Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3426P » Manual Viewer

D-Link DGS-3426P Product Manual - Page 291

IMPB Global Settings, Strict Mode Behavior Change

UPC - 790069291982

Add to My Manuals
Save this manual to your list of manuals

Page 291 highlights

xStack® DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch Figure 6 - 7 ARP Cache Poisoning When the user configures strict mode and enables IMPB on a port, ARP inspection is enabled. For an ARP inspection active port: All ARP packets should be captured to the CPU (including broadcast ARP and unicast ARP packets) and the CPU will make the decision to either forward or drop. The switch will validate the ARP packets by retrieving the sender's MAC/ IP address from the ARP packet payload and sender hardware address. If the IP/ MAC address are in the IMPB forwarding list, the ARP packets will be forwarded. Otherwise, the ARP packet will be discarded. Strict Mode Behavior Change As the figure below shows, in a mixed network (both IPv4 and IPv6 used), if illegal IPv4-A packets are detected and there are write-blocked FDB entries, then IPv6-Global also cannot access the network. To avoid this case, do not write-block FDB. Not write-blocking FDB can also avoid netcut attacks and recover attacks. Figure 6 - 8 IPv4 and IPv6 Sharing When enabling Strict mode, the Switch will stop writing dropped FDB entries on these ports. If the Switch detects legal packets, the Switch will need to create the FDB forwarding entries. ACL mode always run under strict mode. When a user enables ACL mode on some ports, these ports will change from Loose mode to Strict mode and the configuration will also change to Strict mode. For compound authentication AND mode (IMPB+1X, IMPB+WAC, IMPB+JWAC), the ports always run in Strict mode. IMPB Global Settings This window is used to enable or disable the global IMPB settings: Trap Log State and DHCP Snoop state, on the Switch. The Trap/Log field will enable and disable the sending of trap / log messages for IMPB. When enabled, the Switch will send traps and log messages when an ARP packet is received that doesn't match the IP-MAC binding entries configured on the Switch. 282

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	9
Web-based Switch Configuration	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	10
Web Pages	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	11
Areas of the User Interface	11
Area 2	11
Area 1	11
Area 3	11
Web Pages	12
Administration	13
DGS-3400 Web Management Tool	13
IP Address	13
Interface Settings	13
Stacking	13
Port Configuration	13
User Accounts	13
Password Encryption	13
Mirror	13
System Log	13
System Severity Settings	13
Command Logging Settings	13
SNTP Settings	13
MAC Notification Settings	13
TFTP Services	13
Multiple Image Services	13
RCP	13
Ping Test	13
IPv6 Neighbor	13
Route Redistribution Settings	13
Static/Default Route Settings	13
Route Preference Settings	13
Gratuitous ARP Settings	13
Static ARP Settings	13
DHCP Auto Configuration Settings	13
DHCP/BOOTP Relay	13
DHCP/BOOTP Local Relay Settings	13
DHCPv6 Relay	13
DHCP Server	13
DHCPv6 Server	13
Filter DHCP Server	13
Layer 2 Protocol Tunneling Settings	13
RSPAN	13
DNS Relay	13
DNS Resolver	13
SNMP Manager	13
Trap Source Interface Settings	13
PoE	13
sFlow	14
IP Multicast VLAN Replication	14
Single IP Management (SIM) Overview	14
RIP	14
IP Tunnel Settings	14
Device Information	14
IPv6	16
Overview	16
Packet Format	18
IPv6 Header	18
Extension Headers	19
Packet Fragmentation	19
Address Format	19
Types	20
ICMPv6	21
Neighbor Discovery	21
Neighbor Unreachability Detection	21
Duplicate Address Detection (DAD)	22
Assigning IP Addresses	22
IP Interface Setup	22
IP Address	23
Setting the Switch's IP Address using the Console Interface	24
Interface Settings	25
IPv4 Interface Settings	25
IPv6 Interface Settings	27
Stacking	30
Stack Switch Swapping	32
Stacking Mode Settings	32
Force Master Role Settings	33
Box Information	33
Port Configuration	34
Port Configuration	34
Port Error Disabled	35
Port Description	36
Port Auto Negotiation Information	37
Port Details	38
Port Media Type	39
Cable Diagnostics	40
User Accounts	41
Password Encryption	42
Mirror	43
Port Mirror Global Settings	43
Port Mirror Settings	43
Mirroring within the Switch Stack	45
System Log	45
System Log Host	45
System Log Save Mode Settings	47
System Log Source Interface Settings	48
System Severity Settings	48
Command Logging Settings	49
SNTP Settings	49
Time Settings	49
Time Zone and DST	50
MAC Notification Settings	53
TFTP Services	53
Global Settings	53
Port Settings	53
Multiple Image Services	55
Firmware Information	55
Config Firmware Image	56
RCP	57
RCP Server Settings	57
RCP Services	58
Ping Test	59
IPv4 Ping Test	59
IPv6 Ping Test	60
IPv6 Neighbor	61
IPv6 Neighbor Settings	61
Route Redistribution Settings	62
Static/Default Route Settings	63
IPv4 Static/Default Route Settings	63
IPv6 Static/Default Route Settings	65
Route Preference Settings	66
Gratuitous ARP Settings	67
Static ARP Settings	68
DHCP Auto Configuration Settings	69
DHCP/BOOTP Relay	69
DHCP / BOOTP Relay Global Settings	69
The Implementation of DHCP Information Option 82	72
DHCP/BOOTP Relay Interface Settings	73
DHCP Relay Option 60 Default Settings	73
DHCP Relay Option 60 Settings	74
DHCP Relay Option 61 Default Settings	75
DHCP Relay Option 61 Settings	75
DHCP/BOOTP Local Relay Settings	76
DHCPv6 Relay	77
DHCPv6 Relay Global Settings	77
DHCPv6 Relay Interface Settings	77
DHCP Server	79
DHCP Server Global Settings	79
DHCP Server Exclude Address Settings	80
DHCP Server Pool Settings	80
DHCP Server Dynamic Binding	83
DHCP Server Manual Binding	84
DHCPv6 Server	85
DHCPv6 Server Global Settings	85
DHCPv6 Server Pool Settings	86
DHCPv6 Server Manual Binding Settings	87
DHCPv6 Server Dynamic Binding Settings	88
DHCPv6 Server Interface Settings	89
DHCPv6 Server Excluded Address Settings	90
Filter DHCP Server	91
Filter DHCP Server Global Settings	91
Filter DHCP Server Port Settings	92
Layer 2 Protocol Tunneling Settings	93
RSPAN	94
RSPAN State Settings	94
RSPAN Settings	95
DNS Relay	97
Mapping Domain Names to Addresses	97
Domain Name Resolution	97
DNS Relay Global Settings	98
DNS Relay Static Settings	98
DNS Resolver	99
DNS Resolver Global Settings	99
DNS Resolver Static Name Server Settings	99
DNS Resolver Dynamic Name Server Table	100
DNS Resolver Static Host Name Settings	100
DNS Resolver Dynamic Host Name Table	101
SNMP Manager	102
SNMP Settings	102
Traps	102
MIBs	102
SNMP Trap Settings	103
SNMP User Table	104
SNMP View Table	106
SNMP Group Table	107
SNMP Community Table	108
SNMP Host Table	109
SNMP Engine ID	111
Trap Source Interface Settings	111
PoE	112
PoE System Settings	112
PoE Port Settings	114
sFlow	116
sFlow Global Settings	117
sFlow Analyzer Settings	117
sFlow Sampler Settings	119
sFlow Poller Settings	121
IP Multicast VLAN Replication	123
IP Multicast VLAN Replication Global Settings	123
IP Multicast VLAN Replication Settings	124
Single IP Management (SIM) Overview	127
The Upgrade to v1.61	128
Single IP vs. Switch Stacking	129
SIM Settings	129
Topology	130
Tool Tips	133
Right-click	135
Group Icon	135
Commander Switch Icon	136
Member Switch Icon	136
Candidate Switch Icon	136
Menu Bar	137
File	137
Group	137
Device	137
View	137
Help	138
Firmware Upgrade	138
Configuration Backup/Restore	138
Upload Log	139
RIP	139
RIP Version 1 Message Format	140
RIP Command Codes	140
RIP 1 Message	140
RIP 1 Route Interpretation	140
RIP Version 2 Extensions	140
RIP2 Message Format	140
RIP	140
RIP Global Settings	141
RIP Interface Settings	141
RIPng	142
RIPng Global Settings	142
RIPng Interface Settings	143
IP Tunnel Settings	144
L2 Features	146
VLANs	146
Trunking	146
IGMP Snooping	146
MLD Snooping	146
Loop-back Detection Global Settings	146
Spanning Tree	146
Forwarding & Filtering	146
LLDP	146
Q-in-Q	146
ERPS	146
DULD Settings	146
NLB Multicast FDB Settings	146
VLANs	146
VLAN Description	146
Notes about VLANs on the DGS-3400 Series	146
IEEE 802.1Q VLANs	146
802.1Q VLAN Tags	148
Port VLAN ID	149
Tagging and Untagging	150
Ingress Filtering	150
Default VLANs	150
Port-based VLANs	151
VLAN Segmentation	151
VLAN and Trunk Groups	151
Protocol VLANs	151
Static VLAN Entry	151
VLAN Trunk	153
GVRP Settings	155
Double VLANs	156
Regulations for Double VLANs	157
Double VLAN Settings	158
PVID Auto Assign	160
MAC-based VLAN Settings	161
Protocol VLAN	161
Protocol VLAN Group Settings	162
Protocol VLAN Port Settings	163
Subnet VLAN	164
Subnet VLAN Settings	165
VLAN Precedence Settings	165
Trunking	167
Understanding Port Trunk Groups	167
Link Aggregation	168
LACP Port Settings	171
IGMP Snooping	173
IGMP Snooping Settings	173
Router Port Settings	175
IGMP Snooping Static Group Settings	177
ISM VLAN Settings	178
Restrictions and Provisos	179
Limited IP Multicast Address Range Settings	181
MLD Snooping	183
MLD Control Messages	183
MLD Snooping Settings	183
MLD Router Port Settings	186
Loop-back Detection Global Settings	188
Spanning Tree	190
802.1Q-2005 MSTP	190
802.1D-2004 Rapid Spanning Tree	190
Port Transition States	191
Edge Port	191
P2P Port	191
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	191
STP Bridge Global Settings	192
MST Configuration Identification	194
MSTP Port Information	197
STP Instance Settings	199
STP Port Settings	200
Forwarding & Filtering	202
Unicast Forwarding	202
Multicast Forwarding	202
Multicast Filtering Mode	203
LLDP	204
LLDP Global Settings	205
Basic LLDP Port Settings	206
802.1 Extension LLDP Port Settings	207
802.3 Extension LLDP Port Settings	209
LLDP Management Address Settings	211
LLDP Statistics	213
LLDP Management Address Table	214
LLDP Local Port Table	214
LLDP Remote Port Table	217
Q-in-Q	219
Q-in-Q Settings	219
VLAN Translation Settings	220
ERPS	221
ERPS Global Settings	221
ERPS RAPS VLAN Settings	222
DULD Settings	225
NLB Multicast FDB Settings	227
QoS	229
802.1p Settings	229
Bandwidth Control	229
HOL Prevention Settings	229
Schedule Settings	229
QoS	229
The Advantages of QoS	229
Understanding QoS	230
Understanding IEEE 802.1p Priority	232
802.1p Settings	232
802.1p Default Priority Settings	233
802.1p User Priority Settings	234
Bandwidth Control	235
Bandwidth Control Settings	235
Per Queue Bandwidth Control Settings	237
HOL Prevention Settings	239
Schedule Settings	239
QoS Output Scheduling Settings	239
Configuring the Combination Queue	241
QoS Scheduling Mechanism Settings	241
ACL (Access Control List)	244
Time Range	244
Access Profile Table	244
ACL Flow Meter	244
CPU Interface Filtering	244
Time Range	244
Access Profile Table	245
ACL Flow Meter	263
CPU Interface Filtering	267
CPU Interface Filtering State	267
CPU Interface Filtering Table	268
Security	284
Authorization Attributes State Settings	284
Traffic Control	284
Port Security	284
IP-MAC-Port Binding	284
802.1X	284
Web-based Access Control (WAC)	284
Trust Host	284
BPDU Attack Protection Settings	284
ARP Spoofing Prevention Settings	284
Access Authentication Control	284
MAC-based Access Control (MAC)	284
Safeguard Engine	284
Traffic Segmentation	284
Secure Socket Layer (SSL)	284
Secure Shell (SSH)	284
Compound Authentication	284
Japanese Web-based Access Control (JWAC)	284
Authorization Attributes State Settings	284
Traffic Control	285
Port Security	287
Port Security Settings	287
Port Security Entries	288
IP-MAC-Port Binding	289
IMPB Global Settings	291
IMPB Port Settings	292
IMPB Entry Settings	294
DHCP Snoop Entries	295
MAC Block List	296
ND Snoop Entries	296
802.1X	297
802.1X Port-based and Host-based Access Control	297
Authentication Server	297
Authenticator	298
Client	298
Authentication Process	299
Understanding 802.1X Port-based and MAC-based Network Access Control	299
Port-based Network Access Control	300
MAC-Based Network Access Control	301
Guest VLANs	302
Limitations Using the Guest VLAN	302
802.1X Port Settings	302
Guest VLAN Settings	305
Authentication RADIUS Server Settings	306
802.1X User Settings	307
Initialize Port(s)	308
Reauthenticate Port(s)	309
Web-based Access Control (WAC)	311
Conditions and Limitations	311
WAC Global Settings	312
WAC Port Settings	313
WAC User Account	315
WAC Authentication State	316
Trust Host	317
BPDU Attack Protection Settings	319
ARP Spoofing Prevention Settings	320
Access Authentication Control	321
Authentication Policy and Parameter Settings	323
Application's Authentication Settings	323
Authentication Server Group	324
Authentication Server Host	325
Login Method Lists	327
Enable Method Lists	328
Configure Local Enable Password	330
Enable Admin	331
RADIUS Accounting Settings	332
MAC-based Access Control (MAC)	334
Notes about MAC-based Access Control	334
MAC-based Access Control Global Settings	334
MAC-based Access Control Local MAC Settings	337
Safeguard Engine	338
Safeguard Engine Settings	339
Traffic Segmentation	340
Secure Socket Layer (SSL)	341
SSL	342
Secure Shell (SSH)	343
SSH Server Configuration	344
SSH Authentication Mode and Algorithm Settings	345
SSH User Authentication Mode	347
Compound Authentication	348
Any (MAC, 802.1X, WAC or JWAC) Mode	348
802.1X + IMPB Mode	349
IMPB + JWAC Mode	349
Compound Authentication Global Settings	349
Compound Authentication Settings	350
Authentication Guest VLAN Settings	352
Japanese Web-based Access Control (JWAC)	353
JWAC Global Settings	353
JWAC Port Settings	356
JWAC User Account	359
JWAC Authentication State	360
JWAC Customize Page Language Settings	361
JWAC Customize Page	362
Monitoring	363
Device Status	363
Stacking Information	363
Stacking Device	363
Module Information	363
DRAM & Flash Utilization	363
CPU Utilization	363
Port Utilization	363
Packets	363
Errors	363
Packet Size	363
Browse Router Port	363
Browse MLD Router Port	363
VLAN Status	363
VLAN Status Port	363
Port Access Control	363
MAC Address Table	363
IGMP Snooping Group	363
IGMP Snooping Data Driven Group	363
MLD Snooping Group	363
MLD Snooping Data Driven Group	363
Trace Route	363
Switch Logs	363
Browse ARP Table	363
Session Table	363
IP Forwarding Table	363
Routing Table	363
MAC-based Access Control Authentication Status	363
Device Status	363
Stacking Information	364
Stacking Device	365
Module Information	365
DRAM & Flash Utilization	366
CPU Utilization	367
Port Utilization	368
Packets	369
Received (RX)	369
UMB Cast (RX)	371
Transmitted (TX)	373
Errors	375
Received (RX)	375
Transmitted (TX)	377
Packet Size	379
Browse Router Port	381
Browse MLD Router Port	382
VLAN Status	382
VLAN Status Port	383
Port Access Control	383
Authenticator State	383
Authenticator Statistics	384
Authenticator Session Statistics	384
Authenticator Diagnostics	385
RADIUS Authentication	385
RADIUS Account Client	385
MAC Address Table	387

Match case Limit results 1 per page

xStack

DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch

282

Figure 6 - 7 ARP Cache Poisoning

When the user configures strict mode and enables IMPB on a port, ARP inspection is enabled. For an ARP inspection active port:

All ARP packets should be captured to the CPU (including broadcast ARP and unicast ARP packets) and the CPU will make the

decision to either forward or drop.

The switch will validate the ARP packets by retrieving the sender’s MAC/ IP address from the ARP packet payload and sender

hardware address. If the IP/ MAC address are in the IMPB forwarding list, the ARP packets will be forwarded. Otherwise, the

ARP packet will be discarded.

Strict Mode Behavior Change

As the figure below shows, in a mixed network (both IPv4 and IPv6 used), if illegal IPv4-A packets are detected and there are

write-blocked FDB entries, then IPv6-Global also cannot access the network. To avoid this case, do not write-block FDB. Not

write-blocking FDB can also avoid netcut attacks and recover attacks.

Figure 6 - 8 IPv4 and IPv6 Sharing

When enabling Strict mode, the Switch will stop writing dropped FDB entries on these ports. If the Switch detects legal packets,

the Switch will need to create the FDB forwarding entries. ACL mode always run under strict mode. When a user enables ACL

mode on some ports, these ports will change from Loose mode to Strict mode and the configuration will also change to Strict

mode. For compound authentication AND mode (IMPB+1X, IMPB+WAC, IMPB+JWAC), the ports always run in Strict mode.

IMPB Global Settings

This window is used to enable or disable the global IMPB settings: Trap Log State and DHCP Snoop state, on the Switch.

The Trap/Log

field will enable and disable the sending of trap / log messages for IMPB.

When enabled, the Switch will send

traps and log messages when an ARP packet is received that doesn’t match the IP-MAC binding entries configured on the Switch.