T2600G/Security/IPV4 IMPB: Difference between revisions

From Foxwiki
m Text replacement - "T2600G:" with "T2600G/"
 
(10 intermediate revisions by the same user are not shown)
Zeile 5: Zeile 5:


==== Binding Table ====
==== Binding Table ====
 
{| class="wikitable sortable options"
; Source
|-
: Select the source of the entry and click '''Search'''.
! Option!!Beschreibung
 
|-
; All
Source || Select the source of the entry and click '''Search'''.
: Displays the entries from all sources.
|-
 
All || Displays the entries from all sources.
; Manual
|-
: Displays the manually bound entries.
Manual || Displays the manually bound entries.
 
|-
; ARP Scanning
ARP Scanning || Displays the binding entries learned from ARP Scanning.
: Displays the binding entries learned from ARP Scanning.
|-
 
DHCP Snooping || Displays the binding entries learned from DHCP Snooping.
; DHCP Snooping
|-
: Displays the binding entries learned from DHCP Snooping.
IP Address || Enter an IP address and click '''Search''' to search the specific entry.
 
|-
; IP Address
Host Name || Enter a host name for identification.
: Enter an IP address and click '''Search''' to search the specific entry.
|-
 
IP Address || Displays the IP address.
; Host Name
|-
: Enter a host name for identification.
MAC Address || Displays the MAC address.
 
|-
; IP Address
VLAN ID || Displays the VLAN ID.
: Displays the IP address.
|-
 
Port || Displays the port number.
; MAC Address
|-
: Displays the MAC address.
Protect Type || Select the protect type for the entry:
 
|-
; VLAN ID
None || This entry will not be applied to any feature.
: Displays the VLAN ID.
|-
 
ARP Detection || This entry will be applied to the ARP Detection feature.
; Port
|-
: Displays the port number.
IP Source Guard || This entry will be applied to the IP Source Guard feature.
 
|-
; Protect Type
Both || This entry will be applied to both the features.
: Select the protect type for the entry:
|-
 
Source || Displays the source of the entry.
; None
|}
: This entry will not be applied to any feature.
 
; ARP Detection
: This entry will be applied to the ARP Detection feature.
 
; IP Source Guard
: This entry will be applied to the IP Source Guard feature.
 
; Both
: This entry will be applied to both the features.
 
; Source
: Displays the source of the entry.


=== Manual Binding ===
=== Manual Binding ===
You can manually bind the IP address, MAC address, VLAN ID and the Port number together on the condition that you have got the related information of the hosts on the network.
You can manually bind the IP address, MAC address, VLAN ID and the Port number together on the condition that you have got the related information of the hosts on the network.
To configure IP-MAC Binding manually:


Step1:
; Configure IP-MAC Binding manually
    Click Add to load the configuration page.
# Click Add to load the configuration page.
# Enter the IP address, MAC address, VLAN ID and port to create a binding entry, and specify the protect type for this entry.


Step2:
==== Manual Binding Config ====
    Enter the IP address, MAC address, VLAN ID and port to create a binding entry, and specify the protect type for this entry.
{| class="wikitable sortable options"
 
|-
Manual Binding Config
! Option!!Beschreibung
 
|-
Host Name
Host Name || Enter a host name for identification.
    Enter a host name for identification.
|-
 
IP Address || Enter the IP address.
IP Address
|-
    Enter the IP address.
MAC Address || Enter the MAC address.
 
|-
MAC Address
VLAN ID || Enter the VLAN ID.
    Enter the MAC address.
|-
 
Port || Select the port that is connected to this host.
VLAN ID
|-
    Enter the VLAN ID.
Protect Type || Select the protect type for the entry:
 
|-
Port
None || This entry will not be applied to any feature.
    Select the port that is connected to this host.
|-
 
ARP Detection || This entry will be applied to the ARP Detection feature.
Protect Type
|-
    Select the protect type for the entry:
IP Source Guard || This entry will be applied to the IP Source Guard feature.
 
|-
None
Both || This entry will be applied to both the features.
    This entry will not be applied to any feature.
|}
 
ARP Detection
    This entry will be applied to the ARP Detection feature.
 
IP Source Guard
    This entry will be applied to the IP Source Guard feature.
 
Both
    This entry will be applied to both the features.


=== ARP Scanning ===
=== ARP Scanning ===
With ARP Scanning, the switch sends the ARP request packets of the specified IP field to the hosts. Upon receiving the ARP reply packet, the switch can get the IP address, MAC address, VLAN ID and the connected port number of the host.
With ARP Scanning, the switch sends the ARP request packets of the specified IP field to the hosts. Upon receiving the ARP reply packet, the switch can get the IP address, MAC address, VLAN ID and the connected port number of the host.
To configure IP-MAC Binding via ARP scanning:
; Configure IP-MAC Binding via ARP scanning:
# Specify the IP address range and VLAN ID, then click '''Scan''' to scan hosts in the specified range.
# After scanning, select the desired entries in the Scanning Result table and select the protect type, then click '''Bind'''.


Step1:
==== Scanning Option ====
    Specify the IP address range and VLAN ID, then click Scan to scan hosts in the specified range.
; Starting/Ending IP Address
: Specify an IP range by entering a starting and ending IP address.


Step2:
; VLAN ID
    After scanning, select the desired entries in the Scanning Result table and select the protect type, then click Bind.  
: Specify a VLAN ID.
 
Scanning Option


Starting/Ending IP Address
==== Scanning Result ====
    Specify an IP range by entering a starting and ending IP address.
{| class="wikitable sortable options"
 
|-
VLAN ID
! Option!!Beschreibung
    Specify a VLAN ID.
|-
 
Host Name || Enter a host name for identification.
Scanning Result
|-
 
IP Address || Displays the IP address.
Host Name
|-
    Enter a host name for identification.
MAC Address || Displays the MAC address.
 
|-
IP Address
VLAN ID || Displays the VLAN ID.
    Displays the IP address.
|-
 
Port || Displays the port number.
MAC Address
|-
    Displays the MAC address.
Protect Type || Select the protect type for the entry:
 
|-
VLAN ID
None || This entry will not be applied to any feature.
    Displays the VLAN ID.
|-
 
ARP Detection || This entry will be applied to the ARP Detection feature.
Port
|-
    Displays the port number.
IP Source Guard || This entry will be applied to the IP Source Guard feature.
 
|-
Protect Type
Both || This entry will be applied to both the features.
    Select the protect type for the entry:
|}
 
None
    This entry will not be applied to any feature.
 
ARP Detection
    This entry will be applied to the ARP Detection feature.
 
IP Source Guard
    This entry will be applied to the IP Source Guard feature.
 
Both
    This entry will be applied to both the features.


=== DHCP Snooping ===
=== DHCP Snooping ===
With DHCP snooping enabled, the switch can monitor the IP address obtaining process of the DHCP client, and record the IP address, MAC address, VLAN ID and the connected port number of the DHCP client for automatic binding.
With DHCP snooping enabled, the switch can monitor the IP address obtaining process of the DHCP client, and record the IP address, MAC address, VLAN ID and the connected port number of the DHCP client for automatic binding.


To configure IP-MAC Binding via DHCP Snooping:
; Configure IP-MAC Binding via DHCP Snooping
 
# Enable DHCP Snooping globally.
; <nowiki>Step1:</nowiki>
# Enable DHCP Snooping on one or more VLANs.
: Enable DHCP Snooping globally.
# Specify the maximum number of DHCP binding entries a port can learn via DHCP snooping.
 
; <nowiki>Step2:</nowiki>
: Enable DHCP Snooping on one or more VLANs.
 
; <nowiki>Step3:</nowiki>
: Specify the maximum number of DHCP binding entries a port can learn via DHCP snooping.


==== Global Config ====
==== Global Config ====
; DHCP Snooping
; DHCP Snooping
: Enable DHCP snooping function globally.
: Enable DHCP snooping function globally.


==== VLAN Config ====
==== VLAN Config ====
; VLAN ID
; VLAN ID
: Displays the VLAN ID of the existing VLAN.
: Displays the VLAN ID of the existing VLAN.
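Review bot: In the new Binding Table, Manual Binding Config and Scanning Result wikitables, the Protect Type values (None, ARP Detection, IP Source Guard, Both) are emitted as ordinary rows at the same level as the fields, so the table no longer shows that they are choices of Protect Type, and with class "sortable" a re-sort will separate them from their parent row. In the Binding Table the same applies to the Source values (All, Manual, ARP Scanning, DHCP Snooping), and "IP Address" and "Source" each appear as two rows with different meanings (search option versus result column). Consider keeping the values inside the parent cell, or splitting search options and result columns into two tables. Scanning Option is also left as a ";"/":" definition list while its neighbours become tables.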
Zeile 178: Zeile 136:


==== Port Config ====
==== Port Config ====
; Port
; Port
: Select one or more ports to configure.
: Select one or more ports to configure.
Zeile 189: Zeile 146:


== ARP DETECTION ==
== ARP DETECTION ==
=== ARP Detection ===
Based on the predefined IP-MAC Binding entries, the ARP Detection can be configured to detect the ARP packets and filter the illegal ones so as to prevent the network from ARP cheating attacks.
Based on the predefined IP-MAC Binding entries, the ARP Detection can be configured to detect the ARP packets and filter the illegal ones so as to prevent the network from ARP cheating attacks.


To configure ARP Detection:
: Configure ARP Detection
 
# Go to  '''IPv4 IMPB > IP-MAC Binding''' page, create IP-MAC Binding entries and set the Protect Type of the entries as ARP Detection.
; <nowiki>Step1:</nowiki>
# On  this page, enable ARP Detection globally and on the desired VLANs. And configure the other parameters according to your needs.
: Go to  '''IPv4 IMPB > IP-MAC Binding''' page, create IP-MAC Binding entries and set the Protect Type of the entries as ARP Detection.
# Go to  '''IPv4 IMPB > ARP Detection > Port Config''' page, configure the port parameters accoding to your needs.
 
; <nowiki>Step2:</nowiki>
: On  this page, enable ARP Detection globally and on the desired VLANs. And configure the other parameters according to your needs.
 
; <nowiki>Step3:</nowiki>
: Go to  '''IPv4 IMPB > ARP Detection > Port Config''' page, configure the port parameters accoding to your needs.


==== Global Config ====
==== Global Config ====
; ARP Detect
; ARP Detect
: Enable the ARP Detection function.
: Enable the ARP Detection function.
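Review bot: The new procedure heading ": Configure ARP Detection" uses ":" where the other converted procedures use ";" (for example "; Configure IPv4 Source Guard"), so it will render as an indented line rather than as a term. The new step 3 also carries over the typo "accoding", and step 2 still reads "On this page", which only makes sense inside the switch UI; naming the page, as steps 1 and 3 do, would be clearer.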
Zeile 219: Zeile 167:


==== VLAN Config ====
==== VLAN Config ====
; VLAN ID
; VLAN ID
: Displays the VLAN ID.
: Displays the VLAN ID.
Zeile 233: Zeile 180:


==== Port Config ====
==== Port Config ====
; Port
; Port
: Select one or more ports to configure
: Select one or more ports to configure
Zeile 268: Zeile 214:


==== Auto Refresh ====
==== Auto Refresh ====
; Auto Refresh
; Auto Refresh
: Enable or disable the Auto Refresh feature.
: Enable or disable the Auto Refresh feature.


==== Illegal ARP Packets ====
==== Illegal ARP Packets ====
; VLAN ID
; VLAN ID
: Displays the VLAN ID.
: Displays the VLAN ID.
Zeile 284: Zeile 228:


== IPV4 SOURCE GUARD ==
== IPV4 SOURCE GUARD ==
=== IPv4 Source Guard ===
The IPv4 Source Guard feature allows the switch to filter the packets that do not match the rules of IPv4-MAC Binding Table.
The IPv4 Source Guard feature allows the switch to filter the packets that do not match the rules of IPv4-MAC Binding Table.


To configure IPv4 Source Guard:
; Configure IPv4 Source Guard
 
# Go to  '''IPv4 IMPB > IP-MAC Binding''' page, create IP-MAC Binding entries and set the Protect Type of the entries as IP Source Guard.
; <nowiki>Step1:</nowiki>
# (Optional) On this page, configure global parameters accoding to your needs.
: Go to  '''IPv4 IMPB > IP-MAC Binding''' page, create IP-MAC Binding entries and set the Protect Type of the entries as IP Source Guard.
# Configure the Security Type for the desired ports.
 
; <nowiki>Step2:</nowiki>
: (Optional) On this page, configure global parameters accoding to your needs.
 
; <nowiki>Step3:</nowiki>
: Configure the Security Type for the desired ports.


==== Global Config ====
==== Global Config ====
; IPv4 Source Guard Log
; IPv4 Source Guard Log
: Enable IPv4 Source Guard Log feature to generate a log when illegal packets are received.
: Enable IPv4 Source Guard Log feature to generate a log when illegal packets are received.


==== Port Config ====
==== Port Config ====
; Port
; Port
: Select one or more ports to configure.
: Select one or more ports to configure.
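Review bot: Step 3 of the new numbered list ("Configure the Security Type for the desired ports.") does not say where that setting lives, unlike the ARP Detection procedure, which names its Port Config page; suggest naming the page here too. Step 2 also keeps the typo "accoding" from the old text.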
Zeile 324: Zeile 258:
: Displays the LAG that the port belongs to.
: Displays the LAG that the port belongs to.


[[Kategorie:T2600G:Security]]
[[Kategorie:T2600G/Security]]

Latest revision as of 14:40, 13 February 2023

IP-MAC BINDING

Binding Table

With IPv4 IMPB (IP-MAC-Port Binding), you can bind an IP address, a MAC address and a port together as an entry. In the Binding Table, you can search for and view binding entries, which can be used for ARP Inspection and IPv4 Source Guard.

Binding Table

{| class="wikitable sortable options"
|-
! Option !! Description
|-
| Source || Select the source of the entry and click Search.
|-
| All || Displays the entries from all sources.
|-
| Manual || Displays the manually bound entries.
|-
| ARP Scanning || Displays the binding entries learned from ARP Scanning.
|-
| DHCP Snooping || Displays the binding entries learned from DHCP Snooping.
|-
| IP Address || Enter an IP address and click Search to search the specific entry.
|-
| Host Name || Enter a host name for identification.
|-
| IP Address || Displays the IP address.
|-
| MAC Address || Displays the MAC address.
|-
| VLAN ID || Displays the VLAN ID.
|-
| Port || Displays the port number.
|-
| Protect Type || Select the protect type for the entry:
|-
| None || This entry will not be applied to any feature.
|-
| ARP Detection || This entry will be applied to the ARP Detection feature.
|-
| IP Source Guard || This entry will be applied to the IP Source Guard feature.
|-
| Both || This entry will be applied to both the features.
|-
| Source || Displays the source of the entry.
|}

Manual Binding

You can manually bind the IP address, MAC address, VLAN ID and port number together, provided that you already have this information for the hosts on the network.

Configure IP-MAC Binding manually
  1. Click Add to load the configuration page.
  2. Enter the IP address, MAC address, VLAN ID and port to create a binding entry, and specify the protect type for this entry.

Manual Binding Config

{| class="wikitable sortable options"
|-
! Option !! Description
|-
| Host Name || Enter a host name for identification.
|-
| IP Address || Enter the IP address.
|-
| MAC Address || Enter the MAC address.
|-
| VLAN ID || Enter the VLAN ID.
|-
| Port || Select the port that is connected to this host.
|-
| Protect Type || Select the protect type for the entry:
|-
| None || This entry will not be applied to any feature.
|-
| ARP Detection || This entry will be applied to the ARP Detection feature.
|-
| IP Source Guard || This entry will be applied to the IP Source Guard feature.
|-
| Both || This entry will be applied to both the features.
|}

ARP Scanning

With ARP Scanning, the switch sends ARP request packets for the specified IP range to the hosts. From each ARP reply packet it receives, the switch learns the IP address, MAC address, VLAN ID and connected port number of the host.

Configure IP-MAC Binding via ARP scanning
  1. Specify the IP address range and VLAN ID, then click Scan to scan hosts in the specified range.
  2. After scanning, select the desired entries in the Scanning Result table and select the protect type, then click Bind.

Scanning Option

Starting/Ending IP Address
Specify an IP range by entering a starting and ending IP address.
VLAN ID
Specify a VLAN ID.

Scanning Result

{| class="wikitable sortable options"
|-
! Option !! Description
|-
| Host Name || Enter a host name for identification.
|-
| IP Address || Displays the IP address.
|-
| MAC Address || Displays the MAC address.
|-
| VLAN ID || Displays the VLAN ID.
|-
| Port || Displays the port number.
|-
| Protect Type || Select the protect type for the entry:
|-
| None || This entry will not be applied to any feature.
|-
| ARP Detection || This entry will be applied to the ARP Detection feature.
|-
| IP Source Guard || This entry will be applied to the IP Source Guard feature.
|-
| Both || This entry will be applied to both the features.
|}

DHCP Snooping

With DHCP snooping enabled, the switch monitors how each DHCP client obtains its IP address and records the client's IP address, MAC address, VLAN ID and connected port number for automatic binding.

Configure IP-MAC Binding via DHCP Snooping
  1. Enable DHCP Snooping globally.
  2. Enable DHCP Snooping on one or more VLANs.
  3. Specify the maximum number of DHCP binding entries a port can learn via DHCP snooping.

Global Config

DHCP Snooping
Enable DHCP snooping function globally.

VLAN Config

VLAN ID
Displays the VLAN ID of the existing VLAN.
Status
Enable or disable DHCP snooping on a VLAN.

Port Config

Port
Select one or more ports to configure.
Maximum Entry
Configure the maximum number of DHCP binding entries a port can learn via DHCP snooping.
LAG
Displays the LAG that the port belongs to.

ARP DETECTION

Based on the predefined IP-MAC Binding entries, ARP Detection can be configured to inspect ARP packets and filter out the illegal ones, protecting the network from ARP cheating attacks.

Configure ARP Detection
  1. Go to the IPv4 IMPB > IP-MAC Binding page, create IP-MAC Binding entries and set the Protect Type of the entries to ARP Detection.
  2. On this page, enable ARP Detection globally and on the desired VLANs, and configure the other parameters according to your needs.
  3. Go to the IPv4 IMPB > ARP Detection > Port Config page and configure the port parameters according to your needs.

Global Config

ARP Detect
Enable the ARP Detection function.
Valid Source MAC
Enable or disable the check that the source MAC address and the sender MAC address of a received ARP packet are the same. If they are not, the ARP packet is discarded.
Valid Destination MAC
Enable or disable the check that the destination MAC address and the target MAC address of a received ARP reply packet are the same. If they are not, the ARP packet is discarded.
Valid IP
Enable or disable the check that the sender IP address of all ARP packets and the target IP address of ARP reply packets are legal. Illegal packets are discarded.

VLAN Config

VLAN ID
Displays the VLAN ID.
Status
Enable or disable ARP Detect in a VLAN.
Log Status
Enable Log feature to generate a log when an ARP packet is discarded.

Port Config

To avoid ARP flood attacks, the switch can stop receiving ARP packets on a port for 300 seconds when the rate of ARP packets on that port exceeds the defined value.

Port Config

Port
Select one or more ports to configure.
Trust Status
Set whether to make this port a trusted port, on which the ARP packets will be forwarded directly without being checked.
Limit Rate
Specify the maximum number of ARP packets that can be received on the port per second.
Current Speed
Displays the current speed of the received ARP packets.
Burst Interval
Specify a time range. If the rate of received ARP packets stays above the limit rate throughout this time range, the port is shut down.
Status
Displays the status of the port.
Normal
The transmission speed of the ARP packet is normal.
Down
The transmission speed of the ARP packet exceeds the defined value.
Operation
Click the Recover button to restore the port to the normal status.
LAG
Displays the LAG that the port belongs to.
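
The Global Config checks, the port Trust Status and the Binding Table lookup described above, combined into one decision function. This is an added Python example, not TP-Link's or the wiki's code. It assumes that an "illegal" IP address is the unspecified, broadcast or a multicast address and that an ARP packet matches when sender IP, sender MAC, VLAN and port all equal a binding entry; all names, addresses and ports are constructed.

```python
import ipaddress
from collections import namedtuple

# Field names follow the Binding Table columns; MACs are assumed lower-case.
Binding = namedtuple("Binding", "ip mac vlan port protect")
# Constructed view of one received ARP frame (field names are illustrative).
Arp = namedtuple("Arp", "port vlan eth_src eth_dst op sender_mac sender_ip "
                        "target_mac target_ip")

def ip_is_legal(addr):
    # Assumption: "illegal" = unspecified, limited broadcast or multicast.
    ip = ipaddress.ip_address(addr)
    return not (ip.is_unspecified or ip.is_multicast or addr == "255.255.255.255")

def arp_verdict(f, bindings, trusted_ports=(), valid_src_mac=True,
                valid_dst_mac=True, valid_ip=True):
    """Return 'forward: ...' or 'drop: ...' for one ARP frame."""
    if f.port in trusted_ports:                       # Trust Status: not checked
        return "forward: trusted port"
    if valid_src_mac and f.eth_src != f.sender_mac:   # Valid Source MAC
        return "drop: source MAC differs from sender MAC"
    if valid_dst_mac and f.op == "reply" and f.eth_dst != f.target_mac:
        return "drop: destination MAC differs from target MAC"
    if valid_ip and not (ip_is_legal(f.sender_ip) and
                         (f.op != "reply" or ip_is_legal(f.target_ip))):
        return "drop: illegal IP address"
    for b in bindings:        # only entries whose Protect Type covers ARP Detection
        if b.protect in ("ARP Detection", "Both") and \
           (b.ip, b.mac, b.vlan, b.port) == (f.sender_ip, f.sender_mac, f.vlan, f.port):
            return "forward: matches binding entry"
    return "drop: no matching binding entry"

# Constructed sample data (documentation MAC range, made-up ports).
GW, H10, H11 = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:11"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
TABLE = [
    Binding("192.168.0.1", GW, 1, "1/0/1", "Both"),
    Binding("192.168.0.10", H10, 1, "1/0/2", "ARP Detection"),
    Binding("192.168.0.11", H11, 1, "1/0/3", "IP Source Guard"),  # not used for ARP
]
FRAMES = {
    "host request": Arp("1/0/2", 1, H10, BCAST, "request",
                        H10, "192.168.0.10", ZERO, "192.168.0.1"),
    "reply claiming gateway IP": Arp("1/0/2", 1, H10, H11, "reply",
                                     H10, "192.168.0.1", H11, "192.168.0.11"),
    "header/body MAC mismatch": Arp("1/0/2", 1, H10, BCAST, "request",
                                    GW, "192.168.0.1", ZERO, "192.168.0.10"),
    "source-guard-only host": Arp("1/0/3", 1, H11, BCAST, "request",
                                  H11, "192.168.0.11", ZERO, "192.168.0.1"),
}

def verdicts(frames=FRAMES, bindings=TABLE):
    return {name: arp_verdict(f, bindings) for name, f in frames.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:28} {verdict}")
```

Under these assumptions, a host whose entry has Protect Type IP Source Guard only is dropped by ARP Detection, and marking an access port as trusted forwards everything it sends without any of the checks.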

ARP Statistics

The ARP Statistics feature displays the number of forwarded and dropped ARP packets in each VLAN, which helps you locate network malfunctions and take the related protection measures.

Auto Refresh

Auto Refresh
Enable or disable the Auto Refresh feature.

Illegal ARP Packets

VLAN ID
Displays the VLAN ID.
Forwarded
Displays the number of forwarded ARP packets in this VLAN.
Dropped
Displays the number of dropped ARP packets in this VLAN.

IPV4 SOURCE GUARD

The IPv4 Source Guard feature allows the switch to filter out packets that do not match the rules of the IPv4-MAC Binding Table.

Configure IPv4 Source Guard
  1. Go to the IPv4 IMPB > IP-MAC Binding page, create IP-MAC Binding entries and set the Protect Type of the entries to IP Source Guard.
  2. (Optional) On this page, configure global parameters according to your needs.
  3. Configure the Security Type for the desired ports.

Global Config

IPv4 Source Guard Log
Enable IPv4 Source Guard Log feature to generate a log when illegal packets are received.

Port Config

Port
Select one or more ports to configure.
Security Type
Select the Security Type applied to IPv4 packets on the port. The following options are provided:
Disable
The IP Source Guard feature is disabled on the port.
SIP
Only packets whose source IP address and port number match the IPv4-MAC binding rules are processed; all other packets are discarded.
SIP+SMAC
Only packets whose source IP address, source MAC address and port number match the IPv4-MAC binding rules are processed; all other packets are discarded.
LAG
Displays the LAG that the port belongs to.
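
How the three Security Type options above treat the same traffic, as an added Python example (not TP-Link's or the wiki's code). It assumes that only entries with Protect Type IP Source Guard or Both are consulted and that a port without a configured Security Type behaves as Disable; the log line format, addresses and ports are constructed.

```python
from collections import namedtuple

Binding = namedtuple("Binding", "ip mac port protect")  # Binding Table columns used here
Packet = namedtuple("Packet", "port src_ip src_mac")     # constructed IPv4 packet fields

def allowed(pkt, bindings, security_type):
    """Apply one port's Security Type: 'Disable', 'SIP' or 'SIP+SMAC'."""
    if security_type == "Disable":
        return True
    for b in bindings:
        if b.protect not in ("IP Source Guard", "Both"):
            continue                      # entry is not applied to this feature
        if (b.ip, b.port) != (pkt.src_ip, pkt.port):
            continue
        if security_type == "SIP" or b.mac == pkt.src_mac:
            return True                   # SIP never compares the source MAC
    return False

def filter_traffic(packets, bindings, port_security, log_enabled=True):
    """Return (forwarded packets, log lines for discarded packets)."""
    forwarded, log = [], []
    for p in packets:
        mode = port_security.get(p.port, "Disable")   # assumption: default is Disable
        if allowed(p, bindings, mode):
            forwarded.append(p)
        elif log_enabled:                 # IPv4 Source Guard Log (format is made up)
            log.append(f"discard port={p.port} sip={p.src_ip} smac={p.src_mac} mode={mode}")
    return forwarded, log

# Constructed sample data (documentation MAC range, made-up ports).
H10, H11, H12, OTHER = ("00:00:5e:00:53:10", "00:00:5e:00:53:11",
                        "00:00:5e:00:53:12", "00:00:5e:00:53:99")
TABLE = [
    Binding("192.168.0.10", H10, "1/0/2", "Both"),
    Binding("192.168.0.11", H11, "1/0/3", "ARP Detection"),   # not used by Source Guard
    Binding("192.168.0.12", H12, "1/0/4", "IP Source Guard"),
]
PORT_SECURITY = {"1/0/2": "SIP", "1/0/3": "SIP+SMAC", "1/0/4": "SIP+SMAC"}
PACKETS = [
    Packet("1/0/2", "192.168.0.10", H10),    # forwarded
    Packet("1/0/2", "192.168.0.10", OTHER),  # forwarded: SIP ignores the MAC
    Packet("1/0/2", "192.168.0.99", H10),    # discarded: IP not bound to this port
    Packet("1/0/3", "192.168.0.11", H11),    # discarded: entry lacks IP Source Guard
    Packet("1/0/4", "192.168.0.12", OTHER),  # discarded: SIP+SMAC checks the MAC
    Packet("1/0/4", "192.168.0.12", H12),    # forwarded
    Packet("1/0/9", "192.168.0.50", OTHER),  # forwarded: port has no Security Type
]

if __name__ == "__main__":
    forwarded, log = filter_traffic(PACKETS, TABLE, PORT_SECURITY)
    print(len(forwarded), "forwarded")
    print("\n".join(log))
```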