Home » ZyXEL Manuals » Networking » ZyXEL ES-2108PWR » Manual Viewer

ZyXEL ES-2108PWR User Guide - Page 165

IP Source Guard

Add to My Manuals
Save this manual to your list of manuals

Page 165 highlights

CHAPTER 21 IP Source Guard Use IP source guard to filter unauthorized ARP packets in your network. 21.1 IP Source Guard Overview IP source guard uses a binding table to distinguish between authorized and unauthorized ARP packets in your network. A binding contains these key attributes: • MAC address • VLAN ID • IP address • Port number When the Switch receives an ARP packet, it looks up the appropriate MAC address, VLAN ID, IP address, and port number in the binding table. If there is a binding, the Switch forwards the packet. If there is not a binding, the Switch discards the packet. The Switch builds from information provided manually by administrators (static bindings). IP source guard consists of the following features: • Static bindings. Use this to create static bindings in the binding table. • ARP inspection. Use this to filter unauthorized ARP packets on the network. 21.1.1 ARP Inspection Overview Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent many kinds of man-in-the-middle attacks, such as the one in the following example. Figure 90 Example: Man-in-the-middle Attack A B X ES-2108 Series User's Guide 165

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	21
List of Tables	25
Introduction	29
Getting to Know Your Switch	31
1.1 Introduction	31
1.1.1 Backbone Application	31
1.1.2 Bridging Example	32
1.1.3 High Performance Switched Example	33
1.1.4 IEEE 802.1Q VLAN Application Examples	33
1.2 Ways to Manage the Switch	34
1.3 Good Habits for Managing the Switch	35
Hardware Installation and Connection	37
2.1 Freestanding Installation	37
2.2 Mounting the Switch on a Rack	38
2.2.1 Rack-mounted Installation Requirements	38
2.2.2 Attaching the Mounting Brackets to the Switch	38
2.2.3 Mounting the Switch on a Rack	39
2.3 Wall-mounting Installation	39
Hardware Overview	41
3.1 Front Panel Connection	41
3.1.1 Console Port	43
3.1.2 Ethernet Ports	43
3.1.3 Fast Ethernet SFP Slot	44
3.1.4 Mini-GBIC Slot	44
3.1.5 100 Base-FX Fiber-Optic Port	45
3.2 Rear Panel	46
3.2.1 Power Connections	46
3.3 LEDs	47
Basic Configuration	49
The Web Configurator	51
4.1 Introduction	51
4.2 System Login	51
4.3 The Status Screen	52
4.3.1 Change Your Password	56
4.4 Saving Your Configuration	57
4.5 Switch Lockout	57
4.6 Resetting the Switch	58
4.6.1 Reload the Factory-default Configuration File	58
4.7 Logging Out of the Web Configurator	59
4.8 Help	59
Initial Setup Example	61
5.1 Overview	61
5.1.1 Creating a VLAN	61
5.1.2 Setting Port VID	63
5.1.3 Configuring the Management IP Address	63
System Status and Port Statistics	65
6.1 Port Status Overview	65
6.1.1 Status: Port Details	66
Basic Setting	71
7.1 Overview	71
7.2 System Information	71
7.3 General Setup	73
7.4 Introduction to VLANs	75
7.5 Switch Setup Screen	76
7.6 IP Setup	78
7.6.1 Management IP Addresses	78
7.7 Port Setup	80
Advanced Setup	85
VLAN	87
8.1 Introduction to IEEE 802.1Q Tagged VLAN	87
8.1.1 Forwarding Tagged and Untagged Frames	87
8.2 Automatic VLAN Registration	88
8.2.1 GARP	88
8.2.2 GVRP	88
8.3 Port VLAN Trunking	89
8.4 Select the VLAN Type	89
8.5 Static VLAN	89
8.5.1 Static VLAN Status	90
8.5.2 Static VLAN Details	90
8.5.3 Configure a Static VLAN	91
8.5.4 Configure VLAN Port Settings	92
8.6 Port Based VLAN Setup	94
8.6.1 Configure a Port-based VLAN	94
Static MAC Forwarding	97
9.1 Overview	97
9.2 Configuring Static MAC Forwarding	97
Filtering	99
10.1 Configure a Filtering Rule	99
Spanning Tree Protocol	101
11.1 STP/RSTP Overview	101
11.1.1 STP Terminology	101
11.1.2 How STP Works	102
11.1.3 STP Port States	103
11.1.4 Multiple STP	103
11.2 Spanning Tree Protocol Status Screen	106
11.3 Spanning Tree Configuration	106
11.4 Configure Rapid Spanning Tree Protocol	107
11.5 Rapid Spanning Tree Protocol Status	108
11.6 Configure Multiple Spanning Tree Protocol	109
11.7 Multiple Spanning Tree Protocol Status	112
Bandwidth Control	115
12.1 Bandwidth Control Setup	115
Broadcast Storm Control	117
13.1 Broadcast Storm Control Setup	117
Mirroring	119
14.1 Port Mirroring Setup	119
Link Aggregation	121
15.1 Link Aggregation Overview	121
15.2 Dynamic Link Aggregation	121
15.2.1 Link Aggregation ID	122
15.3 Link Aggregation Control Protocol Status	122
15.4 Link Aggregation Setup	123
15.5 Link Aggregation Control Protocol	124
15.6 Static Trunking Example	125
Port Authentication	127
16.1 Port Authentication Overview	127
16.1.1 IEEE 802.1x Authentication	127
16.2 Port Authentication Configuration	128
16.2.1 Activate IEEE 802.1x Security	128
Port Security	131
17.1 Port Security Overview	131
17.2 Port Security Setup	131
17.3 Port Security Example	133
Queuing Method	135
18.1 Queuing Method Overview	135
18.1.1 Strict Priority Queuing (SPQ)	135
18.1.2 Weighted Round Robin Scheduling (WRR)	135
18.2 Configuring Queuing Method	136
Multicast	137
19.1 Multicast Overview	137
19.1.1 IP Multicast Addresses	137
19.1.2 IGMP Filtering	137
19.1.3 IGMP Snooping	137
19.1.4 IGMP Snooping and VLANs	138
19.2 Multicast Status	138
19.3 Multicast Setting	138
19.4 IGMP Snooping VLAN	140
19.5 IGMP Filtering Profile	142
19.6 MVR Overview	143
19.6.1 Types of MVR Ports	144
19.6.2 MVR Modes	144
19.6.3 How MVR Works	144
19.7 General MVR Configuration	145
19.8 MVR Group Configuration	146
19.8.1 MVR Configuration Example	148
Authentication & Accounting	151
20.1 Authentication, Authorization and Accounting	151
20.1.1 Local User Accounts	151
20.1.2 RADIUS and TACACS+	152
20.2 Authentication and Accounting Screens	152
20.2.1 RADIUS Server Setup	152
20.2.2 TACACS+ Server Setup	154
20.2.3 Authentication and Accounting Setup	156
20.2.4 Vendor Specific Attribute	159
20.3 Supported RADIUS Attributes	160
20.3.1 Attributes Used for Authentication	161
20.3.2 Attributes Used for Accounting	161
IP Source Guard	165
21.1 IP Source Guard Overview	165
21.1.1 ARP Inspection Overview	165
21.2 IP Source Guard	167
21.3 IP Source Guard Static Binding	167
21.4 ARP Inspection Status	169
21.4.1 ARP Inspection Log Status	169
21.5 ARP Inspection Configure	170
21.5.1 ARP Inspection Port Configure	172
21.5.2 ARP Inspection VLAN Configure	173
Loop Guard	175
22.1 Loop Guard Overview	175
22.2 Loop Guard Setup	177
IP Application	179
Static Route	181
23.1 Static Routing Overview	181
23.2 Configuring Static Routing	181
Differentiated Services	185
24.1 DiffServ Overview	185
24.1.1 DSCP and Per-Hop Behavior	185
24.1.2 DiffServ Network Example	185
24.2 Activating DiffServ	186
24.3 DSCP-to-IEEE802.1p Priority Mapping Settings	187
24.3.1 Configuring DSCP Settings	187
DHCP	189
25.1 DHCP Overview	189
25.1.1 DHCP Modes	189
25.1.2 DHCP Configuration Options	189
25.2 DHCP Status	189
25.3 DHCP Relay	190
25.3.1 DHCP Relay Agent Information	190
25.3.2 Configuring DHCP Global Relay	191
25.3.3 Global DHCP Relay Configuration Example	192
25.4 Configuring DHCP VLAN Settings	192
25.4.1 Example: DHCP Relay for Two VLANs	194
Management	195
Maintenance	197
26.1 The Maintenance Screen	197
26.2 Load Factory Default	198
26.3 Save Configuration	198
26.4 Reboot System	199
26.5 Firmware Upgrade	199
26.6 Restore a Configuration File	199
26.7 Backup Configuration File	200
26.8 FTP Command Line	200
26.8.1 Filename Conventions	201
26.8.2 FTP Command Line Procedure	201
26.8.3 GUI-based FTP Clients	202
26.8.4 FTP Restrictions	202
Access Control	203
27.1 Access Control Overview	203
27.2 The Access Control Main Screen	203
27.3 About SNMP	204
27.3.1 SNMP v3 and Security	205
27.3.2 Supported MIBs	205
27.3.3 SNMP Traps	205
27.3.4 Configuring SNMP	208
27.3.5 Configuring SNMP Trap Group	210
27.4 Setting Up Login Accounts	211
27.5 SSH Overview	213
27.6 How SSH works	213
27.7 SSH Implementation on the Switch	214
27.7.1 Requirements for Using SSH	214
27.7.2 SSH Login Example	215
27.8 Introduction to HTTPS	215
27.9 HTTPS Example	216
27.9.1 Internet Explorer Warning Messages	216
27.9.2 Netscape Navigator Warning Messages	217
27.9.3 The Main Screen	218
27.10 Service Port Access Control	218
27.11 Remote Management	219
Diagnostic	221
28.1 Diagnostic	221
Syslog	223
29.1 Syslog Overview	223
29.2 Syslog Setup	223
29.3 Syslog Server Setup	224
Cluster Management	227
30.1 Clustering Management Status Overview	227
30.2 Clustering Management Status	228
30.2.1 Cluster Member Switch Management	229
30.3 Clustering Management Configuration	230
MAC Table	233
31.1 MAC Table Overview	233
31.2 Viewing the MAC Table	234
ARP Table	235
32.1 ARP Table Overview	235
32.1.1 How ARP Works	235
32.2 Viewing the ARP Table	235
Configure Clone	237
33.1 Configure Clone Settings	237
Troubleshooting and Appendices	239
Troubleshooting	241
34.1 Problems Starting Up the Switch	241
34.2 Problems Accessing the Switch	241
34.2.1 Pop-up Windows, JavaScripts and Java Permissions	242
34.3 Problems with the Password	247
Product Specifications	249
IP Addresses and Subnetting	257
Legal Information	267
Customer Support	271