Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » switch » zyxel_gs1910
Trace:
networking:switch:zyxel_gs1910

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:switch:zyxel_gs1910 [2014/09/20 14:16]
gcooper 		networking:switch:zyxel_gs1910 [2015/08/12 09:20] (current)
gcooper
Line 7: Line 7:
 http://www.zyxel.com/us/en/products_services/xgs1910_gs1910_series.shtml?t=p http://www.zyxel.com/us/en/products_services/xgs1910_gs1910_series.shtml?t=p
  
-Support Notes: ftp://ftp2.zyxel.com/GS1910-24HP/support_note/GS1910-24HP_V1.00.zip+**Support Notes**: ftp://ftp2.zyxel.com/GS1910-24HP/support_note/GS1910-24HP_V1.00.zip 
 + 
 +**CLI Reference**: ftp://ftp.zyxel.com/XS3900-48F/cli_reference_guide/XS3900-48F_1.pdf
  
 ===== Firmware Updates ===== ===== Firmware Updates =====
Line 17: Line 19:
 ==== Default Login Details ==== ==== Default Login Details ====
  
-|IP Address     |http://192.168.1.1           +|IP Address     |http://192.168.1.1                                              
-|User Name      |admin                        +|User Name      |admin                                                           
-|Password       |1234                         +|Password       |1234                                                            
-|Serial Console |115200,N,8,1,No flow control |+|Serial Console |115200,N,8,1,No flow control                                    | 
 +|Serial Cable   |9-pin straight through, USB serial adapter + USB extension only |
  
 ==== CLI Basics ==== ==== CLI Basics ====
  
-<file>+Reset to factory defaults, at boot up:
  
 +<file>
 +ctrl-c
 +default
 +reset
 </file> </file>
  
Line 115: Line 122:
 ==== Example Application ==== ==== Example Application ====
  
-We have created a port-based VLAN on switch ports 1-6 to use a section of the switch as a DMZ.+  - We have created a port-based VLAN on switch ports 1-6 to use a section of the switch as a DMZ
 +  - We have a primary Internet connection via cable modem connected to port 1. 
 +  - We have a server's IPMI interface configured with a static public address connected to port 2. 
 +  - We have a router's WAN interface configured with a static public address connected to port 3. 
 +  - For security reasons, we need to limit access to the server's IPMI (remote management) interface to the support provider's public Internet interface.
  
-We have a primary Internet connection via cable modem connected to port 1.+==== Create an ACL Policy ====
  
-We have a server's IPMI interface configured with a static public address connected to port 2.+:!: Here we create policy that consists of two Access Control Entries (ACEs) and we apply the ACL policy to the port connected to the server's IPMI interface.
  
-We have a router's WAN interface configured with a static public address connected to port 3.+:!: The order of the ACEs is important.
  
-For security reasons, we need to limit access to the server's IPMI (remote managementinterface to the support provider'public Internet interface+  - The first ACE permits traffic from the IPMI device to the support providers external Internet address/subnet. 
- +    - Set the 'Policy Filter' to 'Specific' 
-==== Create an ACE ====+    - Use a 'Policy Value' of 1 or another unused ID number (just not '0' zero)
 +    - Set the 'Frame Type' to 'IPv4' 
 +    - Set the destination IP address or subnet as the IPMI support provider'external IP address
 +    - Set the 'Action' to 'Permit'. 
 +  - The second ACE denies all other traffic from the IPMI device. 
 +    - Set the 'Policy Filter' to 'Specific' 
 +    - Use the same 'Policy Value' as in ACE #1. 
 +    - Set the 'Frame Type' to 'IPv4' 
 +    - Change the 'Action' to 'Deny'.
  
 **Configuration -> Security -> Network -> ACL -> Access Control List -> Add** **Configuration -> Security -> Network -> ACL -> Access Control List -> Add**
  
-We create an Access Control List entry (ACE) that permits traffic from the support provider's public IP address destined to the IPMI public IP address:+{{ :networking:switch:zyxel_create_ace.png?direct&650 |}} 
 + 
 +{{ :networking:switch:zyxel_create_ace_2.png?direct&650 |}} 
 + 
 +==== Apply the ACE ==== 
 + 
 +:!: We apply the ACL policy to the port with the IPMI device. 
 + 
 +:!: We deny all other traffic on that port using an ACE (above), not by changing the 'Action' on the Ports page.  That doesn't seem to work as desired. 
 + 
 +**Configuration -> Security -> Network -> ACL -> Ports**
  
-{{ :networking:switch:zyxel_create_ace.png?direct&750 |}}+  - Enter the ID of the ACL policy you just created in the Policy ID field of the port with the IPMI device. 
 +  - Leave the 'Action' as 'Permit'.
  
 +{{ :networking:switch:zyxel_apply_ace.png?direct&700 |}}
networking/switch/zyxel_gs1910.1411244167.txt.gz · Last modified: 2014/09/20 14:16 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki