D-Link xStack DES-3528 Series Cli Reference Guide
xStack® DES-3528/DES-3552 Series Layer 2 Managed Stackable Fast Ethernet Switch CLI Reference Guide
config address_binding ip_mac ports
Purpose
Used to configure IMPB settings for specified ports.
Syntax
config address_binding ip_mac ports [<portlist> | all] {state [enable {[strict | loose]
| [ipv6 | all]} | disable {[ipv6 | all]}] | mode [arp | acl] | allow_zeroip [enable | disable]
| forward_dhcppkt [enable | disable] | stop_learning_threshold <int 0-500>}
Description
This command is used to configure the per-port state of IP-MAC binding on the Switch. If
a port has been configured as a group member of an aggregated link, then it cannot
enable the IP-MAC binding function.
When IMPB is enabled on a port, IP packets and ARP packets received by this port will
be checked depending on the setting. The packet will be dropped if its IP-MAC pair does
not match the IMPB white list.
Due to some special cases that have arisen with IP-MAC-Port Binding, this Switch
has been equipped with a special ACL Mode for IP-MAC-Port Binding. When enabled,
the Switch will create one entry in the Access Profile Table. The entry may only be
created if there is at least one Profile ID available on the Switch. If not, when the ACL
Mode is enabled, an error message will be prompted to the user. When the ACL Mode is
enabled, the Switch will only accept packets from a created entry in the IP-MAC-Port
Binding Setting window. All others will be discarded. The function is port-based, meaning
a user can enable or disable the function on the individual port.
An advantage of ARP mode is that it does not consume any ACL rules on the Switch.
There are also two port states: Strict and Loose, and only one state can be selected per
port. If a port is set to Strict state, all packets sent to the port are denied (dropped) by
default. The Switch will continuously compare all IP and ARP packets it receives on that
port with its IMPB entries. If the IP-MAC pair in the packet matches the IMPB entry, the
MAC address will be unblocked and subsequent packets sent from this client will be
forwarded. On the other hand, if a port is set to Loose state, all packets entering the port
are permitted (forwarded) by default. The Switch will continuously compare all ARP
packets it receives on that port with its IMPB entries. If the IP-MAC pair in the ARP packet
does not match the IMPB white list, the MAC address will be blocked and subsequent
packets sent from this client will be dropped.
Parameters
state – Configures the address binding port state to enable or disable. When the state is
enabled, the port will perform the binding check.
strict – This state provides a stricter method of control. If the user selects this mode, all
packets are blocked by the Switch by default. The Switch will compare all incoming ARP
and IP packets and attempt to match them against the IMPB white list. If the IP-MAC pair
matches the white list entry, the packets from that MAC address are unblocked. If not, the
MAC address will stay blocked. While the Strict state uses more CPU resources from
checking every incoming ARP and IP packet, it enforces better security and is thus the
recommended setting.
If the packet does not match an entry, the MAC address will be blocked. Other packets will be
dropped. The default mode is strict if not specified.
loose – This mode provides a looser way of control. If the user selects loose mode, the
Switch will forward all packets by default. However, it will still inspect incoming ARP
packets and compare them with the Switch’s IMPB white list entries. If the IP-MAC pair of
a packet is not found in the white list, the Switch will block the MAC address. A major
benefit of Loose state is that it uses less CPU resources because the Switch only checks
incoming ARP packets. However, it also means that Loose state cannot block users who
send only unicast IP packets. An example of this is that a malicious user can perform
DoS attacks by statically configuring the ARP table on their PC. In this case, the Switch
cannot block such attacks because the PC will not send out ARP packets.
ipv6 – For “state enable ipv6”, only the IPv6 filtering table is applied to the driver.
For “state enable” without specifying “ipv6”, only the IPv4 filtering table is applied to
the driver.
For “state enable all”, both IPv4 and IPv6 filtering tables are applied to the driver.
For example, if IPv6 is enabled but IPv4 is disabled, only the IPv6 Snooping entry is
used to create a HW filtering table. If the FDB is used as the HW filtering table and one
IPv6 entry is allowed to be forwarded, all IPv4 packets get forwarded.
allow_zeroip – Specifies whether to allow ARP packets with Source IP address 0.0.0.0.
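
The strict and loose port states described above, modelled as an added example (not code from the D-Link manual or firmware) so the coverage difference can be checked against a planned white list. The class and function names, addresses and traffic are constructed for illustration; the model assumes a MAC blocked in loose state stays blocked, which the manual does not specify.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    kind: str       # "arp" or "ip"
    src_ip: str
    src_mac: str

@dataclass
class ImpbPort:
    mode: str                 # "strict" or "loose"
    whitelist: frozenset      # IMPB white list of (ip, mac) pairs
    blocked: set = field(default_factory=set)

    def process(self, pkt: Packet) -> str:
        pair_ok = (pkt.src_ip, pkt.src_mac) in self.whitelist
        if self.mode == "strict":
            # Deny by default: every ARP and IP packet is checked.
            return "forward" if pair_ok else "drop"
        if self.mode == "loose":
            # Permit by default: only ARP packets are checked.
            if pkt.kind == "arp" and not pair_ok:
                self.blocked.add(pkt.src_mac)   # assumption: block is sticky
            return "drop" if pkt.src_mac in self.blocked else "forward"
        raise ValueError(f"unknown port state: {self.mode}")

def verdicts(mode, whitelist, traffic):
    port = ImpbPort(mode, frozenset(whitelist))
    return [port.process(p) for p in traffic]

def loose_only_forwards(whitelist, traffic):
    """Packets that strict state drops but loose state lets through."""
    strict = verdicts("strict", whitelist, traffic)
    loose = verdicts("loose", whitelist, traffic)
    return [p for p, s, l in zip(traffic, strict, loose)
            if s == "drop" and l == "forward"]

# Constructed sample data.
WHITELIST = {("10.0.0.5", "00:11:22:33:44:55")}
TRAFFIC = [
    Packet("arp", "10.0.0.5", "00:11:22:33:44:55"),  # bound host
    Packet("ip",  "10.0.0.5", "00:11:22:33:44:55"),
    Packet("ip",  "10.0.0.9", "00:aa:bb:cc:dd:01"),  # unbound, sends no ARP
    Packet("arp", "10.0.0.7", "00:aa:bb:cc:dd:02"),  # unbound, sends ARP first
    Packet("ip",  "10.0.0.7", "00:aa:bb:cc:dd:02"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, verdicts(mode, WHITELIST, TRAFFIC))
    print("loose-only:", loose_only_forwards(WHITELIST, TRAFFIC))
```

The only packet that differs between the two states is the IP packet from the unbound host that never sends ARP, which is the case the manual gives as the reason strict is the recommended setting.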
