IP Source Guard, 141 | ZyXEL Communications MES-2110 instruction

19

IP Source Guard

19.1 Overview

IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and ARP frames in your network. A binding contains these key attributes:

•MAC address

•VLAN ID

•IP address

•Port number

When the MES-2110 receives a DHCP or ARP frame, it looks up the appropriate MAC address, VLAN ID, IP address, and port number in the binding table. If there is a binding, the MES-2110 forwards the frame. If there is not a binding, the MES- 2110 discards the frame.

The MES-2110 builds the binding table by snooping DHCP frames (dynamic bindings) and from information provided manually by administrators (static bindings).

IP source guard consists of the following features:

•Static bindings. Use this to create static bindings in the binding table.

•DHCP snooping. Use this to filter unauthorized DHCP frames on the network and to build the binding table dynamically.

•ARP inspection. Use this to filter unauthorized ARP frames on the network.

If you want to use dynamic bindings to filter unauthorized ARP frames (typical implementation), you have to enable DHCP snooping before you enable ARP inspection.

MES-2110 User’s Guide

141

Image 141

ZyXEL Communications MES-2110 manual IP Source Guard, 141

Contents

MES-2110 Page Intended Audience About This Users Guide Customer Support Syntax Conventions Document Conventions Dslam MES-2110 Computer ServerFirewall Telephone Router Safety Warnings Safety Warnings MES-2110 User’s Guide Contents Overview Contents Overview MES-2110 User’s Guide Table of Contents Chapter System Details 10.1 Igmp 137 Chapter Command Line Interface 179 Index 229 Table of Contents MES-2110 User’s Guide Introduction OverviewBackbone Application Backbone Application Bridging Example Ieee 802.1Q Vlan Application Examples High Performance Switching Example Metro Ethernet Shared Server Using Vlan Example Metro Ethernet Ways to Manage the MES-2110 Good Habits for Managing the MES-2110 Hardware Installation and Connection Installation ScenariosDesktop Installation Procedure Mounting the MES-2110 on a Rack Rack-mounted Installation Requirements Attaching the Mounting Brackets Attaching the Mounting Brackets to the MES-2110 Mounting the MES-2110 on a Rack Mounting the MES-2110 on a Rack Front Panel Hardware Overview Gigabit Ethernet Ports Console PortFront Panel Connections Label Description Mini-GBIC Slots Default Ethernet Negotiation Settings Transceiver Installation Removing the Fiber Optic Cables Power Connections Overview DC Power Connection AC Power Connection LEDs Powering on the MES-2110LED Descriptions LED Color Statu Description Mbps Ethernet network Green Blinking Igmp Snooping Tutorials Set Igmp Query Mode to Auto Radius Configuration Tutorials Tutorials Setting Value MVR ConfigurationMVR Tutorial Values Based802.1q before proceeding Open the Configuration Igmp Menu MVR screen Tutorials Vlan ID Priority For Pri-Overide, select Enable Untrusted ARP Inspection Set Action to Enable and Dhcp Snooping Vlan Mode to All-VLAN Outgoing Traffic Bandwidth Frame Tagging Example Frame Tagging To configure frame tagging Tutorials MES-2110 User’s Guide Web Configurator System LoginIntroduction Web Configurator Login Main Screen Web Configurator Main Screen Navigation Panel Sub-links Overview System Details Configuration Mgmt Config System Restart Menu System Details Configuration Mgmt Config Restart Menu Web Configurator Screen Sub-links DetailsSnmp Sntp Navigation Panel Links Link DescriptionDhcp ARP Saving Your Configuration Set Up the Administrative PasswordMade on the MES-2110 and restart the MES-2110 Switch Lockout Resetting the MES-2110Reload the Configuration File Resetting the MES-2110 Via the Console Port System Information Screen System Details Board Information Screen Address, subnet mask and a default gateway IP address Dhcp Configuration ScreenIP address from a Dhcp server if Dhcp client is enabled Undo Click this to restore your last saved settings Apply System Details Dhcp Config Apply Port Configuration Screen Configuration Auto Truncated in some Web Configurator screens Disabled Duplex This indicates the port’s duplex mode Half or FullPort Status Screen Manage the MES-2110 via that port This shows whether auto-negotiation is On or Off Rmon Status Screen RX+TX Configuration Rmon Status Loop Detection Switch in Loop State Loop detection Probe Frame Loop Detection Screen Feature Snmp traps when it shuts down a port via the loop detectionEnabled, the MES-2110 sends probe frames from this port to Down this port Loop Detection MES-2110 User’s Guide Jumbo Frame Configuration Screen Jumbo FrameFrame Size Jumbo Frame MES-2110 User’s Guide 802.1x Ieee 802.1x Authentication Guest Vlan Ieee 802.1x Authentication Process 10.2 802.1x Global Configuration Screen MES-2110. The key is not sent over the network 10.3 802.1x Radius Server Configuration ScreenServer UDP Port Number 1812 Server Before configuring it on each port 10.4 802.1x Port Configuration Screen Guest Vlan Reauthenticat Clients for port access 10.5 802.1x Radius Server Configuration Screen Radius and TACACS+ Technical ReferenceSupported Radius Attributes Radius vs. TACACS+ Attributes Used for Authenticating Privilege Access Attributes Used for Authentication Attributes Used for Accounting Attribute Start INTERIM-UPDATE StopRadius Attributes Exec Events via Console Radius Attributes Exec Events via Telnet/SSH Radius Attributes-Exec Events via Attributes Used for Accounting Ieee 802.1x Events 802.1x MES-2110 User’s Guide STP Terminology BridgeSTP Path Costs Link Recommended Allowed Speed Value Range Path 16Mbps 40 to Cost 100Mbps 10 to 1Gbps 10Gbps How STP Works STP Port States Bridge Configuration ScreenSTP Port States Port Description State Are done configuring Rstp System Configuration ScreenYou select Rstp 802.1W in the Ring Protocol field Tunnel port receives Bridge Protocol Data Units Bpdu Determines Hello Time, Max Age and Forwarding Delay Same priority, the switch with the lowest MAC address willRoot Bridge Information List box As a general rule Allowed range is 4 to 30 secondsSelected from among the MES-2110 ports attached to Network. The allowed range is 6 to 40 seconds Spanning Tree Port Configuration 255 and the default value isCost 1~65535 Enter the port’s path cost P2P Tpid Introduction to Ieee 802.1Q Tagged VLANsUser Priority CFI Vlan ID Ieee 802.1Q Vlan Terminology Forwarding Tagged and Untagged FramesVlan Term Description Parameter Vlan Vlan Type Screen Port-Based Vlan ScreenVlan Type Use this to set the MES-2110 to Port-Based or Tag Then you cannot access the web configurator from a computer Port-Based Vlan Configuration100 Connected to this port Vlan Stacking Tag-Based Vlan ScreensVlan Stacking Example 101 102 Vlan Stacking Port Roles 103 Vlan Tag FormatVlan Tag Format Type Priority 104 Frame FormatSingle and Double Tagged 802.11Q Frame Format 802.1Q Frame Vlan Stacking Configuration Screen 105SP Tpid Spvid 106 Tag-Based Port Information Screen 107Pvid Enter the Vlan ID from 1-4094 that you want to configure Tag-Based Port Configuration Screen108 Select whether you want to Add or Modify a Vlan ID 109 Management Vlan Screen Unless your current access belongs to the new Vlan 110Management Vlan This is the current management Vlan Bandwidth Control Setup Bandwidth Control111 112 Broadcast Storm Control Setup Broadcast Storm Control113 Storm Control Configuration 114Storm Control Status Port Mirroring Setup Port Mirroring115 Volatile memory when you are done configuring 116Select the monitor port number from the list Link Aggregation Dynamic Link Aggregation117 Link Aggregation ID Peer Switch Link Aggregation ID Local SwitchStatic Trunking Example Link Aggregation ID 119 Link Aggregation Setting Link Aggregation Control Protocol 120Lacp Lacp Link Status 121MAC 122 IP Multicast Addresses Igmp Snooping123 Igmp Configuration Igmp Snooping and VLANs124 Igmp Vlan 125 126 Igmp Vlan Query Mode Igmp Status MVR Overview127 Types of MVR Ports MVR ModesHow MVR Works 128 129 General MVR Configuration Disable to turn this feature off 130Select Dynamic to send Igmp reports to all MVR source ports 131 MVR Group Configuration 132 Group ConfigurationDrop-down list box MVR Group Status 133 MVR Configuration Example 134 135 MVR Group Configuration Example 136 Dhcp Relay Agent Information Dhcp Relay Configuration137 Relay Agent Information 138 Dhcp Relay ConfigurationBytes This is the Vlan that the port belongs to To a Dhcp server Option82 Information 139 140 141 IP Source Guard 142 Dhcp Snooping Overview 143 Dhcp Snooping Configuration Dhcp requests will not succeed 144 Mode VLANs or specific VLANs to Dhcp servers Dhcp Snooping Dhcp Binding Table145 Ddhhmm 146 Configuring ARP Inspection ARP Inspection Screen147 Addresses permanently 148 149 150 151 MAC 152 MAC Table Status Screen MES-2110 or static manually configured Undo Click this to load your last saved settings ApplyLock MAC Address Learning Screen 153 154 MAC Filter Configuration ScreenPort This is the port number Lock To activate MAC address learning on the port 155 Addresses may access port 2 at any one time. a sixth device MAC Limit Configuration Screen156 Aged out. MAC address aging out time can be set in the MAC QoS Base Configuration Screen QoS157 158 Configuring the Base Configuration Screen 159 160 802.1p Priority Table IP Dscp Priority Table Tag Priority Table161 Number This is the Ieee 802.1p priority level Priority 162 Configuration QoS Menu IP Dscp Priority 163 Priority Override Configuration Screen 164 Mgmt Config and System Restart Menu Serial Port Configuration Screen165 166 Snmp Configuration Screens Command Description Snmp CommandsSnmp Communities Screen IP Trap Manager Screen Sntp Screen 168Traps to 169 170 Alarms and Logs Syslog 171 Characters using characters found on a standard keyboard User Configuration ScreenUser Password 172 Cable Test Screen 173PHY RX/TX Host DoS Protection 174Test Port Abnormal Traffic Detection Screen 175Fields below 176 Upgrading the Firmware 177 Managing the Configuration File 178 Restarting the System Setting Default Value Command Line InterfaceConsole Port Management Logging Command / Keys Description Using Shortcuts and Getting HelpSaving Changes 180 Exit Command Command ModesBasic Commands Logging Out 182 Basic Commands Privileged Command Mode Privileged Commands183 184 Command line interface Make while using the MES-2110185 Permanently save any changes you Configuration Mode Commands Configuration Mode186 Ancillary Trigger Description 187 188 189 190 Address over Telnet 191 192 193 Igmp Snooping Example 194 Radius Configuration Example MVR-Configuration Mode Commands MVR ModeThis command to work 195 196 MVR Command Example Vlan Mode Vlan Mode Commands197 Interface Mode Vlan ID Priority Example198 199 Interface Mode Commands 200 201 Port, the port must allow frames 202Bytes 1522 bytes + 4 bytes for Second tag to pass through it Untrusted ARP Inspection Example Sets the service provider Vlan ID of the current PortsOutgoing Traffic Bandwidth Limit Example 203 204 Frame Tagging Examples 205 206 Troubleshooting Power, Hardware Connections, and LEDs207 208 MES-2110 Access and Login Advanced Suggestions 209 Pop-up Windows, JavaScript and Java Permissions 210 211 MES-2110 Configuration and Console 212 My changes in the Web Configurator keep getting overwritten 213 214 Hardware Specifications Product SpecificationsSpecification Description 215 Firmware Specifications Feature Description216 217 218 Standards SupportedStandard Description Installing a Fuse Removing a Fuse219 220 221 Common Services Commonly Used Services 222Name Protocol Ports Description 223 224 Copyright Certifications225 FCC Warning CE Mark Warning 226 227 ZyXEL Limited Warranty 228 229 Index 230 Password 58 path cost 89, 93 port authentication MVR 127 configuration231 TACACS+ 232 Weighted round robin scheduling