D-Link DGS-3700 Series User Manual

Layer 2 managed gigabit ethernet switch

User Manual

DGS-3700 Series
Product Model:
Layer 2 Managed Gigabit Ethernet Switch
Release 1.00
©Copyright 2009. All rights reserved

Summary of Contents for D-Link DGS-3700 Series

  • Page 1: User Manual

    User Manual DGS-3700 Series Product Model: Layer 2 Managed Gigabit Ethernet Switch Release 1.00 ©Copyright 2009. All rights reserved...
  • Page 2 © 2009 D-Link Corporation. All rights reserved. Reproduction in any manner whatsoever without the written permission of D-Link Corporation is strictly forbidden. Trademarks used in this text: D-Link and the D-LINK logo are trademarks of D-Link Corporation; Microsoft and Windows are registered trademarks of Microsoft Corporation.
  • Page 3: Table Of Contents

    DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual Preface ... xi Intended Readers ... 1 Typographical Conventions... 1 Notes, Notices, and Cautions ... 1 Web-based Switch Configuration ... 2 Introduction ... 2 Login to Web Manager ... 2 Web-based User Interface ... 3 Web Pages ...
  • Page 4 Telnet Settings ... 30 Password Encryption ... 31 Clipaging Settings ... 31 Firmware Information ... 31 Dual Configuration Settings ... 32 Ping Test ... 33 Local Loopback Ports Settings ... 34 VLAN Counter Settings ...
  • Page 5 DDM Bias Current Threshold Settings ... 63 DDM Tx Power Threshold Settings ... 64 DDM Rx Power Threshold Settings ... 64 L2 Features ... 66 Jumbo Frame ... 66 VLANs ... 67 Understanding IEEE 802.1p Priority ...
  • Page 6 MLD Snooping Multicast VLAN Settings ... 102 IPv6 Multicast Profile Settings ... 103 IPv6 Limited Multicast Range Settings ... 104 IPv6 Max Multicast Group Settings ... 104 Port Mirror ... 105 Loopback Detection Settings ...
  • Page 7 802.1p User Priority ... 137 QoS Scheduling Mechanism ... 137 QoS Scheduling ... 138 In Band Manage Settings ... 139 SRED ... 140 SRED Settings ... 140 SRED Drop Counter ... 142 DSCP Trust Settings ...
  • Page 8 SSH Authmode and Algorithm Settings ... 169 SSH User Authentication Lists ... 170 Access Authentication Control ... 171 Authentication Policy Settings ... 173 Application Authentication Settings ... 173 Authentication Server Group ... 174 Authentication Server ...
  • Page 9 RADIUS Authentication ... 233 RADIUS Account Client ... 234 Authenticator State ... 236 Authenticator Statistics ... 237 Authenticator Session Statistics ... 238 Authenticator Diagnostics ... 239 Browse ARP Table ... 241 VLAN ...
  • Page 10 Download Firmware ... 258 Reboot System ... 258 Mitigating ARP Spoofing Attacks Using Packet Content ACL ... 259 System Log Entries ... 267 Glossary... 278 Password Recovery Procedure ... 280...
  • Page 11: Preface

    Preface The DGS-3700 Series User Manual is divided into sections that describe the system installation and operating instructions with examples. Section 1, Introduction to Web-based Switch Management – Describes how to connect to and use the Web-based switch management feature on the Switch.
  • Page 12: Intended Readers

    Intended Readers The DGS-3700 Series Manual contains information for setup and management of the Switch. This manual is intended for network managers familiar with network management concepts and terminology. Typographical Conventions...
  • Page 13: Web-Based Switch Configuration

    Login to Web Manager To begin managing the Switch, simply run the browser you have installed on your computer and point it to the IP address you have defined for the device. The URL in the address bar should read something like: http://123.123.123.123, where the numbers 123 represent the IP address of the Switch.
  • Page 14: Web-Based User Interface

    The Switch management features available in the web-based manager are explained below. Web-based User Interface The user interface provides access to various Switch configuration and management windows, allows you to view performance statistics, and permits you to graphically monitor the system status.
  • Page 15: Web Pages

    Area 1 Select the folder or window to be displayed. The folder icons can be opened to display the hyperlinked window buttons and subfolders contained within them. Click the D-Link logo to go to the D-Link website. Area 2 Presents a graphical near real-time image of the front panel of the Switch.
  • Page 16 Settings, SNTP Settings, MAC Notification Settings, SNMP Settings, Time Range Settings, sFlow, Single IP Management and DDM. L2 Features – A discussion of the Layer 2 features on the Switch, including Jumbo Frame, 802.1Q VLAN, Subnet VLAN, QinQ, 802.1v Protocol VLAN, RSPAN Settings, GVRP Settings, GVRP Global Settings, MAC-based VLAN Settings, PVID Auto Assign Settings, Port Trunking, LACP Port Settings, Traffic Segmentation, BPDU Tunneling Settings, IGMP Snooping, MLD Snooping, Port Mirror, Loopback Detection Settings, Spanning Tree, Forwarding &...
  • Page 17: Configuration

    Section 2 Configuration Device Information System Information Serial Port Settings IP Address Interface Settings IPv6 Route Settings IPv6 Neighbor Settings Port Configuration Static ARP Settings User Accounts System Log Configuration System Severity Settings...
  • Page 18: Device Information

    This window contains the main settings for all major functions on the Switch and appears automatically when you log on. To return to the Device Information window, click the DGS-3700-12/DGS-3700-12G Web Management Tool folder. The Device Information window shows the Switch’s MAC Address (assigned by the factory and unchangeable), the Boot PROM Version, Firmware Version, Hardware Version and Serial Number as well as other information about different settings on the Switch.
  • Page 19: Serial Port Settings

    The fields that can be configured are described below: Parameter Description System Name Enter a system name for the Switch, if so desired. This name will identify it in the Switch network. System Location Enter the location of the Switch, if so desired.
  • Page 20: Ip Address

    The IP address may initially be set using the console interface prior to connecting to it through the Ethernet. If the Switch IP address has not yet been changed, read the introduction of the DGS-3700 Series CLI Manual for more information.
  • Page 21 IP addresses, network masks, and default gateways to be assigned by a central BOOTP server. If this option is set, the Switch will first look for a BOOTP server to provide it with this information before using the default or previously entered settings.
  • Page 22: Setting The Switch's Ip Address Using The Console Interface

    Switch IP address to meet the specification of your networking address scheme. The IP address for the Switch must be set before it can be managed with the Web-based manager. The Switch IP address can be automatically set using BOOTP or DHCP protocols, in which case the actual address assigned to the Switch must be known.
  • Page 23 IPv6 State – Allows the user to enable or disable the IPv6 state on the interface. Retransmit time – This field is used to set the interval, in milliseconds, that the Switch will produce neighbor solicitation packets to be sent out over the local network. This is used to discover IPv6 neighbors on the local network.
  • Page 24: Ipv6 Route Settings

    Click Apply to implement changes made. To remove any entry, click the Delete All button. IPv6 Neighbor Settings This window allows the user to create and configure IPv6 Neighbor settings on the Switch. The Switch’s current IPv6 neighbor settings will be displayed in the table at the bottom of this window.
  • Page 25: Port Configuration

    Parameter Description Interface Name – Enter the interface name of the IPv6 neighbor you wish to configure. Neighbor IPv6 Address – Enter the neighbor IPv6 address of the entry you wish to configure...
  • Page 26: Port Description

    SFP ports should be nominated Fiber and the Combo 1000BASE-T ports should be nominated Copper. The result will be displayed in the appropriate switch port number slot (C for copper ports and F for fiber ports). To view this window, click Configuration > Port Configuration > Port Description as shown below:...
  • Page 27: Port Error Disabled

    Port Error Disabled The following window will display the information about ports that have had their connection status disabled, for reasons such as Loopback Detection or link down status. To view this window, click Configuration > Port Configuration > Port Error Disabled as shown below.
  • Page 28: User Accounts

    The following fields can be set: Parameter Description ARP Aging Time (0-65535) – The user may globally set the maximum amount of time, in minutes, that an Address Resolution Protocol (ARP) entry can remain in the Switch’s ARP table, without being accessed, before it is dropped from the table.
  • Page 29 Admin, Operator and User Privileges Recently added to the levels of security offered on the Switch, the Operator level privilege will allow users to configure and view configurations on the Switch, except for those involving security features, which are still left to the Admin privilege.
  • Page 30 Community Strings and Trap Stations Update Firmware and Configuration Files System Utilities Factory Reset User Account Management Add/Update/Delete User Accounts View User Accounts Table 2 - 1 Admin, Operator and User Privileges...
  • Page 31: System Log Configuration

    Time Interval – This method configures a time interval by which the Switch will save the log files. The user may set a time between 1 and 65535 minutes. Log Trigger – This method will save log files to the Switch every time a log event occurs on the Switch.
  • Page 32 Processes and daemons that have not been explicitly assigned a Facility may use any of the "local use" facilities or they may use the "user-level" Facility. Those Facilities that have been designated are shown in the following: Bold font indicates the facility values that the Switch is currently employing.
  • Page 33: System Severity Settings

    System Severity Settings The Switch can be configured to allow alerts to be logged or sent as a trap to an SNMP agent or both. The level at which the alert triggers either a log entry or a trap message can be set as well. Use the System Severity Settings menu to set the criteria for alerts.
  • Page 34: Dhcp Relay

    The range is between 1 and 16 hops, with a default value of 4. The relay time threshold sets the minimum time (in seconds) that the Switch will wait before forwarding a DHCP REQUEST packet.
  • Page 35 Click Apply to implement any changes that have been made. NOTE: If the Switch receives a packet that contains the option-82 field from a DHCP client and the information-checking feature is enabled, the switch drops the packet because it is invalid. However, in some instances, you might configure a client with the option-82 field.
  • Page 36: The Implementation Of Dhcp Information Option 82 On The Switch

    Length e. VLAN: the incoming VLAN ID of DHCP client packet. f. Module: For a standalone switch, the Module is always 0; for a stackable switch, the Module is the Unit ID. g. Port: The incoming port number of DHCP client packet, port number starts from 1.
  • Page 37: Dhcp Relay Interface Settings

    DHCP Relay Interface Settings This window allows the user to set up a server, by IP address, for relaying DHCP information to the Switch. The user may enter a previously configured IP interface on the Switch that will be connected directly to the DHCP/BOOTP server using the following window.
  • Page 38: Dhcp Relay Option 60 Settings

    DHCP Relay Option 60 Settings This window is used to configure option 60 relay rules on the Switch. Different strings can be specified for the same relay server, and the same string can be specified with multiple relay servers. The system will relay the packet to all the matching servers.
  • Page 39: Dhcp Relay Option 61 Settings

    Out of Band Management Settings This window is used to configure the RJ-45 Out-of-band (OOB) management port on the Switch. The OOB port is physically isolated from the data channels of the Switch. This port allows administrators to manage the device remotely without the impact of data channel congestion.
  • Page 40: External Alarm Settings

    This window is used to display and configure the messages received from the RJ-45 alarm port when an external alarm occurs. The alarm port is designed to collect the alarm messages generated by a third-party alarm generator. While receiving the alarm messages, the Switch will send out alarm traps to the NMS according to the message you configured.
  • Page 41: Mac Address Aging Time

    DHCP reply packet. The TFTP server must be running and have the requested configuration file in its base directory when the request is received from the Switch. Consult the DHCP server and TFTP server software instructions for information on loading a configuration file.
  • Page 42: Password Encryption

    States the image ID number of the firmware in the Switch’s memory. The Switch can store two firmware images for use. Image ID 1 will be the default boot up firmware for the Switch unless Figure 2 - 34 Password Encryption window...
  • Page 43: Dual Configuration Settings

    Dual Configuration Settings The following window is used to configure firmware information set in the Switch. The DGS-3700 Series has the capability to store two firmware images in its memory. To view this window, click Configuration > Dual Configuration Settings as shown below:...
  • Page 44: Ping Test

    Ping is a small program that sends ICMP Echo packets to the IPv6 or IPv4 address you specify. The destination node then responds to or "echoes" the packets sent from the Switch. This is very useful to verify connectivity between the Switch and other nodes on the network.
  • Page 45: Local Loopback Ports Settings

    choose a specific number of times to ping the Target IP Address by entering a number between 1 and 255. Timeout Select a timeout period between 1 and 10 seconds for this Ping message to reach its destination.
  • Page 46: Vlan Counter Settings

    the pull-down menus. Loopback Mode – This function allows the user to select MAC Internal/MAC External or PHY Internal/PHY External. MAC and PHY represent the layer on which the loopback is performed while the Internal or External represents the local loopback mode.
  • Page 47: Sntp Settings

    SNTP Settings The Simple Network Time Protocol Settings can be configured in the next two windows. Time Settings This window is used to configure the time settings for the Switch. To view this window, click Configuration > SNTP Settings > Time Settings as shown below:...
  • Page 48: Timezone Settings

    TimeZone Settings The following window is used to configure time zones and Daylight Savings time settings for SNTP. To view this window, click Configuration > SNTP Settings > TimeZone Settings as shown below:...
  • Page 49: Mac Notification Settings

    MAC Notification Settings MAC Notification is used to monitor MAC addresses learned and entered into the forwarding database. To globally set MAC notification on the Switch, open the following window by opening the MAC Notification Settings in the Configuration folder.
  • Page 50: Mac Notification Port Settings

    Figure 2 - 43 MAC Notification Global Settings window The following parameters may be viewed and modified: Parameter Description State Enable or disable MAC notification globally on the Switch. Interval The time in seconds between notifications.
  • Page 51: Snmp Settings

    The DGS-3700 Series supports SNMP versions 1, 2c, and 3. The default SNMP setting is disabled. You must enable SNMP. Once SNMP is enabled you can choose which version you want to use to monitor and control the Switch.
  • Page 52: Snmp Global State Settings

    SNMP Global State Settings The SNMP Global State Settings is used to globally enable or disable the SNMP Settings on the switch. To view this window, click Configuration > SNMP Settings > SNMP Global State Settings as shown below:...
  • Page 53: Snmp Group Table

    Read View Name This name is used to specify the SNMP group created that can request SNMP messages. Write View Name Specify an SNMP group name for users that are allowed SNMP write privileges to the Switch's SNMP agent. Notify View Name Specify an SNMP group name for users that can receive SNMP trap messages generated by the Switch's SNMP agent.
  • Page 54: Snmp User Table

    SNMP User Table This window displays all of the SNMP Users currently configured on the Switch and also allows you to add new users. To view this window, click Configuration > SNMP Settings > SNMP User Table as shown below:...
  • Page 55: Snmp Community Table

    SNMP manager and an agent. The community string acts like a password to permit access to the agent on the Switch. One or more of the following characteristics can be associated with the community string: •...
  • Page 56: Snmp Host Table

    SNMP Host Table The SNMP Host Table window is used to set up SNMP trap recipients. To view this window, click Configuration > SNMP Settings > SNMP Host Table as shown below:...
  • Page 57: Snmp Engine Id

    monitor and control network devices. SNMPv2 – Specifies that SNMP version 2 will be used. The SNMP v2 supports both centralized and distributed network management strategies. It includes improvements in the Structure of Management Information (SMI) and adds some security features.
  • Page 58: Snmp Trap Configuration

    The Time Range window is used in conjunction with the Access Profile feature to determine a starting point and an ending point, based on days of the week, when an Access Profile configuration will be enabled on the Switch. Once configured here, the time range settings are to be applied to an access profile rule using the Access Profile table.
  • Page 59: Sflow

    The sFlow folder contains four windows to enable and configure the sFlow settings on the Switch. sFlow Global State Settings This table is used to enable or disable the sFlow Global State Settings on the Switch. The sFlow version, address and state configurations can also be viewed in this table.
  • Page 60: Sflow Flow Sampler Settings

    Flow Sampler Settings This table is used to create sFlow flow sampler settings on the Switch. By configuring the sampling function for a port, a sample packet received by this port will be encapsulated and forwarded to the analyzer server at the specified interval.
  • Page 61: Sflow Counter Poller Settings

    Counter Poller Settings This window is used to create the sflow counter poller settings on the Switch. Within the sflow counter poller function, the port statistics counter information will be forwarded to the server at the configured interval. These counters are RFC 2233 counters.
  • Page 62: Single Ip Management

    Member Switch (MS), which is a switch that is recognized by the CS as a member of a SIM group, and a Candidate Switch (CaS), which is a Switch that has a physical link to the SIM group but has not been recognized by the CS as a member of the SIM group.
  • Page 63: Single Ip Settings

    The Upgrade to v1.6 To better improve SIM management, the DGS-3700 Series has been upgraded to version 1.6 in this release. Many improvements have been made, including: 1. The Commander Switch (CS) now has the capability to automatically rediscover member switches that have left the SIM group, either through a reboot or web malfunction.
  • Page 64: Topology

    Configuration Backup/Restore and Upload Log File. Topology The Topology window will be used to configure and manage the Switch within the SIM group and requires Java script to function properly on your computer. The Java Runtime Environment on your server should initiate and lead you to the topology window, as seen below.
  • Page 65 Figure 2 - 61 Single IP Management window – Tree View The Tree View window holds the following information under the Data tab: Parameter Description Device Name This field will display the Device Name of the switches in the SIM group configured by the user. If no Device Name is configured by the name, it will be given the name default and tagged with the last six digits of the MAC Address to identify it.
  • Page 66 This window will display how the devices within the Single IP Management Group are connected to other groups and devices. Possible icons in this screen are as follows: Icon Group Layer 2 commander switch...
  • Page 67: Tool Tips

    Tool Tips In the Topology view window, the mouse plays an important role in configuration and in viewing device information. Setting the mouse cursor over a specific device in the topology window (tool tip) will display the same information about a specific device as the Tree view does.
  • Page 68: Right-Click

    Right-Click Right-clicking on a device will allow the user to perform various functions, depending on the role of the Switch in the SIM group and the icon associated with it. Group Icon The following options may appear for the user to configure: Collapse –...
  • Page 69: Commander Switch Icon

    Add to group – Add a candidate to a group. Clicking this option will reveal the following dialog for the user to enter a password for authentication from the Candidate Switch before being added to the SIM group. Click OK to enter the...
  • Page 70: Menu Bar

    Add to group – Add a candidate to a group. Clicking this option will reveal the following dialog for the user to enter a password for authentication from the Candidate Switch before being added to the SIM group. Click OK to enter the password or Cancel to exit the window.
  • Page 71: Firmware Upgrade

    Firmware Upgrade This screen is used to upgrade firmware from the Commander Switch to the Member Switch. Member Switches will be listed in the table and will be specified by Port (port on the CS where the MS resides), MAC Address, Model Name and Version.
  • Page 72: Upload Log File

    The following window is used to upload log files from SIM member switches to a specified PC. To upload a log file, enter the Server IP address of the SIM member switch and then enter a Path\Filename on your PC where you wish to save this file.
  • Page 73: Ddm Temperature Threshold Settings

    Click Apply to implement changes made. DDM Temperature Threshold Settings This table is used to configure the DDM Temperature Threshold Settings for specific ports on the Switch. To view this window, click Configuration > DDM > DDM Temperature Threshold Settings as shown below:...
  • Page 74: Ddm Voltage Threshold Settings

    DDM Bias Current Threshold Settings This table is used to configure the threshold of the bias current for specific ports on the Switch. To view this window, click Configuration > DDM > DDM Bias Current Threshold Settings as shown below:...
  • Page 75: Ddm Tx Power Threshold Settings

    Click Apply to implement changes made. DDM Tx Power Threshold Settings This table is used to configure the threshold of Tx power for specific ports on the Switch. To view this window, click Configuration > DDM > DDM Tx Power Threshold Settings as shown below:...
  • Page 76 The following fields can be configured: Parameter Description From Port / To Port – Specifies a port or range of ports to be configured. High Alarm – This is the highest threshold for the alarm. When the operating parameter rises above this value, action associated with the alarm will be taken.
  • Page 77: L2 Features

    Forwarding & Filtering LLDP Ethernet OAM The following section will aid the user in configuring Layer 2 functions for the Switch. The Switch includes various functions all discussed in detail in the following section. Jumbo Frame This window will enable or disable the Jumbo Frame function on the Switch. The default is Disabled. When enabled, jumbo frames (frames larger than the standard Ethernet frame size of 1536 bytes) of up to 13K (and 13312 bytes tagged) can be transmitted by the Switch.
  • Page 78: Vlans

    802.1Q tag from packet headers to maintain compatibility with devices that are tag-unaware. The Switch's default is to assign all ports to a single 802.1Q VLAN named "default." The "default" VLAN has a VID = 1. The member ports of Port-based VLANs may overlap, if desired.
  • Page 79: Ieee 802.1Q Vlans

    Ingress port – A port on a switch where packets are flowing into the Switch and VLAN decisions must be made. Egress port – A port on a switch where packets are flowing out of the Switch, either to another switch or to an end station, and tagging decisions must be made.
  • Page 80: Q Vlan Tags

    802.1Q VLAN Tags The figure below shows the 802.1Q VLAN tag. There are four additional octets inserted after the source MAC address. Their presence is indicated by a value of 0x8100 in the EtherType field. When a packet's EtherType field is equal to 0x8100, the packet carries the IEEE 802.1Q/802.1p tag.
  • Page 81: Port Vlan Id

    Switch will drop the packet. Because of the existence of the PVID for untagged packets and the VID for tagged packets, tag-aware and tag-unaware network devices can coexist on the same network. A switch port can have only one PVID, but can have as many VIDs as the Switch has memory in its VLAN table to store them.
  • Page 82: Default Vlans

    (Port 10) is a member of VLAN 2 (and can therefore receive VLAN 2 packets). If Port 10 is not a member of VLAN 2, then the packet will be dropped by the Switch and will not reach its destination. If Port 10 is a member of VLAN 2, the packet will go through.
  • Page 83: Double Vlans

    VLAN and Trunk Groups The members of a trunk group have the same VLAN setting. Any VLAN setting on the members of a trunk group will apply to the other member ports.
  • Page 84: Regulations For Double Vlans

    Some rules and regulations apply with the implementation of the Double VLAN procedure. 1. All ports must be configured for the SPVID and its corresponding TPID on the Service Provider’s edge switch. 2. All ports must be configured as Access Ports or Uplink ports. Access ports can only be Ethernet ports while Uplink ports must be Gigabit ports.
  • Page 85: 802.1Q Vlan

    • Web-based Access Control • IP Multicast Routing • GVRP • All Regular 802.1Q VLAN functions 802.1Q VLAN The 802.1Q VLAN window lists all previously configured VLANs by VLAN ID and VLAN Name.
  • Page 86 Figure 3 - 7 802.1Q VLAN window – Add/Edit VLAN Tab To return to the 802.1Q VLAN window, click the VLAN List Tab at the top of the window. To change an existing 802.1Q VLAN entry, click the corresponding Edit button.
  • Page 87 Advertisement – Enabling this function will allow the Switch to send out GVRP packets to outside sources, notifying that they may join the existing VLAN. Port Settings – Allows an individual port to be specified as member of a VLAN.
  • Page 88 Figure 3 - 10 802.1Q VLAN window – VLAN Batch Settings window The following fields can be set in the VLAN Batch Settings windows: Parameter Description VID List (e.g 2-5) Enter a VLAN ID List that can be added, deleted or configured.
  • Page 89: Subnet Vlan

    Enter the appropriate information and click Add to create a new entry. To search for a particular entry, enter the appropriate information and click Find. To remove an entry, click Delete. To view all entries on the Switch, click Show All. To remove all entries, click Delete All.
  • Page 90: Q-In-Q

    The following parameters can be configured: Parameter Description From Port / To Port – Specify the port or range of ports you wish to configure. VLAN Precedence – Use the drop-down menu to select the VLAN precedence; choose either MAC Based VLAN or Subnet VLAN.
  • Page 91: Vlan Translation Settings

    The following fields can be set: Parameter Description From Port / To Port A consecutive group of ports that are part of the VLAN configuration starting with the selected port. Role The user can choose between UNI or NNI role.
  • Page 92: Q-In-Q And Vlan Translation Rules

    > port-based VLAN. If matched, the matched VLAN will become this packet's 'SPVLAN'. For ingress tagged packets at UNI ports 1. The switch will look up the VLAN translation table. If matched, the VLAN tag will be translated (replace CEVLAN with SVLAN, or add SPVLAN).
  • Page 93: 802.1V Protocol Vlan

    802.1v Protocol VLAN 802.1v Protocol Group Settings The table allows the user to create Protocol VLAN groups and add protocols to that group. The 802.1v Protocol VLAN Group Settings supports multiple VLANs for each protocol and allows the user to configure the untagged ports of different protocols on the same physical port.
  • Page 94: 802.1V Protocol Vlan Settings

    802.1p Priority – This parameter is specified if you want to re-write the 802.1p default priority previously set in the Switch, which is used to determine the CoS queue to which packets are forwarded. Once this field is specified, packets accepted by the Switch that match this priority are forwarded to the CoS queue specified previously by the user.
  • Page 95: Rspan Settings

    The packet travels from the switch where the monitored packet is received, through the intermediate switch, then to the switch where the sniffer is attached. The first switch is also named the source switch. RSPAN VLAN mirroring will only work when RSPAN Global Settings are enabled. RSPAN redirect function will work when RSPAN is enabled and at least one RSPAN VLAN has been configured with redirect ports.
  • Page 96: Gvrp Global Settings

    VLAN when created in the 802.1Q Port Settings table. The Switch's default is to assign all ports to the default VLAN with a VID of 1. The PVID is used by the port to tag outgoing, untagged packets, and to make filtering decisions about incoming packets.
  • Page 97: Mac-Based Vlan Settings

    MAC-based VLAN Settings This table is used to create MAC-based VLAN entries on the switch. A MAC Address can be mapped to any existing static VLAN and multiple MAC addresses can be mapped to the same VLAN. When a static MAC-based VLAN entry is created for a user, the traffic from this user is able to be serviced under the specified VLAN regardless of the authentication function operated on the port.
  • Page 98: Port Trunking

    Port trunk groups are used to combine a number of ports together to make a single high-bandwidth data pipeline. DGS-3700 Series supports up to 6 port trunk groups with 2 to 8 ports in each group. A potential bit rate of 8000 Mbps can be achieved.
  • Page 99 The Spanning Tree Protocol will treat a link aggregation group as a single link, on the switch level. On the port level, the STP will use the port parameters of the Master Port in the calculation of port cost and in determining the state of the link aggregation group.
  • Page 100: Lacp Port Settings

    LACP Port Settings The LACP Port Settings window is used to create port trunking groups on the Switch. Using the following window, the user may set which ports will be active and passive in processing and sending LACP control frames.
  • Page 101: Traffic Segmentation

    Traffic Segmentation Traffic segmentation is used to limit traffic flow from a single port to a group of ports on either a single switch or a group of ports on another switch in a switch stack. This method of segmenting the flow of traffic is similar to using VLANs to limit traffic, but is more restrictive.
  • Page 102: Bpdu Tunneling Settings

    BPDU Tunneling Settings This table is used to configure the BPDU Tunneling port types. When the device is operated with Q-in-Q enabled, DA will be replaced by the tunnel multicast address, and the BPDU will be tagged with the tunnel VLAN based on the Q-in-Q VLAN configuration and the tunnel/uplink setting.
  • Page 103: Igmp Snooping

    IGMP messages passing through the Switch. In order to use IGMP Snooping it must first be enabled for the entire Switch (see the DGS-3700-12/DGS-3700-12G Switch Series Web Management Tool). You may then fine-tune the settings for each VLAN using the IGMP Snooping link in the L2 Features folder.
  • Page 104 Learning Aged Out specified VLAN. Version: Allows the user to configure the IGMP version used on the Switch. The default value is 3. Querier Role: This read-only field describes the behavior of the router for sending query packets. Querier will denote that the router is sending out IGMP query packets.
  • Page 105: Igmp Snooping Rate Limit Settings

    IGMP Snooping Static Group Settings This table is used to configure the current IGMP snooping static group information on the Switch. To view this window, click L2 Features > IGMP Snooping > IGMP Snooping Static Group Settings as shown below:...
  • Page 106: Igmp Multicast Group Profile Settings

    IGMP Multicast Group Profile Settings This table allows the user to create IGMP multicast group profiles and specify multicast address lists on the Switch. To view this window, click L2 Features > IGMP Snooping > IGMP Multicast Group Profile Settings as shown...
  • Page 107: Ipv4 Multicast Profile Settings

    The IPv4 Multicast Profile Settings window allows the user to add a profile to which multicast IPv4 address(es) reports are to be received on specified ports or VLANs on the Switch. This function will therefore limit the number of reports received and the number of multicast groups configured on the Switch. The user may set an IP Multicast address or range of IPv4 Multicast addresses to accept reports (Permit) or deny reports (Deny) coming into the specified switch ports or VLANs.
  • Page 108: Ipv4 Limited Multicast Range Settings

    To add a new range, enter the information and click Add; to delete an entry, enter the information and click Delete. IPv4 Max Multicast Group Settings The IPv4 Max Multicast Group Settings allows users to configure the ports on the switch that will be a part of the max number of multicast groups that can be learned by data driven.
  • Page 109: Mld Snooping

    2. Multicast Listener Report – Comparable to the Host Membership Report in IGMPv2, and labeled as 131 in the ICMP packet header, this message is sent by the listening host to the Switch stating that it is interested in receiving multicast data from a multicast address in response to the Multicast Listener Query message.
  • Page 110 The default is Disabled. If the field displays “Disabled”, it will always be in MLD-Snooping non-querier state. Used to enable or disable the fast done state of the switch. This field is disabled by default. Used to enable or disable MLD snooping for the specified VLAN. This field is Disabled by default.
  • Page 111: Mld Snooping Rate Limit Settings

    Specifies a VLAN or range of VLANs to configure or display. Rate Limit: Specifies the rate of MLD control packets that the switch can process on a specific port. The rate is specified in packets per second. The packet that exceeds the limited rate will be dropped.
  • Page 112: Mld Snooping Static Group Settings

    MLD Multicast Group Profile Settings This table allows the user to create MLD multicast group profiles and specify multicast address lists on the Switch. To view this window, click L2 Features > MLD Snooping > MLD Multicast Group Profile Settings as shown below:...
  • Page 113: Mld Snooping Multicast Vlan Settings

    Figure 3 - 47 MLD Multicast Group Profile Settings window To configure the group list once a profile has been created, click on the hyperlinked window: Figure 3 - 48 Multicast Group Profile Multicast Address Settings window – Group List Enter the Multicast Address List and click Add; the new information will be displayed in the table.
  • Page 114: Ipv6 Multicast Profile Settings

    The IPv6 Multicast Profile Settings window allows the user to add a profile to which multicast IPv6 address(es) reports are to be received on specified ports or VLANs on the Switch. This function will therefore limit the number of reports received and the number of multicast groups configured on the Switch. The user may set an IP Multicast address or range of IPv6 Multicast addresses to accept reports (Permit) or deny reports (Deny) coming into the specified switch ports or VLANs.
  • Page 115: Ipv6 Limited Multicast Range Settings

    To add a new range, enter the information and click Add; to delete an entry, enter the information and click Delete. IPv6 Max Multicast Group Settings The IPv6 Max Multicast Group Settings allows users to configure the ports or VLANs on the switch that will be a part of the max number of multicast groups that can be learned.
  • Page 116: Port Mirror

    Port Mirror The Switch allows you to copy frames transmitted and received on a port and redirect the copies to another port. You can attach a monitoring device to the mirrored port, such as a sniffer or an RMON probe, to view details about the packets passing through the first port.
  • Page 117: Loopback Detection Settings

    Switch when a loop detecting packet has been looped back to the switch. When the Switch detects that these packets are received from a port or a VLAN, it signifies a loop on the network. The Switch will automatically block the port or the VLAN and send an alert to the administrator.
  • Page 118: Spanning Tree

    Rapid STP and 802.1q-2005 MSTP. 802.1D STP will be familiar to most networking professionals. However, since 802.1w RSTP has been recently introduced to D-Link managed Ethernet switches, a brief introduction to the technology is provided below followed by a description of how to set up 802.1D STP and 802.1w RSTP.
  • Page 119: P2P Port

    P2P Port A P2P port is also capable of rapid transition. P2P ports may be used to connect to other bridges. Under RSTP, all ports operating in full-duplex mode are considered to be P2P ports, unless manually overridden through configuration.
  • Page 120: Stp Bridge Global Settings

    Switch will start sending its own BPDU to all other switches for permission to become the Root Bridge. If it turns out that your switch has the lowest Bridge Identifier, it will become the Root Bridge. The user may choose a time between 6 and 40 seconds. The default value is 20.
  • Page 121 BPDU (bridge protocol data unit) packet sent by the Switch will be discarded. Each switch on the hop count will reduce the hop count by one until the value reaches zero. The Switch will then discard the BPDU packet and the information held for the port will age out.
  • Page 122: Stp Port Settings

    Priority and Port Cost. An STP Group spanning tree works in the same way as the switch-level spanning tree, but the root bridge concept is replaced with a root port concept. A root port is a port of the group that is elected based on port priority and port cost, to be the connection to the network for the group.
  • Page 123: Mst Configuration Identification

    The following windows in the MST Configuration Identification section allow the user to configure a MSTI instance on the Switch. These settings will uniquely identify a multiple spanning tree instance set on the Switch. The Switch initially possesses one CIST or Common Internal Spanning Tree of which the user may modify the parameters for but cannot change the MSTI ID for, and cannot be deleted.
  • Page 124: Stp Instance Settings

    STP Instance Settings This table is used to create STP Instance Settings on the Switch. An STP instance may have multiple members with the same MSTP configuration. There is no limit to the number of STP regions in a network but each region only supports a maximum of 16 spanning tree instances (one unchangeable default entry).
  • Page 125: Mstp Port Information

    MSTP Port Information This window displays the current MSTP Port Information and can be used to update the port configuration for an MSTI ID. If a loop occurs, the MSTP function will use the port priority to select an interface to put into the forwarding state.
  • Page 126: Forwarding & Filtering

    Forwarding & Filtering This folder contains windows for Unicast Forwarding, Multicast Forwarding and Multicast Filtering Mode. Unicast Forwarding To view this window, click L2 Features > Forwarding & Filtering > Unicast Forwarding as shown below:...
  • Page 127: Multicast Filtering Mode

    Multicast Filtering Mode This table is used to configure the Multicast Filtering settings on the switch. It allows users to configure the switch to forward or filter the Unregistered Groups per VLAN. To view this window, click L2 Features > Forwarding & Filtering > Multicast Filtering Mode as shown below:...
  • Page 128: Lldp Global Settings

    LLDP Global Settings This window is used to configure the LLDP Global Settings on the Switch. When LLDP is enabled the Switch can start to transmit, receive and process LLDP packets. The specific function of each port will depend on the per port LLDP settings.
  • Page 129: Lldp Port Settings

    LLDP Port Settings This window is used to display the LLDP port settings on the Switch. The ports can be individually configured to send notifications to configured SNMP trap receivers. To view this window, click L2 Features > LLDP > LLDP Port Settings...
  • Page 130: Lldp Management Address List

    LLDP Basic TLVs Settings This window is used to enable the settings for the Basic TLVs Settings. An active LLDP port on the Switch always includes mandatory data in its outbound advertisements. There are four optional data types that can be configured for an individual port or group of ports to exclude one or more of these data types from outbound LLDP advertisements.
  • Page 131: Lldp Dot1 Tlvs Settings

    Port Description Use the drop-down menu to enable or disable port description. System Name Use the drop-down menu to enable or disable system name. System Use the drop-down menu to enable or disable system description.
  • Page 132: Lldp Dot3 Tlvs Settings

    LLDP Statistics System allows you an overview of neighbor detection activity, LLDP Statistics and the settings for individual ports on the Switch. Use the drop-down menu to check a specific port and click Find; the information will be displayed in the lower half of the table.
  • Page 133: Lldp Local Port Information

    To view this window, click L2 Features > LLDP > LLDP Statistics System as shown below: Figure 3 - 72 LLDP Statistics System window LLDP Local Port Information LLDP Local Port Information window displays the information on a per port basis currently available for populating outbound LLDP advertisements in the local port brief table shown below.
  • Page 134: Lldp Remote Port Information

    To return to the LLDP Local Port Information window click the <<Back button. LLDP Remote Port Information This window displays port information learned from the neighbor. The switch receives packets from a remote station but is able to store the information as local.
  • Page 135: Cfm Ccm Pdus Forwarding Mode

    CFM CCM PDUs Forwarding Mode This window is used to configure the CFM CCM PDU forwarding mode on the Switch. By default the CCM message is handled and forwarded by software. The software can handle the packet based on behaviour defined by the standard.
  • Page 136: Connectivity Fault Management Settings

    Connectivity Fault Management Settings This window is used to configure the CFM settings on the Switch. To view this window, click L2 Features > CFM > Connectivity Fault Management Settings as shown below:...
  • Page 137: Cfm Loopback Settings

    This setting controls the creation of MIPs. None – Means that no MIPs will be created. This is the default value. Auto – MIPs are created when the next lower active MD-level on the port is reached or there are no lower active MD levels.
  • Page 138: Cfm Linktrace Settings

    LBMs Priority: The 802.1p priority to be set in the transmitted LBMs. If not specified, it uses the same priority as CCMs and LTMs sent by the MEP. Click Apply to implement changes made.
  • Page 139: Ethernet Oam

    Ethernet OAM Ethernet OAM Settings This window is used to configure the ports' Ethernet OAM mode. In Active mode the ports can initiate OAM discovery and start or stop remote loopback. When a port is OAM enabled, any change to the OAM mode will cause the OAM discovery to be restarted.
  • Page 140: Ethernet Oam Configuration Settings

    Ethernet OAM Configuration Settings This window is used to configure and display the primary controls and status information for Ethernet OAM on the Switch. To view this window, click L2 Features > Ethernet OAM > Ethernet OAM Configuration Settings as shown below:...
  • Page 141: Qos

    QoS Scheduling In Band Manage Settings SRED The DGS-3700 Series supports 802.1p priority queuing Quality of Service. The following section discusses the implementation of QoS (Quality of Service) and benefits of using 802.1p priority queuing. Advantages of QoS QoS is an implementation of the IEEE 802.1p standard that allows network administrators a method of reserving bandwidth for important functions that require a large bandwidth or have a high priority, such as VoIP (voice-over Internet Protocol), web browsing applications, file server applications or video conferencing.
  • Page 142: Understanding Qos

    Switch to examine packets for this tag, acquires the tagged packets and maps them to a class queue on the Switch. Then in turn, the administrator will set a priority for this queue so that it will be emptied before any other packet is forwarded.
  • Page 143 CoS until there are no more packets for this CoS. The other CoS queues that have been given a nonzero value, and depending upon the weight, will follow a common weighted round-robin scheme. Remember that the DGS-3700 Series has eight priority queues (and eight Classes of Service) for each port on the Switch.
  • Page 144: Hol Blocking Prevention

    HOL Blocking Prevention This window is used to enable HOL Prevention Settings on the Switch. To view this window, click QoS > HOL Blocking Prevention Settings as shown below: Bandwidth Control The bandwidth control settings are used to place a ceiling on the transmitting and receiving data rates for any selected port.
  • Page 145: Traffic Control

    The packet storm is monitored to determine if too many packets are flooding the network, based on the threshold level provided by the user. Once a packet storm has been detected, the Switch will drop packets coming into the Switch until the storm has subsided.
  • Page 146 Switch’s chip to determine if a Packet Storm is occurring. Count Down (0 or 5-30): The Count Down timer is set to determine the amount of time, in minutes, that the Switch will wait before shutting down the port that is experiencing a traffic storm. Only if the Switch continues to experience a traffic storm during this countdown period will it shut down the port.
  • Page 147: 802.1P Default Priority

    To view this window, click QoS > 802.1p Default Priority as shown below: This window allows you to assign a default 802.1p priority to any given port on the Switch. The priority queues are numbered from 0, the lowest priority, to 7, the highest priority. Click Apply to implement your settings.
  • Page 148: 802.1P User Priority

    Figure 4 - 6 802.1p User Priority window Once you have assigned a priority to the port groups on the Switch, you can then assign this Class to each of the 7 levels of 802.1p priorities. Click Apply to set your changes.
  • Page 149: Qos Scheduling

    Click Apply to implement changes made. QoS Scheduling This window allows the user to configure the way the Switch will map an incoming packet per port based on its 802.1p user priority, to one of the eight available hardware priority queues available on the Switch.
  • Page 150: In Band Manage Settings

    This window allows the user to specify a priority handling of untagged in-band management packets received by the Switch. The priority value entered in this window will be used to determine which of the eight hardware priority queues the packet is forwarded to.
  • Page 151: Sred

    Detection (RED) is a congestion avoidance mechanism at the gateway in packet switched networks. RED gateways keep the average queue size low while allowing occasional bursts of packets in the queue. The switch provides support for sRED through active queue management by probabilistic dropping of incoming colored packets.
  • Page 152 From port / To port: A consecutive group of ports may be configured starting with the selected port. Class ID: Select the Class ID, from 0-7, to configure for the SRED parameters. Selecting all will set the parameters configured here for all CoS queues.
  • Page 153: Sred Drop Counter

    SRED Drop Counter This window is used to view the SRED Drop Counter settings on the Switch. To view this window, click QoS > SRED > SRED Drop Counter as shown below: DSCP Trust Settings This window is used to enable DSCP Trust Settings on the Switch.
  • Page 154 This field allows the user to enter a DSCP value in the space provided, which will instruct the Switch to examine the DiffServ Code part of each packet header and use this as the criterion, or part of the criterion, for forwarding. The user may choose a value between 0 and 63.
  • Page 155: 802.1P Map Settings

    This parameter is specified if you want to re-write the 802.1p default priority previously set in the Switch, which is used to determine the CoS queue to which packets are forwarded. Once this field is specified, packets accepted by the Switch that match this priority are forwarded to the CoS queue specified previously by the user.
  • Page 156: Security

    When in this mode, the Switch only receives a small amount of ARP or IP broadcast packets for a calculated time interval. Every five seconds, the Switch will check to see if there are too many packets flooding the Switch. If the threshold has been crossed, the Switch will do a rate limit and only allow a small amount of ARP and IP broadcast packets for five seconds.
  • Page 157 ARP and IP broadcast packets will return to 5 seconds and the process will resume. Once in Exhausted mode, the packet flow will decrease by half of the level that caused the Switch to enter Exhausted mode. After the packet flow has stabilized, the rate will initially increase by 25% and then return to a normal packet flow.
  • Page 158: Trusted Host

    If an unauthorized user tries to access an IP-MAC binding enabled port, the system will block the access by dropping its packet. For the DGS-3700 Series, active and inactive entries use the same database. The maximum entry number is 511. The creation of authorized users can be manually configured by CLI or Web. The function is port-based, meaning a user can enable or disable the function on the individual port.
  • Page 159: Imp Binding Port Settings

    Switch will send a trap message to the SNMP agent and the Switch log when an ARP packet is received that doesn’t match the IP-MAC binding configuration set on the Switch.
  • Page 160 From Port / To Port: Select a port or range of ports to set for IP-MAC Binding. State: Use the pull-down menu to Enable or Disable these ports for IP-MAC Binding.
  • Page 161: Imp Binding Entry Settings

    Ports: Specify the switch ports for which to configure this IP-MAC binding entry (IP Address + MAC Address). Click the All Ports check box to configure this entry for all ports on the Switch. Mode: The user may set the IP-MAC Binding Mode here by using the pull-down menu. The choices are: ARP –...
  • Page 162: Dhcp Snooping Entries

    Admin State pull-down menu to Enabled, and clicking Apply can lock the port. Port Security is a security feature that prevents unauthorized computers (with source MAC addresses) unknown to the Switch prior to locking the port (or ports) from connecting to the Switch's locked ports and gaining access to the network.
  • Page 163: Port Security Vlan Settings

    The following parameters can be set: From Port / To Port: A consecutive group of ports may be configured starting with the selected port. Admin State: This pull-down menu allows you to enable or disable Port Security (locked MAC address table for the selected ports).
  • Page 164: Port Security Entries

    VLAN Name: Specifies a VLAN or list of VLANs by VLAN Name. VLAN ID (e.g.: 1,4-6): Specifies a VLAN or list of VLANs by VLAN ID. Max Learning: Specifies the maximum number of port-security entries that can be learned by this VLAN. If this parameter is set to 0, no user can get authorization on this VLAN.
  • Page 165: Dhcp Screening Port Settings

    DHCP Screening Port Settings The Switch supports DHCP Server Screening, a feature that denies access to rogue DHCP servers. When the DHCP server filter function is enabled, all DHCP server packets will be filtered from a specific port.
  • Page 166: 155

    The Authentication Server is a remote device that is connected to the same network as the Client and Authenticator, must be running a RADIUS Server program and must be configured properly on the Authenticator (Switch). Clients Figure 5 - 14 The EAPOL Packet...
  • Page 167 Switch must be authenticated by the Authentication Server (RADIUS) before attaining any services offered by the Switch on the LAN. The role of the Authentication Server is to certify the identity of the Client...
  • Page 168: Authentication Process

    Client The Client is simply the endstation that wishes to gain access to the LAN or switch services. All endstations must be running software that is compliant with the 802.1X protocol. For users running Windows XP or Windows Vista, that software is included within the operating system.
  • Page 169: Understanding 802.1X Port-Based And Host-Based Network Access Control

    Understanding 802.1X Port-based and Host-based Network Access Control The original intent behind the development of 802.1X was to leverage the characteristics of point-to-point in LANs. As any single LAN segment in such infrastructures has no more than two devices attached to it, one of which is a Bridge Port.
  • Page 170: Host-Based Network Access Control

    In order to successfully make use of 802.1X in a shared media LAN segment, it would be necessary to create “logical” Ports, one for each attached device that required access to the LAN. The Switch would regard the single physical Port connecting it to the shared media segment as consisting of a number of distinct logical Ports, each logical Port being independently controlled from the point of view of EAPOL exchanges and authorization state.
  • Page 171: 802.1X Global Settings

    802.1X Global Settings This window is used to configure the 802.1X Global Settings on the Switch. To view this window, click Security > 802.1X > 802.1X Global Settings as shown below:...
  • Page 172 Enter the port or ports to be set. QuietPeriod (0-65535): This allows you to set the number of seconds that the Switch remains in the quiet state following a failed authentication exchange with the client. The default setting is 60 seconds.
  • Page 173: 802.1X User

    To view this window, click Security > 802.1X > 802.1X User as shown below: Authentication RADIUS Server The RADIUS feature of the Switch allows you to facilitate centralized user administration as well as providing protection against a sniffing, active hacker.
  • Page 174: Initialize Port(S)

    Confirm Key: Re-enter the previously entered Key. Click Apply to implement changes. Initialize Port(s) This window allows you to initialize ports for the 802.1X Settings. This window will appear in the folder when the “enable 802.1x”...
  • Page 175: Guest Vlan Configuration

    Guest VLAN Configuration On 802.1X security enabled networks, there is a need for non 802.1X supported devices to gain limited access to the network, due to lack of the proper 802.1X software or...
  • Page 176: Guest Vlan

    The Switch supports two types of cryptology algorithms: • Stream Ciphers – There are two types of stream ciphers on the Switch, RC4 with 40-bit keys and RC4 with 128-bit keys. These keys are used to encrypt messages and need to be consistent between client and host for optimal use.
  • Page 177: Download Certificate

    The information included in the ciphersuites is not included with the Switch and requires downloading from a third source in a file form called a certificate. This function of the Switch cannot be executed without the presence and implementation of the certificate file and can be downloaded to the Switch by utilizing a TFTP server. The Switch supports SSLv3 and TLSv1.
  • Page 178 NOTE: Enabling the SSL command will disable the web-based switch management. To log on to the Switch again, the header of the URL must begin with https://. Entering anything else into the address field of the web browser will result in an error and no authentication will be granted.
  • Page 179: Ssh

    SSH server, using the SSH Authmode and Algorithm Settings window. 4. Finally, enable SSH on the Switch using the SSH Settings window. After completing the preceding steps, a SSH Client on a remote PC can be configured to manage the Switch using a secure, in band connection.
  • Page 180: Ssh Authmode And Algorithm Settings

    security shell encryptions. The available options are Never, 10 min, 30 min, and 60 min. The default setting is Never. Click Apply to implement changes made. SSH Authmode and Algorithm Settings The SSH Algorithm window allows the configuration of the desired types of SSH algorithms used for authentication encryption.
  • Page 181: Ssh User Authentication Lists

    Click Apply to implement changes made. SSH User Authentication Lists The following windows are used to configure parameters for users attempting to access the Switch through SSH. To view this window, click Security > SSH > SSH User Authentication Lists as shown below: Figure 5 - 33 SSH User Authentication Lists window In the example above right, the User Account “RG”...
  • Page 182: Access Authentication Control

    Switch. The users will set Authentication Server Hosts in a preferable order in the built-in Authentication Server Groups and when a user tries to gain access to the Switch, the Switch will ask the first Authentication Server Hosts for authentication. If no authentication is made, the second server host in the list will be queried, and so on. The built-in Authentication Server Groups can only have hosts that are running the specified protocol.
  • Page 183 If the first technique goes through its Authentication Server Hosts and no authentication is returned, the Switch will then go to the next technique listed in the server group for authentication, until the authentication has been verified or denied, or the list is exhausted.
  • Page 184: Authentication Policy Settings

    Click Apply to implement changes made. Application Authentication Settings This window is used to configure switch configuration applications (console, Telnet, SSH, web) for login at the user level and at the administration level (Enable Admin) utilizing a previously configured method list.
  • Page 185: Authentication Server Group

    Click Apply to implement changes made. Authentication Server Group This window will allow users to set up Authentication Server Groups on the Switch. A server group is a technique used to group TACACS/XTACACS/TACACS+/RADIUS server hosts into user-defined categories for authentication using method lists.
  • Page 186: Authentication Server

    This window will set user-defined Authentication Server Hosts for the TACACS/XTACACS/TACACS+/RADIUS security protocols on the Switch. When a user attempts to access the Switch with Authentication Policy enabled, the Switch will send authentication packets to a remote TACACS/XTACACS/TACACS+/RADIUS server host on a remote host.
  • Page 187: Login Method Lists

    TACACS host in the server group. If no response comes from the server host, the Switch will send an authentication request to the second TACACS host in the server group and so on, until the list is exhausted.
  • Page 188: Enable Method Lists

    TACACS host in the server group. If no verification is found, the Switch will send an authentication request to the second TACACS host in the server group and so on, until the list is exhausted. At that point, the Switch will restart the same sequence with the following protocol listed, XTACACS.
  • Page 189: Local Enable Password Settings

    NOTE: To set the Local Enable Password, see the next section, entitled Local Enable Password. To view the following table, click Security > Access Authentication Control > Enable Method Lists as shown below: To delete an Enable Method List defined by the user, click the corresponding Delete button.
  • Page 190: Radius Accounting Settings

    The Accounting feature of the Switch uses a remote RADIUS server to collect information regarding events occurring on the Switch. The following is a list of information that will be sent to the RADIUS server when an event triggers the Switch to send these informational packets.
  • Page 191: Mac-Based Access Control

    MAC-based Access Control Settings The following window is used to set the parameters for the MAC-based Access Control function on the Switch. Here the user can set the running state, method of authentication, RADIUS password and view the Guest VLAN configuration to be associated with the MAC-based Access Control function of the Switch. MAC-based Access Control...
  • Page 192 Figure 5 - 44 MAC-based Access Control Settings window The following parameters may be viewed or set: Parameter Description MBA Global State Click the radio buttons to globally enable or disable the MAC-based Access Control function on the Switch.
  • Page 193: Mac-Based Access Control Local Settings

    The following window is used to set a list of MAC addresses, along with their corresponding target VLAN, which will be authenticated for the Switch. Once a queried MAC address is matched in this table, it will be placed in the VLAN associated with it here.
  • Page 194: Web Authentication

    VLAN set by the user. All clients in this authentication VLAN will be queried for authentication by the local method or through a RADIUS server. Once accepted, the user will be placed in a target VLAN on the Switch where it will have rights and privileges to openly access the Internet.
  • Page 195: Conditions And Limitations

    DNS, UDP and HTTP packets. 4. Certain functions exist on the Switch that will filter HTTP packets, such as the Access Profile function. The user needs to be very careful when setting filter functions for the target VLAN, so that these HTTP packets are not denied by the Switch.
  • Page 196: Web-Based Access Control User Settings

    for users trying to access the network via the switch. This RADIUS server must have already been pre-assigned by the administrator using the RADIUS Server window located in the 802.1X section.
  • Page 197: Netbios Filtering

    If the user enables the NETBIOS filter, the switch will create one access profile and three access rules automatically. If the user enables the extensive NETBIOS filter, the switch will create one more access profile and one more access rule.
  • Page 198: Acl

    These criteria can be specified on a basis of Packet Content, MAC address, or IP address. Due to a chipset limitation, the Switch supports a maximum of 12 access profiles. The rules used to define the access profiles are limited to a total of 1536 rules for the Switch.
  • Page 199: Access Profile List

    Switch will examine, such as the MAC source address or the IP destination address. The second part is entering the criteria the Switch will use to determine what to do with the frame. The entire process is described below in two parts.
  • Page 200 Figure 6 - 3 Add Access Profile (Ethernet) If creating an Ethernet ACL, enter the Profile ID and Profile Name and click Select; the following window will appear.
  • Page 201 Click on the boxes at the top of the table, which will then turn red and reveal parameters for configuration. To create a new entry, enter the correct information and click Create. To return to the Access Profile List page, click Back.
  • Page 202 Ethernet Type Selecting this option instructs the Switch to examine the Ethernet type value in each frame's header. Click Create to view the new Access Profile List entry in the Access Profile List table shown below. To add another Access Profile, click Add ACL Profile.
  • Page 203 802.1p user priority re-written to its original value before being forwarded by the Switch Replace DSCP (0- Select this option to instruct the Switch to replace the DSCP value (in a packet that meets the selected criteria) with the value entered in the adjacent field.
  • Page 204 Precedence header. Time Range Name Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window. This will set specific times when this access rule will be implemented on the Switch.
  • Page 205 Click on the boxes at the top of the table, which will then turn red and reveal parameters for configuration. To create a new entry, enter the correct information and click Create. To return to the Access Profile List page, click Back.
  • Page 206 Select IGMP to instruct the Switch to examine the Internet Group Management Protocol (IGMP) field in each frame's header. Select TCP to use the TCP port number contained in an incoming packet as the forwarding criterion.
  • Page 207 To return to the Access Profile List, click Show All Profiles. To add a rule to a previously configured entry, click the corresponding Add/View Rules, which will reveal the following window;...
  • Page 208 Select this option to instruct the Switch to replace the DSCP value (in a packet that meets the selected criteria) with the value entered in the adjacent field. Replace ToS Precedence Select this option to instruct the Switch to replace the Type of Service as part of the packet header.
  • Page 209 Description IPv6 Class Ticking this check box will instruct the Switch to examine the class field of the IPv6 header. This class field is a part of the packet header that is similar to the Type of Service (ToS) or Precedence bits field in IPv4.
  • Page 210 Click Create to view the new Access Profile List entry in the Access Profile List table shown below. To add another Access Profile, click Add ACL Profile. To delete a profile, click the corresponding Delete button. To view the specific configurations for an entry, click the Show Details button.
  • Page 211 Select this option to instruct the Switch to replace the DSCP value (in a packet that meets the selected criteria) with the value entered in the adjacent field. Replace ToS Precedence Select this option to instruct the Switch to replace the Type of Service as part of the packet header.
  • Page 212 Precedence bits field in IPv4. Rx Rate (1-15624) Use this to limit Rx bandwidth for the profile being configured. This rate is implemented using the following equation: 1 value = 64Kbit/sec. (ex. If the user selects an Rx rate of 10 then the ingress rate is 640Kbit/sec.) The user may select a value between 1 and 15624 or...
  • Page 213 With this advanced unique Packet Content Mask (also known as Packet Content Access Control List - ACL), the D-Link switch family can effectively mitigate some network attacks like the common ARP Spoofing attack that is widespread today. This is why the Packet Content ACL is...
  • Page 214 able to inspect any specified content of a packet in different protocol layers. Click Apply to implement changes made. Click Create to view the new Access Profile List entry in the Access Profile List table shown below. To add another Access Profile, click Add ACL Profile.
  • Page 215 Select this option to instruct the Switch to replace the DSCP value (in a packet that meets the selected criteria) with the value entered in the adjacent field. Replace ToS Precedence Select this option to instruct the Switch to replace the Type of Service as part of the packet header.
  • Page 216: Cpu Interface Filtering

    Due to a chipset limitation and needed extra switch security, the Switch incorporates CPU Interface filtering. This added feature increases the running security of the Switch by enabling the user to create a list of access rules for packets destined for the Switch’s CPU interface. Employed similarly to the Access Profile feature previously mentioned, CPU interface filtering examines Ethernet, IP and Packet Content Mask packet headers destined for the CPU and will either forward them or filter them, based on the user’s implementation.
  • Page 217: Cpu Access Profile List

    Figure 6 - 28 CPU Access Profile List window This window displays the CPU Access Profile List entries created on the Switch (one CPU access profile of each type has been created for explanatory purposes). To view the configurations for an entry, click the corresponding Show Details button.
  • Page 218 This will change the menu according to the requirements for the type of profile. Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header. Select IPv4 to instruct the Switch to examine the IPv4 address in each frame's header.
  • Page 219 This will change the menu according to the requirements for the type of profile. Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header. Select IPv4 to instruct the Switch to examine the IPv4 address in each frame's header.
  • Page 220 Destination IP Mask Enter an IP address mask for the destination IP address. Protocol Selecting this option instructs the Switch to examine the protocol type value in each frame's header. You must then specify what protocol(s) to include according to the following...
  • Page 221 Select Packet Content Mask to specify a mask to check the content of the packet header. IPv6 Class Checking this field will instruct the Switch to examine the class field of the IPv6 header. This class field is a part of the packet header that is similar to the Type of Service (ToS) or Precedence bits field in IPv4.
  • Page 222 This will change the menu according to the requirements for the type of profile. Select Ethernet to instruct the Switch to examine the layer 2 part of each packet header. Select IPv4 to instruct the Switch to examine the IPv4 address in each frame's header.
  • Page 223 the 15th byte. • 16-31 – Enter a value in hex form to mask the packet from byte 16 to byte 31. • 32-47 – Enter a value in hex form to mask the packet from byte 32 to byte 47.
  • Page 224 Action Select Permit to specify that the packets that match the access profile are forwarded by the Switch, according to any additional rule added (see below). Select Deny to specify the packets that match the access profile to be filtered.
  • Page 225 To establish the rule for a previously created CPU Access Profile: To configure the Access Rules for IP, open the CPU Access Profile List window and click Add/View Rules for an IP entry.
  • Page 226 Enter an IPv6 Class. The class can be between 0 – 255. Flow Label Configuring this field, in hex form, will instruct the Switch to examine the flow label field of the IPv6 header. This flow label field is used by a source to label sequences of packets such as non-...
  • Page 227 default quality of service or real time service packets. Time Range Name Tick the check box and enter the name of the Time Range settings that has been previously configured in the Time Range Settings window. This will set specific times when this access rule will be implemented on the Switch.
  • Page 228: Acl Finder

    Select Deny to specify the packets that match the access profile to be filtered. Offset This field will instruct the Switch to mask the packet header beginning with the offset value specified: Offset 0-15 – Enter a value in hex form to mask the packet from the beginning of the packet to the 15th byte.
  • Page 229 To view this window, click ACL > ACL Flow Meter as shown below: The following fields may be configured: Parameter Description Profile ID The pre-configured Profile ID for which to configure the Flow Metering parameters.
  • Page 230 Access ID (1-128) Enter the Access ID that will be used to configure the Flow Metering parameters; enter a value between 1 and 128. Mode Select the mode to be used, either trTCM or srTCM, and enter the corresponding information.
  • Page 231: Monitoring

    Cable Diagnostic This window displays the details of copper cables attached to specific ports on the Switch. If there is an error in the cable this feature can determine the type of error and the position where the error has occurred.
  • Page 232: Cpu Utilization

    To view this window, click Monitoring > CPU Utilization as shown below: To view the CPU utilization by port, use the real-time graphic of the Switch and/or switch stack at the top of the web page by simply clicking on a port. Click Apply to implement the configured settings. The window will automatically refresh with new updated statistics.
  • Page 233: Port Utilization

    Two windows are offered. To select a port to view these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port.
  • Page 234 Select the desired setting between 1s and 60s, where "s" stands for seconds. The default value is one second. Record Number Select number of times the Switch will be polled between 20 and 200. The default value is 200. The total number of packets (including bad packets) received that were 64 octets in length...
  • Page 235: Memory Utilization

    Received (RX) This table displays the RX packets on the Switch. To select a port to view these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port.
  • Page 236 Select the desired setting between 1s and 60s, where "s" stands for seconds. The default value is one second. Record Number Select number of times the Switch will be polled between 20 and 200. The default value is 200. View...
  • Page 237: Umb_Cast (Rx)

    This table displays the UMB_cast RX Packets on the Switch. To select a port to view these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port.
  • Page 238: Transmitted (Tx)

    To select a port to view these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port.
  • Page 239 Select the desired setting between 1s and 60s, where "s" stands for seconds. The default value is one second. Record Number Select number of times the Switch will be polled between 20 and 200. The default value is View Table.
  • Page 240 200. Bytes Counts the number of bytes successfully sent on the port. Packets Counts the number of packets successfully sent on the port. Unicast Counts the total number of good packets that were transmitted by a unicast address.
  • Page 241: Errors

    Errors The Web Manager allows port error statistics compiled by the Switch's management agent to be viewed as either a line graph or a table. Four windows are offered. Received (RX) To select a port to view these statistics for, select the port by using the Port pull-down menu.
  • Page 242: Transmitted (Tx)

    To select a port to view these statistics for, select the port by using the Port pull-down menu. The user may also use the real-time graphic of the Switch at the top of the web page by simply clicking on a port.
  • Page 243 Select the desired setting between 1s and 60s, where "s" stands for seconds. The default value is one second. Record Number Select number of times the Switch will be polled between 20 and 200. The default value is 200. ExDefer Counts the number of packets for which the first transmission attempt on a particular interface was delayed because the medium was busy.
  • Page 244: Port Access Control

    Clicking this button instructs the Switch to display a line graph rather than a table. Port Access Control The following windows are used to monitor 802.1X statistics of the Switch, on a per port basis. RADIUS Authentication This table contains information concerning the activity of the RADIUS authentication client on the client side of the RADIUS authentication protocol.
  • Page 245: Radius Account Client

    as sysName in MIB II.) ServerIndex The identification number assigned to each RADIUS Authentication server that the client shares a secret with. AuthServerAddress The (conceptual) table listing the RADIUS authentication servers with which the client shares a secret.
  • Page 246 The user may also select the desired time interval to update the statistics, between 1s and 60s, where “s” stands for seconds. The default value is one second. To clear the current statistics shown, click the Clear button in the top left hand corner.
  • Page 247: Authenticator State

    PacketsDropped Authenticator State The following section describes the 802.1X Status on the Switch. To view this window, click Monitoring > Port Access Control > Authenticator State as shown below: Figure 7 - 20 Authenticator State window (for MAC-based 802.1X) Figure 7 - 21 Authenticator State window (for Port-based 802.1X)
  • Page 248: Authenticator Statistics

    Authenticator Statistics This window contains the statistics objects for the Authenticator PAE associated with each port. An entry appears in this table for each port that supports the Authenticator function. To view this window, click Monitoring > Port Access Control > Authenticator Statistics as shown below: Figure 7 - 22 Authenticator Statistics window (for MAC-based 802.1X)
  • Page 249: Authenticator Session Statistics

    Rx Resp The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator. Rx Invalid The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
  • Page 250: Authenticator Diagnostics

    The user may select the desired time interval to update the statistics, between 1s and 60s, where “s” stands for seconds. The default value is one second. The following fields can be viewed:...
  • Page 251 The following fields can be viewed: Parameter Description Port The identification number assigned to the Port by the System in which the Port resides. Connect Enter Counts the number of times that the state machine transitions to the CONNECTING state from any other state.
  • Page 252: Browse Arp Table

    Browse ARP Table This window displays current ARP entries on the Switch. To search a specific ARP entry, enter an Interface Name or an IP Address at the top of the window and click Find. Click the Show Static button to display static ARP table entries.
  • Page 253: Vlan

    The following windows are used to configure the VLAN settings of the Switch. Browse VLAN This window allows the VLAN status for each of the Switch's ports to be viewed by VLAN. Enter a VID (VLAN ID) in the field at the top of the window and click the Find button.
  • Page 254: Show Vlan Ports

    Show VLAN Ports This window allows the VLAN status for each of the Switch's ports to be viewed by VLAN. Enter a VID (VLAN ID) in the field at the top of the window and click the Find button.
  • Page 255: Igmp Snooping Forwarding Table

    Enter the appropriate information and click Find; the information will be shown in the IGMP Snooping Group Table. The following field can be viewed: Parameter Description VLAN Name The VLAN ID of the multicast group.
  • Page 256: Mld Snooping

    IGMP Snooping for IPv4. The user may browse this table by VLAN Name present in the Switch by entering that VLAN Name in the empty field shown below, and clicking the Find button. The number of MLD reports that were snooped is displayed in the Reports field.
  • Page 257: Mld Snooping Forwarding Table

    Figure 7 - 35 MLD Snooping Group window Enter a VLAN Name or VLAN List and Group IP Address in the appropriate field and click the Find button. MLD Snooping Forwarding Table This window is used to display the current MLD snooping forwarding information on the Switch.
  • Page 258: Browse Mld Snooping Counter

    CFM Packet Counter List This window displays the CFM packet Rx/Tx counters on the Switch. Enter the ports you wish to view and click Find. To view this window, click Monitoring > CFM > CFM Packet Counter List as shown below:...
  • Page 259: Cfm Packet Counter Ccm List

    CFM Packet Counter CCM List This window displays the CCM database entries on the Switch. To view this window, click Monitoring > CFM > CFM Packet Counter CCM List as shown below:...
  • Page 260: Mac Address Table

    MAC Address Table This allows the Switch's dynamic MAC address forwarding table to be viewed. When the Switch learns an association between a MAC address and a port number, it makes an entry into its forwarding table. These entries are then used to forward packets through the Switch.
  • Page 261: Ethernet Oam

    Browse Ethernet OAM Event Log This window allows the user to view the Ethernet OAM event log information. The Switch can buffer up to 1000 event logs. The event log will provide and record detailed information about each OAM event. Specify the port number and port list you wish to view and click Find.
  • Page 262 Figure 7 - 46 Browse Ethernet OAM Statistics window...
  • Page 263: Historical Counter & Utilization

    Browse Historical Counter This window is used to display statistics about the packets sent and received by the Switch. The counters are set up in 15 minute and one day intervals. There is a maximum of five 15 minute historical statistic entries supported for each port, with one being the most recent 15 minutes of data.
  • Page 264: Browse Historical Utilization

    To view this window, click Monitoring > System Log as shown below: The Switch can record event information in its own logs, to designated SNMP trap receiving stations, and to the PC connected to the console manager. Click Next to go to the next page of the System Log window. Clicking Clear Log will allow the user to clear the Switch History Log.
  • Page 265 Log Type Choose the type of log to view. There are two choices: Regular Log – Choose this option to view regular switch log entries, such as logins or firmware transfers. Attack Log – Choose this option to view attack log files, such as spoofing attacks.
  • Page 266: Save Services And Tools

    Save Services and Tools: Save Configuration ID 1; Save Configuration ID 2; Save Log; Save All; Configuration File Backup & Restore; Upload Log File; Reset; Download Firmware; Reboot System. The four Save windows include: Save Configuration 1, Save Configuration 2, Save Log, and Save All. Each version of the window will aid the user in saving configurations to the Switch’s memory.
  • Page 267: Save Configuration Id 2

    Save Configuration ID 2 Open the Save drop-down menu at the top of the Web manager and click Save Configuration ID 2 to open the following window: Save Log Open the Save drop-down menu at the top of the Web manager and click Save Log to open the following window:...
  • Page 268: Configuration File Backup & Restore

    Upload Log File A history and attack log can be uploaded from the Switch to a TFTP server. To upload a log file, enter a Server IP address, Interface Name and file/path name and then click Upload or Upload Attack Log.
  • Page 269: Download Firmware

    Clicking the Yes radio button will instruct the Switch to save the current configuration to non-volatile RAM before restarting the Switch. Clicking the No radio button instructs the Switch not to save the current configuration before restarting the Switch. All of the configuration information entered from the last time Save Changes was executed will be lost.
  • Page 270: Mitigating Arp Spoofing Attacks Using Packet Content Acl

    IP address is known. This protocol is vulnerable because the IP and MAC information in ARP packets can be spoofed to attack a LAN (known as ARP spoofing). This document is intended to introduce the ARP protocol, ARP spoofing attacks, and the countermeasure provided by D-Link's switches against the ARP spoofing attack.
  • Page 271 Figure - 2 When the switch floods the frame of ARP requests to the network, all PCs will receive and examine the frame but only PC B will reply to the query as the destination IP address of PC B matches (see Figure-3).
  • Page 272 Table – 4 (Ethernet frame format) The switch will also examine the “Source Address” of the Ethernet frame and find that the address is not in the Forwarding Table. The switch will learn PC B’s MAC and update its Forwarding Table.
  • Page 273 How ARP spoofing attacks a network ARP spoofing, also known as ARP poisoning, is a method to attack an Ethernet network which may allow an attacker to sniff data frames on a LAN, modify the traffic, or stop the traffic altogether (known as a Denial of Service - DoS attack).
  • Page 274 Gratuitous ARP frame fields: Ethernet (Destination address, Source address, Ethernet type); H/W type; Protocol type; H/W address length; Protocol address length; Operation; Sender H/W address; Sender protocol address; Target H/W address; Target protocol address...
  • Page 275 2. The switch will deny all other ARP packets which claim they are from the gateway’s IP. The design of Packet Content ACL on the DGS-3700 Series enables users to inspect any offset_chunk. An offset_chunk is a 4-byte block in a HEX format which is utilized to match the individual field in an Ethernet frame. Each profile is allowed to contain up to a maximum of 4 offset_chunks.
  • Page 276 Table-6: Chunk and Packet offset (rows pair Offset Chunk0 to Offset Chunk4 and Offset Chunk15 to Offset Chunk18 with their packet bytes). Indicates a completed ARP packet contained in the Ethernet frame, which is the pattern for the calculation of packet offset.
  • Page 278: System Log Entries

    DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual System Log Entries The following table lists all possible entries and their corresponding meanings that will appear in the System Log of this Switch. Category Event Description System System started up...
  • Page 279 DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual Log message upload was unsuccessful Interface Port link up Port link down Console Successful login through Console Login failed through Console Logout through Console Console session timed out Successful login through Web Successful login through Web (Username:...
  • Page 280 DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual Spanning Tree Protocol is disabled Successful login through SSH Successful login through SSH (Username: Login failed through SSH Logout through SSH SSH session timed out SSH server is enabled SSH server is disabled...
  • Page 281 DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual Login failed through Telnet Login failed through Telnet from <userIP> authenticated by AAA local authenticated by AAA local method (Username: method <username>, MAC: <macaddr>) Successful login through SSH Successful login through SSH from <userIP>...
  • Page 282 DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual server <username>, MAC: <macaddr>) Login failed through Telnet Login failed through Telnet from <userIP> authenticated by AAA server authenticated by AAA server <serverIP> (Username: <username>, MAC: <macaddr>) Successful login through SSH Successful login through SSH from <userIP>...
  • Page 283 Successful Enable Admin Successful Enable Admin through SSH from <userIP> through SSH authenticated by authenticated by AAA none method (Username: AAA none method <username>, MAC: <macaddr>) Successful Enable Admin Successful Enable Admin through Console through Console authenticated by AAA server <serverIP>...
  • Page 284 Web(SSL) from <userIP> due to AAA server timeout or improper configuration. Login failed through Telnet from user due to AAA server timeout or improper configuration. Enable Admin failed through Telnet from user due to AAA server timeout or improper configuration.
  • Page 285 Unauthenticated IP address encountered and discarded by IP-MAC port binding Loop-back LBD loop occurred Detection LBD port recovered. Loop detection restarted LBD loop occurred. Packet discard begun LBD recovered. Loop detection restarted...
  • Page 286 IP and IP Address change activity Password Changed Password change activity Dual Execution error encountered Configuration during system boot-up 802.1X VID assigned from RADIUS server after RADIUS client authenticated by RADIUS server successfully.
  • Page 287: Proprietary Trap List

    Login Fail Aged out
    DGS-3700 Series Trap List (Trap Name / OID: Variable Bind)
    coldStart / 1.3.6.1.6.3.1.1.5.1: None
    WarmStart / 1.3.6.1.6.3.1.1.5.2: None
    authenticationFailure / 1.3.6.1.6.3.1.1.5.5: None
    linkDown / 1.3.6.1.6.3.1.1.5.3: ifIndex, ifAdminStatus, ifOperStatus
    linkup / 1.3.6.1.6.3.1.1.5.4: ifIndex, ifAdminStatus, ifOperStatus...
  • Page 288
    swPowerStatusChg 1.3.6.1.4.1.171.12.11.2.2.2.0.1
    swFanFailure 1.3.6.1.4.1.171.12.11.2.2.3.0.1
    swFanRecover 1.3.6.1.4.1.171.12.11.2.2.3.0.2
    swMacBasedAuthLoggedSuccess 1.3.6.1.4.1.171.12.35.11.1.0.1
    SwMacBasedAuthLoggedFail 1.3.6.1.4.1.171.12.35.11.1.0.2
    SwMacBasedAuthAgesOut 1.3.6.1.4.1.171.12.35.11.1.0.3
    SwExternalAlarm 1.3.6.1.4.1.171.12.11.2.2.5.0.1
    SwDdmAlarmTrap 1.3.6.1.4.1.171.12.72.4.0.1
    SwDdmWarningTrap 1.3.6.1.4.1.171.12.72.4.0.2
    swL2PortLoopOccurred 1.3.6.1.4.1.171.11.102.1.1.2.100.1.2.0
    swL2PortLoopRestart 1.3.6.1.4.1.171.11.102.1.1.2.100.1.2.0
    swL2VlanLoopOccurred 1.3.6.1.4.1.171.11.102.1.1.2.100.1.2.0
    swL2VlanLoopRestart 1.3.6.1.4.1.171.11.102.1.1.2.100.1.2.0
    swPowerStatusChgSeverity swFanFailureSeverity swFanRecoverSeverity swMacBasedAuthLoggedSucc SwMacBasedAuthLoggedFail...
  • Page 289: Glossary

    A port which does not learn device addresses, and which receives all frames with an unknown address. Backbone ports are normally used to connect the Switch to the backbone of your network. Note that backbone ports were formerly known as designated downlink ports.
  • Page 290 A device, which filters, forwards and floods packets based on the packet's destination address. The switch learns the addresses associated with each switch port and builds tables based on this information to be used for the switching decision. TCP/IP: A layered set of communications protocols providing Telnet terminal emulation, FTP file transfer, and other services for communication among a wide range of computer equipment.
  • Page 291: Password Recovery Procedure

    This section will explain how the Password Recovery feature can help network administrators reach this goal. The following steps explain how to use the Password Recovery feature on D-Link devices to easily recover passwords. Complete these steps to reset the password: For security reasons, the Password Recovery feature requires the user to physically access the device.
  • Page 292 Command Parameters {<username>} reset. show account The show account command displays all previously created accounts.
