E2ES Console Plug-In Beta1 RN - D-Link
E2ES Console Plug-In for D-View 6
Beta1 Release Note
Peter Chan, SSPD, D-Link HQ
Preface
This release note is for E2ES Console Plug-In Beta1, a version
intended for field test and demonstration.
Step-by-step configuration samples are included in this release
note as a reference.
Any feedback is welcome.
For function suggestions, please contact [email protected]
For bugs, please open a D-Track case with our support team.
Configuration samples for
ACL
IMPB (IP-MAC-Port Binding)
Supported Features in Beta1
IP-MAC-Port Binding (IMPB)
MAC-Based Access Control (MAC)
802.1X Authentication
Web-Based Access Control (WAC)
Access Control List (ACL)
Port Security
Broadcast Storm Control
Traffic Segmentation
Guest VLAN
Loopback Detection
DHCP server screening
ARP spoofing Prevention
Supported Models & Features
DES-3028 (2.00.B27)
DES-3526 (5.01.B58)
DES-3528 (1.01.B029)
DES-3828 (4.50.B14)
DGS-3200-10 (1.35.B023)
DGS-3650 (2.40.B73)
DGS-3426 (2.35.B09)
IMPB
P
P
P
P
P
P
P
802.1X
P
P
P
P
P
P
P
ACL
P
P
P
P
P
P
P
Broadcast Storm Control
P
P
P
P
P
P
P
P
P
P
P
P
MAC
P
P
P
WAC
P
P
P
P
Guest VLAN
P
Port Security
P
P
P
P
P
P
P
Traffic Segmentation
P
P
P
P
P
P
P
LBD
P
P
P
P
P
P
ARP Spoofing Prevention
P
DHCP Server Screening
P
P
For the latest information about which models support which features, please refer to PMD’s “Function Matrix”.
TOP>Product Data>Switch>Switch>D-VIEW6>Product Literature
Known Issues
The known issues for E2ES Console Beta1
1. When MAC, WAC, Port Security and IMPB are enabled on a switch port,
no conflict warning message is shown to notify the user.
2. When the 802.1X Auth Mode is changed to MAC Based mode, E2ES
Console does not check whether any port already has IMPB or
Port Security enabled.
3. WAC Known Issues for DGS-3200
When the user tries to change DGS-3200’s “WAC status” from
“disable” to “enable”, the “Virtual IP” needs to be configured first.
Sometimes, the user account in the “WAC User Setting” pages cannot
be created or removed.
4. WAC Known Issues for DES-3528
The parameters “Authentication VLAN” and “Redirection Page”
must be configured in switch first before configuring E2ES
Console’s “Port WAC Setting”.
Users cannot create user accounts via E2ES Console’s “WAC User
Setting” feature.
5. WAC Known Issues for DES-3828
The parameters “VLAN Name” and “Logout Time” must be
configured in switch first before configuring E2ES Console’s “Port
WAC Setting”
6. WAC Known Issues for DGS-3650
The parameters “VLAN Name” and “Redirection Path” must be
configured in switch first before changing E2ES Console’s “WAC
State” to “Enabled”
7. If any user accounts exist in E2ES Console’s “WAC User Setting”,
you will always get a “Fail” status when applying settings to the switch.
8. If any MAC addresses exist in E2ES Console’s “MAC Database
Setting”, you will always get a “Fail” status when applying settings to
the switch.
9. IMPB Known Issues for DGS-3650
Enabling the “ACL Mode” parameter in the MIB file actually
enables the “Trap Log” parameter in the Web UI. Also, the “Trap Log”
parameter is not configurable. This is a switch firmware issue.
10. DHCP Server Screening Known Issues
If there is any record in the “DHCP Offer Filtering”
table, the user will always get a “Fail” status when trying
to apply the setting to the switch.
Notice
D-View 6 platform must be installed before installing E2ES
Console Plug-In
Please download the latest D-View 6 version on PMD:
TOP>Product Data>Switch>Switch>D-VIEW6>Firmware
E2ES Console beta code files
E2ESConsoleB01(STD).exe: to work with D-View 6 Standard
Edition
E2ESConsoleB01(PRO).exe: to work with D-View 6
Professional Edition
Installation
Double click the installation file, E2ESConsoleB01(STD).exe,
to install E2ES Console Plug-In Beta1
Please follow the instructions to complete the installation
How to Make a Demonstration
- Topology
D-View 6 Standard
E2ES Console Plug-In (Beta1)
DGS-3200-10
1.35B023
DES-3528
1.01.B029
DES-3028
2.00.B27
To expand the demonstration architecture, please check the table on pages 3
& 4. Make sure the switch and firmware version work with the E2ES Console
Beta1 version.
How to Make a Demonstration
- Switch’s Configuration
DES-3028 (2.00.B27)
DES-3028:4#config ipif System ipaddress 172.17.5.214/24
DES-3028:4#create iproute default 172.17.5.254
DES-3028:4#create snmp host 172.17.5.104 v1 public
DES-3528 (1.01.B029)
DES-3528:5#config ipif System ipaddress 172.17.5.213/24
DES-3528:5#create iproute default 172.17.5.254
DES-3528:5#enable snmp
DES-3528:5#create snmp host 172.17.5.104 v1 public
DGS-3200-10 (1.30.B023)
DGS-3200-10:4#config ipif System ipaddress 172.17.5.211/24
DGS-3200-10:4#create iproute default 172.17.5.254
DGS-3200-10:4#enable snmp
DGS-3200-10:4#create snmp host 172.17.5.104 v1 public
How to Make a Demonstration
- Discover the Topology
How to launch the discovery tool?
By Function Menu
By Quick Menu
By Wizard
How to Make a Demonstration
- Discover the Topology
Discover Topology by Function Menu
NetTools > Topology Generator
The Domain and Netmap must be created before
executing this
Discover Topology by Quick Menu
Right click the mouse on Netmap >
The Domain and Netmap must be created before executing
this
How to Make a Demonstration
- Discover the Topology
Discover Topology by Wizard
When D-View starts, the wizard will pop up automatically
Select “D-View Startup Wizard”
Please follow the guidance to complete the discovery
We will demonstrate discovering the topology by Wizard in this document.
How to Make a Demonstration
- Discover the Topology by Wizard
Step1: Select the “D-View Startup Wizard”
D-View will redirect to original topology-generation wizard
portal
Click “Next” for next step
How to Make a Demonstration
- Discover the Topology by Wizard
Step2: Create Domain
Enter the Domain name and click “Create” button
Click “Next” when complete
How to Make a Demonstration
- Discover the Topology by Wizard
Step3: Create Netmap
Enter Netmap’s name and description if necessary
Click “Next” when complete
Step3-1: Select network adaptor
You may not see this request if
your server/desktop only supports
one network adaptor
Choose the network adaptor from
the candidates and click “OK”
How to Make a Demonstration
- Discover the Topology by Wizard
Step4: Decide the analysis mode
Local Network: D-View will try to discover the topology based
on D-View Server’s subnet
Designated Network: assign an IP range for scan
* Topology name is mandatory
How to Make a Demonstration
- Discover the Topology by Wizard
Step5: assign the community name and start the discovery
Enter the community name that is assigned on the switch
Click “Complete”
Process status is displayed in D-View’s Message Board
The “Complete” button
How to Make a Demonstration
- Discover the Topology by Wizard
Step6: export to Domain and Netmap
Select the Domain and Netmap to export the discovery result
Click “Export”
How to Make a Demonstration
- Discover the Topology by Wizard
Step7: Add devices to the polling list
D-View will not poll the switches in gray color
Select gray switches and right click the mouse
Select “Add to Poll List”; these switches will turn green and D-View will monitor their status
ACL (Access Control List)
Introduction and Configuration Sample
ACL Configuration Sample Preface
This section will demonstrate how to configure ACL for
DGS-3200, DES-3528 and DES-3028
Purpose
Know how to configure ACL feature on E2ES Console Plug-In
by following the step-by-step procedures
Be able to demonstrate it to customers with these steps
This document introduces ACL configuration. To test or
demonstrate ACL, please refer to “BSW 2008 - E2ES Demo”
document.
How to Launch ACL
- Wizard Portal
Three ways to launch ACL configuration
Wizard Portal
Quick Menu
Function Menu
Wizard Portal
There are two entry points for ACL configuration
Attack Mitigation
E2ES Console Plug-In Wizard > Endpoint Security Wizard
> Attack Mitigation > High Level ACL*
Traffic Control
E2ES Console Plug-In Wizard > Endpoint Security Wizard
> Traffic Control > ACL*
* Both “High Level ACL” and “ACL” have the same configuration design; there is no difference between them
How to Launch ACL
- Function Menu & Quick Menu
Quick Menu: click the device icon and right click
Function Menu:
Plug-In > E2ES Console Plug-In > ACL
< Function Menu >
< Quick Menu >
Configuration Sample
- ACL
The configuration sample is based on 2009 pre-sales
training scenario
Push ACL to Edge Switch
[Figure labels: slow response, congestion]
Switch Port: All ports
Protocol: UDP
Port #: 135, 139, 445
Action: Deny
Configuration Sample
- ACL (DGS-3200)
Step1: select device on which you want to configure ACL
Configuration Sample
- ACL (DGS-3200)
Step2: select “Access Profile List” to generate ACL
Configuration Sample
- ACL (DGS-3200)
Step3: select “Create Profile” to generate ACL Profile
Configuration Sample
- ACL (DGS-3200)
Step4: configure ACL profile ID and protocol type
Assign a profile ID and type of ACL
In this scenario, we need to deny UDP ports
Create new profile & ACL type
The details of selected ACL
ACLs in the switch
Configuration Sample
- ACL (DGS-3200)
Step5: define the checking mask
Source IP Mask: 0.0.0.0 means “any”
Destination IP Mask: 0.0.0.0 means “any”
Source: any
Destination: any
Check destination port with
UDP protocol type
Add the mask rule
Configuration Sample
- ACL (DGS-3200)
Step6: confirm the settings, apply to switch then add rules
D-View will display configured profile ID and associated mask settings
Click “Apply to Switch” if no more modification required
Create associated rules for the profile by clicking “Create Rules” button
The configured profile
The configured rules
Create rules for the profile
Apply settings to switch
Configuration Sample
- ACL (DGS-3200)
Step7: select the profile ID on which you want to create
rules
Configuration Sample
- ACL (DGS-3200)
Step8: create the detailed rules to deny specific UDP port
Source: any
Destination: any
Define the UDP port
Created rules
Configuration Sample
- ACL (DGS-3200)
Step9: confirm and apply the rules to switch
The operation status
Rule ID
Keep on configuring
other switch
Rule content
Apply settings to switch
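The following Python sketch is an added example, not part of the original release note or of D-Link's software. It models how the Step5 mask and the Step8 rules combine to drop UDP 135/139/445, and why an all-zero mask means "any". The 0xFFFF port mask, the access IDs, the default-permit behaviour and the sample packets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

@dataclass(frozen=True)
class Profile:              # Step4/Step5: which fields are checked, and how strictly
    protocol: str
    src_ip_mask: str
    dst_ip_mask: str
    dst_port_mask: int

@dataclass(frozen=True)
class Rule:                 # Step8: values compared under the profile's masks
    access_id: int
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str

@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

def masked_equal(a, b, mask):
    # Only bits set in the mask are compared; mask 0 compares nothing, so it matches "any".
    return (a & mask) == (b & mask)

def rule_matches(profile, rule, pkt):
    return (pkt.protocol == profile.protocol
            and masked_equal(ip_int(pkt.src_ip), ip_int(rule.src_ip), ip_int(profile.src_ip_mask))
            and masked_equal(ip_int(pkt.dst_ip), ip_int(rule.dst_ip), ip_int(profile.dst_ip_mask))
            and masked_equal(pkt.dst_port, rule.dst_port, profile.dst_port_mask))

def evaluate(profile, rules, pkt, default="permit"):
    # Assumption: rules are tried in access-ID order and unmatched traffic is forwarded.
    for rule in sorted(rules, key=lambda r: r.access_id):
        if rule_matches(profile, rule, pkt):
            return rule.action
    return default

# The scenario from this section: source any, destination any, deny UDP 135/139/445.
PROFILE = Profile("udp", "0.0.0.0", "0.0.0.0", 0xFFFF)
RULES = [Rule(i, "0.0.0.0", "0.0.0.0", port, "deny")
         for i, port in enumerate((135, 139, 445), start=1)]
# Misconfiguration to watch for: a zero port mask makes the first rule match every UDP packet.
LOOSE_PROFILE = Profile("udp", "0.0.0.0", "0.0.0.0", 0x0000)

if __name__ == "__main__":
    # Constructed sample packets in the demo subnet.
    for pkt in (Packet("udp", "172.17.5.10", "172.17.5.20", 445),
                Packet("udp", "172.17.5.10", "172.17.5.20", 53),
                Packet("tcp", "172.17.5.10", "172.17.5.20", 445)):
        print(pkt, evaluate(PROFILE, RULES, pkt), evaluate(LOOSE_PROFILE, RULES, pkt))
```

Running the same packets through LOOSE_PROFILE shows the failure mode worth checking before "Apply to Switch": with no port bits in the mask, ordinary UDP traffic such as DNS is denied as well.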
Configuration Sample
- ACL (DES-3528)
Step1: select device on which you want to configure ACL
Configuration Sample
- ACL (DES-3528)
Step2: select “Access Profile List” to generate ACL
Configuration Sample
- ACL (DES-3528)
Step3: select “Create Profile” to generate ACL Profile
Configuration Sample
- ACL (DES-3528)
Step4: configure ACL profile ID and protocol type
Assign a profile ID and type of ACL
In this scenario, we need to deny UDP ports
DES-3528 supports Profile Name*
ACLs in the switch
*Please make sure no space exists in the name
The details of selected ACL
Configuration Sample
- ACL (DES-3528)
Step5: define the checking mask
Source IP Mask: 0.0.0.0 means “any”
Destination IP Mask: 0.0.0.0 means “any”
Source: any
Destination: any
Check destination port with
UDP protocol type
Add the mask rule
Configuration Sample
- ACL (DES-3528)
Step6: confirm the settings, apply to switch then add rules
D-View will display the profile ID and associated mask settings
Click “Apply to Switch” if no more modification required
Create associated rules for the profile by clicking “Create Rules” button
Operation status
The configured profile
The configured rules
Create rules for the profile
Apply settings to switch
Configuration Sample
- ACL (DES-3528)
Step7: select the profile ID on which you want to create
rules
Select the profile ID
for creating rules
Detail content in that
profile
Configuration Sample
- ACL (DES-3528)
Step8: create the detailed rules to deny specific UDP port
Assign ID and action
Source: any
Destination: any
Ports to apply the rules
Define the UDP port
Add rules to list
Created rules
Configuration Sample
- ACL (DES-3528)
Step9: confirm and apply the rules to switch
The operation status
Rule ID
Keep on configuring
other switch
Rule content
Apply settings to switch
Configuration Sample
- ACL (DES-3028)
Step1: select device on which you want to configure ACL
Configuration Sample
- ACL (DES-3028)
Step2: select “Access Profile List” to generate ACL
Configuration Sample
- ACL (DES-3028)
Step3: select “Create Profile” to generate ACL Profile
Configuration Sample
- ACL (DES-3028)
Step4: configure ACL profile ID and protocol type
Assign a profile ID and type of ACL
In this scenario, we need to deny UDP ports
Select Profile ID
No existing ACL in switch
No ACL content to display
Configuration Sample
- ACL (DES-3028)
Step5: define the checking mask
Source IP Mask: 0.0.0.0 means “any”
Destination IP Mask: 0.0.0.0 means “any”
Source: any
Destination: any
Check destination port with
UDP protocol type
Add the mask rule
Configuration Sample
- ACL (DES-3028)
Step6: confirm the settings, apply to switch then add rules
D-View will display the profile ID and associated mask settings
Click “Apply to Switch” if no more modification required
Create associated rules for the profile by clicking “Create Rules” button
Operation status
The configured profile
The configured rules
Create rules for the profile
Apply settings to switch
Configuration Sample
- ACL (DES-3028)
Step7: select the profile ID on which you want to create
rules
Select the profile ID
for creating rules
Detail content in that
profile
Configuration Sample
- ACL (DES-3028)
Step8: create the detailed rules to deny specific UDP port
Assign ID and action
Source: any
Destination: any
Ports to apply the rules
Define the UDP port
Add rules to list
Created rules
Configuration Sample
- ACL (DES-3028)
Step9: confirm and apply the rules to switch
The operation status
Rule ID
Keep on configuring
other switch
Rule content
Apply settings to switch
IMPB (IP-MAC-Port Binding)
Introduction and Configuration Sample
Configuration Sample
- IMPB
This section demonstrates IMPB configuration for DGS-3200 and DES-3528
Purpose
Know how to configure IMPB on E2ES Console Plug-In by
following the step-by-step procedures
Be able to demonstrate it to the customers with these steps
This document introduces IMPB configuration. To test or
demonstrate IMPB, please refer to “BSW 2008 - E2ES
Demo” document written by Gary Chuang
Supported models
DES-3028
DGS-3200-10
DES-3528
DGS-3650
DES-3526
DGS-3426
DES-3828
How to Launch IMPB
- Wizard Portal
This configuration sample is for DGS-3200
Three ways to launch IMPB
Wizard Portal
E2ES Console Plug-In Wizard > Endpoint Security Wizard
> Node/Address Control > IMPB
How to Launch IMPB
- Function Menu & Quick Menu
Quick Menu: click on the device icon and right click
Function Menu:
Plug-In > E2ES Console Plug-In > IMPB
< Function Menu >
< Quick Menu >
Configuration Sample
- IMPB (DGS-3200)
Step1: select the device on which you want to configure
IMPB
Configuration Sample
- IMPB (DGS-3200)
Step2: configure the global parameters and decide the
client discovery mode
The “Client Discovery” will be disabled once the DHCP Snoop
State is enabled.
Configuration Sample
- IMPB (DGS-3200)
If switch does not support DHCP Snooping, user can use
Client Discovery to generate the IMPB table
Global configuration
The discovery modes
Configuration Sample
- IMPB (DGS-3200)
Step3: configure the binding table
D-View will automatically query switch’s ARP and FDB table
and generate the IP-MAC-Port binding entries.
Select the legitimate entries and add to the “Step2: Binding
Table”
Configure each entry’s ARP/ACL mode
When you complete the setting, you may back up the
configuration.
If you have an existing configuration, you may restore it to
the switch.
The backup/restore covers only the IMPB entries.
It does not back up the whole configuration.
Configuration Sample
- IMPB (DGS-3200)
D-View queries the switch’s ARP & FDB tables and associates the binding entries
Add the legitimate entries to the Binding Table, the White List
Configure the ARP/ACL mode
for each entry
Backup/Restore the configured
IMPB entries
Check the NetBIOS name
Configuration Sample
- IMPB (DGS-3200)
Step4: enable the IMPB on port/ports
Be able to configure single/multiple ports simultaneously
Configuration Sample
- IMPB (DGS-3200)
Step5: enable global parameters, save configuration and
apply to switch
Configure global parameters
Save configuration to specific
location
Back to device list table
Apply settings to switch
Backup and Restore Binding Entries
Backup and Restore the IMPB
Click “Backup” or “Restore” button to complete the task
D-View only backs up/restores the binding entries. Other parameters and IMPB-associated
configuration are NOT included.
Follow the associated procedures to complete the IMPB configuration
After restoration
Type of Client Survey Mode
- Auto Scan
D-View will query switch’s ARP & FDB table and associate
to IMPB entries
Incomplete entries will be grayed out
Support querying NetBIOS name to facilitate the identification
Type of Client Survey Mode
- Manually
Manually enter single binding entry with below parameters
IP Address
MAC Address
ARP/ACL Mode
Port
Type of Client Survey Mode
- Scan Mode
Provide an IP range to filter the scanned result
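An added Python sketch (not D-View code and not from the original release note) of the association the survey modes describe: ARP entries (IP to MAC) are joined with FDB entries (MAC to port), entries missing either half are flagged incomplete, and an optional IP range filters the result as in Scan Mode. The table contents, function names and the approved-IP selection step are constructed for illustration.

```python
import ipaddress

# Constructed sample data standing in for a switch's ARP and FDB tables.
ARP_TABLE = [("172.17.5.10", "02-00-00-00-00-01"),
             ("172.17.5.11", "02:00:00:00:00:02"),   # different notation, same kind of MAC
             ("172.17.5.50", "02-00-00-00-00-03")]   # no FDB entry: port unknown
FDB_TABLE = [("02-00-00-00-00-01", 1),
             ("02-00-00-00-00-02", 2),
             ("02-00-00-00-00-04", 5)]               # no ARP entry: IP unknown

def norm_mac(mac):
    return mac.replace(":", "-").upper()

def build_candidates(arp_table, fdb_table, ip_range=None):
    """Join ARP (IP->MAC) with FDB (MAC->port) into candidate IP-MAC-Port entries."""
    port_by_mac = {norm_mac(mac): port for mac, port in fdb_table}
    seen, entries = set(), []
    for ip, mac in arp_table:
        mac = norm_mac(mac)
        seen.add(mac)
        port = port_by_mac.get(mac)
        entries.append({"ip": ip, "mac": mac, "port": port, "complete": port is not None})
    for mac, port in port_by_mac.items():
        if mac not in seen:          # learned on a port but never resolved to an IP
            entries.append({"ip": None, "mac": mac, "port": port, "complete": False})
    if ip_range is not None:         # Scan Mode: keep only entries inside the given range
        lo, hi = (ipaddress.IPv4Address(a) for a in ip_range)
        entries = [e for e in entries
                   if e["ip"] and lo <= ipaddress.IPv4Address(e["ip"]) <= hi]
    return entries

def binding_table(candidates, approved_ips):
    """White list: operator-approved entries only; incomplete entries are never bound."""
    return {(e["ip"], e["mac"], e["port"])
            for e in candidates if e["complete"] and e["ip"] in approved_ips}

def is_bound(table, ip, mac, port):
    """True only when IP, MAC and port all match one white-list entry."""
    return (ip, norm_mac(mac), port) in table

if __name__ == "__main__":
    cands = build_candidates(ARP_TABLE, FDB_TABLE)
    for e in cands:
        print(e)
    table = binding_table(cands, {"172.17.5.10", "172.17.5.50"})
    print(is_bound(table, "172.17.5.10", "02:00:00:00:00:01", 1))  # legitimate host
    print(is_bound(table, "172.17.5.10", "02-00-00-00-00-02", 2))  # IP claimed by another MAC
```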
Configuration Sample
- IMPB (DES-3528)
Step1: select the device on which you want to configure IMPB
Configuration Sample
- IMPB (DES-3528)
Step2: decide the survey mode
D-View will query switch’s ARP & FDB table and associate
IMPB table
Configuration Sample
- IMPB (DES-3528)
Step3: configure the binding table
D-View will automatically query the switch’s ARP and FDB tables
to generate the IP-MAC-Port binding entries.
Select the legitimate entries and add to the “Step2: Binding
Table”
Configure each entry’s ARP/ACL mode
When you complete the setting, you may back up the
configuration.
If you have an existing configuration, you may restore it to the
switch.
The backup/restore covers only the IMPB entries.
It does not back up the whole configuration.
Configuration Sample
- IMPB (DES-3528)
D-View queries the switch’s ARP & FDB tables and associates the binding entries
Add the legal entries to the Binding Table, the White List
Configure the ARP/ACL mode
for each entry
Backup/Restore the configured
IMPB entries
Check the NetBIOS name
Configuration Sample
- IMPB (DES-3528)
Step4: enable the IMPB on port/ports
Be able to configure single/multiple ports simultaneously
Enable with port range or discrete one
Configuration Sample
- IMPB (DES-3528)
Step5: enable global parameters, save configuration and
apply to switch
Configure global parameters
Save configuration to specific
location
Back to device list table
Status bar for “Apply to Switch”
Apply settings to switch
Configuration Sample
- IMPB (DES-3028)
Step1: select the device on which you want to configure IMPB
Configuration Sample
- IMPB (DES-3028)
Step2: decide the survey mode
D-View will query switch’s ARP & FDB table and associate
IMPB table
Configuration Sample
- IMPB (DES-3028)
Step3: configure the binding table
D-View will automatically query the switch’s ARP and FDB tables
to generate the IP-MAC-Port binding entries.
Select the legitimate entries and add to the “Step2: Binding
Table”
Configure each entry’s ARP/ACL mode
When you complete the setting, you may back up the
configuration.
If you have an existing configuration, you may restore it to the
switch.
The backup/restore covers only the IMPB entries.
It does not back up the whole configuration.
Configuration Sample
- IMPB (DES-3028)
D-View queries the switch’s ARP & FDB tables and associates the binding entries
Add the legal entries to the Binding Table, the White List
Configure the ARP/ACL mode
for each entry
Backup/Restore the configured
IMPB entries
Check the NetBIOS name
Configuration Sample
- IMPB (DES-3028)
Step4: enable the IMPB on port/ports
Be able to configure single/multiple ports simultaneously
Enable with port range or discrete one
Configuration Sample
- IMPB (DES-3028)
Step5: enable global parameters, save configuration and
apply to switch
Configure global parameters
Save configuration to specific
location
Back to device list table
Status bar for “Apply to Switch”
Apply settings to switch
Thank You!