Home » D-Link Manuals » Hubs & Switches » D-Link DGS-6600-48TS » Manual Viewer

D-Link DGS-6600-48TS Configuration Guide - Page 472

IP Source Guard, Overview, An Introduction to IP Source Guard

Get D-Link DGS-6600-48TS PDF manuals and user guides

View all D-Link DGS-6600-48TS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 472 highlights

Volume 8-Security & Authentication / Chapter 46-IP Source Guard Chapter Overview Chapter 46 IP Source Guard Chapter Overview The following topics are included in this chapter, please go to the topic for more detailed information: • Chapter Overview • An Introduction to IP Source Guard • IP Source Guard Configuration Commands • ip verify source vlan dhcp-snooping port-security • ip source binding An Introduction to IP Source Guard IP Source Guard is a security application used on edge switches are usually directly connected to hosts. IP Source Guard provides administrators to configure pairs of MAC and IP addresses that are allowed to access networks through the switch. IP Source Guard binds together the network layer, which uses an IP address, and the Ethernet link layer, which uses a MAC address, to authenticate packets from host. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports. In IP Source Guard, all IP packets will be drop by default ACL rule if enable IP Source Guard. While user enables IP Source Guard will use ACL rules to authorize IP packet. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. All L2 packets will be drop before IP packet with same MAC address authorized by IP source guard. The key of IP Source Guard database is MAC address and VLAN. When user configures (IP, MAC, VLAN, Port) in IP Source Guard will add a ACL permit rule. The IP packets received by switch not match the IP Source Guard database will be blocked by the ACL deny rule and the non-IP packets will be passed. If the IP Source Guard is disabled, all ACL deny and permit rules which configure by user will be removed from the hardware ACL table. Each permit and deny rule of ACL will use a double wide slice (two single wide slices) to add rules. So if ACL has no enough slices even has enough entries to enable IP source guard or config static IP source guard entry, config will be failed and prompt warning message under this situation. While user configures an IP Source guard static entry then FDB will add a dynamic entry. If user config a static FDB entry and the MAC address is conflict with IP source guard entry before this dynamic FDB entry age out, then static FDB entry will not be add and prompt message. If the dynamic FDB entry that IP source guard is age out, then static FDB entry will be add success. If user configure a static entry of IP source guard and conflict with static FDB will log and prompt error message then this configure will fail. If user config a static ARP entry confilict with the IP address of IP source guard entry, then static ARP entry will be replease the entry that IP source guard configure. If user configure a static entry of IP source guard and conflict with the IP address of static ARP will log and prompt error message then this configure will fail. If the sender of the packet is an authorized client, the packets sent from this client will be forwarded. While user configures a static entry to IP Source Guard, if the HW ACL table has no enough entry or DGS-6600 Configuration Guide 472

Section	Page
DGS-6600 Configuration Guide v1.0.pdf	3
Audience	3
Related Documentation	3
Typographical Conventions	3
Notes, Notices, and Cautions	4
Table of Contents	5
DGS-6600 Series Switch Product Summary	18
Chapter Overview	18
An Introduction to the DGS-6600 Series Switch	18
Components and Hardware	19
Chassis	20
Module Plug-in Frame	20
Module List	21
Supported User Interfaces	24
Quick Start	25
Chapter Overview	25
An Introduction to Quickly Setting Up the DGS-6600 Series Switch	25
Preparation for Installation	25
Static Discharge Damage Prevention	26
Moving the Device	26
System Grounding Requirements	27
Simple Grounding Steps	28
Installation Site Requirements	28
Ventilation Requirements	28
Removing and Installing Modules from the DGS-6600 Series Switch	29
Removing Modules from the DGS-6600	29
Installing Modules in the DGS-6604 & DGS-6608	29
Configuring the Connection To The Switch	30
Connecting a Terminal to the Console Port	30
SNMP-Based Management	30
Part 1- Configuration Fundamentals	31
Command-Line Interface (CLI)	32
Command-Line Interface Overview	32
An Introduction to the Command-Line Interface	32
Command Mode and User Privilege Level	32
User EXEC Mode Configuration Commands	35
Help Features	38
Editing Features	40
Using Abbreviated Commands	41
Error Messages	42
Command Prompt	43
Login Banner	46
Establishing a Telnet Connection to a Remote Device	47
Common Parameter Syntax Conventions	48
Allowed Character Strings And String Examples	49
Time and Date Configuration	50
Calendar Dates	50
Time	51
Countdown Timer	51
Accessing the Command Line Interface	52
Chapter Overview	52
An Introduction to Accessing the Switch Using a Console Connection	52
Accessing the Switch Using a Telnet Connection	54
Enabling the Telnet Service	55
Configuring the Telnet Service Port	55
Specifying Telnet Terminals	55
Displaying Trusted Host Telnet Terminals	56
Closing an Active Terminal Session	56
Terminal Settings	56
Configuring the Number of Lines Displayed on Terminal Screen	56
Configuring the Max Number of Characters Displayed per Terminal Line	57
Configuring the Terminal Timeout	58
List of Constants and Default Settings	58
User Account Configuration	59
Chapter Overview	59
An Introduction to Configuring User Accounts	59
Creating User Accounts with Different Privilege Levels	59
Creating User Accounts	59
Displaying the User Accounts Setup on the Switch	60
Displaying Active User Sessions on the Switch	61
Creating and Configuring Enabled Passwords	61
Creating an Enabling Password	61
Displaying Enabled Passwords	62
Logging into the Switch with a Different User Account	62
Encrypting Passwords	63
List of Constants and Default Settings	64
Accessing the Web Interface (Web UI)	65
Chapter Overview	65
An Introduction to Accessing the Switch using the Web Interface	65
Configuration Commands	65
List of Constants and Default Settings	67
Time Configuration	68
Chapter Overview	68
An Introduction to Time Configuration	68
Configuration Commands	68
Manual Configuration of Time	68
Automatic Configuration of Time	69
Configuring Summer Time	70
List of Constants and Default Settings	71
DGS-6600 Default Metric	73
Chapter Overview	73
Part 2- Interface and Hardware Configurations	74
Interface Configuration	75
Chapter Overview	75
An Introduction to Interface Configuration	76
Identification of an Interface	76
Switch Port Interface	76
Port Channel Interface	76
VLAN Interface	76
Out-of-Band (OOB) Management Port Interface	76
Configuration Commands	77
Entering Interface Configuration Mode	77
Adding a Description to an Interface	77
Removing a Description from an Interface	78
Displaying Interface Status	78
Configuring Switch Port Interfaces	79
Configuring Duplex Mode	80
Configuring Flow Control	80
Configuring Speed	80
Shutting Down an Interface	81
Configuring the Maximum Allowed Frame Size	81
Configuring the MTU	82
Clearing Counters	82
Configuring VLAN Interfaces	83
Configuring the MTU on a VLAN Interface	83
Configuring the OOB Management Interface	83
Configuring an IP Address on the Management Interface	84
Configuring a Default Gateway on the OOB Management Interface	84
Configuring the IP MTU on the OOB Management Interface	85
Configuring an IPv6 Address on the OOB Management Interface	85
Configuring a IPv6 Default Gateway on the OOB Management Interface	86
Shutting Down the Management Interface	86
Displaying the OOB Management Port Interface Status	87
List of Constants and Default Settings	87
Part 3- Layer 2 Configurations	88
VLAN Configuration	89
Chapter Overview	89
An Introduction to VLAN	89
Packet Classification	90
VLAN Configuration Commands	90
Configuration Examples	96
VLAN Configuration Examples	96
Relations with Other Modules	98
List of Constants and Default Settings	98
VLAN Tunneling	99
Chapter Overview	99
An Introduction to VLAN Tunneling	99
VLAN Encapsulation	100
VLAN Remarking	101
CoS Remarking	101
Packet Forwarding Flow	101
UNI to NNI or UNI to UNI Forwarding	102
NNI to UNI or NNI to NNI Forwarding	104
VLAN Tunneling Configuration Commands	107
Configuration Examples	112
QinQ Configuration Example	112
List of Constants and Default Settings	116
GARP VLAN Registration Protocol (GVRP) Configuration	117
Chapter Overview	117
An Introduction to GARP	117
GARP Configuration Commands	117
List of Constants and Default Settings	123
MAC Address Tables	124
Chapter Overview	124
An Introduction to Mac Address Tables	124
Mac Address Configuration Commands	124
Relations with Other Modules	127
List of Constants and Default Settings	127
Spanning Tree Protocol (STP) Configuration	128
Chapter Overview	128
An Introduction to Spanning Tree Protocol	128
Spanning Tree Protocol (STP) Concepts	128
Rapid Spanning Tree Protocol (RSTP) Concepts	132
Multiple Spanning Tree Protocol Concepts	133
STP Configuration Commands	134
Configuring a Single Spanning Tree Instance	139
Configuring Multiple Spanning Tree Instances	142
Configuring Optional Features	147
Configuration Examples	149
RSTP Configuration example	149
MSTP Configuration Example	152
List of Constants and Default Settings	157
Link Aggregation	158
Chapter Overview	158
An Introduction to Port Channel Groups and LACP	158
Load Balancing	159
Load Balance Hash Algorithm	159
Port and System Priority	160
Link Aggregation Configuration Commands	160
Configuration Examples	163
Link Aggregation Configuration Example	163
Relations with Other Modules	165
List of Constants and Default Settings	165
Proxy ARP	166
Chapter Overview	166
An Introduction to Proxy ARP	166
Operation Concept	166
Parameters	166
Per Interface parameter	167
Sanity checks for ARP request	167
Acceptable route	167
Proxy ARP Configuration Commands	167
Super VLAN	169
Chapter Overview	169
An Introduction to Super VLAN Overview	169
Super VLAN Configuration Commands	170
Configuration Examples	171
Super VLAN Configuration Examples	171
List of Constraints & restrictions	173
List of Constants	173
Voice VLAN	174
Chapter Overview	174
An Introduction to Voice VLAN	174
Voice VLAN Configuration commands	178
Configuration Examples	180
Voice VLAN Configuration Example	180
Ethernet Ring Protection Switching (ERPS)	182
Chapter Overview	182
An Introduction to ERPS	182
Configuration Example	186
ERPS Configuration Example	186
Relationship with other modules	191
Part 4- Layer 3 Configurations	193
IPv4 Basics	194
Chapter Overview	194
An Introduction to IPv4	194
IPv4 Basics	194
Subnet Masks	195
IPv4 Address Assignment on the DGS-6600 Series Switch	195
IPv4 Basic Configuration Commands	196
Configuration Example	197
Basic Routing (IPV4) Configuration Example	197
IPv4 Static Route Configuration	199
Chapter Overview	199
An Introduction to IPv4 Static Routing	199
IPv4 Static Routing Configuration Commands	199
Configuration Example	201
Static Routing (IPV4) Configuration Example	201
Routing Information Protocol (RIP)	204
Chapter Overview	204
An Introduction to RIP	204
RIP Configuration Commands	205
Configuration Examples	213
RIP Configuration Example	213
List of Constants and Default Settings	216
Open Shortest Path First (OSPF)	217
Chapter Overview	217
An Introduction to OSPF	217
OSPF Configuration Commands	218
Basic Commands and Functions	218
Generating a Default Route	226
Redistributing Routes to OSPF	227
Displaying Border Routers	230
Restarting OSPF	238
Configuration Examples	239
OSPFv2 Configuration (Basic) Example	239
OSPFv2 Configuration Example 2	241
List of Constants and Default Settings	247
ECMP	248
Chapter Overview	248
An Introduction to ECMP	248
ECMP Overview	248
Configuring ECMP	249
IPv6 Basics	250
Chapter Overview	250
An introduction to Internet Protocol Version 6 (IPv6) Basics	250
IPv6 Configuration Commands	253
IPv6 Static Route Configuration	256
Chapter Overview	256
An Introduction to IPv6 Static Route Configuration	256
IPv6 Static Route Configuration Commands	257
Configuration Example	258
IPv6 Static Route Configuration Example	258
Routing Information Protocol Next Generation (RIPng)	261
Chapter Overview	261
An Introduction to RIPng	261
RIPng Configuration Commands	266
Configuration Examples	267
RIPng Configuration Example	267
Limitations	269
Open Shortest Path First Version 3 (OSPFv3)	271
Chapter Overview	271
An Introduction to OSPFv3	271
OSPFv3 Configuration Commands	279
Configuration Examples	280
OSPFv3 Configuration Example	280
Limitations	283
Behavior	283
IPv6 Tunneling	285
Chapter Overview	285
An Introduction to IPv6 Tunneling	285
Operation concept	285
IPv6 Tunneling Configuration Commands	287
Configuration Examples	287
IPv6 tunneling manual Configuration Example	287
IPv6 tunneling 6to4 Configuration Example	289
IPv6 tunneling ISATAP Configuration Example	291
Border Gateway Protocol (BGP)	293
Chapter Overview	293
An Introduction to BGP	293
BGP Configuration commands	294
Configuration Examples	324
BGP Configuration Example	324
Policy Based Route Map (PBR)	331
Chapter Overview	331
An Introduction to Policy Based Route Map	331
PBR Configuration Commands	333
Usage Guideline	334
Configuration example	335
PBR Configuration Example	335
Virtual Router Redundancy Protocol (VRRP)	339
Chapter Overview	339
An introduction to VRRP	339
VRRP Configuration Commands	343
Configuration Example	344
VRRP Configuration Example	344
Part 5- Multiprotocol Label Switching (MPLS)	349
Multiprotocol Label Switching (MPLS)	350
Chapter Overview	350
An Introduction to MPLS Authentication	350
MPLS Operation	350
MPLS Configuration Commands	351
Configuration Examples	354
MPLS, LDP (Dynamic Label) Configuration Example	354
MPLS (Static Label) Configuration Example	358
MPLS QoS Configuration Example	362
Configuration Restrictions	367
Virtual Private Wire Service (VPWS)	368
Chapter Overview	368
An Introduction to VPWS (Virtual Pseudo Wire Service)	368
VPWS Configuration Commands	369
Configuration examples	370
Configuring a VPWS	370
Configuration Restrictions and constants	372
Virtual Private Lan Services (VPLS)	373
Chapter Overview	373
An Introduction to VPLS	373
VPLS Configuration Commands	375
Configuration Examples	377
MPLS - VPLS Configuration Example	377
Configuration Restrictions and Constants	381
Part 6- Quality of Service (QoS)	382
Quality of Service (QoS)	383
Chapter Overview	383
An Introduction to QoS	383
Policing and Color Markers	384
QoS Configuration Commands	384
Scheduling	387
Defining the Policing	388
Configuration Examples	393
Configuring QoS Examples	393
QOS Strict Mode Configuration Example	394
QOS WRR Mode Configuration Example	396
Part 7- Multicast Configurations	398
Multicast Configuration	399
Chapter Overview	399
An Introduction to Multicast	399
Multicast Filter Mode Configuration Commands	400
PIM	401
Configuration Examples	403
PIM-DM configuration Examples	403
PIM-SM Configuration Example	405
DVMRP Configuration Example	408
IGMP Snooping Configuration Example	411
Part 8- Security & Authentication	413
Access Control Lists (ACL)	414
Chapter Overview	414
An Introduction to Access Control Lists	414
Configuration Overview	415
ACL Configuration Commands	417
Configuring Access Control Lists	418
Applying Access Control Lists to Interfaces	423
Configuration Examples	425
ACL Configuration Example	425
List of Constants and Default Settings	427
Authentication, Authorization and Accounting (AAA) Configuration	428
Chapter Overview	428
An Introduction to AAA Configuration	428
AAA Configuration Commands	429
Configuring AAA Server Groups	429
List of Constants and Default Settings	432
802.1X Authentication	433
Chapter Overview	433
An Introduction to 802.1X Authentication	434
Port-based and Host-based Access Control	435
802.1X Configuration Commands	435
Configuring 802.1X Authentication	435
Displaying 802.1X Configuration and Status	443
Configuration Examples	446
802.1x Guest VLAN Configuration Example	446
Relations with Other Modules	448
List of Constants and Default Settings	449
DoS Protection	450
Chapter Overview	450
An Introduction to DoS Protection	450
DoS Prevention Overview	450
Architecture	450
Operation Concepts	451
Mechanism	451
Actions	451
Attack Types	451
Configuration Commands	452
Configuration Examples	453
Parameters	454
Dynamic ARP Inspection	455
Chapter Overview	455
An Introduction to Dynamic ARP Inspection	455
Dynamic ARP Inspection Configuration Commands	456
DHCP Server Screening	458
Chapter Overview	458
An introduction to DHCP Server Screening Configuration	458
DHCP Server Screening	459
DHCP Server Screening Operating Concept	459
DHCP Server Screening/Client Filtering Configuration Commands	460
Configuring DHCP Server Screening/Client Filtering	460
DHCP Server Screening Default Settings	463
DHCP Server Screening Limitation	463
DHCP Snooping Configuration	464
Chapter Overview	464
An Introduction to DHCP Snooping	464
DHCP Operation concept	465
DHCP Snooping Configuration Commands	465
Port Security	469
Chapter Overview	469
An Introduction to Port Security Configuration	469
Port Security Configuration Commands	470
Relations with Other Modules	470
List of Constants and Default Settings	471
IP Source Guard	472
Chapter Overview	472
An Introduction to IP Source Guard	472
IP Source Guard Configuration Commands	473
Safeguard Engine Settings	475
Chapter Overview	475
An Introduction to Safeguard Engine Settings	475
Configuration Commands	477
Configuration Command Examples	477
Traffic Segmentation Configuration	479
Chapter Overview	479
An Introduction to Traffic Segmentation	479
Traffic Segmentation Configuration Commands	479
Configuring Traffic Segmentation	479
Configuration Examples	480
Traffic Segmentation Configuration Example	480
Relations with Other Modules	482
List of Constants and Default Settings	482
Part 9- Network Application	483
DHCP Server Configuration	484
Chapter Overview	484
An Introduction to DHCP SERVER	484
Architecture	485
Operation concept	485
Selecting IP address pool	486
DHCP DISCOVER/REQUEST with 'requested IP address	486
Choosing IP address in address pool	487
Responding DHCP DISCOVER/REQUEST packet	487
Receiving DHCP DECLINE	487
Sending back DHCP packet to client	487
PING operation	487
Behavior under multi-netting	487
DHCP server and DHCP relay agent global mode	488
High availability in DHCP server	488
DHCP Server Configuration Commands	488
Configuring a DHCP Address Pool	489
Limitations	497
DHCP Relay Configuration	498
Chapter Overview	498
An Introduction to DHCP Relay Agent Operation	498
DHCP Relay Configuration Commands	500
Configuring the Relay Agent Information Option	501
Configuring Trusted Interfaces	503
List of Constants and Default Settings	505
DHCPv6 Client Configuration	506
Chapter Overview	506
An Introduction to the DHCPv6 Client	506
Operation concept	506
Protocol and Addressing	507
Basic Message Format	508
Message Types	509
Prefix Delegation	511
Restrictions	512
Rapid Commit	512
Address Information Refresh	512
DHCPv6 Configurations Commands	513
Default Settings	519
Restriction/Limitation	519
sFlow	521
Chapter Overview	521
An Introduction to sFlow	521
sFlow Design Overview	522
Configuration Commands	524
Configuration Command Examples	524
sFlow Configuration Example	525
Part 10- Network Management	527
Simple Network Management Protocol (SNMP)	528
Chapter Overview	528
An Introduction to SNMP Overview	528
User-based Security Model	529
View-based Access Control Model	529
SNMP Configuring Commands	529
Configuration Examples	537
SNMPv2 With Trap Configuration Example	537
SNMP v3 with trap Configuration Example	538
List of Constants and Default Settings	541
RMON	542
Chapter Overview	542
An Introduction to RMON	542
RMON Overview	542
Configuring rmon statistics	544
Configuration Examples	544

Match case Limit results 1 per page

Volume 8-Security & Authentication / Chapter 46-IP Source Guard

Chapter Overview

DGS-6600 Configuration Guide

472

IP Source Guard

Chapter Overview

The following topics are included in this chapter, please go to the topic for more detailed information:

•

Chapter Overview

•

An Introduction to IP Source Guard

•

IP Source Guard Configuration Commands

•

ip verify source vlan dhcp-snooping port-security

•

ip source binding

An Introduction to IP Source Guard

IP Source Guard is a security application used on edge switches are usually directly connected to

hosts. IP Source Guard provides administrators to configure pairs of MAC and IP addresses that are

allowed to access networks through the switch. IP Source Guard binds together the network layer,

which uses an IP address, and the Ethernet link layer, which uses a MAC address, to authenticate

packets from host.

The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to

hosts on untrusted Layer 2 access ports.

In IP Source Guard, all IP packets will be drop by default ACL rule if enable IP Source Guard. While

user enables IP Source Guard will use ACL rules to authorize IP packet. After a client receives an IP

address from the DHCP server, or after static IP source binding is configured by the administrator,

all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied.

All L2 packets will be drop before IP packet with same MAC address authorized by IP source guard.

The key of IP Source Guard database is MAC address and VLAN.

When user configures (IP, MAC, VLAN, Port) in IP Source Guard will add a ACL permit rule. The IP

packets received by switch not match the IP Source Guard database will be blocked by the ACL

deny rule and the non-IP packets will be passed. If the IP Source Guard is disabled, all ACL deny

and permit rules which configure by user will be removed from the hardware ACL table. Each permit

and deny rule of ACL will use a double wide slice (two single wide slices) to add rules. So if ACL has

no enough slices even has enough entries to enable IP source guard or config static IP source

guard entry, config will be failed and prompt warning message under this situation.

While user configures an IP Source guard static entry then FDB will add a dynamic entry. If user

config a static FDB entry and the MAC address is conflict with IP source guard entry before this

dynamic FDB entry age out, then static FDB entry will not be add and prompt message. If the

dynamic FDB entry that IP source guard is age out, then static FDB entry will be add success. If

user configure a static entry of IP source guard and conflict with static FDB will log and prompt error

message then this configure will fail.

If user config a static ARP entry confilict with the IP address of IP source guard entry, then static

ARP entry will be replease the entry that IP source guard configure. If user configure a static entry of

IP source guard and conflict with the IP address of static ARP will log and prompt error message

then this configure will fail.

If the sender of the packet is an authorized client, the packets sent from this client will be forwarded.

While user configures a static entry to IP Source Guard, if the HW ACL table has no enough entry or

Chapter 46