ProSAFE® Intelligent Edge Managed Switches Data Sheet
M4100 series
Dynamic 802.1x VLAN assignment mode, including
Dynamic VLAN creation mode and Guest VLAN/
Unauthenticated VLAN are supported for rigorous user
and equipment RADIUS policy server enforcement
• Up to 48 clients (802.1x) per port are supported, including the authentication of the user's domain, in
order to facilitate convergent deployments: for instance when IP phones connect PCs on their bridge, IP
phones and PCs can authenticate on the same switch port but under different VLAN assignment policies
(Voice VLAN versus data VLAN)
802.1x MAC Address Authentication Bypass (MAB)
is an alternative method for non-Radius clients
• A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purposes
• MAB can be configured on a per-port basis on the switch
• MAB initiates only after the dot1x authentication process times out, and only when clients don’t respond
to any of the EAPOL packets sent by the switch
• When 802.1x unaware clients try to connect, the switch sends the MAC address of each client to the
authentication server
• The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
• The RADIUS server returns the access policy and VLAN assignment to the switch for each client
Double VLANs (DVLAN-QoQ) pass traffic from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are
preserved and a service provider VLAN ID is added to the traffic so the traffic can pass the metro core in a simple, secure manner
Private VLANs (with Primary VLAN, Isolated VLAN,
Community VLAN, Promiscuous port, Host port,
Trunks) provide Layer 2 isolation between ports
that share the same broadcast domain, allowing a
VLAN broadcast domain to be partitioned into smaller
point-to-multipoint subdomains across switches in
the same Layer 2 network
• Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but
need to communicate with a router; they remove the need for more complex port-based VLANs with
respective IP interface/subnets and associated L3 routing
• Another typical Private VLAN application is carrier-class deployments, where users shouldn’t see, snoop
on or attack other users’ traffic
Secure Shell (SSH) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured
TACACS+ and RADIUS enhanced administrator management provides strict "Login" and "Enable" authentication enforcement for the switch configuration, based on
latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP
and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
Superior quality of service
Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
8 queues for priorities and various QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
Advanced rate limiting down to 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with ACLs for best granularity
Automatic Voice over IP prioritization with Auto-VoIP
Flow Control
802.3x Flow Control implementation per IEEE 802.3
Annex 31B specifications with Symmetric flow
control, Asymmetric flow control or No flow control
Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot
generate PAUSE frames
Symmetric flow control allows the switch to both respond to, and generate MAC control PAUSE frames
Allows traffic from one device to be throttled for a specified period of time: a device that wishes to inhibit transmission of data frames from another device on the
LAN transmits a PAUSE frame
Modern access layer features highlights