T2600G/Security/IPV4 IMPB

From Foxwiki

IP-MAC BINDING

Binding Table

With IPv4 IMPB (IP-MAC-Port Binding), you can bind IP address, MAC address and port together as an entry. In the Binding Table, you can search and view the specified binding entries which can be used for ARP Inspection and IPv4 Source Guard.

Binding Table

Option             Description
Source             Select the source of the entry and click Search.
  All              Displays the entries from all sources.
  Manual           Displays the manually bound entries.
  ARP Scanning     Displays the binding entries learned from ARP Scanning.
  DHCP Snooping    Displays the binding entries learned from DHCP Snooping.
IP Address         Enter an IP address and click Search to search for the specific entry.
Host Name          Enter a host name for identification.
IP Address         Displays the IP address.
MAC Address        Displays the MAC address.
VLAN ID            Displays the VLAN ID.
Port               Displays the port number.
Protect Type       Select the protect type for the entry:
  None             This entry will not be applied to any feature.
  ARP Detection    This entry will be applied to the ARP Detection feature.
  IP Source Guard  This entry will be applied to the IP Source Guard feature.
  Both             This entry will be applied to both features.
Source             Displays the source of the entry.

Manual Binding

You can manually bind the IP address, MAC address, VLAN ID and port number together, provided that you already have this information for the hosts on the network.

Configure IP-MAC Binding manually
  1. Click Add to load the configuration page.
  2. Enter the IP address, MAC address, VLAN ID and port to create a binding entry, and specify the protect type for this entry.

Manual Binding Config

Option             Description
Host Name          Enter a host name for identification.
IP Address         Enter the IP address.
MAC Address        Enter the MAC address.
VLAN ID            Enter the VLAN ID.
Port               Select the port that is connected to this host.
Protect Type       Select the protect type for the entry:
  None             This entry will not be applied to any feature.
  ARP Detection    This entry will be applied to the ARP Detection feature.
  IP Source Guard  This entry will be applied to the IP Source Guard feature.
  Both             This entry will be applied to both features.

ARP Scanning

With ARP Scanning, the switch sends ARP request packets to the hosts in the specified IP address range. On receiving an ARP reply packet, the switch learns the IP address, MAC address, VLAN ID and connected port number of the host.

Configure IP-MAC Binding via ARP scanning
  1. Specify the IP address range and VLAN ID, then click Scan to scan hosts in the specified range.
  2. After scanning, select the desired entries in the Scanning Result table and select the protect type, then click Bind.

Scanning Option

Starting/Ending IP Address
Specify an IP range by entering a starting and ending IP address.
VLAN ID
Specify a VLAN ID.

Scanning Result

Option             Description
Host Name          Enter a host name for identification.
IP Address         Displays the IP address.
MAC Address        Displays the MAC address.
VLAN ID            Displays the VLAN ID.
Port               Displays the port number.
Protect Type       Select the protect type for the entry:
  None             This entry will not be applied to any feature.
  ARP Detection    This entry will be applied to the ARP Detection feature.
  IP Source Guard  This entry will be applied to the IP Source Guard feature.
  Both             This entry will be applied to both features.

DHCP Snooping

With DHCP Snooping enabled, the switch monitors how a DHCP client obtains its IP address and records the IP address, MAC address, VLAN ID and connected port number of the DHCP client for automatic binding.

Configure IP-MAC Binding via DHCP Snooping
  1. Enable DHCP Snooping globally.
  2. Enable DHCP Snooping on one or more VLANs.
  3. Specify the maximum number of DHCP binding entries a port can learn via DHCP snooping.

Global Config

DHCP Snooping
Enable DHCP snooping function globally.

VLAN Config

VLAN ID
Displays the VLAN ID of the existing VLAN.
Status
Enable or disable DHCP snooping on a VLAN.

Port Config

Port
Select one or more ports to configure.
Maximum Entry
Configure the maximum number of DHCP binding entries a port can learn via DHCP snooping.
LAG
Displays the LAG that the port belongs to.

ARP DETECTION

ARP Detection uses the predefined IP-MAC Binding entries to inspect ARP packets and filter out the illegal ones, protecting the network from ARP cheating attacks.

Configure ARP Detection
  1. Go to the IPv4 IMPB > IP-MAC Binding page, create IP-MAC Binding entries and set the Protect Type of the entries to ARP Detection.
  2. On this page, enable ARP Detection globally and on the desired VLANs, and configure the other parameters according to your needs.
  3. Go to the IPv4 IMPB > ARP Detection > Port Config page and configure the port parameters according to your needs.

Global Config

ARP Detect
Enable the ARP Detection function.
Valid Source MAC
Enable or disable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded.
Valid Destination MAC
Enable or disable the switch to check whether the destination MAC address and the target MAC address are the same when receiving an ARP reply packet. If not, the ARP packet will be discarded.
Valid IP
Enable or disable the switch to check whether the sender IP address of all ARP packets and the target IP address of ARP reply packets are legal. The illegal packets will be discarded.

VLAN Config

VLAN ID
Displays the VLAN ID.
Status
Enable or disable ARP Detect in a VLAN.
Log Status
Enable Log feature to generate a log when an ARP packet is discarded.

Port Config

The switch can stop receiving ARP packets on a port for 300 seconds when the rate of ARP packets on that port exceeds the defined value, so as to avoid ARP flood attacks.

Port Config

Port
Select one or more ports to configure.
Trust Status
Set whether to make this port a trusted port, on which the ARP packets will be forwarded directly without being checked.
Limit Rate
Specify the maximum number of ARP packets that can be received on the port per second.
Current Speed
Displays the current speed of the received ARP packets.
Burst Interval
Specify a time range. If the speed of received ARP packets always exceeds the limit rate in this time range, the port will be shut down.
Status
Displays the status of the port.
Normal
The transmission speed of the ARP packet is normal.
Down
The transmission speed of the ARP packet exceeds the defined value.
Operation
Click the Recover button to restore the port to the normal status.
LAG
Displays the LAG that the port belongs to.
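
The Global Config checks and the Trust Status setting described above, modelled on raw ARP frames. This is an added example, not TP-Link code: the check order, the definition of an "illegal" IP, dropping frames that match no binding, and all addresses and port names are assumptions or constructed values.

```python
import struct
from ipaddress import IPv4Address

# Constructed binding entries: (ip, mac, vlan, port) -> Protect Type.
BINDINGS = {
    ("192.168.0.10", "00:11:22:33:44:55", 1, "1/0/1"): "Both",
    ("192.168.0.20", "00:11:22:33:44:66", 1, "1/0/2"): "IP Source Guard",
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_legal(ip):
    # Assumption: "illegal" means unspecified, multicast or limited broadcast.
    return not (ip.is_unspecified or ip.is_multicast or int(ip) == 0xFFFFFFFF)

def build_arp(eth_dst, eth_src, op, smac, sip, tmac, tip):
    """Build an untagged Ethernet/ARP frame (used for constructed samples)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (raw(eth_dst) + raw(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + raw(smac) + IPv4Address(sip).packed
            + raw(tmac) + IPv4Address(tip).packed)

def arp_detect(frame, vlan, port, trusted=False):
    """Return 'forward', or 'drop: <check>' naming the check that failed."""
    if trusted:
        return "forward"  # Trust Status: forwarded without being checked
    eth_dst, eth_src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (op,) = struct.unpack("!H", frame[20:22])  # 1 = request, 2 = reply
    smac, sip = mac_str(frame[22:28]), IPv4Address(frame[28:32])
    tmac, tip = mac_str(frame[32:38]), IPv4Address(frame[38:42])
    if eth_src != smac:
        return "drop: Valid Source MAC"
    if op == 2 and eth_dst != tmac:
        return "drop: Valid Destination MAC"
    if not ip_legal(sip) or (op == 2 and not ip_legal(tip)):
        return "drop: Valid IP"
    # Only entries with Protect Type ARP Detection or Both are applied.
    protect = BINDINGS.get((str(sip), smac, vlan, port))
    if protect not in ("ARP Detection", "Both"):
        return "drop: no binding"
    return "forward"

def demo():
    """Constructed request from the bound host, on its own port and on another."""
    f = build_arp("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 1, "00:11:22:33:44:55",
                  "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1")
    return arp_detect(f, 1, "1/0/1"), arp_detect(f, 1, "1/0/3")
```

The second entry shows why Protect Type matters: ARP from 192.168.0.20 is dropped even though the host is in the Binding Table, because that entry is applied to IP Source Guard only.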

ARP Statistics

The ARP Statistics feature displays the number of forwarded and dropped ARP packets in each VLAN, which helps you locate network malfunctions and take the related protection measures.

Auto Refresh

Auto Refresh
Enable or disable the Auto Refresh feature.

Illegal ARP Packets

VLAN ID
Displays the VLAN ID.
Forwarded
Displays the number of forwarded ARP packets in this VLAN.
Dropped
Displays the number of dropped ARP packets in this VLAN.

IPV4 SOURCE GUARD

The IPv4 Source Guard feature allows the switch to filter out packets that do not match the rules of the IPv4-MAC Binding Table.

Configure IPv4 Source Guard
  1. Go to the IPv4 IMPB > IP-MAC Binding page, create IP-MAC Binding entries and set the Protect Type of the entries to IP Source Guard.
  2. (Optional) On this page, configure global parameters according to your needs.
  3. Configure the Security Type for the desired ports.

Global Config

IPv4 Source Guard Log
Enable IPv4 Source Guard Log feature to generate a log when illegal packets are received.

Port Config

Port
Select one or more ports to configure.
Security Type
Select Security Type on the port for IPv4 packets. The following options are provided:
Disable
The IP Source Guard feature is disabled on the port.
SIP
Only a packet with its source IP address and port number matching the IPv4-MAC binding rules can be processed, otherwise the packet will be discarded.
SIP+SMAC
Only a packet with its source IP address, source MAC address and port number matching the IPv4-MAC binding rules can be processed, otherwise the packet will be discarded.
LAG
Displays the LAG that the port belongs to.
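
How the Security Type options differ, modelled on raw untagged Ethernet/IPv4 frames. This is an added example, not TP-Link code; the binding entries, port names and per-port settings are constructed, and passing non-IPv4 frames through unchecked is an assumption.

```python
from ipaddress import IPv4Address

# Constructed binding entries: (ip, mac, vlan, port, protect_type).
BINDINGS = [
    ("192.168.0.10", "00:11:22:33:44:55", 1, "1/0/1", "Both"),
    ("192.168.0.20", "00:11:22:33:44:66", 1, "1/0/2", "ARP Detection"),
    ("192.168.0.30", "00:11:22:33:44:77", 1, "1/0/2", "IP Source Guard"),
]
# Constructed per-port Security Type, as selected under Port Config.
SECURITY_TYPE = {"1/0/1": "SIP+SMAC", "1/0/2": "SIP", "1/0/3": "Disable"}

def ipv4_frame(src_mac, src_ip, dst_ip="192.168.0.1"):
    """Build a minimal untagged Ethernet/IPv4 frame (constructed sample input)."""
    eth = bytes.fromhex("ffffffffffff" + src_mac.replace(":", "")) + b"\x08\x00"
    # Version/IHL, TOS, total length, then 8 zeroed bytes up to the source address.
    hdr = bytes([0x45, 0]) + (20).to_bytes(2, "big") + bytes(8)
    return eth + hdr + IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed

def source_guard(frame, port):
    """Return True if the frame is processed, False if it is discarded."""
    mode = SECURITY_TYPE.get(port, "Disable")
    if mode == "Disable" or frame[12:14] != b"\x08\x00":
        return True  # feature off on this port, or not an IPv4 packet
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = str(IPv4Address(frame[26:30]))  # IPv4 source address field
    for ip, mac, _vlan, bound_port, protect in BINDINGS:
        if protect not in ("IP Source Guard", "Both"):
            continue  # entry is not applied to IP Source Guard
        if (ip, bound_port) != (src_ip, port):
            continue  # SIP: source IP and port must match the entry
        if mode == "SIP" or mac == src_mac:
            return True  # SIP+SMAC additionally requires the bound MAC
    return False
```

On port 1/0/2 (SIP) a frame from 192.168.0.30 is processed whatever its source MAC, while on port 1/0/1 (SIP+SMAC) a frame from 192.168.0.10 with a different source MAC is discarded.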