Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3200-10 » Manual Viewer

D-Link DGS-3200-10 Product Manual - Page 140

Parameter, Description, From Port/To Port, State, Allow Zero IP, SLT 0-500, Enabled Strict

UPC - 790069306310

Add to My Manuals
Save this manual to your list of manuals

Page 140 highlights

xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch The following fields can be set or modified: Parameter Description From Port/To Port Select a range of ports to set for IP-MAC-port binding. State Use the drop-down menu to enable or disable these ports for IP-MAC Binding. Enabled (Strict) - This state provides a stricter method of control. If the user selects this mode, all packets are blocked by the Switch by default. The Switch will compare all incoming ARP and IP Packets and attempt to match them against the IMPB white list. If the IP-MAC pair matches the white list entry, the packets from that MAC address are unblocked. If not, the MAC address will stay blocked. While the Strict state uses more CPU resources from checking every incoming ARP and IP packet, it enforces better security and is thus the recommended setting. Enabled (Loose) - This mode provides a looser way of control. If the user selects loose mode, the Switch will forward all packets by default. However, it will still inspect incoming ARP packets and compare them with the Switch's IMPB white list entries. If the IP-MAC pair of a packet is not found in the white list, the Switch will block the MAC address. A major benefit of Loose state is that it uses less CPU resources because the Switch only checks incoming ARP packets. However, it also means that Loose state cannot block users who send only unicast IP packets. An example of this is that a malicious user can perform DoS attacks by statically configuring the ARP table on their PC. In this case, the Switch cannot block such attacks because the PC will not send out ARP packets. Allow Zero IP Use the drop-down menu to enable or disable this feature. Once Enabled, the Switch will allow ARP packets with a Source IP of 0.0.0.0 to pass through. This is useful in some scenarios when a client (for example, a wireless Access Point,) sends out an ARP request packet before accepting the IP address from a DHCP server. In this case, the ARP request packet sent out from the client will contain a Source IP of 0.0.0.0. The Switch will need to allow such packets to pass, or else the client cannot know if there is another duplicate IP address in the network. FDP Forward DHCP Packet - By default, the Switch will forward all DHCP packets. However, if the port state is set to Strict, all DHCP packets will be dropped. In that case, select Enabled so that the port will forward DHCP packets even under Strict state. Enabling this feature also ensures that DHCP snooping works properly. Mode Use the drop-down menu to select ARP or ACL mode. ARP - When selecting this mode, the Switch will perform ARP Packet Inspection only and no ACL rules will be used. ACL - When selecting this mode, the Switch will perform IP Packet Inspection in addition to ARP Packet Inspection. ACL rules will be used under this mode. SLT (0-500) Stop Learning Threshold - Whenever a MAC address is blocked by the Switch, it will be recorded in the Switch's L2 Forwarding Database (FDB) and each entry associated with a particular port. To prevent the Switch FDB from overloading in case of an ARP DoS attack, the administrator can configure the threshold when a port should stop learning illegal MAC addresses. Enter a stop learning threshold between 0 and 500. Entering 500 means the port will enter the Stop Learning state after 500 illegal MAC entries and will not allow additional MAC entries, neither legal nor illegal, to be learned on this port. In the Stop Learning state, the port will also automatically purge all blocked MAC entries on this port. Traffic from legal MAC entries is still forwarded. Entering 0 means no limit has been set and the port will keep learning illegal MAC addresses. 127

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	10
Safety Cautions	10
General Precautions for Rack-Mountable Products	11
Lithium Battery Precaution	13
Protecting Against Electrostatic Discharge	13
Introduction	14
Logging onto the Web Manager	14
Web-Based User Interface	14
Introduction	14
Logging onto the Web Manager	14
Web-based User Interface	15
Areas of the User Interface	15
Web Pages	16
Device Information	18
System Information	18
Serial Port Settings	18
IP Address	18
IPv6 Interface Settings	18
IPv6 Route Table	18
IPv6 Neighbor Settings	18
Port Configuration	18
Static ARP Settings	18
User Accounts	18
System Log Configuration	18
System Severity Settings	18
DHCP/BOOTP Relay	18
DHCP Local Relay Settings	18
DHCP Auto Configuration Settings	18
MAC Address Aging Time	18
Web Settings	18
Telnet Settings	18
Password Encryption	18
CLI Paging Settings	18
Firmware Information	18
Power Saving Settings	18
Dual Configuration Settings	18
SMTP Settings	18
Ping Test	18
SNTP Settings	18
MAC Notification Settings	18
SNMP Settings	18
CPU Filter L3 Control Packet Settings	18
Single IP Management	18
SD Card FS Settings (DGS-3200-24 only)	18
Device Information	19
System Information	20
Serial Port Settings	21
IP Address	21
Setting the Switch’s IP Address using the Console Interface	23
IPv6 Interface Settings	23
IPv6 Route Table	25
IPv6 Neighbor Settings	26
Port Configuration	27
Port Settings	27
Port Description	28
Port Error Disabled	29
Static ARP Settings	29
User Accounts	31
Admin and User Privileges	31
System Log Configuration	32
System Log Settings	32
System Log Host	33
System Severity Settings	33
DHCP/BOOTP Relay	34
DHCP/BOOTP Relay Global Settings	34
Implementation of DHCP Relay Agent Information Option 82	36
DHCP/BOOTP Relay Interface Settings	37
DHCP Local Relay Settings	37
DHCP Auto Configuration Settings	38
MAC Address Aging Time	39
Web Settings	39
Telnet Settings	40
Password Encryption	40
CLI Paging Settings	41
Firmware Information	41
Power Saving Settings	43
Dual Configuration Settings	44
SMTP Settings	46
Ping Test	47
SNTP Settings	48
Time Settings	48
Time Zone Settings	49
MAC Notification Settings	50
MAC Notification Global Settings	50
MAC Notification Port Settings	51
SNMP Settings	52
Traps	52
MIBs	52
SNMP Global State Settings	53
SNMP Linkchange Trap Settings	53
SNMP View Table	54
SNMP Group Table	55
SNMP User Table	56
SNMP Community Table	57
SNMP Host Table	58
SNMP v6Host Table	59
SNMP Engine ID	60
SNMP Trap Configuration	60
RMON	61
CPU Filter L3 Control Packet Settings	61
Single IP Management	61
Upgrade to v1.61	63
Single IP Settings	63
Topology	65
Tool Tips	67
Right-Click	67
Group Icon	68
Commander Switch Icon	69
Member Switch Icon	69
Candidate Switch Icon	69
Menu Bar	70
File	70
Group	70
Device	70
View	70
Help	70
Firmware Upgrade	71
Configuration File Backup/Restore	71
Upload Log File	71
SD Card FS Settings	72
Jumbo Frame	74
Egress Filter Settings	74
802.1Q VLAN	74
Private VLAN Settings	74
802.1v Protocol VLAN	74
MAC-based VLAN Settings	74
GVRP Settings	74
PVID Auto Assign Settings	74
Port Trunking	74
VLAN Trunk Settings	74
LACP Port Settings	74
Traffic Segmentation	74
IGMP Snooping	74
MLD Snooping Settings	74
Port Mirroring	74
Loopback Detection Settings	74
Spanning Tree	74
Forwarding & Filtering	74
Jumbo Frame	74
Egress Filter Settings	75
802.1Q VLAN	75
Understanding IEEE 802.1p Priority	75
VLAN Description	76
Notes about VLANs on the Switch	76
IEEE 802.1Q VLANs	76
802.1Q VLAN Tags	77
Port VLAN ID	78
Tagging and Untagging	79
Ingress Filtering	79
Default VLANs	79
Port-based VLANs	80
VLAN Segmentation	80
VLAN and Trunk Groups	80
Private VLAN Settings	84
802.1v Protocol VLAN	89
802.1v Protocol Group Settings	89
802.1v Protocol VLAN Settings	90
MAC-based VLAN Settings	91
GVRP Settings	91
PVID Auto Assign Settings	92
Port Trunking	93
Understanding Port Trunk Groups	93
VLAN Trunk Settings	96
LACP Port Settings	97
Traffic Segmentation	98
IGMP Snooping	98
IGMP Snooping Settings	98
Data Driven Learning Settings	102
ISM VLAN Settings	103
Restrictions and Provisos	103
ISM Profile Settings	106
IP Multicast Profile Settings	107
Limited Multicast Address Range Settings	108
Max Multicast Group Settings	109
MLD Snooping Settings	109
MLD Control Messages	110
Port Mirroring	113
Loopback Detection Settings	114
Spanning Tree	115
802.1Q-2005 MSTP	115
802.1D-2004 Rapid Spanning Tree	116
Port Transition States	116
Edge Port	116
P2P Port	116
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	116
STP Bridge Global Settings	118
STP Port Settings	120
MST Configuration Identification	121
STP Instance Settings	122
MSTP Port Information	123
Forwarding & Filtering	124
Unicast Forwarding	124
Multicast Forwarding	124
Multicast Filtering Mode	125
Bandwidth Control	126
Traffic Control	126
802.1p Default Priority	126
802.1p User Priority	126
QoS Scheduling Mechanism	126
Understanding QoS	127
Bandwidth Control	128
Traffic Control	129
802.1p Default Priority	131
802.1p User Priority	131
QoS Scheduling Mechanism	132
Safeguard Engine	133
Trusted Host	133
IP-MAC-Port Binding (IMPB)	133
Port Security	133
DHCP Server Screening	133
Guest VLAN	133
802.1X	133
SSL Settings	133
SSH	133
Access Authentication Control	133
MAC-based Access Control (MAC)	133
Web-based Access Control (WAC)	133
Japanese Web-based Access Control (JWAC)	133
Multiple Authentication	133
IGMP Access Control Settings	133
ARP Spoofing Prevention Settings	133
Safeguard Engine	133
Trusted Host	135
IP-MAC-Port Binding (IMPB)	136
General Overview	136
Common IP Management Security Issues	136
Solutions to Improve IP Management Security	136
ARP Mode	136
ACL Mode	137
Strict and Loose State	137
DHCP Snooping Option	137
IMPB Global Settings	138
IMPB Port Settings	139
IMPB Entry Settings	141
DHCP Snooping Entries	142
MAC Block List	143
Port Security	144
Port Security Settings	144
Port Lock Entries	145
DHCP Server Screening	146
DHCP Screening Port Settings	146
DHCP Offer Filtering	147
Guest VLAN	148
Limitations Using the Guest VLAN	148
802.1X (Port-based and Host-based Access Control)	149
Authentication Server	150
Authenticator	150
Client	151
Authentication Process	151
Understanding 802.1X Port-based and Host-based Network Access Control	152
Port-based Network Access Control	152
Host-based Network Access Control	153
802.1X Settings	154
802.1X User	155
Initialize Port(s)	156
Reauthenticate Port(s)	157
Authentic RADIUS Server	158
SSL Settings	159
SSH	161
SSH Configuration	162
SSH Authmode and Algorithm Settings	163
SSH User Authentication Mode	165
Access Authentication Control	166
Authentication Policy and Parameter Settings	167
Application Authentication Settings	167
Authentication Server Group	168
Authentication Server Host	170
Login Method Lists	171
Enable Method Lists	172
Configure Local Enable Password	173
Enable Admin	173
MAC-based Access Control (MAC)	174
Notes about MAC-based Access Control	174
MAC Settings	174
MAC Local Settings	177
Web-based Access Control (WAC)	177
Conditions and Limitations	179
WAC Global Settings	179
WAC User Settings	180
WAC Port Settings	182
Japanese Web-based Access Control (JWAC)	183
JWAC Global Settings	183
JWAC Port Settings	185
JWAC User Settings	186
JWAC Customize Page Language	186
JWAC Customize Page	187
Multiple Authentication	187
Any (MAC, 802.1X or WAC) Mode	188
Any (MAC, 802.1X or JWAC) Mode	188
802.1X & IMPB Mode	189
IMPB & WAC/JWAC Mode	189
Authorization Network State Settings	190
Multiple Authentication Settings	190
Guest VLAN	191
IGMP Access Control Settings (IGMP Authentication)	192
ARP Spoofing Prevention Settings	193
ACL Configuration Wizard	194
Access Profile List	194
CPU Access Profile List	194
Time Range Settings	194
ACL Configuration Wizard	194
Access Profile List	195
CPU Access Profile List	211
Time Range Settings	223
Device Environment (DGS-3200-16 and DGS-3200-24 only)	225
Cable Diagnostics	225
CPU Utilization	225
Port Utilization	225
Packet Size	225
Packets	225
Errors	225
Port Access Control	225
Browse ARP Table	225
Browse VLAN	225
Browse Router Port	225
Browse MLD Router Port	225
Browse Session Table	225
IGMP Snooping Group	225
MLD Snooping Group	225
WAC Authenticating State	225
JWAC Host Table	225
MAC Address Table	225
System Log	225
MAC Authentication State	225
Device Environment	225
Cable Diagnostics	226
Cable Diagnostics Notes	226
CPU Utilization	227
Port Utilization	228
Packet Size	229
Packets	231
Received (RX)	231
UMB_Cast (RX)	233
Transmitted (TX)	234
Errors	236
Received (RX)	236
Transmitted (TX)	238
Port Access Control	240
RADIUS Authentication	240
RADIUS Account Client	241
Authenticator State	243
Authenticator Statistics	245
Authenticator Session Statistics	248
Authenticator Diagnostics	251
Browse ARP Table	254
Browse VLAN	254
Browse Router Port	255
Browse MLD Router Port	255
Browse Session Table	256
IGMP Snooping Group	256
MLD Snooping Group	257
WAC Authenticating State	258
JWAC Host Table	259
MAC Address Table	260
System Log	261
MAC Authentication State	262
Save Configuration	263
Save Log	263
Save All	263
Download Configuration File/Download Configuration File to NV-RAM (DGS-3200-24 only)	263
Download Configuration File to SD Card (DGS-3200-24 only)	263
Download Firmware/Download Firmware to NV-RAM (DGS-3200-24 only)	263
Download Firmware to SD Card (DGS-3200-24 only)	263
Upload Configuration File/Upload Configuration File to TFTP	263
Upload Log File/Upload Log File to TFTP	263
Reset	263
Reboot System	263
Save Configuration	264
Save Log	264
Save All	265
Download Configuration File/Download Configuration File to NV-RAM	265
Download Configuration File to SD Card	266
Download Firmware/Download Firmware to NV-RAM	266
Download Firmware to SD Card	267
Upload Configuration File/Upload Configuration File to TFTP	267
Upload Log File/Upload Log File to TFTP	268
Reset	268
Reboot System	269
How ARP Spoofing Attacks a Network	273
Prevent ARP Spoofing via Packet Content ACL	274
Log Information	277

Match case Limit results 1 per page

xStack

DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch

127

The following fields can be set or modified:

Parameter

Description

From Port/To Port

Select a range of ports to set for IP-MAC-port binding.

State

Use the drop-down menu to enable or disable these ports for IP-MAC Binding.

Enabled (Strict)

– This state provides a stricter method of control. If the user selects this mode,

all packets are blocked by the Switch by default.

The Switch will compare all incoming ARP

and IP Packets and attempt to match them against the IMPB white list. If the IP-MAC pair

matches the white list entry, the packets from that MAC address are unblocked. If not, the

MAC address will stay blocked. While the Strict state uses more CPU resources from checking

every incoming ARP and IP packet, it enforces better security and is thus the recommended

setting.

Enabled (Loose)

– This mode provides a looser way of control. If the user selects loose mode,

the Switch will forward all packets by default. However, it will still inspect incoming ARP

packets and compare them with the Switch’s IMPB white list entries. If the IP-MAC pair of a

packet is not found in the white list, the Switch will block the MAC address. A major benefit of

Loose state is that it uses less CPU resources because the Switch only checks incoming ARP

packets. However, it also means that Loose state cannot block users who send only unicast IP

packets. An example of this is that a malicious user can perform DoS attacks by statically

configuring the ARP table on their PC. In this case, the Switch cannot block such attacks

because the PC will not send out ARP packets.

Allow Zero IP

Use the drop-down menu to enable or disable this feature. Once

Enabled

, the Switch will allow

ARP packets with a Source IP of 0.0.0.0 to pass through.

This is useful in some scenarios when a client (for example, a wireless Access Point,) sends

out an ARP request packet before accepting the IP address from a DHCP server. In this case,

the ARP request packet sent out from the client will contain a Source IP of 0.0.0.0. The Switch

will need to allow such packets to pass, or else the client cannot know if there is another

duplicate IP address in the network.

FDP

Forward DHCP Packet - By default, the Switch will forward all DHCP packets. However, if the

port state is set to Strict, all DHCP packets will be dropped. In that case, select

Enabled

so that

the port will forward DHCP packets even under Strict state. Enabling this feature also ensures

that DHCP snooping works properly.

Mode

Use the drop-down menu to select

ARP

ACL

mode.

ARP

– When selecting this mode, the Switch will perform ARP Packet Inspection only and no

ACL rules will be used.

ACL

– When selecting this mode, the Switch will perform IP Packet Inspection in addition to

ARP Packet Inspection. ACL rules will be used under this mode.

SLT (0-500)

Stop Learning Threshold - Whenever a MAC address is blocked by the Switch, it will be

recorded in the Switch’s L2 Forwarding Database (FDB) and each entry associated with a

particular port. To prevent the Switch FDB from overloading in case of an ARP DoS attack, the

administrator can configure the threshold when a port should stop learning illegal MAC

addresses.

Enter a stop learning threshold between

and

500

. Entering

500

means the port will enter the

Stop Learning state after 500 illegal MAC entries and will not allow additional MAC entries,

neither legal nor illegal, to be learned on this port. In the Stop Learning state, the port will also

automatically purge all blocked MAC entries on this port. Traffic from legal MAC entries is still

forwarded.

Entering

means no limit has been set and the port will keep learning illegal MAC addresses.