D-Link DWS-1008 - AirPremier MobileLAN Switch Product Manual

8 port 10/100 wireless switch with power over ethernet

Summary of Contents for D-Link DWS-1008 - AirPremier MobileLAN Switch

  • Page 2: Table Of Contents

    Overview (p. 18); Quick Starts (p. 18); CLI (p. 18); Web View (p. 18); Web Quick Start (p. 19); Web Quick Start Parameters (p. 19); Web Quick Start Requirements (p. 19); Accessing the Web Quick Start (p. 20); CLI quickstart Command (p. 22); Quickstart Example (p. 23). D-Link DWS-1008 User Manual...
  • Page 3

    Displaying Port Configuration and Status (p. 42); Displaying PoE State (p. 43); Displaying Port Statistics (p. 43); Clearing Statistics Counters (p. 44); Monitoring Port Statistics (p. 44); Configuring Load-Sharing Port Groups (p. 45); Load Sharing (p. 45); Link Redundancy (p. 45); Configuring a Port Group (p. 46)
  • Page 4

    Designating the System IP Address (p. 65); Displaying the System IP Address (p. 65); Clearing the System IP Address (p. 65); Configuring and Managing IP Routes (p. 66); Displaying IP Routes (p. 67); Adding a Static Route (p. 68); Removing a Static Route (p. 69)
  • Page 5

    Configuring and Managing NTP (p. 82); Adding an NTP Server (p. 83); Removing an NTP Server (p. 83); Changing the NTP Update Interval (p. 83); Resetting the Update Interval to the Default (p. 84); Enabling the NTP Client (p. 84); Displaying NTP Information (p. 84)
  • Page 6

    How a Distributed AP Contacts a Switch (DHCP-Obtained Address) (p. 109); How a Distributed AP Contacts an Switch (Statically Configured Address) (p. 111); Loading and Activating an Operational Image (p. 113); Obtaining Configuration Information from the Switch (p. 113); Session Load Balancing (p. 114)
  • Page 7

    Disabling or Reenabling Encryption for an SSID (p. 136); Disabling or Reenabling Beaconing of an SSID (p. 137); Changing the Fallthru Authentication Type (p. 137); Changing Transmit Rates (p. 137); Disabling Idle-Client Probing (p. 139); Changing the User Idle Timeout (p. 139)
  • Page 8

    Creating a Service Profile for WPA (p. 161); Enabling WPA (p. 161); Specifying the WPA Cipher Suites (p. 161); Changing the TKIP Countermeasures Timer Value (p. 162); Enabling PSK Authentication (p. 163); Disabling 802.1X Authentication for WPA (p. 164); Displaying WPA Settings (p. 164)
  • Page 9

    Configuring AP Radios to Listen for AeroScout RFID Tags (p. 186); Locating an RFID Tag (p. 188); Configuring Quality of Service (p. 189); About QoS (p. 189); Summary of QoS Features (p. 189); QoS Mode (p. 190); WMM QoS Mode (p. 191); WMM QoS on the DWS-1008 Switch (p. 191)
  • Page 10

    Configuring and Managing STP Fast Convergence Features (p. 207); Port Fast Convergence (p. 208); Backbone Fast Convergence (p. 208); Uplink Fast Convergence (p. 208); Configuring Port Fast Convergence (p. 208); Displaying Port Fast Convergence Information (p. 209); Configuring Backbone Fast Convergence (p. 209)
  • Page 11

    Setting a Source IP ACL (p. 227); Wildcard Masks (p. 228); Class of Service (p. 228); Setting an ICMP ACL (p. 229); Setting TCP and UDP ACLs (p. 230); Setting a TCP ACL (p. 230); Setting a UDP ACL (p. 230); Determining the ACE Order (p. 231)
  • Page 12

    Public and Private Keys (p. 257); Digital Certificates (p. 258); PKCS #7, PKCS #10, and PKCS #12 Object Files (p. 258); Certificates Automatically Generated by MSS (p. 260); Creating Keys and Certificates (p. 260); Choosing the Appropriate Certificate Installation Method for Your Network (p. 261)
  • Page 13

    Adding MAC Users and Groups (p. 288); Clearing MAC Users and Groups (p. 288); Configuring MAC Authentication and Authorization (p. 289); Changing the MAC Authorization Password for RADIUS (p. 290); Configuring Web Portal WebAAA (p. 291); How Web Portal WebAAA Works (p. 291)
  • Page 14

    Displaying and Positioning Location Policy Rules (p. 326); Clearing Location Policy Rules and Disabling the Location Policy (p. 326); Configuring Accounting for Wireless Network Users (p. 327); Configuring Periodic Accounting Update Records (p. 328); Enabling System Accounting Messages (p. 328)
  • Page 15

    Enabling and Disabling 802.1X Reauthentication (p. 352); Setting the Maximum Number of 802.1X Reauthentication Attempts (p. 352); Setting the 802.1X Reauthentication Period (p. 353); Setting the Bonded Authentication Period (p. 353); Managing Other Timers (p. 354); Setting the 802.1X Quiet Period (p. 354)
  • Page 16

    Changing or Disabling the User Idle Timeout (p. 376); Rogue Detection and Countermeasures (p. 377); About Rogues and RF Detection (p. 377); Rogue Access Points and Clients (p. 377); Rogue Classification (p. 377); Rogue Detection Lists (p. 378); RF Detection Scans (p. 379); Dynamic Frequency Selection (DFS) (p. 379); Countermeasures (p. 380)
  • Page 17

    Specifying the Configuration File to Use After the Next Reboot (p. 408); Loading a Configuration File (p. 409); Specifying a Backup Configuration File (p. 409); Resetting to the Factory Default Configuration (p. 410); Backing Up and Restoring the System (p. 411); Managing Configuration Changes (p. 412)
  • Page 18

    Remotely Monitoring Traffic (p. 431); How Remote Traffic Monitoring Works (p. 432); Using Snoop Filters on Radios That Use Active Scan (p. 432); All Snooped Traffic Is Sent in the Clear (p. 432); Best Practices for Remote Traffic Monitoring (p. 433)
  • Page 19

    Traffic Ports Used by MSS (p. 448); DHCP Server (p. 449); How the MSS DHCP Server Works (p. 450); Configuring the DHCP Server (p. 451); Displaying DHCP Server Information (p. 452); Glossary (p. 453); Technical Specifications (p. 475); Warranty (p. 478); Registration (p. 483)
  • Page 20: Product Overview

    The DWS-1008 switch has been designed and tested to be installed in an operating ambient temperature of 0° C to +40° C (32° F to 104° F). To reduce the risk of equipment damage, install equipment with consideration to these ambient conditions.
  • Page 21: Introduction

    AAA and 802.1x offload capabilities. The D-Link MobileLAN solution is powered by Trapeze Networks and executes Trapeze Networks’ Mobility System Software (MSS), which maintains the intelligence of the MobileLAN system. In addition to managing users’...
  • Page 22: Hardware Overview (Front Panel)

    PoE is on but no access point is connected to the link.
    Blinking amber - Access point is not connected or is unresponsive, or there is a PoE problem.
    Unlit - Port is not configured as an AP access port, or PoE is off.
  • Page 23: Features

    • System log - The DWS-1008 generates log messages to log system events. The log messages are stored locally and also can be exported to syslog servers.
    • Simple Network Management Protocol (SNMP) - A DWS-1008 switch can be configured to generate SNMP traps for major system events.
  • Page 24: Text And Syntax Conventions

    File > New indicates that you select New from the File menu.
    [ ] (square brackets) - Enclose optional parameters in command syntax.
    { } (curly brackets) - Enclose mandatory parameters in command syntax.
    | (vertical bar) - Separates mutually exclusive options in command syntax.
  • Page 25: Installation

    PoE- Note: Mounting a DWL-8220AP access point on a solid surface requires CAT5 cable that does not have strain relief. For installation on all other surfaces, you can use CAT5 cable with or without strain relief.
  • Page 26: Installation Hardware And Tools

    Do not install equipment such that the branch circuit current and voltage protection is exceeded. Pay particular attention to the earthing connection for the supply connections. When using an extension cord or power strip, pay attention to the grounding type.
  • Page 27: Getting Started

    (RF) signals to and from wireless users and connect them to a DWS-1008 switch. • Mobility System Software™ (MSS™) - The operating system (firmware) that runs all D-Link DWS-1008 switches and DWL-8220AP access points in a WLAN, and is accessible through a command-line interface (CLI).
  • Page 28: Using The Command-Line Interface

    Mobility System Software (MSS) operates a D-Link wireless LAN (WLAN) consisting of the DWS-1008 switch and DWL-8220AP access points. MSS has a command-line interface (CLI) on the switch that you can use to configure and manage the switch and its attached access points.
  • Page 29: Syntax Notation

    MAC addresses, virtual LAN (VLAN) names, and ports in a single command. D-Link recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For example, do not configure two separate VLANs with the names red and RED.
  • Page 30: MAC Address Notation

    The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
  • Page 31: Globs

    All users with usernames that have no delimiters.
    EXAMPLE\* - All users in the Windows® Domain EXAMPLE with usernames that have no delimiters.
    EXAMPLE\*.* - All users in the Windows® Domain EXAMPLE whose usernames contain a period.
    All users
  • Page 32: MAC Address Globs

    MAC address, or VLAN to a glob. To verify the order, view the output of the show aaa or show config command. MSS checks globs that appear higher in the list before items lower in the list and uses the first successful match.
  • Page 33: Port Lists

    • A hyphen-separated range of port numbers, with no spaces. For example:
      DWS-1008# reset port 1-4
    • Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:
      DWS-1008# show port status 1-3,6
  • Page 34: Command-Line Editing

    Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.
    Tabs
    The MSS CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters.
  • Page 35: Single-Asterisk (*) Wildcard Character

    Show, use ‘show help’ for more information
    telnet telnet IP address [server port]
    traceroute Print the route packets take to network host
    To see a subset of the online help, type the command for which you want more information.
  • Page 36: Understanding Command Descriptions

    Each command description in the D-Link Command Reference contains the following elements:
    • A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:...
  • Page 37: DWS-1008 Setup Methods

    IP connectivity. (Web View access also requires the switch’s HTTPS server to be enabled.) The Web Quick Start application is accessible only on unconfigured switches.
  • Page 38: Web Quick Start

    • PC with an Ethernet port that you can connect directly to the switch
    • Category 5 (Cat 5) or higher Ethernet cable
    If the PC is connected to the network, power down the PC or disable its network interface card (NIC), then unplug the PC from the network.
  • Page 39: Accessing The Web Quick Start

    Do not click the browser’s Refresh or Reload button at any time while using the wizard. If you do click Refresh or Reload, all the information you have entered in the wizard will be cleared.
  • Page 40

    If you click Finish, the wizard saves the configuration settings into the switch’s configuration file. If the switch is rebooted, the configuration settings are restored when the reboot is finished. The switch is ready for operation. You do not need to restart the switch.
  • Page 41: CLI quickstart Command

    2. Press Enter three times, to display a username prompt (Username:), a password prompt (Password:), and then a command prompt such as the following:
       DWS-1008-aabbcc>
    3. Access the enabled level (the configuration level) of the CLI:
       DWS-1008-aabbcc> enable
  • Page 42: Quickstart Example

    If you configure time and date parameters, you will be required to enter a name for the timezone, and then enter the value of the timezone (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name.
  • Page 43

    Type “save config” to save the configuration
       DWS-1008-aabbcc# save config
    6. Optionally, enable Telnet.
       DWS-1008-aabbcc# set ip telnet server enable
    7. Verify the configuration changes.
       DWS-1008-aabbcc# show config
    8. Save the configuration changes.
       DWS-1008-aabbcc# save config
  • Page 44: Overview

    Here is an overview of configuration topics: 1. Console connection - By default, any administrator can connect to the console port and manage the switch, because no authentication is enforced. D-Link recommends that you enforce authentication on the console port after initial connection.
  • Page 45: Before You Start

    D-Link recommends enforcing authentication for administrative access using usernames and passwords stored either locally or on RADIUS servers. Before You Start Before reading more of this chapter, use the Quick Installation Guide to set up your DWS-1008 switch and the attached access points for basic service.
  • Page 46: First-Time Configuration Via The Console

       DWS-1008> enable
    4. Press Enter to display an enabled-mode command prompt:
       DWS-1008#
    Once you see this prompt after you have typed the enable command, you have administrative privileges, which allow you to further configure the switch.
  • Page 47: Setting The Switch Enable Password

    There is one enable password for the entire switch. You can optionally change the enable password from the default. Caution: D-Link recommends that you change the enable password from the default (no password) to prevent unauthorized users from entering configuration commands.
  • Page 48: Authenticating At The Console

    You can configure the console so that authentication is required, or so that no authentication is required. D-Link recommends that you enforce authentication on the console port. To enforce console authentication, take the following steps:
    1. Add a user in the local database by typing the following command with a username and...
  • Page 49: Customizing AAA With "Globs" And Groups

    Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. D-Link recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
  • Page 50: Adding And Clearing Local Users For Administrative Access

    Usernames and passwords can be stored locally on the switch. D-Link recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the switch is the simplest way to store user information.
  • Page 51: Displaying The AAA Configuration

    1812 1813 5
    Server groups
    sg1: r1
    Web Portal: enabled
    set authentication console * local
    set authentication admin * local
    set accounting admin Geetha stop-only local
    set accounting admin * start-stop local
    user Geetha
    Password = 1214253d1d19 (encrypted)
  • Page 52: Saving The Configuration

    To enable local authentication for a console user, you must configure a local username. Natasha types the following commands in this order:
    DWS-1008# set user natasha password m@Jor
    User natasha created
    DWS-1008# set authentication console * local
    success: change accepted.
    DWS-1008# save config
    success: configuration saved.
  • Page 53: Local Authentication For Console Users And RADIUS Authentication For Telnet Users

    DWS-1008# set radius server r1 address 192.168.253.1 key sunFLOW#$
    success: change accepted.
    DWS-1008# set server group sg1 members r1
    success: change accepted.
    DWS-1008# set authentication console * local sg1
    success: change accepted.
    DWS-1008# save config
    success: configuration saved.
  • Page 54: Authentication When RADIUS Servers Do Not Respond

    DWS-1008# set server group sg1 members r1
    success: change accepted.
    DWS-1008# set authentication console * sg1 none
    success: change accepted.
    DWS-1008# set authentication admin * sg1 none
    success: change accepted.
    DWS-1008# save config
    success: configuration saved.
  • Page 55: Configuring And Managing Ports And VLANs

    MSS applies default settings appropriate for the port type. The table on the next page lists the default settings applied for each port type. For example, the access point column lists default settings that MSS applies when you change a port type to ap (DWL-8220AP access point).
  • Page 56: Setting A Port For A Directly Connected Access Point

    To set ports 4 through 6 for access point model DWL-8220AP and enable PoE on the ports, type the following command:
    DWS-1008# set port type ap 4-6 model dwl-8220ap poe enable
    This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
    success: change accepted.
  • Page 57: Configuring For A Distributed AP

    To set port 2 as a wired authentication port, type the following command:
    DWS-1008# set port type wired-auth 2
    success: change accepted
    This command configures port 2 as a wired authentication port supporting one interface and one simultaneous user session.
  • Page 58: Clearing A Port

    For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command:
    DWS-1008# clear port type 5
    This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
    success: change accepted.
  • Page 59: Clearing A Distributed AP

    To set the name of port 2 to adminpool, type the following command:
    DWS-1008# set port 2 name adminpool
    success: change accepted.
    Note: To avoid confusion, D-Link recommends that you do not use numbers as port names.
    Removing a Port Name
    To remove a port name, use the following command:...
  • Page 60: Configuring Port Operating Parameters

    Autonegotiation is enabled by default on a switch’s 10/100 Ethernet ports. Note: D-Link recommends that you do not configure the mode of a switch port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link.
  • Page 61: Disabling Or Reenabling Power Over Ethernet

    Admin Oper Config Actual Type Media
    ==================================================================
    auto 100/full network 10/100BaseTx down auto network 10/100BaseTx down auto network 10/100BaseTx down auto network 10/100BaseTx down auto network 10/100BaseTx auto 100/full 10/100BaseTx down auto network down auto network
  • Page 62: Displaying PoE State

    DWS-1008# show port counters octets port 3
    Port Status Rx Octets Tx Octets
    =======================================
    27965420 34886544
    Note: To display all types of statistics with the same command, use the monitor port counters command.
  • Page 63: Clearing Statistics Counters

    Advances to the next statistics type. Spacebar Exits the monitor. MSS stops displaying the statistics and displays a new command prompt. Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.
  • Page 64: Configuring Load-Sharing Port Groups

    When the failed port starts operating again, the switch begins using it for new traffic flows. Traffic that belonged to the port before it failed continues to be assigned to other ports.
  • Page 65: Configuring A Port Group

    State Affin Port State
    -------------------------------------------------------------------------------------------------
    default server2 none Up
    To indicate that the ports are configured as a port group, the show vlan config output lists the port group name instead of the individual port numbers.
  • Page 66: Removing A Port Group

    Interoperating with Cisco Systems EtherChannel
    Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a D-Link DWS-1008 switch, use the following command on the Catalyst switch:
    set port channel port-list mode on...
  • Page 67: Configuring And Managing VLANs

    You must assign the system IP address to one of the VLANs, for communications between switches and for unsolicited communications such as SNMP traps and RADIUS accounting messages. Any IP address configured on a switch can be used for management access unless explicitly restricted.
  • Page 68: Users And VLANs

    VLANs but on different network ports. If you use a tag value, D-Link recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same, but some other vendors’ devices do.
  • Page 69: Configuring A VLAN

    Specify a VLAN number from 2 to 4093, and specify a name up to 16 alphabetic characters long. You cannot use a number as the first character in a VLAN name. D-Link recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.
  • Page 70: Adding Ports To A VLAN

    VLAN. To remove port 4 from VLAN red, type the following command:
    DWS-1008# clear vlan red port 4
    This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
    success: change accepted.
  • Page 71: Restricting Layer 2 Forwarding Among Clients

    Note: You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but D-Link recommends against it.
    Restricting Layer 2 Forwarding Among Clients
    By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN.
  • Page 72: Displaying VLAN Information

    State Affin Port State
    --------------------------------------------------------------------------------------------------------------------------
    burgundy none none none none none
    Note: The display can include access ports and wired authentication ports, because MSS dynamically adds these ports to a VLAN when handling user traffic for the VLAN.
  • Page 73: Managing The Layer 2 Forwarding Database

    Added by the switch itself - For example, the authentication protocols can add entries for wired and wireless authentication users. The switch also adds any static entries added by the system administrator and saved in the configuration file.
  • Page 74: Displaying Forwarding Database Information

    * = Static Entry. + = Permanent Entry. # = System Entry.
    VLAN Ports TAG Dest MAC/Route Des [CoS] Destination [Protocol Type]
    ----------------------------------------------------------------------------------------------------------------------------------
    00:01:97:13:0b:1f [ALL] aa:bb:cc:dd:ee:ff [ALL] 1 Total 00:0b:0e:02:76:f5 Matching FDB Entries Displayed = 3 [ALL]
  • Page 75: Adding An Entry To The Forwarding Database

    To clear all dynamic forwarding database entries that match all VLANs, type the following command:
    DWS-1008# clear fdb dynamic
    success: change accepted.
    To clear all dynamic forwarding database entries that match ports 3 and 5, type the following command:
    DWS-1008# clear fdb port 3,5
    success: change accepted.
  • Page 76: Configuring The Aging Timeout Period

    To change the aging timeout period, use the following command:
    set fdb agingtime vlan-id age seconds
    For example, to set the aging timeout period for VLAN 2 to 600 seconds, type the following command:
    DWS-1008# set fdb agingtime 2 age 600
    success: change accepted.
  • Page 77: Port And VLAN Configuration Scenario

    2. Configure the country code for operation in the US and verify the configuration change. Type the following commands:
    DWS-1008# set system countrycode US
    success: change accepted.
    DWS-1008# show system
    ===============================================
    Product Name: DWS-1008 System Name: DWS-1008 System Countrycode: System Location: System Contact: System IP: 0.0.0.0
  • Page 78

    DWS-1008# show port poe
    Port Name Link Status Port Type PoE Config PoE Draw(Watts)
    ============================================================
    mgmt disabled finance enabled 7.04 accounting enabled 7.04 shipping enabled 7.04 lobby enabled 7.04 conf_room1 enabled 7.04 Backbone down invalid Backbone down invalid
  • Page 79

    DWS-1008# show vlan config
    VLAN Name Admin Status VLAN State Tunl Affin Port Port Tag State
    ===============================================================
    default none roaming none none
    7. Save the configuration. Type the following command:
    DWS-1008# save config
    success: configuration saved.
  • Page 80: Configuring And Managing Ip Interfaces And Services

    D-Link device for tunneling. If the path MTU between D-Link devices is less than 1384 bytes, a device in the path might further fragment or drop a tunneled packet. If the packet is further fragmented, the receiving switch will not be able to reassemble the fragments, and the packet is dropped.
  • Page 81: Adding An Ip Interface

    MSS also has a configurable DHCP server. You can configure a DHCP client and DHCP server on the same VLAN, but only the client or the server can be enabled. The DHCP client and DHCP server cannot both be enabled on the same VLAN at the same time. D-Link DWS-1008 User Manual...
  • Page 82: How Mss Resolves Conflicts With Statically Configured Ip Parameters

    {enable | disable} The vlan-id can be the VLAN name or number. The following command enables the DHCP client on VLAN corpvlan: DWS-1008# set interface corpvlan ip dhcp-client enable success: change accepted. D-Link DWS-1008 User Manual...
  • Page 83: Displaying Dhcp Client Information

    To remove an IP interface, use the following command: clear interface vlan-id ip Caution: If you remove the IP interface that is being used as the system IP address, features that require the system IP address will not work correctly. D-Link DWS-1008 User Manual...
  • Page 84: Displaying Ip Interface Information

    To display the system IP address, use the following command: show system Clearing the System IP Address Caution: Clearing the system IP address disrupts the features that use the address. To clear the system IP address, use the following command: clear system ip-address D-Link DWS-1008 User Manual...
  • Page 85: Configuring And Managing Ip Routes

    MSS uses a default route. For example, if the route table does not have a route to host 192.168.1.10, the switch uses the default route to forward a packet addressed to that host. D-Link recommends that you configure at least one default route.
  • Page 86: Displaying Ip Routes

    MSS changes the static route state to Down. If the route table contains other static routes to the same destination, MSS selects the resolved route that has the lowest cost. In the following example, the default route to 10.0.1.17 is down, so MSS selects the default route to 10.0.2.17. D-Link DWS-1008 User Manual...
  • Page 87: Adding A Static Route

    To add an explicit route from a switch to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and give the route a cost of 1, type the following command: DWS-1008# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1 success: change accepted. D-Link DWS-1008 User Manual...
  • Page 88: Removing A Static Route

    If you do not press Enter or complete the login before the timer expires, MSS ends the session. These timers are not configurable. Note: To ensure that all CLI management sessions are encrypted, after you configure SSH, disable Telnet. D-Link DWS-1008 User Manual...
  • Page 89: Enabling Ssh

    Optionally, you also can configure MSS either to locally authenticate the user or to use a RADIUS server to authenticate the user. Use the following command: set authentication admin {user-glob} method1 [method2] [method3] [method4] D-Link DWS-1008 User Manual...
  • Page 90: Changing The Ssh Service Port Number

    Caution: If you change the SSH port number from an SSH session, MSS immediately ends the session. To open a new management session, you must configure the SSH client to use the new SSH port number. D-Link DWS-1008 User Manual...
  • Page 91: Managing SSH Server Sessions

    If you do not press Enter or complete the login before the timer expires, MSS ends the session. This timer is not configurable. Enabling Telnet Telnet is disabled by default. To enable Telnet, use the following command: set ip telnet server {enable | disable}
  • Page 92: Adding A Telnet User

    To open a new management session, you must Telnet to the switch with the new Telnet port number. Resetting the Telnet Service Port Number to Its Default To reset the Telnet management service to its default TCP port, use the following command: clear ip telnet
  • Page 93: Managing Telnet Server Sessions

    Enabling HTTPS HTTPS is disabled by default. To enable HTTPS, use the following command: set ip https server {enable | disable} Caution: If you disable the HTTPS server, Web View access to the switch is also disabled.
  • Page 94: Displaying HTTPS Information

    This command applies to all types of CLI management sessions: console, Telnet, and SSH. The timeout change applies to existing sessions only, not to new sessions. The following command sets the idle timeout to 1800 seconds (one half hour): DWS-1008# set system idle-timeout 1800 success: change accepted.
  • Page 95: Configuring And Managing DNS

    You can configure a switch to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The switch always sends a request to the primary DNS server first. The switch sends a request to a secondary DNS server only if the primary DNS server does not respond.
  • Page 96: Adding A DNS Server

    To add the default domain name, use the following command: set ip dns domain name Specify a domain name of up to 64 alphanumeric characters. Removing the Default Domain Name To remove the default domain name, use the following command: clear ip dns domain
  • Page 97: Displaying DNS Server Information

    DWS-1008# set ip alias HR1 192.168.1.2 success: change accepted. After configuring the alias, you can use HR1 in commands in place of the IP address. For example, to ping 192.168.1.2, you can type the command ping HR1.
  • Page 98: Removing An Alias

    You also can configure MSS to offset the time by an additional hour for daylight savings time or similar summertime period. Note: D-Link recommends that you set the time and date parameters before you install certificates on the switch. If the switch’s time and date are incorrect, the certificate might not be valid.
  • Page 99: Setting The Time Zone

    For example, to display the time zone, type the following command: DWS-1008# show timezone Timezone set to ‘PST’, offset from UTC is -8 hours Clearing the Time Zone To clear the time zone, use the following command: clear timezone
  • Page 100: Configuring The Summertime Period

    Recurring :yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October. Clearing the Summertime Period To clear the summertime period, use the following command: clear summertime
  • Page 101: Statically Configuring The System Time And Date

    64 seconds and waits 15 seconds for a reply. If the switch does not receive a reply to an NTP query within 15 seconds, the switch tries again up to 16 times. You can change the update interval but not the timeout or number of retries.
  • Page 102: Adding An NTP Server

    Note: If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the switch time may take many NTP update intervals. D-Link recommends that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence.
  • Page 103: Resetting The Update Interval To The Default

    Timezone is set to ‘PST’, offset from UTC is -8:0 hours. Summertime is enabled. Last NTP update: Sun Feb 29 2004, 23:58:00 NTP Server Peer state Local State -------------------------------------------------- 192.168.1.5 SYSPEER SYNCED The Timezone and Summertime fields are displayed only if you change the timezone or enable summertime.
  • Page 104: Managing The ARP Table

    The ARP table can also contain static and permanent entries, which are added by an administrator. The State field indicates whether an entry is resolved (RESOLVED) or whether MSS has sent an ARP request for the entry and is waiting for the reply (RESOLVING).
  • Page 105: Adding An ARP Entry

    For example, to disable aging of dynamic ARP entries, type the following command: DWS-1008# set arp agingtime 0 success: set arp aging time to 0 seconds Note: To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.
  • Page 106: Pinging Another Device

    5 packets transmitted, 5 packets received, 0 errors, 0% packet loss In this example, the ping is successful, indicating that the switch has IP connectivity with the other device. Note: A switch cannot ping itself. MSS does not support this.
  • Page 107: Logging In To A Remote Device

    Session 0 pty tty2.d Trying 10.10.10.90... Connected to 10.10.10.90 Disconnect character is ‘^t’ Copyright (c) 2002, 2003 D-Link Systems, Inc. Username: When you press Ctrl+t or type exit to end the client session, the management session returns to the local prompt:.
  • Page 108: Tracing A Route

    1 ms 12 engineering-2.example.com (192.168.196.204) 2 In this example, server1 is four hops away. The hops are listed in order, beginning with the hop that is closest to the switch and ending with the route’s destination.
  • Page 109: Configuring SNMP

    • Configure a notification profile or modify the default one, to enable sending of notifications to notification targets. By default, notifications of all types are dropped (not sent). • Configure notification targets. • Enable the MSS SNMP engine.
  • Page 110: Setting The System Location And Contact Strings

    {read-only | read-notify | notify-only | read-write | notify-read-write} The comm-string can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 10 community strings.
  • Page 111: Creating A USM User For SNMPv3

    To clear a USM user, use the following command: clear snmp usm usm-username snmp-engine-id {ip (ip-addr) | local | hex (hex-string)} The usm-username can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 20 SNMPv3 users.
  • Page 112 8 to 32 alphanumeric characters long, with no spaces. Type a string at least 8 characters long for DES or 3DES, or at least 12 characters long for AES. • To specify a key, use the encrypt-key hex-string option. Type a 16-byte hexadecimal string.
  • Page 113: Command Examples

    - SNMP message exchanges are authenticated and encrypted. (This security level is the same as the authPriv level described in SNMPv3 RFCs.) auth-req-unsec-notify - SNMP message exchanges are authenticated but are not encrypted, and notifications are neither authenticated nor encrypted.
  • Page 114: Command Example

    AutoTuneRadioChannelChangeTraps - Generated when the RF Auto-Tuning feature changes the channel on a radio. AutoTuneRadioPowerChangeTraps - Generated when the RF Auto-Tuning feature changes the power setting on a radio. ClientAssociationFailureTraps - Generated when a client’s attempt to associate with a radio fails.
  • Page 115 RFDetectClientViaRogueWiredAPTraps - Generated when MSS detects, on the wired part of the network, the MAC address of a wireless client associated with a third-party AP. RFDetectDoSPortTraps - Generated when MSS detects an associate request flood, reassociate request flood, or disassociate request flood.
  • Page 116: Command Examples

    RFDetectSpoofedMacAPTraps - Generated when MSS detects a wireless packet with the source MAC address of a D-Link AP, but without the spoofed AP’s signature (fingerprint). RFDetectSpoofedSsidAPTraps - Generated when MSS detects beacon frames for a valid SSID, but sent by a rogue AP.
  • Page 117: Configuring A Notification Target

    To configure a notification target for traps from SNMPv2c, use the following command: set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string trap [profile profile-name] To configure a notification target for traps from SNMPv1, use the following command: set snmp notify target target-num ip-addr[:udp-port-number] v1 community-string [profile profile-name]
  • Page 118 You can specify from 0 to 3 retries. The default is 0. The timeout option specifies the number of seconds MSS waits for acknowledgement of a notification. You can specify from 1 to 5 seconds. The default is 2.
  • Page 119: Command Examples

    • Configured community strings • User-based security model (USM) settings • Notification targets • SNMP statistics counters Displaying SNMP Version and Status Information To display SNMP version and status information, use the following command: show snmp status
  • Page 120: Displaying The Configured SNMP Community Strings

    Displaying Notification Targets To display a list of the SNMP notification targets, use the following command: show snmp notify target Displaying SNMP Statistics Counters To display SNMP statistics counters, use the following command: show snmp counters
  • Page 121: Configuring DWL-8220AP Access Points

    Overview The diagram below shows an example of a D-Link network containing DWL-8220AP access points and DWS-1008 switches. An AP can be directly connected to a switch port or indirectly connected to a switch through a Layer 2 or IPv4 Layer 3 network.
  • Page 122: Country Of Operation

    Distributed AP based on the AP’s serial number. Similar to ports configured for directly connected APs, Distributed AP configurations are numbered and can reference a particular AP. These numbered configurations do not, however, reference any physical port.
  • Page 123: Distributed AP Network Requirements

    • Power - PoE must be provided on one of the Ethernet connections to the AP. Be sure to use a PoE injection device that has been tested by D-Link. Providing PoE on both of the Ethernet connections (on models that have two Ethernet ports) allows redundant PoE.
  • Page 124: Distributed APs And STP

    You can use an IP address list or a hostname list, but not both. If the list contains both types of values, the AP does not attempt to use the list.
  • Page 125: AP Parameters

    LED blink mode - blinking LEDs on upgrade-firmware enable disable an AP make the AP visually easy to identify. Information about the physical location None location of an AP. contact None Contact information for the AP.
  • Page 126: Resiliency And Dual-Homing Options For APs

    DWS-1008 and Ethernet switch. If an intermediate Ethernet connection is used, you also need a Distributed AP configuration on a switch somewhere in the network. Dual-homing support for data link redundancy is automatically enabled when you connect both AP Ethernet ports.
  • Page 127: Boot Process For Distributed APs

    3. The AP broadcasts a DHCP Request to the DHCP servers, and receives an Ack from a DHCP server. The AP then configures its network connection with the information contained in the Ack message from that server.
  • Page 128: Static IP Address Configuration For Distributed APs

    Find switch message to each address. The process skips to step 6. • If no switches reply, the AP repeatedly resends the Find switch messages. If no switches reply, the process continues with step 3.
  • Page 129 • If both DLINK and wlan-switch are defined in DNS, and the AP is unable to contact the IP address returned for DLINK, the AP never contacts the IP address returned for wlan-switch. The AP does not boot.
  • Page 130: How A Distributed AP Contacts A Switch (Statically Configured Address)

    B. The IP address of a suitable switch for the AP to use as a boot device. C. The fully qualified domain name of a switch to use as a boot device, and the IP address of a DNS server used to resolve the switch’s name.
  • Page 131 • If a response is received from the switch, then the AP sends a unicast message to the switch, to request an operational image. • If a response is not received from the switch, then the process skips to step 4 on page 113.
  • Page 132: Loading And Activating An Operational Image

    AP, regulate power levels, assign SSIDs, and so on. After the AP receives the configuration information from the switch, it is then operational on the network as a wireless access point.
  • Page 133: Session Load Balancing

    D-Link recommends that you configure small groups and ensure that all the radios in the group provide comparable coverage within the same service area.
  • Page 134 WPA. To enable PSK encryption for WPA, use the set radio-profileauth-psk command. Sends a short unicast frame up to five times without short-retry-count acknowledgment. Sygate On Demand Agent (SODA) files are not downloaded soda Disable to connecting clients.
  • Page 135 Acks instead of forwarding them as multicasts. Uses WEP key 1 for static WEP encryption of unicast traffic wpa-ie if WEP encryption is enabled and keys are defined. shared-key-auth Disable Does not use the WPA IE in transmitted frames.
  • Page 136: Public And Private SSIDs

    MAC address assignments by using the show {ap | dap} status command. Encryption Encrypted SSIDs can use the following encryption methods: • Wi-Fi Protected Access (WPA) • Non-WPA dynamic Wired Equivalent Privacy (WEP) • Non-WPA static WEP Dynamic WEP is enabled by default.
  • Page 137: Radio Profiles

    You must configure a profile. The service profile sets service-profile No service profiles defined defined the SSID name and other parameters. Requires clients to send a separate PSpoll to retrieve wmm-powersave Disable each unicast packet buffered by the AP radio.
  • Page 138: RF Auto-Tuning

    Location of the radio’s antenna. Note: This parameter applies only to APs that support antenna-location indoors external antennas. D-Link external antenna model antennatype internal. Note: This parameter is configurable only on APs that support external antennas. Highest setting allowed for the...
  • Page 139: Configuring DWL-8220AP Access Points

    Although these parameters have default values, D-Link recommends that you change the values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios.
  • Page 140: Show System

    DWS-1008# show system =============================================================== Product Name: DWS-1008 System Name: DWS-1008 System Countrycode: System Location: System Contact: System IP: 30.30.30.2 System idle timeout: 3600 System MAC: 00:0B:0E:02:76:F6 =============================================================== Boot Time: 2003-05-07 08:28:39 Uptime: 0 days 04:00:07
  • Page 141: Configuring An Auto-AP Profile For Automatic AP Configuration

    • Maximum number of APs that can be configured on the switch, minus the number that are configured. • Maximum number of APs that can be active on the switch, minus the number that are active.
  • Page 142: Configured APs Have Precedence Over Unconfigured APs

    Auto-AP profile parameters and their defaults. The only parameter that requires configuration is the Auto-AP profile mode. The Auto-AP profile is disabled by default. To use the Auto-AP profile to configure Distributed APs, you must enable the profile.
  • Page 143: Changing AP Parameter Values

    {11a | 11b | 11g} set dap auto radio {1 | 2} auto-tune max-power power-level set dap auto radio {1 | 2} mode {enable | disable} set dap auto radio {1 | 2} radio-profile name mode {enable | disable}
  • Page 144: Enabling The Auto-AP Profile

    To display status information for APs configured by the Auto-AP profile, type the following command: DWS-1008# show dap status auto Dap: 100 (auto), IP-addr: 10.8.255.6 (vlan ‘default’), AP model: DWL-8220AP, manufacturer: D-Link, name: DAP100 ==================================================== State: operational (not encrypted) CPU info: IBM:PPC speed=266666664 Hz...
  • Page 145: Converting An AP Configured By The Auto-AP Profile Into A Permanent AP

    Layer network, configure a Distributed AP on the switch. • Optionally, you also can change other parameters that affect the entire AP: • AP name. • Dual-home bias. • Load-balancing group. • Automatic firmware upgrade capability. • LED blink mode
  • Page 146: Setting The Port Type For A Directly Connected AP

    Caution: When you set the port type for AP use, you must specify the PoE state (enable or disable) of the port. Use the DWS-1008 switch’s PoE to power D-Link DWL-8220AP access points only. If you enable PoE on a port connected to another device, physical damage to the device can result.
  • Page 147: Configuring Static IP Addresses On Distributed APs

    DNS server used to resolve the switch’s name. If you specify both the address of the switch, and the switch’s name and DNS server address, then the AP ignores the switch’s address and uses the name.
  • Page 148: Specifying VLAN Information

    Note: The clear port type command does not place the cleared port in any VLAN, not even in the default VLAN (VLAN 1). To use the cleared port in a VLAN, you must add the port to the VLAN. To clear a Distributed AP, use the following command: clear dap dap-num
  • Page 149: Changing AP Names

    {ap port-list | dap dap-num} group name To configure a load-balancing group named loadbalance1 that contains directly-connected access points on ports 1, 4, and 6, type the following command: DWS-1008# set ap 1,4,6 group loadbalance1 success: change accepted.
  • Page 150: Disabling Or Reenabling Automatic Firmware Upgrades

    AP image than the one in the AP’s local storage. If the switch is not running MSS Version 5.0 or later, or the switch has a newer version of the AP image than the version in the AP’s local storage, the AP loads its image from the switch.
  • Page 151: Enabling LED Blink Mode

    APs are configured with an encryption key pair at the factory. The fingerprint for the public key is displayed on a label on the back of the AP, in the following format: RSA aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa If the AP is already installed, you can display the fingerprint in MSS.
  • Page 152: Encryption Options

    To verify an AP’s fingerprint, find the fingerprint and use the set dap fingerprint command to enter the fingerprint in MSS. Finding the Fingerprint An AP’s fingerprint is listed on a label on the back of the AP.
  • Page 153: Verifying A Fingerprint On The Switch

    If the AP is already installed and operating, use the show dap status command to display the fingerprint. The following example shows information for Distributed AP 8, including its fingerprint: DWS-1008# show dap status 8 Dap: 8, IP-addr: 10.2.26.40 (vlan ‘default’), AP model: DWL-8220AP, manufacturer: D-Link, name: DAP08 fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3 ====================================================...
  • Page 154: Fingerprint Log Message

    You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string.
  • Page 155: Removing A Service Profile

    Do not use the clear service-profile command. Disabling or Reenabling Encryption for an SSID To specify whether the SSID is encrypted or unencrypted, use the following command: set service-profile name ssid-type [clear | crypto] The default is crypto.
  • Page 156: Disabling Or Reenabling Beaconing Of An SSID

    The valid rates depend on the radio type: • 11b - 1, 2, 5.5, 11 • 11g - 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Use a comma to separate multiple rates; for example: 6.0,9.0,12.0
  • Page 157 The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps: DWS-1008# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.0 disabled 48.0,54.0 beacon-rate 9.0 success: change accepted.
  • Page 158: Disabling Idle-Client Probing

    To change the user-idle timeout, use the following command: set service-profile name user-idle-timeout seconds The following command increases the user idle timeout to 360 seconds (6 minutes): DWS-1008# set service-profile sp1 user-idle-timeout 360 success: change accepted.
  • Page 159: Changing The Short Retry Threshold

    • Change radio parameters. • Map the radio profile to one or more service profiles. The channel number, transmit power, and external antenna type are unique to each radio and are not controlled by radio profiles.
  • Page 160: Creating A New Profile

    The beacon interval does not change even when advertisement is enabled for multiple SSIDs. MSS still sends one beacon for each SSID during each beacon interval. To change the beacon interval for radio profile rp1 to 200 ms, type the following command: DWS-1008# set radio-profile rp1 beacon-interval 200 success: change accepted.
  • Page 161: Changing The DTIM Interval

    The threshold can be a value from 256 bytes through 3000 bytes. The default is 2346. To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command: DWS-1008# set radio-profile rp1 rts-threshold 1500 success: change accepted.
  • Page 162: Changing The Fragmentation Threshold

    The time can be from 500 ms (0.5 second) through 250,000 ms (250 seconds). The default is 2000 ms (2 seconds). To change the maximum transmit threshold for radio profile rp1 to 4000 ms, type the following command: DWS-1008# set radio-profile rp1 max-tx-lifetime 4000 success: change accepted.
  • Page 163: Changing The Preamble Length

    To reset a radio profile parameter to its default value, use the following command: clear radio-profile name parameter Caution: Make sure you specify the radio profile parameter you want to reset. If you do not specify a parameter, MSS deletes the entire profile from the configuration.
  • Page 164: Removing A Radio Profile

    • For the 802.11a radio in a two-radio model, specify radio 2. Note: The maximum transmit power you can configure on any D-Link radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
  • Page 165 To configure the 802.11a radio on port 5 for channel 36 with a transmit power of 10 dBm, type the following command: DWS-1008# set ap 5 radio 2 channel 36 tx-power 10 success: change accepted. You also can change the channel and transmit power on an individual basis.
  • Page 166: Mapping The Radio Profile To Service Profiles

    DWS-1008# set ap 2-4, 6 radio 2 radio-profile rp1 mode enable success: change accepted. To disable radio 1 on port 6 without disabling the other radios using radio profile rp1, type the following command: DWS-1008# set ap 6 radio 1 radio-profile rp1 mode disable
  • Page 167: Disabling Or Reenabling Radios

    The following commands disable all radios that use radio profile rp1, change the beacon interval, then reenable the radios: DWS-1008# set radio-profile rp1 mode disable success: change accepted. DWS-1008# set radio-profile rp1 beacon-interval 200 success: change accepted. DWS-1008# set radio-profile rp1 mode enable success: change accepted.
  • Page 168: Resetting A Radio To Its Factory Default Settings

    • List of Distributed APs that are not configured on a DWS-1008 switch • Connection information for Distributed APs • Service profile information • Radio profile information • Status information • Information about static IP addresses on Distributed APs • Statistics counters
  • Page 169: Displaying AP Configuration Information

    Bob the IT guy Radio 1: type: 802.11g, mode: disabled, channel: dynamic tx pwr: 1, profile: default auto-tune max-power: default, Radio 2: type: 802.11a, mode: disabled, channel: dynamic tx pwr: 1, profile: default auto-tune max-power: default,
  • Page 170: Displaying Connection Information For Distributed APs

    A hyphen (-) in the DAP field indicates that the AP is configured on another switch in the same Mobility Domain. Displaying a List of Distributed APs that Are Not Configured To display a list of Distributed APs that are not configured, use the following command: show dap unconfigured
  • Page 171: Displaying Active Connection Information For Distributed APs

    Web Portal Session Timeout: Web Portal ACL: WEP Key 1 value: <none> WEP Key 2 value: WEP Key 3 value: <none> WEP Key 4 value: WEP Unicast Index: 1 WEP Multicast Index: Shared Key Auth: NO
  • Page 172: Displaying Radio Profile Information

    The terse option displays a brief line of essential status information for each directly connected AP or Distributed AP. The all option displays information for all directly attached access points and all Distributed AP access points configured on the switch.
  • Page 173: Displaying Static IP Address Information For Distributed APs

    The following command displays the status of a Distributed AP access point: DWS-1008# show dap status 1 Dap: 1, IP-addr: 10.2.30.5 (vlan ‘vlan-corp’), AP model: dwl-8220ap, manufacturer: D-Link, name: DAP01 fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3 =============================================================== State: operational (not encrypted) CPU info: IBM:PPC speed=266666664...
  • Page 174: Displaying AP Statistics Counters

    3964 2.0: 5643 5568 8225 8699 3 1670 0 8695 5.5: 6.0: 9.0: 11.0: 0 12.0: 0 18.0: 0 24.0: 0 36.0: 0 48.0: 0 54.0: 0 TOTL: 6660 55683 832715 8697520 11513 0 0 12948
  • Page 175: Configuring User Encryption

    Note: MSS does not encrypt traffic in the wired part of the network. MSS does not encrypt wireless or wired traffic for users who associate with an unencrypted (clear) SSID.
  • Page 176: Configuring WPA

    You can configure access points to support one or more of these cipher suites. For all of these cipher suites, MSS dynamically generates unique session keys for each session. MSS periodically changes the keys to reduce the likelihood that a network intruder can intercept enough frames to decode a key.
  • Page 177: TKIP Countermeasures

    The MIC used by CCMP, CBC-MAC, is even stronger than Michael and does not require or provide countermeasures. WEP does not use a MIC. Instead, WEP performs a cyclic redundancy check (CRC) on the frame and generates an integrity check value (ICV).
  • Page 178: WPA Authentication Methods

    WPA information that is contained in the beacon frame. • Association request or reassociation (sent by a client) - The WPA IE in an association request lists the authentication method and cipher suite the client wants to use.
  • Page 179: Client Support

    WPA - CCMP WPA - TKIP Static WEP Type WEP40 WEP104 WPA - CCMP Supported WPA - TKIP Supported WPA - WEP40 Supported Supported WPA - WEP 104 Supported Supported Dynamic WEP Supported Static WEP Supported
  • Page 180: Configuring WPA

    To use WPA, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites: • CCMP • TKIP • 40-bit WEP • 104-bit WEP By default, TKIP is enabled and the other cipher suites are disabled.
  • Page 181: Changing The TKIP Countermeasures Timer Value

    To change the countermeasures timer value, use the following command: set service-profile name tkip-mc-time wait-time To change the countermeasures wait time in service profile wpa to 30 seconds, type the following command: DWS-1008# set service-profile wpa tkip-mc-time 30000 success: change accepted.
  • Page 182: Enabling PSK Authentication

    ASCII form of each hexadecimal number. Examples: To configure service profile wpa to use a raw PSK with PSK clients, type a command such as the following: DWS-1008# set service-profile wpa psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d success: change accepted.
  • Page 183: Disabling 802.1X Authentication For WPA

    AUTO 11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0, 36.0,48.0,54.0 The WPA settings appear at the bottom of the output. Note: The WPA fields appear in the show service-profile output only when WPA is enabled.
  • Page 184: Assigning The Service Profile To Radios And Enabling The Radios

    To assign radio profile bldg1 to radio 2 on ports 1-3 and port 5 and enable the radios, type the following command: DWS-1008# set ap 1-3,5 radio 2 radio-profile bldg1 mode enable success: change accepted.
  • Page 185: Configuring RSN (802.11i)

    To enable RSN, you must enable the RSN information element (IE) in the service profile. To enable the RSN IE, use the following command: set service-profile name rsn-ie {enable | disable} To enable RSN in service profile wpa, type the following command: DWS-1008# set service-profile rsn rsn-ie enable success: change accepted.
  • Page 186: Specifying The RSN Cipher Suites

    To display the RSN settings in a service profile, use the following command: show service-profile {name | ?} The RSN settings appear at the bottom of the output. The RSN-related fields appear in the show service-profile output only when RSN is enabled.
  • Page 187: Assigning The Service Profile To Radios And Enabling The Radios

    Static WEP encryption is disabled by default. To enable static WEP encryption, configure the static WEP keys and assign them to unicast and multicast traffic. Make sure you configure the same static keys on the clients.
  • Page 188: Setting Static Wep Key Values

    The num parameter specifies the key and the value can be from 1 to 4.
  • Page 189: Encryption Configuration Scenarios

    3. Set the SSID in the service profile to mycorp. Type the following command: DWS-1008# set service-profile wpa ssid-name mycorp success: change accepted. 4. Enable WPA in service profile wpa. Type the following command: DWS-1008# set service-profile wpa wpa-ie enable success: change accepted.
  • Page 190: Enabling Dynamic Wep In A Wpa Network

    Type the following command: DWS-1008# set authentication dot1x ssid thiscorp EXAMPLE\* pass-through shorebirds 2. Create a service profile named wpa-wep for the SSID. Type the following command: DWS-1008# set service-profile wpa-wep success: change accepted.
  • Page 191 1, profile: rp2 auto-tune max-power: default Radio 2: type: 802.11a, mode: enabled, channel: 36 tx pwr: 1, profile: rp2 auto-tune max-power: default 9. Save the configuration. Type the following command: DWS-1008# save config success: configuration saved.
  • Page 192: Configuring Encryption For Mac Clients

    = blue mac-user aa:bb:cc:dd:ee:ff Group = wpa-for-mac mac-user a1:b1:c1:d1:e1:f1 Group = wpa-for-mac 5. Create a service profile named wpa-wep-for-mac for SSID voice. Type the following command: DWS-1008# set service-profile wpa-wep-for-mac success: change accepted.
  • Page 193 Web Portal ACL: WEP Key 1 value: <none> WEP Key 2 value: <none> WEP Key 3 value: <none> WEP Key 4 value: <none> WEP Unicast Index: 1 WEP Multicast Index: 1 Shared Key Auth: NO WPA enabled:
  • Page 194 1, profile: rp3 auto-tune max-power: default Radio 2: type: 802.11a, mode: enabled, channel: 36 tx pwr: 1, profile: rp3 auto-tune max-power: default 14. Save the configuration. Type the following command: DWS-1008# save config success: configuration saved.
  • Page 195: Configuring Rf Auto-Tuning

    (regulatory domain). In a deployment with few APs, the radio remains at maximum power. Otherwise, the radio reduces power until the power is just enough to reach the AP’s nearest neighbor that is on the same channel.
  • Page 196: How Channels Are Selected

    Ramp-up or ramp-down of the power occurs in 1dBm increments, at regular time intervals. The default interval is 60 seconds and is configurable. The power ramp amount (1dBm per interval) is not configurable.
  • Page 197: Channel Tuning

    By default, a radio cannot change its channel more often than every 900 seconds, regardless of the RF environment. This channel holddown avoids unnecessary changes due to very transient RF changes, such as activation of a microwave oven.
  • Page 198: Tuning The Transmit Data Rate

    60 seconds until the power setting is reached. max-power: Maximum allowed for country of operation. RF Auto-Tuning never sets a radio’s power to a level that is higher than the maximum allowed for the country of operation (countrycode).
  • Page 199: Changing Rf Auto-Tuning Settings

    65535 seconds. If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals. However, RF Auto-Tuning can still change the channel in response to RF anomalies. D-Link recommends that you use an interval of at least 300 seconds (5 minutes).
  • Page 200: Changing The Channel Holddown Interval

    To change the power tuning interval, use the following command: set radio-profile name auto-tune power-interval seconds To set the power tuning interval for radios in radio profile rp2 to 240 seconds, type the following command: DWS-1008# set radio-profile rp2 auto-tune power-interval 240 success: change accepted.
  • Page 201: Changing The Maximum Default Power Allowed On A Radio

    To save the locked down settings, you must save the switch’s configuration. The following commands lock down the channel and power settings for radios in radio profile rp2: DWS-1008# set radio-profile rp2 auto-tune channel-lockdown success: change accepted. DWS-1008# set radio-profile rp2 auto-tune power-lockdown success: change accepted.
  • Page 202: Displaying Rf Auto-Tuning Information

    DWS-1008# show ap config 2 radio 1 Port 2: AP model: DWL-8220AP, POE: enable, bias: high, name: AP02 boot-download-enable: YES force-image-download: NO Radio 1: type: 802.11g, mode: disabled, channel: 6 tx pwr: 1, profile: default auto-tune max-power: default
  • Page 203: Displaying Rf Neighbors

    1, profile: default auto-tune max-power: default Displaying RF Neighbors To display the other radios that a specific D-Link radio can hear, use the following commands: show auto-tune neighbors [ap ap-num [radio {1 | 2 | all}]] show auto-tune neighbors [dap dap-num [radio {1 | 2 | all}]] The list of radios includes beaconed third-party SSIDs, and both beaconed and unbeaconed D-Link SSIDs.
  • Page 204: Displaying Rf Attributes

    To display RF attribute information for radio 1 on the directly connected access point on port 2, type the following command: DWS-1008# show auto-tune attributes ap 2 radio 1 Auto-tune attributes for port 2 radio 1: Noise: -92 Packet Retransmission Count: 0 Utilization: 0 Phy Errors Count: 0 CRC Errors count: 122
  • Page 205: Configuring Aps To Be Aeroscout Listeners

    Engine is configured to request the information from the AP, the AP also sends the information to the AeroScout Engine. The accuracy of the location information depends on the number of listeners (APs). D-Link recommends that you configure at least three listeners.
  • Page 206 DWS-1008# set dap 68 radio 1 channel 7 success: change accepted. DWS-1008# set dap 69 radio 1 channel 7 success: change accepted. DWS-1008# set dap 67 radio 1 radio-profile success: change accepted. DWS-1008# set dap 68 radio 1 radio-profile success: change accepted.
  • Page 207: Locating An Rfid Tag

    4. Add each AP configured as a listener to the map, and enter its IP address. 5. Enable RSSI location calculation. 6. Enable tag positioning. 7. Enable the map to use the APs. To check an AP’s status, right-click on the AP icon and select Status.
  • Page 208: Configuring Quality Of Service

    Broadcast control: One or more of the following can be enabled: • Proxy ARP (set service-profile proxy-arp) • No-Broadcast (set service-profile no-broadcast) • DHCP Restrict (set service-profile dhcp-restrict) All three options are disabled by default.
  • Page 209: Qos Mode

    The static CoS option enables you to easily set CoS for all traffic on an SSID by marking all the SSID’s traffic with the same CoS value. You can use ACLs to override CoS markings or set CoS for non-WMM traffic. The following sections describe each of these options.
  • Page 210: Wmm Qos Mode

    802.1p determines CoS for packets with DSCP 0. CoS 0 of the CoS-to-DSCP map is also reserved. CoS 0 packets are marked with DSCP 0. The table below shows how WMM priority information is mapped across the network. When WMM is enabled, D-Link switches and APs perform these mappings automatically. Service IP IP ToS DSCP 802.1p...
  • Page 211: Wmm Qos On An Ap

    The QoS mode affects forwarding of SVP traffic only. The random wait times for other types of traffic are the same as those used when the QoS mode is WMM.
  • Page 212: U-Apsd Support

    Note: CAC is configured on a service profile basis and limits association to radios only for the service profile’s SSID. Association to the radios by clients on other SSIDs is not limited. To ensure voice quality, do not map other service profiles to the radio profile you plan to use for voice traffic.
  • Page 213: Broadcast Control

    ACE (ACL rule) that sets the CoS. Note: If static CoS is enabled, the static CoS value is always used. The CoS cannot be changed using an ACL.
  • Page 214: Changing Qos Settings

    U-APSD support is disabled by default. To enable it on a radio profile, use the following command: set radio-profile name wmm-powersave {enable | disable} For example, the following command enables U-APSD on radio profile rp1: DWS-1008# set radio-profile rp1 wmm-powersave enable success: change accepted.
  • Page 215: Configuring Call Admission Control

    To enable static CoS and set the CoS value, use the following commands: set service-profile name static-cos {enable | disable} set service-profile name cos level The level can be a value from 0 (lowest priority) to 7 (highest priority). The default is 0.
  • Page 216: Changing Cos Mappings

    For example, to enable all these broadcast control features in service profile sp1, use the following commands: DWS-1008# set service-profile sp1 proxy-arp enable success: change accepted. DWS-1008# set service-profile sp1 dhcp-restrict enable success: change accepted. DWS-1008# set service-profile sp1 no-broadcast enable success: change accepted.
  • Page 217: Displaying Qos Information

    Power ramp interval: 60 Channel Holddown: 300 Countermeasures: none Active-Scan: yes RFID enabled: no WMM Powersave: no QoS Mode: wmm Service profiles: sp1 In this example, the QoS mode is WMM and U-APSD support (WMM powersave) is disabled.
  • Page 218: Displaying A Service Profile's Qos Settings

    Note: Configuration information for some settings appears in other chapters. To configure transmit rates, or the long or short retry, see “Configuring a Service Profile”. To configure the user-idle timeout and idle-client probing, see “Displaying and Changing Network Session Timers”.
  • Page 219: Displaying Cos Mappings

    To display the DSCP value to which a specific CoS value is mapped during marking, use the following command: show qos cos-to-dscp-map cos-value The following command displays the DSCP value to which CoS value 6 is mapped: DWS-1008# show qos cos-to-dscp-map 6 cos 6 is marked with dscp 48 (tos 0xC0)
  • Page 220: Displaying The Dscp Table

    The following command shows statistics for the AP forwarding queues on a Distributed AP: DWS-1008# show dap qos-stats 4 Queue TxDrop ========================================== DAP: 4 radio: 1 Background BestEffort 15327 Video Voice DAP: 4 radio: 2 1714881 Background BestEffort Video Voice
  • Page 221: Configuring And Managing Spanning Tree Protocol

    To enable STP on all VLANs configured on a switch, type the following command: DWS-1008# set spantree enable success: change accepted. To verify the STP state and display the STP parameter settings, enter the show spantree command.
  • Page 222: Changing Standard Spanning Tree Parameters

    Full Duplex Aggregate Link (Port Group) 1000 Mbps Full Duplex 100 Mbps Full Duplex Aggregate Link(Port Group) 100 Mbps Full Duplex 100 Mbps Half Duplex 10 Mbps Full Duplex Aggregate Link(Port Group) 10 Mbps Full Duplex 10 Mbps Half Duplex
  • Page 223: Port Priority

    DWS-1008# set spantree portcost 3,4 cost 20 success: change accepted. To change the cost for the same ports in VLAN mauve, type the following command: DWS-1008# set spantree portvlancost 3,4 cost 20 vlan mauve success: change accepted.
  • Page 224: Resetting The Stp Port Cost To The Default Value

    DWS-1008# set spantree portpri 3-4 priority 48 success: change accepted. To set the priority of ports 3 and 4 to 48 in VLAN mauve, type the following command: DWS-1008# set spantree portvlanpri 3-4 priority 48 vlan mauve success: change accepted.
  • Page 225: Resetting The Stp Port Priority To The Default Value

    The all option applies the change to all VLANs. Alternatively, specify an individual VLAN. To change the hello interval for all VLANs to 4 seconds, type the following command: DWS-1008# set spantree hello 4 all success: change accepted.
  • Page 226: Changing The Stp Forwarding Delay

    In some configurations, this delay is unnecessary. The switch provides the following fast convergence features to bypass the forwarding delay: • Port fast • Backbone fast • Uplink fast
  • Page 227: Port Fast Convergence

    To enable or disable port fast convergence, use the following command: set spantree portfast port port-list {enable | disable} To enable port fast convergence on ports 1, 3, and 5, type the following command: DWS-1008# set spantree portfast port 1,3,5 enable success: change accepted.
  • Page 228: Displaying Port Fast Convergence Information

    To display the state of the backbone fast convergence feature, use the following command: show spantree backbonefast Here is an example: DWS-1008# show spantree backbonefast Backbonefast is enabled In this example, backbone fast convergence is enabled.
  • Page 229: Configuring Uplink Fast Convergence

    • Bridge STP settings and individual port information • Blocked ports • Statistics • Port fast, backbone fast, and uplink fast convergence information Note: For information about the show commands for the fast convergence features, see “Configuring and Managing STP Fast Convergence Features”.
  • Page 230: Displaying Stp Bridge And Port Information

    ------------------------------------------------------------------------------------ Forwarding Disabled Blocking Disabled Blocking Disabled Forwarding Disabled Blocking Disabled Blocking Disabled In this example, VLAN mauve contains ports 1 through 6. Ports 1 and 4 are forwarding traffic. The other ports are blocking traffic.
  • Page 231: Displaying The Stp Port Cost On A Vlan Basis

    To display information about blocked ports on a switch for the default VLAN (VLAN 1), type the following command: DWS-1008# show spantree blockedports vlan default Port Vlan Port-State Cost Prio Portfast ----------------------------------------------------------------------- Blocking Disabled Number of blocked ports (segments) in VLAN 1 : 1
  • Page 232: Displaying Spanning Tree Statistics

    Actual Type Media =============================================================== auto 100/full network 10/100BaseTx down auto network 10/100BaseTx down auto network 10/100BaseTx down auto network 10/100BaseTx down auto network 10/100BaseTx down auto network 10/100BaseTx down down auto network down down auto network
  • Page 233 Forward Delay 15 sec Bridge ID MAC ADDR 00-0b-0e-00-04-0c Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan STP-State Cost Prio Portfast ------------------------------------------------------------------- Disabled Disabled Disabled Disabled
  • Page 234 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan STP-State Cost Prio Portfast ----------------------------------------------------------------------- Forwarding 4 Disabled Blocking Disabled 6. Save the configuration. Type the following command: DWS-1008# save config success: configuration saved.
  • Page 235: Configuring And Managing Igmp Snooping

    One report is sufficient to cause the routers to continue sending data for the group. Proxy reporting is enabled by default. To disable or reenable proxy reporting, use the following command: set igmp proxy-report {enable | disable} [vlan vlan-id]
  • Page 236: Enabling The Pseudo-Querier

    The IGMP pseudo-querier enables IGMP snooping to operate in a VLAN that does not have a multicast router to send IGMP general queries to clients. Note: D-Link recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet.
  • Page 237: Changing The Query Interval

    To change the robustness value, use the following command: set igmp rv num [vlan vlan-id] You can specify a value from 2 through 255. The default is 2.
  • Page 238: Enabling Router Solicitation

    You can add network ports as static multicast router ports or multicast receiver ports. Ports you add do not age out. Note: You cannot add access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
  • Page 239: Adding Or Removing A Static Multicast Router Port

    To display multicast configuration information and statistics, use the following command: show igmp [vlan vlan-id] The show igmp command displays the IGMP snooping state, the settings of all multicast parameters you can configure, and multicast statistics.
  • Page 240 GS-Queries Report V1 Report V2 Leave Mrouter-Adv Mrouter-Term Mrouter-Sol DVMRP PIM V1 PIM V2 Topology notifications: 0 Packets with unknown IGMP type: 0 Packets with bad length: 0 Packets with bad checksum: 0 Packets dropped: 4
  • Page 241: Displaying Multicast Statistics Only

    [vlan vlan-id] To display the multicast routers in VLAN orange, type the following command: DWS-1008# show igmp mrouter vlan orange Multicast routers for vlan orange Port Mrouter-IPaddr Mrouter-MAC Type ------------------------------------------------------------------------------------------------ 192.28.7.5 00:01:02:03:04:05 dvmrp
  • Page 242: Displaying Multicast Receivers

    VLANs, type the following command: DWS-1008# show igmp receiver-table group 237.255.255.0/24 VLAN: red Session Port Receiver-IP Receiver-MAC ----------------------------------------------------------------------------------------------------------- 237.255.255.2 10.10.20.19 00:02:04:06:09:0d 237.255.255.119 10.10.30.31 00:02:04:06:01:0b VLAN: green Session Port Receiver-IP Receiver-MAC ----------------------------------------------------------------------------------------------------------- 237.255.255.17 10.10.40.41 00:02:06:08:02:0c 237.255.255.255 10.10.60.61 00:05:09:0c:0a:01
  • Page 243: Configuring And Managing Security Acls

    D-Link provides a very powerful mapping application for security ACLs. In addition to being assigned to physical ports, VLANs, virtual ports in a VLAN, or Distributed APs, ACLs can be mapped dynamically to a user’s session, based on authorization information passed back from the AAA server during the...
  • Page 244: Security Acl Filters

    ACLs. For example, if different ACLs are mapped to both a user and a VLAN, and a user’s traffic can match both ACLs, only the ACL mapped to the user is applied.
  • Page 245: Traffic Direction

    ACL to be saved to the permanent configuration. You must commit a security ACL before you can apply it to an authenticated user’s session or map it to a port, VLAN, virtual port, or Distributed AP. Every security ACL must have a name.
  • Page 246: Setting A Source Ip Acl

    Authentication Header for IPSec (IPSec-AH); IP Mobility (Mobile IP); Enhanced Interior Gateway Routing Protocol (EIGRP); Open Shortest Path First (OSPF) protocol; Protocol Independent Multicast (PIM) protocol; Virtual Router Redundancy Protocol (VRRP); Layer Two Tunneling Protocol (L2TP)
  • Page 247: Wildcard Masks

    Optionally, for WMM or non-WMM traffic, you can use ACLs to change the priority of traffic sent to an AP or VLAN. (To change CoS for WMM or non-WMM traffic, see “Using ACLs to Change CoS”.)
  • Page 248: Setting An Icmp Acl

    None; Time Exceeded (11): Time to Live (TTL) Exceeded (0), Fragment Reassembly Time Exceeded (1); Parameter Problem (12): None; Timestamp (13): None; Timestamp Reply (14): None; Information Request (15): None; Information Reply (16): None
  • Page 249: Setting Tcp And Udp Acls

    192.168.1.8, with any UDP destination port less than 65,535. It puts this ACE first in the ACL, and counts the number of hits generated by the ACE. DWS-1008# set security acl ip acl-5 permit udp 192.168.1.7 0.0.0.0 192.168.1.8 0.0.0.0 lt 65535 precedence 7 tos 15 before 1 hits
  • Page 250: Determining The Ace Order

    ACLs. After you commit an ACL, MSS removes it from the edit buffer. To display ACLs, use the following commands: show security acl editbuffer show security acl info all editbuffer show security acl info show security acl
  • Page 251: Viewing The Edit Buffer

    Viewing Committed Security ACLs To view a summary of the committed security ACLs in the configuration, type the following command: DWS-1008# show security acl ACL table Type Class Mapping ------------------------------------------------------------- acl-2 Static acl-3 Static acl-4 Static
  • Page 252: Viewing Security Acl Details

    Once you map an ACL, you can view the number of packets it has filtered, if you included the keyword hits. (For information on setting hits, see “Setting a Source IP ACL”.) Type the following command: DWS-1008# show security acl hits ACL hit-counters Index Counter ACL-name --------------------------------------------------- acl-2 acl-999 acl-123
  • Page 253: Clearing Security Acls

    ACL. The switch maps the named ACL automatically to the user’s authenticated session. Security ACLs can also be mapped statically to ports, VLANs, virtual ports, or Distributed APs. User-based ACLs are processed before these ACLs, because they are more specific and closer to the network edge.
  • Page 254: Mapping User-Based Security Acls

    For instructions, see the documentation for your RADIUS server. Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the switch, the user fails authorization and cannot be authenticated.
  • Page 255: Mapping Security Acls To Ports, Vlans, Virtual Ports, Or Distributed Aps

    Plan your security ACL maps to ports, VLANs, virtual ports, and Distributed APs so that only one security ACL filters a flow of packets. If more than one security ACL filters the same traffic, you cannot guarantee the order in which the ACE rules are applied.
  • Page 256: Displaying Acl Maps To Ports, Vlans, And Virtual Ports

    Clearing a security ACL mapping does not stop the current filtering function if the ACL has other mappings. If the security ACL is mapped to another port, a VLAN, a virtual port, or a Distributed AP, you must enter a clear security acl map command to clear each map.
  • Page 257: Modifying A Security Acl

    • Use the clear security acl map command to stop the filtering action of an ACL on a port, VLAN, or virtual port. (See “Clearing a Security ACL Map”.) • Use clear security acl plus commit security acl to completely delete the ACL from the switch’s configuration. (See “Clearing Security ACLs”.)
  • Page 258: Adding Another Ace To A Security Acl

    DWS-1008# show security acl info ACL information for all set security acl ip acl-violet (hits #2 0) ---------------------------------------------------- 1. permit IP source IP 192.168.253.1 0.0.0.255 destination IP any enable-hits 2. permit IP source IP 192.168.123.11 0.0.0.255 destination IP any enable-hits
  • Page 259: Placing One Ace Before Another

    2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any set security acl ip acl-2 (hits #1 0) ---------------------------------------------------- 1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
  • Page 260: Modifying An Existing Security Acl

    2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any set security acl ip acl-2 (hits #1 0) ---------------------------------------------------- 1. permit L4 Protocol 115 source IP 192.168.1.11 0.0.0.0 destination IP 192.168.1.15 0.0.0.0 precedence 0 tos 0 enable-hits
  • Page 261: Clearing Security Acls From The Edit Buffer

    2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any 3. deny SRC source IP 192.168.253.1 0.0.0.255 set security acl ip acl-a (ACEs 1, add 1, del 0, modified 0) ---------------------------------------------------- 1. permit SRC source IP 192.168.1.1 0.0.0.0
  • Page 262: Using Acls To Change Cos

    ACE on that interface and traffic direction. The permit any ACE ensures that traffic that does not match the first ACE is permitted. Without this additional ACE at the end, traffic that does not match the other ACE is dropped.
  • Page 263: Filtering Based On Dscp Values

    10.10.90.0 0.0.0.255 dscp 46 success: change accepted. DWS-1008# set security acl ip acl2 permit any success: change accepted. DWS-1008# commit security acl acl2 success: change accepted. DWS-1008# set security acl map acl2 dap 4 out success: change accepted.
  • Page 264: Using The Precedence And Tos Options

    Note: You cannot use the dscp option along with the precedence and tos options in the same ACE. The CLI rejects an ACE that has this combination of options.
  • Page 265: Enabling Prioritization For Legacy Voice Over Ip

    CoS”. General Guidelines D-Link recommends that you follow these guidelines for any wireless VoIP implementation: • Ensure end-to-end priority forwarding by making sure none of the devices that will forward voice traffic resets IP ToS or Diffserv values to 0. Some devices, such as some types of Layer 2 switches with basic Layer 3 awareness, reset the IP ToS or Diffserv value of untrusted packets to 0.
  • Page 266: Enabling Voip Support For Telesym Voip

    Note: If you are upgrading a switch running MSS Version 3.x to MSS Version 4.x, and the switch uses ACLs to map VoIP traffic to CoS 4 or 5, and you plan to leave WMM enabled, D-Link recommends that you change the ACLs to map the traffic to CoS 6 or 7.
  • Page 267: Enabling Svp Optimization For Spectralink Phones

    SpectraLink’s Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure interoperability and high performance between SVP phones and WLAN infrastructure products. D-Link DWS-1008 switches and APs are VIEW certified. This section describes how to configure switches and APs for SVP phones.
  • Page 268: Configuring A Service Profile For Rsn (Wpa2)

    The following commands configure a service profile called vowlan-wpa2 for RSN: DWS-1008# set service-profile vowlan-wpa ssid-name phones DWS-1008# set service-profile vowlan-wpa wpa-ie enable DWS-1008# set service-profile vowlan-wpa auth-dot1x disable DWS-1008# set service-profile vowlan-wpa auth-psk enable DWS-1008# set service-profile vowlan-wpa psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
  • Page 269: Configuring A Radio Profile

    Note: Some radio settings that are beneficial for voice traffic might not be beneficial for other wireless clients. If you plan to support other wireless clients in addition to voice clients, D-Link recommends that you create a new radio profile specifically for voice clients, or use the default radio profile only for voice clients and create a new profile for other clients.
  • Page 270: Configuring An Acl To Prioritize Voice Traffic

    10.2.4.69 to any IP address, to or from any UDP port other than 0. The second ACE sets CoS to 7 for all SVP traffic. The third ACE matches on all traffic that does not match on either of the previous ACEs.
  • Page 271: Reason The Acl Needs To Be Mapped To Both Traffic Directions

    802.11b mode only. This type of phone expects the AP to operate at 802.11b rates only, not at 802.11g rates. To change a radio to support 802.11b mode only, use the radiotype 11b option with the set port type ap or set dap command.
  • Page 272: Disabling Rf Auto-Tuning Before Upgrading A Spectralink Phone

    Disabling RF Auto-Tuning Before Upgrading a SpectraLink Phone If you plan to upgrade a SpectraLink phone using TFTP over an AP, D-Link recommends that you disable RF Auto-Tuning before you begin the upgrade. This feature can increase the length of time required for the upgrade.
  • Page 273: Security Acl Configuration Scenario

    You must then map the security ACL to Natasha’s session in RADIUS. For instructions, see the documentation for your RADIUS server. 7. To save your configuration, type the following command: DWS-1008# save config success: configuration saved.
  • Page 274: Managing Keys And Certificates

    TLS allows the client to authenticate the switch (and optionally allows the switch to authenticate the client) through the use of digital signatures. Digital signatures require a public-private key pair. The signature is created with a private key and verified with a public key. TLS enables secure key exchange.
  • Page 275: Peap-Ms-Chap-V2 Security

    • If the switch has a self-signed certificate in its certificate and key store, the switch responds to the request from MSS. If the certificate is not self-signed, the switch looks for a CA’s certificate with which to validate the server certificate.
  • Page 276: Public Key Infrastructures

    Public and Private Keys D-Link’s identity-based networking uses public key cryptography to enforce the privacy of data transmitted over the network. Using public-private key pairs, users and devices can send encrypted messages that only the intended receiver can decrypt.
  • Page 277: Digital Certificates

    PKCS #7, PKCS #10, and PKCS #12 Object Files Public-Key Cryptography Standards (PKCS) are encryption interface standards created by RSA Data Security, Inc., that provide a file format for transferring data and cryptographic information. D-Link supports the PKCS object files listed in the table on the next page.
  • Page 278 CA. (This password secures the file so that the keys and certificate cannot be installed by an unauthorized party. You must know the password in order to install them.) Use the crypto pkcs12 command to unpack the file.
  • Page 279: Certificates Automatically Generated By Mss

    Management access to the CLI through Secure Shell (SSH) also requires a key pair, but does not use a certificate. DWS-1008 security also requires a key pair and certificate. However, the certificate is generated automatically when you enable DWS-1008 security.
  • Page 280: Choosing The Appropriate Certificate Installation Method For Your Network

    Certificate Signing Request signed certificate (a PEM-encoded (CSR) certificate PKCS #7 object file). 4. Paste the PEM-encoded file into the CLI to store the certificate on the switch. 5. Obtain and install the CA’s own certificate.
  • Page 281: Creating Public-Private Key Pairs

    You must include a common name (string) when you generate a self-signed certificate. The other information is optional. Use a fully qualified name if such names are supported on your network. The certificate appears after you enter this information.
  • Page 282: Installing A Key Pair And Certificate From A Pkcs #12 Object File

    {admin | eap | web} filename The filename is the location of the file on the switch. Note: MSS erases the OTP password entered with the crypto otp command when you enter the crypto pkcs12 command.
  • Page 283: Creating A Csr And Installing A Certificate From A Pkcs #7 Object File

    3. Use a text editor to open the PKCS #7 file, and copy and paste the entire text block, including the beginning and ending delimiters, into the CLI. Note: You must paste the entire block, from the beginning -----BEGIN CERTIFICATE----- to the end -----END CERTIFICATE-----.
  • Page 284: Installing A Ca's Own Certificate

    The last two rows of the display indicate the period for which the certificate is valid. Make sure the date and time set on the switch are within the date and time range of the certificate.
  • Page 285: Key And Certificate Configuration Scenarios

    State Name: CA Locality Name: San Francisco Organizational Name: example Organizational Unit: IT Common Name: DL 6 Email Address: admin@example.com Unstructured Name: wiring closet 4 Self-signed cert for eap is success: self-signed cert for eap generated
  • Page 286 Subject: C=US, ST=CA, L=PLEAS, O=DLINK, OU=SQA, CN=BOBADMIN/ emailAddress=BOBADMIN, unstructuredName=BOB Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=CA, L=PLEAS, O=DLINK, OU=SQA, CN=BOBADMIN/ emailAddress=BOBADMIN, unstructuredName=BOB Validity: Not Before: Oct 19 02:02:02 2004 GMT Not After : Oct 19 02:02:02 2005 GMT
  • Page 287: Installing Ca-Signed Certificates From Pkcs #12 Object Files

    PKCS #12 file. To enter a one-time password, use the following command: crypto otp {admin | eap | web} one-time-password For example: DWS-1008# crypto otp admin SeC%#6@o%c OTP set DWS-1008# crypto otp eap SeC%#6@o%d OTP set DWS-1008# crypto otp web SeC%#6@o%e OTP set
  • Page 288: Installing Ca-Signed Certificates Using A Pkcs #10 Object File (Csr) And A Pkcs #7 Object File

    1. Set time and date parameters, if not already set. (See “Configuring and Managing Time Parameters”.) 2. Generate public-private key pairs: DWS-1008# crypto generate key admin 1024 key pair generated DWS-1008# crypto generate key eap 1024 key pair generated DWS-1008# crypto generate key web 1024 key pair generated
  • Page 289 DWS-1008# crypto certificate admin Enter PEM-encoded certificate 8. Paste the signed certificate text block into the switch’s CLI, below the prompt. 9. Display information about the certificate, to verify it: DWS-1008# show crypto certificate admin
  • Page 290 13. Paste the CA’s signed certificate under the prompt. 14. Display information about the CA’s certificate, to verify it: DWS-1008# show crypto ca-certificate admin 15. Repeat step 12 through step 14 to install the CA’s certificate for EAP (802.1X) and WebAAA.
  • Page 291: Configuring Aaa For Network Users

    About AAA for Network Users Network users include the following types of users: • Wireless users—Users who access the network by associating with an SSID on a D-Link radio. • Wired authentication users—Users who access the network over an Ethernet connection...
  • Page 292: Authentication Types

    (no 802.1X or MAC access rules have the wired option set), MSS checks for user last-resort-wired. If this user is configured, the authorization attributes set for the user are applied to the user who is on the wired authentication port and the user is allowed onto the network.
  • Page 293: Authentication Algorithm

    If no 802.1X or MAC access rules are configured for wired, and the wired authentication port’s fallthru type is last-resort, MSS allows users onto the port without prompting for a username or password. The authorization attributes set on user last-resort-wired are applied to the user.
  • Page 294: User Credential Requirements

    (ACLs) to the user’s traffic, and so on. To assign attributes on the RADIUS server, use the standard RADIUS attributes supported on the server. To assign attributes in the switch’s local database, use the MSS vendor-specific attributes (VSAs).
  • Page 295 These authorization attributes are applied to users accessing the SSID managed by the service profile (in addition to any attributes supplied by a RADIUS server or the switch’s local database).
  • Page 296: Accounting

    You can track sessions through accounting information stored locally or on a remote RADIUS server.
  • Page 297: Aaa Tools For Network Users

    IT group into the group infotech-people. AAA Methods for IEEE 802.1X and Web Network Access The following AAA methods are supported by D-Link for 802.1X and Web network access mode: • Client certificates issued by a certificate authority (CA) for authentication.
  • Page 298: Aaa Rollover Process

    1. To configure server-1 and server-2 at IP addresses 192.168.253.1 and 192.168.253.2 with the password chey3nn3, the administrator enters the following commands: DWS-1008# set radius server server-1 address 192.168.253.1 key chey3nn3 DWS-1008# set radius server server-2 address 192.168.253.2 key chey3nn3
  • Page 299: Ieee 802.1X Extensible Authentication Protocol Types

    • The MS-CHAP-V2 portion an encrypted session. Mutual Authentication is processed on the RADIUS The client needs only a authentication is performed by Protocol version 2) server or locally, username and password. MS-CHAP-V2. depending on the configuration.
  • Page 300: Ways A Switch Can Use Eap

    Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be authenticated by an EAP method, a MAC address, or a Web login page served by the switch.
  • Page 301: Configuring 802.1X Authentication

    DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 shorebirds To offload both PEAP and MS-CHAP-V2 processing onto the switch, use the following command: DWS-1008# set authentication dot1x ssid marshes *@example.com peap-mschapv2 local
  • Page 302: Using Pass-Through

    You can use Bonded Auth with Microsoft Windows® clients that support separate 802.1X authentication for the machine itself and for a user who uses the machine to log on to the network.
  • Page 303: Authentication Rule Requirements

    (Generally, in a Bonded Auth configuration, the RADIUS servers will use a user database stored on an Active Directory server.) D-Link recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userglobs match on all machine names and users in the domain: •...
  • Page 304: Bonded Auth Period

    By default, the Bonded Auth period is 0 seconds. MSS does not wait for a Bonded Auth user to reauthenticate. You can set the Bonded Auth period to a value up to 300 seconds. D-Link recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.
  • Page 305: Bonded Auth Configuration Example

    The following command sets the Bonded Auth period to 60 seconds, to allow time for WEP users to reauthenticate: DWS-1008# set dot1x bonded-period 60 success: change accepted. Displaying Bonded Auth Configuration Information To display Bonded Auth configuration information, use the following command: show dot1x config
  • Page 306: Configuring Authentication And Authorization By Mac Address

    Users authorized by MAC address require a MAC authorization password if RADIUS authentication is desired. The default well-known password is dlink. Caution: Use this method with care. IEEE 802.11 frames can be forged and can result in unauthorized network access if MAC authentication is employed.
  • Page 307: Adding And Clearing Mac Users And User Groups Locally

    For example, the following command removes MAC user 01:0f:03:04:05:06 from the group the user is DWS-1008# clear mac-user 01:0f:03:04:05:06 group success: change accepted. The clear mac-usergroup command removes the group. To remove a MAC user profile from the local database on the switch, type the following command: clear mac-user mac-address
  • Page 308: Configuring Mac Authentication And Authorization

    MAC user profile in the local database, use the following command: clear mac-user mac-addr attr attribute-name For example, the following command clears the VLAN assignment from MAC user 01:0f:02:03:04:05: DWS-1008# clear mac-user 01:0f:03:04:05:06 attr vlan-name success: change accepted.
  • Page 309: Changing The Mac Authorization Password For Radius

    If the MAC address is in the database, MSS uses the VLAN attribute and other attributes associated with it for user authorization. Otherwise, MSS tries the fallthru authentication type, which can be last-resort, Web, or none.
  • Page 310: Configuring Web Portal Webaaa

    SSID, you can use static WEP or WPA with PSK as the encryption type. MSS provides a D-Link login page, which is used by default. You can add custom login pages to the switch’s nonvolatile storage, and configure MSS to serve those pages instead.
  • Page 311: Display Of The Login Page

    SSID the Web-Portal user associates with. Previous MSS Versions required this special user for Web-Portal configurations. Any web-portal-ssid users are removed from the configuration during upgrade to MSS Version 5.0. However, the web-portal-wired user is still required for Web Portal on wired authentication ports.
  • Page 312: Dws-1008 Switch Requirements

    To set the fallthru authentication type for an SSID, set it in the service profile for the SSID, using the set service-profile auth-fallthru command. To set it on a wired authentication port, use the auth-fall-thru web-portal parameter of the set port type wired-auth command.
  • Page 313 To configure authentication rules, use the set authentication web command. • Web Portal WebAAA must be enabled, using the set web-portal command. The feature is enabled by default.
  • Page 314: Portal Acl And User Acls

    ACL and map that ACL instead to the service profile or the web-portal-wired user. Make sure to use the capture option for traffic you do not want to allow. D-Link recommends that you do not change the portalacl ACL. Leave the ACL as a backup in case you need to refer to it or you need to use it again.
  • Page 315: Client Web Browser Recommendations

    Note: The VLAN does not need to be configured on the switch where you configure Web Portal but the VLAN does need to be configured on a switch somewhere in the network. The user’s traffic will be tunneled to the switch where the VLAN is configured.
  • Page 316 WEP Key 3 value: <none> WEP Key 4 value: <none> WEP Unicast Index: 1 WEP Multicast Index: 1 Shared Key Auth: NO RSN enabled: ciphers: cipher-tkip, cipher-ccmp authentication: 802.1X TKIP countermeasures time: 60000ms vlan-name = mycorp-vlan
  • Page 317 2-3 set interface corpvlan ip 192.168.12.10 255.255.255.0 set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67 set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture commit security acl portalacl
  • Page 318: Displaying Session Information For Web Portal Webaaa Users

    DWS-1008# show sessions network ssid mycorp User Sess IP or MAC VLAN Port/ Name Address Name Radio ------------------------------------------------------------------------------------------------ alice 192.168.12.101 corpvlan 192.168.12.102 corpvlan 2 sessions total
  • Page 319: Using A Custom Login Page

    By default, MSS serves the D-Link login page for Web login. To serve a custom page instead, do the following: 1. Copy and modify the D-Link page, or create a new page. 2. Create a subdirectory in the user files area of the switch’s nonvolatile storage, and copy the custom page into the subdirectory.
  • Page 320: Copying And Modifying The Web Login Page

    Copying and Modifying the Web Login Page To copy and modify the D-Link Web login page: 1. Configure an unencrypted SSID on a switch. The SSID is temporary and does not need to be one you intend to use in your network. To configure the SSID, use the following...
  • Page 321: Custom Login Page Scenario

    4. Delete the temporary SSID, along with the temporary service profile and radio profile you created for it. DWS-1008# set ap 2 radio 1 radio-profile temprad mode disable success: change accepted. DWS-1008# clear radio-profile temprad success: change accepted. DWS-1008# clear service-profile tempsrvc success: change accepted.
  • Page 322 1202 bytes in 0.402 seconds [ 2112 bytes/sec] DWS-1008# dir mycorp-webaaa ========================================================== file: Filename Size Created file:mycorp-login.html 637 bytes Aug 12 2004, 15:42:26 file:mylogo.gif 1202 bytes Aug 12 2004, 15:57:11 Total: 1839 bytes used, 206577 Kbytes free
  • Page 323: Using Dynamic Fields In Webaaa Redirect Urls

    When user djoser is successfully authenticated and authorized, MSS redirects the user to the following URL: https://saqqara.org/login.php?user=djoser To verify configuration of a redirect URL and other user attributes, type the show aaa command.
  • Page 324: Using An Acl Other Than Portalacl

    6. Change the Web-Portal ACL name set on the service profile, using the following command: set service-profile name web-portal-acl aclname 7. Verify the change by displaying the service profile. 8. Save the configuration changes.
  • Page 325: Configuring The Web Portal Webaaa Session Timeout Period

    Web Portal WebAAA sessions already authenticated with a username and password. For all other Web Portal WebAAA sessions, the default Web Portal WebAAA session timeout period of 5 seconds is used.
  • Page 326: Configuring Last-Resort Access

    DWS-1008# set service-profile last-resort-srvcprof rsn-ie enable success: change accepted. DWS-1008# set service-profile last-resort-srvcprof wpa-ie enable success: change accepted. DWS-1008# set service-profile last-resort-srvcprof cipher-ccmp enable success: change accepted. DWS-1008# set service-profile last-resort-srvcprof cipher-wep40 enable success: change accepted.
  • Page 327: Configuring Last-Resort Access For Wired Authentication Ports

    The following commands configure wired authentication port 5 for last-resort access and add the special user: DWS-1008# set port type wired-auth 5 auth-fall-thru last-resort success: change accepted. DWS-1008# set user last-resort-wired attr vlan-name guest-vlan2 success: change accepted.
  • Page 328: Configuring Aaa For Users Of Third-Party Aps

    MSS assigns authorization attributes to the user from the RADIUS server’s access-accept response. 6. When the user’s session ends, the third-party AP sends a RADIUS stop-accounting record to the switch. The switch then removes the session.
  • Page 329: Requirements

    AP but remains a RADIUS client to the real RADIUS servers. • An authentication proxy rule must be configured for the AP’s users. The rule matches based on SSID and username, and selects the authentication method (a RADIUS server group) for proxying.
  • Page 330: Radius Server Requirements

    AP. Use the following command: set radius proxy client address ip-address [port udp-port-number] [acct-port acct-udp-port-number] key string • Configure a proxy authentication rule for the AP’s users. Use the following command: set authentication proxy ssid ssid-name user-glob radius-server-group
  • Page 331 SSID mycorp. MSS uses RADIUS server group srvrgrp1 to proxy RADIUS requests and hence to authenticate and authorize the users. DWS-1008# set authentication proxy ssid mycorp ** srvrgrp1 To verify the changes, use the show config area aaa command.
  • Page 332: Configuring Authentication For Non-802.1X Users Of A Third-Party Ap With Tagged Ssids

    The user does not need to wait for the user group’s start date. The VLAN attribute is required. MSS can authorize a user to access the network only if the VLAN to place the user on is specified.
  • Page 333 Mobility Profile attribute for the user. Note: If the Mobility Profile feature is enabled, and a mode only) user is assigned the name of a Mobility Profile that does not exist on the switch, the user is denied access.
  • Page 334 SSID the user is allowed to be configured in a service profile, and the service profile (network access mode access after authentication. must be used by a radio profile assigned to D-Link radios in only) the network. Date and time at which the...
  • Page 335 URL string: (network access mode is redirected after • $u—Username only) successful WebAAA. • $v—VLAN • $s—SSID • $p—Service profile name To use the literal character $ or ?, use the following: • $$ • $q
  • Page 336: Assigning Attributes To Users And Groups

    To change the value of an authorization attribute, reenter the command with the new value. To assign an authorization attribute to a user’s configuration on a RADIUS server, see the documentation for your RADIUS server.
  • Page 337: Assigning Ssid Default Attributes To A Service Profile

    RADIUS server. Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the switch, the user fails authorization and cannot be connected.
  • Page 338: Assigning A Security Acl Locally

    DWS-1008# set user Jose attr filter-id acl-101.in success: change accepted. The following command applies the incoming filters of acl-101 to the users who belong to the group eastcoasters: DWS-1008# set usergroup eastcoasters attr filter-id acl-101.in success: change accepted.
  • Page 339: Assigning A Security Acl On A Radius Server

    When you assign the Encryption-Type attribute to a user or group, the encryption type or types are entered as an authorization attribute into the user or group record in the local database or on the RADIUS server. Encryption-Type is a D-Link vendor-specific attribute (VSA).
  • Page 340: Assigning And Clearing Encryption Types Locally

    To clear an encryption type from the profile of a user or group of users in the local database, use one of the following commands: clear user username attr encryption-type clear usergroup groupname attr encryption-type clear mac-user username attr encryption-type clear mac-usergroup groupname attr encryption-type
  • Page 341: Assigning And Clearing Encryption Types On A Radius Server

    SSID the user is associated with.) • As shown in the table above, even when keep-initial-vlan is set, a user’s VLAN can be reassigned by AAA or a location policy.
  • Page 342: Overriding Or Adding Attributes Locally With A Location Policy

    150 rules. The action can be one of the following: • Deny access to the network • Permit access, but set or change the user’s VLAN assignment, inbound ACL, outbound ACL, or any combination of these attributes
  • Page 343: How The Location Policy Differs From A Security Acl

    {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port port-list | dap dap-num} [before rule-number | modify rule-number] Note: Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.
  • Page 344: Applying Security Acls In A Location Policy Rule

    DWS-1008# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.* You can optionally add the suffixes .in and .out to inacl-name and outacl-name for consistency with their usage in entries stored in the local database.
  • Page 345: Displaying And Positioning Location Policy Rules

    To delete a location policy rule, use the following command: clear location policy rule-number Type show location policy to display the numbers of configured location policy rules. To disable the location policy on a DWS-1008 switch, delete all the location policy rules.
  • Page 346: Configuring Accounting For Wireless Network Users

    AP port number and radio number Access point’s MAC address Access point’s MAC address Number of octets received by the switch Number of octets sent by the switch Number of packets received by the switch Number of packets sent by the switch
  • Page 347: Configuring Periodic Accounting Update Records

    When you enter this command, an Accounting-Off message is generated and sent to the server or server group specified with the set accounting system command. No further Accounting-On or Accounting-Off messages are generated.
  • Page 348: Viewing Local Accounting Records

    May 21 17:01:32 Acct-Status-Type=START Acct-Authentic=2 User-Name=Administrator@example.com Acct-Multi-Session-Id=SESSION-4-1106424789 Event-Timestamp=1053536492 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=1/1 Called-Station-Id=00-0B-0E-76-56-A8 The user roamed to DWS-0017. DWS-0017# show accounting statistics May 21 17:05:00 Acct-Status-Type=UPDATE Acct-Authentic=2 Acct-Multi-Session-Id=SESSION-4-1106424789 User-Name=Administrator@example.com Acct-Session-Time=209 Acct-Output-Octets=1280 Acct-Input-Octets=1920 Acct-Output-Packets=10 Acct-Input-Packets=15 Event-Timestamp=1053536700 Vlan-Name=default Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=2/1 Called-Station-Id=00-0B-0E-76-56-A0
  • Page 349: Displaying The Aaa Configuration

    * local set authentication dot1x ssid mycorp Geetha eap-tls set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3 set accounting dot1x Nin ssid mycorp stop-only sg2 set accounting admin Natasha start-stop local user Nin
  • Page 350: Avoiding Aaa Problems In Configuration Order

    Here is an example of a AAA configuration where the most-specific rules for 802.1X are first and the rules with any are last: DWS-1008# show aaa set authentication dot1x ssid mycorp Geetha eap-tls set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3 set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
  • Page 351: Using Authentication And Accounting Rules Together

    802.1X users in the local database and ignores the command for EXAMPLE/ users. DWS-1008# show aaa set accounting dot1x ssid mycorp * start-stop group1 set authentication dot1x ssid mycorp * peap-mschapv2 local set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
  • Page 352: Configuration For A Correct Processing Order

    The configuration order now shows that all 802.1X users are processed as you intended: DWS-1008# show aaa set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1 set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1 set accounting dot1x ssid mycorp * start-stop group1 set authentication dot1x ssid mycorp * peap-mschapv2 local
  • Page 353: Network User Configuration Scenarios

    5. Create a Mobility Profile called tulip by typing the following commands: DWS-1008# set mobility-profile name tulip port 2,4-6 success: change accepted. DWS-1008# set mobility-profile mode enable success: change accepted. DWS-1008# show mobility-profile Mobility Profiles Name Ports ========================= tulip
  • Page 354 EXAMPLE\* pass-through shorebirds user tech Password = 1315021018 (encrypted) user EXAMPLE/nin filter-id = acl.101.in mobility-profile = tulip user EXAMPLE/tamara filter-id = acl.101.in mobility-profile = tulip 8. Save the configuration: DWS-1008 save config success: configuration saved.
  • Page 355: Enabling Radius Pass-Through Authentication

    DWS-1008# set user Natasha attr vlan-name red 4. To assign Natasha a session timeout value of 1200 seconds, type the following command: DWS-1008# set user Natasha attr session-timeout 1200 5. Save the configuration: DWS-1008 save config success: configuration saved.
  • Page 356: Enabling Peap-Ms-Chap-V2 Offload

    3. To authenticate all 802.1X users of SSID bobblehead in the group mktg using PEAP on the switch and MS-CHAP-V2 on server sg1, type the following command: DWS-1008# set authentication dot1x ssid bobblehead mktg\* peap-mschapv2 sg1
  • Page 357: Overriding Aaa-Assigned Vlans

    3. Display the configuration: DWS-1008# show location policy Id Clauses ----------------------------------------------------- 1) permit vlan bldgb-teach if vlan eq bldga-prof-* 2) permit vlan bldgb-eng if vlan eq *-techcomm 4. Save the configuration: DWS-1008 save config success: configuration saved.
  • Page 358: Configuring Communication With Radius

    For RADIUS servers that do not explicitly set their own dead time and timeout timers and transmission attempts, MSS sets the following values by default: • Dead time—0 (zero) minutes (The switch does not designate unresponsive RADIUS servers as unavailable.) • Transmission attempts—3 • Timeout (wait for a server response)—5 seconds
  • Page 359: Configuring Global Radius Defaults

    For failover authentication or authorization to work promptly, D-Link recommends that you change the dead time to a value other than 0. With the default setting, the dead time is never invoked and MSS does not hold down requests to unresponsive RADIUS servers.
  • Page 360: Setting The System Ip Address As The Source Address

    You can configure multiple RADIUS servers. When you define server names and keys, case is significant. For example: DWS-1008# set radius server rs1 address 10.6.7.8 key seCret success: change accepted. DWS-1008# set radius server rs2 address 10.6.7.9 key BigSecret success: change accepted.
  • Page 361: Deleting Radius Servers

    Note: You must provide RADIUS servers with names that are unique. To prevent confusion, D-Link recommends that RADIUS server names differ in ways other than case. For example, avoid naming two servers RS1 and rs1. You must configure RADIUS servers into server groups before you can access them.
  • Page 362: Ordering Server Groups

    For example, to configure RADIUS servers pelican and seagull as the server group swampbirds with load balancing: 1. Configure the members of a server group by typing the following command: DWS-1008# set server group swampbirds members pelican seagull success: change accepted.
  • Page 363: Adding Members To A Server Group

    The RADIUS server coot is configured but not part of the server group shorebirds. 2. To add RADIUS server coot as the last server in the server group shorebirds, type the following command: DWS-1008# set server group shorebirds members sandpiper heron egret coot success: change accepted.
  • Page 364: Deleting A Server Group

    DWS-1008# set radius server egret address 192.168.243.15 key pine DWS-1008# set radius server sandpiper address 192.168.253.17 key oak 2. Place two of the RADIUS servers into a server group called swampbirds. Type the following command: DWS-1008# set server group swampbirds members pelican seagull
  • Page 365 Radius Servers Server Addr Ports Tries Dead State -------------------------------------------------------------------------------------------------- sandpiper 192.168.253.17 1812 1813 seagull 192.168.243.12 1812 1813 egret 192.168.243.15 1812 1813 pelican 192.168.253.11 1812 1813 Server groups swampbirds (load-balanced): pelican seagull shorebirds (load-balanced): egret pelican sandpiper
  • Page 366: Managing 802.1X

    Setting 802.1X Port Control The following command specifies the way a wired authentication port or group of ports handles user 802.1X authentication attempts: set dot1x port-control {forceauth | forceunauth | auto} port-list
  • Page 367: Managing 802.1X Encryption Keys

    The secret Wired-Equivalent Privacy protocol (WEP) keys used by MSS on access points for broadcast communication on a VLAN are automatically rotated (rekeyed) every 30 minutes to maintain secure packet transmission. You can disable WEP key rotation for debugging purposes, or change the rotation interval.
  • Page 368: Enabling 802.1X Key Transmission

    The rekeying process can be performed automatically on a periodic basis. By setting the Session-Timeout RADIUS attribute, you make the reauthentication transparent to the client, who is unaware that reauthentication is occurring. A good value for Session-Timeout is 30 minutes.
  • Page 369: Configuring 802.1X Wep Rekeying

    The default is 1800 seconds (30 minutes). You can set the interval from 30 to 1,641,600 seconds (19 days). For example, type the following command to set the WEP-rekey period to 900 seconds: DWS-1008# set dot1x wep-rekey-period 900 success: dot1x wep-rekey-period set to 900
  • Page 370: Setting Eap Retransmission Attempts

    In this case, MSS uses the timeout that has the lower value. If the session-timeout is set to fewer seconds than the global reauthentication timeout, MSS uses the session-timeout for the client. However, if the global reauthentication timeout is shorter than the session-timeout, MSS uses the global timeout instead.
  • Page 371: Enabling And Disabling 802.1X Reauthentication

    Note: If the number of reauthentications for a wired authentication client is greater than the maximum number of reauthentications allowed, MSS sends an EAP failure packet to the client and removes the client from the network. However, MSS does not remove a wireless client from the network under these circumstances.
  • Page 372: Setting The 802.1X Reauthentication Period

    The Bonded Auth period applies only to 802.1X authentication rules that contain the bonded option. To reset the Bonded Auth period to its default value, use the following command: clear dot1x max-req
  • Page 373: Managing Other Timers

    For example, type the following command to set the authorization server timeout to 60 seconds:
        DWS-1008# set dot1x timeout auth-server 60
        success: dot1x auth-server timeout set to 60.
    To reset the authorization server timeout to the default, type the following command:
        DWS-1008# clear dot1x timeout auth-server
        success: change accepted.
  • Page 374: Setting The 802.1X Timeout For A Client

    00:05:5d:7e:94:83 Authenticated vlan-eng EXAMPLE\jgarcia
    00:02:2d:86:bd:38 Authenticated vlan-eng wong@exmpl.com
    00:05:5d:7e:97:b4 Authenticated vlan-eng EXAMPLE\hosni
    00:05:5d:7e:98:1a Authenticated vlan-eng EXAMPLE\tsmith
    00:0b:be:a9:dc:4e Authenticated vlan-pm havel@trpz.com
    00:05:5d:7e:96:e3 Authenticated vlan-eng EXAMPLE\geetha
    00:02:2d:6f:44:77 Authenticated vlan-eng EXAMPLE\tamara
    00:05:5d:7e:94:89 Authenticated vlan-eng EXAMPLE\nwong
    00:06:80:00:5c:02 Authenticated vlan-eng EXAMPLE\hhabib
  • Page 375: Viewing The 802.1X Configuration

    -----------------------------------------------------
    Enters Connecting:
    Logoffs While Connecting:
    Enters Authenticating:
    Success While Authenticating:
    Timeouts While Authenticating:
    Failures While Authenticating:
    Reauths While Authenticating:
    Starts While Authenticating:
    Logoffs While Authenticating:
    Starts While Authenticated:
    Logoffs While Authenticated:
    Bad Packets Received:
  • Page 376: Configuring SODA Endpoint Security

    • Cache Cleaner – Ensures that Web browser information, such as cookies, history, auto-completion data, stored passwords, and temporary files are erased or removed upon termination of the user’s session, inactivity timeout, or closing of the browser.
  • Page 377: SODA Endpoint Security Support

    SSID where the SODA functionality is enabled. Note that in the current release, the SODA functionality works only in conjunction with the Web Portal WebAAA feature.
  • Page 378 If the user’s computer fails one of the SODA agent checks, then a customizable failure page is loaded in the browser window. The user is then disconnected from the network, or can optionally be granted limited network access, based on a specified security ACL.
  • Page 379: Configuring SODA Functionality

    11. Specify an alternate name for the directory where the SODA agent files for a service profile are located (optional). See “Specifying an Alternate SODA Agent Directory for a Service Profile”.
    12. Remove the SODA agent files from the switch (optional). See “Uninstalling the SODA Agent Files from the Switch”.
  • Page 380: Configuring Web Portal WebAAA For The Service Profile

    /soda/ and success.html or failure.html. The /soda/ keyword must immediately follow the hostname. The hostname must match the Common Name specified in the WebAAA certificate.
    • The logout page is required to have /logout.html in the URL.
  • Page 381: Copying The SODA Agent To The Switch

        This command may take up to 20 seconds...
        DWS-1008#
    If SODA functionality is enabled for the service profile that manages SSID sp1, then SODA agent files in this directory are downloaded to clients attempting to connect to SSID sp1.
  • Page 382: Enabling SODA Functionality For The Service Profile

    Note that if you disable the enforcement of the SODA security checks, you cannot apply the success and failure URLs to client devices. In addition, you should not configure the SODA agent to refer to the success and failure pages on the switch if you have disabled enforcement of SODA agent checks.
  • Page 383: Specifying A SODA Agent Success Page

    To specify a page that is loaded when a client fails the security checks performed by the SODA agent, use the following command:
        set service-profile name soda failure-page page
    To reset the failure page to the default value, use the following command:
        clear service-profile name soda failure-page
  • Page 384: Specifying A Remediation ACL

    SODA agent checks. For example, the following command configures the switch to apply acl-1 to a client when it loads the failure page:
        DWS-1008# set service-profile sp1 soda remediation-acl acl-1
        success: change accepted.
  • Page 385: Specifying A SODA Agent Logout Page

    SSID configured for the service profile. You can optionally specify a different directory for the SODA agent files used for a service profile. To do this, use the following command:
        set service-profile name soda agent-directory directory
  • Page 386: Uninstalling The SODA Agent Files From The Switch

        DWS-1008# uninstall soda agent agent-directory sp1
        This will delete all files in agent-directory, do you wish to continue? (y|n) [n]y
    Displaying SODA Configuration Information
    To view information about the SODA configuration for a service profile, use the show service profile command.
  • Page 387
        11a mandatory rate: 6.0,12.0,24.0 standard rates: 9.0,18.0,36.0,48.0,54.0
        11b beacon rate: 2.0 multicast rate: AUTO
        11b mandatory rate: 1.0,2.0 standard rates: 5.5,11.0
        11g beacon rate: 2.0 multicast rate: AUTO
        11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0, 36.0,48.0,54.0
  • Page 388: Managing Sessions

        Telnet tty3 sshadmin
        3 admin sessions
    To clear the sessions of all administrative users, type the following command:
        DWS-1008# clear sessions admin
        This will terminate manager sessions, do you wish to continue? (y|n) [n]y
  • Page 389: Displaying And Clearing An Administrative Console Session

    To view administrative sessions of Telnet clients, type the following command:
        DWS-1008# show sessions telnet client
        Session Server Address Server Port Client Port
        ----------------------------------------------------------------------------------
        192.168.1.81 48000 10.10.1.22 48001
    To clear the administrative sessions of Telnet clients, use the following command:
        clear sessions telnet [client [session-id]]
  • Page 390: Displaying And Clearing Network Sessions

    • By the local session ID. (See “Displaying and Clearing Network Sessions by Session ID”.)
    Note: Authorization attribute values can be changed during authorization. If the values are changed, show sessions output shows the values that are actually in effect following any changes.
  • Page 391: Displaying Verbose Network Session Information

    You can view sessions by a username or user glob. (For a definition of user globs and their format, see “User Globs” on page 10.) To see all sessions for a specific user or for a group of users, type the following command:
        show sessions network user user-glob
  • Page 392 To clear all the network sessions of a user or group of users, use the following command:
        clear sessions network user user-glob
    For example, the following command clears the sessions of users named Bob:
        DWS-1008# clear sessions network user Bob*
  • Page 393: Displaying And Clearing Network Sessions By MAC Address

        -------------------------------------------------------------------------------------------------------
        EXAMPLE\tamara 192.168.12.174 west
        host/laptop.example.com 192.168.12.164 west
        EXAMPLE\havel 192.168.12.195 west
        EXAMPLE\jose 192.168.12.171 west
        EXAMPLE\geetha 192.168.12.169 west
    To clear the sessions on a VLAN or set of VLANs, use the following command:
        clear sessions network vlan vlan-glob
  • Page 394: Displaying And Clearing Network Sessions By Session ID

        Number of bytes with encryption errors: 0
        Last packet data rate: 48
        Last packet signal strength: -60 dBm
        Last packet data S/N ratio: 35
        Protocol: 802.11
        Session CAC: disabled
    The verbose option is not available with the show sessions network session-id command.
  • Page 395: Displaying And Changing Network Session Timers

    For example, to change the user idle timeout for service profile sp1 to 6 minutes (360 seconds), use the following command:
        DWS-1008# set service-profile sp1 user-idle-timeout 360
        success: change accepted.
    To disable the user idle timeout, use the following command:
        DWS-1008# set service-profile sp1 user-idle-timeout 0
        success: change accepted.
  • Page 396: Rogue Detection And Countermeasures

    • Rogue—The device is in the D-Link network but does not belong there.
    • Interfering device—The device is not part of the D-Link network but also is not a rogue. No client connected to the device has been detected communicating with any network entity listed in the forwarding database (FDB) of any switch in the network.
  • Page 397: Rogue Detection Lists

    MSS also can place a client in the black list due to an association, reassociation or disassociation flood from the client. The rogue classification algorithm examines each of these lists when determining whether a device is a rogue.
  • Page 398: RF Detection Scans

    When an AP radio detects radar on a channel, the radio switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes. MSS also generates a message. Note: The RF Auto-tuning feature must be enabled. Otherwise MSS cannot change the channel.
  • Page 399: Countermeasures

    Ignore list: MSS does not classify devices on this list as rogues or interfering devices, and does not issue countermeasures against them.
    Countermeasures: Packets sent by D-Link APs to interfere with the operation of a rogue or interfering device. Countermeasures are configurable on a radio-profile basis.
  • Page 400: Configuring Rogue Detection Lists

    To remove an entry from the permitted vendor list, use the following command:
        clear rfdetect vendor-list {client | ap} {mac-addr | all}
    The following command removes client OUI aa:bb:cc:00:00:00 from the permitted vendor list:
        DWS-1008# clear rfdetect vendor-list client aa:bb:cc:00:00:00
        success: aa:bb:cc:00:00:00 is no longer in client vendor-list.
  • Page 401: Configuring A Permitted SSID List

    To remove an SSID from the permitted SSID list, use the following command:
        clear rfdetect ssid-list ssid-name
    The following command clears SSID mycorp from the permitted SSID list:
        DWS-1008# clear rfdetect ssid-list mycorp
        success: mycorp is no longer in ssid-list.
  • Page 402: Configuring A Client Black List

    To remove a MAC address from the client black list, use the following command:
        clear rfdetect black-list mac-addr
    The following command removes MAC address 11:22:33:44:55:66 from the black list:
        DWS-1008# clear rfdetect black-list 11:22:33:44:55:66
        success: 11:22:33:44:55:66 is no longer blacklisted.
  • Page 403: Configuring An Attack List

    To remove a MAC address from the attack list, use the following command:
        clear rfdetect attack-list mac-addr
    The following command clears MAC address 11:22:33:44:55:66 from the attack list:
        DWS-1008# clear rfdetect attack-list 11:22:33:44:55:66
        success: 11:22:33:44:55:66 is no longer in attacklist.
  • Page 404: Configuring An Ignore List

    Configuring an Ignore List
    By default, when countermeasures are enabled, MSS considers any non-D-Link transmitter to be a rogue device and can send countermeasures to prevent clients from using that device. To prevent MSS from sending countermeasures against a friendly device, add the device to the known devices list:
    If you add a device that MSS has classified as a rogue to the permitted vendor list or permitted SSID list, but not to the ignore list, MSS can still classify the device as a rogue.
  • Page 405: Enabling Countermeasures

        DWS-1008# set radio-profile radprof3 countermeasures configured
        success: change accepted.
    To disable countermeasures on a radio profile, use the following command:
        clear radio-profile name countermeasures
    The following command disables countermeasures in radio profile radprof3:
        DWS-1008# clear radio-profile radprof3 countermeasures
        success: change accepted.
  • Page 406: Disabling Or Reenabling Active Scan

    Enabling AP Signatures
    An AP signature is a set of bits in a management frame sent by an AP that identifies that AP to MSS. If someone attempts to spoof management packets from a D-Link AP, MSS can detect the spoof attempt.
  • Page 407: Enabling Rogue And Countermeasures Notifications

    The source MAC address is spoofed so that clients think the packet is coming from a legitimate AP. If an AP detects a packet with its own source MAC address, the AP knows that the packet was spoofed.
  • Page 408: NetStumbler And Wellenreiter Applications

    • Spoofed AP—A rogue device pretends to be a D-Link AP by sending packets with the source MAC address of the D-Link AP. Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device.
  • Page 409: Ad-Hoc Network

    Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
    Authentication message flood: Client aa:bb:cc:dd:ee:ff is sending authentication message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
  • Page 410 Fake AP SSID (when source MAC address is not known) 1 on channel 11 with RSSI -53 SSID myssid.
    Spoofed SSID: AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is masquerading our ssid used by aa:bb:cc:dd:ee:fd. Detected by listener aa:bb:cc:dd:ee:fc(port 2, radio 1), channel 11 with RSSI -53.
  • Page 411: Displaying RF Detection Information

    This command is valid on any switch in the Mobility Domain. show rfdetect visible mac-addr Displays the BSSIDs detected by a specific D-Link radio. show rfdetect visible ap AP-num [radio {1 | 2}] show rfdetect visible dap dap-num [radio {1 | 2}]...
  • Page 412: Displaying Rogue Clients

        Client Mac Address: 00:0c:41:63:fd:6d, Vendor: D-Link
        Port: dap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen (secs ago): 84
        Bssid: 00:0b:0e:01:02:00, Vendor: D-Link, Type: intfr, Dst: ff:ff:ff:ff:ff:ff
        Last Rogue Status Check (secs ago): 3
    The first line lists information for the client. The other lines list information about the most recent 802.11 packet detected from the client.
  • Page 413: Displaying Rogue Detection Counters

        Access points present in attack-list
        Access points not present in ssid-list
        Access points not present in vendor-list
        Clients not present in vendor-list
        Clients added to automatic black-list
    Note: MSS generates log messages for most of these statistics.
  • Page 414: Displaying RF Detect Data

        = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA)
        BSSID Vendor Type Ch Flags RSSI Age SSID
        ------------------------------------------------------------------------------------------------------------------------
        00:07:50:d5:cc:91 D-Link intfr i----w -61
        00:07:50:d5:dc:78 D-Link intfr i----w -82 r116
        00:09:b7:7b:8a:54 Cisco intfr i-----
  • Page 415: Displaying Countermeasures Information

    This command is valid only on the network’s seed switch.
        DWS-1008# show rfdetect countermeasures
        Total number of entries: 190
        Rogue MAC Type Countermeasures IPaddr Port/Radio Radio Mac /Channel
        --------------------------------------------------------------------------------------------------------------
        00:0b:0e:00:71:c0 intfr 00:0b:0e:44:55:66 10.1.1.23 dap 4/1/6
        00:0b:0e:03:00:80 rogue 00:0b:0e:11:22:33 10.1.1.23 dap 2/1/11
  • Page 416: Managing System Files

    To display version information for a DWS-1008 switch, type the following command: DWS-1008# show version Mobility System Software, Version: 4.1.0 QA 67 Copyright (c) 2002, 2003, 2004, 2005 D-Link, Inc. All rights reserved. Build Information: (build#67) TOP 2005-07-21 04:41:00 Model: DWS-1008 Hardware Mainboard: version 24 ;...
  • Page 417: Displaying Boot Information

    To also display access point information, type the following command: DWS-1008# show version details Mobility System Software, Version: 4.1.0 QA 67 Copyright (c) 2002, 2003, 2004, 2005 D-Link, Inc. All rights reserved. Build Information: (build#67) TOP 2005-07-21 04:41:00 Label: 4.1.0.67_072105_MX20...
  • Page 418: Working With Files

    The boot area is divided into two partitions, boot0 and boot1. Each partition can contain one system image file. The file area can contain subdirectories. Subdirectory names are indicated by a forward slash at the end of the name. In the following example, dangdir and old are subdirectories.
  • Page 419 The following command displays the files in the old subdirectory:
        DWS-1008# dir old
        ==================================================================
        file:
        Filename Size Created
        file:configuration.txt 3541 bytes Sep 22 2003, 22:55:44
        file:configuration.xml 24 KB Sep 22 2003, 22:55:44
        Total: 27 Kbytes used, 207824 Kbytes free
  • Page 420
        Total: 37 bytes used, 91707 Kbytes free
    The following command limits the output to the contents of the boot0 partition:
        DWS-1008# dir boot0:
        ==================================================================
        file:
        Filename Size Created
        boot0:mx040100.020 9780 KB Aug 23 2005, 15:54:08
        Total: 9780 Kbytes used, 207663 Kbytes free
  • Page 421: Copying A File

    Note: You can copy a file from a switch to a TFTP server or from a TFTP server to a switch, but you cannot use MSS to copy a file directly from one TFTP server to another.
  • Page 422 To copy file corpa-login.html from a TFTP server into subdirectory corpa in a DWS-1008 switch’s nonvolatile storage, type the following command:
        DWS-1008# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
        success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
  • Page 423: Using An Image File's MD5 Checksum To Verify Its Integrity

    Using an Image File’s MD5 Checksum To Verify Its Integrity
    If you download an image file from the D-Link support site and install it in a switch’s boot partition, you can verify that the file has not been corrupted while being copied.
  • Page 424: Deleting A File

    Caution: MSS does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, MSS immediately deletes the specified file. D-Link recommends that you copy a file to a TFTP server before deleting the file.
  • Page 425: Removing A Subdirectory

    The all parameter includes all commands that are set at their default values. Without the all parameter, the show config command lists only those configuration commands that set a parameter to a value other than the default.
  • Page 426
        10 name backbone tunnel-affinity 5
        set vlan 10 port 21
        set vlan 10 port 22
        set vlan 3 name red tunnel-affinity 5
        set igmp mrsol mrsi 60 vlan 1
        set igmp mrsol mrsi 60 vlan 10
  • Page 427: Saving Configuration Changes

    To configure a switch to load the configuration file floor2mx from nonvolatile storage following the next software reboot, type the following command:
        DWS-1008# set boot configuration-file floor2mx
        success: boot config set.
  • Page 428: Loading A Configuration File

    Caution: This command completely removes the running configuration and replaces it with the configuration contained in the file. D-Link recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.
  • Page 429: Resetting To The Factory Default Configuration

    If you do not use the force option, the command first compares the running configuration to the configuration file. If the files do not match, MSS does not restart the switch but instead displays a message advising you to either save the configuration changes or use the force option.
  • Page 430: Backing Up And Restoring The System

    This is the default for the backup command. Note: If the archive’s files cannot fit on the switch, the restore operation fails. D-Link recommends deleting unneeded image files before creating or restoring an archive.
  • Page 431: Managing Configuration Changes

        28263 bytes in 0.324 seconds [ 87231 bytes/sec]
    The following command restores system-critical files on a switch, from archive sysa_bak:
        DWS-1008# restore system tftp:/10.10.20.9/sysa_bak
        success: received 11908 bytes in 0.150 seconds [ 79386 bytes/sec]
        success: restore complete.
  • Page 432: Upgrading The System Image

    Caution: Save the configuration, then create a backup of your switch files before you upgrade the switch. D-Link recommends that you make a backup of the switch files before you install the upgrade. If an error occurs during the upgrade, you can restore your switch to its previous state.
  • Page 433 AP. If the boot image is newer, the AP completes installation of its new boot image by copying the boot image into the AP’s flash memory, which takes about 30 seconds, then restarts again. The upgrade of the AP is complete after the second restart.
  • Page 434: Troubleshooting

    Some show commands are particularly useful in troubleshooting. The show tech-support command combines a number of show commands into one, and provides an extensive snapshot of your switch configuration settings for D-Link Technical Support.
    Fixing Common Setup Problems
    The table below contains remedies for some common problems that can occur during basic installation and setup of a DWS-1008 switch.
  • Page 435: Recovering The System When The Enable Password Is Lost

    Console”. Caution: Use an enable password that you will remember. If you lose the password, the only way to restore it causes the system to return to its default settings and wipes out the configuration.
  • Page 436: Configuring And Managing The System Log

    Debug output is logged to the trace buffer by default. The table on the next page summarizes the destinations and defaults for system log messages.
  • Page 437 debug: Output from debugging. Note: The debug level produces a lot of messages, many of which can appear to be somewhat cryptic. Debug messages are used primarily by D-Link for troubleshooting and are not intended for administrator use.
  • Page 438: Using Log Commands

    To modify settings to another severity level, use the following command:
        set log buffer severity severity-level
    For example, to set logging to the buffer for events at the warning level and higher, type the following command:
        DWS-1008# set log buffer severity warning
        success: change accepted.
  • Page 439 RAPDA, WEBVIEW, EAP, FP, STAT, SSHD, SUP, DNSD, CONFIG, BACKUP. To clear the buffer, type the following command:
        DWS-1008# clear log buffer
    To disable logging to the system buffer, type the following command:
        DWS-1008# set log buffer disable
  • Page 440: Logging To The Console

    If you do not specify a local facility, MSS sends the messages with their default MSS facilities. For example, AAA messages are sent with facility 4 and boot messages are sent with facility 20 by default.
  • Page 441: Setting Telnet Session Defaults

    To enable current session logging, type the following command:
        DWS-1008# set log current enable
        success: change accepted
    To disable current session logging, type the following command:
        DWS-1008# set log current disable
        success: change accepted
  • Page 442: Logging To The Trace Buffer

    You can configure MSS to generate mark messages at regular intervals. The mark messages indicate the current system time and date. D-Link can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred.
  • Page 443: Displaying The Log Configuration

    Caution: Using the set trace command can have adverse effects on system performance. D-Link recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
  • Page 444: Tracing Authentication Activity

    Tracing 802.1X sessions can help diagnose problems with wireless clients. For example, to trace 802.1X activity for user tamara@example.com at level 4, type the following command:
        DWS-1008# set trace dot1x user tamara@example.com level 4
        success: change accepted.
  • Page 445: Displaying A Trace

    Because traces use the logging facility, any other logging target can be used to capture trace messages if its severity is set to debug. However, since tracing can be voluminous, D-Link discourages this in practice. To enable trace output to the console, enter the command set log console severity debug.
  • Page 446: Displaying Trace Results

    To find the name of the trace buffer file, use the dir command. For example, the following command copies the log messages in trace buffer 0000000001 to a TFTP server at IP address 192.168.253.11, in a file called log-file:
        DWS-1008# copy 0000000001 tftp://192.168.253.11/log-file
  • Page 447: Clearing The Trace Log

    To view interface information for VLANs, type the following command:
        DWS-1008# show interface
        * = From DHCP
        VLAN Name Address Mask Enabled State RIB
        -------------------------------------------------------------------------------------------------------------------
        default 0.0.0.0 0.0.0.0 Down ipv4
        vlan-eng 192.168.12.7 255.255.255.0 ipv4
        vlan-wep 192.168.19.7 255.255.255.0 ipv4
  • Page 448: Viewing AAA Session Statistics

        *@xmpl.com pass-through SQA
        set authentication dot1x EXAMPLE\* peap-mschapv2 sg1
        user sqa
        password = 08325d4f (encrypted)
        session-timeout = 3600
        mac-user 00:00:a6:47:ad:03
        session-timeout = 3600
        vlan-name = vlan-wep
        mac-user 00:00:65:16:0d:69
        session-timeout = 3600
        vlan-name = vlan-eng
  • Page 449: Viewing FDB Information

    (the source port) to another switch port (the observer). You can attach a protocol analyzer to the observer port to examine the source port’s traffic. Both traffic directions (send and receive) are mirrored.
    Note: Port mirroring enables you to snoop traffic on wired ports. To snoop wireless traffic, see “Remotely Monitoring Traffic”.
  • Page 450: Configuration Requirements

    Remote traffic monitoring enables you to snoop wireless traffic, by using a Distributed AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal.
  • Page 451: How Remote Traffic Monitoring Works

    All Snooped Traffic Is Sent in the Clear
    Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the observer.
  • Page 452: Best Practices For Remote Traffic Monitoring

        AP Mar 25 13:15:21.681369 ERROR DAP 3 ap_network: Observer 10.10.101.2 is not accepting TZSP packets
    To prevent ICMP error messages from the observer, D-Link recommends using the Netcat application on the observer to listen to UDP packets on the TZSP port.
  • Page 453 The snap-length num option specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. D-Link recommends specifying a snap length of 100 bytes or less. The following command configures a snoop filter named snoop1 that matches on all traffic, and copies the traffic to the device that has IP address 10.10.30.2:...
  • Page 454: Displaying Configured Snoop Filters

    If the filter does not have an observer, the AP still maintains a counter of the number of packets that match the filter. The following command maps snoop filter snoop1 to radio 2 on Distributed AP 3:
        DWS-1008# set snoop map snoop1 dap 3 radio 2
        success: change accepted.
  • Page 455: Displaying The Snoop Filters Mapped To A Radio

    The following command removes snoop filter snoop2 from radio 2 on Distributed AP 3:
        DWS-1008# clear snoop map snoop2 dap 3 radio 2
        success: change accepted.
    To remove all snoop filter mappings from all radios, use the following command:
        clear snoop map all
  • Page 456: Enabling Or Disabling A Snoop Filter

    To display statistics for packets matching a snoop filter, use the following command:
        show snoop stats [filter-name [dap-num [radio {1 | 2}]]]
    The following command shows statistics for snoop filter snoop1:
        DWS-1008# show snoop stats snoop1
        Filter Radio Rx Match Tx Match Dropped Stop-After
        =====================================================
        snoop 1 stopped
  • Page 457: Preparing An Observer And Capturing Traffic

    (To display the Distributed AP’s IP address, use the show dap status command.)
    4. Start the capture application:
       • For Ethereal capture, use ethereal filter port 37008.
       • For Tethereal capture, use tethereal -V port 37008.
  • Page 458: Capturing System Information And Sending It To Technical Support

    Capturing System Information and Sending it to Technical Support
    If you need help from D-Link Technical Support to diagnose a system problem, you can make troubleshooting the problem easier by providing the following:
    • show tech-support output
    •...
  • Page 459: The Show Tech-Support Command

        Boot0: Total: 9780 Kbytes used, 2460 Kbytes free
        Boot1: Total: 9796 Kbytes used, 2464 Kbytes free
        ===============================================================
        temporary files:
        Filename Size Created
        core:command_audit.cur 37 bytes Aug 28 2005, 21:11:41
        core:netsys.core.217.tar 560 KB May 06 2005, 21:48:33
        Total: 560 Kbytes used, 91147 Kbytes free
  • Page 460: Debug Messages

    In addition to generating a core file, the switch also sends debug messages to the serial console during a system crash. To capture the messages, attach a PC to the port (if one is not already attached) and use the terminal emulation application on the PC to capture a log of the messages.
  • Page 461: Enabling And Logging Into Web View

    Note: If you are configuring a new DWS-1008, you can access Web View without any preconfiguration. Attach your PC directly to the switch’s Ethernet management port. Then enter http://192.168.100.1 in the web browser’s Location or Address field.
  • Page 462: Logging Into Web View

    Web View to be highlighted in yellow. If you want to turn off the yellow highlighting, disable the Automatically highlight fields that Autofill can fill option, which is one of the toolbar’s options.
  • Page 463: Supported RADIUS Attributes

    Supported RADIUS Attributes
    D-Link Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes. An attribute is sent to RADIUS accounting only if the table listing it shows Yes or Optional in the column marked Sent in Accounting-Request for the attribute and the attribute is applied to the client’s session configuration.
  • Page 464 Class packets sent to the RADIUS server for that client session. Vendor-Specific String. Allows MSS to support D-Link VSAs. Maximum number of seconds of service allowed the user before reauthentication of the session. Note. If the global reauthentication Session-Timeout...
  • Page 465 (for example, 00-10-A4-23-19-C0). Name of the RADIUS client originating an NAS-Identifier Access-Request. The value in the current release is D-Link and cannot be changed. Valid values: • Acct-Start Acct-Status-Type • Acct-Interim-Update • Acct-Stop...
  • Page 466 2869.) Time that the user session started, stopped, Event-Timestamp or was updated, in seconds since January 1, 1970. Tunnel-Private- Same as VLAN-Name. Group-ID Physical port that authenticates the user, in NAS-Port-Id the form AP port number/radio.
  • Page 467: Traffic Ports Used By Mss

    When deploying a D-Link wireless network, you might attach D-Link equipment to subnets that have firewalls or access controls between them. Trapeze equipment uses various protocol ports to exchange information. To ensure full operation of your network, make sure the equipment can exchange information on the ports listed in the table below.
  • Page 468: Dhcp Server

    Note: Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. D-Link recommends that you do not use the MSS DHCP server to allocate client addresses in a production network.
  • Page 469: How The Mss Dhcp Server Works

    • Option 6—Domain Name Servers. If these options are not set with the set interface dhcp-server command’s primary-dns and secondary-dns options, the MSS DHCP server uses the values set by the set ip dns server command.
  • Page 470: Configuring The Dhcp Server

    To remove all IP information from a VLAN, including the DHCP client and user-configured DHCP server, use the following command: clear interface vlan-id ip Note: This command clears all IP configuration information from the interface.
  • Page 471: Displaying Dhcp Server Information

    In addition to information for addresses leased from the VLANs where you configured the server, information for the Direct AP interface is also displayed. The Direct AP interface is an internal VLAN interface for directly connected APs.
  • Page 472: Glossary

    802.11b A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on direct-sequence spread-spectrum (DSSS), at a frequency of 2.4 GHz and data rates of up to 11 Mbps.
  • Page 473 In a D-Link Mobility System, the DWS-1008 switch can use a RADIUS server or its own local database for AAA services.
  • Page 474 - An entity that provides an authentication service to an authenticator. From the credentials provided by a client (or supplicant), the authentication service determines whether the supplicant is authorized to access the services of the authenticator. In a D-Link Mobility System, one or more RADIUS servers can act as authentication servers.
  • Page 475 Detection (CSMA-CD) network. A collision occurs when two or more Layer 2 devices in the network transmit at the same time. Ethernet segments separated by a Layer 2 switch are within different collision domains. comma-separated values file - See CSV file. communications plenum cable - See plenum-rated cable.
  • Page 476 DHCP is the successor to the Bootstrap Protocol (BOOTP). dictionary attack - An attempt to gain illegal access to a computer or network by logging in repeatedly with passwords that are based on a list of terms in a dictionary.
  • Page 477 (BSS) is in power-save mode. A DTIM indicates that any buffered broadcast or multicast frames are immediately transmitted by an access point (AP). DXF format - A tagged data representation, in ASCII format, of the information contained in an AutoCAD drawing file.
  • Page 478 (or supplicant) and the authenticator must support the same EAP type for successful authentication to occur. EAP types supported in a D-Link Mobility System wireless LAN (WLAN) include EAP-MD5, EAP-TLS, PEAP-TLS, PEAP-MS-CHAP, and Tunneled Transport Layer Security (TTLS).
  • Page 479 ESS - Extended service set. A logical connection of multiple basic service sets (BSSs) connected to the same network. Roaming within an ESS is guaranteed by the D-Link Mobility System. Ethernet II - The original Ethernet specification produced by Digital, Intel, and Xerox (DIX) that served as the basis of the IEEE 802.3 standard.
  • Page 480 HMAC - Hashed message authentication code. A function, defined in RFC 2104, for keyed hashing for message authentication. HMAC is used with MD5 and the secure hash algorithm (SHA). hashed message authentication code - See HMAC. Hewlett-Packard Open View - See HPOV.
  • Page 481 Like most corporate wireless LANs (WLANs), which must access a wired LAN for file servers and printers, a D-Link Mobility System is an infrastructure network. Compare ad hoc network.
  • Page 482 VLAN or security ACL to users without these assignments. Defining location policy rules creates a location policy for local access within a DWS-1008 switch. Each switch can have only one location policy. See also location policy rule.
  • Page 483 MAC address glob - A D-Link convention for matching media access control (MAC) addresses or sets of MAC addresses by means of known characters plus a “wildcard” asterisk (*) character that stands for from 1 byte to 5 bytes of the address.
  • Page 484 RF Auto-Tuning is enabled. Mobility System Software™ (MSS™) - The Trapeze operating system, accessible through a command-line interface (CLI), that enables D-Link Mobility System products to operate as a single system. Mobility System Software (MSS) performs authentication, authorization, and accounting (AAA) functions;...
  • Page 485 The certificates are stored (and, when necessary, revoked) by directory services and managed by a certificate management system. See also certificate authority (CA); registration authority (RA).
  • Page 486 Protected Extensible Authentication Protocol - See PEAP. Protocol Independent Multicast protocol - See PIM. pseudorandom function - See PRF. pseudorandom number generator - See PRNG.
  • Page 487 The RADIUS server stores user profiles, which include passwords and authorization attributes. RC4 - A common encryption algorithm, designed by RSA Data Security, Inc., used by the Wired-Equivalent Privacy (WEP) protocol and Temporal Key Integrity Protocol (TKIP). received signal strength indication - See RSSI.
  • Page 488 1 milliwatt (dBm). scalability - The ability to adapt easily to increased or decreased requirements without impairing performance. secure hashing algorithm - See SHA. Secure Shell protocol - See SSH. Secure Sockets Layer protocol - See SSL.
  • Page 489 SSL uses the public-and-private key encryption system from RSA Data Security, Inc., which also includes the use of a digital certificate. See also HTTPS; TLS.
  • Page 490 IEEE 802 networks. Wireless clients and DWL-8220AP access points are stations in a D-Link Mobility System. STP - Spanning Tree Protocol. A link management protocol, defined in the IEEE 802.1D standard, that provides path redundancy while preventing undesirable loops in a network.
  • Page 491 Unlicensed National Information Infrastructure - See U-NII. user - A person who uses a client. In a D-Link Mobility System, users are indexed by username and associated with authorization attributes such as user group membership. user glob - A D-Link convention for matching fully qualified structured usernames or sets of usernames during authentication by means of known characters plus two special “wildcard”...
  • Page 492 Wired-Equivalent Privacy protocol (WEP), WPA is not as secure as IEEE 802.11i, which includes both the RC4 encryption used in WEP and Advanced Encryption Standard (AES) encryption, but is not yet ratified by IEEE. See also AES; RC4; TKIP.
  • Page 493 World Wide Web Consortium (W3C), the XML specification provides a flexible way to create common information formats and share both the format and the data on the Internet, intranets, and elsewhere. Designers can create their own customized tags to define, transmit, validate, and interpret data between applications and between organizations.
  • Page 494: Technical Specifications

    PoE on 10/100 Mbps RJ-45 ports using pins 4, 5 (node) and 7, 8 (return) on standard Category 5 UTP or STP Regulatory Safety • UL 60950 • TUV/GS EN 60950 • CSA 22.2 NO. 60950
  • Page 495: Software Specifications

    • Version 0 (Implementation in Windows XP SP1; Win2K SP3) • draft-kamath-pppext-eap-mschapv2 - Microsoft EAP CHAP extensions v2 Cryptography • WEP and TKIP: RC4 40-bit and 104-bit • SSL and TLS: RC4 128-bit and RSA 1024-bit and 2048-bit • CCMP: AES 128-bit (FIPS-197)
  • Page 496 • Trapeze private MIB IP Multicast • RFC 1112 IGMP v1 • RFC 2236 IGMP v2 Quality of Service • RFC 2472 DiffServ Precedence • RFC 2597 DiffServ Assured Forwarding • RFC 2598 DiffServ Expedited Forwarding
  • Page 497: Warranty

    D-Link at an Authorized D-Link Service Office. The replacement Hardware need not be new or have an identical make, model or part. D-Link may in its sole discretion replace the defective Hardware (or any part thereof) with any reconditioned product that D-Link reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.
  • Page 498 Except as otherwise agreed by D-Link in writing, the replacement Software is provided only to the original licensee, and is subject to the terms and conditions of the license granted by D-Link for the Software. Software will be warranted for the remainder of the original Warranty Period from the date of original retail purchase.
  • Page 499 D-Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package. The product owner agrees to pay D-Link’s reasonable handling and return shipping charges for any product that is not packaged and shipped in accordance with the foregoing requirements, or that is determined by D-Link not to be defective or non-conforming.
  • Page 500: Governing Law

    Trademarks: D-Link is a registered trademark of D-Link Systems, Inc. Other trademarks or registered trademarks are the property of their respective manufacturers or owners.
  • Page 501: Fcc Caution

    The antenna(s) used for this equipment must be installed to provide a separation distance of at least eight inches (20 cm) from all persons. This equipment must not be operated in conjunction with any other antenna.
  • Page 502: Registration

    Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights. Version 2.0 December 8, 2006
