xStack
®
DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch
124
ACL Mode
In ACL Mode, a switch performs IP Packet Inspection in addition to ARP Packet Inspection. Essentially, ACL rules will be used
to permit statically configured IMPB entries and deny other IP packets with the incorrect IP-MAC pairs. The distinct advantage of
ACL Mode is that it ensures better security by ch ecking both ARP Packets and IP Packets. However, doing so requires the use of
ACL rules. ACL Mode can be viewed as an enhanced version of ARP Mode because ARP Mode is enabled by default when ACL
Mode is selected.
Strict and Loose State
Other than ACL and ARP mode, users can also configure the state on a port for granular control. There are two states, Strict an d
Loose, and only one state can be selected per port. If a port is set to Stric t state, all packet s sent to the port are denied (dropped)
by default. The switch will c ontinuously compare all IP and ARP packets it receives on that port with its IMPB entries. If the IP-
MAC pair in the packet matches the IMPB entry, the MAC address will be unblocked and subsequent packets sent from this client
will be fo rwarded. On the o ther hand, if a port is set to Loose state, all p ackets sen t to th e port are p ermitted (forwarded) b y
default. The switch will continuously compare all ARP packets it receives on that port with its IMPB entries. If the IP-MAC pair
in the ARP packet does not match the IMPB wh ite list, the MAC address will b e blocked and subsequent packets sent from this
client will be dropped.
DHCP Snooping Option
If DHCP snooping is enabled, the switch learns IP-MAC pairs by snooping DHCP packets automatically and then saving them to
the IP-MAC-Port Binding white list. This enables a hassle-free configuration because the administrator does not need to manually
enter each IM PB entry. A prerequisite for t his is that t he valid DHCP server’s IP-MAC pair m ust be on the switch’s IMPB list;
otherwise the DHCP server packets will be dropped. DHCP snooping is gene rally cons idered to be m ore secure because it
enforces all clients to acquire IP through the DHCP server.
An ex ample o f DH CP snooping in which PC-A and PC-B g et th eir I P addresses from a D HCP server is d epicted b elow. The
switch snoops the DHCP conversation between PC-A, PC-B, and the DHCP server. The IP address, MAC address, and connecting
ports of both PC-A and PC-B are learned and stored in the switch’s IMPB white list. Therefore, these PCs will be able to connect
to the network. Then there is PC-C, whose IP address is man ually configured by the user. Since this PC’s IP-MAC pair does not
match the one on Switch’s IMPB white list, traffic from PC-C will be blocked.
PC-A
192.168.1.1 00E0-0211-111 Port 1
192.168.1.2 00E0-0211-222 Port 2
Figure 5 - 5. Example of DHCP Snooping
The IP-MAC-Port Binding (IMPB) folder contains five windows: IMPB Global Settings, IMPB Port Settings, IMPB Entry
Settings, DHCP Snooping Entries, and MAC Blocked List.
IMP Binding Enabled
Address Learning
White List
(IP assigned by DHCP for
PC-A and PC-B)
192.168.1.2
00E0-0211-2222
192.168.1.1
00E0-0211-3333
(IP manually configured by user)
DHCP Server
PC-B
PC-C
Doesn’t match the
White List block PC-C
192.168.1.1
00E0-0211-1111
To Next Page
Loading...
