TP-Link TL-SL5428E manual: ARP Inspection, Imitating Gateway, Cheating Gateway

Page 173

LAG:

Displays the LAG to which the port belongs.

11.2 ARP Inspection

According to the ARP implementation procedure described in 11.1.3 ARP Scanning, ARP lets Hosts in the same network segment communicate with one another and reach external networks through the Gateway. However, ARP is implemented on the premise that every Host and Gateway is trustworthy, so the procedure carries high security risks in a real, complex network. As a result, cheating attacks against ARP, such as imitating Gateway, cheating Gateway, cheating terminal Hosts and ARP Flooding Attack, frequently occur, especially in large networks such as campus networks. The following part briefly introduces these ARP attacks.

➢ Imitating Gateway

The attacker sends a forged Gateway MAC address to a Host; the Host automatically updates its ARP table after receiving the ARP response packets, so it can no longer access the network normally. The ARP Attack implemented by imitating Gateway is illustrated in the following figure.

Figure 11-9 ARP Attack - Imitating Gateway

As shown in the figure above, the attacker sends fake ARP packets carrying a forged Gateway address to the normal Host, and the Host automatically updates its ARP table after receiving them. When the Host then tries to communicate with the Gateway, it encapsulates its packets with this false destination MAC address, which breaks down normal communication.

➢ Cheating Gateway

The attacker sends wrong IP address-to-MAC address mapping entries for Hosts to the Gateway, so the Gateway can no longer communicate normally with the legitimate terminal Hosts. The ARP Attack implemented by cheating Gateway is illustrated in the following figure.
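The two attacks above differ only in which side's ARP table ends up poisoned, and both are caught the same way: by comparing the sender mapping in every ARP reply against a trusted IP-MAC binding table, which is what ARP Inspection does. The following added example (not code from the TP-Link manual or the switch firmware) parses constructed ARP replies and classifies conflicting ones as imitating Gateway, cheating Gateway or cheating terminal Host; the binding table, the gateway address and the helper names are assumptions for illustration.

```python
# Added example, not from the manual: a minimal ARP Inspection check that
# validates ARP replies against a trusted IP-to-MAC binding table.
# All addresses and packets below are constructed for illustration.
import struct

# Constructed trusted bindings (IP -> MAC), as IP-MAC Binding would hold them.
GATEWAY_IP = "192.168.0.1"
BINDINGS = {
    "192.168.0.1": "00:11:22:33:44:01",   # gateway
    "192.168.0.10": "00:11:22:33:44:10",  # host A
    "192.168.0.20": "00:11:22:33:44:20",  # host B
}

def parse_arp(payload: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP payload (RFC 826 field layout)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def inspect(pkt: dict) -> str:
    """Return 'ok', or the attack class a conflicting reply belongs to.
    Receivers cache the sender mapping (spa -> sha), so that is what is checked."""
    expected = BINDINGS.get(pkt["spa"])
    if expected is None:
        return "unknown-sender"        # no binding; a strict policy drops it
    if expected.lower() == pkt["sha"].lower():
        return "ok"
    # Mapping conflicts with the binding table: classify by who would be fooled.
    if pkt["spa"] == GATEWAY_IP:
        return "imitating-gateway"     # forged gateway MAC sent to a host
    if pkt["tpa"] == GATEWAY_IP:
        return "cheating-gateway"      # forged host MAC sent to the gateway
    return "cheating-terminal-host"    # forged host MAC sent to another host

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed ARP payload so the check can be exercised offline."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

if __name__ == "__main__":
    forged = build_arp(2, "de:ad:be:ef:00:01", GATEWAY_IP, "00:11:22:33:44:10", "192.168.0.10")
    print(inspect(parse_arp(forged)))  # imitating-gateway
```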

165
