NETGEAR M4200-10MG-PoE+
ProSAFE Intelligent Edge Managed Switch
Sorry, this product is no longer available, please contact us for a replacement.
Overview:
The world’s first Multigigabit Ethernet switch with eight full power PoE+ and multi-speed 1G, 2.5G ports combined with two 10G uplinks for a fully non-blocking deployment of eight Wave 2 11ac access points from any vendor.
The ProSAFE M4200 Switch Series delivers a unique, effective solution for Wave 2 802.11ac deployments. The M4200 is the first 8x2.5G Multi-Gigabit switch with full PoE+ provision on all ports and 2x10G line-rate aggregation to the wiring closet. Plenum rated, slim design and mounting accessories allow for access point placement optimization and cabling efficiency even in nontraditional networking environments. The L3 feature set includes static routing and RIP dynamic routing. The NETGEAR M4200 is ready for the future, with Software-defined Network (SDN) and OpenFlow 1.3 enabled for your network.
The ProSAFE M4200-10MG-PoE+ Managed Switch was designed from the ground up to optimize the installation of Wave 2 11ac access points. It includes eight full power PoE+ and multi-speed 1G, 2.5G ports for 100 meter legacy cable runs, combined with two 10G uplinks for a fully non-blocking deployment of eight Wave 2 11ac access points. Two of these eight 1G, 2.5G PoE+ ports also support 5G speed. NETGEAR Multigigabit Ethernet is compatible with most major wireless and switching vendors’ managed solutions, and is the only one with 8x2.5G to the AP with 240W PoE available and 2x10G line-rate aggregation to the wiring closet. Plenum rated, slim design and mounting accessories allow you to place this switch to optimize access point placement and cabling efficiency, inside and outside the rack.
NETGEAR Intelligent Edge Switch solutions combine latest advances in hardware and software engineering for higher flexibility, lower complexity and stronger investment protection, at a high-value price point.
Multi-Gigabit Ethernet
- The ProSAFE M4200-10MG-PoE+ comes with NBASE-T compliant 1G/2.5G/5G ports and 8 x 2.5G / 2 x 10G wire speed aggregation
- That is, a purely line-rate access layer for 802.11ac wireless access points with PoE+ full provisioning, and ready for Wave2 3x3 and 4x4 installations
Higher flexibility
- Plenum design with Easy Mount options whether it’s directly on a wall, attached to a rectangular or round pole, or mounted in a standard 19-inch rack
- Secure placement above drop-down ceilings, in air passageways and where other switches will not go, vertical or horizontal, flat or perpendicular
Lower complexity
- Entire feature set including L2 switching (multi-tiered access control, auto-VoIP, auto-iSCSI) and L3 routing (static or RIP) is available without a license
- DHCP/BootP innovative auto-installation including firmware and configuration file upload automation
Investment protection
- Multi-Gigabit NBASE-T enables 2.5X to 5X faster speeds up to 100m on legacy Cat5e/Cat6 cables while providing 100M and 1G backward compatibility
- Even if an organization is not ready for SDN, OpenFlow support offers future-ready design for maximum investment protection
Secure services
- With successive tiering, the Authentication Manager allows for authentication methods per port for a tiered authentication based on configured time-outs
- With BYOD, tiered Dot1x -> MAB -> Captive Portal authentication is powerful and simple to implement with strict policies
Industry standard management
- Industry standard command line interface (CLI), functional NETGEAR web interface (GUI), SNMP, sFlow and RSPAN
- Single-pane-of-glass NMS300 management platform with centralized firmware updates and mass-configuration support
Industry leading warranty
- NETGEAR M4200 series is covered under NETGEAR ProSAFE Lifetime Hardware Warranty*
- 90 days of Technical Support via phone and email, Lifetime Technical Support through online chat and Lifetime Next Business Day hardware replacement
Features:
Key Features
- 1G, 2.5G and 5G NBASE-T compliant access layer in campus LAN and midsize organizations networks
- Line-rate 8 x 2.5G access layer and 2 x 10G aggregation for 802.11ac wireless access points with PoE+ full provisioning
- Advanced Layer 2, Layer 3 and Layer 4 feature set including static routing and RIP dynamic routing
- Multi-Gigabit NBASE-T enables 2.5X to 5X faster speeds up to 100m on legacy Cat5e/Cat6 cables - yet providing 100M and 1G backward compatibility
- Whisper quiet 28.9dB acoustics when operating at 25°C (77°F), well below normal office ambient background noise
- Secure placement above drop-down ceilings, in air passageways and where other switches will not go, vertical or horizontal, flat or perpendicular
- Easy Mount options whether it's directly on a wall, attached to a rectangular or round pole, or mounted in a standard 19-inch rack
- PoE+ (30 watts per port) across all (8) Multi-Gigabit access ports with 240W budget
- Low latency and scalable table size with 16K MAC, 1K ARP/NDP, 1K VLANs, 64 routes
- SDN-Ready OpenFlow 1.3 support for maximum investment protection
Software
- Advanced classifier-based, time-based hardware implementation for L2 (MAC), L3 (IP) and L4 (UDP/TCP transport ports) security and prioritization
- Selectable Port-Channel / LAG (802.3ad - 802.1AX) L2/L3/L4 hashing for fault tolerance and load sharing with any type of Ethernet channeling
- Voice VLAN with SIP, H323 and SCCP protocols detection and LLDP-MED IP phones automatic QoS and VLAN configuration
- Efficient authentication tiering with successive DOT1X, MAB and Captive Portal methods for streamlined BYOD
- Comprehensive IPv4/IPv6 static and IPv4 dynamic routing including RIP
- Layer 2 multicast forwarding with IGMPv3/MLDv2 Snooping and IGMPv2/MLDv1 Snooping Querier
- Advanced security including malicious code detection, DHCP Snooping, Dynamic ARP Inspection and DoS attacks mitigation
- Innovative multi-vendor Auto-iSCSI capabilities for easier virtualization optimization
Availability
- The new Link Dependency feature enables or disables ports based on the link state of different ports
- Per VLAN Spanning Tree and Per VLAN Rapid Spanning Tree (PVSTP/PVRSTP) offer interoperability with PVST+ infrastructures
Management
- DHCP/BootP innovative auto-installation including firmware and configuration file upload automation
- Industry standard SNMP, RMON, MIB, LLDP, AAA, sFlow and RSPAN remote mirroring implementation
- Service port for out-of-band Ethernet management (OOB)
- Standard RS232 straight-through serial RJ45 and Mini-USB ports for local management console
- Standard USB port for local storage, logs, configuration or image files
- Dual firmware image and configuration file for updates with minimum service interruption
- Industry standard command line interface (CLI) for IT admins used to other vendors’ commands
- Fully functional Web console (GUI) for IT admins who prefer an easy to use graphical interface
- Single-pane-of-glass NMS300 management platform with mass-configuration support
NETGEAR Warranty
- This product is backed by a NETGEAR ProSAFE Lifetime Hardware Warranty.
- Lifetime Next Business Day Hardware Replacement.
- ProSUPPORT 24x7 Advanced Technical Support via phone for 90 days (Remote diagnostics performed by our technical experts for prompt resolution of technical issues). ProSUPPORT coverage can be extended by purchasing one, three, or five year contracts.
- ProSUPPORT Lifetime 24x7 Advanced Technical Support via chat. (Remote diagnostics performed by our technical experts for prompt resolution of technical issues).
At a Glance:
Hardware at a glance

Model name | Form-Factor | Switching Fabric | 100/1000/2.5GBASE-T RJ45 ports (front) | 100/1000/2.5G/5GBASE-T RJ45 ports (front) | 1000/10GBASE-X SFP+ ports (front) | PSU (side) | Fans (side) | Out-of-band Console (management) |
---|---|---|---|---|---|---|---|---|
M4200-10MG-PoE+ | Full width, 1U rack mount, 3.9 in (10 cm) deep | 90 Gbps | 6 ports, PoE+, 100M / 1G / 2.5G (240W PoE budget; 8-port Multigigabit with PoE+ full provisioning) | 2 ports, PoE+, 100M / 1G / 2.5G / 5G (240W PoE budget; 8-port Multigigabit with PoE+ full provisioning) | 2 ports, 1G / 10G | Internal | Fixed, side-to-side, 28.9dB low acoustics | - |
Software at a glance

Layer 3 Package

Model name | Management | Usability Enhancements | IPv4/IPv6 ACL and QoS, DiffServ | IPv4/IPv6 Multicast filtering | IPv4/IPv6 Policing and Convergence | Spanning Tree; Green Ethernet |
---|---|---|---|---|---|---|
M4200-10MG-PoE+ | Out-of-band; Web GUI; HTTPS; CLI; Telnet; SSH; SNMP, MIBs; RSPAN; RADIUS users, TACACS+ | Link Dependency (enable or disable one or more ports based on the link state of one or more different ports); Syslog and packet captures can be sent to USB storage | Ingress 1 Kbps shaping; time-based; Single Rate Policing | IGMPv3/MLDv2 Snooping; IGMPv1, v2 and MLDv1 Snooping Querier; Control Packet Flooding | Auto-VoIP; Auto-iSCSI; LLDP-MED | STP, MTP, RSTP, PV(R)STP; BPDU/STRG Root Guard; EEE (802.3az) |

Model name | VLANs | Trunking, Port Channel | IPv4/IPv6 Authentication, Security | IPv4/IPv6 Static Routing | IPv4 Dynamic Routing |
---|---|---|---|---|---|
M4200-10MG-PoE+ | Static, Dynamic, Voice, MAC; GVRP/GMRP; QinQ, Private VLANs | Static or Dynamic LACP; seven (7) L2/L3/L4 hashing algorithms | Successive Tiering (DOT1X; MAB; Captive Portal); DHCP Snooping; IPv4: Dynamic ARP Inspection | IPv4/IPv6 Port, Subnet, VLAN routing; DHCPv4 Relay; DHCPv4 Server | IPv4: RIP |
Performance at a Glance

Table Size

Model name | MAC, ARP/NDP | Routing / Switching Capacity | Throughput | Application Route Scaling | Packet Buffer | Latency |
---|---|---|---|---|---|---|
M4200-10MG-PoE+ | 16K MAC; 1K ARP/NDP | 90 Gbps line-rate | 66.9 Mpps | Static: 32 IPv4 / 32 IPv6; RIP: 32 | 16 Mb | 64-byte frames: <2.8 µs (1G RJ45), <7.2 µs (2.5G RJ45), <5.7 µs (5G RJ45), <0.9 µs (10G SFP+) |

Model name | ACLs | Multicast IGMP Group membership | CPU | VLANs | DHCP | sFlow |
---|---|---|---|---|---|---|
M4200-10MG-PoE+ | 50 ACLs; 512 rules per list; 16K ACL rules (ingress) | 1K IPv4; 1K IPv6 | 800 MHz CPU; 1 GB RAM; 256 MB Flash | 1K VLANs | DHCP Server: 2K leases; IPv4: 256 pools | 10 samplers; 10 pollers; 8 receivers |
Deployment:
Target Application
Wave 2 11ac Access Point deployment
M4200 is the world’s first Multigigabit Ethernet switch with eight full power PoE+ and multi-speed 1G, 2.5G ports combined with two 10G uplinks for a fully non-blocking deployment of eight Wave 2 11ac access points from any vendor.
Building 1: Wireless Access Layer
- With Wave 2 802.11ac, wired networks need to expand their reach and scope to support speeds greater than 1 Gigabit
- In addition, power-constrained environments can benefit from full power PoE+ to support access points in a range of environments
- The M4200-10MG-PoE+ was designed from the ground up to optimize the installation of Wave 2 11ac access points
- With 8 x 2.5G to the APs and 2 x 10G line rate aggregation, M4200 connects redundantly and directly to an M6100 core chassis
- The two SFP+ uplinks connect to two different 10G blades using link aggregation (L2/ L3/L4 LACP) with load-balancing and failover
- M6100 management unit hitless failover and nonstop forwarding ensure no single point of failure
- Using LACP in aggregation to this redundant core, M4200 allows for wire-speed wireless access layer, with PoE+ full provisioning
Building 2: M4300 and M4200 Distribution and Wireless Access Layer
- In this warehouse, two half-width M4300 10GbE models are paired in a single rack space for a redundant distribution layer
- Compared with a single aggregation switch, such two-unit horizontal stacking is cost-effective yet highly efficient for HA
- Management unit hitless failover and nonstop forwarding ensure no single point of failure for M4200 access switches
- Every M4200 can connect to both redundant distribution switches using link aggregation (L2/L3/L4 LACP) with load-balancing and failover
- When too far from the wiring closet, distant M4200 switches are securely mounted on poles across the warehouse
- This redundant topology allows for wire-speed 8x2.5G wireless access layer, with PoE+ full provisioning
Specifications:
NETGEAR M4200-10MG-PoE-Plus Specifications | |
---|---|
Acoustics | Whisper quiet 28.9dB @ 25°C (77°F) |
Power Consumption (Max) | 281.6 Watts @ full PoE+ |
RJ45 Ports | 8 x 1G / 2.5G, including two of these ports with 5Gbps capability |
10G Fiber SFP+ Ports | 2 x SFP+ (1G and 10G speeds) |
Power over Ethernet | 8 x PoE+ 30W ports |
PoE Budget (Watts) | 240W |
Feature Set | Layer 3 (static routing and RIP dynamic routing) |
Management Ports | |
Form Factor | Easy Mount for standard rack mounting and plenum mounting on poles or walls |
Warranty and Support | |
ProSAFE Lifetime Warranty | Included, lifetime |
Lifetime Technical Support through online chat | Included, lifetime |
Lifetime Next Business Day hardware replacement | Included, lifetime |
Unrivalled flexibility
- Easy Mount allows for standard rack mounting as well as plenum mounting on rectangular and round poles, or walls
- Secure placement above drop-down ceilings, in air passageways and where other switches will not go, vertical or horizontal, flat or perpendicular
- Ships with four self-adhesive rubber footpads for installation on a flat surface (cushion against shock and vibrations; ventilation space between stacked switches)
- For walls and poles, the switch ships with a mount to which you can click-attach the back or the bottom of the switch (flat or perpendicular)
- The mount provides a locking tab and the switch comes with a power cord locker for additional peace of mind in nontraditional networking environments
- Whisper quiet 28.9dB acoustics when operating at 25°C (77°F), well below normal office ambient background noise
Best value switching performance
- 16K MAC address table, 1K concurrent VLANs and 32 (IPv4) 32 (IPv6) Layer 3 route table size for the access layer
- Each switch provides line-rate local switching and routing capacity
- 80 PLUS certified power supplies for high energy efficiency
- 16 Mb packet buffer dynamically shared for intensive applications
- Low latency at all network speeds, including 2.5 Gigabit, 5 Gigabit copper and 10 Gigabit fiber interfaces
- Jumbo frame support of up to 9Kb, accelerating storage performance for backup and cloud applications
- iSCSI Flow Acceleration and Automatic Protection/QoS for virtualization and server room networks containing iSCSI initiators and iSCSI targets
- Detecting the establishment and termination of iSCSI sessions and connections by snooping packets used in the iSCSI protocol
- Maintaining a database of currently active iSCSI sessions and connections to store data, including classifier rules for desired QoS treatment
- Installing and removing classifier rule sets as needed for the iSCSI session traffic
- Monitoring activity in the iSCSI sessions to allow for aging out session entries if the session termination packets are not received
- Avoiding session interruptions during times of congestion that would otherwise cause iSCSI packets to be dropped
- SDN-ready: the M4200 OpenFlow feature enables the switch to be managed by a centralized OpenFlow Controller using the OpenFlow protocol
- Support of a single-table OpenFlow 1.3 data forwarding path
- The OpenFlow feature can be administratively enabled and disabled at any time
- The administrator can allow the switch to automatically assign an IP address to the OpenFlow feature or to specifically select which address should be used
- The administrator can also direct the OpenFlow feature to always use the service port (out-of-band management port)
- The Controller IP addresses are specified manually through the switch user interface
- The list of OpenFlow Controllers and the controller connection options are stored in the Controller Table
- The OpenFlow component in M4200 software uses this information to set up and maintain SSL connections with the OpenFlow Controllers
- M4200 implements a subset of the OpenFlow 1.0.0 protocol and a subset of the OpenFlow 1.3
- It also implements enhancements to the OpenFlow protocol to optimize it for the Data Center environment and to make it compatible with Open vSwitch
Ease of deployment
- Automatic configuration with DHCP and BootP Auto Install eases large deployments with a scalable configuration file management capability, mapping IP addresses and host names and providing individual configuration files to multiple switches as soon as they are initialized on the network
- Both the Switch Serial Number and Switch primary MAC address are reported by a simple "show" command in the CLI - facilitating discovery and remote configuration operations
- M4200 DHCP L2 Relay agents eliminate the need to have a DHCP server on each physical network or subnet
- DHCP Relay agents process DHCP messages and generate new DHCP messages
- Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
- DHCP Relay agents are typically IP routing-aware devices and can be referred to as Layer 3 relay agents
- Automatic Voice over IP prioritization with Auto-VoIP simplifies the most complex multi-vendor IP telephone deployments, either based on protocols (SIP, H323 and SCCP) or on OUI bytes (default database and user-based OUIs) in the phone source MAC address; it provides the best class of service to VoIP streams (both data and signaling) over other ordinary traffic by classifying traffic and enabling correct egress queue configuration
- An associated Voice VLAN can be easily configured with Auto-VoIP for further traffic isolation
- When deployed IP phones are LLDP-MED compliant, the Voice VLAN will use LLDP-MED to pass on the VLAN ID, 802.1P priority and DSCP values to the IP phones, accelerating convergent deployments
Versatile connectivity
- 8-port PoE+ full power and NBASE-T compliant, 1G / 2.5G including two of these ports with 5G ability
- All 8 NBASE-T ports are backward compatible with standard Gigabit Ethernet (1000BASE-T) and Fast Ethernet (100BASE-T) speeds
- IEEE 802.3at Power over Ethernet Plus (PoE+) provides up to 30W power per port using 2 pairs while offering backward compatibility with 802.3af
- IEEE 802.3at Layer 2 LLDP method and 802.3at PoE+ 2-event classification method fully supported for compatibility with most PoE+ PD devices
- 2-port 10G SFP+ uplinks for 8x2.5G to the Wave 2 11ac Access Points and 2x10G line-rate aggregation to the wiring closet
- Auto-MDIX and auto-negotiation on all ports dynamically select the right transmission mode (half or full duplex) and adapt to crossover or straight-through cables, without admin intervention
- The Link Dependency feature enables or disables one or more ports based on the link state of one or more different ports
- IPv6 support with multicasting (MLD for IPv6 filtering), static IPv6 routes (unicast), ACLs and QoS
Ease of management and granular control
- Dual firmware image and dual configuration file for transparent firmware updates / configuration changes with minimum service interruption
- Flexible Port-Channel/LAG (802.3ad - 802.1AX) implementation for maximum compatibility, fault tolerance and load sharing with any type of Ethernet channeling from other vendors’ switch, server or storage devices conforming to IEEE 802.3ad - including static (selectable hashing algorithms) - or to IEEE 802.1AX with dynamic LAGs or port-channel (highly tunable LACP, Link Aggregation Control Protocol)
- Unidirectional Link Detection Protocol (UDLD) and Aggressive UDLD detect and avoid unidirectional links automatically, in order to prevent forwarding anomalies in a Layer 2 communication channel in which a bi-directional link stops passing traffic in one direction
- The Port names feature allows for descriptive names on all interfaces and better clarity in real world admin daily tasks
- SDM (System Data Management, or switch database) templates allow for granular system resources distribution depending on IPv4 or IPv6 applications
- ARP Entries (the maximum number of entries in the IPv4 Address Resolution Protocol ARP cache for routing interfaces)
- IPv4 Unicast Routes (the maximum number of IPv4 unicast forwarding table entries)
- IPv6 NDP Entries (the maximum number of IPv6 Neighbor Discovery Protocol NDP cache entries)
- IPv6 Unicast Routes (the maximum number of IPv6 unicast forwarding table entries)
- ECMP Next Hops (the maximum number of next hops that can be installed in the IPv4 and IPv6 unicast forwarding tables)
- Private VLANs and local Proxy ARP help reduce broadcast with added security
- Management VLAN ID is user selectable for best convenience
- Industry-standard VLAN management in the command line interface (CLI) for all common operations such as VLAN creation; VLAN names; VLAN “make static” for dynamically created VLAN by GVRP registration; VLAN trunking; VLAN participation as well as VLAN ID (PVID) and VLAN tagging for one interface, a group of interfaces or all interfaces at once
- Simplified VLAN configuration with industry-standard Access Ports for 802.1Q unaware endpoints and Trunk Ports for switch-to-switch links with Native VLAN
- System defaults automatically set per-port broadcast, multicast, and unicast storm control for typical, robust protection against DoS attacks and faulty clients which can, with BYOD, often create network and performance issues
- IP Telephony administration is simplified with consistent Voice VLAN capabilities per the industry standards and automatic functions associated
- Comprehensive set of “system utilities” and “Clear” commands help troubleshoot connectivity issues and restore various configurations to their factory defaults for maximum admin efficiency: traceroute (to discover the routes that packets actually take when traveling on a hop-by-hop basis and with a synchronous response when initiated from the CLI), clear dynamically learned MAC addresses, counters, IGMP snooping table entries from the Multicast forwarding database etc...
- Syslog and Packet Captures can be sent to USB storage for rapid network troubleshooting
- Replaceable factory-default configuration file for predictable network reset in distributed branch offices without IT personnel
- All major centralized software distribution platforms are supported for central software upgrades and configuration files management (HTTP, TFTP), including in highly secured versions (HTTPS, SFTP, SCP)
- Simple Network Time Protocol (SNTP), an adaptation of NTP, can be used to synchronize network resources and provides synchronized network timestamps in either broadcast or unicast mode (SNTP client implemented over UDP port 123)
- Embedded RMON (4 groups) and sFlow agents permit external network traffic analysis
Engineered for convergence
- Audio (Voice over IP) and Video (multicasting) comprehensive switching, filtering, routing and prioritization
- Auto-VoIP, Voice VLAN and LLDP-MED support for IP phones QoS and VLAN configuration
- IGMP Snooping and Proxy for IPv4, MLD Snooping and Proxy for IPv6, and Querier mode facilitate fast receiver joins and leaves for multicast streams and ensure multicast traffic only reaches interested receivers everywhere in a Layer 2 or a Layer 3 network, including source-specific (SSM) and any-source (ASM) multicast
- Multicast VLAN Registration (MVR) uses a dedicated Multicast VLAN to forward multicast streams and avoid duplication for clients in different VLANs
- PoE power management and schedule enablement
Flow Control
- 802.3x Flow Control implementation per IEEE 802.3 Annex 31B specifications with Symmetric flow control, Asymmetric flow control or No flow control
- Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot generate PAUSE frames
- Symmetric flow control allows the switch to both respond to, and generate MAC control PAUSE frames
- Allows traffic from one device to be throttled for a specified period of time: a device that wishes to inhibit transmission of data frames from another device on the LAN transmits a PAUSE frame
Layer 3 routing package
- Static Routes/ECMP Static Routes for IPv4 and IPv6
- Static and default routes are configurable with next IP address hops to any given destination
- Permitting additional routes creates several options for the network administrator
- The admin can configure multiple next hops to a given destination, intending for the router to load share across the next hops
- The admin distinguishes static routes by specifying a route preference value: a lower preference value is a more preferred static route
- A less preferred static route is used if the more preferred static route is unusable (down link, or next hop cannot be resolved to a MAC address)
- Preference option allows admin to control the preference of individual static routes relative to routes learned from other sources (such as OSPF) since a static route will be preferred over a dynamic route when routes from different sources have the same preference
- Advanced Static Routing functions for administrative traffic control
- Static Reject Routes are configurable to control the traffic destined to a particular network so that it is not forwarded through the router
- Such traffic is discarded and the ICMP destination unreachable message is sent back to the source
- Static reject routes can be typically used to prevent routing loops
- Default routes are configurable as a preference option
- In order to facilitate VLAN creation and VLAN routing using the Web GUI, a VLAN Routing Wizard offers the following automated capabilities:
- Create a VLAN and generate a unique name for VLAN
- Add selected ports to the newly created VLAN and remove selected ports from the default VLAN
- Create a LAG, add selected ports to a LAG, then add this LAG to the newly created VLAN
- Enable tagging on selected ports if the port is in another VLAN
- Disable tagging if a selected port does not exist in another VLAN
- Exclude ports that are not selected from the VLAN
- Enable routing on the VLAN using the IP address and subnet mask entered as logical routing interface
- DHCP Relay Agents relay DHCP requests from any routed interface, including VLANs, when the DHCP server doesn’t reside on the same IP network or subnet
- The agent relays requests from a subnet without a DHCP server to a server or next-hop agent on another subnet
- Unlike a router which switches IP packets transparently, a DHCP relay agent processes DHCP messages and generates new DHCP messages
- Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
- The Multiple Helper IPs feature allows a DHCP relay agent to be configured with multiple DHCP server addresses per routing interface and to use different server addresses for client packets arriving on different interfaces of the relay agent
- Support of Routing Information Protocol (RIPv2) as a distance vector protocol specified in RFC 2453 for IPv4
- Each route is characterized by the number of gateways, or hops, a packet must traverse to reach its intended destination
- Categorized as an interior gateway protocol, RIP operates within the scope of an autonomous system
- IP Multinetting allows configuring more than one IP address on a network interface (other vendors may call it IP Aliasing or Secondary Addressing)
- ICMP Throttling feature adds configuration options for the transmission of various types of ICMP messages
- ICMP Redirects can be used by a malicious sender to perform man-in-the-middle attacks, or divert packets to a malicious monitor, or to cause Denial of Service (DoS) by blackholing the packets
- ICMP Echo Requests and other messages can be used to probe for vulnerable hosts or routers
- Rate limiting ICMP error messages protects the local router and the network from sending a large number of messages that take CPU and bandwidth
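As an added example (Python, not NETGEAR code), the static route selection rules described above modelled on constructed prefixes: longest prefix match, then the lowest preference value with a static route winning a tie against a dynamic one, fallback to a less preferred route when every next hop of the preferred one is unresolvable, ECMP load sharing across multiple next hops, and static reject routes answered with ICMP destination unreachable. `Route`, `RoutingTable` and every address are assumptions for the demo.

```python
# Added example (not NETGEAR code): a model of static route selection with
# preference values, ECMP next hops and reject routes. All prefixes and
# next-hop addresses below are constructed for the demo.
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str
    next_hops: List[str] = field(default_factory=list)   # empty for a reject route
    preference: int = 1            # lower value = more preferred
    source: str = "static"         # "static" wins a tie against a dynamic source such as "rip"
    reject: bool = False           # discard and send ICMP destination unreachable

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


class RoutingTable:
    def __init__(self, routes: List[Route], resolvable: Set[str]):
        self.routes = routes
        # next hops whose link is up and whose MAC address has been resolved
        self.resolvable = resolvable

    def _usable_hops(self, r: Route) -> List[str]:
        return [h for h in r.next_hops if h in self.resolvable]

    def lookup(self, dst: str, flow_key: str = "") -> Tuple[str, Optional[str]]:
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return ("no-route", None)
        # 1. longest prefix match
        best_len = max(r.network.prefixlen for r in candidates)
        same_prefix = [r for r in candidates if r.network.prefixlen == best_len]
        # 2. most preferred first; among equal preference, static before dynamic
        same_prefix.sort(key=lambda r: (r.preference, 0 if r.source == "static" else 1))
        for r in same_prefix:
            if r.reject:
                return ("reject", "icmp-destination-unreachable")
            hops = self._usable_hops(r)
            if hops:
                # 3. ECMP: hash the flow so one flow always takes the same next hop
                idx = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16) % len(hops)
                return ("forward", hops[idx])
            # 4. preferred route unusable (link down / unresolved): try the next one
        return ("no-route", None)


def demo_table(primary_up: bool = True) -> RoutingTable:
    """Constructed table: default route, an ECMP static pair with a floating backup, and a reject route."""
    routes = [
        Route("0.0.0.0/0", ["192.0.2.1"]),                             # default route
        Route("10.20.0.0/16", ["198.51.100.1", "198.51.100.2"]),      # ECMP static, preference 1
        Route("10.20.0.0/16", ["203.0.113.1"], preference=10),        # less preferred backup
        Route("10.99.0.0/16", reject=True),                             # static reject route
    ]
    resolvable = {"192.0.2.1", "203.0.113.1"}
    if primary_up:
        resolvable |= {"198.51.100.1", "198.51.100.2"}
    return RoutingTable(routes, resolvable)
```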
Enterprise security
- Traffic control MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system in order to increase overall security and block MAC address flooding issues
- DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are considered authorized, in order to prevent DHCP server spoofing attacks
- Dynamic ARP Inspection (IPv4) uses the DHCP snooping bindings database per port and per VLAN to drop incoming packets that do not match any binding and to enforce source IP / MAC addresses, eliminating malicious users’ traffic
- Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be bound to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation Groups or Port channel) for fast prevention of unauthorized data flows with the right granularity
- For in-band switch management, management ACLs on CPU interface (Control Plane ACLs) are used to define the IP/MAC or protocol through which management access is allowed for increased HTTP/HTTPS or Telnet/SSH management security
- Out-of-band management is available via a dedicated service port (1G RJ45 OOB), while in-band management can be prohibited via management ACLs
- Bridge protocol data unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to influence the overall STP by creating loops
- Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing the potential issues of rogue root bridges, for instance when unauthorized or unexpected new equipment in the network accidentally becomes the root bridge for a given VLAN
- Dynamic 802.1x VLAN assignment mode, including Dynamic VLAN creation mode and Guest VLAN / Unauthenticated VLAN are supported for rigorous user and equipment RADIUS policy server enforcement
- Up to 48 clients (802.1x) per port are supported, including the authentication of the users domain, in order to facilitate convergent deployments. For instance when IP phones connect PCs on their bridge, IP phones and PCs can authenticate on the same switch port but under different VLAN assignment policies (Voice VLAN versus other Production VLANs)
- 802.1x MAC Address Authentication Bypass (MAB) is a supplemental authentication mechanism that lets non-802.1x devices bypass the traditional 802.1x process altogether, letting them authenticate to the network using their client MAC address as an identifier
- A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purpose
- MAB can be configured on a per-port basis on the switch
- MAB initiates after an unsuccessful dot1x authentication process (configurable time out), when clients don’t respond to any of the EAPOL packets
- When 802.1X unaware clients try to connect, the switch sends the MAC address of each client to the authentication server
- The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
- The RADIUS server returns the access policy and VLAN assignment to the switch for each client
- With Successive Tiering, the Authentication Manager allows for authentication methods per port for a Tiered Authentication based on configured time-outs
- By default, configuration authentication methods are tried in this order: Dot1x, then MAB, then Captive Portal (web authentication)
- With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies – For instance, when a client is connecting, M4200 tries to authenticate the user/client using the three methods above, one after the other
- The admin can restrict the configuration such that no other method is allowed to follow the captive portal method, for instance
- Double VLANs (DVLAN - QinQ) pass traffic from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are preserved and a service provider VLAN ID is added to the traffic so the traffic can pass the metro core in a simple, secure manner
- Private VLANs (with Primary VLAN, Isolated VLAN, Community VLAN, Promiscuous port, Host port, Trunks) provide Layer 2 isolation between ports that share the same broadcast domain, allowing a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains across switches in the same Layer 2 network
- Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but need to communicate with a router
- They remove the need for more complex port-based VLANs with respective IP interface/subnets and associated L3 routing
- Another typical Private VLAN application is carrier-class deployments, where users shouldn’t see, snoop or attack other users’ traffic
- Secure Shell (SSH) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured
- TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch configuration, based on latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
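An added Python model (not NETGEAR code) of how the DHCP Snooping and Dynamic ARP Inspection features listed in this section work together: the bindings database is built from DHCP exchanges seen on trusted and untrusted ports, DHCP server messages arriving on untrusted ports are dropped, and ARP packets on untrusted ports are checked against the bindings. Port names, MAC and IP addresses and the message dictionaries are constructed for the demo.

```python
# Added example (not NETGEAR code): DHCP snooping bindings database plus the
# Dynamic ARP Inspection check. Ports, addresses and messages are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    """Learns (MAC, IP, VLAN, port) bindings by watching DHCP exchanges.
    Server-side messages are only accepted from trusted ports."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending: Dict[Tuple[str, int], str] = {}        # (chaddr, vlan) -> client port
        self.bindings: Dict[Tuple[str, int], Binding] = {}

    def on_dhcp(self, msg: dict) -> str:
        key = (msg["chaddr"], msg["vlan"])
        if msg["type"] in SERVER_MSGS:
            if msg["port"] not in self.trusted:
                return "DROP:server-message-on-untrusted-port"   # rogue DHCP server
            if msg["type"] == "ACK":
                client_port = self.pending.pop(key, None)
                if client_port is None:
                    return "FORWARD:no-pending-request"
                self.bindings[key] = Binding(msg["chaddr"], msg["yiaddr"], msg["vlan"], client_port)
                return "BIND"
            return "FORWARD"
        # Client message on an untrusted port: frame source MAC must match chaddr
        if msg["port"] not in self.trusted and msg["src_mac"] != msg["chaddr"]:
            return "DROP:chaddr-mismatch"
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.pending[key] = msg["port"]
        elif msg["type"] == "RELEASE":
            b = self.bindings.get(key)
            if b is not None and b.port != msg["port"]:
                return "DROP:release-from-wrong-port"   # another port releasing this lease
            self.bindings.pop(key, None)
            return "UNBIND"
        return "FORWARD"


class DynamicArpInspection:
    """Validates ARP packets on untrusted ports against the snooping bindings."""

    def __init__(self, snooping: DhcpSnooping, trusted_ports):
        self.snoop = snooping
        self.trusted = set(trusted_ports)

    def inspect(self, arp: dict) -> str:
        if arp["port"] in self.trusted:
            return "PERMIT:trusted"
        if arp["src_mac"] != arp["sender_mac"]:
            return "DROP:src-mac-mismatch"   # Ethernet source != ARP sender hardware address
        b = self.snoop.bindings.get((arp["sender_mac"], arp["vlan"]))
        if b is None:
            return "DROP:no-binding"
        if b.ip != arp["sender_ip"] or b.port != arp["port"]:
            return "DROP:binding-mismatch"    # spoofed IP, or the MAC appearing on another port
        return "PERMIT"


def demo() -> List[str]:
    """Constructed traffic: a client on 1/0/1, a misbehaving host on 1/0/2, the server behind uplink 1/0/10."""
    snoop = DhcpSnooping(trusted_ports=["1/0/10"])
    dai = DynamicArpInspection(snoop, trusted_ports=["1/0/10"])
    c1, c2 = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    return [
        snoop.on_dhcp({"type": "DISCOVER", "port": "1/0/1", "vlan": 10, "src_mac": c1, "chaddr": c1}),
        snoop.on_dhcp({"type": "ACK", "port": "1/0/10", "vlan": 10, "chaddr": c1, "yiaddr": "10.0.10.21"}),
        # a DHCP server answering from an access port is dropped
        snoop.on_dhcp({"type": "ACK", "port": "1/0/2", "vlan": 10, "chaddr": c1, "yiaddr": "10.0.10.99"}),
        dai.inspect({"port": "1/0/1", "vlan": 10, "src_mac": c1, "sender_mac": c1, "sender_ip": "10.0.10.21"}),
        # an unbound MAC claiming the gateway address
        dai.inspect({"port": "1/0/2", "vlan": 10, "src_mac": c2, "sender_mac": c2, "sender_ip": "10.0.10.1"}),
        # the bound client's MAC and IP seen on a different port
        dai.inspect({"port": "1/0/2", "vlan": 10, "src_mac": c1, "sender_mac": c1, "sender_ip": "10.0.10.21"}),
        dai.inspect({"port": "1/0/10", "vlan": 10, "src_mac": c2, "sender_mac": c2, "sender_ip": "10.0.10.1"}),
    ]
```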
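An added Python model (not NETGEAR code) of the tiered Authentication Manager described in this section: Dot1x, then MAB, then Captive Portal, each with a time-out, a Guest / Unauthenticated VLAN when every tier fails, and the configuration check that no method may follow captive portal. The RADIUS records, VLAN IDs, time-outs and client behaviour are constructed assumptions.

```python
# Added example (not NETGEAR code): per-port tiered authentication
# (dot1x -> MAB -> captive portal). RADIUS data, VLANs and clients are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CAPTIVE_PORTAL = "captive-portal"


@dataclass
class Client:
    mac: str
    eapol_delay: Optional[float]           # seconds until it answers EAPOL; None = 802.1X-unaware
    username: Optional[str] = None         # 802.1X credentials (constructed)
    password: Optional[str] = None
    web_login: Optional[Tuple[str, str]] = None   # what the user types into the captive portal


@dataclass
class RadiusServer:
    users: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # username -> (password, VLAN)
    mab_macs: Dict[str, int] = field(default_factory=dict)            # authorized NIC MAC -> VLAN

    def check_user(self, username, password) -> Optional[int]:
        entry = self.users.get(username)
        return entry[1] if entry and entry[0] == password else None


@dataclass
class PortAuthConfig:
    methods: List[str]              # order in which the Authentication Manager tries them
    timeouts: Dict[str, float]      # per-method time-out in seconds
    guest_vlan: int                 # Guest / Unauthenticated VLAN used when every tier fails

    def __post_init__(self):
        # Captive portal is terminal: the admin may not let another method follow it
        if CAPTIVE_PORTAL in self.methods and self.methods[-1] != CAPTIVE_PORTAL:
            raise ValueError("no authentication method may follow captive portal")


@dataclass
class AuthResult:
    authorized: bool
    vlan: int
    method: Optional[str]
    trace: List[str]


def run_dot1x(client, radius, timeout):
    if client.eapol_delay is None or client.eapol_delay > timeout:
        return None, "timeout"          # no EAPOL response before the time-out expires
    return radius.check_user(client.username, client.password), "reply"


def run_mab(client, radius, timeout):
    return radius.mab_macs.get(client.mac), "reply"   # switch submits the client MAC to RADIUS


def run_captive_portal(client, radius, timeout):
    if client.web_login is None:
        return None, "timeout"          # nobody logged in through the web page
    return radius.check_user(*client.web_login), "reply"


METHODS = {"dot1x": run_dot1x, "mab": run_mab, CAPTIVE_PORTAL: run_captive_portal}


def authenticate(cfg: PortAuthConfig, client: Client, radius: RadiusServer) -> AuthResult:
    trace: List[str] = []
    for method in cfg.methods:
        vlan, why = METHODS[method](client, radius, cfg.timeouts.get(method, 30.0))
        if vlan is not None:
            trace.append(f"{method}:success")
            return AuthResult(True, vlan, method, trace)
        trace.append(f"{method}:{'timeout' if why == 'timeout' else 'rejected'}")
    return AuthResult(False, cfg.guest_vlan, None, trace)   # every tier failed


def config_is_valid(methods: List[str]) -> bool:
    try:
        PortAuthConfig(methods, {}, 999)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, AuthResult]:
    radius = RadiusServer(
        users={"alice": ("s3cret", 100), "guest42": ("welcome", 300)},
        mab_macs={"00:11:22:33:44:55": 200},                # constructed: an IP phone's NIC
    )
    cfg = PortAuthConfig(["dot1x", "mab", CAPTIVE_PORTAL],
                         {"dot1x": 30.0, CAPTIVE_PORTAL: 300.0}, guest_vlan=999)
    return {
        "laptop": authenticate(cfg, Client("00:aa:bb:cc:dd:01", 0.5, "alice", "s3cret"), radius),
        "phone": authenticate(cfg, Client("00:11:22:33:44:55", None), radius),
        "byod": authenticate(cfg, Client("00:aa:bb:cc:dd:03", None, web_login=("guest42", "welcome")), radius),
        "unknown": authenticate(cfg, Client("00:aa:bb:cc:dd:04", None), radius),
    }
```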
Superior quality of service
- Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
- 8 queues for priorities and various QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
- Advanced rate limiting down to 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with ACLs for best granularity
- The Single Rate Policing feature enables support for the Single Rate Policer as defined by RFC 2697
- Committed Information Rate (average allowable rate for the class)
- Committed Burst Size (maximum amount of contiguous packets for the class)
- Excessive Burst Size (additional burst size for the class with credits refill at a slower rate than committed burst size)
- DiffServ feature applied to class maps
- Automatic Voice over IP prioritization with protocol-based (SIP, H323 and SCCP) or OUI-based Auto-VoIP, up to 144 simultaneous voice calls
- iSCSI Flow Acceleration and automatic protection / QoS with Auto-iSCSI
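An added Python implementation (not NETGEAR code) of the RFC 2697 Single Rate Three Color Marker behind the CIR / CBS / EBS parameters listed above, in color-blind mode, with a constructed burst that shows green, yellow and red marking and the slower refill of the excess bucket. The policy values and the color-to-action mapping are assumptions.

```python
# Added example (not NETGEAR code): RFC 2697 single rate three color marker.
# Policy values and the action mapping are constructed for the demo.
from typing import List, Tuple


class SingleRatePolicer:
    """Two token buckets: C (size CBS) fills first at CIR; only its overflow tops up E (size EBS)."""

    def __init__(self, cir_kbps: int, cbs_bytes: int, ebs_bytes: int, now: float = 0.0):
        self.rate = cir_kbps * 1000 / 8.0        # CIR converted to bytes per second
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)   # both buckets start full
        self.last = now

    def _refill(self, now: float) -> None:
        tokens = max(0.0, now - self.last) * self.rate
        self.last = now
        into_c = min(tokens, self.cbs - self.tc)
        self.tc += into_c
        # E refills more slowly than C: it only receives what C could not hold
        self.te = min(self.ebs, self.te + (tokens - into_c))

    def color(self, size: int, now: float) -> str:
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"       # within the committed rate / burst
        if self.te >= size:
            self.te -= size
            return "yellow"      # within the excess burst
        return "red"             # exceeds both buckets


ACTIONS = {"green": "forward", "yellow": "forward-remarked", "red": "drop"}


def police(policer: SingleRatePolicer, packets: List[Tuple[float, int]]) -> List[Tuple[str, str]]:
    """packets: (arrival time in seconds, size in bytes) -> (color, action) per packet, in order."""
    return [(c, ACTIONS[c]) for c in (policer.color(size, t) for t, size in packets)]


def demo() -> List[str]:
    # Constructed policy: CIR 1000 kbps (125 000 bytes/s), CBS 4000 bytes, EBS 2000 bytes.
    p = SingleRatePolicer(cir_kbps=1000, cbs_bytes=4000, ebs_bytes=2000)
    burst = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.0, 1500),   # four back-to-back frames
             (0.04, 1500)]                                          # 40 ms later: 5000 bytes refilled
    return [color for color, _ in police(p, burst)]
```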
UDLD Support
- The UDLD implementation detects unidirectional links on physical ports (UDLD must be enabled on both sides of the link in order to detect a unidirectional link)
- UDLD protocol operates by exchanging packets containing information about neighboring devices
- The purpose is to detect and avoid unidirectional link forwarding anomalies in a Layer 2 communication channel
- Both “normal-mode” and “aggressive-mode” are supported for perfect compatibility with other vendors’ implementations, including port “D-Disable” triggering cases in both modes
Documentation:
Download the NETGEAR M4200 Series Datasheet (PDF).