Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3200-10 » Manual Viewer

D-Link DGS-3200-10 Product Manual - Page 133

Safeguard Engine, Trusted Host, IP-MAC-Port Binding (IMPB), Port Security, DHCP Server Screening,

UPC - 790069306310

Add to My Manuals
Save this manual to your list of manuals

Page 133 highlights

xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch Security Safeguard Engine Trusted Host IP-MAC-Port Binding (IMPB) Port Security DHCP Server Screening Guest VLAN 802.1X SSL Settings SSH Access Authentication Control MAC-based Access Control (MAC) Web-based Access Control (WAC) Japanese Web-based Access Control (JWAC) Multiple Authentication IGMP Access Control Settings ARP Spoofing Prevention Settings Section 5 Safeguard Engine Periodically, malicious hosts on the network will attack the Switch by utilizing pac ket flooding (ARP Storm) or other methods. These attacks may increase the switch load beyond its cap ability. To alleviate this problem, the Safeguard Engine function was added to the Switch's software. The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. The Safeguard Engine has two operating modes that can be configured by the user, Strict and Fuzzy. In Strict mode, when the Switch either (a) receives too many packets to process or (b) exerts too much memory, it will en ter the Exhausted mode. When in this mode, the Switch will drop all ARP and IP broadcast packets and packets from untrusted IP addresses for a calculated time interval. Every five seconds, the Safeguard Engine will check to see if there are too many packets flooding the Switch. If the threshold has been crossed, the Switch will initially stop all ingress ARP and IP broadcast packets and packets from untrusted IP addresses for five seconds. After another five-second checking interval arrives, the Switch will again check the ingress flow of packets. If the flooding has stopped, the Switch will again begin accepting all packets. Yet, if the checking shows that there continues to be too many packets flooding the Switch, it will stop accepting all ARP and IP broadcast packets and packets from untrusted IP addresses for double the time of the previous stop period. This doubling of time for stopping these packets will continue until the maximum time has been reached, which i s 320 seconds and e very st op f rom this p oint until a ret urn t o n ormal i ngress fl ow w ould be 320 sec onds. For a better understanding, please examine the following example of the Safeguard Engine. 120

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	10
Safety Cautions	10
General Precautions for Rack-Mountable Products	11
Lithium Battery Precaution	13
Protecting Against Electrostatic Discharge	13
Introduction	14
Logging onto the Web Manager	14
Web-Based User Interface	14
Introduction	14
Logging onto the Web Manager	14
Web-based User Interface	15
Areas of the User Interface	15
Web Pages	16
Device Information	18
System Information	18
Serial Port Settings	18
IP Address	18
IPv6 Interface Settings	18
IPv6 Route Table	18
IPv6 Neighbor Settings	18
Port Configuration	18
Static ARP Settings	18
User Accounts	18
System Log Configuration	18
System Severity Settings	18
DHCP/BOOTP Relay	18
DHCP Local Relay Settings	18
DHCP Auto Configuration Settings	18
MAC Address Aging Time	18
Web Settings	18
Telnet Settings	18
Password Encryption	18
CLI Paging Settings	18
Firmware Information	18
Power Saving Settings	18
Dual Configuration Settings	18
SMTP Settings	18
Ping Test	18
SNTP Settings	18
MAC Notification Settings	18
SNMP Settings	18
CPU Filter L3 Control Packet Settings	18
Single IP Management	18
SD Card FS Settings (DGS-3200-24 only)	18
Device Information	19
System Information	20
Serial Port Settings	21
IP Address	21
Setting the Switch’s IP Address using the Console Interface	23
IPv6 Interface Settings	23
IPv6 Route Table	25
IPv6 Neighbor Settings	26
Port Configuration	27
Port Settings	27
Port Description	28
Port Error Disabled	29
Static ARP Settings	29
User Accounts	31
Admin and User Privileges	31
System Log Configuration	32
System Log Settings	32
System Log Host	33
System Severity Settings	33
DHCP/BOOTP Relay	34
DHCP/BOOTP Relay Global Settings	34
Implementation of DHCP Relay Agent Information Option 82	36
DHCP/BOOTP Relay Interface Settings	37
DHCP Local Relay Settings	37
DHCP Auto Configuration Settings	38
MAC Address Aging Time	39
Web Settings	39
Telnet Settings	40
Password Encryption	40
CLI Paging Settings	41
Firmware Information	41
Power Saving Settings	43
Dual Configuration Settings	44
SMTP Settings	46
Ping Test	47
SNTP Settings	48
Time Settings	48
Time Zone Settings	49
MAC Notification Settings	50
MAC Notification Global Settings	50
MAC Notification Port Settings	51
SNMP Settings	52
Traps	52
MIBs	52
SNMP Global State Settings	53
SNMP Linkchange Trap Settings	53
SNMP View Table	54
SNMP Group Table	55
SNMP User Table	56
SNMP Community Table	57
SNMP Host Table	58
SNMP v6Host Table	59
SNMP Engine ID	60
SNMP Trap Configuration	60
RMON	61
CPU Filter L3 Control Packet Settings	61
Single IP Management	61
Upgrade to v1.61	63
Single IP Settings	63
Topology	65
Tool Tips	67
Right-Click	67
Group Icon	68
Commander Switch Icon	69
Member Switch Icon	69
Candidate Switch Icon	69
Menu Bar	70
File	70
Group	70
Device	70
View	70
Help	70
Firmware Upgrade	71
Configuration File Backup/Restore	71
Upload Log File	71
SD Card FS Settings	72
Jumbo Frame	74
Egress Filter Settings	74
802.1Q VLAN	74
Private VLAN Settings	74
802.1v Protocol VLAN	74
MAC-based VLAN Settings	74
GVRP Settings	74
PVID Auto Assign Settings	74
Port Trunking	74
VLAN Trunk Settings	74
LACP Port Settings	74
Traffic Segmentation	74
IGMP Snooping	74
MLD Snooping Settings	74
Port Mirroring	74
Loopback Detection Settings	74
Spanning Tree	74
Forwarding & Filtering	74
Jumbo Frame	74
Egress Filter Settings	75
802.1Q VLAN	75
Understanding IEEE 802.1p Priority	75
VLAN Description	76
Notes about VLANs on the Switch	76
IEEE 802.1Q VLANs	76
802.1Q VLAN Tags	77
Port VLAN ID	78
Tagging and Untagging	79
Ingress Filtering	79
Default VLANs	79
Port-based VLANs	80
VLAN Segmentation	80
VLAN and Trunk Groups	80
Private VLAN Settings	84
802.1v Protocol VLAN	89
802.1v Protocol Group Settings	89
802.1v Protocol VLAN Settings	90
MAC-based VLAN Settings	91
GVRP Settings	91
PVID Auto Assign Settings	92
Port Trunking	93
Understanding Port Trunk Groups	93
VLAN Trunk Settings	96
LACP Port Settings	97
Traffic Segmentation	98
IGMP Snooping	98
IGMP Snooping Settings	98
Data Driven Learning Settings	102
ISM VLAN Settings	103
Restrictions and Provisos	103
ISM Profile Settings	106
IP Multicast Profile Settings	107
Limited Multicast Address Range Settings	108
Max Multicast Group Settings	109
MLD Snooping Settings	109
MLD Control Messages	110
Port Mirroring	113
Loopback Detection Settings	114
Spanning Tree	115
802.1Q-2005 MSTP	115
802.1D-2004 Rapid Spanning Tree	116
Port Transition States	116
Edge Port	116
P2P Port	116
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	116
STP Bridge Global Settings	118
STP Port Settings	120
MST Configuration Identification	121
STP Instance Settings	122
MSTP Port Information	123
Forwarding & Filtering	124
Unicast Forwarding	124
Multicast Forwarding	124
Multicast Filtering Mode	125
Bandwidth Control	126
Traffic Control	126
802.1p Default Priority	126
802.1p User Priority	126
QoS Scheduling Mechanism	126
Understanding QoS	127
Bandwidth Control	128
Traffic Control	129
802.1p Default Priority	131
802.1p User Priority	131
QoS Scheduling Mechanism	132
Safeguard Engine	133
Trusted Host	133
IP-MAC-Port Binding (IMPB)	133
Port Security	133
DHCP Server Screening	133
Guest VLAN	133
802.1X	133
SSL Settings	133
SSH	133
Access Authentication Control	133
MAC-based Access Control (MAC)	133
Web-based Access Control (WAC)	133
Japanese Web-based Access Control (JWAC)	133
Multiple Authentication	133
IGMP Access Control Settings	133
ARP Spoofing Prevention Settings	133
Safeguard Engine	133
Trusted Host	135
IP-MAC-Port Binding (IMPB)	136
General Overview	136
Common IP Management Security Issues	136
Solutions to Improve IP Management Security	136
ARP Mode	136
ACL Mode	137
Strict and Loose State	137
DHCP Snooping Option	137
IMPB Global Settings	138
IMPB Port Settings	139
IMPB Entry Settings	141
DHCP Snooping Entries	142
MAC Block List	143
Port Security	144
Port Security Settings	144
Port Lock Entries	145
DHCP Server Screening	146
DHCP Screening Port Settings	146
DHCP Offer Filtering	147
Guest VLAN	148
Limitations Using the Guest VLAN	148
802.1X (Port-based and Host-based Access Control)	149
Authentication Server	150
Authenticator	150
Client	151
Authentication Process	151
Understanding 802.1X Port-based and Host-based Network Access Control	152
Port-based Network Access Control	152
Host-based Network Access Control	153
802.1X Settings	154
802.1X User	155
Initialize Port(s)	156
Reauthenticate Port(s)	157
Authentic RADIUS Server	158
SSL Settings	159
SSH	161
SSH Configuration	162
SSH Authmode and Algorithm Settings	163
SSH User Authentication Mode	165
Access Authentication Control	166
Authentication Policy and Parameter Settings	167
Application Authentication Settings	167
Authentication Server Group	168
Authentication Server Host	170
Login Method Lists	171
Enable Method Lists	172
Configure Local Enable Password	173
Enable Admin	173
MAC-based Access Control (MAC)	174
Notes about MAC-based Access Control	174
MAC Settings	174
MAC Local Settings	177
Web-based Access Control (WAC)	177
Conditions and Limitations	179
WAC Global Settings	179
WAC User Settings	180
WAC Port Settings	182
Japanese Web-based Access Control (JWAC)	183
JWAC Global Settings	183
JWAC Port Settings	185
JWAC User Settings	186
JWAC Customize Page Language	186
JWAC Customize Page	187
Multiple Authentication	187
Any (MAC, 802.1X or WAC) Mode	188
Any (MAC, 802.1X or JWAC) Mode	188
802.1X & IMPB Mode	189
IMPB & WAC/JWAC Mode	189
Authorization Network State Settings	190
Multiple Authentication Settings	190
Guest VLAN	191
IGMP Access Control Settings (IGMP Authentication)	192
ARP Spoofing Prevention Settings	193
ACL Configuration Wizard	194
Access Profile List	194
CPU Access Profile List	194
Time Range Settings	194
ACL Configuration Wizard	194
Access Profile List	195
CPU Access Profile List	211
Time Range Settings	223
Device Environment (DGS-3200-16 and DGS-3200-24 only)	225
Cable Diagnostics	225
CPU Utilization	225
Port Utilization	225
Packet Size	225
Packets	225
Errors	225
Port Access Control	225
Browse ARP Table	225
Browse VLAN	225
Browse Router Port	225
Browse MLD Router Port	225
Browse Session Table	225
IGMP Snooping Group	225
MLD Snooping Group	225
WAC Authenticating State	225
JWAC Host Table	225
MAC Address Table	225
System Log	225
MAC Authentication State	225
Device Environment	225
Cable Diagnostics	226
Cable Diagnostics Notes	226
CPU Utilization	227
Port Utilization	228
Packet Size	229
Packets	231
Received (RX)	231
UMB_Cast (RX)	233
Transmitted (TX)	234
Errors	236
Received (RX)	236
Transmitted (TX)	238
Port Access Control	240
RADIUS Authentication	240
RADIUS Account Client	241
Authenticator State	243
Authenticator Statistics	245
Authenticator Session Statistics	248
Authenticator Diagnostics	251
Browse ARP Table	254
Browse VLAN	254
Browse Router Port	255
Browse MLD Router Port	255
Browse Session Table	256
IGMP Snooping Group	256
MLD Snooping Group	257
WAC Authenticating State	258
JWAC Host Table	259
MAC Address Table	260
System Log	261
MAC Authentication State	262
Save Configuration	263
Save Log	263
Save All	263
Download Configuration File/Download Configuration File to NV-RAM (DGS-3200-24 only)	263
Download Configuration File to SD Card (DGS-3200-24 only)	263
Download Firmware/Download Firmware to NV-RAM (DGS-3200-24 only)	263
Download Firmware to SD Card (DGS-3200-24 only)	263
Upload Configuration File/Upload Configuration File to TFTP	263
Upload Log File/Upload Log File to TFTP	263
Reset	263
Reboot System	263
Save Configuration	264
Save Log	264
Save All	265
Download Configuration File/Download Configuration File to NV-RAM	265
Download Configuration File to SD Card	266
Download Firmware/Download Firmware to NV-RAM	266
Download Firmware to SD Card	267
Upload Configuration File/Upload Configuration File to TFTP	267
Upload Log File/Upload Log File to TFTP	268
Reset	268
Reboot System	269
How ARP Spoofing Attacks a Network	273
Prevent ARP Spoofing via Packet Content ACL	274
Log Information	277

Match case Limit results 1 per page

xStack

DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch

120

Section 5

Security

Safeguard Engine

Trusted Host

IP-MAC-Port Binding (IMPB)

Port Security

DHCP Server Screening

Guest VLAN

802.1X

SSL Settings

SSH

Access Authentication Control

MAC-based Access Control (MAC)

Web-based Access Control (WAC)

Japanese Web-based Access Control (JWAC)

Multiple Authentication

IGMP Access Control Settings

ARP Spoofing Prevention Settings

Safeguard Engine

Periodically, malicious hosts on the network will attack the Switch by utilizing pac ket flooding (ARP Storm) or other methods.

These attacks may increase the switch load beyond its capability. To alleviate this problem, the Safeguard Engine function was

added to the Switch’s software.

The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is

ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. The Safeguard Engine has

two operating modes that can be configured by the user,

Strict

and

Fuzzy

. In

Strict

mode, when the Switch either (a) receives too

many packets to process or (b) exerts too much memory, it will enter the Exhausted

mode. When in this mode, the Switch will

drop all ARP and IP broadcast packets and packets from untrusted IP addresses for a calculated time interval. Every five seconds,

the Safeguard Engine will check to see if there are too

many packets flooding the Switch. If the threshold has been crossed, the

Switch will initially stop all ingress ARP and IP broadcast packets and packets from untrusted IP addresses for five seconds. After

another five-second checking interval arrives, the Switch will again check the ingress flow of packets. If the flooding has stopped,

the Switch will again begin accepting all packets. Yet, if the checking shows that there continues to be too many packets flooding

the Switch, it will stop accepting all ARP and IP broadcast packets and packets from untrusted IP addresses for double the time of

the previous stop period. This doubling of time for stopping these packets will continue until the maximum time has been reached,

which is 320 seconds and every stop from this point until a return to normal ingress flow would be 320 seconds. For a better

understanding, please examine the following example of the Safeguard Engine.