
NETGEAR M4300-16X
Half-Width Intelligent Edge Managed Switch with 16x100M/1G/2.5G/5G/10GBASE-T with PoE+

NETGEAR M4300-16X Half-Width Stackable Managed Switch with 16x100M/1G/2.5G/5G/10GBASE-T with PoE+ (299W PSU)
*Includes a Lifetime Hardware Warranty, 90 Days of Free Tech Support, and Lifetime Online Tech Support
#XSM4316PA-100NES
Price: $3,743.83
NETGEAR M4300-16X Half-Width Stackable Managed Switch with 16x100M/1G/2.5G/5G/10GBASE-T with PoE+ (600W PSU)
*Includes a Lifetime Hardware Warranty, 90 Days of Free Tech Support, and Lifetime Online Tech Support
#XSM4316PB-100NES
Price: $3,431.84

Overview:

The NETGEAR M4300 Stackable Switch Series delivers L2/L3/L4 and IPv4/IPv6 cost-effective services for mid-enterprise edge and SMB core deployments with unrivalled ease of use: 10/40 Gigabit models can seamlessly stack with 1 Gigabit models within the series, enabling spine and leaf line-rate topologies. Nonstop forwarding (NSF) virtual chassis architectures provide advanced High Availability (HA) with hitless failover across the stack. Intelligent NETGEAR IGMP Plus™ multicast allows for scalable Pro AV installations at Layer 2 without the PIM complexity. Dual redundant, modular power supplies equipping full width models contribute to business continuity management. Layer 3 feature set includes static, dynamic and policy-based routing – as standard. The NETGEAR M4300 Switch Series is perfect for wireless access, unified communications and professional AV-over-IP installations.

NETGEAR Intelligent Edge Switch solutions combine the latest advances in hardware and software engineering for higher flexibility, lower complexity and stronger investment protection, at a high-value price point.

Highlights

Best-in-class stacking

  • M4300 is flexible enough for mixed stacking between 10/40 Gigabit and 1 Gigabit models, using any 10G/40G port with any media type (RJ45, SFP+, DAC cables)
  • High-availability is another key differentiator for stackable solutions: in case of a master switch failure, NSF and hitless failover ensure the standby switch takes over while forwarding plane continues to forward traffic on the operational stack members without any service interruption

10G/40G modular solution

  • The M4300-96X scales from 8 to 96 ports of 10G Ethernet by multiple of 8 ports, and from 2 to 24 ports of 40G Ethernet by multiple of 2 ports
  • The 96X lets you start small with copper and fiber, including Multi-Gigabit 2.5G/5G and PoE+ over 10G, and grow later in “non-blocking” mode just by adding port expansion cards

Higher flexibility

  • Two half-width M4300 switches can be paired in a single rack space for redundant Top of Rack installations with Auto-iSCSI prioritization
  • Removing the need for Layer-3 PIM routing, IGMP Plus greatly simplifies system architectures with automated IGMP techniques across the entire AV-over-IP network

Lower complexity

  • Entire feature set including L2 switching (multi-tiered access control) and L3 routing (static, RIP, OSPF, VRRP, PIM, PBR) is available without license
  • DHCP/BootP innovative auto-installation including firmware and configuration file upload automation

Investment protection

  • Line-rate spine and leaf stacking topologies offer multiple possibilities in server rooms, in branch collapsed cores or at the edge of growing networks
  • Even if an organization is not ready for high-speed backbone, 10G and 40G models can be added later to stacks of 1G models

Secure services

  • With successive tiering, the Authentication Manager allows for authentication methods per port for a tiered authentication based on configured time-outs
  • With BYOD, tiered Dot1x -> MAB Captive Portal authentication is powerful and simple to implement with strict policies

Industry standard management

  • Industry standard command line interface (CLI), functional NETGEAR web interface (GUI), SNMP, sFlow and RSPAN
  • Single-pane-of-glass NMS300 management platform with centralized firmware updates and mass-configuration support

Industry leading warranty

  • NETGEAR M4300 series is covered under NETGEAR ProSAFE Lifetime Hardware Warranty*
  • 90 days of Technical Support via phone and email, Lifetime Technical Support through online chat and Lifetime Next Business Day hardware replacement

Features:

The M4300 Stackable L3 Managed Switch Series comes with 40G, 10G and 1G models in a variety of form factors including PoE+ full provisioning. M4300 Switch Series delivers IPv4/IPv6 rich services for mid-enterprise edge and SMB core with mixed stacking between 40-, 10- and 1-Gigabit models. Layer 3 feature set includes static and policy-based routing, RIP, VRRP, OSPF, and PIM dynamic routing. M4300 is ideal for server aggregation, wireless access, unified communications and Video-over-IP.

NETGEAR M4300 series key features:

  • Cost effective 1G access layer in campus LAN networks, and high performance 10G/40G distribution layer for midsize organizations networks
  • Zero Touch AV-over-IP with pre-configured L2 Multicast (SDVoE-ready)
  • Advanced Layer 2, Layer 3 and Layer 4 feature set - no license required - including Policy Based Routing, RIP, VRRP, OSPF and PIM
  • Innovative mixed “Spine and Leaf”, 1G, 10G and 40G stacking with nonstop forwarding (NSF) and hitless failover redundancy
  • Low acoustics, half-width 16-port and 24-port 10G models can be paired in a single rack space for redundant Top of Rack
  • Modular 12-slot 2RU model scaling up to 96-port 10G by multiple of 8 ports or 24-port 40G by multiple of 2 ports
  • Up to 768 (10 Gigabit) ports, 192 (40 Gigabit) ports or 384 (1 Gigabit) ports, or a combination in a single logical switch
  • PoE+ (30 watts per port) with hot swap, redundant power supplies and full provisioning

NETGEAR M4300 series software features:

  • Advanced classifier-based, time-based hardware implementation for L2 (MAC), L3 (IP) and L4 (UDP/TCP transport ports) security and prioritization
  • Selectable Port-Channel/LAG (802.3ad - 802.1AX) L2/L3/L4 hashing for fault tolerance and load sharing with any type of Ethernet channeling
  • Voice VLAN with SIP, H323 and SCCP protocols detection and LLDP-MED IP phones automatic QoS and VLAN configuration
  • Efficient authentication tiering with successive DOT1X, MAB and Captive Portal methods for streamlined BYOD
  • Comprehensive IPv4/IPv6 static and dynamic routing including Proxy ARP, OSPF, Policy-based routing and automatic 6-to-4 tunneling
  • Scalable Pro AV deployments with NETGEAR IGMP Plus™ automatic L2 multicast (only subscribed videos flow from one switch to the other across the L2 topology)
  • High performance IPv4/IPv6 multicast routing with PIM timer accuracy and unhandled PIM (S,G,rpt) state machine events transitioning
  • Advanced IPv4/IPv6 security implementation including malicious code detection, DHCP Snooping, IP Source Guard protection and DoS attacks mitigation
  • Innovative multi-vendor Auto-iSCSI capabilities for easier virtualization optimization

NETGEAR M4300 series resiliency and availability features:

  • Dual redundant, modular power supplies equipping full width models contribute to business continuity management
  • Vertical or horizontal flexible stacking with management unit hitless failover and nonstop forwarding (NSF) across operational stack members
  • Spine and leaf architecture with every leaf switch (1G access switches) connecting to every spine switch (distributed 10G “core” switches)
  • Stacking and distributed link aggregation allow for multi-resiliency with zero downtime and load balancing capabilities
  • New Link Dependency feature enables or disables ports based on the link state of different ports
  • Per VLAN Spanning Tree and Per VLAN Rapid Spanning Tree (PVSTP/ PVRSTP) offer interoperability with PVST+ infrastructures

NETGEAR M4300 series management features:

  • DHCP/BootP innovative auto-installation including firmware and configuration file upload automation
  • Industry standard SNMP, RMON, MIB, LLDP, AAA, sFlow, RSPAN and PTPv2 1-step transparent clock implementation (select M4300 models)
  • Service port for out-of-band Ethernet management (OOB)
  • Standard RS232 straight-through serial RJ45 and Mini-USB ports for local management console
  • Standard USB port for local storage, logs, configuration or image files
  • Dual firmware image for updates with minimum service interruption
  • Industry standard command line interface (CLI) for IT admins used to other vendors' commands
  • Fully functional Web console (GUI) for IT admins who prefer an easy to use graphical interface
  • Single-pane-of-glass NMS300 management platform with mass-configuration support

NETGEAR M4300 series warranty and support:

  • NETGEAR ProSAFE Lifetime Hardware Warranty
  • Included Lifetime Technical Support
  • Included Lifetime Next Business Day Hardware Replacement

Modern Access Layer Features:


High Density Layer 2/Layer 3/Layer 4 Stackable Switch Solution
M4300 switch series supports Nonstop Forwarding (NSF) virtual chassis stacking with up to 8 switches in a single logical switch, with hitless management failover
  • Any 40G or 10G port (copper, fiber) and any media type (RJ45, SFP+, DAC) can be used for stacking on any M4300 models
  • Hot-swappable stacking of up to 8 units, vertical or horizontal
  • 40G and 10G models can stack with 1G models in legacy dual ring topologies, or innovative spine and leaf topologies
  • L2, L3 and L4 switching features (access control list, classification, filtering, IPv4/IPv6 routing, IPv6 transition services) are performed in hardware at interface line rate for voice, video, and data convergence
M4300 series Layer 3 software package provides advanced IPv4/IPv6 fault tolerant routing capabilities for interfaces, VLANs, subnets and multicast
Best value switching performance
  • 96p 10G models: 256K MAC address table, 4K concurrent VLANs and 12K Layer 3 route table size for the most demanding enterprise or campus networks
  • 48p 10G models: 128K MAC address table and same other constants as 96p 10G models
  • All other models: 16K MAC address table, 4K concurrent VLANs and 512 Layer 3 route table size for typical midsize environments
  • Mixed stacking between more capable and less capable devices uses SDM template based on “least common denominator” set of capacities and capabilities
  • Each switch provides line-rate local switching and routing capacity
  • 80 PLUS certified power supplies for high energy efficiency
  • Full width models come with two PSU bays: a second PSU (sold separately) will add 1+1 power redundancy
  • Increased packet buffering with up to 96Mb (96p 10G models), 72 Mb (48p 10G models), 32 Mb (24p 10G models) and 16 Mb (all other models)
  • Low latency at all network speeds, including 40 Gigabit and 10 Gigabit copper / fiber interfaces
  • Jumbo frames support of up to 9Kb accelerating storage performance for backup and cloud applications
iSCSI Flow Acceleration and Automatic Protection/ QoS for virtualization and server room networks containing iSCSI initiators and iSCSI targets
  • Detecting the establishment and termination of iSCSI sessions and connections by snooping packets used in the iSCSI protocol
  • Maintaining a database of currently active iSCSI sessions and connections to store data, including classifier rules for desired QoS treatment
  • Installing and removing classifier rule sets as needed for the iSCSI session traffic
  • Monitoring activity in the iSCSI sessions to allow for aging out session entries if the session termination packets are not received
  • Avoiding session interruptions during times of congestion that would otherwise cause iSCSI packets to be dropped
Virtual Chassis Stacking technology increases overall network availability, providing both better resiliency in network architectures, and better performance with advanced load balancing capabilities between network uplinks
  • Up to (8) M4300 switches can be aggregated using a virtual back plane and a single console or web management interface
  • There is no 10G or 40G port pre-configured as Stacking port: all 10G or 40G ports are configured in Ethernet mode by default
      – Port configuration can be changed to Stack mode in Web GUI (System/Stacking/Advanced/Stack-port Configuration)
      – Or using CLI command << #stack-port unit/slot/port stack >> in Stack Global Configuration section
  • Other devices in the network see the stack as a single bridge or a single router
  • Within the stack, a switch is elected (or chosen based on priority settings) as the “management unit” responsible for the stack members’ routing tables
  • Another switch is designated (or chosen based on priority settings) as an alternate, backup management unit
  • In typical spine and leaf architectures, 10G / 40G “spine” switches are meant to handle management unit and backup management unit roles
  • The Non-Stop Forwarding (NSF) feature enables the stack to secure forwarding end-user traffic when the management unit fails
  • Non-Stop Forwarding is supported for the following events:
      – Power failure of the management unit
      – Other hardware failure causing the management unit to hang or to reset
      – Software failure causing the management unit to hang or to reset
      – Failover initiated by the administrator
      – Loss of cascade connectivity between the management unit and the backup unit
  • As the backup management unit takes over, end-user data streams may lose a few packets, but do not lose their IP sessions, such as VoIP calls
  • Instant failover from management unit to redundant management unit is hitless for world-class resiliency and availability
  • Back to normal production conditions, hitless failback requires a command in CLI or in GUI, for more control
Adding a second PSU to full width models enables redundant 1+1 power protection and contributes to business continuity management
Distributed Link Aggregation, also called Port Channeling or Port Trunking, offers powerful network redundancy and load balancing between stacked members
  • Servers and other network devices benefit from greater bandwidth capacity with active-active teaming (LACP, Link Aggregation Control Protocol)
  • From a system perspective, a LAG (Link Aggregation Group) is treated as a physical port by M4300 stack for even more simplicity
Rapid Spanning Tree (RSTP) and Multiple Spanning Tree (MSTP) allow for rapid transitioning of the ports to the Forwarding state and the suppression of Topology Change Notification
NETGEAR PVSTP implementation (CLI only) follows the same rules as other vendors' Per VLAN STP for strict interoperability
  • Including industry-standard PVST+ interoperability
  • PVSTP is similar to the MSTP protocol as defined by IEEE 802.1s, the main difference being PVSTP runs one instance per VLAN
  • In other words, each configured VLAN runs an independent instance of PVSTP
  • FastUplink feature immediately moves an alternate port with lowest cost to forwarding state when the root port goes down to reduce recovery time
  • FastBackbone feature selects new indirect port when an indirect port fails
NETGEAR PVRSTP implementation (CLI only) follows the same rules as other vendors' Per VLAN RSTP for strict interoperability
  • Including industry-standard RPVST+ interoperability
  • PVRSTP is similar to the RSTP protocol as defined by IEEE 802.1w, the main difference being PVRSTP runs one instance per VLAN
  • In other words, each configured VLAN runs an independent instance of PVRSTP
  • Each PVRSTP instance elects a root bridge independent of the other
  • Hence there are as many Root Bridges in the region as there are VLANs configured
  • Per VLAN RSTP has built-in support for FastUplink and FastBackbone
IP address conflict detection performed by embedded DHCP servers prevents accidental IP address duplicates from perturbing the overall network stability
IP Event Dampening reduces the effect of interface flaps on routing protocols: the routing protocols temporarily disable their processing (on the unstable interface) until the interface becomes stable, thereby greatly increasing the overall stability of the network
Ease of deployment
  • Automatic configuration with DHCP and BootP Auto Install eases large deployments with a scalable configuration files management capability, mapping IP addresses and host names and providing individual configuration files to multiple switches as soon as they are initialized on the network
  • Both the Switch Serial Number and Switch primary MAC address are reported by a simple "show" command in the CLI - facilitating discovery and remote configuration operations
  • Automatic Voice over IP prioritization with Auto-VoIP simplifies most complex multi-vendor IP telephones deployments either based on protocols (SIP, H323 and SCCP) or on OUI bytes (default database and user-based OUIs) in the phone source MAC address; providing the best class of service to VoIP streams (both data and signaling) over other ordinary traffic by classifying traffic, and enabling correct egress queue configuration
  • An associated Voice VLAN can be easily configured with Auto-VoIP for further traffic isolation
  • When deployed IP phones are LLDP-MED compliant, the Voice VLAN will use LLDP-MED to pass on the VLAN ID, 802.1P priority and DSCP values to the IP phones, accelerating convergent deployments
M4300 DHCP L2 Relay agents eliminate the need to have a DHCP server on each physical network or subnet
  • DHCP Relay agents process DHCP messages and generate new DHCP messages
  • Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
  • DHCP Relay agents are typically IP routing-aware devices and can be referred to as Layer 3 relay agents
Versatile connectivity
  • 24- and 48-port 1G models with 10G uplinks, including 2-port 10GBASE-T and 2-port 10GBASE-X SFP+
  • 16-, 24-, 48- and 96-port 10G models with a variety of 10GBASE-T and 10GBASE-X SFP+ interfaces
  • M4300-96X offers 12 slots for 8x10G or 2x40G port expansion cards and hundreds of combinations
  • Large 10 Gigabit choice with SFP+ ports for fiber or short, low-latency copper DAC cables; 10GBASE-T ports for legacy Cat6 RJ45 short connections (up to 55m) and Cat6A / Cat7 connections up to 100m
  • Automatic MDIX and Auto-negotiation on all ports select the right transmission modes (half or full duplex) as well as data transmission for crossover or straight-through cables dynamically for the admin
  • 1G models (M4300-28G and M4300-52G, PoE+ versions included): the 10 Mbps / Half Duplex mode isn’t supported on ports 17-24 and 41-48
  • Link Dependency feature enables or disables one or more ports based on the link state of one or more different ports
  • IPv6 full support with IPv6 host, dual stack (IPv4 and IPv6), multicasting (MLD for IPv6 filtering and PIM-SM / PIM-DM for IPv6 routing), ACLs and QoS, static routing and dynamic routing (OSPFv3) as well as Configured 6to4 and Automatic 6to4 tunneling for IPv6 traffic encapsulation into IPv4 packets
IEEE 802.3at Power over Ethernet Plus (PoE+) provides up to 30W power per port using 2 pairs while offering backward compatibility with 802.3af
  • IEEE 802.3at Layer 2 LLDP method and 802.3at PoE+ 2-event classification method fully supported for compatibility with most PoE+ PD devices
Ease of management and granular control
  • Dual firmware image and dual configuration file for transparent firmware updates / configuration changes with minimum service interruption
  • Flexible Port-Channel/LAG (802.3ad - 802.1AX) implementation for maximum compatibility, fault tolerance and load sharing with any type of Ethernet channeling from other vendors' switch, server or storage devices conforming to IEEE 802.3ad - including static (selectable hashing algorithms) - or to IEEE 802.1AX with dynamic LAGs or port-channel (highly tunable LACP Link Aggregation Control Protocol)
  • LACP mode automatically reverts to and from Static LAG, useful when the host isn’t LACP anymore, for instance during a factory reset or re-configuration
  • Unidirectional Link Detection Protocol (UDLD) and Aggressive UDLD detect and avoid unidirectional links automatically, in order to prevent forwarding anomalies in a Layer 2 communication channel in which a bi-directional link stops passing traffic in one direction
  • Port names feature allows for descriptive names on all interfaces and better clarity in real-world admin daily tasks
  • Loopback interfaces management for routing protocols administration
  • Private VLANs and local Proxy ARP help reduce broadcast with added security
  • Management VLAN ID is user selectable for best convenience
  • Industry-standard VLAN management in the command line interface (CLI) for all common operations such as VLAN creation; VLAN names; VLAN “make static” for dynamically created VLAN by GVRP registration; VLAN trunking; VLAN participation as well as VLAN ID (PVID) and VLAN tagging for one interface, a group of interfaces or all interfaces at once
  • Simplified VLAN configuration with industry-standard Access Ports for 802.1Q unaware endpoints and Trunk Ports for switch-to-switch links with Native VLAN
  • System defaults automatically set per-port broadcast, multicast, and unicast storm control for typical, robust protection against DoS attacks and faulty clients which can, with BYOD, often create network and performance issues
  • IP Telephony administration is simplified with consistent Voice VLAN capabilities per the industry standards and automatic functions associated
  • Comprehensive set of “system utilities” and “Clear” commands help troubleshoot connectivity issues and restore various configurations to their factory defaults for maximum admin efficiency: traceroute (to discover the routes that packets actually take when traveling on a hop-by-hop basis and with a synchronous response when initiated from the CLI), clear dynamically learned MAC addresses, counters, IGMP snooping table entries from the Multicast forwarding database etc...
  • Syslog and Packet Captures can be sent to USB storage for rapid network troubleshooting
  • Replaceable factory-default configuration file for predictable network reset in distributed branch offices without IT personnel
  • All major centralized software distribution platforms are supported for central software upgrades and configuration files management (HTTP, TFTP), including in highly secured versions (HTTPS, SFTP, SCP)
  • Simple Network Time Protocol (SNTP) can be used to synchronize network resources and for adaptation of NTP, and can provide synchronized network timestamp either in broadcast or unicast mode (SNTP client implemented over UDP - port 123)
  • Embedded RMON (4 groups) and sFlow agents permit external network traffic analysis
SDM (System Data Management, or switch database) templates allow for granular system resources distribution depending on IPv4 or IPv6 applications
  • ARP Entries (the maximum number of entries in the IPv4 Address Resolution Protocol ARP cache for routing interfaces)
  • IPv4 Unicast Routes (the maximum number of IPv4 unicast forwarding table entries)
  • IPv6 NDP Entries (the maximum number of IPv6 Neighbor Discovery Protocol NDP cache entries)
  • IPv6 Unicast Routes (the maximum number of IPv6 unicast forwarding table entries)
  • ECMP Next Hops (the maximum number of next hops that can be installed in the IPv4 and IPv6 unicast forwarding tables)
  • IPv4 Multicast Routes (the maximum number of IPv4 multicast forwarding table entries)
  • IPv6 Multicast Routes (the maximum number of IPv6 multicast forwarding table entries)
Engineered for convergence and AV-over-IP
  • Audio (Voice over IP) and Video (multicasting) comprehensive switching, filtering, routing and prioritization
  • Auto-VoIP, Voice VLAN and LLDP-MED support for IP phones QoS and VLAN configuration
  • IGMP Snooping and Proxy for IPv4, MLD Snooping and Proxy for IPv6, and Querier mode facilitate fast receivers joins and leaves for multicast streams and ensure multicast traffic only reaches interested receivers everywhere in a Layer 2 or a Layer 3 network, including source-specific (SSM) and any-source (ASM) multicast
  • Multicast VLAN Registration (MVR) uses a dedicated Multicast VLAN to forward multicast streams and avoid duplication for clients in different VLANs
  • PoE power management and schedule enablement
  • Power redundancy for higher availability in mission-critical convergent installations, including hot-swap main PSU replacement without interruption
IEEE 1588 (section 10 and 11.5) PTPv2 Transparent Clock (TC) End-to-End implementation considering the residence time of PTPv2 packets from ingress to egress
  • The 48-port 10G models (M4300-24X24F, M4300-48X, M4300-48XF) don’t support PTPv2 E2E TC
  • 1-step Transparent Clock mode, using the residence time of the PTPv2 packet at the egress port level in Standalone mode, or Stack Master only
  • On M4300-52G and M4300-52G-PoE+ models, PTPv2 is supported between port 1 and port 24, and between port 25 and port 48
  • The “Sync & Delay_Req” field of passing/egressing out PTPv2 packets is updated with the residence time in the switch, the other fields in PTPv2 packets (“Announce”, “Delay_Resp”, “Pdelay_Req” and “Pdelay_Resp”) are not updated
NETGEAR IGMP Plus™ enhanced implementation for automatic multicast across a M4300 / M4500 L2 network (Spine and Leaf topologies), removing the need for L3 PIM routing
  • IGMP Plus is pre-configured on default VLAN 1 out of the box in all M4300 and M4500 models (M4300: starting 12.0.8.x release)
  • IGMP Plus can be configured on another VLAN for automatic IGMP across switches on that VLAN (uplinks can be part of that VLAN in trunk mode)
  • IGMP Plus allows AV-over-IP devices (TX/Encoders and RX/Decoders) to be connected across multiple M4300 and M4500 switches in a star topology
  • New show igmpsnooping group command in CLI and GUI displays the Source and Group IP addresses along with their corresponding MAC addresses that are learnt through IGMP Snooping in a given VLAN on a given interface
Distance Vector Multicast Routing Protocol (DVMRP) is a dense mode multicast protocol also called Broadcast and Prune Multicasting protocol
  • DVMRP uses a distributed routing algorithm to build per-source-group multicast trees
  • DVMRP assumes that all hosts are part of a multicast group until it is informed of multicast group changes
  • It dynamically generates per-source-group multicast trees using Reverse Path Multicasting
  • Trees are calculated and updated dynamically to track membership of individual groups
Multicast routing (PIM-SM and PIM-DM, both IPv4 and IPv6) ensures multicast streams can reach receivers in different L3 subnets
  • Multicast static routes allowed in Reverse Path Forwarding (RPF) selection
  • Multicast dynamic routing (PIM associated with OSPF) including PIM multi-hop RP support for advanced routing-around-damage capabilities
  • Full support of PIM (S,G,Rpt) state machine events as described in RFC 4601
  • Improved Multicast PIM timer accuracy with hardware abstraction layer (HAPI) polling hit status for multicast entries in real time (without caching)
Layer 3 routing package
Static Routes/ECMP Static Routes for IPv4 and IPv6
  • Static and default routes are configurable with next IP address hops to any given destination
  • Permitting additional routes creates several options for the network administrator
  • The admin can configure multiple next hops to a given destination, intending for the router to load share across the next hops
  • The admin distinguishes static routes by specifying a route preference value: a lower preference value is a more preferred static route
  • A less preferred static route is used if the more preferred static route is unusable (down link, or next hop cannot be resolved to a MAC address)
  • Preference option allows admin to control the preference of individual static routes relative to routes learned from other sources (such as OSPF) since a static route will be preferred over a dynamic route when routes from different sources have the same preference
Advanced Static Routing functions for administrative traffic control
  • Static Reject Routes are configurable to control the traffic destined to a particular network so that it is not forwarded through the router
  • Such traffic is discarded and the ICMP destination unreachable message is sent back to the source
  • Static reject routes can be typically used to prevent routing loops
  • Default routes are configurable as a preference option
In order to facilitate VLAN creation and VLAN routing using Web GUI, a VLAN Routing Wizard offers following automated capabilities:
  • Create a VLAN and generate a unique name for VLAN
  • Add selected ports to the newly created VLAN and remove selected ports from the default VLAN
  • Create a LAG, add selected ports to a LAG, then add this LAG to the newly created VLAN
  • Enable tagging on selected ports if the port is in another VLAN
  • Disable tagging if a selected port does not exist in another VLAN
  • Exclude ports that are not selected from the VLAN
  • Enable routing on the VLAN using the IP address and subnet mask entered as logical routing interface
DHCP Relay Agents relay DHCP requests from any routed interface, including VLANs, when DHCP server doesn’t reside on the same IP network or subnet
  • The agent relays requests from a subnet without a DHCP server to a server or next-hop agent on another subnet
  • Unlike a router which switches IP packets transparently, a DHCP relay agent processes DHCP messages and generates new DHCP messages
  • Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
  • The Multiple Helper IPs feature allows configuring a DHCP relay agent with multiple DHCP server addresses per routing interface and using different server addresses for client packets arriving on different interfaces on the relay agent
Virtual Router Redundancy Protocol (VRRP) provides backup for any statically allocated next-hop router address going down, based on RFC 3768 (IPv4)
  • VRRP is based on the concept of having more than one router recognize the same router IP address
  • VRRP increases the availability of the default path without requiring configuration of dynamic routing, or router discovery protocols on end stations
  • Multiple virtual routers can be defined on any single router interface
  • One of the routers is elected the master router and handles all traffic sent to the specified virtual router IP address
  • When the master router fails, one of the backup routers is elected in its place and starts handling traffic sent to the address
As an enhancement to RFC 3768, VRRP Interface can be configured as pingable to help troubleshoot network connectivity issues
  • In that case, VRRP master responds to both fragmented and unfragmented ICMP echo requests packets destined to VRRP address(es)
  • VRRP master responds with VRRP address as the source IPv4 address and VRMAC as the source MAC address
  • A virtual router in backup state discards these ICMP echo requests
VRRP Route/Interface Tracking feature extends the capability of the Virtual Router Redundancy Protocol (VRRP)
  • Allows tracking of specific route/interface IP states, within the router, that can alter the priority level of a virtual router for a VRRP group
  • It ensures the best VRRP router is master for the group
Router Discovery Protocol is an extension to ICMP and enables hosts to dynamically discover the IP address of routers on local IP subnets
  • Based on RFC 1256 for IPv4
  • Routers periodically send router discovery messages to announce their presence to locally-attached hosts
  • The router discovery message advertises one or more IP addresses on the router that hosts can use as their default gateway
  • Hosts can send a router solicitation message asking any router that receives the message to immediately send a router advertisement
  • Router discovery eliminates the need to manually configure a default gateway on each host
  • It enables hosts to switch to a different default gateway if one goes down
Loopback interfaces are available as dynamic, stable IP addresses for other devices on the network, and for routing protocols
Tunnel interfaces are available for IPv4 and IPv6
  • Each router interface (port, or VLAN interface) can have multiple associated tunnel interfaces
  • Support for Configured 6to4 (RFC 4213) and Automatic 6to4 tunneling (RFC 3056) for IPv6 traffic encapsulation into IPv4 packets
  • 6to4 tunnels are automatically formed for IPv4 tunnels carrying IPv6 traffic
  • M4300 can act as a 6to4 border router that connects a 6to4 site to a 6to4 domain
Support of Routing Information Protocol (RIPv2) as a distance vector protocol specified in RFC 2453 for IPv4
  • Each route is characterized by the number of gateways, or hops, a packet must traverse to reach its intended destination
  • Categorized as an interior gateway protocol, RIP operates within the scope of an autonomous system
Route Redistribution feature enables the exchange of routing information among different routing protocols all operating within a router
  • Configurable when different routing protocols use different ways of expressing the distance to a destination or different metrics and formats
  • For instance, when OSPF redistributes a route from RIP, and needs to know how to set each of the route’s path attributes
Open Shortest Path First (OSPF) link-state protocol for IPv4 and IPv6
  • For IPv4 networks, OSPF version 2 is supported in accordance with RFC 2328, including compatibility mode for the RFC 1583 older specification
  • For IPv6 networks, OSPF version 3 is fully supported
  • OSPF can operate within a hierarchy, the largest entity within the hierarchy is the autonomous system (AS)
  • An AS is a collection of networks under a common administration sharing a common routing strategy (routing domain)
  • An AS can be divided into a number of areas or groups of contiguous networks and attached hosts
  • Two different types of OSPF routing occur as a result of area partitioning: Intra-area and Inter-area
  • Intra-area routing occurs if a source and destination are in the same area
  • Inter-area routing occurs when a source and destination are in different areas
  • An OSPF backbone distributes information between areas
Advanced OSPF implementation for large routing domains
  • OSPF NSSA feature supports RFC 3101, The OSPF Not-So-Stubby Area (NSSA) Option
  • Forwarding of OSPF Opaque LSAs is enabled by default
  • Passive interface feature can disable sending OSPF routing updates on an interface
  • Static Area Range Costs feature allows to configure a fixed OSPF cost that is always advertised when an area range is active
  • OSPF Equal Cost Multipath (ECMP) feature allows to forward traffic through multiple paths, taking advantage of more bandwidth
  • ECMP routes can be learned dynamically, or configured statically with multiple static routes to same destination but with different next hops
  • OSPF Max Metric feature allows the metric in summary type 3 and type 4 LSAs to be overridden while in stub router mode
  • Automatic Exiting of Stub Router Mode feature allows to exit stub router mode, reoriginating the router LSA with proper metric values on transit links
OSPF LSA Pacing feature improves the efficiency of LSA flooding, reducing or eliminating the packet drops caused by bursts in OSPF control packets
  • LSA transmit pacing limits the rate of LS Update packets that OSPF can send
  • With LSA refresh groups, OSPF efficiently bundles LSAs into LS Update packets when periodically refreshing self-originated LSAs
OSPF Flood Blocking feature allows LSA flooding to be disabled on an interface with area or AS (domain-wide) scope
  • In that case, OSPF does not advertise any LSAs with area or AS scope in its database description packets sent to neighbors
OSPF Transit-Only Network Hiding is supported based on RFC 6860 with transit-only network defined as a network connecting only routers
  • Transit-only networks are usually configured with routable IP addresses which are advertised in LSAs but are not needed for data traffic
  • If router-to-router subnets are advertised, remote attacks can be launched against routers by sending packets to these transit-only networks
  • Hiding transit-only networks speeds up network convergence and reduces vulnerability to remote attacks
  • ‘Hiding’ implies that the prefixes are not installed in the routing tables on OSPFv2 and OSPFv3 routers
IP Multinetting allows to configure more than one IP address on a network interface (other vendors may call it IP Aliasing or Secondary Addressing)
ICMP Throttling feature adds configuration options for the transmission of various types of ICMP messages
  • ICMP Redirects can be used by a malicious sender to perform man-in-the-middle attacks, or divert packets to a malicious monitor, or to cause Denial of Service (DoS) by blackholing the packets
  • ICMP Echo Requests and other messages can be used to probe for vulnerable hosts or routers
  • Rate limiting ICMP error messages protects the local router and the network from sending a large number of messages that take CPU and bandwidth
The Policy Based Routing feature (PBR) overrides the routing decision taken by the router and makes the packet follow different actions based on a policy
  • It provides freedom over packet routing/forwarding instead of leaving the control to standard routing protocols based on L3
  • For instance, some organizations would like to dictate paths instead of following the paths shown by routing protocols
  • Network Managers/Administrators can set up policies such as:
    • My network will not carry traffic from the Engineering department
    • Traffic originating within my network with the following characteristics will take path A, while other traffic will take path B
    • When load sharing needs to be done for the incoming traffic across multiple paths based on packet entities in the incoming traffic
Enterprise security
  • Traffic control MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system in order to increase overall security and block MAC address flooding issues
  • DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are considered authorized in order to prevent DHCP server spoofing attacks
  • IP source guard and Dynamic ARP Inspection use the DHCP snooping bindings database per port and per VLAN to drop incoming packets that do not match any binding and to enforce source IP/MAC addresses, eliminating traffic from malicious users
  • Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be bound to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation Groups or Port channel) for fast prevention of unauthorized data at the right granularity
  • For in-band switch management, management ACLs on CPU interface (Control Plane ACLs) are used to define the IP/MAC or protocol through which management access is allowed for increased HTTP/HTTPS or Telnet/SSH management security
  • Out-of-band management is available via dedicated service port (1G RJ45 OOB) when in-band management can be prohibited via management ACLs
  • Bridge protocol data unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to influence the overall STP by creating loops
  • Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing rogue root bridge issues, for instance when unauthorized or unexpected new equipment in the network accidentally becomes a root bridge for a given VLAN
  • Double VLANs (DVLAN) pass traffic from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are preserved and a service provider VLAN ID is added to the traffic so the traffic can pass the metro core in a simple, secure manner
  • SSL version 3 and TLS version 2 ensure Web GUI sessions are secured
  • Secure Shell (SSH version 2) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured
  • 2048-bit RSA key pairs, SHA2-256 and SHA2-512 cryptographic hash functions for SSLv3 and SSHv2 are supported on all M4300 models
  • TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch configuration, based on latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
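The DHCP Snooping, IP source guard and Dynamic ARP Inspection bullets above describe one mechanism: a bindings database learned from DHCP traffic, then used to validate later packets. The following model is an added example, not NETGEAR code; the class and method names, port identifiers and addresses are hypothetical or constructed, and it assumes trusted ports bypass the checks and ignores lease expiry.

```python
"""Toy model of DHCP snooping feeding IP Source Guard and Dynamic ARP Inspection.
Added illustration only: names are hypothetical, not the switch's implementation."""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the legitimate DHCP server
        self.pending = {}                   # (vlan, mac) -> port the client request came from
        self.bindings = {}                  # (vlan, mac) -> Binding

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """Filter one DHCP message and update the bindings database."""
        key = (vlan, client_mac)
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop: server message on untrusted port"
            if msg == "ACK" and key in self.pending:
                # The lease is bound to the port where the client asked for it.
                self.bindings[key] = Binding(client_mac, ip, vlan, self.pending.pop(key))
            return "forward"
        if msg in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            if bound and bound.port != port:
                return "drop: release from a port that does not own the binding"
            self.bindings.pop(key, None)
            return "forward"
        self.pending[key] = port            # DISCOVER / REQUEST from a client
        return "forward"

    def _matches(self, port, vlan, mac, ip):
        bound = self.bindings.get((vlan, mac))
        return bound is not None and bound.ip == ip and bound.port == port

    def source_guard(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: data packets on untrusted ports must match a binding."""
        if port in self.trusted or self._matches(port, vlan, src_mac, src_ip):
            return "permit"
        return "drop"

    def arp_inspect(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the ARP sender MAC/IP must match a binding."""
        if port in self.trusted or self._matches(port, vlan, sender_mac, sender_ip):
            return "permit"
        return "drop"


if __name__ == "__main__":
    # Constructed scenario: server on 1/0/16, client on 1/0/3, rogue host on 1/0/7.
    sw = SnoopingSwitch(trusted_ports={"1/0/16"})
    client = "02:00:00:00:00:0a"
    print(sw.dhcp("1/0/3", 10, "DISCOVER", client))
    print(sw.dhcp("1/0/7", 10, "OFFER", client, "192.0.2.66"))    # rogue server
    print(sw.dhcp("1/0/16", 10, "ACK", client, "192.0.2.20"))     # real lease
    print(sw.source_guard("1/0/3", 10, client, "192.0.2.20"))     # matches binding
    print(sw.arp_inspect("1/0/7", 10, "02:00:00:00:00:0b", "192.0.2.1"))  # ARP spoof
```

Because every check keys on the full (MAC, IP, VLAN, port) tuple, a correct address pair presented on the wrong port is rejected just like a wrong address.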
Dynamic 802.1x VLAN assignment mode, including Dynamic VLAN creation mode and Guest VLAN / Unauthenticated VLAN are supported for rigorous user and equipment RADIUS policy server enforcement
  • Up to 48 clients (802.1x) per port are supported, including the authentication of the user's domain, in order to facilitate convergent deployments. For instance, when IP phones connect PCs on their bridge, IP phones and PCs can authenticate on the same switch port but under different VLAN assignment policies (Voice VLAN versus other Production VLANs)
802.1x MAC Address Authentication Bypass (MAB) is a supplemental authentication mechanism that lets non-802.1x devices bypass the traditional 802.1x process altogether, letting them authenticate to the network using their client MAC address as an identifier
  • A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purpose
  • MAB can be configured on a per-port basis on the switch
  • MAB initiates after unsuccessful dot1x authentication process (configurable time out), when clients don’t respond to any of EAPOL packets
  • When 802.1X unaware clients try to connect, the switch sends the MAC address of each client to the authentication server
  • The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
  • The RADIUS server returns the access policy and VLAN assignment to the switch for each client
With Successive Tiering, the Authentication Manager allows for authentication methods per port for a Tiered Authentication based on configured time-outs
  • By default, configuration authentication methods are tried in this order: Dot1x, then MAB, then Captive Portal (web authentication)
  • With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies
    • For instance, when a client is connecting, M4300 tries to authenticate the user/client using the three methods above, one after the other
  • The admin can restrict the configuration such that no other method is allowed to follow the captive portal method, for instance
Private VLANs (with Primary VLAN, Isolated VLAN, Community VLAN, Promiscuous port, Host port, Trunks) provide Layer 2 isolation between ports that share the same broadcast domain, allowing a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains across switches in the same Layer 2 network
  • Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but need to communicate with a router
  • They remove the need for more complex port-based VLANs with respective IP interface/subnets and associated L3 routing
  • Another typical application of Private VLANs is carrier-class deployments where users shouldn’t see, snoop or attack other users’ traffic
Superior quality of service
  • Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
  • 8 queues (7 in a stack) for priorities and various QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
  • Advanced rate limiting down to 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with ACLs for best granularity
  • Automatic Voice over IP prioritization with protocol-based (SIP, H323 and SCCP) or OUI-based Auto-VoIP up to 144 simultaneous voice calls
  • iSCSI Flow Acceleration and automatic protection / QoS with Auto-iSCSI
Single Rate Policing feature enables support for Single Rate Policer as defined by RFC 2697
  • Committed Information Rate (average allowable rate for the class)
  • Committed Burst Size (maximum amount of contiguous packets for the class)
  • Excessive Burst Size (additional burst size for the class with credits refill at a slower rate than committed burst size)
  • DiffServ feature applied to class maps
802.3x Flow Control implementation per IEEE 802.3 Annex 31B specifications with Symmetric flow control, Asymmetric flow control or No flow control
  • Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot generate PAUSE frames
  • Symmetric flow control allows the switch to both respond to, and generate MAC control PAUSE frames
Allows traffic from one device to be throttled for a specified period of time: a device that wishes to inhibit transmission of data frames from another device on the LAN transmits a PAUSE frame
The Priority Flow Control (PFC) is standardized by the IEEE 802.1Qbb specification and enables flow control per traffic class on IEEE 802 full-duplex links
  • By pausing congested priorities independently, highly loss sensitive protocols can share the same link with traffic that has different loss tolerances
  • The priorities are differentiated by the priority field of the 802.1Q VLAN header
  • PFC uses a new control packet defined in 802.1Qbb and therefore disables 802.3x standard flow control on PFC configured interfaces
  • PFC comes with CLI configuration and it is only supported on M4300-12X12F, 24X, 24X24F, 48X and 96X models
UDLD Support
UDLD implementation detects unidirectional links on physical ports (UDLD must be enabled on both sides of the link in order to detect a unidirectional link)
  • UDLD protocol operates by exchanging packets containing information about neighboring devices
  • The purpose is to detect and avoid unidirectional link forwarding anomalies in a Layer 2 communication channel
Both “normal-mode” and “aggressive-mode” are supported for perfect compatibility with other vendors’ implementations, including port “D-Disable” triggering cases in both modes

Deployment:

Target Application

Building 1

  • For midsize server installations, two half-width M4300 10GbE models can be paired in a single rack space for redundant top-of-rack
  • Compared with single top-of-rack switch installation, such two-unit horizontal stacking is cost-effective yet highly efficient for HA
  • Management unit hitless failover and nonstop forwarding ensure no single point of failure for servers and storage

Building 2

  • Common for intermediate distribution frames (IDF) in K-12 and other large campuses, stacking topologies greatly simplify deployments at the edge
  • While reducing the number of logical units to manage, stacking also brings network resiliency with distributed uplinks in aggregation to the core
  • Management unit hitless failover and nonstop forwarding ensures continuous uptime for clients across the stack

Building 3

  • For typical collapsed core installations, with a variety of 1G and 10G access ports in branch offices, server rooms or campus high performance labs
  • M4300 10G models can stack with M4300 1G models, enabling innovative “spine and leaf” topologies
  • Spine and leaf architectures deliver highest performance with every leaf switch (1G) connecting to every spine switch (10G) for a fully non-blocking deployment
  • With management unit hitless failover and nonstop forwarding, leaf switches keep forwarding L2 and L3 traffic in and out, while backup spine unit guarantees connectivity to the core

Target Application (SDVoE)

To take the complexity out of your AV-over-IP deployment, NETGEAR created M4300 switches that are preconfigured for easy, true AV and multicast Zero Touch network configuration. Namely, IGMP Snooping, IGMP Fast Leave, IGMP Querier are already enabled for the default VLAN 1 that all your devices will automatically use. Connect your encoder and decoder devices, and power on the switch – it just works!

Enabling Zero-Touch install of SDVoE Video-over-IP

  • M4300-96X streamlines AV-over-IP SDVoE solutions, replacing 48x48 switchers and any other in/out distribution
    • Non-blocking fabric for 96x10G or 24x40G or a combination
    • 12 empty slots in 2RU for 8x10G or 2x40G port expansion cards
  • Use the M4300-96X online configurator to design your modular switch
    • www.netgear.com/96x-config
  • Plug and play and ready to grow as per your requirements
  • Takes the complexity out of your AV-over-IP deployment
  • Zero Touch AV-over-IP with pre-configured L2 Multicast (SDVoE-ready)
    • IGMP Snooping, IGMP Fast Leave, IGMP Querier are already enabled
  • Easy-to-use Web browser-based management GUI

The SDVoE Alliance is an eco-system of companies in and around the AV-over-IP space, working together to create a platform for the next generation of audiovisual applications. NETGEAR SDVoE Partners provide the SDVoE audio-video products and NETGEAR provides the backbone network that makes it all possible.

Specifications:

M4300-16X Stackable Managed Switch

  • 16-port 100M/1G/2.5G/5G/10GBASE-T with PoE+ (copper RJ45)
  • 320Gbps non-blocking fabric across 16 ports
  • Out-of-band 1G Ethernet management port
  • Mini-USB and RJ45 RS232 console ports and USB storage port
  • Full L3 feature set and non-stop forwarding (NSF) stacking
  • Half-width form factor with one- and two-unit rack mount kit
  • Two half-width switches can be installed in a single rack space for redundant top-of-rack
  • (XSM4316PA) Ships with one modular APS299W PSU in its power supply slot
  • (XSM4316PB) Ships with one modular APS600W PSU in its power supply slot
  • Low acoustics (36dB with APS299W, 35dB with APS600W, @25°C / 77°F )
M4300-16X Specifications
Hardware
  • Form Factor: Half-width; 1-unit 1U rack mount; 2-unit 1U rack mount
  • Switching Fabric: 320 Gbps
  • 10GBASE-T RJ45 ports: 16 ports: PoE+ 100M; 1G; 2.5G; 5G; 10G
  • 10GBASE-X SFP+ ports: -
  • 40GBASE-X QSFP+ ports: -
  • PSU: Modular; 1 bay; for either APS299W or APS600W; 1 PSU included: APS299W (199 W PoE Budget); 1 PSU included: APS600W (500 W PoE Budget)
  • Fans: Fixed; Front-to-back; 35dB
  • Out-of-band Console: Ethernet: Out-of-band 1G port (Back); Console: RJ45 RS232 (Back); Console: Mini-USB (Front); Storage: USB (Front)
Software
  • Management: Out-of-band; Web GUI; HTTPs; CLI; Telnet; SSH; SNMP, MIBs; RSPAN; Radius Users, TACACS+
  • Usability Enhancements: Stacking NSF with Hitless Failover; Link Dependency (Enable or Disable one or more ports based on the link state of one or more different ports); Syslog and Packet Captures can be sent to USB storage
  • IPv4/IPv6 ACL and QoS, DiffServ: Ingress/egress; 1 Kbps shaping; Time-based; Single Rate Policing
  • IPv4/IPv6 Multicast filtering: NETGEAR IGMP Plus™ for automatic IGMP; IGMPv3 MLDv2 Snooping, Proxy ASM & SSM; IGMPv1,v2 Querier (compatible v3); Control Packet Flooding
  • IPv4 / IPv6 Policing and Convergence: Auto-VoIP; Auto-iSCSI; Policy-based routing (PBR); LLDP-MED; IEEE 1588 PTPv2**; 1-Step End-to-End Transparent Clock
  • Spanning Tree Green Ethernet: STP, MTP, RSTP; PV(R)STP1; BPDU/STRG Root Guard; EEE (802.3az)
  • VLANs: Static, Dynamic, Voice, MAC; GVRP/GMRP; Double VLAN mode; Private VLANs
  • Trunking Port Channel: Distributed LAG across the stack; Static or Dynamic LACP (LACP automatically reverts to and from Static LAG); Seven (7) L2/L3/L4 hashing algorithms
  • IPv4/IPv6 Authentication Security: Successive Tiering (DOT1X; MAB; Captive Portal); DHCP Snooping; Dynamic ARP Inspection; IP Source Guard
  • IPv4/IPv6 Static Routing: Port, Subnet, VLAN routing, DHCP Relay; Multicast static routes; Stateful DHCPv6 Server
  • IPv4/IPv6 Dynamic Routing: IPv4: RIP, VRRP; IPv4/IPv6: OSPF, Proxy ARP, PIM-SM, PIM-DM, 6-to-4 tunnels
Performance
  • MAC ARP/NDP: 16K MAC; 888 ARP/NDP
  • Routing / Switching Capacity: Up to 480 Gbps; Line-rate
  • Throughput: Up to 357 Mpps
  • Application Route Scaling: Static: 64v4/64v6; RIP: 512; OSPF: 512
  • Packet Buffer: 16Mb
  • Latency: <2.76µs 10G RJ45; <1.83µs 10G SFP+
  • IP Multicast Forwarding Entries: 96 IPv4; 32 IPv6
  • CPU: CPU 800 MHz; 1GB RAM; 256MB Flash
  • Multicast IGMP Group membership: 2K IPv4; 2K IPv6
  • VLANs: 4K VLANs
  • DHCP: DHCP Server: 2K leases; IPv4: 256 pools; IPv6: 16 pools
  • sFlow: 416 samplers; 416 pollers; 8 receivers

* For mixed stacking between more capable devices and less capable devices, SDM mixed stacking template is used based on “least common denominator” set of capacities and capabilities. Other SDM “native” templates can be used on superior platforms, for a larger table size. A stack requires a uniform table size across all stack members.
** All M4300 models except 48-port 10G platforms (M4300-24X24F, M4300-48X, M4300-48XF). Standalone mode, or Stack Master only. On M4300-52G and M4300-52G-PoE+ models, PTP is supported between port 1 and port 24, and between port 25 and port 48.


High Density Layer 2/Layer 3/Layer 4 Stackable Switch Solution

  • M4300 switch series supports Nonstop Forwarding (NSF) virtual chassis stacking with up to 384 ports in a single logical switch, with hitless management failover
    • Any 10G port (copper, fiber) and any media type (RJ45, SFP+, DAC) can be used for stacking on any M4300 model
    • Hot-swappable stacking of up to 8 units, vertical or horizontal
    • 10G models can stack with 1G models in legacy dual ring topologies, or innovative spine and leaf topologies
    • L2, L3 and L4 switching features (access control list, classification, filtering, IPv4/IPv6 routing, IPv6 transition services) are performed in hardware at interface line rate for voice, video, and data convergence
  • M4300 series Layer 3 software package provides advanced IPv4/IPv6 fault tolerant routing capabilities for interfaces, VLANs, subnets and multicast

Best value switching performance

  • 48p 10G models: 128K MAC address table, 4K concurrent VLANs and 12K Layer 3 route table size for the most demanding enterprise or campus networks
  • All other models: 16K MAC address table, 4K concurrent VLANs and 512 Layer 3 route table size for typical midsize environments
  • Mixed stacking between more capable and less capable devices uses SDM template based on “least common denominator” set of capacities and capabilities
  • Each switch provides line-rate local switching and routing capacity
  • 80 PLUS certified power supplies for high energy efficiency
  • Full width models come with two PSU bays and one modular power supply: a second PSU (sold separately) will add 1+1 power redundancy
  • Increased packet buffering with up to 72 Mb (48p 10G models), 32 Mb (24p 10G models) and 16 Mb (all other models) for most intensive applications
  • Low latency at all network speeds, including 10 Gigabit copper and fiber interfaces
  • Jumbo frames support of up to 9Kb accelerating storage performance for backup and cloud applications
  • iSCSI Flow Acceleration and Automatic Protection/QoS for virtualization and server room networks containing iSCSI initiators and iSCSI targets
    • Detecting the establishment and termination of iSCSI sessions and connections by snooping packets used in the iSCSI protocol
    • Maintaining a database of currently active iSCSI sessions and connections to store data, including classifier rules for desired QoS treatment
    • Installing and removing classifier rule sets as needed for the iSCSI session traffic
    • Monitoring activity in the iSCSI sessions to allow for aging out session entries if the session termination packets are not received
    • Avoiding session interruptions during times of congestion that would otherwise cause iSCSI packets to be dropped
  • SDN-ready, M4300 OpenFlow feature enables the switch to be managed by a centralized OpenFlow Controller using the OpenFlow protocol
    • Support of a single-table OpenFlow 1.3 data forwarding path
    • The OpenFlow feature can be administratively enabled and disabled at any time
    • The administrator can allow the switch to automatically assign an IP address to the OpenFlow feature or to specifically select which address should be used
    • The administrator can also direct the OpenFlow feature to always use the service port (out-of-band management port)
    • The Controller IP addresses are specified manually through the switch user interface
    • The list of OpenFlow Controllers and the controller connection options are stored in the Controller Table
    • The OpenFlow component in M4300 software uses this information to set up and maintain SSL connections with the OpenFlow Controllers
    • M4300 implements a subset of the OpenFlow 1.0.0 protocol and a subset of the OpenFlow 1.3
    • It also implements enhancements to the OpenFlow protocol to optimize it for the Data Center environment and to make it compatible with Open vSwitch

Tier 1 availability

  • Virtual Chassis Stacking technology increases overall network availability, providing both better resiliency in network architectures, and better performance with advanced load balancing capabilities between network uplinks
    • Up to (8) M4300 switches can be aggregated using a virtual back plane and a single console or web management interface
    • There is no 10G port pre-configured as Stacking port: all 10G ports are configured in Ethernet mode by default
      – Port configuration can be changed to Stack mode in Web GUI (System/ Stacking/Advanced/Stack-port Configuration)
      – Or using CLI command << #stack-port unit/slot/port stack >> in Stack Global Configuration section
    • Other devices in the network see the stack as a single bridge or a single router
    • Within the stack, a switch is elected (or chosen based on priority settings) as the “management unit” responsible for the stack members’ routing tables
    • Another switch is designated (or chosen based on priority settings) as an alternate, backup management unit
    • In typical spine and leaf architectures, 10G “spine” switches are meant to handle management unit and backup management unit roles
    • The Nonstop Forwarding (NSF) feature enables the stack to continue forwarding end-user traffic when the management unit fails
    • Nonstop forwarding is supported for the following events:
      – Power failure of the management unit
      – Other hardware failure causing the management unit to hang or to reset
      – Software failure causing the management unit to hang or to reset
      – Failover initiated by the administrator
      – Loss of cascade connectivity between the management unit and the backup unit
    • As the backup management unit takes over, end-user data streams may lose a few packets, but do not lose their IP sessions, such as VoIP calls
    • Instant failover from management unit to redundant management unit is hitless for world-class resiliency and availability
    • Back to normal production conditions, hitless failback requires a command in CLI or in GUI, for more control
  • Adding a second PSU to full width models enables redundant 1+1 power protection and contributes to business continuity management
  • Distributed Link Aggregation, also called Port Channeling or Port Trunking, offers powerful network redundancy and load balancing between stacked members
    • Servers and other network devices benefit from greater bandwidth capacity with active-active teaming (LACP—link aggregation control protocol)
    • From a system perspective, a LAG (Link Aggregation Group) is treated as a physical port by M4300 stack for even more simplicity
  • Rapid Spanning Tree (RSTP) and Multiple Spanning Tree (MSTP) allow for rapid transitioning of the ports to the Forwarding state and the suppression of Topology Change Notification
  • NETGEAR PVSTP implementation (CLI only) follows the same rules as other vendors’ Per VLAN STP for strict interoperability
    • Including industry-standard PVST+ interoperability
    • PVSTP is similar to the MSTP protocol as defined by IEEE 802.1s, the main difference being PVSTP runs one instance per VLAN
    • In other words, each configured VLAN runs an independent instance of PVSTP
    • FastUplink feature immediately moves an alternate port with lowest cost to forwarding state when the root port goes down to reduce recovery time
    • FastBackbone feature selects new indirect port when an indirect port fails
  • NETGEAR PVRSTP implementation (CLI only) follows the same rules as other vendors’ Per VLAN RSTP for strict interoperability
    • Including industry-standard RPVST+ interoperability
    • PVRSTP is similar to the RSTP protocol as defined by IEEE 802.1w, the main difference being PVRSTP runs one instance per VLAN
    • In other words, each configured VLAN runs an independent instance of PVRSTP
    • Each PVRSTP instance elects a root bridge independent of the other
    • Hence there are as many Root Bridges in the region as there are VLANs configured
    • Per VLAN RSTP has built-in support for FastUplink and FastBackbone
  • IP address conflict detection performed by embedded DHCP servers prevents accidental IP address duplicates from perturbing the overall network stability
  • IP Event Dampening reduces the effect of interface flaps on routing protocols: the routing protocols temporarily disable their processing (on the unstable interface) until the interface becomes stable, thereby greatly increasing the overall stability of the network

Ease of deployment

  • Automatic configuration with DHCP and BootP Auto Install eases large deployments with a scalable configuration files management capability, mapping IP addresses and host names and providing individual configuration files to multiple switches as soon as they are initialized on the network
  • Both the Switch Serial Number and Switch primary MAC address are reported by a simple "show" command in the CLI - facilitating discovery and remote configuration operations
  • M4300 DHCP L2 Relay agents eliminate the need to have a DHCP server on each physical network or subnet
    • DHCP Relay agents process DHCP messages and generate new DHCP messages
    • Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
    • DHCP Relay agents are typically IP routing-aware devices and can be referred to as Layer 3 relay agents
  • Automatic Voice over IP prioritization with Auto-VoIP simplifies most complex multi-vendor IP telephones deployments either based on protocols (SIP, H323 and SCCP) or on OUI bytes (default database and user-based OUIs) in the phone source MAC address; providing the best class of service to VoIP streams (both data and signaling) over other ordinary traffic by classifying traffic, and enabling correct egress queue configuration
  • An associated Voice VLAN can be easily configured with Auto-VoIP for further traffic isolation
  • When deployed IP phones are LLDP-MED compliant, the Voice VLAN will use LLDP-MED to pass on the VLAN ID, 802.1P priority and DSCP values to the IP phones, accelerating convergent deployments

Versatile connectivity

  • 24- and 48-port 1G models with 10G uplinks, including 2-port 10GBASE-T and 2-port 10GBASE-X SFP+
  • IEEE 802.3at Power over Ethernet Plus (PoE+) provides up to 30W power per port using 2 pairs while offering backward compatibility with 802.3af
    • IEEE 802.3at Layer 2 LLDP method and 802.3at PoE+ 2-event classification method fully supported for compatibility with most PoE+ PD devices
  • 16-, 24- and 48-port 10G models with a variety of 10GBASE-T and 10GBASE-X SFP+ interfaces
  • Large 10 Gigabit choice with SFP+ ports for fiber or short, low-latency copper DAC cables; 10GBASE-T ports for legacy Cat6 RJ45 short connections (up to 50m) and Cat6A / Cat7 connections up to 100m
  • Automatic MDIX and Auto-negotiation on all ports select the right transmission modes (half or full duplex) as well as data transmission for crossover or straight-through cables dynamically for the admin
  • Link Dependency feature enables or disables one or more ports based on the link state of one or more different ports
  • IPv6 full support with IPv6 host, dual stack (IPv4 and IPv6), multicasting (MLD for IPv6 filtering and PIM-SM / PIM-DM for IPv6 routing), ACLs and QoS, static routing and dynamic routing (OSPFv3) as well as Configured 6to4 and Automatic 6to4 tunneling for IPv6 traffic encapsulation into IPv4 packets

Ease of management and granular control

  • Dual firmware image and dual configuration file for transparent firmware updates / configuration changes with minimum service interruption
  • Flexible Port-Channel/LAG (802.3ad - 802.1AX) implementation for maximum compatibility, fault tolerance and load sharing with any type of Ethernet channeling from other vendors' switches, servers or storage devices conforming to IEEE 802.3ad - including static (selectable hashing algorithms) - or to IEEE 802.1AX with dynamic LAGs or port-channel (highly tunable LACP, Link Aggregation Control Protocol)
  • Unidirectional Link Detection Protocol (UDLD) and Aggressive UDLD detect and avoid unidirectional links automatically, in order to prevent forwarding anomalies in a Layer 2 communication channel in which a bi-directional link stops passing traffic in one direction
  • Port names feature allows for descriptive names on all interfaces and better clarity in real-world daily admin tasks
  • SDM (System Data Management, or switch database) templates allow for granular system resources distribution depending on IPv4 or IPv6 applications
    • ARP Entries (the maximum number of entries in the IPv4 Address Resolution Protocol ARP cache for routing interfaces)
    • IPv4 Unicast Routes (the maximum number of IPv4 unicast forwarding table entries)
    • IPv6 NDP Entries (the maximum number of IPv6 Neighbor Discovery Protocol NDP cache entries)
    • IPv6 Unicast Routes (the maximum number of IPv6 unicast forwarding table entries)
    • ECMP Next Hops (the maximum number of next hops that can be installed in the IPv4 and IPv6 unicast forwarding tables)
    • IPv4 Multicast Routes (the maximum number of IPv4 multicast forwarding table entries)
    • IPv6 Multicast Routes (the maximum number of IPv6 multicast forwarding table entries)
  • Loopback interfaces management for routing protocols administration
  • Private VLANs and local Proxy ARP help reduce broadcast with added security
  • Management VLAN ID is user selectable for best convenience
  • Industry-standard VLAN management in the command line interface (CLI) for all common operations such as VLAN creation; VLAN names; VLAN “make static” for dynamically created VLAN by GVRP registration; VLAN trunking; VLAN participation as well as VLAN ID (PVID) and VLAN tagging for one interface, a group of interfaces or all interfaces at once
  • Simplified VLAN configuration with industry-standard Access Ports for 802.1Q unaware endpoints and Trunk Ports for switch-to-switch links with Native VLAN
  • System defaults automatically set per-port broadcast, multicast, and unicast storm control for typical, robust protection against DoS attacks and faulty clients which can, with BYOD, often create network and performance issues
  • IP Telephony administration is simplified with consistent Voice VLAN capabilities per the industry standards and automatic functions associated
  • Comprehensive set of “system utilities” and “Clear” commands help troubleshoot connectivity issues and restore various configurations to their factory defaults for maximum admin efficiency: traceroute (to discover the routes that packets actually take when traveling on a hop-by-hop basis and with a synchronous response when initiated from the CLI), clear dynamically learned MAC addresses, counters, IGMP snooping table entries from the Multicast forwarding database etc...
  • Syslog and Packet Captures can be sent to USB storage for rapid network troubleshooting
  • Replaceable factory-default configuration file for predictable network reset in distributed branch offices without IT personnel
  • All major centralized software distribution platforms are supported for central software upgrades and configuration files management (HTTP, TFTP), including in highly secured versions (HTTPS, SFTP, SCP)
  • Simple Network Time Protocol (SNTP) can be used to synchronize network resources and for adaptation of NTP, and can provide synchronized network timestamp either in broadcast or unicast mode (SNTP client implemented over UDP - port 123)
  • Embedded RMON (4 groups) and sFlow agents permit external network traffic analysis

Engineered for convergence

  • Audio (Voice over IP) and Video (multicasting) comprehensive switching, filtering, routing and prioritization
  • Auto-VoIP, Voice VLAN and LLDP-MED support for IP phones QoS and VLAN configuration
  • IGMP Snooping and Proxy for IPv4, MLD Snooping and Proxy for IPv6, and Querier mode facilitate fast receivers joins and leaves for multicast streams and ensure multicast traffic only reaches interested receivers everywhere in a Layer 2 or a Layer 3 network, including source-specific (SSM) and any-source (ASM) multicast
  • Multicast VLAN Registration (MVR) uses a dedicated Multicast VLAN to forward multicast streams and avoid duplication for clients in different VLANs
  • Distance Vector Multicast Routing Protocol (DVMRP) is a dense mode multicast protocol also called Broadcast and Prune Multicasting protocol
    • DVMRP uses a distributed routing algorithm to build per-source-group multicast trees
    • DVMRP assumes that all hosts are part of a multicast group until it is informed of multicast group changes
    • It dynamically generates per-source-group multicast trees using Reverse Path Multicasting
    • Trees are calculated and updated dynamically to track membership of individual groups
  • Multicast routing (PIM-SM and PIM-DM, both IPv4 and IPv6) ensures multicast streams can reach receivers in different L3 subnets
    • Multicast static routes allowed in Reverse Path Forwarding (RPF) selection
    • Multicast dynamic routing (PIM associated with OSPF) including PIM multi-hop RP support for advanced routing-around-damage capabilities
    • Full support of PIM (S,G,Rpt) state machine events as described in RFC 4601
    • Improved Multicast PIM timer accuracy with hardware abstraction layer (HAPI) polling hit status for multicast entries in real time (without caching)
  • PoE power management and schedule enablement
  • Power redundancy for higher availability in mission-critical convergent installations, including hot-swap main PSU replacement without interruption

Flow Control

  • 802.3x Flow Control implementation per IEEE 802.3 Annex 31B specifications with Symmetric flow control, Asymmetric flow control or No flow control
    • Asymmetric flow control allows the switch to respond to received PAUSE frames, but the ports cannot generate PAUSE frames
    • Symmetric flow control allows the switch to both respond to, and generate MAC control PAUSE frames
  • Allows traffic from one device to be throttled for a specified period of time: a device that wishes to inhibit transmission of data frames from another device on the LAN transmits a PAUSE frame

Layer 3 routing package

  • Static Routes/ECMP Static Routes for IPv4 and IPv6
    • Static and default routes are configurable with next IP address hops to any given destination
    • Permitting additional routes creates several options for the network administrator
    • The admin can configure multiple next hops to a given destination, intending for the router to load share across the next hops
    • The admin distinguishes static routes by specifying a route preference value: a lower preference value is a more preferred static route
    • A less preferred static route is used if the more preferred static route is unusable (down link, or next hop cannot be resolved to a MAC address)
    • Preference option allows admin to control the preference of individual static routes relative to routes learned from other sources (such as OSPF) since a static route will be preferred over a dynamic route when routes from different sources have the same preference
  • Advanced Static Routing functions for administrative traffic control
    • Static Reject Routes are configurable to control the traffic destined to a particular network so that it is not forwarded through the router
    • Such traffic is discarded and the ICMP destination unreachable message is sent back to the source
    • Static reject routes can be typically used to prevent routing loops
    • Default routes are configurable as a preference option
  • In order to facilitate VLAN creation and VLAN routing using the Web GUI, a VLAN Routing Wizard offers the following automated capabilities:
    • Create a VLAN and generate a unique name for VLAN
    • Add selected ports to the newly created VLAN and remove selected ports from the default VLAN
    • Create a LAG, add selected ports to a LAG, then add this LAG to the newly created VLAN
    • Enable tagging on selected ports if the port is in another VLAN
    • Disable tagging if a selected port does not exist in another VLAN
    • Exclude ports that are not selected from the VLAN
    • Enable routing on the VLAN using the IP address and subnet mask entered as logical routing interface
  • DHCP Relay Agents relay DHCP requests from any routed interface, including VLANs, when DHCP server doesn’t reside on the same IP network or subnet
    • The agent relays requests from a subnet without a DHCP server to a server or next-hop agent on another subnet
    • Unlike a router which switches IP packets transparently, a DHCP relay agent processes DHCP messages and generates new DHCP messages
    • Supports DHCP Relay Option 82 circuit-id and remote-id for VLANs
    • Multiple Helper IPs feature allows the admin to configure a DHCP relay agent with multiple DHCP server addresses per routing interface and to use different server addresses for client packets arriving on different interfaces on the relay agent
  • Virtual Router Redundancy Protocol (VRRP) provides backup for any statically allocated next-hop router address going down, based on RFC 3768 (IPv4)
    • VRRP is based on the concept of having more than one router recognize the same router IP address
    • VRRP increases the availability of the default path without requiring configuration of dynamic routing, or router discovery protocols on end stations
    • Multiple virtual routers can be defined on any single router interface
    • One of the routers is elected the master router and handles all traffic sent to the specified virtual router IP address
    • When the master router fails, one of the backup routers is elected in its place and starts handling traffic sent to the address
  • As an enhancement to RFC 3768, VRRP Interface can be configured as pingable to help troubleshoot network connectivity issues
    • In that case, VRRP master responds to both fragmented and unfragmented ICMP echo requests packets destined to VRRP address(es)
    • VRRP master responds with VRRP address as the source IPv4 address and VRMAC as the source MAC address
    • A virtual router in backup state discards these ICMP echo requests
  • VRRP Route/Interface Tracking feature extends the capability of the Virtual Router Redundancy Protocol (VRRP)
    • Allows tracking of specific route/interface IP states, within the router, that can alter the priority level of a virtual router for a VRRP group
    • It ensures the best VRRP router is master for the group
  • Router Discovery Protocol is an extension to ICMP and enables hosts to dynamically discover the IP address of routers on local IP subnets
    • Based on RFC 1256 for IPv4
    • Routers periodically send router discovery messages to announce their presence to locally-attached hosts
    • The router discovery message advertises one or more IP addresses on the router that hosts can use as their default gateway
    • Hosts can send a router solicitation message asking any router that receives the message to immediately send a router advertisement
    • Router discovery eliminates the need to manually configure a default gateway on each host
    • It enables hosts to switch to a different default gateway if one goes down
  • Loopback interfaces are available as dynamic, stable IP addresses for other devices on the network, and for routing protocols
  • Tunnel interfaces are available for IPv4 and IPv6
    • Each router interface (port, or VLAN interface) can have multiple associated tunnel interfaces
    • Support for Configured 6to4 (RFC 4213) and Automatic 6to4 tunneling (RFC 3056) for IPv6 traffic encapsulation into IPv4 packets
    • 6to4 tunnels are automatically formed for IPv4 tunnels carrying IPv6 traffic
    • M4300 can act as a 6to4 border router that connects a 6to4 site to a 6to4 domain
  • Support of Routing Information Protocol (RIPv2) as a distance vector protocol specified in RFC 2453 for IPv4
    • Each route is characterized by the number of gateways, or hops, a packet must traverse to reach its intended destination
    • Categorized as an interior gateway protocol, RIP operates within the scope of an autonomous system
  • Route Redistribution feature enables the exchange of routing information among different routing protocols all operating within a router
    • Configurable when different routing protocols use different ways of expressing the distance to a destination or different metrics and formats
    • For instance, when OSPF redistributes a route from RIP, and needs to know how to set each of the route’s path attributes
  • Open Shortest Path First (OSPF) link-state protocol for IPv4 and IPv6
    • For IPv4 networks, OSPF version 2 is supported in accordance with RFC 2328, including compatibility mode for the RFC 1583 older specification
    • For IPv6 networks, OSPF version 3 is fully supported
    • OSPF can operate within a hierarchy, the largest entity within the hierarchy is the autonomous system (AS)
    • An AS is a collection of networks under a common administration sharing a common routing strategy (routing domain)
    • An AS can be divided into a number of areas or groups of contiguous networks and attached hosts
    • Two different types of OSPF routing occur as a result of area partitioning: Intra-area and Inter-area
    • Intra-area routing occurs if a source and destination are in the same area
    • Inter-area routing occurs when a source and destination are in different areas
    • An OSPF backbone distributes information between areas
  • Advanced OSPF implementation for large routing domains
    • OSPF NSSA feature supports RFC 3101, The OSPF Not-So-Stubby Area (NSSA) Option
    • Forwarding of OSPF Opaque LSAs is enabled by default
    • Passive interface feature can disable sending OSPF routing updates on an interface
    • Static Area Range Costs feature allows the admin to configure a fixed OSPF cost that is always advertised when an area range is active
    • OSPF Equal Cost Multipath (ECMP) feature allows traffic to be forwarded through multiple paths, taking advantage of more bandwidth
    • ECMP routes can be learned dynamically, or configured statically with multiple static routes to same destination but with different next hops
    • OSPF Max Metric feature allows the admin to override the metric in summary type 3 and type 4 LSAs while in stub router mode
    • Automatic Exiting of Stub Router Mode feature allows the router to exit stub router mode, reoriginating the router LSA with proper metric values on transit links
  • OSPF LSA Pacing feature improves the efficiency of LSA flooding, reducing or eliminating the packet drops caused by bursts in OSPF control packets
    • LSA transmit pacing limits the rate of LS Update packets that OSPF can send
    • With LSA refresh groups, OSPF efficiently bundles LSAs into LS Update packets when periodically refreshing self-originated LSAs
  • OSPF Flood Blocking feature allows the admin to disable LSA flooding on an interface with area or AS (domainwide) scope
    • In that case, OSPF does not advertise any LSAs with area or AS scope in its database description packets sent to neighbors
  • OSPF Transit-Only Network Hiding is supported based on RFC 6860 with transit-only network defined as a network connecting only routers
    • Transit-only networks are usually configured with routable IP addresses which are advertised in LSAs but are not needed for data traffic
    • If router-to-router subnets are advertised, remote attacks can be launched against routers by sending packets to these transit-only networks
    • Hiding transit-only networks speeds up network convergence and reduces vulnerability to remote attacks
    • ‘Hiding’ implies that the prefixes are not installed in the routing tables on OSPFv2 and OSPFv3 routers
  • IP Multinetting allows the admin to configure more than one IP address on a network interface (other vendors may call it IP Aliasing or Secondary Addressing)
  • ICMP Throttling feature adds configuration options for the transmission of various types of ICMP messages
    • ICMP Redirects can be used by a malicious sender to perform man-in-the-middle attacks, or divert packets to a malicious monitor, or to cause Denial of Service (DoS) by blackholing the packets
    • ICMP Echo Requests and other messages can be used to probe for vulnerable hosts or routers
    • Rate limiting ICMP error messages protects the local router and the network from sending a large number of messages that take CPU and bandwidth
  • The Policy Based Routing feature (PBR) overrides the routing decision taken by the router and makes the packet follow different actions based on a policy
    • It provides freedom over packet routing/forwarding instead of leaving the control to standard routing protocols based on L3
    • For instance, some organizations would like to dictate paths instead of following the paths shown by routing protocols
    • Network Managers/Administrators can set up policies such as:
      – My network will not carry traffic from the Engineering department
      – Traffic originating within my network with the following characteristics will take path A, while other traffic will take path B
      – When load sharing needs to be done for the incoming traffic across multiple paths based on packet entities in the incoming traffic

Enterprise security

  • Traffic control MAC Filter and Port Security help restrict the traffic allowed into and out of specified ports or interfaces in the system in order to increase overall security and block MAC address flooding issues
  • DHCP Snooping monitors DHCP traffic between DHCP clients and DHCP servers to filter harmful DHCP message and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are considered authorized in order to prevent DHCP server spoofing attacks
  • IP source guard and Dynamic ARP Inspection use the DHCP snooping bindings database per port and per VLAN to drop incoming packets that do not match any binding and to enforce source IP/MAC addresses, eliminating traffic from malicious users
  • Time-based Layer 2 / Layer 3-v4 / Layer 3-v6 / Layer 4 Access Control Lists (ACLs) can be bound to ports, Layer 2 interfaces, VLANs and LAGs (Link Aggregation Groups or Port channel) for fast unauthorized data prevention and right granularity
  • For in-band switch management, management ACLs on CPU interface (Control Plane ACLs) are used to define the IP/MAC or protocol through which management access is allowed for increased HTTP/HTTPS or Telnet/SSH management security
  • Out-of-band management is available via dedicated service port (1G RJ45 OOB) when in-band management can be prohibited via management ACLs
  • Bridge protocol data unit (BPDU) Guard allows the network administrator to enforce the Spanning Tree (STP) domain borders and keep the active topology consistent and predictable - unauthorized devices or switches behind the edge ports that have BPDU enabled will not be able to influence the overall STP by creating loops
  • Spanning Tree Root Guard (STRG) enforces the Layer 2 network topology by preventing the issues rogue root bridges can cause when, for instance, unauthorized or unexpected new equipment in the network accidentally becomes a root bridge for a given VLAN
  • Dynamic 802.1x VLAN assignment mode, including Dynamic VLAN creation mode and Guest VLAN / Unauthenticated VLAN are supported for rigorous user and equipment RADIUS policy server enforcement
    • Up to 48 clients (802.1x) per port are supported, including the authentication of the user's domain, in order to facilitate convergent deployments. For instance when IP phones connect PCs on their bridge, IP phones and PCs can authenticate on the same switch port but under different VLAN assignment policies (Voice VLAN versus other Production VLANs)
  • 802.1x MAC Address Authentication Bypass (MAB) is a supplemental authentication mechanism that lets non-802.1x devices bypass the traditional 802.1x process altogether, letting them authenticate to the network using their client MAC address as an identifier
    • A list of authorized MAC addresses of client NICs is maintained on the RADIUS server for MAB purpose
    • MAB can be configured on a per-port basis on the switch
    • MAB initiates after an unsuccessful dot1x authentication process (configurable time out), when clients don’t respond to any of the EAPOL packets
    • When 802.1X unaware clients try to connect, the switch sends the MAC address of each client to the authentication server
    • The RADIUS server checks the MAC address of the client NIC against the list of authorized addresses
    • The RADIUS server returns the access policy and VLAN assignment to the switch for each client
  • With Successive Tiering, the Authentication Manager allows for authentication methods per port for a Tiered Authentication based on configured time-outs
    • By default, configuration authentication methods are tried in this order: Dot1x, then MAB, then Captive Portal (web authentication)
    • With BYOD, such Tiered Authentication is powerful and simple to implement with strict policies
      – For instance, when a client is connecting, M4200 tries to authenticate the user/client using the three methods above, one after the other
    • The admin can restrict the configuration such that no other method is allowed to follow the captive portal method, for instance
  • Double VLANs (DVLAN - QinQ) pass traffic from one customer domain to another through the “metro core” in a multi-tenancy environment: customer VLAN IDs are preserved and a service provider VLAN ID is added to the traffic so the traffic can pass the metro core in a simple, secure manner
  • Private VLANs (with Primary VLAN, Isolated VLAN, Community VLAN, Promiscuous port, Host port, Trunks) provide Layer 2 isolation between ports that share the same broadcast domain, allowing a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains across switches in the same Layer 2 network
    • Private VLANs are useful in DMZ when servers are not supposed to communicate with each other but need to communicate with a router
    • They remove the need for more complex port-based VLANs with respective IP interface/subnets and associated L3 routing
    • Another typical application of Private VLANs is carrier-class deployments where users shouldn’t see, snoop or attack other users’ traffic
  • Secure Shell (SSH) and SNMPv3 (with or without MD5 or SHA authentication) ensure SNMP and Telnet sessions are secured
  • TACACS+ and RADIUS enhanced administrator management provides strict “Login” and “Enable” authentication enforcement for the switch configuration, based on latest industry standards: exec authorization using TACACS+ or RADIUS; command authorization using TACACS+ and RADIUS Server; user exec accounting for HTTP and HTTPS using TACACS+ or RADIUS; and authentication based on user domain in addition to user ID and password
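
The DHCP Snooping, IP source guard and Dynamic ARP Inspection bullets above describe one shared bindings table; the following is an added illustration of that logic, a simplified model that is not NETGEAR firmware code and not part of the original datasheet. The class and method names, the port labels and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass

# DHCP message types that only a server sends; on an untrusted port they
# indicate a rogue or misconfigured DHCP server.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Toy model (assumption: one binding per VLAN/MAC pair)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing legitimate DHCP servers
        self.pending = {}    # (vlan, mac) -> port the client request arrived on
        self.bindings = {}   # (vlan, mac) -> Binding learned from a trusted ACK

    def handle_dhcp(self, port, vlan, msg_type, chaddr, yiaddr=None):
        """Return 'forward' or 'drop' for one snooped DHCP message."""
        key = (vlan, chaddr)
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop"  # server reply from an untrusted port
            if msg_type == "ACK" and key in self.pending:
                # The lease is confirmed: record the authorized tuple.
                self.bindings[key] = Binding(chaddr, yiaddr, vlan,
                                             self.pending.pop(key))
            return "forward"
        if msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            # Only the port that owns the binding may give the lease up.
            if bound is None or bound.port != port:
                return "drop"
            del self.bindings[key]
            return "forward"
        if port not in self.trusted:
            self.pending[key] = port  # DISCOVER / REQUEST from a client
        return "forward"

    def _permitted(self, port, vlan, mac, ip):
        if port in self.trusted:
            return True  # assumption: trusted ports bypass the checks
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def permit_ip(self, port, vlan, src_mac, src_ip):
        """IP source guard: check the frame's source MAC and IP header source."""
        return self._permitted(port, vlan, src_mac, src_ip)

    def permit_arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: check the ARP sender MAC and sender IP."""
        return self._permitted(port, vlan, sender_mac, sender_ip)


def run_demo():
    # Constructed scenario: uplink 1/0/16 is trusted, access ports are not.
    sw = SnoopingSwitch(trusted_ports={"1/0/16"})
    client = "00:11:22:33:44:55"
    r = {}
    sw.handle_dhcp("1/0/3", 10, "DISCOVER", client)
    r["rogue_offer"] = sw.handle_dhcp("1/0/7", 10, "OFFER", client, "192.0.2.66")
    sw.handle_dhcp("1/0/16", 10, "OFFER", client, "192.0.2.20")
    sw.handle_dhcp("1/0/3", 10, "REQUEST", client)
    r["server_ack"] = sw.handle_dhcp("1/0/16", 10, "ACK", client, "192.0.2.20")
    r["client_ip"] = sw.permit_ip("1/0/3", 10, client, "192.0.2.20")
    r["spoofed_ip"] = sw.permit_ip("1/0/3", 10, client, "192.0.2.1")
    r["arp_wrong_port"] = sw.permit_arp("1/0/7", 10, client, "192.0.2.20")
    r["arp_no_binding"] = sw.permit_arp("1/0/7", 10, "00:aa:bb:cc:dd:ee", "192.0.2.1")
    return r


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Statically addressed hosts never produce a DHCP ACK, so in this model they have no binding and fail both checks on untrusted ports.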

Superior quality of service

  • Advanced classifier-based hardware implementation for Layer 2 (MAC), Layer 3 (IP) and Layer 4 (UDP/TCP transport ports) prioritization
  • 8 queues for priorities and various QoS policies based on 802.1p (CoS) and DiffServ can be applied to interfaces and VLANs
  • Advanced rate limiting down to 1 Kbps granularity and minimum-guaranteed bandwidth can be associated with ACLs for best granularity
  • Single Rate Policing feature enables support for Single Rate Policer as defined by RFC 2697
    • Committed Information Rate (average allowable rate for the class)
    • Committed Burst Size (maximum amount of contiguous packets for the class)
    • Excessive Burst Size (additional burst size for the class with credits refill at a slower rate than committed burst size)
    • DiffServ feature applied to class maps
  • Automatic Voice over IP prioritization with protocol-based (SIP, H323 and SCCP) or OUI-based Auto-VoIP up to 144 simultaneous voice calls
  • iSCSI Flow Acceleration and automatic protection / QoS with Auto-iSCSI

UDLD Support

  • UDLD implementation detects unidirectional links on physical ports (UDLD must be enabled on both sides of the link in order to detect a unidirectional link)
    • UDLD protocol operates by exchanging packets containing information about neighboring devices
    • The purpose is to detect and avoid unidirectional link forwarding anomalies in a Layer 2 communication channel
  • Both “normal-mode” and “aggressive-mode” are supported for perfect compatibility with other vendors implementations, including port “D-Disable” triggering cases in both modes

Documentation:

Download the NETGEAR M4300 Series Datasheet (PDF).

* This product comes with a limited warranty that is valid only if purchased from a NETGEAR authorized reseller and modifications to product may void the warranty; covers hardware, fans and internal power supplies - not software or external power supplies. Lifetime technical support includes basic phone support for 90 days from purchase date and lifetime online chat support when purchased from a NETGEAR authorized reseller.

Pricing Notes:

Netgear Products
NETGEAR Managed Switches
NETGEAR M4300-16X Half-Width Stackable Managed Switch with 16x100M/1G/2.5G/5G/10GBASE-T with PoE+ (299W PSU)
*Includes a Life Time Hardware Warranty, 90 Days of Free Tech Support, and Lifetime Online Tech Support
#XSM4316PA-100NES
Price: $3,743.83
NETGEAR M4300-16X Half-Width Stackable Managed Switch with 16x100M/1G/2.5G/5G/10GBASE-T with PoE+ (600W PSU)
*Includes a Life Time Hardware Warranty, 90 Days of Free Tech Support, and Lifetime Online Tech Support
#XSM4316PB-100NES
Price: $3,431.84
NETGEAR Accessories
NETGEAR APS299W Power Supply Unit for M4300-16X (non- or limited PoE applications, PA version)
#APS299W-100NES
Price: $369.44