D-Link DSA-3200 Technical Information Seite 146
- Seite / 321
- Inhaltsverzeichnis
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
xStack
®
DGS-3200 Series Layer 2 Managed Gigabit Ethernet Switch Web UI Reference Guide
132
Common IP Management Security Issues
Currently, certain limitations and issues in IP management structures can lead to serious security problems. Auditing mechanisms,
such as syslog, application log, firewall log, etc, are mainly based on client IP information. However, such log information is
meaningless if the client IP address can be easily changed. IP conflict, the most common problem in today’s networks, is another
major security concern. Without IMPB, any user can change an IP address manually and cause conflict with other resources, such
as other PCs, core switches, routers or servers. Not only does this duplicate IP create an auditing issue, it also poses potential risk
to the entire network.
Figure 5 - 8. Illustration of Common IP Security Problems
ARP spoofing attacks in which malicious users intercept traffic or interrupt connections by manipulating ARP packets are another
serious challenge in securing today’s network. Further information on how ARP spoofing attacks work can be found in the
Appendix, "Mitigating ARP Spoofing Attack via Packet Content ACL," located in the back of this manual.
Solutions to Improve IP Management Security
DGS-3200 Series switches have introduced IMPB technology to protect networks from attacks. By using IP-MAC-Port Binding,
all packets are dropped by a switch when the MAC address, IP address, and connected port are not in the IMPB white list. IMPB
allows the user to choose either ARP or ACL mode. In addition, an IMPB white list can be dynamically created with the DHCP
snooping option. DHCP snooping is a global setting and can be enabled on top of ACL or ARP mode. Each option has its
advantages and disadvantages.
ARP Mode
In ARP Mode, a switch performs ARP Packet Inspection in which it checks the IP-MAC pairs in ARP packets and denies
unauthorized ones. An advantage of ARP mode is that it does not consume any ACL rules on the switch. Nonetheless, since the
switch only checks ARP packets, it cannot block unauthorized clients who do not send out ARP packets.
ACL Mode
In ACL Mode, a switch performs IP Packet Inspection in addition to ARP Packet Inspection. Essentially, ACL rules will be used
to permit statically configured IMPB entries and deny other IP packets with the incorrect IP-MAC pairs. The distinct advantage of
ACL Mode is that it ensures better security by checking both ARP Packets and IP Packets. However, doing so requires the use of
ACL rules. ACL Mode can be viewed as an enhanced version of ARP Mode because ARP Mode is enabled by default when ACL
Mode is selected.
Strict and Loose State
Other than ACL and ARP mode, users can also configure the state on a port for granular control. There are two states, Strict and
Loose, and only one state can be selected per port. If a port is set to Strict state, all packets sent to the port are denied (dropped) by
default. The switch will continuously compare all IP and ARP packets it receives on that port with its IMPB entries. If the IP-
MAC pair in the packet matches the IMPB entry, the MAC address will be unblocked and subsequent packets sent from this client
will be forwarded. On the other hand, if a port is set to Loose state, all packets sent to the port are permitted (forwarded) by
default. The switch will continuously compare all ARP packets it receives on that port with its IMPB entries. If the IP-MAC pair
in the ARP packet does not match the IMPB white list, the MAC address will be blocked and subsequent packets sent from this
client will be dropped.
192.168.1.1
00E0-0211-1111
192.168.1.2
00E0-0211-2222
192.168.1.3
00E0-0211-3333
IP Conflict
IP Conflict
Auditing
Problem
- Table of Contents 3
- Intended Readers 11
- Safety Cautions 12
- Lithium Battery Precaution 14
- Section 1 15
- Introduction 15
- Web-based User Interface 16
- Web Pages 17
- Configuration 18
- Device Information 19
- System Information 19
- Serial Port Settings 20
- IP Address 20
- Port Configuration 22
- Port Settings 23
- Port Description Settings 25
- Static ARP Settings 26
- Gratuitous ARP 27
- User Accounts 28
- Command Logging Settings 29
- System Log Configuration 30
- System Severity Settings 31
- MAC Address Aging Time 32
- Web Settings 32
- Telnet Settings 33
- Password Encryption 33
- CLI Paging Settings 33
- Firmware Information 34
- Dual Configuration Settings 35
- Power Saving 37
- Power Saving Settings 38
- Power Saving LED Settings 39
- Power Saving Port Settings 39
- MAC Notification Settings 40
- SNMP Settings 41
- SNMP Global State Settings 42
- SNMP View Table 43
- SNMP Group Table 44
- SNMP User Table 45
- SNMP Community Table 46
- SNMP Host Table 47
- SNMP v6Host Table 48
- SNMP Engine ID 48
- SNMP Trap Configuration 49
- Single IP Management 50
- Upgrade to v1.61 51
- Single IP Settings 52
- Topology 53
- Tool Tips 55
- Right-Click 56
- Group Icon 56
- Commander Switch Icon 57
- Member Switch Icon 58
- Candidate Switch Icon 58
- Firmware Upgrade 60
- Upload Log File 60
- SD Card Backup Settings 62
- SD Card Execute Settings 62
- L2 Features 64
- IEEE 802.1Q VLANs 65
- 802.1Q VLAN Tags 66
- Port VLAN ID 67
- Tagging and Untagging 67
- Ingress Filtering 68
- Default VLANs 68
- Port-based VLANs 68
- VLAN Segmentation 69
- VLAN and Trunk Groups 69
- 802.1v Protocol VLAN 72
- GVRP Settings 74
- MAC-based VLAN Settings 75
- Private VLAN Settings 75
- PVID Auto Assign Settings 78
- Voice VLAN 78
- Voice VLAN Port Settings 79
- Voice VLAN OUI Settings 80
- Voice VLAN Device 80
- VLAN Trunk Settings 81
- Browse VLAN 82
- Egress Filter Settings 83
- L2 Multicast Control 83
- IGMP Snooping 84
- IGMP Router Port 88
- IGMP Snooping Counter 89
- IGMP Host Table 90
- MLD Snooping 91
- MLD Router Port 95
- MLD Snooping Counter 97
- Multicast VLAN 98
- Multicast Filtering 101
- Multicast Filtering Mode 103
- Port Mirroring 104
- Spanning Tree 105
- Port Transition States 106
- Edge Port 106
- P2P Port 106
- STP Bridge Global Settings 107
- STP Port Settings 108
- STP Instance Settings 111
- MSTP Port Information 111
- Link Aggregation 112
- Forwarding & Filtering 115
- Multicast Forwarding 116
- LLDP Global Settings 117
- LLDP Port Settings 118
- LLDP Management Address List 119
- LLDP Basic TLVs Settings 119
- LLDP Dot1 TLVs Settings 120
- LLDP Dot3 TLVs Settings 121
- LLDP Statistics System 122
- LLDP Local Port Information 123
- LLDP Remote Port Information 124
- LLDP-MED 125
- NLB FDB Settings 127
- L3 Features 129
- IPv6 Interface Settings 130
- IPv6 Route Settings 131
- IPv6 Neighbor Settings 131
- Section 5 133
- Understanding QoS 134
- Bandwidth Control 135
- Traffic Control 136
- 802.1p Default Priority 139
- 802.1p User Priority 139
- QoS Scheduling Mechanism 140
- Security 141
- RADIUS Accounting Settings 142
- RADIUS Authentication 143
- RADIUS Account Client 144
- IP-MAC-Port Binding (IMPB) 145
- ARP Mode 146
- ACL Mode 146
- Strict and Loose State 146
- IMPB Global Settings 147
- IMPB Port Settings 148
- IMPB Entry Settings 149
- MAC Block List 150
- DHCP Snooping 151
- ND Snoop 152
- Port Security 153
- Port Lock Entries 154
- DHCP Server Screening 155
- DHCP Offer Filtering 156
- Authentication Server 158
- Authenticator 158
- Authentication Process 159
- 802.1X Global Settings 162
- 802.1X Port Settings 163
- 802.1X User Settings 165
- Guest VLAN Settings 165
- Authenticator State 166
- Authenticator Statistics 166
- Authenticator Diagnostics 168
- SSL Settings 171
- SSL Certification Settings 173
- SSH Settings 174
- SSH User Authentication List 176
- Enable Admin 178
- Authentication Server Group 179
- Login Method Lists Settings 182
- Enable Method Lists Settings 183
- WAC Global Settings 190
- WAC User Settings 191
- WAC Port Settings 192
- WAC Authenticating State 193
- WAC Customize Page 193
- JWAC Global Settings 194
- JWAC Port Settings 196
- JWAC User Settings 197
- JWAC Authentication State 198
- JWAC Customize Page Language 199
- JWAC Customize Page 199
- Compound Authentication 200
- 802.1X & IMPB Mode 201
- IMPB & WAC/JWAC Mode 202
- MAC & IMPB Mode 202
- IGMP Access Control Settings 206
- BPDU Attack Protection 208
- Loopback Detection Settings 209
- Traffic Segmentation 210
- Safeguard Engine Settings 211
- Trusted Host Settings 212
- Section 7 214
- ACL Configuration Wizard 214
- Access Profile List 215
- CPU Access Profile List 229
- Time Range Settings 242
- Network Application 244
- DHCPv6 Relay 247
- DHCP Server 248
- DHCP Server Global Settings 249
- DHCP Server Pool Settings 250
- DHCP Server Manual Binding 251
- DHCP Local Relay Settings 252
- DHCP Option 12 Settings 254
- DNS Resolver 254
- SMTP Settings 257
- SNTP Settings 258
- Ping Test 260
- Section 9 262
- Ethernet OAM 262
- Ethernet OAM Event Log 264
- Ethernet OAM Statistics 264
- DULD Settings 265
- Cable Diagnostics 266
- Cable Diagnostics Notes 267
- Monitoring 268
- DRAM & Flash Utilization 269
- Port Utilization 270
- Packet Size 270
- Packets 272
- UMB_Cast (RX) 274
- Transmitted (TX) 275
- Received (RX) 277
- Browse ARP Table 280
- Browse Router Port 280
- Browse MLD Router Port 281
- Browse Session Table 281
- IGMP Snooping Group 282
- MLD Snooping Group 282
- MAC Address Table 283
- System Log 284
- Save and Tools 285
- Save Configuration 286
- Save Log 286
- Save All 287
- Download Firmware to SD Card 288
- Reboot System 290
- Using Packet Content ACL 291
- Ethernet Header 294
- Example topology 295
- Appendix D – Trap Logs 318
Verwandte Produkte und Handbücher für Vernetzung D-Link DSA-3200
Vernetzung D-Link DHP-306AV Bedienungsanleitung
(56 Seiten)
(56 Seiten)
Vernetzung D-Link DSL-320T Betriebsanweisung
(66 Seiten)
(66 Seiten)
Vernetzung D-Link DSL-320B Bedienungsanleitung
(40 Seiten)
(40 Seiten)
Vernetzung D-Link 707P - DI Router Spezifikationen
(109 Seiten)
(109 Seiten)
Vernetzung D-Link DGE-550SX Betriebsanweisung
(25 Seiten)
(25 Seiten)
Vernetzung D-Link DCM-301 Bedienungsanleitung
(20 Seiten)
(20 Seiten)
Vernetzung D-Link DI-206 Bedienungsanleitung
(15 Seiten)
(15 Seiten)
Vernetzung D-Link DAP-3220 Bedienungsanleitung
(84 Seiten)
(84 Seiten)
Vernetzung D-Link DWR-510 Bedienungsanleitung
(62 Seiten)
(62 Seiten)
© 2020, manymanuals.de. Alle Rechte vorbehalten. | 0.090 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern