Category Archives: D-Link

Configuring the switch D-Link DES-3200

For example, I will take the D-Link DES-3200-18 C1 switch with firmware 4.36.B012. Commands are similar for switches with a different number of ports, they can differ slightly only with different firmware versions and revisions.

Create an administrator account:

create account admin NAME
config admin local_enable

Storing the administrator password in encrypted form:

enable password encryption

Enabling password recovery:

enable password_recovery

Serial port parameters:

config serial_port baud_rate 115200 auto_logout never

Enable access via the web interface:

enable web 80

Disable switch management over SSH:

disable ssh

Enable telnet access:

enable telnet 23

Setting the terminal window width and displaying information in page mode:

config terminal width 80
enable clipaging

Setting the number of displayed lines of the terminal:

config terminal_line default

Disabling logging of input commands:

disable command logging

Delete default VLAN:

config vlan default delete 1-18
config vlan default advertisement enable

Creating a separate VLAN to manage the switch (17 – uplink):

create vlan core tag 50
config vlan core add tagged 17 advertisement disable

Creating a VLAN for users:

create vlan local_smart tag 51
config vlan local_smart add tagged 17
config vlan local_smart add untagged 1-16,18 advertisement disable

Disabling the encapsulation of VLAN tags in L2 VLAN tags:

disable qinq

Disabling auto VLAN configuration and assigning all ports to a PVID client VLAN:

disable gvrp
config port_vlan 1-18 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 51

Enable automatic assignment of PVID ports (enabled by default):

enable pvid auto_assign

Assigning an IP address to a switch in a VLAN to manage:

config ipif System ipaddress 192.168.1.100/24 vlan core
config ipif System dhcp_option12 state disable
disable autoconfig 
config autoconfig timeout 50

Add default gateway:

create iproute default 192.168.1.1 1 primary

Enable restriction of broadcast traffic for all ports except uplink:

config traffic control 1-16,18 broadcast enable multicast disable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control auto_recover_time 0
config traffic trap none
config traffic control log state enable

Just in case, disable port mirroring:

disable mirror

Setting logs:

config log_save_timing on_demand
disable syslog
config system_severity trap information
config system_severity log information

Resolution of large jumbo frame packets and an example of port configuration:

enable jumbo_frame
config ports 1-16 speed auto flow_control disable learning enable state enable mdix auto
config ports 17 medium_type copper speed auto flow_control disable learning enable state enable mdix auto
config ports 17 medium_type fiber speed auto flow_control disable learning enable state enable
config ports 18 speed auto flow_control disable learning enable state enable

Let us manage the switch only from the specified IP addresses:

create trusted_host network 192.168.1.1/24 snmp telnet ssh http https ping
create trusted_host network 172.16.100.100/32 snmp telnet ssh http https ping

Configure snmp traps:

disable snmp traps
disable snmp authenticate_traps 
disable snmp linkchange_traps
config snmp linkchange_traps ports 1-18 disable
config snmp coldstart_traps enable
config snmp warmstart_traps enable
config rmon trap rising_alarm enable
config rmon trap falling_alarm enable

Enable and sample SNMP settings (where TEXT specify the desired password):

enable snmp
config snmp system_contact admin@ixnfo.com
delete snmp community public
delete snmp community private
delete snmp user initial
delete snmp group initial
create snmp group public v1 read_view CommunityView notify_view CommunityView 
create snmp group public v2c read_view CommunityView notify_view CommunityView 
create snmp community public view CommunityView read_only
create snmp group TEXT v2c read_view CommunityView write_view CommunityView notify_view CommunityView 
create snmp community TEXT view CommunityView read_write
disable community_encryption

Disable IGMP MULTICAST VLAN:

disable igmp_snooping multicast_vlan
config igmp_snooping multicast_vlan forward_unmatched disable

Setting and disabling PORT SECURITY:

config port_security system max_learning_addr no_limit
disable port_security trap_log
config port_security ports 1-18 admin_state disable max_learning_addr 32 lock_address_mode deleteonreset

Storage time (s) mac addresses in the table:

config fdb aging_time 300
config block tx ports 1-18 unicast disable

Let’s solve zero IP for a bunch of mac + ip addresses:

config address_binding ip_mac ports 1-18 allow_zeroip enable

You can enable NetBios filtering on ports, so to speak, to prohibit access to shared drives:

config filter netbios 1-18 state enable
config filter extensive_netbios 1-18 state enable

Configure filtering of harmful DoS packets:

config dos_prevention dos_type land_attack action drop state enable 
config dos_prevention dos_type blat_attack action drop state enable 
config dos_prevention dos_type tcp_null_scan action drop state enable 
config dos_prevention dos_type tcp_xmasscan action drop state enable 
config dos_prevention dos_type tcp_synfin action drop state enable 
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state enable 
config dos_prevention dos_type ping_death_attack action drop state enable 
config dos_prevention dos_type tcp_tiny_frag_attack action drop state enable 
config dos_prevention trap disable
config dos_prevention log disable

Blocking of third-party DHCP servers on all ports except incoming:

config filter dhcp_server ports all state disable
config filter dhcp_server ports 1-16,18 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap_log enable

BPDU flood protection:

enable bpdu_protection
config bpdu_protection recovery_timer 300
config bpdu_protection trap none
config bpdu_protection log attack_detected
config bpdu_protection ports 1-16,18 state enable  
config bpdu_protection ports 1-18 mode drop

Enabling SAFEGUARD ENGINE:

config safeguard_engine state enable utilization rising 98 falling 90 trap_log enable mode fuzzy

Disable sending emails via SMTP:

disable smtp

Configure SNTP time settings:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 40000
config dst disable

Disable management of multicast traffic and some standard parameters:

disable igmp_snooping
disable mld_snooping

ARP options:

config arp_aging time 20
config gratuitous_arp send ipif_status_up enable
config gratuitous_arp send dup_ip_detected enable
config gratuitous_arp learning enable

Setting temperature notifications:

config temperature threshold high 79
config temperature threshold low 11
config temperature trap state disable
config temperature log state enable

Saving configuration:

save all

See also my articles:
Configuring Traffic Segmentation
Configuring LoopBack Detection

Configuring Traffic Segmentation on D-Link Switches

I will give an example of setting up Traffic Segmentation on D-Link switches.
Traffic Segmentation prohibits ports to communicate with each other directly, on other manufacturers’ switches, this function is called Protected Ports, Port Isolation, etc.

Before configuring Traffic Segmentation, you need to know exactly which of the Uplink ports, let’s say on the switch DES-3200-18 C1, port 17 is incoming (uplink), then we execute the following two commands:

Continue reading “Configuring Traffic Segmentation on D-Link Switches”

How to upgrade the firmware on D-Link DI-804HV

To update the firmware of the router D-Link DI-804HV, perform the following necessary steps:

1) Let’s see the revision on the label under the router and download the new firmware from the official site for it http://ftp.dlink.ru/pub/Router/DI-804HV/Firmware/
Updating the firmware of the router for the wrong revision can lead to its failure.

2) Open the settings of the router by typing in the browser its address, for example http://192.168.1.1 or 192.168.0.1 and enter login/password (can be “user” without password).

3) In the opened interface at the top, open the “Tools” tab, on the left of the menu, select “Firmware“. The current page will show the current version of the firmware, if it is older, then click “Browse” and select the previously downloaded new firmware file, then click “Apply” to start the process updates.

We will wait for the update to complete, usually 2-5 minutes. When finished, the router will reboot.

Done.

Configuring sFlow on D-Link Switches

sFlow – Traffic analysis protocol, similar to NetFlow.

Enable/disable sFlow on the switch:

enable/disable sflow

Viewing parameters:

show sflow
show sflow flow_sampler
show sflow counter_poller
show sflow analyzer_server

Adding/modifying the sFlow analyzer server:

create/config sflow analyzer_server 1-4 owner NAME timeout 1-2000000(sec)/infinite collectoraddress ADDRESS collectorport udp_PORT maxdatagramsize 300-1400

Example of removing the sFlow analyzer server:

delete sflow analyzer_server 1-4

Creating, modifying, deleting the sFlow polling counters:

create/config sflow counter_poller ports NUMBER/all analyzer_server_id 1-4 interval disable/20-120(sec)
delete sflow counter_poller ports NUMBER/all

Create, modify, delete sFlow sample ports:

create/config sflow flow_sampler ports NUMBER/all analyzer_server_id (1-4) rate value 0-65535 tx_rate value 0-65535 maxheadersize value 18-256
delete sflow flow_sampler ports NUMBER/all

I will give an example of setting:

enable sflow
create sflow analyzer_server 1 owner Linux collectoraddress 192.168.1.5 collectorport 6343
create sflow counter_poller ports 1 analyzer_server_id 1 interval 20
create sflow flow_sampler ports 1:1 analyzer_server_id 1 rate 1000 maxheadersize 128

Firmware Update D-Link DIR-815

For the test, I will update the firmware on the router D-Link DIR-815 revision A1.
The router has firmware 1.00 (Fri 06 Aug 2010), on official FTP found version 1.04, b03 (Wed May 15, 2013).

To update the firmware in the D-Link DIR-815 router, perform the following necessary steps:

1) Let’s see the revision on the label under the router and download the new firmware from the official FTP for it http://ftp.dlink.ru/pub/Router/DIR-815/Firmware/
Updating the firmware of the router for the wrong revision can lead to its failure.

2) Open the router settings by typing in the browser address http://192.168.0.1 (can be 192.168.1.1) and enter the default login — admin without password.

3) In the opened interface at the top, open the tab “Tools“, left in the menu select “Firmware“. On the opened page the current version of the firmware will be displayed, if it is older than downloaded, then click “Browse” and select the previously downloaded new firmware file, and then click “Upgrade” to start the update process.

We will wait for the update to be completed, usually about 5 minutes. After the termination the router itself will reboot.
Categorically, you can not turn off the power when the firmware is updated.

Configuring the D-Link DGS-3120 Switch

For example, take the DGS-3120-24SC with firmware 3.00.B026.

Configuring notifications from sensors:

config temperature threshold high 79
config temperature threshold low 11
config temperature trap state enable
config temperature log state enable
config fan trap state enable
config power trap state enable

Adding an administrator account:

create account admin NAME PASSWORD

Enabling password storage in encrypted form:

enable password encryption

Setting the auto exit when connected via the console port:

config serial_port auto_logout never

Enabling the web interface:

enable web 80

Enabling display of information in the console in pagination mode:

enable clipaging

Width of the console line:

config terminal width 80

Disable saving the history of the entered commands:

disable command logging

Enabling password recovery:

enable password_recovery

Disabling trap notification when manipulating the configuration:

config configuration trap save disable
config configuration trap upload disable
config configuration trap download disable

debug config state enable
debug config error_reboot enable

Configuring Traffic Control:

config traffic control 1:1-1:24 broadcast enable multicast disable unicast disable action drop broadcast_threshold 100 multicast_threshold 131072 unicast_threshold 131072 countdown 5 time_interval 5
config traffic control auto_recover_time 0
config traffic trap none
config traffic control log state enable

Enabling loop protection on ports other than the uplink ninth:

enable loopdetect
config loopdetect recover_timer 600 interval 10 mode port-based
config loopdetect log state enable
config loopdetect ports 1:1 state enable
config loopdetect ports 1:2 state enable
config loopdetect ports 1:3 state enable
config loopdetect ports 1:4 state enable
config loopdetect ports 1:5 state enable
config loopdetect ports 1:6 state enable
config loopdetect ports 1:7 state enable
config loopdetect ports 1:8 state enable
config loopdetect ports 1:9 state disable
config loopdetect ports 1:10 state enable
config loopdetect ports 1:11 state enable
config loopdetect ports 1:12 state enable
config loopdetect ports 1:13 state enable
config loopdetect ports 1:14 state enable
config loopdetect ports 1:15 state enable
config loopdetect ports 1:16 state enable
config loopdetect ports 1:17 state enable
config loopdetect ports 1:18 state enable
config loopdetect ports 1:19 state enable
config loopdetect ports 1:20 state enable
config loopdetect ports 1:21 state enable
config loopdetect ports 1:22 state enable
config loopdetect ports 1:23 state enable
config loopdetect ports 1:24 state enable
config loopdetect trap none

Disabling the traffic mirroring function:

disable mirror

Log settings:

config log_save_timing on_demand
disable syslog
config system_severity trap notice
config system_severity log information

Segmentation of traffic (prohibition of traffic between ports, uplink port is indicated ninth):

config traffic_segmentation 1:1-1:8,1:10-1:24 forward_list 1:9
config traffic_segmentation 1:9 forward_list 1:1-1:24

Permission to use large packages:

enable jumbo_frame

Example of port configuration:

config ports 1:1 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto description Kvartiru
config ports 1:1-1:8 medium_type fiber speed auto   flow_control disable learning enable state enable
config ports 1:2 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto description BAT
config ports 1:3-1:7 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto
config ports 1:8 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto description Studentu
config ports 1:9 speed auto   flow_control disable learning enable state enable mdix auto description VHOD
config ports 1:10 speed auto   flow_control disable learning enable state enable mdix auto description Zheleznodorozhnaya
config ports 1:11-1:24 speed auto   flow_control disable learning enable state enable mdix auto

We only allow access to the switch from the specified addresses:

create trusted_host network 10.0.0.100/32 snmp telnet ssh http https ping
create trusted_host network 172.16.0.0/24 snmp telnet ssh http https ping

SNMP settings:

disable snmp traps
disable snmp authenticate_traps
disable snmp linkchange_traps
enable snmp
config snmp system_name DGS-3120-24SC
config snmp system_location текст
config snmp linkchange_traps ports 1:1-1:24 enable
config snmp coldstart_traps disable
config snmp warmstart_traps disable
config rmon trap rising_alarm enable
config rmon trap falling_alarm enable
delete snmp community public
delete snmp community private
create snmp community NEW view CommunityView read_only
disable community_encryption

Example of VLAN configuration:

disable pvid auto_assign
config vlan default delete 1:1-1:24
config vlan default advertisement enable
create vlan core tag 207
config vlan core add tagged 1:8-1:13,1:15-1:16,1:18-1:20,1:22-1:24
config vlan core add forbidden 1:1-1:7 advertisement disable
create vlan local_smart tag 226
config vlan local_smart add tagged 1:9-1:13,1:15-1:16,1:18-1:20,1:22-1:24
config vlan local_smart add untagged 1:1-1:7,1:14,1:17,1:21 advertisement disable
create vlan local_smart2 tag 227
config vlan local_smart2 add tagged 1:8-1:9 advertisement disable
create vlan hpna tag 228
config vlan hpna add tagged 1:9,1:12 advertisement disable
create vlan multicast tag 229
config vlan multicast advertisement disable
create vlan lift tag 300
config vlan lift add tagged 1:9,1:11,1:13 advertisement disable
disable gvrp
disable asymmetric_vlan
disable vlan_trunk
config port_vlan 1:1-1:7,1:9-1:24 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 226
config port_vlan 1:8 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 227

Standard settings for PORT_SECURITY:

config port_security system max_learning_addr no_limit
config port_security trap state disable
config port_security log state disable
config port_security ports 1:1-1:24 admin_state disable max_learning_addr 32 action drop lock_address_mode deleteonreset

Here is an example of blocking mac addresses through ACL rules:

create access_profile profile_id 1 profile_name tank34 ethernet source_mac FF-FF-FF-FF-FF-FF
config access_profile profile_id 1 add access_id 1 ethernet source_mac E8-9A-8F-BB-F8-44 vlan_based vlan_id 226 deny
config access_profile profile_id 1 add access_id auto_assign ethernet source_mac F8-1A-67-FE-E7-00 port 1:24 deny
config access_profile profile_id 1 add access_id auto_assign ethernet source_mac F8-1A-67-FE-E7-00 vlan_based vlan_id 226 deny

PowerSaving

config power_saving mode link_detection enable
config power_saving mode length_detection disable
config power_saving mode hibernation disable
config power_saving mode led disable
config power_saving mode port disable

LED-CTRL

config led state enable

MAC address storage time in the router table in seconds:

config fdb aging_time 300

Filtering NetBios (blocking access to the shared resources of users):

config filter netbios all state disable
config filter netbios 1:1-1:24 state enable
config filter extensive_netbios all state disable

Configuring protection against DoS attacks:

config dos_prevention dos_type land_attack action drop state enable
config dos_prevention dos_type blat_attack action drop state enable
config dos_prevention dos_type tcp_null_scan action drop state enable
config dos_prevention dos_type tcp_xmasscan action drop state enable
config dos_prevention dos_type tcp_synfin action drop state enable
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state enable
config dos_prevention dos_type ping_death_attack action drop state enable
config dos_prevention dos_type tcp_tiny_frag_attack action drop state enable
config dos_prevention trap disable
config dos_prevention log disable

We resolve replies from DHCP servers only from the uplink port, thereby blocking the others:

config filter dhcp_server ports all state disable
config filter dhcp_server ports 1:1-1:8,1:10-1:24 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap disable
config filter dhcp_server log enable

Configuring BPDU protection:

enable bpdu_protection
config bpdu_protection recovery_timer 3000
config bpdu_protection log none
config bpdu_protection ports 1:1-1:8,1:10-1:24 state enable
config bpdu_protection ports 1:1-1:24 mode drop

Configuring the Switch Self-Protection “SAFEGUARD ENGINE”:

config safeguard_engine state enable utilization rising 100 falling 93 trap_log enable mode fuzzy

Standard SSH parameters:

config ssh algorithm 3DES enable
config ssh algorithm AES128 enable
config ssh algorithm AES192 enable
config ssh algorithm AES256 enable
config ssh algorithm arcfour enable
config ssh algorithm blowfish enable
config ssh algorithm cast128 enable
config ssh algorithm twofish128 enable
config ssh algorithm twofish192 enable
config ssh algorithm twofish256 enable
config ssh algorithm MD5 enable
config ssh algorithm SHA1 enable
config ssh algorithm RSA enable
config ssh algorithm DSA enable
config ssh authmode password enable
config ssh authmode publickey enable
config ssh authmode hostbased enable
config ssh server maxsession 8
config ssh server contimeout 120
config ssh server authfail 2
config ssh server rekey never
config ssh server port 22
config ssh user NAME authmode password
config ssh publickey bypass_login_screen state disable
disable ssh

Enabling telnet service:

enable telnet 23

SMTP

disable smtp
config smtp server_port 25

Configuring SNTP time parameters:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 poll-interval 31720
config dst disable

LACP

config link_aggregation algorithm mac_source
config lacp_port 1:1-1:24 mode passive

IP

config ipif_mac_mapping ipif System mac_offset 0
config ipif System ipaddress 10.0.0.235/24 vlan core
config ipif System dhcpv6_client disable
config ipif System proxy_arp disable local disable
config ipif System dhcp_option12 state disable
disable autoconfig

Disabling DHCP Relay

disable dhcp_relay
disable dhcpv6_relay

ARP

config arp_aging time 20
config gratuitous_arp send ipif_status_up disable
config gratuitous_arp send dup_ip_detected disable
config gratuitous_arp learning disable

Setting the main route:

create iproute default 192.168.1.1 1 primary

Saving configuration:

save all