D-Link DGS-3700 CPU Interface Filtering

DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual

205

Counter Enable or disable the counter settings.

Ports Specifies that the access rule will take effect on one port or a ran ge of ports.

VLAN Name Specifies the access rule will take effect on the VLAN Name specified.

VLAN ID Specifies the access rule wil l take effect on the VLAN ID specified.

Click Apply to display the following Access Rule List window.

Figure 6 - 26 Access Rule List (Packet Content)

To view the configurations for previously configured rule click on the corres ponding Show Details Button which will

display the following Access Rule Details window.

Figure 6 - 27 Access Rule Detail Information (Packet Content)

NOTE: Address Resolution Protocol (ARP) is the standard for f inding a

host's hardware address (MAC Address). However, ARP is vulnerable as

it can be easily spoofed and utilized to attack a LAN. For a more detailed

explanation on how ARP works and how to employ D-Link’s advanced

unique Packet Content ACL to prevent ARP spoofing attack , please see

Appendix B, at the end of this manual.

CPU Interface Filtering

Due to a chipset limitation and needed extra switch security, the Switch incorporates CPU Interf ace filtering. This

added feature increases the running security of the Switch by enablin g the user to create a list of ac cess rules for

packets destined for the Switch’s CPU interface. Employed similarly to the Access Pr ofile feature previously

mentioned, CPU interface filtering examines Ethernet, IP and Packet Cont ent Mask packet headers destined for the

CPU and will either forward them or filter them, based on the user’s im plem entation. As an added f eature f or the C PU

Filtering, the Switch allows the CPU filtering m echanism to be enabled or disabled gl obally, permitting the user to

create various lists of rules without immediately enabling them.

Creating an access profile for the CPU is divided into two basic parts. The first is to specify which part or par ts of a

frame the Switch will examine, such as the MAC source address or th e IP destination address. T he second part is

entering the criteria the Switch will use to determine what to do with the f rame. The entire process is described below.

Contents

Main Copyright 2009. All rights reserved User Manual Product Model: DGS-3700 Series Layer 2 Managed Gigabit Ethernet Switch Release 1.00 Page Table of Contents Page Page Page Page Page Page Page Preface Intended Readers Typographical Conventions Notes, Notices, and Cautions Section 1 Web-based Switch Configuration Introduction Login to Web Manager Web-based User Interface Areas of the User Interface Web Pages Page Section 2 Configuration Device Information System Information Serial Port Settings IP Address Page Setting the Swiths IP Address using the Console Interface Interface Settings Page IPv6 Route Settings IPv6 Neighbor Settings Port Configuration Port Settings Port Description Port Error Disabled Static ARP Settings User Accounts Admin, Operator and User Privileges Page System Log Configuration System Log Settings System Log Server Page System Severity Settings DHCP Relay DHCP Relay Global Settings Page The Implementation of DHCP Information Option 82 on the Switch DHCP Relay Interface Settings DHCP Relay Option 60 Default Settings DHCP Relay Option 60 Settings DHCP Relay Option 61 Default Settings DHCP Relay Option 61 Settings Out of Band Management Settings External Alarm Settings DHCP Auto Configuration Settings MAC Addre s s Aging Time Web Settings Telnet Settings Password Encryption Clipaging Settings Firmware Information Dual Configuration Settings Ping Test Local Loopback Ports Settings VLAN Counter Settings SNTP Settings Time Settings TimeZone Settings MAC Notification Settings MAC Notification Global Settings MAC Notification Port Settings SNMP Settings Traps MIBs SNMP Global State Settings SNMP View Table SNMP Group Table SNMP User Table SNMP Community Table SNMP Host Table SNMP v6Host Table SNMP Engine ID SNMP Trap Configuration Time Range Settings sFlow sFlow Global State Settings sFlow Analyzer Server Settings sFlow Flow Sampler Settings sFlow Counter Poller Settings Single IP Management The Upgrade to v1.6 Single IP Settings Topology Page Page Tool Tips Right-Click Group Icon Commander Switch Icon Member Switch Icon Candidate Switch Icon Menu Bar File Group Device View Firmware Upgrade Configuration File Backup/Restore Upload Log File DDM Browse DDM Status List DDM Settings DDM Temperature Threshold Settings DDM Voltage Threshold Settings DDM Bias Current Threshold Settings DDM Tx Power Threshold Settings DDM Rx Power Threshold Settings Page Section 3 L2 Features Jumbo Frame VLANs Understanding IEEE 802.1p Priority VLAN Description Notes About VLANs IEEE 802.1Q VLANs 802.1Q VLAN Tags Port VLAN ID Tagging and Untagging Ingress Filtering Default VLANs Port-based VLANs VLAN Segmentation VLAN and Trunk Groups Double VLANs Regulations for Double VLANs 802.1Q VLAN Page Page Page Subnet VLAN Subnet VLAN Settings VLAN Precedence Settings Q-in-Q Q-in-Q Settings VLAN Translation Settings Q-in-Q and VLAN Translation Rules 802.1v Protocol VLAN 802.1v Protocol Group Settings 802.1v Protocol VLAN Settings RSPAN Settings GVRP Settings GVRP Global Settings MAC-based VLAN Settings PVID Auto Assign Settings Port Trunking Understanding Port Trunk Groups Page LACP Port Settings Traffic Segmentation BPDU Tunneling Settings IGMP Snooping IGMP Snooping Settings Page IGMP Snooping Rate Limit Settings IGMP Snooping Static Group Settings IGMP Multicast Group Profile Settings IGMP Snooping Multicast VLAN Settings IPv4 Multicast Profile Settings IPv4 Limited Multicast Range Settings IPv4 Max Multicast Group Settings MLD Snooping MLD Control Messages MLD Snooping Settings Page MLD Snooping Rate Limit Settings MLD Snooping Static Group Settings MLD Multicast Group Profile Settings MLD Snooping Multicast VLAN Settings IPv6 Multicast Profile Settings IPv6 Limited Multicast Range Settings IPv6 Max Multicast Group Settings Port Mirror Loopback Detection Settings Spanning Tree 802.1w Rapid Spanning Tree Port Transition States Edge Port P2P Port 802.1D and 802.1w Compatibility STP Bridge Global Settings Page STP Port Settings MST Configuration Identification STP Instance Settings MSTP Port Information Forwarding & Filtering Unicast Forwarding Multicast Forwarding Multicast Filtering Mode LLDP LLDP Global Settings LLDP Port Settings LLDP Management Address List LLDP Basic TLVs Settings LLDP Dot1 TLVs Settings LLDP Dot3 TLVs Settings LLDP Statistics System LLDP Local Port Information LLDP Remote Port Information CFM CFM Port Settings CFM CCM PDUs Forwarding Mode CFM MPs Reply LTRs CFM MIPCCM List Connectivity Fault Management Settings CFM Loopback Settings CFM Linktrace Settings Ethernet OAM Ethernet OAM Settings Ethernet OAM Configuration Settings Section 4 QoS Advantages of QoS Understanding QoS Page HOL Blocking Pevention Bandwidth Control Traffic Control Page 802.1p Default Priority 802.1p User Priority QoS Scheduling Mechanism QoS Scheduling In Band Manage Settings SRED SRED Settings Page Page Page 802.1p Map Settings Section 5 Security Safeguard Engine Page Trusted Host IP-MAC-Port Binding IMP Binding Global Settings IMP Binding Port Settings Page IMP Binding Entry Settings DHCP Snooping Entries MAC Block List Port Security Port Security Port Settings Port Security VLAN Settings Port Security Entries DHCP Server Screening Settings DHCP Screening Port Settings DHCP Offer Filtering 802.1X 802.1X Port-Based and Host-Based Access Control Authentication Server Authenticator Client Authentication Process Understanding 802.1X Port-based and Host-based Network Access Control Port-Based Network Access Control Host-Based Network Access Control 802.1X Global Settings 802.1X Port Settings Page 802.1X User Authentication RADIUS Server Initialize Port(s) Reauthenticate Port(s) Guest VLAN Configuration Limitations Using the Guest VLAN Guest VLAN SSL Settings Download Certificate Ciphersuite Page SSH SSH Settings SSH Authmode and Algorithm Settings SSH User Authentication Lists Access Authentication Control Page Authentication Policy Settings Application Authentication Settings Authentication Server Group Authentication Server Login Method Lists Enable Method Lists Local Enable Password Settings RADIUS Accounting Settings MAC-based Access Control Notes About MAC-based Access Control MAC-based Access Control Settings Page MAC-based Access Control Local Settings Web Authentication Conditions and Limitations Web-based Access Control Settings Web-based Access Control User Settings NetBIOS Filtering NetBIOS Filtering Settings Section 6 ACL ACL Configuration Wizard Access Profile List Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page CPU Interface Filtering CPU Access Profile List Page Page Page Page Page Page Page Page Page Page ACL Finder ACL Flow Meter Page Page Section 7 Monitoring Device Status Cable Diagnostic CPU Utilization Port Utilization Packet Size Page Memory Utilization Packets Received (RX) Page UMB_cast (RX) Transmitted (TX) Page Page Errors Received (RX) Transmitted (TX) Page Port Access Control RADIUS Authentication RADIUS Account Client Page Authenticator State Authenticator Statistics Authenticator Session Statistics Authenticator Diagnostics Page Browse ARP Table VLAN Browse VLAN Show VLAN Ports IGMP Snooping Browse IGMP Router Port IGMP Snooping Group IGMP Snooping Forwarding Table Browse IGMP Snooping Counter MLD Snooping Browse MLD Router Port MLD Snooping Group MLD Snooping Forwarding Table Browse MLD Snooping Counter Browse Session Table CFM CFM Packet Counter List CFM Packet Counter CCM List Browse CFM Fault MEP Browse CFM Port MP List MAC Address Table Browse VLAN Counter Statistics Ethernet OAM Browse Ethernet OAM Event Log Browse Ethernet OAM Statistics Page Historical Counter & Utilization Browse Historical Counter Browse Historical Utilization System Log Page Section 8 Save Services and Tools Save Configuration ID 1 Save Configuration ID 2 Save Log Save All Configuration File Backup & Restore Upload Log File Reset Download Firmware Reboot System Appendix A Mitigating ARP Spoofing Attacks Using Packet Content ACL Page Page Page Page Example topology Configuration Page Page Appendix B System Log Entries Page Page Page Page Page Page Page Page DGS-3700 Series Trap List Proprietary Trap List Page Appendix C Glossary Page Appendix D Password Recovery Procedure