Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3426P » Manual Viewer

D-Link DGS-3426P Product Manual - Page 294

IMPB Entry Settings, Allow Zero IP, Forward DHCP PKT, Stop Learning, Threshold 0-500, Recover Learning

UPC - 790069291982

Add to My Manuals
Save this manual to your list of manuals

Page 294 highlights

xStack® DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch packets. An example of this is that a malicious user can perform DoS attacks by statically configuring the ARP table on their PC. In this case, the Switch cannot block such attacks because the PC will not send out ARP packets. Allow Zero IP Use the pull-down menu to enable or disable this feature. Once enabled, the Switch will allow ARP packets with a Source IP of 0.0.0.0 to pass through. This is useful in some scenarios when a client (for example, a wireless Access Point,) sends out an ARP request packet before accepting the IP address from a DHCP server. In this case, the ARP request packet sent out from the client will contain a Source IP of 0.0.0.0. The Switch will need to allow such packets to pass, or else the client cannot know if there is another duplicate IP address in the network. Forward DHCP PKT By default, the Switch will forward all DHCP packets. However, if the port state is set to Strict, all DHCP packets will be dropped. In that case, select Enable so that the port will forward DHCP packets even under Strict state. Enabling this feature also ensures that DHCP snooping works properly. Mode Use the pull-down menu to select ARP or ACL mode. ARP Mode - When selecting this mode, the Switch will perform ARP Packet Inspection only and no ACL rules will be used. ACL Mode - When selecting this mode, the Switch will perform IP Packet Inspection in addition to ARP Packet Inspection. ACL rules will be used under this mode. Stop Learning Threshold (0-500) Whenever a MAC address is blocked by the Switch, it will be recorded in the Switch's L2 Forwarding Database (FDB) and associated with a particular port. To prevent the Switch FDB from overloading in case of an ARP DoS attack, the administrator can configure the threshold when a port should stop learning illegal MAC addresses. Enter a Stop Learning threshold between 0 and 500. Entering 500 means the port will enter the Stop Learning state after 500 illegal MAC entries and will not allow additional MAC entries, both legal or illegal, to be learned on this port. In the Stop Learning state, the port will also automatically purge all blocked MAC entries on this port. Traffic from legal MAC entries are still forwarded. Entering 0 means no limit has been set and the port will keep learning illegal MAC addresses. Recover Learning This feature can only be applied when a port is already in Stop Learning state. Check Normal to recover the port back to normal state, under which the port will start learning both illegal and legal MAC addresses again. Selecting this feature when the port is in Normal state will do nothing. Max Entry (1-50) Specifies the maximum number of dynamic (DHCP snooped) IP-MAC-Port Binding entries that can be learned on the port. Enter a value between 1 to 50 to restrict dynamic IMPB entries on this port. By default, the-per port max entry has No Limit. Click Apply to implement the changes. IMPB Entry Settings The table on this window, which is also known as the "IMPB white list," is used to create Static IP-MAC-Port Binding entries on the Switch. To view this window, click Security > IP-MAC-Port Binding > IMPB Entry Settings, as shown below. 285

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	9
Web-based Switch Configuration	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	10
Web Pages	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	11
Areas of the User Interface	11
Area 2	11
Area 1	11
Area 3	11
Web Pages	12
Administration	13
DGS-3400 Web Management Tool	13
IP Address	13
Interface Settings	13
Stacking	13
Port Configuration	13
User Accounts	13
Password Encryption	13
Mirror	13
System Log	13
System Severity Settings	13
Command Logging Settings	13
SNTP Settings	13
MAC Notification Settings	13
TFTP Services	13
Multiple Image Services	13
RCP	13
Ping Test	13
IPv6 Neighbor	13
Route Redistribution Settings	13
Static/Default Route Settings	13
Route Preference Settings	13
Gratuitous ARP Settings	13
Static ARP Settings	13
DHCP Auto Configuration Settings	13
DHCP/BOOTP Relay	13
DHCP/BOOTP Local Relay Settings	13
DHCPv6 Relay	13
DHCP Server	13
DHCPv6 Server	13
Filter DHCP Server	13
Layer 2 Protocol Tunneling Settings	13
RSPAN	13
DNS Relay	13
DNS Resolver	13
SNMP Manager	13
Trap Source Interface Settings	13
PoE	13
sFlow	14
IP Multicast VLAN Replication	14
Single IP Management (SIM) Overview	14
RIP	14
IP Tunnel Settings	14
Device Information	14
IPv6	16
Overview	16
Packet Format	18
IPv6 Header	18
Extension Headers	19
Packet Fragmentation	19
Address Format	19
Types	20
ICMPv6	21
Neighbor Discovery	21
Neighbor Unreachability Detection	21
Duplicate Address Detection (DAD)	22
Assigning IP Addresses	22
IP Interface Setup	22
IP Address	23
Setting the Switch's IP Address using the Console Interface	24
Interface Settings	25
IPv4 Interface Settings	25
IPv6 Interface Settings	27
Stacking	30
Stack Switch Swapping	32
Stacking Mode Settings	32
Force Master Role Settings	33
Box Information	33
Port Configuration	34
Port Configuration	34
Port Error Disabled	35
Port Description	36
Port Auto Negotiation Information	37
Port Details	38
Port Media Type	39
Cable Diagnostics	40
User Accounts	41
Password Encryption	42
Mirror	43
Port Mirror Global Settings	43
Port Mirror Settings	43
Mirroring within the Switch Stack	45
System Log	45
System Log Host	45
System Log Save Mode Settings	47
System Log Source Interface Settings	48
System Severity Settings	48
Command Logging Settings	49
SNTP Settings	49
Time Settings	49
Time Zone and DST	50
MAC Notification Settings	53
TFTP Services	53
Global Settings	53
Port Settings	53
Multiple Image Services	55
Firmware Information	55
Config Firmware Image	56
RCP	57
RCP Server Settings	57
RCP Services	58
Ping Test	59
IPv4 Ping Test	59
IPv6 Ping Test	60
IPv6 Neighbor	61
IPv6 Neighbor Settings	61
Route Redistribution Settings	62
Static/Default Route Settings	63
IPv4 Static/Default Route Settings	63
IPv6 Static/Default Route Settings	65
Route Preference Settings	66
Gratuitous ARP Settings	67
Static ARP Settings	68
DHCP Auto Configuration Settings	69
DHCP/BOOTP Relay	69
DHCP / BOOTP Relay Global Settings	69
The Implementation of DHCP Information Option 82	72
DHCP/BOOTP Relay Interface Settings	73
DHCP Relay Option 60 Default Settings	73
DHCP Relay Option 60 Settings	74
DHCP Relay Option 61 Default Settings	75
DHCP Relay Option 61 Settings	75
DHCP/BOOTP Local Relay Settings	76
DHCPv6 Relay	77
DHCPv6 Relay Global Settings	77
DHCPv6 Relay Interface Settings	77
DHCP Server	79
DHCP Server Global Settings	79
DHCP Server Exclude Address Settings	80
DHCP Server Pool Settings	80
DHCP Server Dynamic Binding	83
DHCP Server Manual Binding	84
DHCPv6 Server	85
DHCPv6 Server Global Settings	85
DHCPv6 Server Pool Settings	86
DHCPv6 Server Manual Binding Settings	87
DHCPv6 Server Dynamic Binding Settings	88
DHCPv6 Server Interface Settings	89
DHCPv6 Server Excluded Address Settings	90
Filter DHCP Server	91
Filter DHCP Server Global Settings	91
Filter DHCP Server Port Settings	92
Layer 2 Protocol Tunneling Settings	93
RSPAN	94
RSPAN State Settings	94
RSPAN Settings	95
DNS Relay	97
Mapping Domain Names to Addresses	97
Domain Name Resolution	97
DNS Relay Global Settings	98
DNS Relay Static Settings	98
DNS Resolver	99
DNS Resolver Global Settings	99
DNS Resolver Static Name Server Settings	99
DNS Resolver Dynamic Name Server Table	100
DNS Resolver Static Host Name Settings	100
DNS Resolver Dynamic Host Name Table	101
SNMP Manager	102
SNMP Settings	102
Traps	102
MIBs	102
SNMP Trap Settings	103
SNMP User Table	104
SNMP View Table	106
SNMP Group Table	107
SNMP Community Table	108
SNMP Host Table	109
SNMP Engine ID	111
Trap Source Interface Settings	111
PoE	112
PoE System Settings	112
PoE Port Settings	114
sFlow	116
sFlow Global Settings	117
sFlow Analyzer Settings	117
sFlow Sampler Settings	119
sFlow Poller Settings	121
IP Multicast VLAN Replication	123
IP Multicast VLAN Replication Global Settings	123
IP Multicast VLAN Replication Settings	124
Single IP Management (SIM) Overview	127
The Upgrade to v1.61	128
Single IP vs. Switch Stacking	129
SIM Settings	129
Topology	130
Tool Tips	133
Right-click	135
Group Icon	135
Commander Switch Icon	136
Member Switch Icon	136
Candidate Switch Icon	136
Menu Bar	137
File	137
Group	137
Device	137
View	137
Help	138
Firmware Upgrade	138
Configuration Backup/Restore	138
Upload Log	139
RIP	139
RIP Version 1 Message Format	140
RIP Command Codes	140
RIP 1 Message	140
RIP 1 Route Interpretation	140
RIP Version 2 Extensions	140
RIP2 Message Format	140
RIP	140
RIP Global Settings	141
RIP Interface Settings	141
RIPng	142
RIPng Global Settings	142
RIPng Interface Settings	143
IP Tunnel Settings	144
L2 Features	146
VLANs	146
Trunking	146
IGMP Snooping	146
MLD Snooping	146
Loop-back Detection Global Settings	146
Spanning Tree	146
Forwarding & Filtering	146
LLDP	146
Q-in-Q	146
ERPS	146
DULD Settings	146
NLB Multicast FDB Settings	146
VLANs	146
VLAN Description	146
Notes about VLANs on the DGS-3400 Series	146
IEEE 802.1Q VLANs	146
802.1Q VLAN Tags	148
Port VLAN ID	149
Tagging and Untagging	150
Ingress Filtering	150
Default VLANs	150
Port-based VLANs	151
VLAN Segmentation	151
VLAN and Trunk Groups	151
Protocol VLANs	151
Static VLAN Entry	151
VLAN Trunk	153
GVRP Settings	155
Double VLANs	156
Regulations for Double VLANs	157
Double VLAN Settings	158
PVID Auto Assign	160
MAC-based VLAN Settings	161
Protocol VLAN	161
Protocol VLAN Group Settings	162
Protocol VLAN Port Settings	163
Subnet VLAN	164
Subnet VLAN Settings	165
VLAN Precedence Settings	165
Trunking	167
Understanding Port Trunk Groups	167
Link Aggregation	168
LACP Port Settings	171
IGMP Snooping	173
IGMP Snooping Settings	173
Router Port Settings	175
IGMP Snooping Static Group Settings	177
ISM VLAN Settings	178
Restrictions and Provisos	179
Limited IP Multicast Address Range Settings	181
MLD Snooping	183
MLD Control Messages	183
MLD Snooping Settings	183
MLD Router Port Settings	186
Loop-back Detection Global Settings	188
Spanning Tree	190
802.1Q-2005 MSTP	190
802.1D-2004 Rapid Spanning Tree	190
Port Transition States	191
Edge Port	191
P2P Port	191
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	191
STP Bridge Global Settings	192
MST Configuration Identification	194
MSTP Port Information	197
STP Instance Settings	199
STP Port Settings	200
Forwarding & Filtering	202
Unicast Forwarding	202
Multicast Forwarding	202
Multicast Filtering Mode	203
LLDP	204
LLDP Global Settings	205
Basic LLDP Port Settings	206
802.1 Extension LLDP Port Settings	207
802.3 Extension LLDP Port Settings	209
LLDP Management Address Settings	211
LLDP Statistics	213
LLDP Management Address Table	214
LLDP Local Port Table	214
LLDP Remote Port Table	217
Q-in-Q	219
Q-in-Q Settings	219
VLAN Translation Settings	220
ERPS	221
ERPS Global Settings	221
ERPS RAPS VLAN Settings	222
DULD Settings	225
NLB Multicast FDB Settings	227
QoS	229
802.1p Settings	229
Bandwidth Control	229
HOL Prevention Settings	229
Schedule Settings	229
QoS	229
The Advantages of QoS	229
Understanding QoS	230
Understanding IEEE 802.1p Priority	232
802.1p Settings	232
802.1p Default Priority Settings	233
802.1p User Priority Settings	234
Bandwidth Control	235
Bandwidth Control Settings	235
Per Queue Bandwidth Control Settings	237
HOL Prevention Settings	239
Schedule Settings	239
QoS Output Scheduling Settings	239
Configuring the Combination Queue	241
QoS Scheduling Mechanism Settings	241
ACL (Access Control List)	244
Time Range	244
Access Profile Table	244
ACL Flow Meter	244
CPU Interface Filtering	244
Time Range	244
Access Profile Table	245
ACL Flow Meter	263
CPU Interface Filtering	267
CPU Interface Filtering State	267
CPU Interface Filtering Table	268
Security	284
Authorization Attributes State Settings	284
Traffic Control	284
Port Security	284
IP-MAC-Port Binding	284
802.1X	284
Web-based Access Control (WAC)	284
Trust Host	284
BPDU Attack Protection Settings	284
ARP Spoofing Prevention Settings	284
Access Authentication Control	284
MAC-based Access Control (MAC)	284
Safeguard Engine	284
Traffic Segmentation	284
Secure Socket Layer (SSL)	284
Secure Shell (SSH)	284
Compound Authentication	284
Japanese Web-based Access Control (JWAC)	284
Authorization Attributes State Settings	284
Traffic Control	285
Port Security	287
Port Security Settings	287
Port Security Entries	288
IP-MAC-Port Binding	289
IMPB Global Settings	291
IMPB Port Settings	292
IMPB Entry Settings	294
DHCP Snoop Entries	295
MAC Block List	296
ND Snoop Entries	296
802.1X	297
802.1X Port-based and Host-based Access Control	297
Authentication Server	297
Authenticator	298
Client	298
Authentication Process	299
Understanding 802.1X Port-based and MAC-based Network Access Control	299
Port-based Network Access Control	300
MAC-Based Network Access Control	301
Guest VLANs	302
Limitations Using the Guest VLAN	302
802.1X Port Settings	302
Guest VLAN Settings	305
Authentication RADIUS Server Settings	306
802.1X User Settings	307
Initialize Port(s)	308
Reauthenticate Port(s)	309
Web-based Access Control (WAC)	311
Conditions and Limitations	311
WAC Global Settings	312
WAC Port Settings	313
WAC User Account	315
WAC Authentication State	316
Trust Host	317
BPDU Attack Protection Settings	319
ARP Spoofing Prevention Settings	320
Access Authentication Control	321
Authentication Policy and Parameter Settings	323
Application's Authentication Settings	323
Authentication Server Group	324
Authentication Server Host	325
Login Method Lists	327
Enable Method Lists	328
Configure Local Enable Password	330
Enable Admin	331
RADIUS Accounting Settings	332
MAC-based Access Control (MAC)	334
Notes about MAC-based Access Control	334
MAC-based Access Control Global Settings	334
MAC-based Access Control Local MAC Settings	337
Safeguard Engine	338
Safeguard Engine Settings	339
Traffic Segmentation	340
Secure Socket Layer (SSL)	341
SSL	342
Secure Shell (SSH)	343
SSH Server Configuration	344
SSH Authentication Mode and Algorithm Settings	345
SSH User Authentication Mode	347
Compound Authentication	348
Any (MAC, 802.1X, WAC or JWAC) Mode	348
802.1X + IMPB Mode	349
IMPB + JWAC Mode	349
Compound Authentication Global Settings	349
Compound Authentication Settings	350
Authentication Guest VLAN Settings	352
Japanese Web-based Access Control (JWAC)	353
JWAC Global Settings	353
JWAC Port Settings	356
JWAC User Account	359
JWAC Authentication State	360
JWAC Customize Page Language Settings	361
JWAC Customize Page	362
Monitoring	363
Device Status	363
Stacking Information	363
Stacking Device	363
Module Information	363
DRAM & Flash Utilization	363
CPU Utilization	363
Port Utilization	363
Packets	363
Errors	363
Packet Size	363
Browse Router Port	363
Browse MLD Router Port	363
VLAN Status	363
VLAN Status Port	363
Port Access Control	363
MAC Address Table	363
IGMP Snooping Group	363
IGMP Snooping Data Driven Group	363
MLD Snooping Group	363
MLD Snooping Data Driven Group	363
Trace Route	363
Switch Logs	363
Browse ARP Table	363
Session Table	363
IP Forwarding Table	363
Routing Table	363
MAC-based Access Control Authentication Status	363
Device Status	363
Stacking Information	364
Stacking Device	365
Module Information	365
DRAM & Flash Utilization	366
CPU Utilization	367
Port Utilization	368
Packets	369
Received (RX)	369
UMB Cast (RX)	371
Transmitted (TX)	373
Errors	375
Received (RX)	375
Transmitted (TX)	377
Packet Size	379
Browse Router Port	381
Browse MLD Router Port	382
VLAN Status	382
VLAN Status Port	383
Port Access Control	383
Authenticator State	383
Authenticator Statistics	384
Authenticator Session Statistics	384
Authenticator Diagnostics	385
RADIUS Authentication	385
RADIUS Account Client	385
MAC Address Table	387

Match case Limit results 1 per page

xStack

DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch

285

packets. An example of this is that a malicious user can perform DoS attacks by statically

configuring the ARP table on their PC. In this case, the Switch cannot block such attacks

because the PC will not send out ARP packets.

Allow Zero IP

Use the pull-down menu to enable or disable this feature. Once enabled, the Switch will allow

ARP packets with a Source IP of 0.0.0.0 to pass through.

This is useful in some scenarios when a client (for example, a wireless Access Point,) sends

out an ARP request packet before accepting the IP address from a DHCP server. In this case,

the ARP request packet sent out from the client will contain a Source IP of 0.0.0.0. The Switch

will need to allow such packets to pass, or else the client cannot know if there is another

duplicate IP address in the network.

Forward DHCP PKT

By default, the Switch will forward all DHCP packets. However, if the port state is set to Strict,

all DHCP packets will be dropped. In that case, select

Enable

so that the port will forward

DHCP packets even under Strict state. Enabling this feature also ensures that DHCP snooping

works properly.

Mode

Use the pull-down menu to select ARP or ACL mode.

ARP Mode

– When selecting this mode, the Switch will perform ARP Packet Inspection only

and no ACL rules will be used.

ACL Mode

– When selecting this mode, the Switch will perform IP Packet Inspection in

addition to ARP Packet Inspection. ACL rules will be used under this mode.

Stop Learning

Threshold (0-500)

Whenever a MAC address is blocked by the Switch, it will be recorded in the Switch’s L2

Forwarding Database (FDB) and associated with a particular port. To prevent the Switch FDB

from overloading in case of an ARP DoS attack, the administrator can configure the threshold

when a port should stop learning illegal MAC addresses.

Enter a Stop Learning threshold between

and

500

. Entering 500 means the port will enter the

Stop Learning state after 500 illegal MAC entries and will not allow additional MAC entries,

both legal or illegal, to be learned on this port. In the Stop Learning state, the port will also

automatically purge all blocked MAC entries on this port. Traffic from legal MAC entries are still

forwarded.

Entering

means no limit has been set and the port will keep learning illegal MAC addresses.

Recover Learning

This feature can only be applied when a port is already in Stop Learning state. Check

Normal

to recover the port back to normal state, under which the port will start learning both illegal and

legal MAC addresses again.

Selecting this feature when the port is in Normal state will do nothing.

Max Entry (1-50)

Specifies the maximum number of dynamic (DHCP snooped) IP-MAC-Port Binding entries that

can be learned on the port. Enter a value between

to restrict dynamic IMPB entries on

this port.

By default, the-per port max entry has No Limit.

Click

Apply

to implement the changes.

IMPB Entry Settings

The table on this window, which is also known as the “IMPB white list,” is used to create Static IP-MAC-Port Binding entries on

the Switch.

To view this window, click

Security > IP-MAC-Port Binding > IMPB Entry Settings

, as shown below.