T2600G/Security/IPV4 IMPB: Difference between revisions
m Dirkwagner moved page T2600G:Security:IPV4 IMPB to T2600G/Security/IPV4 IMPB without leaving a redirect: Text replacement - "T2600G:Security:" with "T2600G/Security/"
Revision as of 13:02, 13 February 2023
IP-MAC BINDING
Binding Table
With IPv4 IMPB (IP-MAC-Port Binding), you can bind an IP address, a MAC address and a port together as one entry. In the Binding Table, you can search for and view the specified binding entries, which can be used for ARP Inspection and IPv4 Source Guard.
Binding Table
Option | Description |
---|---|
Source | Select the source of the entry and click Search. |
All | Displays the entries from all sources. |
Manual | Displays the manually bound entries. |
ARP Scanning | Displays the binding entries learned from ARP Scanning. |
DHCP Snooping | Displays the binding entries learned from DHCP Snooping. |
IP Address | Enter an IP address and click Search to search the specific entry. |
Host Name | Enter a host name for identification. |
IP Address | Displays the IP address. |
MAC Address | Displays the MAC address. |
VLAN ID | Displays the VLAN ID. |
Port | Displays the port number. |
Protect Type | Select the protect type for the entry: |
None | This entry will not be applied to any feature. |
ARP Detection | This entry will be applied to the ARP Detection feature. |
IP Source Guard | This entry will be applied to the IP Source Guard feature. |
Both | This entry will be applied to both the features. |
Source | Displays the source of the entry. |
Manual Binding
You can manually bind the IP address, MAC address, VLAN ID and port number together, provided that you already have this information for the hosts on the network.
- Configure IP-MAC Binding manually
- Click Add to load the configuration page.
- Enter the IP address, MAC address, VLAN ID and port to create a binding entry, and specify the protect type for this entry.
Manual Binding Config
Option | Description |
---|---|
Host Name | Enter a host name for identification. |
IP Address | Enter the IP address. |
MAC Address | Enter the MAC address. |
VLAN ID | Enter the VLAN ID. |
Port | Select the port that is connected to this host. |
Protect Type | Select the protect type for the entry: |
None | This entry will not be applied to any feature. |
ARP Detection | This entry will be applied to the ARP Detection feature. |
IP Source Guard | This entry will be applied to the IP Source Guard feature. |
Both | This entry will be applied to both the features. |
ARP Scanning
With ARP Scanning, the switch sends ARP request packets to the hosts in the specified IP address range. Upon receiving an ARP reply packet, the switch learns the IP address, MAC address, VLAN ID and connected port number of the host.
- Configure IP-MAC Binding via ARP scanning
- Specify the IP address range and VLAN ID, then click Scan to scan hosts in the specified range.
- After scanning, select the desired entries in the Scanning Result table and select the protect type, then click Bind.
Scanning Option
- Starting/Ending IP Address
- Specify an IP range by entering a starting and ending IP address.
- VLAN ID
- Specify a VLAN ID.
Scanning Result
Option | Description |
---|---|
Host Name | Enter a host name for identification. |
IP Address | Displays the IP address. |
MAC Address | Displays the MAC address. |
VLAN ID | Displays the VLAN ID. |
Port | Displays the port number. |
Protect Type | Select the protect type for the entry: |
None | This entry will not be applied to any feature. |
ARP Detection | This entry will be applied to the ARP Detection feature. |
IP Source Guard | This entry will be applied to the IP Source Guard feature. |
Both | This entry will be applied to both the features. |
DHCP Snooping
With DHCP snooping enabled, the switch can monitor the process by which a DHCP client obtains its IP address, and record the IP address, MAC address, VLAN ID and connected port number of the DHCP client for automatic binding.
- Configure IP-MAC Binding via DHCP Snooping
- Enable DHCP Snooping globally.
- Enable DHCP Snooping on one or more VLANs.
- Specify the maximum number of DHCP binding entries a port can learn via DHCP snooping.
Global Config
- DHCP Snooping
- Enable DHCP snooping function globally.
VLAN Config
- VLAN ID
- Displays the VLAN ID of the existing VLAN.
- Status
- Enable or disable DHCP snooping on a VLAN.
Port Config
- Port
- Select one or more ports to configure.
- Maximum Entry
- Configure the maximum number of DHCP binding entries a port can learn via DHCP snooping.
- LAG
- Displays the LAG that the port belongs to.
ARP DETECTION
Based on the predefined IP-MAC Binding entries, ARP Detection can be configured to inspect ARP packets and filter the illegal ones, so as to protect the network from ARP cheating attacks.
- Configure ARP Detection
- Go to the IPv4 IMPB > IP-MAC Binding page, create IP-MAC Binding entries and set the Protect Type of the entries to ARP Detection.
- On this page, enable ARP Detection globally and on the desired VLANs, and configure the other parameters according to your needs.
- Go to the IPv4 IMPB > ARP Detection > Port Config page and configure the port parameters according to your needs.
Global Config
- ARP Detect
- Enable the ARP Detection function.
- Valid Source MAC
- Enable or disable the switch to check whether the source MAC address and the sender MAC address are the same when receiving an ARP packet. If not, the ARP packet will be discarded.
- Valid Destination MAC
- Enable or disable the switch to check whether the destination MAC address and the target MAC address are the same when receiving an ARP reply packet. If not, the ARP packet will be discarded.
- Valid IP
- Enable or disable the switch to check whether the sender IP address of all ARP packets and the target IP address of ARP reply packets are legal. The illegal packets will be discarded.
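The three validity checks above, followed by the binding-table lookup, can be modelled in a few lines. This is an added example, not TP-Link code: the binding table, the addresses and the function names are constructed, the check order is arbitrary, and because the page does not define a "legal" IP the example assumes 0.0.0.0, 255.255.255.255 and multicast addresses are illegal and that a sender without an applicable binding entry is dropped.

```python
import ipaddress
import struct

# Constructed binding table: (IP, VLAN ID) -> (MAC, port, protect type).
BINDINGS = {
    ("192.168.0.10", 1): ("00:11:22:33:44:55", 3, "ARP Detection"),
    ("192.168.0.20", 1): ("00:11:22:33:44:66", 4, "IP Source Guard"),
}

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an untagged Ethernet/ARP frame (op 1 = request, 2 = reply)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (_mac(eth_dst) + _mac(eth_src) + b"\x08\x06" + arp
            + _mac(sha) + ipaddress.IPv4Address(spa).packed
            + _mac(tha) + ipaddress.IPv4Address(tpa).packed)

def _illegal(raw_ip):
    # Assumption: the page does not define "legal"; treat these as illegal.
    ip = ipaddress.IPv4Address(raw_ip)
    return ip.is_unspecified or ip.is_multicast or raw_ip == b"\xff" * 4

def inspect_arp(frame, vlan, port, trusted=False, bindings=BINDINGS):
    """Return "forward" or "drop: <reason>" for a frame received on port."""
    if trusted:                      # Trust Status: forwarded without checks
        return "forward"
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return "drop: not a complete ARP frame"
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (op,) = struct.unpack("!H", frame[20:22])
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    if eth_src != sha:               # Valid Source MAC
        return "drop: source MAC differs from sender MAC"
    if op == 2 and eth_dst != tha:   # Valid Destination MAC (replies only)
        return "drop: destination MAC differs from target MAC"
    if _illegal(spa) or (op == 2 and _illegal(tpa)):   # Valid IP
        return "drop: illegal IP address"
    entry = bindings.get((str(ipaddress.IPv4Address(spa)), vlan))
    if entry is None or entry[2] not in ("ARP Detection", "Both"):
        return "drop: no binding entry applied to ARP Detection"
    if _mac(entry[0]) != sha or entry[1] != port:
        return "drop: sender does not match binding entry"
    return "forward"
```

An entry whose Protect Type is None or IP Source Guard is ignored by this check, which is why a host bound only for IP Source Guard is dropped here.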
VLAN Config
- VLAN ID
- Displays the VLAN ID.
- Status
- Enable or disable ARP Detect in a VLAN.
- Log Status
- Enable Log feature to generate a log when an ARP packet is discarded.
Port Config
The switch can stop receiving ARP packets on a port for 300 seconds when the transmission speed of ARP packets on that port exceeds the defined value, so as to avoid ARP flood attacks.
Port Config
- Port
- Select one or more ports to configure.
- Trust Status
- Set whether to make this port a trusted port, on which the ARP packets will be forwarded directly without being checked.
- Limit Rate
- Specify the maximum number of ARP packets that can be received on the port per second.
- Current Speed
- Displays the current speed of the received ARP packets.
- Burst Interval
- Specify a time range. If the speed of received ARP packets always exceeds the limit rate in this time range, the port will be shut down.
- Status
- Displays the status of the port.
- Normal
- The transmission speed of the ARP packet is normal.
- Down
- The transmission speed of the ARP packet exceeds the defined value.
- Operation
- Click the Recover button to restore the port to the normal status.
- LAG
- Displays the LAG that the port belongs to.
ARP Statistics
The ARP Statistics feature displays the number of forwarded or dropped ARP packets in each VLAN, which helps you locate network malfunctions and take the related protection measures.
Auto Refresh
- Auto Refresh
- Enable or disable the Auto Refresh feature.
Illegal ARP Packets
- VLAN ID
- Displays the VLAN ID.
- Forwarded
- Displays the number of forwarded ARP packets in this VLAN.
- Dropped
- Displays the number of dropped ARP packets in this VLAN.
IPV4 SOURCE GUARD
The IPv4 Source Guard feature allows the switch to filter the packets that do not match the rules of the IPv4-MAC Binding Table.
- Configure IPv4 Source Guard
- Go to the IPv4 IMPB > IP-MAC Binding page, create IP-MAC Binding entries and set the Protect Type of the entries to IP Source Guard.
- (Optional) On this page, configure the global parameters according to your needs.
- Configure the Security Type for the desired ports.
Global Config
- IPv4 Source Guard Log
- Enable IPv4 Source Guard Log feature to generate a log when illegal packets are received.
Port Config
- Port
- Select one or more ports to configure.
- Security Type
- Select Security Type on the port for IPv4 packets. The following options are provided:
- Disable
- The IP Source Guard feature is disabled on the port.
- SIP
- Only a packet with its source IP address and port number matching the IPv4-MAC binding rules can be processed, otherwise the packet will be discarded.
- SIP+SMAC
- Only a packet with its source IP address, source MAC address and port number matching the IPv4-MAC binding rules can be processed, otherwise the packet will be discarded.
- LAG
- Displays the LAG that the port belongs to.