change accepted.
To add an explicit route from a switch to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and give the route a cost of 1, type the following command: DWS-1008# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1 success: change accepted.
• Absolute timeout - controls how long an SSH session can remain open, regardless of how active the session is. The absolute timeout is disabled by default. D-Link recommends using the idle timeout to close unused sessions. However, if the idle timeout is disabled, MSS changes the default absolute timeout from 0 (disabled) to 60 minutes to prevent an abandoned session from remaining open indefinitely.
Page 100
To generate a 1024-byte SSH authentication key, type the following command: DWS-1008# crypto generate key ssh 1024 key pair generated You can verify the key using the following command:...
Page 101
To change the absolute timeout value to 30 minutes, type the following command: DWS-1008# set ip ssh absolute-timeout 30 success: absolute timeout set to 30 minutes Managing SSH Server Sessions...
To display the status of the Telnet server, use the following command: show ip telnet To display the Telnet server status and the TCP port number on which a switch listens for Telnet traffic, type the following command: DWS-1008> show ip telnet Server Status Port -------------------------------------- Enabled
Page 103
To display the Telnet server sessions on a switch, type the following command: Note: If you type the clear sessions admin telnet command from within a Telnet session, the session ends as soon as you press Enter. DWS-1008# show sessions admin Username Time (s)
DWS-1008 User’s Manual
Configuring and Managing IP Interfaces and Services
Configuring and Managing DNS
You can configure a switch to use a Domain Name Service (DNS) server to resolve hostnames into their IP addresses. This capability is useful in cases where you specify a hostname instead of an IP address in a command.
Enabling or Disabling the DNS Client
The DNS client is disabled by default. To enable or disable the DNS client, use the following command:
set ip dns {enable | disable}
Configuring DNS Servers...
To display DNS server information, use the following command:
show ip dns
The following example shows DNS server information on a switch configured to use three DNS servers.
DWS-1008# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address...
(UTC) by setting the time zone. You also can configure MSS to offset the time by an additional hour for daylight savings time or similar summertime period. Note. D-Link recommends that you set the time and date parameters before you install certificates on the switch. Generally, certificates are valid for one year beginning with the system time and date that are in effect when you generate the certificate request.
(-) in front of the hour value to subtract the hours from UTC. To set the time zone to PST (Pacific Standard Time), type the following command:
DWS-1008# set timezone PST -8
Timezone is set to 'PST', offset from UTC is -8:0 hours.
2:00 a.m. on the last Sunday in October, according to the North American standard. To set the summertime period to PDT (Pacific Daylight Time) and use the default start and end dates and times, type the following command:
DWS-1008# set summertime PDT
success: change accepted.
Displaying the Summertime Period...
The day of week is automatically calculated from the day you set. To set the date to February 29, 2004 and the time to 23:58:
DWS-1008# set timedate date feb 29 2004 time 23:58:00
Time now is: Sun Feb 29 2004, 23:58:02 PST
The CLI makes the time change, then displays the current system time based on the change.
To add an NTP server to the list of NTP servers, use the following command:
set ntp server ip-addr
To configure a switch to use NTP server 192.168.1.5, type the following command:
DWS-1008# set ntp server 192.168.1.5
Removing an NTP Server
To remove an NTP server, use the following command:
clear ntp server {ip-addr | all}
If you use the all option, MSS clears all NTP servers configured on the switch.
Resetting the Update Interval to the Default
To reset the update interval to the default value, use the following command:
clear ntp update-interval
Enabling the NTP Client
The NTP client is disabled by default. To enable the NTP client, use the following command:...
{permanent | static | dynamic} ip-addr mac-addr
To add a static ARP entry that maps IP address 10.10.10.1 to MAC address 00:bb:cc:dd:ee:ff, type the following command:
DWS-1008# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff
success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1
Changing the Aging Timeout
The aging timeout specifies how long a dynamic entry can remain unused before the software...
You can specify from 0 to 1,000,000 seconds. To disable aging, specify 0. For example, to disable aging of dynamic ARP entries, type the following command:
DWS-1008# set arp agingtime 0
success: set arp aging time to 0 seconds
Note: To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.
Username:
When you press Ctrl+t or type exit to end the client session, the management session returns to the local prompt:
DWS-1008-remote>
Session 0 pty tty2.d terminated tt name tty2.d
DWS-1008#
Use the following commands to manage Telnet client sessions:...
DNS parameters, and time and date parameters.
1. Configure IP interfaces on the mgmt and roaming VLANs, and verify the configuration changes. Type the following commands:
DWS-1008# set interface mgmt ip 10.10.10.10/24
success: change accepted.
DWS-1008# set interface roaming ip 10.20.10.10/24
success: change accepted.
Total Power Over Ethernet : 105.6
=============================================================
3. Configure a default route through a gateway router attached to the switch and verify the configuration change. Type the following commands:
DWS-1008# set ip route default 10.20.10.1 1
success: change accepted.
4. Configure the DNS domain name and DNS server entries, enable the DNS service, and verify the configuration changes. Type the following commands:
DWS-1008# set ip dns domain example.com
success: change accepted.
DWS-1008# set ip dns server 10.10.10.69 PRIMARY
success: change accepted.
DWS-1008# set ip dns server 10.20.10.69 SECONDARY
success: change accepted.
Offset : 60 minutes
Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.
DWS-1008# set ntp server 192.168.1.5
DWS-1008# set ntp enable
success: NTP Client enabled
DWS-1008# show ntp...
Configuring SNMP
Configuring SNMP Overview
The MSS SNMP engine (also called the SNMP server or agent) can run any combination of the following SNMP versions:
• SNMPv1 - SNMPv1 is the simplest and least secure SNMP version.
{v1 | v2c | usm | all} {enable | disable}
The usm option enables SNMPv3. The all option enables all three versions of SNMP. The following command enables all SNMP versions:
DWS-1008# set snmp protocol all enable
success: change accepted.
To clear an SNMP community string, use the following command:
clear snmp community name comm-string
The following command configures community string switchmgr1 with access level notify-read-write:
DWS-1008# set snmp community name switchmgr1 notify-read-write
success: change accepted.
Creating a USM User for SNMPv3
To create a USM user for SNMPv3, use the following command:
set snmp usm usm-username snmp-engine-id {ip ip-addr | local | hex hex-string} access {read-only | read-notify | notify-only | read-write |...
The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES encryption with passphrases. This user can send informs to the notification receiver that has engine ID 192.168.40.2.
DWS-1008# set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha auth-pass-phrase myauthpword encrypt-type 3des encrypt-pass-phrase mycryptpword
success: change accepted.
• auth-req-unsec-notify - SNMP message exchanges are authenticated but are not encrypted, and notifications are neither authenticated nor encrypted.
Command Example
The following command sets the minimum level of SNMP security allowed to authentication and encryption:
DWS-1008# set snmp security encrypted
success: change accepted.
The profile-name can be up to 32 alphanumeric characters long, with no spaces. To modify the default notification profile, specify default. The notification-type can be one of the following:
• AuthenTraps - Generated when the DWS-1008 switch’s SNMP engine receives a bad community string.
• AutoTuneRadioChannelChangeTraps - Generated when the RF Auto-Tuning feature changes the channel on a radio.
• ClientDot1xFailureTraps - Generated when a client experiences an 802.1X failure.
• ClientRoamingTraps - Generated when a client roams.
• CounterMeasureStartTraps - Generated when MSS begins countermeasures against a rogue access point.
• CounterMeasureStopTraps - Generated when MSS stops countermeasures against a rogue access point.
• RFDetectSpoofedMacAPTraps - Generated when MSS detects a wireless packet with the source MAC address of a D-Link AP, but without the spoofed AP’s signature (fingerprint).
• RFDetectSpoofedSsidAPTraps - Generated when MSS detects beacon frames for a valid SSID, but sent by a rogue AP.
The following command changes the action in the default notification profile from drop to send for all notification types:
DWS-1008# set snmp notify profile default send all
success: change accepted.
The following commands create notification profile snmpprof_rfdetect, and change the action to send for all RF detection notification types:...
The target-num is an ID for the target. This ID is local to the DWS-1008 switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
Command Examples
The following command configures a notification target for acknowledged notifications:
DWS-1008# set snmp notify target 1 10.10.40.9 usm inform user securesnmpmgr1 snmp-engine-id ip
success: change accepted.
This command configures target 1 at IP address 10.10.40.9. The target’s SNMP engine ID is based on its address.
Displaying Notification Profiles
To display notification profiles, use the following command:
DWS-1008# show snmp notify profile
The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For each notification type, the command lists whether MSS sends notifications of that type to the targets that use the notification profile.
Displaying SNMP Statistics Counters
To display SNMP statistics counters, use the following command:
DWS-1008# show snmp counters
Configuring DWL-8220AP Access Points
DWL-8220AP access points contain radios that provide networking between your wired network and IEEE 802.11 wireless users. A DWL-8220AP access point connects to the wired network through a 10/100 Ethernet link and connects to wireless users through radio signals.
Directly Connected DWL-8220APs and Distributed APs To configure the switch to support a DWL-8220AP access point, you must first determine how the DWL-8220AP will connect to the switch. There are two types of AP to DWS-1008 connection: direct and distributed.
subnet. If the AP is unable to locate a DWS-1008 on the subnet it is connected to, the AP sends DNS requests to both TRPZ and wlan-switch, where the DNS suffix for mynetwork.com is learned through DHCP.
flat domain name space. You can use the DHCP option 43 field to provide a list of DWS-1008 IP addresses, without the need to configure DNS servers. To use DHCP option 43, configure the option to contain a comma-separated list of DWS-1008 IP addresses or hostnames, in the following format:
ip:ip-addr1,ip-addr2,...
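Because the option 43 value tells an AP which switch to boot from, an AP should accept only values that match the documented format exactly and fall back to the DNS names the manual describes when the option is absent. The following is an added example, not D-Link code and not the AP's firmware; the function names and the injected DNS lookup are the example's own, and the same-subnet discovery step that precedes option 43 is not modelled:

```python
"""Added example (not D-Link code): validating the DHCP option 43 value in
the documented 'ip:addr1,addr2,...' format, and the order of discovery
sources the manual describes after the same-subnet search fails
(option 43 first, then the names TRPZ and wlan-switch in the DHCP-learned
domain).  The same-subnet step itself is not modelled."""
import ipaddress
import re
from typing import Callable, List, Optional

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens with no
# leading or trailing hyphen, at most 253 characters in total
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")

# names the manual says the AP queries when option 43 gives nothing
DISCOVERY_NAMES = ("TRPZ", "wlan-switch")


def parse_option43(value: str) -> List[str]:
    """Return the switch addresses/hostnames carried in option 43.

    Anything outside the documented format is rejected rather than guessed
    at, so a malformed or tampered option cannot steer the AP to an
    unintended address.  Order is kept; duplicates are dropped.
    """
    if not value.startswith("ip:"):
        raise ValueError("option 43 value must start with 'ip:'")
    result: List[str] = []
    for item in value[3:].split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in option 43 list")
        try:
            entry = str(ipaddress.IPv4Address(item))
        except ValueError:
            if not _HOSTNAME_RE.match(item):
                raise ValueError(f"not an IPv4 address or hostname: {item!r}") from None
            entry = item.lower()
        if entry not in result:
            result.append(entry)
    return result


def discovery_candidates(option43: Optional[str],
                         dns_lookup: Callable[[str], List[str]],
                         dns_suffix: str) -> List[str]:
    """Candidates in the order the AP would try them (after the subnet step).

    dns_lookup is injected so the example runs offline; on a real AP it is
    the resolver, which is why hostnames from option 43 are returned as-is.
    """
    if option43:
        return parse_option43(option43)
    found: List[str] = []
    for name in DISCOVERY_NAMES:
        for addr in dns_lookup(f"{name}.{dns_suffix}"):
            if addr not in found:
                found.append(addr)
    return found


if __name__ == "__main__":
    # constructed sample values, not from a real deployment
    print(parse_option43("ip:10.8.255.1, 10.8.255.2,wlan-switch.mynetwork.com"))
    fake_dns = {"TRPZ.mynetwork.com": ["10.1.1.1"]}
    print(discovery_candidates(None, lambda n: fake_dns.get(n, []), "mynetwork.com"))
```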
AP Parameters
The table below summarizes parameters that apply to individual access points, including dual-homing parameters.
Parameter | Default Value | Description
name | Based on the port or Distributed AP connection number. For example: • ... | AP name.
Bias
On a switch, configurations for APs have a bias (low or high) associated with them. The default is high. A switch with high bias for a DWL-8220AP is preferred over a DWS-1008 with low bias for the AP. If more than one switch has high bias, or the bias for all connections is the same, the switch that has the greatest capacity to add more active APs is preferred.
A DWL-8220AP access point brings up the link on the AP’s port 1 and attempts the boot process outlined below. If you want the AP to boot from a specific DWS-1008, you must ensure that only one DWS-1008 can respond through the AP’s port 1 with a high bias under normal operation. If the boot process fails to locate any DWS-1008, the AP then attempts the boot process on the AP’s port 2.
The process continues with step 5.
5. If the AP is unable to locate a DWS-1008 on the subnet it is connected to, and is unable to find a DWS-1008 based on DHCP option 43, the AP sends DNS requests to both TRPZ and wlan-switch, where the DNS suffix for mynetwork.com is learned through DHCP.
6. The DNS server replies with the system IP address of a switch.
• If only TRPZ is defined in DNS, the AP sends a unicast Find DWS-1008 message to the switch whose IP address is returned for TRPZ.
If MSS rejects an association request for load-balancing reasons but not for authentication reasons, the rejection does not count as an authentication failure. D-Link recommends that you configure small groups and ensure that all the radios in the group provide comparable coverage within the same service area.
auth-fallthru (default none): Denies access to users who do not match an 802.1X or MAC authentication rule for the SSID requested by the user.
auth-psk (default disable): Does not support using a preshared key (PSK) to authenticate WPA clients.
shared-key-auth (default disable): Does not use shared-key authentication. This parameter does not enable PSK authentication for WPA. To enable PSK encryption for WPA, use the set radio-profile auth-psk command.
ssid-name (default dlink): Uses the SSID name dlink.
Public and Private SSIDs
Each radio can support the following types of SSIDs:
• Encrypted SSID - Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network.
Encryption
Encrypted SSIDs can use the following encryption methods:
• Wi-Fi Protected Access (WPA)
• Non-WPA dynamic Wired Equivalent Privacy (WEP)
• Non-WPA static WEP
Dynamic WEP is enabled by default.
Radio Profiles
You can easily assign radio configuration parameters to many radios by configuring a radio...
countermeasures: Does not issue configured countermeasures against any device.
dtim-interval: Sends the delivery traffic indication map (DTIM) after every beacon.
frag-threshold (default 2346): Transmits frames up to 2346 bytes long without fragmentation.
long-retry: Sends a long unicast frame up to five times...
rts-threshold (default 2346): Transmits frames longer than 2346 bytes by means of the Request-to-Send/Clear-to-Send (RTS/CTS) method.
service-profile (default: no service profile defined): Default settings for all service profile parameters, including encryption parameters, are used.
values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios.
Configuring Access Points
To configure DWL-8220AP access points, perform the following tasks, in this order:
•...
Luxembourg
To verify the configuration change, use the following command:
show system
The following commands set the country code to US (United States) and verify the setting:
DWS-1008# set system countrycode US
success: change accepted.
DWS-1008# show system
=============================================================
Product Name:...
SSID. A switch can have one template. Configured APs Have Precedence Over Unconfigured APs When a switch determines the DWS-1008 IP address to send to a booting AP, the switch gives preference to APs that are already configured, over unconfigured APs that require a template.
To display the AP settings in the template, type the following command:
DWS-1008# show dap config auto
Dap auto: mode: disabled bias: high
fingerprint
boot-download-enable: YES
load balancing group: none
Radio 1: type: 802.11g, mode: enabled, channel: dynamic
tx pwr: 15, profile: default...
{1 | 2} radio-profile name mode {enable | disable}
The following command changes the template to use radio profile autodap1 for radio 1:
DWS-1008# set dap auto radio 1 radio-profile autodap1
success: change accepted.
Note: You must configure the radio profile before you can apply it to the template.
Displaying Status Information for APs Configured by the Template
To display status information for APs configured by the template, type the following command:
DWS-1008# show dap status auto
Dap: 100 (auto), IP-addr: 10.8.255.6 (vlan 'default'), AP model: DWL-8220AP, manufacturer: D-Link, name: AP100...
Configuring AP Port Parameters
To configure a switch for connection to an access point, you must do one of the following:
• For an access point directly connected to a switch port, configure the switch port as a DWL-8220AP access port.
Caution: When you set the port type for AP use, you must specify the PoE state (enable or disable) of the port. Use the switch’s PoE to power D-Link DWL-8220APs only. If you enable PoE on a port connected to another device, physical damage to the device can result.
To configure Distributed AP connection 1 for the DWL-8220AP with serial ID 0322199999, type the following command:
DWS-1008# set dap 1 serial-id 0322199999 model dwl-8220ap
success: change accepted.
Clearing a DWL-8220AP from the Configuration
Caution: When you clear an access point, MSS ends user sessions that are using the AP.
{ap port-list | dap dap-num} bias {high | low}
The default bias is high. To change the bias for a Distributed AP to low, type the following command:
DWS-1008# set dap 1 bias low
success: change accepted.
Configuring a Load-Balancing Group
A load-balancing group is a named set of access points.
MSS provides security for management traffic between switches and Distributed APs. When you enable the feature, all management traffic between Distributed APs that support encryption and the switch is encrypted. DWS-1008 security is disabled by default. The encryption uses RSA as the public key cryptosystem, with AES-CCM for data encryption and integrity checking and HMAC-MD5 for keyed hashing and message authentication during the key exchange.
fingerprint. The following example shows information for Distributed AP 8, including its fingerprint:
DWS-1008# show dap status 8
Dap: 8, IP-addr: 10.2.26.40 (vlan 'default'), AP model: DWL-8220AP, manufacturer: D-Link, name: DAP08
fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3...
To apply the new setting to an AP, restart the AP. To configure AP security requirements, use the following command:
set dap security {require | optional | none}
The following command configures a DWS-1008 to require Distributed APs to have encryption keys:
DWS-1008# set dap security require
Fingerprint Log Message
If AP encryption is optional, and an AP whose fingerprint has not been confirmed in MSS...
The following command applies the name corporate users to the SSID managed by service profile mycorp_srvcprf:
DWS-1008# set service-profile mycorp_srvcprf ssid-name "corporate users"
success: change accepted.
Disabling or Reenabling Encryption for an SSID
To specify whether the SSID is encrypted or unencrypted, use the following command:
set service-profile name ssid-type [clear | crypto]...
To configure a new radio profile named rp1, type the following command:
DWS-1008# set radio-profile rp1
success: change accepted.
To assign the profile to one or more radios, use the set ap radio radio-profile command.
SSIDs. MSS still sends one beacon for each SSID during each beacon interval. To change the beacon interval for radio profile rp1 to 200 ms, type the following command:
DWS-1008# set radio-profile rp1 beacon-interval 200
success: change accepted.
Changing the DTIM Interval
The DTIM interval specifies the number of times after every beacon that a radio sends a...
The threshold can be a value from 256 bytes through 3000 bytes. The default is 2346. To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command:
DWS-1008# set radio-profile rp1 rts-threshold 1500
success: change accepted.
The threshold can be a value from 1 through 15. The default is 5. To change the long retry threshold for radio profile rp1 to 8, type the following command:
DWS-1008# set radio-profile rp1 long-retry 8
success: change accepted.
Changing the Maximum Receive Threshold
The maximum receive threshold specifies the number of milliseconds a frame received by a...
11g-only {enable | disable}
To configure the 802.11b/g radios in radio profile rp1 to allow associations from 802.11g clients only, type the following command:
DWS-1008# set radio-profile rp1 11g-only enable
success: change accepted.
Changing the Preamble Length
By default, 802.11b/g radios advertise support for frames with short preambles and can...
To configure 802.11b/g radios that use the radio profile rp_long to advertise support for long preambles instead of short preambles, type the following command:
DWS-1008# set radio-profile rp_long preamble-length long
success: change accepted.
Resetting a Radio Profile Parameter to its Default Value
To reset a radio profile parameter to its default value, use the following command:...
Note: You must disable all radios that are using a radio profile before you can remove the profile. To disable the radios that are using radio profile rptest and remove the profile, type the following commands:
DWS-1008# set radio-profile rptest mode disable
DWS-1008# clear radio-profile rptest
success: change accepted.
Configuring Radio-Specific Parameters
The following parameters are specific to individual radios and are not controlled by a radio...
For an 802.11a radio specify radio 2.
Note: The maximum transmit power you can configure on any D-Link radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
To assign radio profile rp1 to radio 1 on ports 1-3 and 6 and enable the radios, type the following command:
DWS-1008# set ap 1-3,6 radio 1 radio-profile rp1 mode enable
success: change accepted.
To assign radio profile rp1 to radio 2 on ports 1-4 and port 6 and enable the radios, type the following command:
DWS-1008# set ap 1-4,6 radio 2 radio-profile rp1 mode enable...
[mode {enable | disable}]
The following command enables all radios that use radio profile rp1:
DWS-1008# set radio-profile rp1 mode enable
success: change accepted.
The following commands disable all radios that use radio profile rp1, change the beacon interval, then reenable the radios:
DWS-1008# set radio-profile rp1 mode disable...
[port-list [radio {1 | 2}]]
show dap config [dap-num [radio {1 | 2}]]
The command lists information separately for each access point. To display configuration information for an access point on DWS-1008 port 2, type the following command:
DWS-1008# show ap config 2...
24, max-retransmissions: 10
To display configuration information for a Distributed AP access point configured on connection 1, type the following command:
DWS-1008# show dap config 1
Dap 1: serial-id: 12345678, AP model: DWL-8220AP, bias: high, name: DAP01
fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3...
To display service profile information, use the following command:
show service-profile {name | ?}
Entering show service-profile ? displays a list of the service profiles configured on the switch. To display information for service profile wpa_clients, type the following command:
DWS-1008# show service-profile wpa_clients
ssid-name: D-Link
ssid-type: crypto
beacon:...
WMM enabled:
Service profiles: default-dot1x, default-clear
Displaying AP Status Information
To display status information including link state and DWS-1008 status, use the following commands:
show ap status [terse] | [port-list | all [radio {1 | 2}]]
show dap status [terse] | [dap-num | all [radio {1 | 2}]]
The terse option displays a brief line of essential status information for each directly connected AP or Distributed AP.
[port-list [radio {1 | 2}]]
show dap counters [dap-num [radio {1 | 2}]]
To display statistics counters for an access point on port 2, type the following command:
DWS-1008# show ap counters 2
Port: 2 radio: 1...
Configuring User Encryption
Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN. MSS supports the following types of encryption for wireless user traffic:
•...
The table below (Wireless Encryption Defaults) lists the encryption types supported by MSS and their default states. Its columns are Encryption Type, Client Support, Default State, and Configuration Required. Only the first row survives here: client support RSN clients, default state Disabled, configuration required: enable the RSN information element (IE); the next row covers non-RSN clients.
Configuring WPA
Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard. You can use WPA with 802.1X authentication.
• If the recalculated MIC does not match the MIC received with the frame, the frame fails the integrity check. This condition is called a MIC failure. The access point or client discards the frame and also starts a 60-second timer. If another MIC failure does not occur within 60 seconds, the timer expires.
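The timer rule above is easy to get subtly wrong (two failures 70 seconds apart are two separate windows, not one), so it is worth seeing it as detection logic run over a trace of constructed events. The following is an added example, not D-Link code and not what MSS or the AP firmware runs. The page is cut off before it says what happens when a second MIC failure does fall inside the 60 seconds; the example assumes the IEEE 802.11i TKIP countermeasure (the AP refuses TKIP associations for 60 seconds), tracks the timer per AP, and uses timestamps in seconds from an arbitrary epoch:

```python
"""Added example (not D-Link code): the TKIP MIC-failure timer rule from
the manual applied per AP to a constructed event trace.  Assumed (from
IEEE 802.11i, not from the page): a second failure inside the 60 s window
invokes countermeasures, during which TKIP associations are refused for
60 seconds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

MIC_WINDOW = 60.0      # seconds the timer runs after a MIC failure (from the page)
BLACKOUT = 60.0        # assumed 802.11i countermeasure duration


@dataclass
class ApState:
    timer_started: Optional[float] = None   # first failure of the open window
    blackout_until: Optional[float] = None  # None when no countermeasure is active
    log: List[str] = field(default_factory=list)


class MicFailureMonitor:
    def __init__(self) -> None:
        self._aps: Dict[str, ApState] = {}

    def _state(self, ap: str) -> ApState:
        return self._aps.setdefault(ap, ApState())

    def report_failure(self, ap: str, now: float) -> bool:
        """Record a MIC failure on ap; return True if it triggers countermeasures."""
        st = self._state(ap)
        if st.timer_started is not None and now - st.timer_started < MIC_WINDOW:
            # second failure inside an open window: countermeasures
            st.timer_started = None
            st.blackout_until = now + BLACKOUT
            st.log.append(f"{now:.0f}s: countermeasures on {ap}")
            return True
        # first failure, or the previous timer has expired: (re)start the timer
        st.timer_started = now
        st.log.append(f"{now:.0f}s: MIC failure on {ap}, timer started")
        return False

    def association_allowed(self, ap: str, now: float) -> bool:
        """False while the assumed 60 s countermeasure blackout is in effect."""
        st = self._state(ap)
        return st.blackout_until is None or now >= st.blackout_until

    def process(self, trace: Sequence[Tuple[str, float, bool]]) -> List[Tuple[str, float]]:
        """Run (ap, timestamp, mic_ok) events; return the (ap, time) pairs that triggered."""
        triggered: List[Tuple[str, float]] = []
        for ap, ts, mic_ok in trace:
            if not mic_ok and self.report_failure(ap, ts):
                triggered.append((ap, ts))
        return triggered


# Constructed sample trace: AP04 has one isolated failure, AP05 has two failures
# 70 s apart (the timer expires in between), AP06 has two inside 60 s.
SAMPLE_TRACE = [
    ("AP04", 0.0, False),
    ("AP05", 5.0, False),
    ("AP04", 30.0, True),
    ("AP06", 40.0, False),
    ("AP05", 75.0, False),   # 70 s after its first failure: a new window, no trigger
    ("AP06", 90.0, False),   # 50 s after its first failure: countermeasures
]

if __name__ == "__main__":
    monitor = MicFailureMonitor()
    print(monitor.process(SAMPLE_TRACE))
    for ap, st in monitor._aps.items():
        print(ap, st.log)
```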
Note: For a MAC client that authenticates using a PSK, the RADIUS servers or local database still must contain an authentication rule for the client, to assign the client to a VLAN.
WPA Information Element
A WPA information element (IE) is a set of extra fields in a wireless frame that contain WPA...
The table below lists the encryption support for WPA and non-WPA clients.
Encryption Support for WPA and Non-WPA Clients
Client Type | Encryption Type Supported: WPA—CCMP | WPA—TKIP | WPA—WEP40 | WPA—WEP104 | Dynamic WEP | Static WEP
WPA—CCMP...
WPA IE, use the following command:
set service-profile name wpa-ie {enable | disable}
To enable WPA in service profile wpa, type the following command:
DWS-1008# set service-profile wpa wpa-ie enable
success: change accepted.
Specifying the WPA Cipher Suites
To use WPA, at least one cipher suite must be enabled.
To configure service profile wpa to use passphrase 1234567890123<>?=+&% The quick brown fox jumps over the lazy sl, type the following command:
DWS-1008# set service-profile wpa psk-phrase "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl"
success: change accepted.
Examples: To configure service profile wpa to use a raw PSK with PSK clients, type a command such as the following:
DWS-1008# set service-profile wpa psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.
Disabling 802.1X Authentication for WPA
To disable 802.1X authentication for WPA clients, use the following command:...
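The psk-phrase and psk-raw forms above are two ways of supplying the same 256-bit key: a passphrase is expanded to the key using the SSID, a raw key is given directly as 64 hexadecimal digits. The following is an added example, not D-Link code; it assumes MSS derives the key from the passphrase the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations), which is what WPA/WPA2 clients do but which the manual does not state, and it reuses the manual's own passphrase and raw-key values (the latter with its line-wrap space removed) as inputs:

```python
"""Added example (not D-Link code): what lies behind the two PSK forms the
manual accepts.  Assumption: MSS turns a psk-phrase into the 256-bit PSK as
IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096
iterations); the manual does not spell the derivation out.  The 8-63
printable-ASCII passphrase limit and the 64-hex-digit raw key form are the
standard's."""
import hashlib
import re
from typing import Optional

# the passphrase from the manual's psk-phrase example (exactly 63 characters)
PAGE_PASSPHRASE = "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl"
# the manual's psk-raw example with the line-wrap space removed
PAGE_RAW_PSK = "c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d"


def validate_passphrase(passphrase: str) -> str:
    """Raise ValueError unless this is a legal WPA passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def parse_raw_psk(text: str) -> bytes:
    """Accept exactly 64 hex digits (a 256-bit key); reject anything else,
    including whitespace left behind by a line wrap."""
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", text):
        raise ValueError("raw PSK must be exactly 64 hexadecimal digits")
    return bytes.fromhex(text)


def psk_for_service_profile(ssid: str,
                            psk_phrase: Optional[str] = None,
                            psk_raw: Optional[str] = None) -> bytes:
    """Resolve the key a service profile would use from whichever form is set.

    The SSID comes from the profile's ssid-name, which is why the psk-phrase
    command does not take it as an argument.
    """
    if (psk_phrase is None) == (psk_raw is None):
        raise ValueError("give exactly one of psk_phrase or psk_raw")
    if psk_phrase is not None:
        return derive_psk(psk_phrase, ssid)
    return parse_raw_psk(psk_raw)


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_psk("password", "IEEE").hex())
    print(psk_for_service_profile("D-Link", psk_phrase=PAGE_PASSPHRASE).hex())
    print(psk_for_service_profile("D-Link", psk_raw=PAGE_RAW_PSK).hex())
```

Because the derivation is deterministic in the SSID, the same passphrase on two differently named SSIDs yields two different keys, and a raw key that was derived for one SSID does not carry over when the SSID is renamed.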
To assign radio profile bldg1 to radio 1 on ports 1-3 and 6 and enable the radios, type the following command:
DWS-1008# set ap 1-3,6 radio 1 radio-profile bldg1 mode enable
success: change accepted.
To assign radio profile bldg1 to radio 2 on ports 4-5 and enable the radios, type the following command:
DWS-1008# set ap 4-5 radio 2 radio-profile bldg1 mode enable...
RSN IE, use the following command:
set service-profile name rsn-ie {enable | disable}
To enable RSN in service profile rsn, type the following command:
DWS-1008# set service-profile rsn rsn-ie enable
success: change accepted.
Specifying the RSN Cipher Suites
To use RSN, at least one cipher suite must be enabled.
To assign a radio profile to radios and enable the radios, use the following command:
set ap port-list radio {1 | 2} radio-profile name mode {enable | disable}
To map service profile rsn to radio profile bldg2, type the following command:
DWS-1008# set radio-profile bldg2 service-profile rsn
success: change accepted.
Configuring WEP
Wired-Equivalent Privacy (WEP) is a security protocol defined in the 802.11 standard. WEP uses the RC4 encryption algorithm to encrypt data. To provide integrity checking, WEP access points and clients check the integrity of a frame’s cyclic redundancy check (CRC), generate an integrity check value (ICV), and append the value to the frame before sending it.
• a to f
To configure WEP key index 1 for radio profile rp1 to aabbccddee, type the following command:
DWS-1008# set service-profile rp1 wep key-index 1 key aabbccddee
success: change accepted.
Assigning Static WEP Keys
When static WEP is enabled, static WEP key 1 is assigned to unicast and multicast traffic by default.
1. Create an authentication rule that sends all 802.1X users of SSID mycorp in the EXAMPLE domain to the server group shorebirds for authentication. Type the following command:
DWS-1008# set authentication dot1x ssid mycorp EXAMPLE\* pass-through shorebirds
2. Create a service profile named wpa for the SSID. Type the following command:
DWS-1008# set service-profile wpa...
7. Apply radio profile rp1 to radio 1 on port 5 and to radios 1 and 2 on port 6, enable the radios, and verify the configuration changes. Type the following commands:
DWS-1008# set ap 5,6 radio 1 radio-profile rp1 mode enable
success: change accepted.
DWS-1008# set service-profile wpa-wep
success: change accepted.
3. Set the SSID in the service profile to thiscorp. Type the following command:
DWS-1008# set service-profile wpa-wep ssid-name thiscorp
success: change accepted.
4. Enable WPA in service profile wpa-wep. Type the following command:
DWS-1008# set service-profile wpa-wep wpa-ie enable...
8. Apply radio profile rp2 to radio 1 on port 5 and to radios 1 and 2 on port 6, enable the radios, and verify the configuration changes. Type the following commands:
DWS-1008# set ap 5,6 radio 1 radio-profile rp2 mode enable
success: change accepted.
3. Add MAC users to MAC user group wpa-for-mac. Type the following commands:
DWS-1008# set mac-user aa:bb:cc:dd:ee:ff group wpa-for-mac
success: configuration saved.
DWS-1008# set mac-user a1:b1:c1:d1:e1:f1 group wpa-for-mac
success: configuration saved.
4. Verify the AAA configuration changes. Type the following command:...
13. Apply radio profile rp3 to radio 1 on port 4 and to radios 1 and 2 on port 6, enable the radios, and verify the configuration changes. Type the following commands:
DWS-1008# set ap 4,6 radio 1 radio-profile rp3 mode enable
success: change accepted.
DWS-1008# show ap config
Port 4: AP model: DWL-8220AP, POE: enable, bias: high, name: AP04
boot-download-enable: YES
load balancing group: none
Radio 1: type: 802.11a, mode: enabled, channel: 36
tx pwr: 1, profile: rp3
auto-tune max-power: default, min-client-rate: 5.5, max-retransmissions: 10...
Configuring RF Auto-Tuning
RF AutoTuning Overview
The RF AutoTuning feature dynamically assigns channel and power settings to AP radios, and adjusts those settings when needed. RF AutoTuning can perform the following tasks:
• Assign initial channel and power settings when an AP radio is started.
Channel and Power Tuning

RF AutoTuning can change the channel or power of a radio, to compensate for RF changes such as interference, or to maintain at least the minimum data transmit rate for associated clients.
• Utilization, calculated based on the number of multicast packets per second that a radio can send on a channel while continuously sending fixed-size frames over a period of time.
• Phy error count, which is the number of frames received by the AP radio that have physical layer errors.
channel-interval (3600): Every 3600 seconds, MSS examines the RF information gathered from the network and determines whether the channel needs to be changed to compensate for RF changes.
channel-holddown (900): MSS maintains the channel setting on a radio for at least 900 seconds regardless of RF changes.
max-retransmissions (10): If more than 10% of the packets received by the radio from a client are retransmissions, the radio lowers the data rate to the client and, if necessary, increases power to reduce the retransmissions.
0 to 65535 seconds. If you set the interval to 0, RF AutoTuning does not reevaluate the channel at regular intervals. However, RF AutoTuning can still change the channel in response to RF anomalies. D-Link recommends that you use an interval of at least 300 seconds (5 minutes).
{enable | disable} To enable power tuning for radios in the rp2 radio profile, type the following command: DWS-1008# set radio-profile rp2 auto-tune power-config enable success: change accepted. Changing the Power Tuning Interval The default power tuning interval is 300 seconds.
To set the maximum power that RF AutoTuning can set on radio 1 on the DWL-8220AP access point on port 7 to 12 dBm, type the following command: DWS-1008# set ap 7 radio 1 auto-tune max-power 12 success: change accepted.
To display the RF AutoTuning and other individual radio settings on radio 1 of a directly connected DWL-8220AP access point on port 2, type the following command: DWS-1008# show ap config 2 radio 1 Port 2: AP model: DWL-8220AP, POE: enable, bias: high, name: AP02...
1, profile: default auto-tune max-power: default, min-client-rate: 24, max-retransmissions: 10 Displaying RF Neighbors To display the other radios that a specific D-Link radio can hear, use the following commands: show auto-tune neighbors [ap ap-num [radio {1 | 2| all}]]...
[dap dap-num [radio {1 | 2| all}]] To display RF attribute information for radio 1 on the directly connected DWL-8220AP access point on port 2, type the following command: DWS-1008# show auto-tune attributes ap 2 radio 1 Auto-tune attributes for port 2 radio 1: Noise:...
This occurs for directly connected APs and for Distributed APs. The switch never changes the data packet’s IP ToS value. If the DWS-1008 is forwarding a packet through a tunnel to another switch, MSS uses the same process used for traffic to an AP. Generally, a switch uses a tunnel to send user data to another DWS-1008 switch when the user’s VLAN is configured on the...
DWL-8220AP access points use forwarding queues to prioritize traffic to wireless clients. When the AP receives a packet from a DWS-1008 switch, the AP places the packet into one of four forwarding queues. The AP’s queue selection is based on the IP ToS setting in the tunnel header of the encapsulated data packet received from the switch.
You can display statistics for AP forwarding queues, using the following commands: show dap qos-stats [dap-num] show dap qos-stats [port-list] The following command shows statistics for the AP forwarding queues on a Distributed AP: DWS-1008# show dap qos-stats 4 Queue =========================== DAP: 4 radio: 1...
STP, use the following command: set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}] To enable STP on all VLANs configured on a DWS-1008 switch, type the following command: DWS-1008# set spantree enable success: change accepted.
Bridge Priority

The bridge priority determines the switch’s eligibility to become the root bridge. You can set this parameter globally or on individual VLANs. The root bridge is elected based on the bridge priority of each device in the spanning tree.
DWS-1008# set spantree portcost 3,4 cost 20 success: change accepted. To change the cost for the same ports in VLAN mauve, type the following command: DWS-1008# set spantree portvlancost 3,4 cost 20 vlan mauve success: change accepted. Resetting the STP Port Cost to the Default Value...
To set the priority of ports 3 and 4 to 48 in VLAN mauve, type the following command: DWS-1008# set spantree portvlanpri 3-4 priority 48 vlan mauve success: change accepted. Resetting the STP Port Priority to the Default Value...
The all option applies the change to all VLANs. Alternatively, specify an individual VLAN. To change the forwarding delay on VLAN pink to 20 seconds, type the following command: DWS-1008# set spantree fwddelay 20 vlan pink success: change accepted.
The all option applies the change to all VLANs. Alternatively, specify an individual VLAN. To change the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds, type the following command: DWS-1008# set spantree maxage 15 all success: change accepted. Configuring and Managing STP Fast Convergence Features The standard STP timers delay traffic forwarding briefly after a topology change.
Configuring and Managing STP Uplink Fast Convergence Uplink fast convergence enables a DWS-1008 switch that has redundant links to the network core to immediately change the state of a backup link to forwarding if the primary link to the root fails. Uplink fast convergence bypasses the listening and learning states to immediately enter the forwarding state.
To enable or disable backbone fast convergence, use the following command: set spantree backbonefast {enable | disable} To enable backbone fast convergence on all VLANs, type the following command: DWS-1008# set spantree backbonefast enable success: change accepted. Displaying the Backbone Fast Convergence State...
VLAN, only the ports contained in the VLAN are listed in the command output. To list only the ports that are in the active (forwarding) state, enter the active option. To display STP information for VLAN mauve, type the following command: DWS-1008# show spantree vlan mauve VLAN Spanning tree mode...
To display information about ports that are in the STP blocking state, use the following command: show spantree blockedports [vlan vlan-id] To display information about blocked ports on a DWS-1008 switch for the default VLAN (VLAN 1), type the following command: DWS-1008# show spantree blockedports vlan default...
To display STP statistics for port 1, type the following command: DWS-1008# show spantree statistics 1 BPDU related parameters Port 1 VLAN 1 spanning tree enabled for VLAN = 1 port spanning tree...
1. Remove the network cables from ports 2 and 3 or use MSS to disable the ports. This prevents a loop until you complete the STP configuration. To disable the ports and verify the results, type the following commands: DWS-1008# set port disable 2-3 success: set “disable” on port 2-3
10/100BaseTx down auto network 10/100BaseTx 2. Configure a backbone VLAN and verify the configuration change. Type the following commands: DWS-1008# set vlan 10 name backbone port 2-3 success: change accepted. DWS-1008# show vlan config Admin VLAN Tunl Port VLAN Name...
Disabled 4 128 Disabled 4. Reconnect or reenable ports 2 and 3 and verify the change. Type the following commands: DWS-1008# set port enable 2-3 success: set “enable” on port 2-3 DWS-1008# show port status Port Name Admin Oper Config...
Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a DWS-1008 switch by forwarding packets for a multicast group only on the ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traffic addressed to a specific Class D IP address, the group address.
Note: D-Link recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet. To enable the pseudo-querier, use the following command:...
You can specify a value from 2 through 255. The default is 2. Enabling Router Solicitation A DWS-1008 switch can search for multicast routers by sending multicast router solicitation messages. This message invites multicast routers that receive the message and that support router solicitation to immediately advertise themselves to the switch.
Configuring and Managing IGMP Snooping Configuring Static Multicast Ports A DWS-1008 switch learns about multicast routers and receivers from multicast traffic it receives from those devices. When the switch receives traffic from a multicast router or receiver, the switch adds the port that received the traffic as a multicast router or receiver port.
To display multicast information for VLAN orange, type the following command:
DWS-1008# show igmp vlan orange
VLAN: orange
IGMP is enabled
Proxy reporting is on
Mrouter solicitation is on
Querier functionality is off
Configuration values: qi: 125 oqi: 300 qri: 100 lmqi: 10 rvalue: 2
Multicast...
To display information about the multicast routers only without also displaying all the other multicast information, use the following command: show igmp mrouter [vlan vlan-id] To display the multicast routers in VLAN orange, type the following command: DWS-1008# show igmp mrouter vlan orange Multicast routers for vlan orange Port Mrouter-IPaddr...
Use the group parameter to display receivers for a specific group or set of groups. For example, to display receivers for multicast groups 237.255.255.1 through 237.255.255.255, in all VLANs, type the following command: DWS-1008# show igmp receiver-table group 237.255.255.0/24 VLAN: red Session...
D-Link provides a very powerful mapping application for security ACLs. In addition to being assigned to physical ports, VLANs, virtual ports in a VLAN, or Distributed APs, ACLs can be mapped dynamically to a user’s session, based on authorization information passed back...
Overview of Security ACL Commands

The figure below provides a visual overview of the way you use MSS commands to set a security ACL, commit the ACL so it is stored in the configuration, and map the ACL to a user session, VLAN, port, virtual port, or Distributed AP.
0 (routine), and a type-of-service (TOS) level of 0 (normal). GRE is protocol number 47. DWS-1008# set security acl ip acl-2 permit cos 2 47 192.168.1.11 0.0.0.0 192.168.1.15 0.0.0.0 precedence 0 tos 0 hits The security ACL acl-2 described above also applies the CoS level 2 (medium priority) to the permitted packets.
Common IP Protocol Numbers

Number | IP Protocol
1 | Internet Control Message Protocol (ICMP)
2 | Internet Group Management Protocol (IGMP)
6 | Transmission Control Protocol (TCP)
9 | Any private interior gateway (used by Cisco for Interior Gateway Routing Protocol, IGRP)
Class of Service Class-of-service (CoS) assignment determines the priority treatment of packets transmitted by a DWS-1008 switch, corresponding to a forwarding queue on the AP. The table below shows the results of CoS priorities you assign in security ACLs. Class-of-Service (CoS) Packet Handling...
The before 1 portion of the ACE places it before any others in the ACL, so it takes precedence over any later ACEs for every packet it matches. ICMP includes many messages that are identified by a type field. Some also have a code within that type.
15, on an established TCP session, and counts the number of hits generated by the ACE: DWS-1008# set security acl ip acl-4 permit tcp 192.168.1.5 0.0.0.0 192.168.1.6 0.0.0.0 eq 524 precedence 7 tos 15 established hits Setting a UDP ACL The following command filters UDP packets:...
To put the security ACLs you have created into effect, use the commit security acl command with the name of the ACL. For example, to commit acl-99, type the following command: DWS-1008# commit security acl acl-99 success: change accepted. To commit all the security ACLs in the edit buffer, type the following command: DWS-1008# commit security acl all success: change accepted.
You can display the contents of one or all security ACLs that are committed. To display the contents of all committed security ACLs, type the following command: DWS-1008# show security acl info all ACL information for all set security acl ip acl-999 (hits #2 0) ---------------------------------------------------- 1.
Displaying Security ACL Hits Once you map an ACL, you can view the number of packets it has filtered, if you included the keyword hits. Type the following command: DWS-1008# show security acl hits ACL hit-counters Index Counter ACL-name -------------------------------------------...
The security ACL mapped by Filter-Id instructs the switch to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user. Note: The Filter-Id attribute is more often received by the DWS-1008 switch through an external AAA RADIUS server than applied through the local database.
ACL acl-222 to virtual ports 1 through 3 and 5 on port 2 to filter incoming packets, type the following command: DWS-1008# set security acl map acl-222 port 2 tag 1-3,5 in success: change accepted. Plan your security ACL maps to ports, VLANs, virtual ports, and Distributed APs so that only one security ACL filters a flow of packets.
DWS-1008# show security acl map acljoe ACL acljoe is mapped to: Port 4 In DWS-1008# clear security acl map acljoe port 4 in success: change accepted. After you clear the mapping between port 4 and ACL acljoe, the following is displayed when...
ACL named acl-violet. Follow these steps: 1. To display all committed security ACLs, type the following command: DWS-1008# show security acl info all ACL information for all set security acl ip acl-violet (hits #2 0) ---------------------------------------------------- 1.
192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits 2. To add the deny ACE to acl-111 and place it first, type the following commands: DWS-1008# set security acl ip acl-111 deny 192.168.254.12 0.0.0.255 before 1 DWS-1008# commit security acl acl-111 success: change accepted.
1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits 2. To modify the first ACE in acl-111, type the following commands: DWS-1008# set security acl ip acl-111 permit 192.168.254.12 0.0.0.0 modify 1 DWS-1008# commit security acl acl-111 success: change accepted.
DWS-1008# show security acl info all
ACL information for all
set security acl ip acl-111 (hits #4 0)
----------------------------------------------------
1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any...
3, to have CoS value 7 when they are forwarded to any 10.10.30.x address on Distributed AP 2, enter the following commands: DWS-1008# set security acl ip acl1 permit cos 7 ip 10.10.20.5 0.0.0.0 10.10.30.0 0.0.0.255 precedence 3 success: change accepted.
46 (equivalent to precedence value 5 and ToS value 12), to have CoS value 7 when they are forwarded to any 10.10.90.x address on Distributed AP 4: DWS-1008# set security acl ip acl2 permit cos 7 ip 10.10.50.2 0.0.0.0 10.10.90.0 0.0.0.255 precedence 5 tos 12 success: change accepted.
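The ACL behaviour described above (ordered ACEs, first match wins, the implicit deny after the last ACE, `before N` and `modify N` placement, wildcard masks where 0.0.0.0 is an exact host and 0.0.0.255 is a /24, matching on precedence and ToS, and per-ACE hit counters) can be modelled in a few dozen lines. The following Python is an added example, not code from the manual or from MSS: it replays the acl-111 sequence and the DSCP 46 ACE on constructed packets, and the `dscp_to_precedence_tos` helper shows why DSCP 46 is the same thing as precedence 5 and ToS 12 (the ToS octet is DSCP shifted left by two; the top three bits are the precedence, the next four are the ToS field). The packet values, the protocol number 115 and the class names are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY, ANY_WC = '0.0.0.0', '255.255.255.255'   # 'any' address/wildcard pair


def _wc_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means 'don't care', so
    0.0.0.0 is an exact host and 0.0.0.255 is any host in the /24."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(pattern)) & care)


def dscp_to_precedence_tos(dscp: int) -> Tuple[int, int]:
    """Split a 6-bit DSCP into the IPv4 3-bit precedence and 4-bit ToS fields:
    ToS octet = DSCP << 2, precedence = its top 3 bits, ToS = the next 4 bits.
    DSCP 46 (EF) gives (5, 12), the equivalence the manual states."""
    octet = (dscp & 0x3F) << 2
    return octet >> 5, (octet >> 1) & 0xF


@dataclass
class Packet:                   # constructed packet summary, not a real parser
    src: str
    dst: str
    proto: int                  # IP protocol number (6 TCP, 17 UDP, 47 GRE, ...)
    sport: int = 0
    dport: int = 0
    precedence: int = 0
    tos: int = 0


@dataclass
class ACE:
    action: str                     # 'permit' or 'deny'
    proto: Optional[int] = None     # None = any IP protocol
    src: str = ANY
    src_wc: str = ANY_WC
    dst: str = ANY
    dst_wc: str = ANY_WC
    sport: Optional[int] = None     # 'eq' source port, None = any
    dport: Optional[int] = None
    precedence: Optional[int] = None
    tos: Optional[int] = None
    cos: Optional[int] = None       # CoS queue applied to permitted packets
    hits: int = 0                   # counter kept when the 'hits' keyword is given

    def matches(self, p: Packet) -> bool:
        return all((
            self.proto is None or self.proto == p.proto,
            _wc_match(p.src, self.src, self.src_wc),
            _wc_match(p.dst, self.dst, self.dst_wc),
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
            self.precedence is None or self.precedence == p.precedence,
            self.tos is None or self.tos == p.tos,
        ))


class SecurityACL:
    """Ordered ACE list with the CLI's 1-based 'before N' / 'modify N'
    placement and the implicit deny that follows the last ACE."""
    def __init__(self, name: str):
        self.name = name
        self.aces: List[ACE] = []

    def add(self, ace: ACE, before: Optional[int] = None, modify: Optional[int] = None) -> None:
        if modify is not None:
            self.aces[modify - 1] = ace        # replace the ACE at position N
        elif before is not None:
            self.aces.insert(before - 1, ace)  # place ahead of ACE N
        else:
            self.aces.append(ace)              # default: append to the end

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First matching ACE decides; returns (action, cos)."""
        for ace in self.aces:
            if ace.matches(p):
                ace.hits += 1
                return ace.action, (ace.cos if ace.action == 'permit' else None)
        return 'deny', None   # nothing matched: implicit deny


def demo() -> dict:
    """Replays the manual's acl-111 and acl2 steps on constructed packets."""
    acl = SecurityACL('acl-111')
    # ACE as committed: permit protocol 115 from .11 to .15 with precedence 0, tos 0
    acl.add(ACE('permit', proto=115, src='192.168.1.11', src_wc='0.0.0.0',
                dst='192.168.1.15', dst_wc='0.0.0.0', precedence=0, tos=0))
    # 'deny 192.168.254.12 0.0.0.255 before 1': the deny now sits in front
    acl.add(ACE('deny', src='192.168.254.12', src_wc='0.0.0.255'), before=1)
    out = {
        'blocked_subnet': acl.evaluate(Packet('192.168.254.77', '192.168.1.15', 115)),
        'proto115_ok': acl.evaluate(Packet('192.168.1.11', '192.168.1.15', 115)),
        'unlisted': acl.evaluate(Packet('10.0.0.1', '192.168.1.15', 115)),
    }
    out['hits'] = [a.hits for a in acl.aces]

    # acl2: EF voice (DSCP 46) from 10.10.50.2 to 10.10.90.x gets CoS 7
    prec, tos = dscp_to_precedence_tos(46)
    acl2 = SecurityACL('acl2')
    acl2.add(ACE('permit', src='10.10.50.2', src_wc='0.0.0.0', dst='10.10.90.0',
                 dst_wc='0.0.0.255', precedence=prec, tos=tos, cos=7))
    out['ef_voice'] = acl2.evaluate(Packet('10.10.50.2', '10.10.90.9', 17, precedence=prec, tos=tos))
    out['best_effort'] = acl2.evaluate(Packet('10.10.50.2', '10.10.90.9', 17))
    return out
```

Two things the replay makes visible that the CLI output does not: the packet from 10.0.0.1 is dropped without touching any hit counter, because the implicit deny has no counter, and the best-effort packet from the same voice host is also dropped by acl2, because an ACL that only permits DSCP 46 denies everything else from that host once it is mapped.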
1. Configure an ACE in ACL voip that assigns IP traffic from any IP address with source UDP port 3344, addressed to any destination address, to CoS queue 6: DWS-1008# set security acl ip voip permit cos 6 udp 0.0.0.0 255.255.255.255 eq 3344 0.0.0.0 255.255.255.255 2.
2. Configure an ACE in ACL svp that assigns IP protocol 119 traffic for all source and destination addresses to CoS queue 7: DWS-1008# set security acl ip svp permit cos 7 119 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 3. Configure another ACE to change the default action of the ACL from deny to permit.
9 now accepts packets only from 192.168.1.1, and denies all other packets. 5. To map acl-99 to user Natasha’s sessions when you are using the local DWS-1008 switch database for authentication, configure Natasha in the database with the Filter- Id attribute.
7. To save your configuration, type the following command: DWS-1008# save config success: configuration saved.
Managing Keys and Certificates

A digital certificate is a form of electronic identification for computers. The DWS-1008 switch requires digital certificates to authenticate its communications to Web View, to WebAAA clients, and to Extensible Authentication Protocol (EAP) clients for which the switch performs all EAP processing.
1. To form the encrypted TLS channel, the switch must have a digital certificate and must send that certificate to the wireless client.
2. Inside the switch’s digital certificate is the switch’s public key, which the wireless client uses to encrypt a pre-master secret key. The client must validate that certificate (through a CA it trusts, or by explicitly trusting a self-signed certificate) before using the key; a client that skips that check hands its pre-master secret to any device that presents a certificate.
Public and Private Keys D-Link’s identity-based networking uses public key cryptography to enforce the privacy of data transmitted over the network. Using public-private key pairs, users and devices can send encrypted messages that only the intended receiver can decrypt.
Public-Key Cryptography Standards (PKCS) are encryption interface standards created by RSA Data Security, Inc., that provide a file format for transferring data and cryptographic information. D-Link supports the PKCS object files listed in the table PKCS Object Files Supported by D-Link.

PKCS Object Files Supported by D-Link...
PKCS #12 | Personal Information Exchange Syntax | Contains a certificate signed by a CA and a public-private key pair provided by the CA to go with the certificate. Because the key pair comes from the CA,...
Choose the key length based on your need for security or to conform with your organization’s practices. For example, the following command generates an administrative key pair of 1024 bits: DWS-1008# crypto generate key admin 1024 admin key pair generated Note: After you generate or install a certificate (described in the following sections), do not create the key pair again.
Common Name: DWS-1008 Email Address: admin@example.com Unstructured Name: DWS-1008 in wiring closet 120 You must include a common name (string) when you generate a self-signed certificate. The other information is optional. Use a fully qualified name if such names are supported on your network.
You must include a common name (string) when you generate a CSR. Use a fully qualified name if such names are supported on your network. The other information is optional. For example: DWS-1008# crypto generate request admin Country Name: US State Name: MI...
{admin | eap | webaaa} show crypto certificate {admin | eap | webaaa} For example, to display information about an administrative certificate, type the following command: DWS-1008# show crypto certificate admin Certificate: Version: 3 Serial Number: 999 (0x3e7)
Country Name: US State Name: CA Locality Name: San Francisco Organizational Name: example Organizational Unit: IT Common Name: DWS-1008 Email Address: admin@example.com Unstructured Name: DWS-1008 in wiring closet 4 Self-signed cert for admin is -----BEGIN CERTIFICATE----- MIICUzCCAbygAwIBAgICA+cwDQYJKoZIhvcNAQEEBQAwNjELMAkGA1UEBhMCVVMx CzAJBgNVBAgTAkNBMRowGAYDVQQDFBF0ZWNocHVic0B0cnB6LmNvbTAeFw0wMzA0 Lm8wmVYLxP56MpCUAm9O8C2foYgOY40= -----END CERTIFICATE-----...
State Name: CA Locality Name: San Francisco Organizational Name: example Organizational Unit: IT Common Name: DWS-1008 Email Address: admin@example.com Unstructured Name: DWS-1008 in wiring closet 4 Self-signed cert for webaaa is -----BEGIN CERTIFICATE----- MIICUzCCAbygAwIBAgICA+cwDQYJKoZIhvcNAQEEBQAwNjELMAkGA1UEBhMCVVMx CzAJBgNVBAgTAkNBMRowGAYDVQQDFBF0ZWNocHVic0B0cnB6LmNvbTAeFw0wMzA0 Lm8wmVYLxP56M 4. Display certificate information for verification: DWS-1008# show crypto certificate admin...
CA certifies for administrative access, 802.1X (EAP) access, and Web AAA access. 1. Set time and date parameters, if not already set. 2. Generate public-private key pairs: DWS-1008# crypto generate key admin 1024 key pair generated DWS-1008# crypto generate key eap 1024 key pair generated
DWS-1008# crypto generate key webaaa 1024 key pair generated 3. Create a CSR (PKCS #10 object file) to request an administrative certificate: DWS-1008# crypto generate request admin Country Name: US State Name: CA...
13. Paste the CA’s signed certificate under the prompt.
14. Display information about the CA’s certificate, to verify it: DWS-1008# show crypto ca-certificate admin
15. Repeat the steps from installing the CA’s certificate on the switch through displaying the CA’s certificate for verification, to install the CA’s certificate for EAP (802.1X) and Web AAA.
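The two certificate paths described in this chapter (a self-signed certificate, and a PKCS #10 CSR that a CA signs) come down to the same operations whichever tool performs them. The following Python, built on the `cryptography` package, is an added example and not code from the manual or from MSS. It uses the subject fields shown in the manual’s `show crypto certificate admin` output; the serial number 999, the validity window and the 2048-bit key size are assumptions (the manual’s commands generate 1024-bit keys, which is too small by current standards). `key_matches` shows why the manual says not to regenerate the key pair after a certificate is installed: the certificate carries the public half of one specific key, and a freshly generated key no longer corresponds to it.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Subject fields taken from the manual's 'show crypto certificate admin' output.
SUBJECT = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, 'US'),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, 'CA'),
    x509.NameAttribute(NameOID.LOCALITY_NAME, 'San Francisco'),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, 'example'),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, 'IT'),
    x509.NameAttribute(NameOID.COMMON_NAME, 'DWS-1008'),
    x509.NameAttribute(NameOID.EMAIL_ADDRESS, 'admin@example.com'),
])


def generate_key(bits: int = 2048) -> rsa.RSAPrivateKey:
    """Equivalent of 'crypto generate key admin <bits>'. The manual's examples
    use 1024 bits; 2048 is the assumed default here (1024-bit RSA is obsolete)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def self_signed_certificate(key, serial: int = 999, days: int = 365) -> x509.Certificate:
    """Self-signed path: subject and issuer are the same name and the certificate
    is signed with the switch's own key. Serial 999 (the value in the manual's
    output) and the validity window are assumptions."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(SUBJECT)
        .issuer_name(SUBJECT)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )


def certificate_request(key) -> x509.CertificateSigningRequest:
    """CSR path: a PKCS #10 request carrying the public key, signed with the
    private key so the CA can check proof of possession before signing."""
    return x509.CertificateSigningRequestBuilder().subject_name(SUBJECT).sign(key, hashes.SHA256())


def to_pem(obj) -> str:
    """The text block the switch prints between BEGIN/END markers."""
    return obj.public_bytes(serialization.Encoding.PEM).decode()


def common_name(obj) -> str:
    return obj.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def key_matches(key, cert_or_csr) -> bool:
    """True when this private key is the one whose public half is inside the
    certificate or CSR. Regenerating the key pair breaks this link."""
    return key.public_key().public_numbers() == cert_or_csr.public_key().public_numbers()


def signature_valid(cert: x509.Certificate) -> bool:
    """What a client does with a self-signed certificate: verify its signature
    with the public key the certificate itself carries."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False
```

For the CA path, `to_pem(certificate_request(key))` produces the `-----BEGIN CERTIFICATE REQUEST-----` block that is pasted to the CA; the certificate the CA returns must still satisfy `key_matches(key, cert)` against the same key, which is the check to run before installing it.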
Configuring AAA for Network Users

About AAA for Network Users

Network users include the following types of users:
• Wireless users - Users who access the network by associating with an SSID on a D-Link radio.
The username or MAC address can be an exact match or can match a userglob or MAC address glob, which allow wildcards to be used for all or part of the username or MAC address.
Web and last-resort are described in Authentication Types. None means the user is automatically denied access. The fallthru authentication type for wireless access is associated with the SSID (through a service profile). The fallthru authentication type for wired authentication access is specified with the wired authentication port.
• For a user to be successfully authenticated by an 802.1X or WebAAA rule, the username and password entered by the user must be configured on the RADIUS servers used by the authentication rule or in the switch’s local database, if the local database is used by the rule.
• Mobility-Profile - Controls the switch ports a user can access. For wireless users, an MSS Mobility Profile specifies the access points through which the user can access the network. For wired authentication users, the Mobility Profile specifies the wired authentication ports through which the user can access the network.
AAA for network users controls and monitors their use of the network:
• Classification for customized access. As with administrative and console users, you can classify network users through username globbing. Based on the structured username, different AAA treatments can be given to different classes of user.
(This is the default authorization password). AAA Rollover Process A DWS-1008 switch attempts AAA methods in the order in which they are entered in the configuration: 1. The first AAA method in the list is used unless that method results in an error. If the method results in a pass or fail, the result is final and the switch tries no other...
192.168.253.2 with the password chey3nn3, the administrator enters the following commands: DWS-1008# set radius server server-1 address 192.168.253.1 key chey3nn3 DWS-1008# set radius server server-2 address 192.168.253.2 key chey3nn3 2. To configure server-1 and server-2 into server-group-1, the administrator enters the...
3. If server-2 does not respond, because the switch has no more servers to try in server-group-1, the switch attempts to authenticate using the next AAA method, which is the local method.
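The rollover rule (a method is skipped only when it errors; a pass or a fail from any method is final) and the userglob rule selection described earlier in this chapter are easy to get wrong when reasoning about a failover. The following Python is an added example, not code from the manual or from MSS: it models server-group-1 with the server-1 and server-2 addresses and key from the scenario above, a local database as the second method, and exact-match and glob rules keyed by SSID and username. The credentials, the unreachable-server flag, the rule precedence (exact username before glob, then configuration order) and the `fallthru` result for an unmatched user are assumptions of the model; confirm the switch’s own precedence before relying on them.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = 'pass', 'fail', 'error'    # outcomes of one AAA method


class RadiusServer:
    """Constructed stand-in for a RADIUS server. reachable=False models a
    server that never answers, which the switch treats as an error, not a fail."""
    def __init__(self, name: str, address: str, key: str,
                 users: Dict[str, str], reachable: bool = True):
        self.name, self.address, self.key = name, address, key
        self.users, self.reachable = users, reachable

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == password else FAIL


class ServerGroup:
    """A method: servers are tried in order, an answer (pass or fail) is final,
    a timeout moves to the next server, and the group errors only when every
    server errors."""
    def __init__(self, name: str, servers: List[RadiusServer]):
        self.name, self.servers = name, servers

    def authenticate(self, user: str, password: str, trace: List[str]) -> str:
        for server in self.servers:
            result = server.authenticate(user, password)
            trace.append(f'{self.name}/{server.name}:{result}')
            if result != ERROR:
                return result
        return ERROR


class LocalDB:
    """The 'local' method: the switch's own user database."""
    def __init__(self, users: Dict[str, str]):
        self.users = users

    def authenticate(self, user: str, password: str, trace: List[str]) -> str:
        result = PASS if self.users.get(user) == password else FAIL
        trace.append(f'local:{result}')
        return result


class AuthRule:
    """One 'set authentication dot1x ssid <ssid> <userglob> <protocol> <methods>' line."""
    def __init__(self, ssid: str, userglob: str, methods: list):
        self.ssid, self.userglob, self.methods = ssid, userglob, methods


class AAAConfig:
    def __init__(self, rules: List[AuthRule]):
        self.rules = rules

    def select_rule(self, ssid: str, user: str):
        """Exact-username rules win over globs; among globs the first matching
        rule in configuration order wins (an assumption of this model)."""
        same_ssid = [r for r in self.rules if r.ssid == ssid]
        exact = [r for r in same_ssid if r.userglob == user]
        globbed = [r for r in same_ssid if fnmatchcase(user, r.userglob)]
        return (exact or globbed or [None])[0]

    def authenticate(self, ssid: str, user: str, password: str) -> Tuple[str, List[str]]:
        trace: List[str] = []
        rule = self.select_rule(ssid, user)
        if rule is None:
            trace.append('no-rule')
            return 'fallthru', trace        # the SSID's fallthru type decides
        for method in rule.methods:
            result = method.authenticate(user, password, trace)
            if result != ERROR:             # pass or fail is final
                return result, trace
        return ERROR, trace                 # every method errored: access denied


def demo() -> dict:
    """Replays the manual's server-1 / server-2 / local rollover scenario."""
    users = {'Tamara': 'tamara-pw'}        # constructed credentials
    s1 = RadiusServer('server-1', '192.168.253.1', 'chey3nn3', users, reachable=False)
    s2 = RadiusServer('server-2', '192.168.253.2', 'chey3nn3', users, reachable=False)
    group = ServerGroup('server-group-1', [s1, s2])
    local = LocalDB({'Tamara': 'tamara-pw', 'jose@example.com': 'jose-pw'})
    cfg = AAAConfig([
        AuthRule('wetlands', 'Tamara', [group, local]),
        AuthRule('marshes', '*@example.com', [local]),
    ])
    out = {}
    out['both_down'] = cfg.authenticate('wetlands', 'Tamara', 'tamara-pw')
    s2.reachable = True
    out['wrong_pw'] = cfg.authenticate('wetlands', 'Tamara', 'bad-pw')  # fail is final, local never tried
    out['glob'] = cfg.authenticate('marshes', 'jose@example.com', 'jose-pw')
    out['no_rule'] = cfg.authenticate('marshes', 'jose@other.org', 'x')
    return out
```

The `wrong_pw` trace is the case to keep in mind when placing `local` after a server group: a reachable RADIUS server that rejects the user ends the attempt, so the local database is a backup for an unreachable server, not a second chance for a bad password.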
Ways a DWS-1008 Switch Can Use EAP Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the switch, or to offload some authentication tasks from...
SSID wetlands, as an 802.1X user using the PEAP-MS-CHAP-V2 method via the server group shorebirds, which contains one or more RADIUS servers: DWS-1008# set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds When a user attempts to connect through 802.1X, the following events occur: 1.
To offload both PEAP and MS-CHAP-V2 processing onto the switch, use the following command: DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 local Using Pass-Through The pass-through method causes EAP authentication requests to be processed entirely by remote RADIUS servers in server groups.
For example, the following command authenticates 802.1X user Jose for wired authentication access via the local database: DWS-1008# set authentication dot1x Jose wired peap-mschapv2 local success: change accepted. Binding User Authentication to Machine Authentication Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user’s authentication to authentication of the machine from which the user is attempting to log on.
(Generally, in a Bonded Auth configuration, the RADIUS servers will use a user database stored on an Active Directory server.) D-Link recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userglobs match on all machine names and users in the domain: •...
By default, the Bonded Auth period is 0 seconds. MSS does not wait for a Bonded Auth user to reauthenticate. You can set the Bonded Auth period to a value up to 300 seconds. D-Link recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.
The following command sets the Bonded Auth period to 60 seconds, to allow time for WEP users to reauthenticate: DWS-1008# set dot1x bonded-period 60 success: change accepted. Displaying Bonded Auth Configuration Information To display Bonded Auth configuration information, use the following command: show dot1x config...
For example, to create a MAC user group called mac-easters with a 3000-second Session- Timeout value, type the following command: DWS-1008# set mac-usergroup mac-easters attr session-timeout 3000 success: change accepted. To configure a MAC user in the local database and optionally add the user to a group, use...
For example, the following command sets the authentication for MAC address 01:01:02:03:04:05 when requesting SSID voice, via the local database: DWS-1008# set authentication mac ssid voice 01:01:02:03:04:05 local success: change accepted. If the switch’s configuration does not contain a set authentication mac command that matches a non-802.1X client’s MAC address, MSS tries MAC authentication by default.
Configuring AAA for Network Users For example, to add the MAC user 00:01:02:03:04:05 to VLAN red: DWS-1008# set mac-user 00:01:02:03:04:05 attr vlan-name red success: change accepted To change the value of an authorization attribute, reenter the command with the new value.
Note: Although MSS allows you to configure a user password for a last-resort user, the password has no effect. Last-resort users can never access a DWS-1008 switch in administrative mode and never require a password when authorized locally. However, if the last-resort user is authorized on a RADIUS server, the server might require a password.
DWS-1008 User’s Manual Configuring AAA for Network Users Configuring AAA for Users of Third-Party APs A switch can provide network access for users associated with a third-party AP that has authenticated the users with RADIUS. You can connect a third-party AP to a switch and configure the switch to provide authorization for clients who authenticate and access the...
Requirements

Third-Party AP Requirements
• The third-party AP must be connected to the switch through a wired Layer 2 link. MSS cannot provide data services if the AP and switch are in different Layer 3 subnets.
The following command configures ports 3 and 4 as wired authentication ports, and assigns tag value 104 to the ports: DWS-1008# set port type wired-auth 3-4 tag 104 success: change accepted. You can specify multiple tag values. Specify the tag value for each SSID you plan to support.
The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q tag value 104: DWS-1008# set radius proxy port 3-4 tag 104 ssid mycorp success: change accepted. Enter a separate command for each SSID, and its tag value, you want the switch to support.
The table below lists the authorization attributes supported by MSS. (For brief descriptions of all the RADIUS attributes and D-Link vendor-specific attributes supported by MSS, as well as the vendor ID and types for D-Link VSAs configured on a RADIUS server, see Appendix B, “Supported RADIUS Attributes”).
Authentication Attributes for Local Users

Attribute | Description | Valid value(s)
encryption-type | Type of encryption required for access by the client. Clients... | One of the following numbers that identifies an encryption algorithm: • 1 - AES_CCM (Advanced...
filter-id (network access mode only) | Security access control list (ACL), to permit or deny traffic received (input) or... | Name of an existing security ACL, up to 253 alphanumeric characters, with no tabs or spaces. •...
service-type | Type of access the user is requesting. | One of the following numbers: • 2 - Framed; for network user access • 6 - Administrative; for administrative access to the switch, with authorization to access the enabled (configuration) mode.
... (network access mode only) | ... after authentication. | ... configured in a service profile, and the service profile must be used by a radio profile assigned to D-Link radios.
start-date | Date and time at which the user... | Date and time, in the following...
... (network access mode only) | URL to which the user is redirected after successful WebAAA. | Web URL, in standard format. For example: http://www.example.com Note: You must include the http:// portion. You can dynamically include any of the variables in the URL string: •...
Assigning a Security ACL Locally To use the local DWS-1008 switch database to restrict a user, a MAC user, or a group of users or MAC users to the permissions stored within a committed security ACL, use the...
When you assign the Encryption-Type attribute to a user or group, the encryption type or types are entered as an authorization attribute into the user or group record in the local DWS-1008 switch database or on the RADIUS server. Encryption-Type is a D-Link vendor-specific attribute (VSA).
DWS-1008# set mac-usergroup mac-fans attr encryption-type 12 success: change accepted. To clear an encryption type from the profile of a user or group of users in the local DWS-1008 switch database, use one of the following commands: clear user username attr encryption-type...
For example, you might want to enforce VLAN membership and security ACL policies on a particular DWS-1008 switch based on a client’s organization or physical location, or assign a VLAN to users who have no AAA assignment. For these situations, you can configure the location policy on the switch.
The following command authorizes access to the guest_1 VLAN for all users who do not match *.ourfirm.com: DWS-1008# set location policy permit vlan guest_1 if user neq *.ourfirm.com The following command places all users who are authorized for SSID tempvendor_a into...
For example, the following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN, and applies the security ACL tac_24 to the traffic they receive: DWS-1008# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com The following command authorizes access to users on VLANs with names matching bld4.* and applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they...
To move the first rule to the end of the list and display the results, type the following commands: DWS-1008 clear location policy 1 success: clause 1 is removed. DWS-1008 set location policy deny if user eq *.theirfirm.com DWS-1008 show location policy Id Clauses ---------------------------------------------------------------- 1) permit vlan guest_1 if vlan neq *.ourfirm.com...
Number of packets sent by the switch Viewing Local Accounting Records To view local accounting records, type the following command: DWS-1008# show accounting statistics Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=2 User-Name=geetha AAA_ TTY_ATTR=2 Event-Timestamp=1064599308 Sept 26 12:50:21 Acct-Status-Type=STOP Acct-Authentic=2 User-Name=geetha AAA_...
Acct-Status-Type=UPDATE Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=209 Acct-Output-Octets=1280 Acct-Input-Octets=1920 Acct-Output-Packets=10 Acct-Input-Packets=15 Event-Timestamp=1053536700 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=2/1 Called-Station-Id=00-0B-0E-76-56-A0 The user terminated the session on DWS-1008-0017: DWS-1008-0017# show accounting statistics May 21 17:07:32 Acct-Status-Type=STOP Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=361 Event-Timestamp=1053536852 Acct-Output-Octets=2560 Acct-Input-Octets=5760 Acct-Output-Packets=20 Acct-Input-Packets=45 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D...
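The local accounting records above are easy to audit once they are parsed. The following parser is an added example, not part of the manual or of MSS: it reads the timestamp-plus-Attribute=Value format shown by show accounting statistics, folds UPDATE/STOP records into one summary per Acct-Multi-Session-Id (the Gigawords handling follows Appendix B), and reports sessions that never produced a STOP. The sample log is constructed.

```python
"""Parser for the local accounting records shown by `show accounting statistics`.

Added example, not part of the DWS-1008 manual or MSS. The record format
(timestamp followed by Attribute=Value pairs) is taken from the manual's
sample output; the log lines below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample in the format printed by `show accounting statistics`.
# The first line, like the manual's own sample, carries no session id.
SAMPLE_LOG = """\
Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=2 User-Name=geetha Event-Timestamp=1064599308
May 21 17:04:54 Acct-Status-Type=UPDATE Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=209 Acct-Output-Octets=1280 Acct-Input-Octets=1920 Acct-Output-Packets=10 Acct-Input-Packets=15 Event-Timestamp=1053536700 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=2/1
May 21 17:07:32 Acct-Status-Type=STOP Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=361 Event-Timestamp=1053536852 Acct-Output-Octets=2560 Acct-Input-Octets=5760 Acct-Output-Packets=20 Acct-Input-Packets=45 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D
Oct 2 09:15:00 Acct-Status-Type=STOP Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-2000000002 User-Name=bob@example.com Acct-Session-Time=7200 Acct-Input-Gigawords=1 Acct-Input-Octets=100 Acct-Output-Octets=50
"""

# "Sep 26 11:01:48 ..." or "Sept 26 12:50:21 ..." (both spellings appear in the manual).
RECORD_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2,3} \d{1,2} \d\d:\d\d:\d\d) (?P<attrs>.+)$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn each record line into a dict of Attribute -> Value.

    The timestamp is kept under '_stamp'; lines that do not look like
    records (headers, blank lines) are skipped.
    """
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {"_stamp": m.group("stamp")}
        for token in m.group("attrs").split():
            key, sep, value = token.partition("=")
            if sep:                      # ignore stray tokens without '='
                rec[key] = value
        records.append(rec)
    return records


def _octets(rec: Dict[str, str], direction: str) -> int:
    """Acct-<dir>-Octets combined with Acct-<dir>-Gigawords (counter wraps at 2**32)."""
    octets = int(rec.get(f"Acct-{direction}-Octets", 0))
    gigawords = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    return gigawords * 2**32 + octets


def summarize_sessions(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Fold records into one summary per session; the latest record for a session wins.

    Sessions are keyed by Acct-Multi-Session-Id; a record without one falls
    back to 'user:<User-Name>'.
    """
    sessions: Dict[str, dict] = {}
    for rec in records:
        key = rec.get("Acct-Multi-Session-Id") or "user:" + rec.get("User-Name", "?")
        sessions[key] = {
            "user": rec.get("User-Name"),
            "status": rec.get("Acct-Status-Type"),
            "session_time": int(rec.get("Acct-Session-Time", 0)),
            "input_octets": _octets(rec, "Input"),
            "output_octets": _octets(rec, "Output"),
            "client_mac": rec.get("Calling-Station-Id"),
            "last_seen": rec["_stamp"],
        }
    return sessions


def open_sessions(sessions: Dict[str, dict]) -> List[str]:
    """Sessions whose last record is not a STOP: still active, or a STOP that was never logged."""
    return sorted(key for key, s in sessions.items() if s["status"] != "STOP")


if __name__ == "__main__":
    summary = summarize_sessions(parse_records(SAMPLE_LOG))
    for key, s in summary.items():
        print(f"{key}: {s['user']} {s['status']} {s['session_time']}s "
              f"in={s['input_octets']} out={s['output_octets']}")
    print("no STOP seen for:", open_sessions(summary))
```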
Displaying the AAA Configuration To view the results of the AAA commands you have set and verify their order, type the show aaa command. The order in which the commands appear in the output determines the order in which MSS matches them to users.
Configuration Producing an Incorrect Processing Order For example, suppose you initially set up start-stop accounting as follows for all 802.1X users via RADIUS server group 1: DWS-1008# set accounting dot1x ssid mycorp * start-stop group1 success: change accepted.
You then set up PEAP-MS-CHAP-V2 authentication and authorization for all users at EXAMPLE/ at server group 1. Finally, you set up PEAP-MS-CHAP-V2 authentication and authorization for all users in the local DWS-1008 switch database, with the intention that EXAMPLE users are to be processed first:...
The Mobility Profile feature is disabled by default. You must enable Mobility Profile attributes on the switch to use it. You can enable or disable the feature for the whole DWS-1008 switch only. If the Mobility Profile feature is disabled, all Mobility Profile attributes are ignored.
2. Configure stop-only accounting for all mycorp users at EXAMPLE, for accounting records to be stored locally. Type the following command: DWS-1008# set accounting dot1x ssid mycorp EXAMPLE\* stop-only local success: change accepted. 3. Configure an ACL to filter the inbound packets for each user at EXAMPLE. Type the following command for each user: DWS-1008# set user EXAMPLE\username attr filter-id acl-101.in...
---------------------------------------------------- 1. permit IP source IP 192.168.1.1 0.0.0.255 destination IP any enable-hits 5. Create a Mobility Profile called tulip by typing the following commands: DWS-1008# set mobility-profile name tulip port 2,4-6 success: change accepted. DWS-1008# set mobility-profile mode enable success: change accepted.
1. Configure the RADIUS server r1 at IP address 10.1.1.1 with the string sunny for the key. Type the following command: DWS-1008# set radius server r1 address 10.1.1.1 key sunny 2. Configure the server group sg1 with member r1. Type the following command: DWS-1008# set server group sg1 members r1 3.
1. To set authentication for all 802.1X users of SSID thiscorp, type the following command: DWS-1008# set authentication dot1x ssid thiscorp * peap-mschapv2 local 2. To add user Natasha to the local database on the switch, type the following command: DWS-1008# set user Natasha password moon 3.
1. Configure the RADIUS server r1 at IP address 10.1.1.1 with the string starry for the key. Type the following command: DWS-1008# set radius server r1 address 10.1.1.1 key starry 2. Configure the server group sg1 with member r1. Type the following command: DWS-1008# set server group sg1 members r1 3.
B. 1. Redirect bldga-prof- VLAN users to the VLAN bldgb-eng: DWS-1008# set location policy permit vlan bldgb-eng if vlan eq bldga-prof-* 2. Allow writing instructors from -techcomm VLANs to use the bldgb-eng VLAN: DWS-1008# set location policy permit vlan bldgb-eng if vlan eq *-techcomm 3.
Configuring Communication with RADIUS

RADIUS Overview

Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system. RADIUS servers provide a repository for all usernames and passwords, and can manage and store large groups of users.
RADIUS servers in the server group are unresponsive and have entered the dead time. For failover authentication or authorization to work promptly, D-Link recommends that you change the dead time to a value other than 0. With the default setting, the dead time is never invoked and MSS does not hold down requests to unresponsive RADIUS servers.
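The practical effect of deadtime=0 is easiest to see with numbers. The model below is an added example, not part of the manual or MSS: it walks a request through a server group in order, charges timeout x retrans seconds for every server that does not answer, and, when a dead time is configured, holds that server down so later requests skip it. Defaults follow the show aaa output (timeout=5, retrans=3, deadtime=0); the dead time is expressed in the model's seconds, and the server names and outage are constructed.

```python
"""Timing model of RADIUS server-group failover with and without a dead time.

Added example, not part of the manual or MSS. It reproduces only the
behaviour the manual describes: with deadtime=0 an unresponsive server is
tried first on every request; with a dead time it is held down and skipped.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    name: str
    responsive: bool           # constructed: False models a server that never answers
    dead_until: float = 0.0    # model time until which the server is held down


@dataclass
class ServerGroup:
    servers: List[Server]      # tried in list order (no load balancing in this model)
    timeout: float = 5.0       # seconds waited per attempt (show aaa default timeout=5)
    retrans: int = 3           # attempts per server before moving on (default retrans=3)
    deadtime: float = 0.0      # hold-down after a failure; 0 means never held down


def authenticate(group: ServerGroup, now: float) -> Tuple[Optional[str], float]:
    """One request issued at model time `now`.

    Returns (name of the server that answered, or None; seconds the client waited).
    """
    waited = 0.0
    for server in group.servers:
        if server.dead_until > now:
            continue                                  # held down: skipped at no cost
        if server.responsive:
            return server.name, waited
        waited += group.timeout * group.retrans       # sat through every retransmission
        if group.deadtime > 0:
            server.dead_until = now + waited + group.deadtime
    return None, waited


def run_requests(group: ServerGroup, times: List[float]) -> List[Tuple[Optional[str], float]]:
    """Issue one request per timestamp, in order, against the same group state."""
    return [authenticate(group, t) for t in times]


def make_group(deadtime: float) -> ServerGroup:
    # Constructed scenario: the primary server is down, the secondary answers.
    return ServerGroup([Server("rs1", responsive=False), Server("rs2", responsive=True)],
                       deadtime=deadtime)


if __name__ == "__main__":
    for dt in (0.0, 300.0):
        print(f"deadtime={dt:g}: {run_requests(make_group(dt), [0.0, 20.0, 40.0])}")
```

With deadtime=0 every request pays the full 15-second wait on the dead primary; with a dead time only the first request does.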
For example, the following command names a RADIUS server rs1 with the IP address 192.168.0.2 and the key testing123: DWS-1008# set radius server rs1 address 192.168.0.2 key testing123 success: change accepted. You can configure multiple RADIUS servers. When you define server names and keys, case is significant.
Note: You must provide RADIUS servers with names that are unique. To prevent confusion, D-Link recommends that RADIUS server names differ in ways other than case. For example, avoid naming two servers RS1 and rs1. You can configure additional parameters with set radius server, such as the UDP ports used for AAA services and the timeout period.
For example, to configure RADIUS servers pelican and seagull as the server group swampbirds with load balancing: 1. Configure the members of a server group by typing the following command: DWS-1008# set server group swampbirds members pelican seagull success: change accepted. 2. Enable load balancing by typing the following command: DWS-1008# set server group swampbirds load-balance enable success: change accepted.
The RADIUS server coot is configured but not part of the server group shorebirds. 2. To add RADIUS server coot as the last server in the server group shorebirds, type the following command: DWS-1008# set server group shorebirds members sandpiper heron egret coot success: change accepted. Deleting a Server Group...
1. Configure RADIUS servers. Type the following commands: DWS-1008# set radius server pelican address 192.168.253.11 key elm DWS-1008# set radius server seagull address 192.168.243.12 key fir DWS-1008# set radius server egret address 192.168.243.15 key pine DWS-1008# set radius server sandpiper address 192.168.253.17 key oak...
DWS-1008# show aaa Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ------------------------------------------------------------------------------------------- sandpiper 192.168.253.17 1812 1813 heron 192.168.253.12 1812 1813 egret 192.168.253.15...
Managing 802.1X

Certain settings for IEEE 802.1X sessions on the DWS-1008 switch are enabled by default. For best results, change the settings only if you are aware of a problem with the switch’s 802.1X performance. For settings that you can reset with a clear command, MSS reverts to the default value.
For example, the following command forces port 19 to unconditionally authenticate all 802.1X authentication attempts with an EAP success message: DWS-1008# set dot1x port-control forceauth 19 success: authcontrol for 19 is set to FORCE-AUTH. Similarly, the following command forces port 12 to unconditionally reject any 802.1X attempts...
The default is 5 seconds. The range for the retransmission interval is from 1 to 65,535 seconds. For example, type the following command to set the retransmission interval to 300 seconds: DWS-1008# set dot1x tx-period 300 success: dot1x tx-period set to 300.
Use the following command to disable WEP rekeying for broadcast and multicast keys: DWS-1008# set dot1x wep-rekey disable success: wep rekeying disabled Note: Reauthentication is not required for using this command. Broadcast and multicast keys are always rotated at the same time, so all members of a given radio and VLAN receive the new keys at the same time.
{enable | disable} Reauthentication is enabled by default. Type the following command to reenable reauthentication of clients: DWS-1008# set dot1x reauth enable success: dot1x reauthentication enabled. Setting the Maximum Number of 802.1X Reauthentication Attempts The following command sets the number of reauthentication attempts that the switch makes...
For example, type the following command to set the number of seconds to 100 before reauthentication is attempted: DWS-1008# set dot1x reauth-period 100 success: dot1x auth-server timeout set to 100. Type the following command to reset the default timeout period: DWS-1008# clear dot1x reauth-period success: change accepted.
For example, type the following command to set the authorization server timeout to 60 seconds: DWS-1008# set dot1x timeout auth-server 60 success: dot1x auth-server timeout set to 60. To reset the authorization server timeout to the default, type the following command: DWS-1008# clear dot1x timeout auth-server success: change accepted.
The default is 30 seconds. The range of time is from 1 to 65,535 seconds. For example, type the following command to set the number of seconds for a timeout to 300: DWS-1008# set dot1x timeout supplicant 300 success: dot1x supplicant timeout set to 300. Type the following command to reset the timeout period: DWS-1008# clear dot1x timeout supplicant success: change accepted.
Viewing 802.1X Clients Type the following command to display active 802.1X clients: DWS-1008# show dot1x clients MAC Address State Vlan Identity -------------------------------------------------------------------------------------------------------------- 00:20:a6:48:01:1f Connecting (unknown) 00:05:3c:07:6d:7c Authenticated vlan-it EXAMPLE\smith 00:05:5d:7e:94:83 Authenticated vlan-eng EXAMPLE\jgarcia 00:02:2d:86:bd:38 Authenticated vlan-eng wong@exmpl.com...
7, authcontrol: auto, max-sessions: 1 port 8, authcontrol: auto, max-sessions: 16 Viewing 802.1X Statistics Type the following command to display 802.1X statistics about connecting and authenticating: DWS-1008# show dot1x stats 802.1X statistic value ------------------------------------------------------------- Enters Connecting: Logoffs While Connecting:...
A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session. A DWS-1008 switch supports the following kinds of sessions: • Administrative sessions - A network administrator managing the switch •...
This will terminate manager sessions, do you wish to continue? (y|n) [y]y Displaying and Clearing Client Telnet Sessions To view administrative sessions of Telnet clients, type the following command: DWS-1008# show sessions telnet client Session Server Address Server Port Client Port ----------- ---------------------- ---------------- ---------------- 192.168.1.81...
You can clear all Telnet client sessions or a particular session. For example, the following command clears Telnet client session 1: DWS-1008# clear sessions telnet client 1 Displaying and Clearing Network Sessions Use the following command to display information about network sessions:...
In the show sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command: DWS-1008> show sessions network verbose User Sess IP or MAC VLAN...
2 sessions match criteria (of 3 total) Use the verbose keyword to see more information. For example, the following command displays detailed session information about nin@example.com: DWS-1008> show sessions network user nin@example.com verbose User Sess IP or MAC VLAN...
For example, to clear all sessions for MAC address 00:01:02:04:05:06, type the following command: DWS-1008# clear sessions network mac-addr 00:01:02:04:05:06 Displaying and Clearing Network Sessions by VLAN Name You can view all session information for a specific VLAN or VLAN glob. To see all network...
ID number. clear sessions network session-id session-id For example, the following command deletes network session 9: DWS-1008# clear sessions network session-id 9 SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:06:25:09:39:5d, flags 0000012fh, to change state to KILLING...
• Rogue - The device is in the D-Link network but does not belong there. • Interfering device - The device is not part of the D-Link network but also is not a rogue. No client connected to the device has been detected communicating with any network entity listed in the forwarding database (FDB) of any switch.
Rogue Detection and Countermeasures

Rogue Detection Lists

Rogue detection lists specify the third-party devices and SSIDs that MSS allows on the network, and the devices MSS classifies as rogues. You can configure the following rogue detection lists: •...
Radios perform both types of scans on all channels allowed for the country of operation. (This is the regulatory domain set by the set system countrycode command.) 802.11b/g radios scan in the 2.4 GHz to 2.4835 GHz spectrum. 802.11a radios scan in the 5.15 GHz to 5.85 GHz spectrum.
Dynamic Frequency Selection (DFS) Some regulatory domains require conformance to ETSI document EN 301 893. Section 4.6 of that document specifies requirements for Dynamic Frequency Selection (DFS). These requirements apply to radios operating in the 5 GHz band (802.11a radios).
RF detection. MSS does not classify devices on this list as rogues or interfering devices, and does not issue countermeasures against them. Packets sent by D-Link APs to interfere with the operation of a rogue. Countermeasures are configurable on a radio-profile basis.
By default, the permitted vendor list is empty and all vendors are allowed. If you configure a permitted vendor list, MSS allows only the devices whose OUIs are on the list. The permitted vendor list applies only to the switch on which the list is configured. DWS-1008 switches do not share permitted vendor lists.
By default, the permitted SSID list is empty and all SSIDs are allowed. If you configure a permitted SSID list, MSS allows traffic only for the SSIDs that are on the list. The permitted SSID list applies only to the switch on which the list is configured. DWS-1008 switches do not share permitted SSID lists.
MSS. MSS can place a client in the black list due to an association, reassociation or disassociation flood from the client. The client black list applies only to the switch on which the list is configured. DWS-1008 switches do not share client black lists.
MAC addresses of APs and clients. By default, the attack list is empty. The attack list applies only to the switch on which the list is configured. DWS-1008 switches do not share attack lists. To add an entry to the list, use the following command:...
11:22:33:44:55:66 is no longer in attacklist. Configuring an Ignore List By default, when countermeasures are enabled, MSS considers any non-D-Link transmitter to be a rogue device and can send countermeasures to prevent clients from using that device. To prevent MSS from sending countermeasures against a friendly device, add the device to...
The rogue option enables or disables countermeasures for rogues only. The following command enables countermeasures in radio profile radprof3 for rogues only: DWS-1008# set radio-profile radprof3 countermeasures rogue success: change accepted. To disable countermeasures on a radio profile, use the following command: clear radio-profile name countermeasures...
Disabling or Reenabling Logging of Rogues By default, a DWS-1008 switch generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command: set rfdetect log {enable | disable}...
Flood Attacks A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests.
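The detection side of a management-frame flood is a rate check per sender. The following detector is an added example, not part of the manual or MSS: it counts frames per (client MAC, frame type) in a sliding window, flags senders that exceed a threshold, and derives a client black list from association, reassociation and disassociation floods, which are the flood types the manual says MSS black-lists clients for. The window, threshold and frame log are constructed values.

```python
"""Sliding-window detector for management-frame floods.

Added example, not part of the manual or MSS. Frames are (seconds, source
MAC, frame type) tuples; the log below is constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Frame = Tuple[float, str, str]                 # (seconds, source MAC, management frame type)
Key = Tuple[str, str]                          # (source MAC, management frame type)

# Flood types for which the manual says MSS places the client on the black list.
BLACKLIST_TYPES = ("assoc", "reassoc", "disassoc")


def detect_floods(frames: List[Frame], window: float = 1.0,
                  threshold: int = 20) -> Dict[Key, float]:
    """Return {(mac, frame_type): time first flagged} for every sender that emits
    `threshold` or more frames of one type within any `window` seconds."""
    recent: Dict[Key, Deque[float]] = defaultdict(deque)
    flagged: Dict[Key, float] = {}
    for t, mac, ftype in sorted(frames):       # process in time order
        key = (mac, ftype)
        q = recent[key]
        q.append(t)
        while q and q[0] <= t - window:        # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = t
    return flagged


def client_black_list(flagged: Dict[Key, float]) -> List[str]:
    """Client MACs to black-list: only association-family floods qualify."""
    return sorted({mac for mac, ftype in flagged if ftype in BLACKLIST_TYPES})


def constructed_frames() -> List[Frame]:
    # Constructed: one client sends 30 association requests in 0.3 s (the
    # manual's example attack), another client probes once every 0.4 s.
    flood = [(i * 0.01, "aa:bb:cc:dd:ee:ff", "assoc") for i in range(30)]
    normal = [(i * 0.4, "00:05:3c:07:6d:7c", "probe-req") for i in range(5)]
    return flood + normal


if __name__ == "__main__":
    hits = detect_floods(constructed_frames())
    for (mac, ftype), when in hits.items():
        print(f"Client {mac} is sending {ftype} flood, first seen at {when:.2f}s")
    print("black list:", client_black_list(hits))
```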
• Spoofed AP - A rogue device pretends to be a D-Link AP by sending packets with the source MAC address of the D-Link AP. Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device.
Disallowed Devices or SSIDs You can configure the following types of lists to explicitly allow specific devices or SSIDs: • Permitted SSID list - MSS generates a message if an SSID that is not on the list is detected.
Management frame 7 flood: Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 7 flood message. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Management frame D flood: Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame D flood...
Fake AP SSID (when source MAC address is known): FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.
Fake AP SSID: FakeAP BSSID attack detected.
Displays the BSSIDs detected by a specific D-Link radio: show rfdetect visible mac-addr, show rfdetect visible ap ap-num [radio {1 | 2}], show rfdetect visible dap dap-num [radio {1 | 2}]...
Displaying Rogue Clients To display the wireless clients detected by a DWS-1008 switch, use the following command: show rfdetect clients [mac mac-addr] The following command shows information about all wireless clients detected by a switch’s...
DWS-1008# show rfdetect counters Type Current Total -------------------------------------------------- ------------ ------------ Rogue access points Interfering access points 1116 Rogue 802.11 clients Interfering 802.11 clients 802.11 adhoc clients Unknown 802.11 clients Interfering 802.11 clients seen on wired network 802.11 probe request flood...
[radio {1 | 2}] The following command displays information about the rogues detected by radio 1 on AP port 3: DWS-1008# show rfdetect visible ap 3 radio 1 Total number of entries: 104 Flags: i = infrastructure, a = ad-hoc...
Managing System Files

A DWS-1008 switch contains nonvolatile storage. MSS allows you to manage the files in nonvolatile storage. In addition, you can copy files between the switch and a TFTP server on the network.
BootLoader: 1.19 / 1.7.4 To also display DWL-8220AP access point information, type the following command: DWS-1008# show version details Mobility System Software, Version: 3.0.0 Copyright (c) 2003,2004 by D-Link Systems, Inc Build Information: (build#75) TOP 2004-06-30 07:25:00 Model: DWS-1008 Hardware Mainboard: version 0 ;...
In this example, the switch is running software version 1.1.0. The switch used the 010100.020 image file in boot partition boot1 and the configuration file named configuration for the most recent reboot. The switch is set to use image file DWS010100.008 in boot partition boot0 and configuration file newconfig for the next reboot.
The following command displays the files in the old subdirectory: DWS-1008# dir old ============================================================= file: Filename Size Created file:configuration.txt 3541 bytes Sep 22 2003, 22:55:44 file:configuration.xml 24 KB Sep 22 2003, 22:55:44 Total: 27 Kbytes used, 207824 Kbytes free...
To copy the file floor2 from nonvolatile storage to a TFTP server, type the following command: DWS-1008# copy floor2 tftp://10.1.1.1/floor2 success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec] The above command copies the file to the same filename on the TFTP server. To rename the file when copying it, type the following command:...
Note: MSS does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, MSS immediately deletes the specified file. D-Link recommends that you copy a file to a TFTP server before deleting the file.
DWS-1008# mkdir corp2 success: change accepted. DWS-1008# dir ============================================================= file: Filename Size Created file:configuration 17 KB May 21 2004, 18:20:53 file:configuration.txt 379 bytes May 09 2004, 18:55:17 corp2/ 512 bytes May 21 2004, 19:22:09...
192.168.253.11 severity critical set timezone PST -8 0 set summertime PDT start first sun apr 2 0 end last sun oct 2 0 set system name DWS-1008 set system countrycode US set system contact trapeze-pubs set radius server r1 address 192.168.253.1 key sunflower...
To use a different configuration file in nonvolatile storage after rebooting, use the following command: set boot configuration-file filename To configure a DWS-1008 switch to load the configuration file floor2 from nonvolatile storage following the next software reboot, type the following command: DWS-1008# set boot configuration-file floor2 success: boot config set.
Caution: This command completely removes the running configuration and replaces it with the configuration contained in the file. D-Link recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.
file can be quite large if the user area contains image files. This is the default for the backup command. Note: If the archive’s files cannot fit on the switch, the restore operation fails. D-Link recommends deleting unneeded image files before creating or restoring an archive.
Caution: Do not use the force option unless advised to do so by D-Link TAC. If you restore one switch’s system files onto another switch, you must generate new key pairs and certificates on the switch.
MSS areas. Some show commands are particularly useful in troubleshooting. The show tech-support command combines a number of show commands into one, and provides an extensive snapshot of your switch configuration settings for the D-Link Technical Support. Fixing Common Setup Problems The table below contains remedies for some common problems that can occur during basic installation and setup of a DWS-1008 switch.
Appendix A - Troubleshooting

Problem: Switch does not accept configuration information for an
Probable cause: The country code might not be set or might be set for the
Remedy: 1. Type the show system command to display the country code configured on the switch.
The restart switch on a DWS-1008 switch is also located next to its serial console port. 2. When you see descending numbers on the console, press any key.
Log Message Components Each log message contains the following components:
Facility: Portion of MSS that is affected
Date: Time and date the message is generated
Severity: Severity level of the message.
Note: The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by D-Link for troubleshooting and are not intended for administrator use. Using Log Commands To enable, disable, or modify system logging to the switch’s log buffer, console, current Telnet...
For example, to set logging to the buffer for events at the warning level and higher, type the following command: DWS-1008# set log buffer severity warning success: change accepted. To view log entries in the system log buffer, use the following command:...
To filter the event log by MSS area, use the facility facility-name keyword. For a list of facilities for which you can view event messages, type the following command: DWS-1008# show log buffer facility ? <facility name> Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP,ASO,...
For example, the following command sends all error-level event messages generated by a switch to a server at IP address 192.168.153.09 and identifies them as facility 5 messages: DWS-1008# set log server 192.168.153.09 severity error local-facility 5 success: change accepted. To stop sending log messages to a syslog server, use the following command:...
To enable current session logging, type the following command: DWS-1008# set log current enable success: change accepted To disable current session logging, type the following command:...
Caution: Using the set trace command can have adverse effects on system performance. D-Link recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
Tracing 802.1X sessions can help diagnose problems with wireless clients. For example, to trace 802.1X activity for user tamara@example.com at level 4, type the following command: DWS-1008# set trace dot1x user tamara@example.com level 4 success: change accepted. Displaying a Trace Use the show trace command to show the trace areas that are enabled.
Because traces use the logging facility, any other logging target can be used to capture trace messages if its severity is set to debug. However, since tracing can be voluminous, D-Link discourages this in practice. To enable trace output to the console, enter the command set log console severity debug.
[{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level] For example, the following command displays a trace log of error-level events: DWS-1008# show log trace severity error KERNEL Jan 15 23:08:10 ERROR duplicate IP address 10.7.122.102 sent from link address 00:05:5d:45:ae:cd To display a specific number of trace log messages, you must enter a plus sign (+), minus...
DWS-1008# copy 0000000001 tftp://192.168.253.11/log-file Clearing the Trace Log To clear all messages from the trace log buffer, type the following command: DWS-1008# clear log trace List of Trace Areas To see all MSS areas you can trace, type the following command:...
Server groups sg1: SideShow SQA: SQA2BServer set authentication dot1x *@xmpl.com pass-through sg1 set authentication dot1x *@xmpl.com pass-through SQA set authentication dot1x EXAMPLE\* peap-mschapv2 sg1 user sqa password = 08325d4f (encrypted) session-timeout = 3600...
The show arp command displays the ARP aging timer and ARP entries in the system. To display ARP information, type the following command: DWS-1008# show arp ARP aging time: 1200 seconds Host HW Address...
AP Mar 25 13:15:21.681369 ERROR DAP 3 ap_network: Observer 10.10.101.2 is not accepting TZSP packets To prevent ICMP error messages from the observer, D-Link recommends using the Netcat application on the observer to listen to UDP packets on the TZSP port.
The snap-length num option specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. D-link recommends specifying a snap length of 100 bytes or less.
If the filter does not have an observer, the AP still maintains a counter of the number of packets that match the filter. The following command maps snoop filter snoop1 to radio 2 on Distributed AP 3: DWS-1008# set snoop map snoop1 dap 3 radio 2 success: change accepted. Displaying the Snoop Filters Mapped to a Radio To display the snoop filters that are mapped to a radio, use the following command:...
filter-name dap dap-num radio {1 | 2} The following command removes snoop filter snoop2 from radio 2 on Distributed AP 3: DWS-1008# clear snoop map snoop2 dap 3 radio 2 success: change accepted. To remove all snoop filter mappings from all radios, use the following command:...
The following command shows statistics for snoop filter snoop1: DWS-1008# show snoop stats snoop1 Filter Radio Rx Match Tx Match Dropped Stop-After ============================================================= snoop1 stopped Preparing an Observer and Capturing Traffic To observe monitored traffic, install the following applications on the observer: •...
Capturing System Information for Technical Support For problems you cannot solve yourself, use the show tech-support command to generate a report of your switch’s configuration and status, which you can provide to D-Link Technical Support. Displaying Technical Support Information The show tech-support command combines a group of show commands to provide an in-depth snapshot of the status of the switch.
Appendix B - Supported RADIUS Attributes Supported RADIUS Attributes D-Link’s Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed below. An attribute is sent to RADIUS accounting only if the table listing it shows Yes or Optional in the column marked Sent in Accounting-Request for that attribute and the attribute is applied to the client’s session configuration.
Page 406
Service-Type: Access type, which can be one of the following: • 2 - Framed; for network user access • 6 - Administrative; for administrative access to the switch, with authorization to access the enabled (configuration) mode.
Page 407
If received, this information must be sent on, without interpretation, in all subsequent packets sent to the RADIUS server for that client session. Vendor-Specific: String. Allows MSS to support D-Link VSAs. Session-Timeout: Maximum number of seconds of service allowed the user before reauthentication of the session.
Page 408
Acct-Input-Octets: Number of octets received from the port over the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update.
Page 409
Acct-Input-Gigawords: Number of times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update.
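As an added example (not part of the manual or of MSS), the accounting attributes described above decoded from a RADIUS attribute list in Python: it rebuilds the full input byte count from Acct-Input-Octets and Acct-Input-Gigawords, keeps the Class value opaque as the appendix requires, and rejects the counters in a record type where they are not permitted. Attribute type numbers are the standard RFC 2865/2866 values; the sample attribute list is constructed.

```python
import struct

# Attribute type numbers from RFC 2865/2866 (standard values, not from the manual).
SERVICE_TYPE, CLASS, SESSION_TIMEOUT = 6, 25, 27
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS = 40, 42, 52
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
SERVICE_TYPES = {2: "Framed", 6: "Administrative"}   # the two values MSS uses

def parse_attributes(blob):
    """Split RADIUS attribute TLVs into {type: value}; reject bad lengths
    instead of silently reading past the buffer. (One value per type.)"""
    attrs, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs

def u32(value):
    return struct.unpack("!I", value)[0]

def summarize_accounting(blob):
    """Interpret the accounting attributes the way the appendix describes them."""
    a = parse_attributes(blob)
    status = u32(a[ACCT_STATUS_TYPE])
    out = {"status": status, "class": a.get(CLASS)}  # Class is echoed back untouched
    if SERVICE_TYPE in a:
        out["service_type"] = SERVICE_TYPES.get(u32(a[SERVICE_TYPE]), "other")
    if SESSION_TIMEOUT in a:
        out["session_timeout"] = u32(a[SESSION_TIMEOUT])
    if ACCT_INPUT_OCTETS in a:
        # Counters are valid only in Acct-Stop / Acct-Interim-Update records;
        # Gigawords counts how often the 32-bit octet counter wrapped past 2**32.
        if status not in (ACCT_STOP, ACCT_INTERIM_UPDATE):
            raise ValueError("Acct-Input-Octets not allowed in status %d" % status)
        gigawords = u32(a[ACCT_INPUT_GIGAWORDS]) if ACCT_INPUT_GIGAWORDS in a else 0
        out["input_octets"] = (gigawords << 32) + u32(a[ACCT_INPUT_OCTETS])
    return out

def attr(atype, value):
    """Encode one attribute TLV (the length byte covers type and length too)."""
    return bytes([atype, len(value) + 2]) + value

# Constructed sample Acct-Interim-Update attribute list (not a captured packet).
SAMPLE = b"".join([
    attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_INTERIM_UPDATE)),
    attr(SERVICE_TYPE, struct.pack("!I", 2)), attr(SESSION_TIMEOUT, struct.pack("!I", 3600)),
    attr(CLASS, b"opaque-from-server"), attr(ACCT_INPUT_GIGAWORDS, struct.pack("!I", 1)),
    attr(ACCT_INPUT_OCTETS, struct.pack("!I", 1000)),
])
```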
Note: Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. D-Link recommends that you do not use the MSS DHCP server to allocate client addresses in a production network.
DWS-1008 User’s Manual Appendix C - DHCP Server How the MSS DHCP Server Works When MSS receives a DHCP Discover packet, the DHCP server allocates an address from the configured range according to RFC 2131 and ARPs the address to ensure that it is not already in use.
The following command enables the DHCP server on VLAN red-vlan to serve addresses from the 192.168.1.5 to 192.168.1.25 range: DWS-1008# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25 success: change accepted. To remove all IP information from a VLAN, including the DHCP client and user-configured...
Page 413
DHCP Clients: Hardware Address: 00:01:02:03:04:05 State: BOUND Lease Allocation: 43200 seconds Lease Remaining: 12345 seconds IP Address: 10.10.20.2 Subnet Mask: 255.255.255.0 Default Gateway: 10.10.20.1 DNS Servers: 10.10.20.4 10.10.20.5 DNS Domain Name: mycorp.com In addition to information for addresses leased from the VLANs where you configured the...
DWS-1008 User’s Manual Appendix D - Glossary Glossary 3DES A three-round application of the Data Encryption Standard (DES) that uses a 168-bit encryption key. See also DES. 802.1D The IEEE LAN specification for the operation of media access control (MAC) bridges.
Page 415
The DWS-1008 switch can use a RADIUS server or its own local database for AAA services. access control entry See ACE.
Page 416
(AP) A hardware unit that acts as a communication hub by linking wireless mobile IEEE 802.11 stations such as PCs to a wired backbone network. A D-Link Mobility System has DWL-8220AP access points. See also ad hoc network; infrastructure network.
Page 417
DWL-8220AP access point. Bias can be set to either low or high on each DWS-1008 switch and is high by default. Bias applies only to switches that are indirectly attached to the AP through an intermediate Layer 2 or Layer 3 network. An AP always attempts to boot on AP port 1 first, and if the AP is directly attached to a switch on AP...
Page 418
BSS Basic service set. A set of wireless stations that communicate with one another through an access point (AP). BSSID Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS).
Page 419
Challenge Handshake Authentication Protocol See CHAP. CHAP Challenge Handshake Authentication Protocol. An authentication protocol that defines a three-way handshake to authenticate a user (client). CHAP uses the MD5 hash algorithm to generate a response to a challenge that can be checked by the authenticator. For wireless...
Page 420
cryptography The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender’s end of a connection, and decrypting the encrypted text back into clear text at the receiver’s end.
Page 421
DHCP Dynamic Host Configuration Protocol. A protocol that dynamically assigns IP addresses to stations, from a centralized server. DHCP is the successor to the Bootstrap Protocol (BOOTP). dictionary attack An attempt to gain illegal access to a computer or network by logging in repeatedly with passwords that are based on a list of terms in a dictionary.
Page 422
file. dual-homed connection A redundant, resilient connection between a DWL-8220AP access point and a DWS-1008 switch. The connection can consist of two direct physical links from both AP ports to one or two switches, one or more distributed links through an intermediate Layer 2 or Layer 3 network, or a combination of one direct physical link and one or more distributed links.
Page 423
ESS Extended service set. A logical connection of multiple basic service sets (BSSs) connected to the same network. Roaming within an ESS is guaranteed by the D-Link Mobility System. Ethernet II The original Ethernet specification produced by Digital, Intel, and Xerox (DIX) that served as the basis of the IEEE 802.3 standard.
Page 424
ETSI European Telecommunications Standards Institute. A nonprofit organization that establishes telecommunications and radio standards for Europe. European Telecommunications Standards Institute See ETSI. extended service set See ESS. Extensible Authentication Protocol See EAP. Extensible Markup Language See XML.
Page 425
forwarding database (FDB) A database maintained on a DWS-1008 switch for the purpose of making Layer 2 forwarding and filtering decisions. Each entry consists of the media access control (MAC) address of a source or destination device, an identifier for the port on which the source or destination station is located, and an identifier for the virtual LAN (VLAN) to which the device belongs.
Page 426
HPOV Hewlett-Packard Open View. The umbrella network management system (NMS) family of products from Hewlett-Packard. The D-Link Mobility System RingMaster tool suite interacts with the HPOV Network Node Manager (NNM). HTTPS Hypertext Transfer Protocol over Secure Sockets Layer. An Internet protocol developed by Netscape to encrypt and decrypt network connections to Web servers.
Page 427
A DWS-1008 switch uses IGMP snooping to monitor the Internet Group Management Protocol (IGMP) conversation between hosts and routers. When the switch detects an IGMP report from a host for a given multicast group, it adds the host’s port number to the list for that group.
Page 428
Like most corporate wireless LANs (WLANs), which must access a wired LAN for file servers and printers, a D-Link Mobility System is an infrastructure network. Compare ad hoc network. initialization vector (IV) In encryption, random data used to make a message unique.
Page 429
See also location policy rule. location policy rule A rule in the location policy on a DWS-1008 switch that grants or denies a set of network access rights based on one or more criteria. Location policy rules use a username or VLAN membership to determine whether to override—or supply—authorization attributes during...
Page 430
MAC service data unit See MSDU. managed device In a D-Link network wireless LAN (WLAN), a DWS-1008 switch or DWL-8220AP access point under the control of the RingMaster tool suite. master secret A code derived from the pre-master secret. A master secret is used to encrypt Transport Layer Security (TLS) authentication exchanges and also to derive a pairwise master key (PMK).
Page 431
Mobility System Software™ (MSS™) The Trapeze operating system, accessible through a command-line interface (CLI) or Web View, that enables D-Link Mobility System products to operate as a single system. Mobility System Software (MSS) performs authentication, authorization, and accounting (AAA) functions; manages DWS-1008 switches and DWL-8220AP access points; and maintains the wireless LAN (WLAN) by means of such network structures as MobileLAN groups, virtual LANs (VLANs), tunnels, spanning trees, and link aggregation.
Page 432
MTU Maximum transmission unit. The size of the largest packet that can be transmitted over a particular medium. Packets exceeding the MTU value in size are fragmented or segmented, and then reassembled at the receiving end. If fragmentation is not supported or possible, a packet that exceeds the MTU value is dropped.
Page 433
PEAP Protected Extensible Authentication Protocol. A draft extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation, Cisco Systems, and RSA Data Security, Inc. TLS is used in PEAP Part 1 to authenticate the server only, and thus avoids having to distribute user certificates to every client.
Page 434
Policy Manager A RingMaster feature that allows you to apply a collection of configuration settings known as a domain policy, or part of the policy, to one or more DWS-1008 switches. With Policy Manager, you can also merge some or all of the configuration changes you make to a single switch into a domain policy.
Page 435
PRF Pseudorandom function. A function that produces effectively unpredictable output. A PRF can use multiple iterations of one or more hash algorithms to achieve its output. The Transport Layer Security (TLS) protocol defines a specific PRF for deriving keying material.
Page 436
Public-Key Cryptography Standards See PKCS. public-key infrastructure See PKI. PVST+ Per-VLAN Spanning Tree protocol. A proprietary Cisco protocol that supports a separate instance of the Spanning Tree Protocol (STP) for each virtual LAN (VLAN) in a network and maps the multiple spanning trees to a single tree, to comply with the IEEE 802.1Q...
Page 437
registration authority (RA) Network software that verifies a user (client) request for a digital certificate and instructs the certificate authority (CA) to issue the certificate. Registration authorities are part of a public-key infrastructure (PKI), which enables secure exchanges of information over a network.
Page 438
filter packets that are entering or exiting it. Associating a security ACL with a particular user, port, virtual LAN (VLAN), or virtual port on a DWS-1008 switch controls the network traffic to or from the user, port, VLAN, or virtual port. The rules in an ACL are known as access control entries (ACEs).
Page 439
IEEE 802 networks. Wireless clients and DWL-8220AP access points are stations in a D-Link Mobility System. STP Spanning Tree Protocol. A link management protocol, defined in the IEEE 802.1D standard, that provides path redundancy while preventing undesirable loops in a network.
Page 440
subnet mobility The ability of a wireless user (client) to roam across DWL-8220AP access points and DWS-1008 switches in a virtual LAN (VLAN) while maintaining a single IP address and associated data sessions. supplicant A client that is attempting to access a network.
Page 441
To forward traffic for a roaming user, a DWS-1008 switch that is not a member of the user’s virtual LAN (VLAN) creates a tunnel to another switch on which the user’s VLAN is configured.
Page 442
Layer 2 switches, with each VLAN operating as a separate switch, or make multiple devices members of multiple logical Layer 2 networks. By default, all DWS-1008 switch ports are members of VLAN 1, which is named default. VLAN glob...
Page 443
Web View A Web-based application for configuring and managing a single DWS-1008 switch and its attached DWL-8220AP access points through a Web browser. Web View uses a secure connection that implements Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).
Page 444
wildcard mask A 32-bit quantity used with an IP address to determine which bits in the address to ignore in a comparison with another IP address. When setting up security access control lists (ACLs), you specify source and destination IP addresses and corresponding wildcard masks by which the switch determines whether to forward or filter packets.
Page 445
WPA information element See WPA IE. X.500 A standard of the International Organization for Standardization (ISO) and International Telecommunications Union Telecommunication Standardization Sector (ITU-T), for systematically collecting the names of people in an organization into an electronic directory that can be part of a global directory available to anyone in the world with Internet access.
DWS-1008 User’s Manual Appendix E - Technical Specifications Technical Specifications Hardware Specifications Physical and Environmental • Dimensions (W x D x H): 17.4 x 8.2 x 1.72 in (44.2 x 20.8 x 4.4 cm) • Weight: 5.2 lbs (3 kg) • Operating Temperature: 0°C to 40°C (32°F to 104°F)
Page 447
Technical Specifications (continued) EMI / EMC • FCC PART 15 • ICES PART 15 • VCCI • EN 55022 • EN 55024 • EN 60101-1-2 (1993) • CISPR 22 Software Specifications IEEE •...
D-Link’s sole obligation shall be to repair or replace the defective Hardware during the Warranty Period at no charge to the original owner or to refund at D-Link’s sole discretion. Such repair or replacement will be rendered by D-Link at an Authorized D-Link Service Office.
Page 450
Period from the date of original retail purchase. If a material non-conformance is incapable of correction, or if D-Link determines in its sole discretion that it is not practical to replace the non-conforming Software, the price paid by the original licensee for the non-conforming Software will be refunded by D-Link;...
Page 451
DWS-1008 User’s Manual Appendix F - Warranty D-Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package. The product owner agrees to pay D-Link’s reasonable handling and...
Page 452
Limitation of Liability: TO THE MAXIMUM EXTENT PERMITTED BY LAW, D-LINK IS NOT LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY LOSS OF USE OF THE PRODUCT, INCONVENIENCE OR DAMAGES...
Page 453
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. • Consult the dealer or an experienced radio/TV technician for help. For detailed warranty terms outside the United States, please contact the corresponding local D-Link office. FCC Caution: The manufacturer is not responsible for any radio or TV interference caused by unauthorized modifications to this equipment;...
DWS-1008 User’s Manual Appendix G - Registration Registration Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights. Revised: 10/12/2005 Version 1.00 D-Link Systems, Inc.