Device Provisioning

Configuration templates allow many ReadyLinks devices to be deployed following a single base configuration. This makes it much easier to roll out new devices while maintaining a consistent configuration. Templates allow you to define a standard base configuration with the flexibility to adjust individual device configurations after applying the template.

Before you begin

Log in to readyview.io. If this is your first time, create a new account.

Have an idea of your network architecture and configuration requirements.

Configuration Templates

A configuration template is a powerful tool to help you streamline your deployment flow. Provision all your devices with a single template before bringing even a single device online.

Create a template

Follow the steps below to create your first configuration template. This template will then be used as the base configuration for all of the devices bound to it.

  1. Navigate to Settings > Configuration templates
  2. Click Create a new template
  3. You can choose to create a New template or Clone an existing template
  4. Provide a Template name
  5. Click Save

Modify a template

To edit the template's configuration, select it in the Templates table, and make any desired changes. Make sure to save your changes before leaving the page. Refer to the switch settings for more details about the individual device settings.

Bind a template to a device

Once a template has been created you can bind it to a device to update the device's base configuration.

To bind a device to a template:

  1. Click into your device
  2. Select the configuration template to bind
  3. Click Confirm

As the device is being provisioned it will show a configuration status of Updating.

Once the template binds to the device, it will show a configuration status of Up to date.

If the provisioning fails or one of the configurations causes the device to lose connection to the Internet, it will show a configuration status of Out of sync. You can always try to reapply the template, but if a configuration in the template causes the device to go offline, you will need to reboot the device to restore it to the previous running configuration.

Local configurations

After binding a template to a device, you are still able to make individual configuration changes on top of the base configuration. Configuration changes can be made on the Device Details page for each device. Note: Adjusting configurations individually does not put the device Out of sync with the template configuration. The template configuration can be reapplied at any time, which could override individual configuration changes made to the device.

Example Templates

Switch Settings

Management Mode

By default, ReadyLinks switches connect back to the ReadyView dashboard on the default untagged VLAN 1. You can change the management VLAN and uplink port setting (tagged/untagged) once the device is online and adopted into your dashboard. Create a Virtual Interface to manage your device via DHCP or a static IP address.

If your network does not allow default VLAN 1 to connect to the Internet, you will need to manually assign the management VLAN. Set up the device on a provisioning network with DHCP and apply a template that adjusts the Management VLAN and uplink type.

Management mode options:

ReadyView: Management mode ReadyView blocks all management access outside of ReadyView.

VLAN: Management mode VLAN blocks all management access outside of the specified management VLAN.

Disabled: Management mode disabled allows management access on all virtual interfaces.

*Note: When provisioning a new management interface you need to ensure the device has access to the new management network, otherwise you will lose communication to the device.

DoS Prevention

ReadyLinks devices come equipped with a number of mechanisms that can be enabled to prevent common denial of service (DoS) attacks and protect the CPU of your device.

DoS security options:

DOS Protection Land: A LAND attack is a Layer 4 denial of service (DoS) attack in which the attacker sets the source and destination information of a TCP segment to be the same. A specially crafted TCP SYN packet is created such that the source IP address and port are set to be the same as the destination address and port, which in turn is set to point to an open port on a victim’s device. A vulnerable device would receive such a message and reply to the destination address, effectively sending the packet for reprocessing in an infinite loop. Enabling this DoS protection setting prevents the device from crashing or freezing due to the packet being repeatedly processed by the TCP stack.

DOS Protection TCP Null Scan: In a TCP Null attack, the victim device receives packets with nothing set in the ‘flag’ field of the TCP header, i.e. none of the 6 TCP flags (URG, ACK, PSH, RST, SYN, FIN) is set. As a rule, packets of this kind are used to scan the server’s ports before a large-scale attack. Enabling this DoS protection setting prevents a TCP Null Scan of the device.

DOS Protection TCP Syn Fin Scan: In SYN scanning, the threat actor attempts to set up a Transmission Control Protocol/Internet Protocol (TCP/IP) connection with a device at every possible port. This is done by sending a SYN (synchronization) packet, as if to initiate a three-way handshake, to every port on the device. If the device replies with an ACK (acknowledgement) response -- or SYN/ACK (synchronization acknowledged) packet -- from a particular port, it means the port is open. Then, the hostile client sends an RST (reset) packet. Enabling this DoS protection setting prevents a TCP Syn Fin Scan of the device.

DOS Protection TCP XMAS Scan: An XMAS scan is similar to the other scan types, and is also used to determine the state of the replying device. These scans are designed to manipulate the PSH, URG, and FIN flags of the TCP header to identify listening ports on the targeted device. Enabling this DoS protection setting prevents an XMAS scan from taking place on the device.
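The four checks above expressed as packet-header tests, useful for confirming what a capture contains before or after enabling the settings. This is an added example, not ReadyLinks firmware code; the rule labels and the `build` helper are made up for the illustration, and the Syn Fin rule is assumed to match segments with both SYN and FIN set, as the setting name suggests.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify(packet: bytes) -> str:
    """Name the DoS-protection rule an IPv4/TCP packet matches, else 'pass'."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return "pass"                          # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4               # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return "pass"                          # malformed or truncated TCP header
    src_ip, dst_ip = packet[12:16], packet[16:20]
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F            # URG, ACK, PSH, RST, SYN, FIN
    if src_ip == dst_ip and src_port == dst_port:
        return "land"                          # same address and port both ways
    if flags == 0:
        return "tcp-null-scan"                 # none of the six flags set
    if (flags & SYN) and (flags & FIN):        # assumed meaning of "Syn Fin"
        return "tcp-syn-fin-scan"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return "tcp-xmas-scan"                 # FIN, PSH and URG all set
    return "pass"

def build(src, dst, sport, dport, flags):
    """Constructed 40-byte IPv4+TCP header pair (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def demo():
    """Classify five constructed packets; documentation-range addresses only."""
    samples = [
        build("192.0.2.10", "192.0.2.10", 80, 80, SYN),
        build("198.51.100.7", "192.0.2.10", 40000, 22, 0),
        build("198.51.100.7", "192.0.2.10", 40001, 22, SYN | FIN),
        build("198.51.100.7", "192.0.2.10", 40002, 22, FIN | PSH | URG),
        build("198.51.100.7", "192.0.2.10", 40003, 443, SYN),
    ]
    return [classify(p) for p in samples]

if __name__ == "__main__":
    print(demo())
```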

DHCP Snooping

DHCP Snooping examines DHCP packets and maintains a table of DHCP leases seen on the network. It also allows you to set uplink ports to trust DHCP traffic and set downlink ports to untrusted.

DHCP Snooping can be used in conjunction with Dynamic ARP Inspection to provide additional layer 2 security to your network and prevent common network attacks such as DHCP spoofing or ARP spoofing.

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature in ReadyLinks switches that protects networks against man-in-the-middle ARP spoofing attacks. DAI inspects Address Resolution Protocol (ARP) packets on the LAN and uses the information in the DHCP snooping table on the switch to validate ARP packets. DAI performs validation by intercepting each ARP packet and comparing its MAC and IP address information against the MAC-IP bindings contained in the DHCP snooping table. Any ARP packets that are inconsistent with the information contained in the DHCP snooping table are dropped.
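How DHCP snooping feeds Dynamic ARP Inspection, as a small model. This is an added example, not ReadyLinks code; the class, port names, MAC addresses and IP addresses are constructed for the illustration, and the two trusted-port sets stand in for the per-port DHCP Trust and ARP Trust settings.

```python
import socket
import struct

class SnoopingSwitch:
    """Toy model: DHCP snooping table used to validate ARP packets."""

    def __init__(self, dhcp_trusted, arp_trusted):
        self.dhcp_trusted = set(dhcp_trusted)   # ports allowed to carry server replies
        self.arp_trusted = set(arp_trusted)     # ports exempt from ARP inspection
        self.bindings = {}                      # (vlan, ip) -> client MAC bytes

    def on_dhcp_ack(self, port, vlan, client_mac, leased_ip):
        """Record a lease only if the DHCPACK arrived on a DHCP-trusted port."""
        if port not in self.dhcp_trusted:
            return "drop"                       # server reply from an untrusted port
        self.bindings[(vlan, leased_ip)] = client_mac
        return "forward"

    def inspect_arp(self, port, vlan, arp):
        """Check sender MAC/IP of a 28-byte Ethernet/IPv4 ARP payload."""
        if port in self.arp_trusted:
            return "forward"
        if len(arp) < 28:
            return "drop"
        htype, ptype, hlen, plen, _op, sha, spa = struct.unpack("!HHBBH6s4s", arp[:18])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return "drop"
        bound = self.bindings.get((vlan, socket.inet_ntoa(spa)))
        return "forward" if bound == sha else "drop"

def arp_payload(op, sender_mac, sender_ip, target_ip):
    """Constructed ARP payload (op 1 = request, 2 = reply)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sender_mac,
                       socket.inet_aton(sender_ip), bytes(6),
                       socket.inet_aton(target_ip))

def demo():
    sw = SnoopingSwitch(dhcp_trusted={"uplink1"}, arp_trusted={"uplink1"})
    host, other = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd66")
    return [
        sw.on_dhcp_ack("uplink1", 10, host, "10.0.10.50"),   # lease learned
        sw.on_dhcp_ack("port7", 10, other, "10.0.10.1"),     # untrusted server reply
        sw.inspect_arp("port3", 10, arp_payload(2, host, "10.0.10.50", "10.0.10.1")),
        sw.inspect_arp("port7", 10, arp_payload(2, other, "10.0.10.1", "10.0.10.50")),
        sw.inspect_arp("port7", 10, arp_payload(2, other, "10.0.10.50", "10.0.10.1")),
    ]

if __name__ == "__main__":
    print(demo())
```

In this model a statically addressed host has no binding, so its ARP packets are only forwarded when they arrive on an ARP-trusted port.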

Loop Detection

Loop detection helps prevent network downtime in the event a loop occurs. This feature is disabled by default in ReadyLinks switches. The switch sends loop-detection control packets and monitors for them to detect a loop and shut down any affected ports. Each switch with loop detection enabled will periodically generate broadcast probe packets that are sent out on every active port. The default period is 30 seconds. Each port with loop detection enabled can be set to detect loops and automatically shut down the port in the event a loop occurs.

Loop detection: A global device setting that enables loop detection on the switch.

Loop detection interval: A global device setting that dictates the interval at which the broadcast probe packets are generated.

Loop detection admin: A port setting that enables loop detection on a port. This setting must be enabled in conjunction with the Loop detection global setting.

Loop detection control: A port setting that allows the port to shut down in the event a loop is detected. This setting must be enabled in conjunction with the Loop detection and Loop detection admin settings.

DHCP Server

The ReadyLinks GL-x series switches have a built-in DHCP service. When enabled, it can provide DHCP to a configured subnet on a specified VLAN.

VLAN: Specify the VLAN this DHCP server will reside on.

Start IP: The first IP address of the range to be handed to clients.

End IP: The last IP address of the range to be handed to clients.

Subnet Mask: The subnet mask to hand to clients.

Gateway: The default gateway IP address that should be given to clients on the subnet. This address must be in the same subnet as the clients.

Lease time: How long (minutes) an address stays allocated to a client. The client must renew before the lease expires.
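A consistency check for the DHCP server fields above, run before saving a scope. This is an added example, not part of ReadyView; the function and parameter names are hypothetical, and the check that the gateway sits outside the lease pool is an extra safeguard not stated in the field descriptions.

```python
import ipaddress

def validate_dhcp_scope(vlan, start_ip, end_ip, subnet_mask, gateway, lease_minutes):
    """Return a list of problems with a DHCP scope; an empty list means consistent."""
    problems = []
    if not 1 <= vlan <= 4094:
        problems.append("VLAN must be between 1 and 4094")
    if lease_minutes <= 0:
        problems.append("Lease time must be a positive number of minutes")
    try:
        # The client subnet is derived from Start IP plus Subnet Mask
        net = ipaddress.ip_network(f"{start_ip}/{subnet_mask}", strict=False)
        start, end, gw = (ipaddress.ip_address(a) for a in (start_ip, end_ip, gateway))
    except ValueError as exc:
        return problems + [f"Unparseable address or mask: {exc}"]
    if end not in net:
        problems.append("End IP is outside the Start IP's subnet")
    if start > end:
        problems.append("Start IP is after End IP")
    for reserved in (net.network_address, net.broadcast_address):
        if start <= reserved <= end:
            problems.append(f"Range includes reserved address {reserved}")
    if gw not in net:
        problems.append("Gateway is not in the client subnet")
    elif start <= gw <= end:
        # Added safeguard (assumption): do not lease out the gateway's own address
        problems.append("Gateway falls inside the lease range")
    return problems

if __name__ == "__main__":
    # Constructed sample scopes
    print(validate_dhcp_scope(20, "10.0.20.100", "10.0.20.200",
                              "255.255.255.0", "10.0.20.1", 1440))
    print(validate_dhcp_scope(20, "10.0.20.100", "10.0.20.255",
                              "255.255.255.0", "10.0.21.1", 1440))
```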

Multicast Settings

IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission. It is often employed for streaming media applications on the Internet and private networks. Since traffic is sent from the source once in total, instead of once per recipient, throughput can be saved. Each host (and in fact each application on the host) that wants to be a receiving member of a multicast group (i.e. receive data corresponding to a particular multicast address) must use the Internet Group Management Protocol (IGMP) to join. IGMP snooping is the process of listening to IGMP network traffic. The feature allows a network switch to listen in on the IGMP conversation between hosts and routers. By listening to these conversations the switch maintains a map of which links need which IP multicast streams. Multicasts are filtered from the links that do not need them, which controls which ports receive specific multicast traffic.

IGMP Snooping: Enable IGMP snooping to prevent the switch from sending multicast traffic to hosts that have not joined the multicast group.

Fast leave: Allows the device to immediately remove a port from the forwarding entry for a multicast group when the port receives a leave message.

Host timeout: The host timeout (seconds) value determines how long a switch waits to receive an IGMP query from a multicast router before removing a multicast group from its multicast cache table.

Leave wait: Set the wait time before stopping traffic to a port when a leave message is received.

Max response time: When a host receives a query packet, it starts counting to a random value, less than the maximum response time. When this timer expires, the host replies with a report, provided that no other host has responded yet.

Route timeout: The aging time (seconds) of the multicast router ports.

IGMP Querier: Enable the built-in IGMP querier on the switch.

Query transmit interval: How long (seconds) a query from the IGMP querier will be transmitted onto the network. Must be used in conjunction with the IGMP querier.

Virtual Interface Settings

Leverage virtual interfaces to modify the management IP address of your device or as Layer 3 IP routing segments in your network.

Management Interface

By default, ReadyLinks switches come with one virtual interface on VLAN 1 set as a DHCP client. The devices connect back to the ReadyView dashboard on the default untagged VLAN 1. You can change the management VLAN and uplink port setting (tagged/untagged) once the device is online and adopted into your dashboard.

If your network does not allow default VLAN 1 to connect to the Internet, you will need to manually assign the management VLAN. Set up the device on a provisioning network with DHCP and apply a template that adjusts the Management VLAN and uplink type.

IP Routing

IP routing is enabled by default when you create a new virtual interface. This means you can use your virtual interfaces to set up IP routes on your device.

VLAN & Port Settings

All ReadyLinks devices support the 802.1Q VLAN networking standard. This means all ReadyLinks devices are interoperable with other devices that support 802.1Q.

Switchports

VLAN-enabled ports are generally categorized in one of two ways, tagged or untagged. These may also be referred to as "trunk" or "access" respectively. The purpose of a tagged or "trunked" port is to pass traffic for multiple VLANs, whereas an untagged or "access" port accepts traffic for only a single VLAN. Generally speaking, trunk ports will link switches, and access ports will link to end devices.

Switchport action options:

Tag: Add VLAN tags to a port to pass traffic for multiple VLANs.

Untag: Untag a VLAN on a port to only accept traffic for that single VLAN.

Provision ReadyLink ports as trunk, hybrid or access ports to satisfy your network requirements.

Switchport type options:

Hybrid: All ports are set to hybrid by default. This type allows you to add both VLAN tags and an untagged VLAN to the port. Hybrid ports can function as either a trunk port or an access port, depending on your VLAN configurations.

Trunk: A port enabled for VLAN tagging

Access: A port that does not tag and accepts a single VLAN

DHCP Trust

With DHCP snooping enabled globally on the switch, you can set ports to trust or untrust DHCP packets that traverse those ports.

ARP Trust

With Dynamic ARP inspection enabled on a VLAN, you can set ports to trust or untrust ARP packets that traverse those ports.

Port Isolation

Port isolation provides layer 2 isolation between protected ports on a switch. By default, ReadyLinks switches do not isolate WAN-facing ports, but do enable port isolation on ReadyLinks LAN ports.

Rate Limits

Set rate limits on individual ports to impose a throughput ceiling on the port. Rate limits can be set asymmetrically, meaning the upload limit and the download limit do not need to match.

Loop Detection

Loop detection helps prevent network downtime in the event a loop occurs. This feature is disabled by default in ReadyLinks switches. The switch sends loop-detection control packets and monitors for them to detect a loop and shut down any affected ports. Each switch with loop detection enabled will periodically generate broadcast probe packets that are sent out on every active port. The default period is 30 seconds. Each port with loop detection enabled can be set to detect loops and automatically shut down the port in the event a loop occurs.

Loop detection: A global device setting that enables loop detection on the switch.

Loop detection interval: A global device setting that dictates the interval at which the broadcast probe packets are generated.

Loop detection admin: A port setting that enables loop detection on a port. This setting must be enabled in conjunction with the Loop detection global setting.

Loop detection control: A port setting that allows the port to shut down in the event a loop is detected. This setting must be enabled in conjunction with the Loop detection and Loop detection admin settings.

PoE / PoX™

Power over Ethernet (PoE) is a technology that passes electric power over twisted-pair Ethernet cable to powered devices (PD), such as wireless access points, IP cameras, and VoIP phones, in addition to the data that the cable usually carries. Most ReadyLinks switches and client devices support PoE/PoE+/PoE++; refer to the individual device specifications for details about each port's capabilities.

Power over X (PoX™) is a ReadyLinks technology that applies electric power over any cable. This allows you to power the ReadyLinks client device without the need of a local power source. Additionally, the client device will convert the additional power provided by PoX and output PoE/PoE+ depending on its capabilities.

Max Mac Learn

Max mac learn specifies the maximum number of MAC addresses allowed to connect to a port. By default, there is no maximum set on any port. *Note: There will always be two MAC addresses for any ReadyLink connection. One MAC address is allocated for the port itself (domain master) and the other MAC address is learned when the client device (end point) connects. So if you would like to limit a port to a single connected device, the max mac setting should be set to 3.