Home » ZyXEL Manuals » Hubs & Switches » ZyXEL GS1920 Series » Manual Viewer

ZyXEL GS1920 Series User Guide - Page 201

IP Source Guard

View all ZyXEL GS1920 Series manuals

Add to My Manuals
Save this manual to your list of manuals

Page 201 highlights

Chapter 25 IP Source Guard • Use the ARP Inspection Configure screen (Section 25.9 on page 215) to enable ARP inspection on the Switch. You can also configure the length of time the Switch stores records of discarded ARP packets and global settings for the ARP inspection log. • Use the ARP Inspection Port Configure screen (Section 25.9.1 on page 216) to specify whether ports are trusted or untrusted ports for ARP inspection. • Use the ARP Inspection VLAN Configure screen (Section 25.9.2 on page 218) to enable ARP inspection on each VLAN and to specify when the Switch generates log messages for receiving ARP packets from each VLAN. 25.1.2 What You Need to Know The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from information provided manually by administrators (static bindings). IP source guard consists of the following features: • Static bindings. Use this to create static bindings in the binding table. • DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to build the binding table dynamically. • ARP inspection. Use this to filter unauthorized ARP packets on the network. If you want to use dynamic bindings to filter unauthorized ARP packets (typical implementation), you have to enable DHCP snooping before you enable ARP inspection. 25.2 IP Source Guard Use this screen to look at the current bindings for DHCP snooping and ARP inspection. Bindings are used by DHCP snooping and ARP inspection to distinguish between authorized and unauthorized packets in the network. The Switch learns the bindings by snooping DHCP packets (dynamic bindings) and from information provided manually by administrators (static bindings). To open this screen, click Advanced Application > IP Source Guard. Figure 146 Advanced Application > IP Source Guard The following table describes the labels in this screen. Table 89 Advanced Application > IP Source Guard LABEL DESCRIPTION Index This field displays a sequential number for each binding. MAC Address This field displays the source MAC address in the binding. IP Address This field displays the IP address assigned to the MAC address in the binding. Lease This field displays how many days, hours, minutes, and seconds the binding is valid; for example, 2d3h4m5s means the binding is still valid for 2 days, 3 hours, 4 minutes, and 5 seconds. This field displays infinity if the binding is always valid (for example, a static binding). GS1920 Series User's Guide 201

Section	Page
GS1920 Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	17
Getting to Know Your Switch	18
1.1 Introduction	18
1.1.1 Backbone Application	19
1.1.2 Bridging Example	19
1.1.3 High Performance Switching Example	20
1.1.4 IEEE 802.1Q VLAN Application Examples	20
1.2 Ways to Manage the Switch	21
1.3 Good Habits for Managing the Switch	21
Hardware Installation and Connection	23
2.1 Installation Scenarios	23
2.2 Desktop Installation Procedure	23
2.3 Mounting the Switch on a Rack	23
2.3.1 Rack-mounted Installation Requirements	23
2.3.2 Attaching the Mounting Brackets to the Switch	24
2.3.3 Mounting the Switch on a Rack	24
Hardware Panels	26
3.1 Front Panel	26
3.1.1 Gigabit Ethernet Ports	26
3.1.2 Mini-GBIC Slots	27
3.1.3 LED Mode (only available for GS1920-48HP)	29
3.2 Rear Panel	29
3.2.1 Power Connector	29
3.3 LEDs	30
3.4 Reset to Factory Defaults	30
3.4.1 Side Panels	31
Technical Reference	32
The Web Configurator	33
4.1 Overview	33
4.2 System Login	33
4.3 The Status Screen	34
4.3.1 Change Your Password	37
4.4 Saving Your Configuration	38
4.5 Switch Lockout	38
4.6 Resetting the Switch	39
4.7 Logging Out of the Web Configurator	39
4.8 Help	39
Initial Setup Example	40
5.1 Overview	40
5.1.1 Creating a VLAN	40
5.1.2 Setting Port VID	41
5.2 Configuring Switch Management IP Address	42
Tutorials	44
6.1 Overview	44
6.2 How to Use DHCP Snooping on the Switch	44
6.3 How to Use DHCP Relay on the Switch	48
6.3.1 DHCP Relay Tutorial Introduction	48
6.3.2 Creating a VLAN	48
6.3.3 Configuring DHCP Relay	50
6.3.4 Troubleshooting	51
ZON Utility, ZON Neighbor Management and Port Status	52
7.1 Overview	52
7.1.1 What You Can Do	52
7.2 ZyXEL One Network (ZON) Utility Screen	52
7.3 Neighbor screen	53
7.4 Port Status Summary	54
7.4.1 Status: Port Details	56
Basic Setting	59
8.1 Overview	59
8.1.1 What You Can Do	59
8.2 System Information	59
8.3 General Setup	61
8.4 Introduction to VLANs	63
8.5 Switch Setup Screen	64
8.6 IP Setup	65
8.6.1 Management IP Addresses	65
8.7 Port Setup	67
8.8 PoE Status	69
8.8.1 PoE Setup	71
8.9 Interface Setup	72
8.10 IPv6	73
8.10.1 IPv6 Interface Status	74
8.10.2 IPv6 Configuration	77
8.10.3 IPv6 Global Setup	77
8.10.4 IPv6 Interface Setup	78
8.10.5 IPv6 Link-Local Address Setup	79
8.10.6 IPv6 Global Address Setup	80
8.10.7 IPv6 Neighbor Discovery Setup	81
8.10.8 IPv6 Neighbor Setup	82
8.10.9 DHCPv6 Client Setup	83
VLAN	85
9.1 Overview	85
9.1.1 What You Can Do	85
9.1.2 What You Need to Know	85
9.2 VLAN Status	88
9.2.1 VLAN Details	89
9.3 VLAN Configuration	90
9.4 Configure a Static VLAN	90
9.5 Configure VLAN Port Settings	92
9.6 Subnet Based VLANs	93
9.6.1 Configuring Subnet Based VLAN	94
9.7 Protocol Based VLANs	95
9.7.1 Configuring Protocol Based VLAN	96
9.8 Port-based VLAN Setup	97
9.8.1 Configure a Port-based VLAN	98
9.9 Voice VLAN	100
9.10 MAC-based VLAN	102
9.11 Technical Reference	103
9.11.1 Create an IP-based VLAN Example	103
Static MAC Forward Setup	105
10.1 Overview	105
10.1.1 What You Can Do	105
10.2 Configuring Static MAC Forwarding	105
Static Multicast Forward Setup	107
11.1 Static Multicast Forward Setup Overview	107
11.1.1 What You Can Do	107
11.1.2 What You Need To Know	107
11.2 Configuring Static Multicast Forwarding	108
Filtering	110
12.1 Filtering Overview	110
12.1.1 What You Can Do	110
12.2 Configure a Filtering Rule	110
Spanning Tree Protocol	112
13.1 Spanning Tree Protocol Overview	112
13.1.1 What You Can Do	112
13.1.2 What You Need to Know	112
13.2 Spanning Tree Protocol Status Screen	115
13.3 Spanning Tree Configuration	115
13.4 Configure Rapid Spanning Tree Protocol	116
13.5 Rapid Spanning Tree Protocol Status	118
13.6 Configure Multiple Rapid Spanning Tree Protocol	119
13.7 Multiple Rapid Spanning Tree Protocol Status	121
13.8 Configure Multiple Spanning Tree Protocol	122
13.9 Multiple Spanning Tree Port Configuration	125
13.10 Multiple Spanning Tree Protocol Status	126
13.11 Technical Reference	128
13.11.1 MSTP Network Example	128
13.11.2 MST Region	129
13.11.3 MST Instance	130
13.11.4 Common and Internal Spanning Tree (CIST)	130
Bandwidth Control	131
14.1 Overview	131
14.1.1 What You Can Do	131
14.2 Bandwidth Control Setup	131
Broadcast Storm Control	133
15.1 Broadcast Storm Control Overview	133
15.1.1 What You Can Do	133
15.2 Broadcast Storm Control Setup	133
Mirroring	135
16.1 Mirroring Overview	135
16.1.1 What You Can Do	135
16.2 Port Mirroring Setup	135
Link Aggregation	137
17.1 Overview	137
17.1.1 What You Can Do	137
17.1.2 What You Need to Know	137
17.2 Link Aggregation Status	138
17.3 Link Aggregation Setting	139
17.4 Link Aggregation Control Protocol	141
17.5 Technical Reference	142
17.5.1 Static Trunking Example	142
Port Authentication	144
18.1 Port Authentication Overview	144
18.1.1 What You Can Do	144
18.1.2 What You Need to Know	144
18.2 Port Authentication Configuration	145
18.3 Activate IEEE 802.1x Security	145
18.3.1 Guest VLAN	147
Port Security	150
19.1 Port Security Overview	150
19.1.1 What You Can Do	150
19.2 Port Security Setup	150
Classifier	153
20.1 Overview	153
20.1.1 What You Can Do	153
20.1.2 What You Need to Know	153
20.2 Configuring the Classifier	153
20.2.1 Viewing and Editing Classifier Configuration	155
20.3 Classifier Example	157
Policy Rule	158
21.1 Policy Rules Overview	158
21.1.1 What You Can Do	158
21.2 Configuring Policy Rules	158
21.2.1 Viewing and Editing Policy Configuration	161
21.3 Policy Example	161
Queuing Method	162
22.1 Queuing Method Overview	162
22.1.1 What You Can Do	162
22.1.2 What You Need to Know	162
22.2 Configuring Queuing	163
Multicast	165
23.1 Multicast Overview	165
23.1.1 What You Can Do	165
23.1.2 What You Need to Know	165
23.2 Multicast Setup	169
23.3 IPv4 Multicast Status	169
23.3.1 IGMP Snooping	170
23.4 IGMP Snooping VLAN	172
23.4.1 IGMP Filtering Profile	174
23.5 IPv6 Multicast Status	175
23.5.1 MLD Snooping-proxy	176
23.5.2 MLD Snooping-proxy VLAN	176
23.5.3 MLD Snooping-proxy VLAN Port Role Setting	178
23.5.4 MLD Snooping-proxy VLAN Filtering	180
23.5.5 MLD Snooping-proxy VLAN Filtering Profile	182
23.6 General MVR Configuration	183
23.6.1 MVR Group Configuration	185
23.6.2 MVR Configuration Example	187
AAA	189
24.1 AAA Overview	189
24.1.1 What You Can Do	189
24.1.2 What You Need to Know	189
24.2 AAA Screens	190
24.3 RADIUS Server Setup	190
24.4 TACACS+ Server Setup	192
24.5 AAA Setup	194
24.6 Technical Reference	196
24.6.1 Vendor Specific Attribute	196
24.6.2 Supported RADIUS Attributes	198
24.6.3 Attributes Used for Authentication	198
IP Source Guard	200
25.1 Overview	200
25.1.1 What You Can Do	200
25.1.2 What You Need to Know	201
25.2 IP Source Guard	201
25.3 IP Source Guard Static Binding	202
25.4 DHCP Snooping	203
25.5 DHCP Snooping Configure	206
25.5.1 DHCP Snooping Port Configure	208
25.5.2 DHCP Snooping VLAN Configure	209
25.5.3 DHCP Snooping VLAN Port Configure	210
25.6 ARP Inspection Status	211
25.7 ARP Inspection VLAN Status	212
25.8 ARP Inspection Log Status	213
25.9 ARP Inspection Configure	215
25.9.1 ARP Inspection Port Configure	216
25.9.2 ARP Inspection VLAN Configure	218
25.10 Technical Reference	219
25.10.1 DHCP Snooping Overview	219
25.10.2 ARP Inspection Overview	221
Loop Guard	223
26.1 Loop Guard Overview	223
26.1.1 What You Can Do	223
26.1.2 What You Need to Know	223
26.2 Loop Guard Setup	225
Layer 2 Protocol Tunneling	227
27.1 Layer 2 Protocol Tunneling Overview	227
27.1.1 What You Can Do	227
27.1.2 What You Need to Know	227
27.2 Configuring Layer 2 Protocol Tunneling	228
PPPoE	231
28.1 PPPoE Intermediate Agent Overview	231
28.1.1 What You Can Do	231
28.1.2 What You Need to Know	231
28.2 The PPPoE Screen	234
28.3 PPPoE Intermediate Agent	234
28.3.1 PPPoE IA Per-Port	235
28.3.2 PPPoE IA Per-Port Per-VLAN	237
28.3.3 PPPoE IA for VLAN	238
Error Disable	240
29.1 Error Disable Overview	240
29.2 The Error Disable Screens Overview	240
29.3 Error-Disable Status	240
29.4 CPU Protection Configuration	242
29.5 Error-Disable Detect Configuration	243
29.6 Error-Disable Recovery Configuration	244
Private VLAN	246
30.1 Private VLAN Overview	246
30.2 Configuring Private VLAN	246
Green Ethernet	248
31.1 Green Ethernet Overview	248
31.2 Configuring Green Ethernet	248
Link Layer Discovery Protocol (LLDP)	250
32.1 LLDP Overview	250
32.2 LLDP-MED Overview	251
32.3 LLDP Screens	252
32.4 LLDP Local Status	253
32.4.1 LLDP Local Port Status Detail	254
32.5 LLDP Remote Status	258
32.5.1 LLDP Remote Port Status Detail	259
32.6 LLDP Configuration	265
32.6.1 LLDP Configuration Basic TLV Setting	267
32.6.2 LLDP Configuraion Basic Org-specific TLV Setting	268
32.7 LLDP-MED Configuration	269
32.8 LLDP-MED Network Policy	270
32.9 LLDP-MED Location	271
Static Route	274
33.1 Static Route Overview	274
33.1.1 What You Can Do	274
33.2 Static Routing	274
33.3 Configuring Static Routing	274
Differentiated Services	277
34.1 Differentiated Services Overview	277
34.1.1 What You Can Do	277
34.1.2 What You Need to Know	277
34.2 Activating DiffServ	278
34.3 DSCP-to-IEEE 802.1p Priority Settings	279
34.3.1 Configuring DSCP Settings	280
DHCP	281
35.1 DHCP Overview	281
35.1.1 What You Can Do	281
35.1.2 What You Need to Know	281
35.2 DHCP Configuration	282
35.3 DHCPv4 Status	283
35.4 DHCPv4 Relay	283
35.4.1 DHCPv4 Relay Agent Information	283
35.4.2 DHCPv4 Option 82 Profile	284
35.4.3 Configuring DHCPv4 Global Relay	286
35.4.4 DHCPv4 Global Relay Port Configure	287
35.4.5 Global DHCP Relay Configuration Example	288
35.5 Configuring DHCPv4 VLAN Settings	289
35.5.1 DHCPv4 VLAN Port Configure	291
35.5.2 Example: DHCP Relay for Two VLANs	292
35.6 DHCPv6 Relay	293
ARP Setup	295
36.1 ARP Overview	295
36.1.1 What You Can Do	295
36.1.2 What You Need to Know	295
36.2 ARP Setup	297
36.2.1 ARP Learning	297
Maintenance	299
37.1 Overview	299
37.1.1 What You Can Do	299
37.2 The Maintenance Screen	299
37.2.1 Load Factory Default	300
37.2.2 Save Configuration	300
37.2.3 Reboot System	301
37.3 Firmware Upgrade	301
37.4 Restore a Configuration File	302
37.5 Backup a Configuration File	303
37.6 Tech-Support	303
37.7 Technical Reference	305
37.7.1 FTP Command Line	305
37.7.2 Filename Conventions	305
37.7.3 FTP Command Line Procedure	306
37.7.4 GUI-based FTP Clients	306
37.7.5 FTP Restrictions	307
Access Control	308
38.1 Access Control Overview	308
38.1.1 What You Can Do	308
38.2 The Access Control Main Screen	308
38.3 Configuring SNMP	309
38.3.1 Configuring SNMP Trap Group	310
38.3.2 Enabling/Disabling Sending of SNMP Traps on a Port	311
38.3.3 Configuring SNMP User	312
38.4 Setting Up Login Accounts	314
38.5 Service Port Access Control	315
38.6 Remote Management	316
38.7 Technical Reference	318
38.7.1 About SNMP	318
38.7.2 Introduction to HTTPS	320
Diagnostic	326
39.1 Overview	326
39.2 Diagnostic	326
Syslog	328
40.1 Syslog Overview	328
40.1.1 What You Can Do	328
40.2 Syslog Setup	328
40.3 Syslog Server Setup	329
Cluster Management	331
41.1 Cluster Management Overview	331
41.1.1 What You Can Do	332
41.2 Cluster Management Status	332
41.3 Clustering Management Configuration	333
41.4 Technical Reference	335
41.4.1 Cluster Member Switch Management	335
MAC Table	337
42.1 MAC Table Overview	337
42.1.1 What You Can Do	337
42.1.2 What You Need to Know	337
42.2 Viewing the MAC Table	338
ARP Table	340
43.1 Overview	340
43.1.1 What You Can Do	340
43.1.2 What You Need to Know	340
43.2 Viewing the ARP Table	340
Path MTU Table	342
44.1 Path MTU Overview	342
44.2 Viewing the Path MTU Table	342
Configure Clone	343
45.1 Overview	343
45.2 Configure Clone	343
Neighbor Table	346
46.1 IPv6 Neighbor Table Overview	346
46.2 Viewing the IPv6 Neighbor Table	346
Troubleshooting	348
47.1 Power, Hardware Connections, and LEDs	348
47.2 Switch Access and Login	349
47.3 Switch Configuration	351
Customer Support	353
Common Services	359
IPv6	362
Legal Information	370

Match case Limit results 1 per page

Chapter 25 IP Source Guard

GS1920 Series User’s Guide

201

•

Use the

ARP Inspection Configure

screen (Section 25.9 on page 215) to enable ARP inspection

on the Switch. You can also configure the length of time the Switch stores records of discarded

ARP packets and global settings for the ARP inspection log.

•

Use the

ARP Inspection Port Configure

screen (Section 25.9.1 on page 216) to specify

whether ports are trusted or untrusted ports for ARP inspection.

•

Use the

ARP Inspection VLAN Configure

screen (Section 25.9.2 on page 218) to enable ARP

inspection on each VLAN and to specify when the Switch generates log messages for receiving

ARP packets from each VLAN.

25.1.2

What You Need to Know

The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from

information provided manually by administrators (static bindings).

IP source guard consists of the following features:

•

Static bindings. Use this to create static bindings in the binding table.

•

DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to build the

binding table dynamically.

•

ARP inspection. Use this to filter unauthorized ARP packets on the network.

If you want to use dynamic bindings to filter unauthorized ARP packets (typical implementation),

you have to enable DHCP snooping before you enable ARP inspection.

25.2

IP Source Guard

Use this screen to look at the current bindings for DHCP snooping and ARP inspection. Bindings are

used by DHCP snooping and ARP inspection to distinguish between authorized and unauthorized

packets in the network. The Switch learns the bindings by snooping DHCP packets (dynamic

bindings) and from information provided manually by administrators (static bindings).

To open this

screen, click

Advanced Application > IP Source Guard

Figure 146

Advanced Application > IP Source Guard

The following table describes the labels in this screen.

Table 89

Advanced Application > IP Source Guard

LABEL

DESCRIPTION

Index

This field displays a sequential number for each binding.

MAC Address

This field displays the source MAC address in the binding.

IP Address

This field displays the IP address assigned to the MAC address in the binding.

Lease

This field displays how many days, hours, minutes, and seconds the binding is valid; for

example,

2d3h4m5s

means the binding is still valid for 2 days, 3 hours, 4 minutes, and

5 seconds. This field displays

infinity

if the binding is always valid (for example, a static

binding).