D-Link DGS-3200-10 Product Manual - Page 137

xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch ACL Mode In ACL Mode, a switch performs IP Packet Inspection in addition to ARP Packet Inspection. Essentially, ACL rules will be used to permit statically configured IMPB entries and deny other IP packets with the incorrect IP-MAC pairs. The distinct advantage of ACL Mode is that it ensures better security by ch ecking both ARP Packets and IP Packets. However, doing so requires the use of ACL rules. ACL Mode can be viewed as an enhanced version of ARP Mode because ARP Mode is enabled by default when ACL Mode is selected. Strict and Loose State Other than ACL and ARP mode, users can also configure the state on a port for granular control. There are two states, Strict an d Loose, and only one state can be selected per port. If a port is set to Stric t state, all packet s sent to the port are denied (dropped) by default. The switch will c ontinuously compare all IP a nd ARP packets it receives on that port with its IMPB entries. If the IPMAC pair in the packet matches the IMPB entry, the MAC address will be unblocked and subsequent packets sent from this client will be fo rwarded. On the o ther hand, if a port is set to Loose state, all p ackets sen t to th e port are p ermitted (forward ed) b y default. The switch will c ontinuously compare all ARP packets it receives on that port with its IMPB entries. If the IP-MAC pair in the ARP packet does not match the IMPB wh ite list, the MAC address will b e blocked and subsequent packets sent from this client will be dropped. DHCP Snooping Option If DHCP snooping is enabled, the switch learns IP-MAC pairs by snooping DHCP packets automatically and then saving them to the IP-MAC-Port Binding white list. This enables a hassle-free configuration because the administrator does not need to manually enter each IM PB entry. A prerequisite for t his is that t he valid DHCP server's IP-MAC pair m ust be on the switch's IMPB list; otherwise the DHCP server packets will be dropped. DHCP snooping is gene rally cons idered to be m ore secure because it enforces all clients to acquire IP through the DHCP server. An ex ample o f DH CP sn ooping in which PC-A and PC-B g et th eir I P addresses from a D HCP ser ver is d epicted b elow. The switch snoops the DHCP conversation between PC-A, PC-B, and the DHCP server. The IP address, MAC address, and connecting ports of both PC-A and PC-B are learned and stored in the switch's IMPB white list. Therefore, these PCs will be able to connect to the network. Then there is PC-C, whose IP address is man ually configured by the user. Since this PC's IP-MAC pair does not match the one on Switch's IMPB white list, traffic from PC-C will be blocked. Doesn't match the White List block PC-C IMP Binding Enabled DHCP Server Address Learning White List PC-A 192.168.1.1 00E0-0211-1111 PC-B 192.168.1.2 (IP assigned by DHCP for 00E0-0211-2222 PC-A and PC-B) PC-C 192.168.1.1 00E0-0211-3333 (IP manually configured by user) 192.168.1.1 00E0-0211-111 Port 1 192.168.1.2 00E0-0211-222 Port 2 Figure 5 - 5. Example of DHCP Snooping The IP-MAC-Port Binding (IMPB) folder contains five windows: IMPB Global Settings, IMPB Port Settings, IMPB Entry Settings, DHCP Snooping Entries, and MAC Blocked List. 124