The NETGEAR M4200 switch range is a unique and efficient solution to support 802.11ac Wave 2 Wi-Fi deployments. The M4200 is the first 8 x 2.5G Multi-Gigabit switch with full PoE+ on all ports and 2 x 10 Gigabit for uplinks to the wiring closet. Layer 3 features include static routing and dynamic routing with the RIP protocol. The NETGEAR M4200 is ready for future evolutions thanks to the SDN (Software-defined Network) and OpenFlow 1.3 functions enabled on your network.
NETGEAR intelligent edge switching solutions combine the latest hardware advances and software engineering for greater flexibility, more ease of use, increased investment protection and better added value.
Highlights
M4200 series
Multi-Gigabit Ethernet
• The ProSAFE® M4200-10MG-PoE+ has 1G/2.5G/5G NBASE-T ports and wire-speed 8 x 2.5G / 2 x 10G aggregation links.
• Network access layer for 802.11ac Wi-Fi access points with full PoE+ provisioning, compatible with 3x3 and 4x4 Wave 2 installations
High flexibility
• Design offering easy mounting options, whether on a wall, on a round or square pole, or in a standard 19-inch rack
• Reliable positioning in suspended ceilings or in air ducts where other switches cannot be deployed. Vertical placement, horizontal placement on surfaces, or perpendicular placement
Contents: Models at a glance; Features; Characteristics; Target applications; Components and modules; Technical specifications
Less complexity
• Features including Layer 2 switching (multi-level access control, auto-VoIP, auto-iSCSI) and Layer 3 routing (static or RIP) are available without purchasing a license
• Innovative DHCP/BootP automatic installation includes automatic download of the firmware and of the configuration file
Investment protection
• NBASE-T Multi-Gigabit provides access to speeds 2.5 to 5 times faster over Cat5e/Cat6 cables of up to 100 m and provides compatibility with 100M and Gigabit connections
• Even if a company is not ready for RPS, OpenFlow support offers a design ready for future evolutions, for maximum investment protection.
Secure services
• With successive tiering, the authentication manager enables per-port authentication for multi-tier authentication within preset time-outs
• Security policies are powerful and simple to implement with BYOD, using tiered Dot1x -> MAB -> captive portal authentication
Standard management
• Standard command line interface (CLI), graphical web management interface (GUI), SNMP, sFlow and RSPAN
• Seamless NMS300 management platform, which enables unified firmware updates and supports mass configuration
Warranty
• The NETGEAR M4200 range is covered by the ProSAFE lifetime warranty*
• Technical support by phone for 90 days or by email, lifetime technical support via online chat, lifetime next-business-day hardware replacement.
ProSAFE® Layer 3 Web/CLI managed switches
Hardware
Model name: M4200-10MG-PoE+
Form factor: full width, 1-unit 1U rack-mountable, (10 cm) depth
Switching capacity: 90 Gbps
Front:
• 100/1000/2.5G BASE-T RJ45 ports: 6 PoE+ ports (100M; 1G; 2.5G)
• 100/1000/2.5G/5G BASE-T RJ45 ports: 2 PoE+ ports (100M; 1G; 2.5G; 5G)
• 1000/10GBASE-X SFP+ ports: 2 ports (1G; 10G)
• PoE budget: 240W PoE, 8 Multi-Gigabit ports with PoE+ support
Rear:
• Power supply: internal, fixed
• Fans: side-to-side, 28.9dB, low acoustics
Management (console / out-of-band):
• Ethernet: Gigabit out-of-band port (front)
• Console: RJ45 RS232 (front)
• Console: Mini-USB (front)
• Storage: USB (front)
Part number: GSM4210P
Software (Layer 3 package)
Model name: M4200-10MG-PoE+
• Management: out-of-band; Web GUI; HTTPS; CLI; Telnet; SSH; SNMP, MIBs; RSPAN
• Users: RADIUS, TACACS+
• Usage optimization: link dependency (enable or disable one or more ports based on the link state of one or more different ports); Syslog and packet captures can be sent to the USB port (storage)
• IPv4/IPv6 ACL and QoS, DiffServ: ingress; 1 Kbps shaping, time-based; Single Rate Policing
• IPv4/IPv6 multicast filtering: IGMPv3 MLDv2 Snooping; IGMPv1,v2 and MLDv1 Snooping Querier; packet flooding control
• IPv4/IPv6 policing and convergence: LLDP-MED; Auto-VoIP; Auto-iSCSI
• Spanning Tree / Green Ethernet: STP, RSTP, MSTP, PV(R)STP (CLI only); BPDU/STRG Root Guard; EEE (802.3az)
• VLANs: static, dynamic, voice, MAC; GVRP/GMRP; QinQ; private VLANs
• Trunking / port channel: LACP, static or dynamic; seven (7) L2/L3/L4 hashing algorithms
• Authentication: successive tiering (DOT1X; MAB; captive portal)
• IPv4/IPv6 security: DHCP Snooping; IPv4: Dynamic ARP Inspection
• IPv4/IPv6 static routing: port, subnet and VLAN routing
• DHCP: DHCPv4 relay; DHCPv4 server
• IPv4 dynamic routing: RIP
Performance
Model name: M4200-10MG-PoE+ (part number GSM4210P)
• Processor: CPU 800 MHz; 1GB RAM; 256MB Flash
• Packet buffer: 16Mb
• Table size: 16K MAC; 1K ARP/NDP
• Routing / switching capacity: 90 Gbps, line-rate
• Throughput: 66.9 Mpps
• Application route scaling: static: 32v4/32v6; RIP: 32
• Latency (64-byte frames): <2.8µs 1G RJ45; <7.2µs 2.5G RJ45; <5.7µs 5G RJ45; <0.9µs 10G SFP+
• ACLs: 50 ACLs; 512 rules per list; 16K ACL rules (ingress)
• Multicast IGMP group members: 1K IPv4; 1K IPv6
• VLANs: 1K VLANs
• DHCP server: 2K leases; IPv4: 256 pools
• sFlow: 10 samplers; 10 pollers; 8 receivers
Part number GSM4210P (M4200-10MG-PoE+):
• Rack mount kit
• Clamps
• Kit for mounting to a wall or to a round or rectangular pole
• Rubber straps
• Locking power cable
Features
The ProSAFE M4200-10MG-PoE+ managed switch was designed to optimize the installation of 11ac Wave 2 access points. It includes 8 multi-speed Gigabit and 2.5 Gigabit PoE+ ports for cable lengths of up to 100 meters. It can combine 2 10 Gigabit uplinks for a non-blocking deployment of eight 11ac Wave 2 access points. This Multi-Gigabit Ethernet switch is compatible with most Wi-Fi and switching vendors. It is the only one with eight 2.5G ports for connecting Wi-Fi access points and 2 10 Gigabit aggregation links for connections to the wiring closet. Its design and mounting accessories make it possible to optimize its positioning for connecting access points, and its efficiency.
Key characteristics
• 8 multi-speed 1G, 2.5G PoE+ ports combined with 2 10G SFP+ links
• Non-blocking deployment of 8 11ac Wave 2 access points thanks to a 240W PoE budget
• Two of these multi-speed 1G, 2.5G PoE+ ports also support 5G
• NBASE-T Multi-Gigabit Ethernet standard (basis for the future IEEE 802.3bz standard)
• 2.5 to 5 times faster over Cat5e / Cat6 cables of up to 100 meters - while offering backward compatibility with 100M and 1G
• Quiet operation at 25°C (28.9 dB) - can be positioned above desks, blends into ambient background noise
• Reliable positioning in suspended ceilings or in air ducts where other switches cannot be deployed. Vertical placement, horizontal placement on surfaces, or perpendicular placement
• Design offering easy mounting options, whether on a wall, on a round or square pole, or in a standard 19-inch rack
• Low latency and scalable table sizes with 16K MAC, 1K ARP / NDP, 1K VLANs, 32 routes (IPv4) and 32 routes (IPv6)
• SDN - OpenFlow 1.3 Ready - maximum investment protection
Software characteristics
• Advanced time-based classification for security and prioritization at Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports)
• Selectable Port-Channel / LAG (802.3ad - 802.1AX) L2 / L3 / L4 hashing for fault tolerance and load balancing with any type of Ethernet channeling
• Voice VLAN with SIP, H323 and SCCP protocol detection, automatic QoS and VLAN configuration for LLDP-MED IP phones
• Efficient authentication provisioning with DOT1X, MAB and captive portal methods for streamlined BYOD
• Full IPv4/IPv6 static routing and IPv4 dynamic routing including RIP
• Layer 2 multicast forwarding with IGMPv3 / MLDv2 Snooping and IGMPv2/MLDv1 Snooping Querier
• Advanced security including malicious code detection, DHCP Snooping, Dynamic ARP Inspection and DoS attack mitigation
Resilience and availability characteristics
• Link dependency, a new feature - enables or disables ports based on the link state of one or more different links
• Per-VLAN Spanning Tree and Per-VLAN Rapid Spanning Tree (PVST / PVST+) offer interoperability with PVST+ infrastructures
Management characteristics
• Innovative DHCP/BootP automatic installation including automatic download of the firmware and of the configuration file
• Selectable service port for out-of-band (OOB) Ethernet management
• Selectable RS232 serial port via serial RJ45 and mini-USB ports for local access to the administration console
• Standard USB port for local storage, logs, configuration files or image files
• Dual firmware and configuration management for updates with minimal service interruption.
• Command line interface (CLI) for IT administrators used to the command prompts of other vendors
• Fully functional web administration interface (GUI) for IT administrators who prefer easier-to-use graphical interfaces
• NMS300 unified management platform with centralized firmware updates and mass configuration support.
Warranty and support
• ProSAFE lifetime hardware warranty*
• Lifetime technical support
• Lifetime next-business-day on-site hardware replacement
Characteristics
8-port Multi-Gigabit switch with PoE+ on all ports
NBASE-T (based on the future IEEE 802.3bz standard) enables connection speeds 2.5 to 5 times faster over Cat5e/Cat6 cables (100 meters max)
L2, L3 and L4 switching features (access control lists, classification, filtering, IPv4 / IPv6 static routing, IPv4 dynamic routing) are performed in hardware at the interface for voice, video and data convergence.
Example of a redundant, wire-speed 8x2.5G 2x10G topology for a Wi-Fi deployment:
[Figure labels: 10G fiber uplink, LACP; stack of 2 M4300 10G switches, or M6100 chassis equipped with 2 10G blades; 2.5G PoE+ (copper); M4200 switches for the access layer; 11ac Wave 2 Wi-Fi access point]
• 8 Multi-Gigabit Ethernet 1G/2.5G BASE-T PoE+ ports - 8 x 30W = 240 Watts of total PoE budget
• 2 of the ports are 5G BASE-T capable
• No investment in a new cabling plan required
• 1000BASE-T backward compatibility
• Uplinks via 2 10G SFP+ ports to connect 8 11ac Wave 2 access points at 2.5G, with 2 10G aggregation links to the wiring closets
• 90Gbps non-blocking fabric for (6 x 2.5G) + (2 x 5G) + (2 x 10G) full-duplex operation
Unmatched flexibility
Easy rack mounting as well as mounting on rectangular and round poles or on walls
Reliable positioning in suspended ceilings or in air ducts where other switches cannot be deployed. Vertical placement, horizontal placement on surfaces, or perpendicular placement
Supplied with 4 self-adhesive rubber feet for installation on a flat surface (the feet protect against shocks and vibrations and leave a ventilation gap between stacked switches)
For wall and pole mounting, the switch comes with a mount onto which you can click-attach the switch by its back or by its bottom (flat or perpendicular)
The bracket provides a locking tab and the switch comes with a lockable power cord, for peace of mind when deploying in unconventional network environments.
Quiet operation at 25°C (28.9 dB) - can be positioned above desks, blends into ambient background noise
[Figure captions: standard rack mounting; wall mounting; round pole mounting; rectangular pole mounting]
Power cable lock and strap
Mount for installation outside the rack
The rear and bottom panels have mounting notches for attachment
10 cm clamps for round poles
Rubber strap for square poles
Best value switching performance
16K MAC address table, 1K concurrent VLANs and 32 (IPv4) 32 (IPv6) Layer 3 route table size for the access layer
Each switch provides line-rate local switching and routing capacity
80 PLUS certified power supplies for high energy efficiency
16 Mb packet buffer dynamically shared for intensive applications
Low latency at all network speeds, including 2.5 Gigabit, 5 Gigabit copper and 10 Gigabit fiber interfaces
Jumbo frames support of up to 9Kb accelerating storage performance for backup and cloud applications
iSCSI Flow Acceleration and Automatic Protection/QoS for virtualization and server room networks containing iSCSI initiators and iSCSI targets
• Detecting the establishment and termination of iSCSI sessions and connections by snooping packets used in the iSCSI protocol
• Maintaining a database of currently active iSCSI sessions and connections to store data, including classifier rules for desired QoS treatment
• Installing and removing classifier rule sets as needed for the iSCSI session traffic
• Monitoring activity in the iSCSI sessions to allow for aging out session entries if the session termination packets are not received
• Avoiding session interruptions during times of congestion that would otherwise cause iSCSI packets to be dropped
SDN-ready, M4200 OpenFlow feature enables the switch to be managed by a centralized OpenFlow Controller using the OpenFlow protocol
• Support of a single-table OpenFlow 1.3 data forwarding path
• The OpenFlow feature can be administratively enabled and disabled at any time
• The administrator can allow the switch to automatically assign an IP address to the OpenFlow feature or to specifically select which address should be used
• The administrator can also direct the OpenFlow feature to always use the service port (out-of-band management port)
• The Controller IP addresses are specified manually through the switch user interface
• The list of OpenFlow Controllers and the controller connection options are stored in the Controller Table
• The OpenFlow component in M4200 software uses this information to set up and maintain SSL connections with the OpenFlow Controllers
• M4200 implements a subset of the OpenFlow 1.0.0 protocol and a subset of the OpenFlow 1.3
• It also implements enhancements to the OpenFlow protocol to optimize it for the Data Center environment and to make it compatible with Open vSwitch
Access layer availability
Link Aggregation, also called Port Channeling or Port Trunking, offers powerful network redundancy and load balancing in aggregation to a dual network core
Rapid Spanning Tree (RSTP) and Multiple Spanning Tree (MSTP) allow for rapid transitioning of the ports to the Forwarding state and the suppression of Topology Change Notification
NETGEAR PVSTP implementation (CLI only) follows the same rules as other vendors' Per VLAN STP for strict interoperability
• Including industry-standard PVST+ interoperability
• PVSTP is similar to the MSTP protocol as defined by IEEE 802.1s, the main difference being PVSTP runs one instance per VLAN
• In other words, each configured VLAN runs an independent instance of PVSTP
• FastUplink feature immediately moves an alternate port with lowest cost to forwarding state when the root port goes down to reduce recovery time
• FastBackbone feature selects new indirect port when an indirect port fails
NETGEAR PVRSTP implementation (CLI only) follows the same rules as other vendors' Per VLAN RSTP for strict interoperability
• Including industry-standard RPVST+ interoperability
• PVRSTP is similar to the RSTP protocol as defined by IEEE 802.1w, the main difference being PVRSTP runs one instance per VLAN
• In other words, each configured VLAN runs an independent instance of PVRSTP
• Each PVRSTP instance elects a root bridge independent of the other
• Hence there are as many Root Bridges in the region as there are VLANs configured
• Per VLAN RSTP has built-in support for FastUplink and FastBackbone
IP address conflict detection performed by embedded DHCP servers prevents accidental IP address duplicates from perturbing the overall network stability
Ease of deployment
Automatic configuration with DHCP and BootP Auto Install eases large deployments with a scalable configuration files management capability, mapping IP addresses and host names and providing individual configuration files to multiple switches as soon as they are initialized on the network
Both the Switch Serial Number and Switch primary MAC address are reported by a simple "show" command in the CLI - facilitating discovery and remote configuration operations
M4200 DHCP L2 Relay agents eliminate the need to have a DHCP server on each physical network or subnet
• DHCP Relay agents process DHCP messages and generate new DHCP messages
• Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
• DHCP Relay agents are typically IP routing-aware devices and can be referred to as Layer 3 relay agents
Automatic Voice over IP prioritization with Auto-VoIP simplifies most complex multi-vendor IP telephone deployments either based on protocols (SIP, H323 and SCCP) or on OUI bytes (default database and user-based OUIs) in the phone source MAC address; providing the best class of service to VoIP streams (both data and signaling) over other ordinary traffic by classifying traffic, and enabling correct egress queue configuration
An associated Voice VLAN can be easily configured with Auto-VoIP for further traffic isolation
When deployed IP phones are LLDP-MED compliant, the Voice VLAN will use LLDP-MED to pass on the VLAN ID, 802.1P priority and DSCP values to the IP phones, accelerating convergent deployments
Versatile connectivity
8-port PoE+ full power and NBASE-T compliant, 1G / 2.5G including two of these ports with 5G ability
All 8-port NBASE-T are backward compatible with standard Gigabit Ethernet (1000BASE-T) and Fast Ethernet (100BASE-T) speeds
IEEE 802.3at Power over Ethernet Plus (PoE+) provides up to 30W power per port using 2 pairs while offering backward compatibility with 802.3af
• IEEE 802.3at Layer 2 LLDP method and 802.3at PoE+ 2-event classification method fully supported for compatibility with most PoE+ PD devices
2-port 10G SFP+ uplinks for 8x2.5G to the Wave 2 11ac Access Points and 2x10G line-rate aggregation to the wiring closet
Automatic MDIX and Auto-negotiation on all ports select the right transmission modes (half or full duplex) as well as data transmission for crossover or straight-through cables dynamically for the admin
Link Dependency feature enables or disables one or more ports based on the link state of one or more different ports
IPv6 support with multicasting (MLD for IPv6 filtering), static IPv6 routes (unicast), ACLs and QoS
Ease of management and granular control
Dual firmware image and dual configuration file for transparent firmware updates / configuration changes with minimum service interruption
Flexible Port-Channel/LAG (802.3ad - 802.1AX) implementation for maximum compatibility, fault tolerance and load sharing with any type of Ethernet channeling from other vendors' switch, server or storage devices conforming to IEEE 802.3ad - including static (selectable hashing algorithms) - or to IEEE 802.1AX with dynamic LAGs or port-channel (highly tunable LACP Link Aggregation Control Protocol)
Unidirectional Link Detection Protocol (UDLD) and Aggressive UDLD detect and avoid unidirectional links automatically, in order to prevent forwarding anomalies in a Layer 2 communication channel in which a bi-directional link stops passing traffic in one direction
Port names feature allows for descriptive names on all interfaces and better clarity in real world admin daily tasks
SDM (System Data Management, or switch database) templates allow for granular system resources distribution depending on IPv4 or IPv6 applications
• ARP Entries (the maximum number of entries in the IPv4 Address Resolution Protocol ARP cache for routing interfaces)
• IPv4 Unicast Routes (the maximum number of IPv4 unicast forwarding table entries)
• IPv6 NDP Entries (the maximum number of IPv6 Neighbor Discovery Protocol NDP cache entries)
• IPv6 Unicast Routes (the maximum number of IPv6 unicast forwarding table entries)
• ECMP Next Hops (the maximum number of next hops that can be installed in the IPv4 and IPv6 unicast forwarding tables)
Private VLANs and local Proxy ARP help reduce broadcast with added security
Management VLAN ID is user selectable for best convenience
Industry-standard VLAN management in the command line interface (CLI) for all common operations such as VLAN creation; VLAN names; VLAN “make static” for dynamically created VLAN by GVRP registration; VLAN trunking; VLAN participation as well as VLAN ID (PVID) and VLAN tagging for one interface, a group of interfaces or all interfaces at once
Simplified VLAN configuration with industry-standard Access Ports for 802.1Q unaware endpoints and Trunk Ports for switch-to-switch links with Native VLAN
System defaults automatically set per-port broadcast, multicast, and unicast storm control for typical, robust protection against DoS attacks and faulty clients which can, with BYOD, often create network and performance issues
IP Telephony administration is simplified with consistent Voice VLAN capabilities per the industry standards and automatic functions associated
Comprehensive set of “system utilities” and “Clear” commands help troubleshoot connectivity issues and restore various configurations to their factory defaults for maximum admin efficiency: traceroute (to discover the routes that packets actually take when traveling on a hop-by-hop basis and with a synchronous response when initiated from the CLI), clear dynamically learned MAC addresses, counters, IGMP snooping table entries from the Multicast forwarding database etc...
Syslog and Packet Captures can be sent to USB storage for rapid network troubleshooting
Replaceable factory-default configuration file for predictable network reset in distributed branch offices without IT personnel
All major centralized software distribution platforms are supported for central software upgrades and configuration files management (HTTP, TFTP), including in highly secured versions (HTTPS, SFTP, SCP)
Simple Network Time Protocol (SNTP) can be used to synchronize network resources and for adaptation of NTP, and can provide synchronized network timestamp either in broadcast or unicast mode (SNTP client implemented over UDP - port 123)
Embedded RMON (4 groups) and sFlow agents permit external network traffic analysis
Engineered for convergence
Audio (Voice over IP) and Video (multicasting) comprehensive switching, filtering, routing and prioritization
Auto-VoIP, Voice VLAN and LLDP-MED support for IP phones QoS and VLAN configuration
IGMP Snooping and Proxy for IPv4, MLD Snooping and Proxy for IPv6, and Querier mode facilitate fast receivers joins and leaves for multicast streams and ensure multicast traffic only reaches interested receivers everywhere in a Layer 2 or a Layer 3 network, including source-specific (SSM) and any-source (ASM) multicast
Multicast VLAN Registration (MVR) uses a dedicated Multicast VLAN to forward multicast streams and avoid duplication for clients in different VLANs
PoE power management and schedule enablement
Layer 3 routing package
Static Routes/ECMP Static Routes for IPv4 and IPv6
• Static and default routes are configurable with next IP address hops to any given destination
• Permitting additional routes creates several options for the network administrator
• The admin can configure multiple next hops to a given destination, intending for the router to load share across the next hops
• The admin distinguishes static routes by specifying a route preference value: a lower preference value is a more preferred static route
• A less preferred static route is used if the more preferred static route is unusable (down link, or next hop cannot be resolved to a MAC address)
• Preference option allows admin to control the preference of individual static routes relative to routes learned from other sources (such as OSPF) since a static route will be preferred over a dynamic route when routes from different sources have the same preference
Advanced Static Routing functions for administrative traffic control
• Static Reject Routes are configurable to control the traffic destined to a particular network so that it is not forwarded through the router
• Such traffic is discarded and the ICMP destination unreachable message is sent back to the source
• Static reject routes can be typically used to prevent routing loops
• Default routes are configurable as a preference option
In order to facilitate VLAN creation and VLAN routing using Web GUI, a VLAN Routing Wizard offers the following automated capabilities:
• Create a VLAN and generate a unique name for VLAN
• Add selected ports to the newly created VLAN and remove selected ports from the default VLAN
• Create a LAG, add selected ports to a LAG, then add this LAG to the newly created VLAN
• Enable tagging on selected ports if the port is in another VLAN
• Disable tagging if a selected port does not exist in another VLAN
• Exclude ports that are not selected from the VLAN
• Enable routing on the VLAN using the IP address and subnet mask entered as logical routing interface
DHCP Relay Agents relay DHCP requests from any routed interface, including VLANs, when DHCP server doesn’t reside on the same IP network or subnet
• The agent relays requests from a subnet without a DHCP server to a server or next-hop agent on another subnet
• Unlike a router which switches IP packets transparently, a DHCP relay agent processes DHCP messages and generates new DHCP messages
• Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
• Multiple Helper IPs feature allows configuring a DHCP relay agent with multiple DHCP server addresses per routing interface and using different server addresses for client packets arriving on different interfaces on the relay agent
Support of Routing Information Protocol (RIPv2) as a distance vector protocol specified in RFC 2453 for IPv4
• Each route is characterized by the number of gateways, or hops, a packet must traverse to reach its intended destination
• Categorized as an interior gateway protocol, RIP operates within the scope of an autonomous system
IP Multinetting allows configuring more than one IP address on a network interface (other vendors may call it IP Aliasing or Secondary Addressing)
ICMP Throttling feature adds configuration options for the transmission of various types of ICMP messages
• ICMP Redirects can be used by a malicious sender to perform man-in-the-middle attacks, or divert packets to a malicious monitor, or to cause Denial of Service (DoS) by blackholing the packets
• ICMP Echo Requests and other messages can be used to probe for vulnerable hosts or routers
• Rate limiting ICMP error messages protects the local router and the network from sending a large number of messages that take CPU and bandwidth
Enterprise security
Traffic control MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system in order to increase overall security and block MAC address flooding issues
DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are considered authorized in order to prevent DHCP server spoofing attacks
Dynamic ARP Inspection (IPv4) uses the DHCP snooping bindings database per port and per VLAN to drop incoming packets that do not match any binding and to enforce source IP / MAC addresses for malicious users traffic elimination
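The following added example (not NETGEAR code and not the switch's CLI) models how a DHCP snooping bindings database of (MAC address, IP address, VLAN ID, port) tuples feeds Dynamic ARP Inspection. Port names, VLAN IDs, MAC and IP addresses are constructed sample data, and the trusted/untrusted port split is an assumption of the model.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Toy model: DHCP snooping builds bindings, ARP inspection enforces them."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # assumed: uplinks toward the real server
        self.pending = {}                   # (vlan, mac) -> access port of the request
        self.bindings = {}                  # (vlan, mac) -> Binding
        self.drops = []                     # (reason, port) audit trail

    def _drop(self, reason, port):
        self.drops.append((reason, port))
        return False

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """Process one snooped DHCP message; return True if it is forwarded."""
        key = (vlan, client_mac.lower())
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                # A server reply arriving on an access port: spoofed DHCP server.
                return self._drop("dhcp-server-message-on-untrusted-port", port)
            if msg == "ACK" and key in self.pending:
                self.bindings[key] = Binding(key[1], ip, vlan, self.pending.pop(key))
            return True
        if msg == "RELEASE":
            bound = self.bindings.get(key)
            if bound is not None and bound.port != port:
                return self._drop("dhcp-release-from-wrong-port", port)
            self.bindings.pop(key, None)
            return True
        # DISCOVER / REQUEST: remember which access port the client sits on.
        if port not in self.trusted:
            self.pending[key] = port
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: forward only ARP that matches a binding."""
        if port in self.trusted:
            return True
        bound = self.bindings.get((vlan, sender_mac.lower()))
        if bound is None:
            return self._drop("arp-no-binding", port)
        if bound.ip != sender_ip or bound.port != port:
            return self._drop("arp-binding-mismatch", port)
        return True


def run_demo():
    """Replay constructed traffic and return the switch plus forward decisions."""
    sw = SnoopingSwitch(trusted_ports={"uplink1"})
    client = "AA:BB:CC:00:00:10"            # constructed client MAC
    other = "aa:bb:cc:00:00:66"             # constructed MAC with no lease
    results = [
        sw.dhcp("port3", 10, "REQUEST", client),
        sw.dhcp("port5", 10, "OFFER", client, "192.0.2.200"),  # reply from access port
        sw.dhcp("uplink1", 10, "ACK", client, "192.0.2.10"),   # creates the binding
        sw.arp("port3", 10, client, "192.0.2.10"),             # matches the binding
        sw.arp("port5", 10, other, "192.0.2.1"),               # no binding at all
        sw.arp("port5", 10, client, "192.0.2.10"),             # right pair, wrong port
        sw.arp("port3", 10, client, "192.0.2.1"),              # bound MAC, other IP
        sw.dhcp("port5", 10, "RELEASE", client),               # release from wrong port
    ]
    return sw, results


if __name__ == "__main__":
    switch, decisions = run_demo()
    print(decisions)
    for reason, port in switch.drops:
        print(f"dropped on {port}: {reason}")
```

The `drops` list is the part worth exporting to Syslog in a real deployment: each entry names the port where a mismatching packet entered.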
Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be binded to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation
Groups or Port channel) for fast unauthorized data prevention and right granularity
For in-band switch management, management ACLs on CPU interface (Control Plane ACLs) are used to defi ne the IP/MAC or protocol through which management
access is allowed for increased HTTP/HTTPS or Telnet/SSH management security
Out-of-band management is available via dedicated service port (1G RJ45 OOB) when in-band management can be prohibited via management ACLs
Bridge protocol data unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent
and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to infl uence the overall STP by creating loops
Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing rogue root bridges potential issues when for instance, unauthorized or unexpected new equipment in the network may accidentally become a root bridge for a given VLAN
Dynamic 802.1x VLAN assignment mode, including
Dynamic VLAN creation mode and Guest VLAN /
Unauthenticated VLAN are supported for rigorous user
and equipment RADIUS policy server enforcement
802.1x MAC Address Authentication Bypass (MAB)
is a supplemental authentication mechanism that lets
non-802.1x devices bypass the traditional 802.1x
process altogether, letting them authenticate to the
network using their client MAC address as an identifi er
With Successive Tiering, the Authentication Manager
allows for authentication methods per port for a Tiered
Authentication based on confi gured time-outs
Double VLANs (DVLAN - QinQ) pass tra c from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are
preserved and a service provider VLAN ID is added to the tra c so the tra c can pass the metro core in a simple, secure manner
Private VLANs (with Primary VLAN, Isolated VLAN,
Community VLAN, Promiscuous port, Host port,
Trunks) provide Layer 2 isolation between ports that
share the same broadcast domain, allowing a VLAN
broadcast domain to be partitioned into smaller point-to-multipoint subdomains across switches in the
same Layer 2 network
Secure Shell (SSH) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured
• Up to 48 clients (802.1x) per port are supported, including the authentication of the users domain, in
order to facilitate convergent deployments. For instance when IP phones connect PCs on their bridge, IP
phones and PCs can authenticate on the same switch port but under different VLAN assignment policies
(Voice VLAN versus other Production VLANs)
• A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purpose
• MAB can be configured on a per-port basis on the switch
• MAB initiates after an unsuccessful dot1x authentication process (configurable time-out), when clients don’t
respond to any of the EAPOL packets
• When 802.1X unaware clients try to connect, the switch sends the MAC address of each client to the
authentication server
• The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
• The RADIUS server returns the access policy and VLAN assignment to the switch for each client
• In the default configuration, authentication methods are tried in this order: Dot1x, then MAB, then Captive
Portal (web authentication)
• With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies
– For instance, when a client is connecting, M4200 tries to authenticate the user/client using the three
methods above, one after the other
• The admin can restrict the configuration such that no other method is allowed to follow the captive portal
method, for instance
• Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but
need to communicate with a router
• They remove the need for more complex port-based VLANs with respective IP interface/subnets and
associated L3 routing
• Another typical application of Private VLANs is carrier-class deployments where users shouldn’t see, snoop
or attack other users’ traffic
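The tiered authentication order described above (Dot1x, then MAB, then Captive Portal) can be modelled as follows. This is an added example, not NETGEAR code: the policy tables, class and function names are constructed, and it assumes that both a time-out and a reject move the port on to the next method.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed RADIUS-side policy (not from the datasheet): identity -> VLAN.
DOT1X_USERS = {("alice", "correct-horse"): 10}      # production VLAN
# MAB identifies a device by its MAC address alone, so map it to a restricted VLAN.
MAB_ALLOWLIST = {"00:11:22:33:44:55": 20}
PORTAL_USERS = {("guest", "welcome"): 99}           # guest VLAN

DEFAULT_ORDER = ("dot1x", "mab", "captive-portal")  # default order per the datasheet

@dataclass
class Client:
    mac: str
    dot1x_creds: Optional[tuple] = None   # None: client never answers EAPOL
    portal_creds: Optional[tuple] = None  # None: nobody logs in on the portal

def try_method(method, client):
    """Return (outcome, vlan); outcome is 'accept', 'reject' or 'timeout'."""
    if method == "dot1x":
        if client.dot1x_creds is None:
            return "timeout", None        # no EAPOL response before the time-out
        vlan = DOT1X_USERS.get(client.dot1x_creds)
    elif method == "mab":
        # The switch sends the client MAC; RADIUS checks it against its list.
        vlan = MAB_ALLOWLIST.get(client.mac.lower())
    elif method == "captive-portal":
        if client.portal_creds is None:
            return "timeout", None
        vlan = PORTAL_USERS.get(client.portal_creds)
    else:
        raise ValueError(f"unknown method {method!r}")
    return ("accept", vlan) if vlan is not None else ("reject", None)

def authenticate(client, order=DEFAULT_ORDER, portal_last=True):
    """Try each method in order; return (method, vlan, trace)."""
    if portal_last and "captive-portal" in order[:-1]:
        raise ValueError("no method may follow captive-portal")
    trace = []
    for method in order:
        outcome, vlan = try_method(method, client)
        trace.append((method, outcome))
        if outcome == "accept":
            return method, vlan, trace
    return None, None, trace              # every tier failed: port stays unauthorized
```

The returned trace is the per-port sequence worth logging: a device that lands on MAB or the portal only after a Dot1x time-out is visible as such.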
TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch configuration, based on
latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP
and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
Superior quality of service
Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
8 queues for priorities and various QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
Advanced rate limiting down to 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with ACLs for best granularity
Single Rate Policing feature enables support for Single
Rate Policer as defined by RFC 2697
Automatic Voice over IP prioritization with protocol-based (SIP, H323 and SCCP) or OUI-based Auto-VoIP up to 144 simultaneous voice calls
iSCSI Flow Acceleration and automatic protection / QoS with Auto-iSCSI
• Committed Information Rate (average allowable rate for the class)
• Committed Burst Size (maximum amount of contiguous packets for the class)
• Excessive Burst Size (additional burst size for the class with credits refill at a slower rate than committed
burst size)
• DiffServ feature applied to class maps
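How the three Single Rate Policer parameters above interact is easiest to see in code. The following is an added example, not NETGEAR's implementation: it follows the color-blind marker of RFC 2697, and the class name, rates and packet arrivals are constructed.

```python
class SingleRatePolicer:
    """Color-blind single rate three color marker, after RFC 2697."""

    def __init__(self, cir, cbs, ebs):
        self.cir = cir    # Committed Information Rate, bytes per second
        self.cbs = cbs    # Committed Burst Size, bytes
        self.ebs = ebs    # Excess ("Excessive") Burst Size, bytes
        self.tc = cbs     # committed bucket starts full
        self.te = ebs     # excess bucket starts full
        self.last = 0     # time of the previous update, seconds

    def _refill(self, now):
        # Tokens arrive at CIR; the excess bucket only receives what the
        # committed bucket cannot hold because it is already full.
        tokens = (now - self.last) * self.cir
        self.last = now
        to_committed = min(tokens, self.cbs - self.tc)
        self.tc += to_committed
        self.te = min(self.ebs, self.te + tokens - to_committed)

    def mark(self, now, size):
        """Return the color for a packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if self.tc >= size:       # within the committed burst
            self.tc -= size
            return "green"
        if self.te >= size:       # within the excess burst
            self.te -= size
            return "yellow"
        return "red"              # exceeds both: typically dropped

def run_demo():
    # Constructed traffic: five 1000-byte packets back to back at t=0,
    # one at t=1 s and two at t=3 s.
    policer = SingleRatePolicer(cir=1000, cbs=1500, ebs=3000)
    arrivals = [0, 0, 0, 0, 0, 1, 3, 3]
    return [policer.mark(t, 1000) for t in arrivals]
```
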
Flow Control
802.3x Flow Control implementation per IEEE 802.3
Annex 31B specifications with Symmetric flow
control, Asymmetric flow control or No flow control
Allows traffic from one device to be throttled for a
specified period of time: a device that wishes to inhibit
transmission of data frames from another device on
the LAN transmits a PAUSE frame
• Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot
generate PAUSE frames
• Symmetric flow control allows the switch to both respond to, and generate MAC control PAUSE frames
• A device that wishes to inhibit transmission of data frames from another device on the LAN transmits a
PAUSE frame
UDLD Support
UDLD implementation detects unidirectional links on
physical ports (UDLD must be enabled on both sides
of the link in order to detect a unidirectional link)
Both “normal-mode” and “aggressive-mode” are supported for perfect compatibility with other vendors’ implementations, including port “D-Disable” triggering cases in
both modes
• UDLD protocol operates by exchanging packets containing information about neighboring devices
• The purpose is to detect and avoid unidirectional link forwarding anomalies in a Layer 2 communication
channel