D-Link DGS-3308TG [31/160] Ingress filtering
DGS-3224TGR Gigabit Ethernet Switch User’s Guide
Port VLAN ID
Packets that are tagged (are carrying the 802.1Q VID information) can be transmitted from one 802.1Q compliant network
device to another with the VLAN information intact. This allows 802.1Q VLANs to span network devices (and indeed, the
entire network – if all network devices are 802.1Q compliant).
Unfortunately, not all network devices are 802.1Q compliant. These devices are referred to as tag-unaware. 802.1Q
devices are referred to as tag-aware.
Prior to the adoption of 802.1Q VLANs, port-based and MAC-based VLANs were in common use. These VLANs relied upon
a Port VLAN ID (PVID) to forward packets. A packet received on a given port would be assigned that port’s PVID and
then be forwarded to the port that corresponded to the packet’s destination address (found in the switch’s forwarding table).
If the PVID of the port that received the packet is different from the PVID of the port that is to transmit the packet, the
switch will drop the packet.
Within the switch, different PVIDs mean different VLANs (remember that two VLANs cannot communicate without an
external router). So, VLAN identification based upon the PVIDs cannot create VLANs that extend outside a given switch.
Every physical port on a switch has a PVID. 802.1Q ports are also assigned a PVID, for use within the switch. If no
VLANs are defined on the switch, all ports are then assigned to a default VLAN with a PVID equal to 1. Untagged packets
are assigned the PVID of the port on which they were received. Forwarding decisions are based upon this PVID, in so far as
VLANs are concerned. Tagged packets are forwarded according to the VID contained within the tag. Tagged packets are
also assigned a PVID, but the PVID is not used to make packet forwarding decisions; the VID is.
Tag-aware switches must keep a table to relate PVIDs within the switch to VIDs on the network. The switch will compare
the VID of a packet to be transmitted to the VID of the port that is to transmit the packet. If the two VIDs are different, the
switch will drop the packet. Because of the existence of the PVID for untagged packets and the VID for tagged packets,
tag-aware and tag-unaware network devices can coexist on the same network.
A switch port can have only one PVID, but can have as many VIDs as the switch has memory in its VLAN table to store
them.
Because some devices on a network may be tag-unaware, a decision must be made at each port on a tag-aware device
before packets are transmitted – should the packet to be transmitted have a tag or not? If the transmitting port is connected
to a tag-unaware device, the packet should be untagged. If the transmitting port is connected to a tag-aware device, the
packet should be tagged.
Tagging and Untagging
Every port on an 802.1Q compliant switch can be configured as tagging or untagging.
Ports with tagging enabled will put the VID number, priority and other VLAN information into the header of all packets
that flow into and out of them. If a packet has previously been tagged, the port will not alter the packet, thus keeping the VLAN
information intact. The VLAN information in the tag can then be used by other 802.1Q-compliant devices on the network to
make packet forwarding decisions.
Ports with untagging enabled will strip the 802.1Q tag from all packets that flow into and out of those ports. If the packet
doesn’t have an 802.1Q VLAN tag, the port will not alter the packet. Thus, all packets received by and forwarded by an
untagging port will have no 802.1Q VLAN information (Remember that the PVID is only used internally within the
switch). Untagging is used to send packets from an 802.1Q-compliant network device to a non-compliant network device.
Ingress Filtering
A port on a switch where packets are flowing into the switch and VLAN decisions must be made is referred to as an ingress
port. If ingress filtering is enabled for a port, the switch will examine the VLAN information in the packet header (if
present) and decide whether or not to forward the packet.
If the packet is tagged with VLAN information, the ingress port will first determine if the ingress port itself is a member of
the tagged VLAN. If it is not, the packet will be dropped. If the ingress port is a member of the 802.1Q VLAN, the switch
then determines if the destination port is a member of the 802.1Q VLAN. If it is not, the packet is dropped. If the
destination port is a member of the 802.1Q VLAN, the packet is forwarded and the destination port transmits it to its
attached network segment.
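The PVID assignment and the two membership checks described above can be modelled in a few lines. This is an added example, not code from the D-Link guide: the Port class, the decide function and the port layout are hypothetical, the frames are constructed, and the behaviour with ingress filtering disabled (only the destination check remains) is an assumption that this page does not state.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def frame_vid(frame: bytes):
    """Return the 12-bit VID carried in the frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VID; the rest is priority/CFI

class Port:
    def __init__(self, pvid, vlans, ingress_filtering=True):
        self.pvid = pvid                  # one PVID per port
        self.vlans = set(vlans)           # VLANs the port is a member of
        self.ingress_filtering = ingress_filtering

def decide(frame, ingress, egress):
    """Return (action, vlan, reason) for a frame received on ingress for egress."""
    vid = frame_vid(frame)
    vlan = ingress.pvid if vid is None else vid  # untagged: use the port's PVID
    if vid is not None and ingress.ingress_filtering and vlan not in ingress.vlans:
        return ("drop", vlan, "ingress port is not a member")
    if vlan not in egress.vlans:
        return ("drop", vlan, "destination port is not a member")
    return ("forward", vlan, "ok")

def make_frame(vid=None):
    """Constructed sample frame: broadcast destination, made-up source MAC."""
    macs = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)

# Hypothetical port layout, for illustration only.
ACCESS = Port(pvid=10, vlans=[10])
UPLINK = Port(pvid=1, vlans=[1, 10, 20])
SERVER = Port(pvid=20, vlans=[20])

if __name__ == "__main__":
    for vid, src, dst in [(None, ACCESS, UPLINK), (20, ACCESS, SERVER),
                          (20, UPLINK, SERVER), (20, UPLINK, ACCESS)]:
        print(vid, decide(make_frame(vid), src, dst))
```

The second case is the one ingress filtering exists for: a frame tagged for VLAN 20 arriving on a port that belongs only to VLAN 10 is dropped before the destination port is ever consulted.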