ZyXEL Communications MES-2110 CHAPTER 19

MES-2110 User’s Guide 141

CHAPTER 19

IP Source Guard

19.1 Overview

IP source guard uses a binding table to distinguish between authorized and

unauthorized DHCP and ARP frames in your network. A binding contains these key

attributes:

• MAC address

•VLAN ID

• IP address

•Port number

When the MES-2110 receives a DHCP or ARP frame, it looks up the appropriate

MAC address, VLAN ID, IP address, and port number in the binding table. If there

is a binding, the MES-2110 forwards the frame. If there is not a binding, the MES-

2110 discards the frame.

The MES-2110 builds the binding table by snooping DHCP frames (dynamic

bindings) and from information provided manually by administrators (static

bindings).

IP source guard consists of the following features:

• Static bindings. Use this to create static bindings in the binding table.

• DHCP snooping. Use this to filter unauthorized DHCP frames on the network and

to build the binding table dynamically.

• ARP inspection. Use this to filter unauthorized ARP frames on the network.

If you want to use dynamic bindings to filter unauthorized ARP frames (typical

implementation), you have to enable DHCP snooping before you enable ARP

inspection.

Contents

Main MES-2110 Intelligent Layer 2 Switch Page About This User's Guide Customer Support Document Conventions Warnings and Notes Warnings tell you about things that could harm you or your device. Syntax Conventions Page Safety Warnings MES-2110 Users Guide 7 Safety Warnings Page Contents Overview Page Table of Contents Page Page Page Page Page Page Page CHAPTER 1 Introduction 1.1 Overview 1.1.1 Backbone Application Figure 1 Backbone Application 1.1.2 Bridging Example Figure 2 Bridging Application 1.1.3 High Performance Switching Example Figure 3 High Performance Switched Workgroup Application 1.1.4 IEEE 802.1Q VLAN Application Examples 1.1.4.1 Tag-based VLAN Example Page Figure 5 Metro Ethernet 1.2 Ways to Manage the MES-2110 1.3 Good Habits for Managing the MES-2110 CHAPTER 2 Hardware Installation and Connection 2.1 Installation Scenarios 2.2 Desktop Installation Procedure 2.3 Mounting the MES-2110 on a Rack 2.3.1 Rack-mounted Installation Requirements Failure to use the proper screws may damage the unit. 2.3.1.1 Precautions 2.3.2 Attaching the Mounting Brackets to the MES-2110 Figure 7 Attaching the Mounting Brackets Page CHAPTER 3 Hardware Overview 3.1 Front Panel Figure 9 Front Panel 3.1.1 Console Port 3.1.2 Gigabit Ethernet Ports Table 1 Front Panel Connections 3.1.2.1 Default Ethernet Negotiation Settings 3.1.2.2 Auto-crossover 3.1.3 Mini-GBIC Slots To avoid possible eye injury, do not look into an operating fiber- optic modules connectors. 3.1.3.1 Transceiver Installation Figure 10 Transceiver Installation Example Figure 11 Connecting the Fiber Optic Cables 3.1.3.2 Transceiver Removal 3.2 Power Connections Overview 3.2.1 AC Power Connection 3.2.2 DC Power Connection 3.2.3 Powering on the MES-2110 3.3 LEDs Table 2 LED Descriptions Table 2 LED Descriptions (continued) CHAPTER 4 Tutorials 4.1 IGMP Snooping 4.2 RADIUS Configuration Page Page 4.3 MVR Configuration Table 3 MVR Tutorial Values Page Page 4.4 VLAN ID Priority 4.5 Untrusted ARP Inspection Page 4.6 Outgoing Traffic Bandwidth 4.7 Frame Tagging Figure 15 Frame Tagging Example Page Page CHAPTER 5 The Web Configurator 5.1 Introduction 5.2 System Login Page 5.3 The Main Screen A Figure 17 Web Configurator Main Screen Page Chapter 5 The Web Configurator MES-2110 Users Guide 55 The following table lists the various web configurator screens within the sub-links. SYSTEM DETAILS CONFIGURATION MGMT CONFIG SYSTEM Table 5 Web Configurator Screen Sub-links Details RESTART MENU The following table describes the links in the navigation panel. Table 6 Navigation Panel Links LINK DESCRIPTION Chapter 5 The Web Configurator MES-2110 Users Guide 57 Table 6 Navigation Panel Links (continued) LINK DESCRIPTION 5.3.1 Set Up the Administrative Password 5.4 Saving Your Configuration 5.5 Switch Lockout 5.6 Resetting the MES-2110 5.6.1 Reload the Configuration File Figure 19 Resetting the MES-2110: Via the Console Port CHAPTER 6 System Details Chapter 6 System Details 6.3 The Board Information Screen Figure 21 System Details > Board Info. Table 7 System Details > System Info. 6.4 The DHCP Configuration Screen Figure 22 System Details > DHCP Config Table 8 System Details > Board Info. Table 9 System Details > DHCP Config Page CHAPTER 7 Configuration Chapter 7 Configuration The following table describes the labels in this screen. Table 10 Configuration > Port Configuration Note: Due to space limitation, the port name may be truncated in some Web Configurator screens. 7.3 The Port Status Screen Figure 25 Configuration > Port Status Table 10 Configuration > Port Configuration Table 11 Configuration > Port Status 7.4 The RMON Status Screen Figure 26 Configuration > Rmon Status Table 11 Configuration > Port Status (continued) Table 12 Configuration > Rmon Status Chapter 7 Configuration MES-2110 Users Guide 69 Table 12 Configuration > Rmon Status (continued) CHAPTER 8 Loop Detection 8.1 Overview Figure 27 Switch in Loop State AB N 8.2 The Loop Detection Screen Chapter 8 Loop Detection MES-2110 Users Guide 73 The following table describes the labels in this screen. Table 13 Configuration > Loop Detection Page CHAPTER 9 Jumbo Frame 9.1 Overview 9.2 The Jumbo Frame Configuration Screen Figure 30 Configuration > Jumbo Frame Page CHAPTER 10 802.1x 10.1 Overview 10.1.1 IEEE 802.1x Authentication 10.1.2 Guest VLAN 10.2 802.1x Global Configuration Screen Figure 32 Configuration > Global Configuration Table 15 Configuration > Global Configuration 10.3 802.1x Radius Server Configuration Screen Figure 33 Configuration > Radius Server Configuration Table 16 Configuration > Radius Server Configuration 10.4 802.1x Port Configuration Screen Chapter 10 802.1x Table 17 Configuration > Port Configuration (continued) 10.5 802.1x Radius Server Configuration Screen Figure 35 Configuration > 802.1x Status Table 18 Configuration > 802.1x Status 10.6 Technical Reference 10.6.1 RADIUS and TACACS+ 10.6.2 Supported RADIUS Attributes Table 18 Configuration > 802.1x Status (continued) Table 19 RADIUS vs. TACACS+ 10.6.3 Attributes Used for Authentication 10.6.3.1 Attributes Used for Authenticating Privilege Access 10.6.3.2 Attributes Used to Login Users 10.6.3.3 Attributes Used by the IEEE 802.1x Authentication 10.6.4 Attributes Used for Accounting 10.6.4.1 Attributes Used for Accounting System Events 10.6.4.2 Attributes Used for Accounting Exec Events Table 20 RADIUS Attributes - Exec Events via Console Table 21 RADIUS Attributes - Exec Events via Telnet/SSH 10.6.4.3 Attributes Used for Accounting IEEE 802.1x Events The attributes are listed in the following table along with the time of the session they are sent: Table 21 RADIUS Attributes - Exec Events via Telnet/SSH ATTRIBUTE START INTERIM-UPDATE STOP Table 22 RADIUS Attributes-Exec Events via 802.1x Page CHAPTER 11 Bridge 11.1 Overview Note: In this users guide, STP refers to both STP and RSTP. 11.1.1 STP Terminology 11.1.2 How STP Works Table 23 STP Path Costs 11.1.3 STP Port States 11.2 The Bridge Configuration Screen Figure 36 Configuration > Bridge Menu > Bridge Config Table 24 STP Port States Note: The listening state does not exist in RSTP. 11.3 The RSTP System Configuration Screen Figure 37 Configuration > Bridge Menu > RSTP System Config Table 25 Configuration > Bridge Menu > Bridge Config Table 26 Configuration > Bridge Menu > RSTP System Config Note: The listening state does not exist in RSTP. Note: 2 * (Forward Delay - 1) >= Max Age >= 2 * (Hello Time + 1) Table 26 Configuration > Bridge Menu > RSTP System Config 11.4 The Spanning Tree Port Configuration Figure 38 Configuration > Bridge Menu > RSTP Per Port Config Table 27 Configuration > Bridge Menu > RSTP Per Port Config CHAPTER 12 VLAN 12.1 Overview 12.2 Introduction to IEEE 802.1Q Tagged VLANs 12.2.1 Forwarding Tagged and Untagged Frames Table 28 IEEE 802.1Q VLAN Terminology 12.3 The VLAN Type Screen Figure 39 Configuration > VLAN Menu > VLAN Type 12.4 The Port-Based VLAN Screen Table 29 Configuration > VLAN Menu > VLAN Type Figure 40 Configuration > VLAN Menu > Port-Based Table 30 Configuration > VLAN Menu > Port-Based 12.5 The Tag-Based VLAN Screens 12.5.1 VLAN Stacking 12.5.2 VLAN Stacking Example 12.5.3 VLAN Stacking Port Roles 12.5.4 VLAN Tag Format Table 31 VLAN Tag Format 12.5.5 Frame Format Table 32 Single and Double Tagged 802.11Q Frame Format Table 33 802.1Q Frame 12.5.6 The VLAN Stacking Configuration Screen Figure 42 Configuration > VLAN Menu > Tag-Based > VLAN Stacking Table 34 Configuration > VLAN Menu > Tag-Based > VLAN Stacking Chapter 12 VLAN 12.5.7 The Tag-Based Port Information Screen Figure 43 Configuration > VLAN Menu > Tag-Based > Port Info. Table 35 Configuration > VLAN Menu > Tag-Based > Port Info. 12.5.8 The Tag-Based Port Configuration Screen Figure 44 Configuration > VLAN Menu > Tag-Based > Tag-Based info. Table 35 Configuration > VLAN Menu > Tag-Based > Port Info. Table 36 Configuration > VLAN Menu > Tag-Based > Tag-Based info. Chapter 12 VLAN 12.5.9 The Management VLAN Screen Table 36 Configuration > VLAN Menu > Tag-Based > Tag-Based info. Figure 45 Configuration > VLAN Menu > Tag-Based > Management VLAN Table 37 Configuration > VLAN Menu > Tag-Based > Management VLAN CHAPTER 13 Bandwidth Control Chapter 13 Bandwidth Control The following table describes the related labels in this screen. Table 38 Configuration > Bandwidth Control CHAPTER 14 Broadcast Storm Control Figure 47 Configuration > Storm Control 14.1 Overview 14.2 Broadcast Storm Control Setup Table 39 Configuration > Storm Control CHAPTER 15 Port Mirroring Figure 48 Configuration > Port Mirroring 15.1 Overview 15.2 Port Mirroring Setup Table 40 Configuration > Port Mirroring CHAPTER 16 Link Aggregation 16.1 Overview 16.2 Dynamic Link Aggregation 16.2.1 Link Aggregation ID 16.3 Static Trunking Example Figure 49 Trunking Example - Physical Connections B A Table 41 Link Aggregation ID: Local Switch 16.4 Link Aggregation Setting Figure 51 Configuration > Trunk Config > Aggregator Setting 16.5 Link Aggregation Control Protocol Figure 52 Configuration > Trunk Config > LACP Configuration Table 43 Configuration > Trunk Config > Aggregator Setting Table 44 Configuration > Trunk Config > LACP Configuration 16.6 LACP Link Status Figure 53 Configuration > Trunk Config > LACP Link Status Table 44 Configuration > Trunk Config > LACP Configuration (continued) Table 45 Configuration > Trunk Config > LACP Link Status Page CHAPTER 17 IGMP 17.1 Overview 17.1.1 IP Multicast Addresses 17.1.2 IGMP Snooping 17.2 IGMP Configuration Figure 54 Configuration > IGMP Menu > IGMP Config Table 46 Configuration > IGMP Menu > IGMP Config 17.2.1 IGMP VLAN Query Mode Figure 55 Configuration > IGMP Menu > IGMP VLAN Query Mode Table 46 Configuration > IGMP Menu > IGMP Config Table 47 Configuration > IGMP Menu > IGMP VLAN Query Mode 17.3 IGMP Status Figure 56 Configuration > IGMP Menu > IGMP Group Status 17.4 MVR Overview Table 47 Configuration > IGMP Menu > IGMP VLAN Query Mode (continued) Table 48 Configuration > IGMP Menu > IGMP Group Status 17.4.1 Types of MVR Ports 17.4.2 MVR Modes 17.4.3 How MVR Works Figure 58 MVR Multicast Television Example 17.5 General MVR Configuration Note: You can create up to three multicast VLANs and up to 256 multicast rules on the MES-2110. Page Chapter 17 IGMP MES-2110 Users Guide 131 17.6 MVR Group Configuration Table 49 Configuration > IGMP Menu > MVR (continued) Table 50 Configuration > IGMP Menu > MVR > Group Configuration Page Page Page Page CHAPTER 18 DHCP Relay Configuration 18.1 Overview 18.1.1 DHCP Relay Agent Information Table 51 Relay Agent Information 18.2 DHCP Relay Configuration Figure 65 Configuration > DHCP Relay Configuration Table 51 Relay Agent Information Table 52 Configuration > DHCP Relay Configuration Chapter 18 DHCP Relay Configuration Table 52 Configuration > DHCP Relay Configuration (continued) Page CHAPTER 19 IP Source Guard 19.1 Overview 19.1.1 DHCP Snooping Overview 19.1.1.1 Trusted vs. Untrusted Ports Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not succeed. 19.1.1.2 DHCP Snooping Static Binding Table 19.1.1.3 Configuring DHCP Snooping 19.2 DHCP Snooping Configuration Chapter 19 IP Source Guard Table 53 Configuration > IP Source Guard > DHCP > DHCP Snooping Configuration Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not succeed. 19.3 DHCP Binding Table Table 53 Configuration > IP Source Guard > DHCP > DHCP Snooping Configuration (continued) Figure 67 Configuration > DHCP Snooping > DHCP Binding Table Table 54 Configuration > DHCP Snooping > DHCP Binding Table 19.4 The ARP Inspection Screen AXB Figure 68 Example: Man-in-the-middle Attack 19.4.1 Configuring ARP Inspection Figure 69 Configuration > ARP Inspection Table 55 Configuration > ARP Inspection Chapter 19 IP Source Guard MES-2110 Users Guide 149 Page CHAPTER 20 MAC 20.1 Overview 20.2 The MAC Table Status Screen 20.3 The Lock MAC Address Learning Screen Figure 72 Configuration > MAC Menu > Lock Learning MAC Table 56 Configuration > MAC Menu > MAC Table Status 20.4 The MAC Filter Configuration Screen Figure 73 Configuration > MAC Menu > MAC Filter Config Table 57 Configuration > MAC Menu > Lock Learning MAC Chapter 20 MAC MES-2110 Users Guide 155 Table 58 Configuration > MAC Menu > MAC Filter Config 20.5 The MAC Limit Configuration Screen Figure 74 Configuration > MAC Menu > MAC Limit Config Table 59 Configuration > MAC Menu > MAC Limit Config CHAPTER 21 QoS 21.1 Overview 21.2 The QoS Base Configuration Screen All High Before Low Queuing 21.2.1 Configuring the Base Configuration Screen Figure 75 Configuration > QoS Menu > Base Configuration Table 60 Configuration > QoS Menu > Base Configuration Chapter 21 QoS MES-2110 Users Guide 159 21.3 The 802.1p Priority Table Figure 76 Configuration > QoS Menu > 802.1p Priority Table 61 Configuration > QoS Menu > 802.1p Priority 21.4 The Tag Priority Table Figure 77 Configuration > QoS Menu > Tag Priority 21.5 The IP DSCP Priority Table Table 62 Configuration > QoS Menu > Tag Priority Figure 78 Configuration > QoS Menu > IP DSCP Priority Table 63 Configuration > QoS Menu > IP DSCP Priority 21.6 The Priority Override Configuration Screen Figure 79 Configuration > QoS Menu > Priority Override Configuration Table 64 Configuration > QoS Menu > Priority Override Configuration CHAPTER 22 Mgmt Config and System Restart Menu 22.1 Overview 22.2 The Serial Port Configuration Screen Figure 80 Mgmt Config > Serial Port Config 22.3 The SNMP Configuration Screens Figure 81 SNMP Management Model 22.3.1 The SNMP Communities Screen Figure 82 Mgmt Config > SNMP Config > SNMP Communities 22.3.2 The IP Trap Manager Screen Table 65 SNMP Commands Table 66 Mgmt Config > SNMP Config > SNMP Communities 22.4 The SNTP Screen Table 67 Mgmt Config > SNMP Config > IP Trap Manager Chapter 22 Mgmt Config and System Restart Menu MES-2110 Users Guide 169 Click Mgmt Config > SNTP to open the following screen. Figure 84 Mgmt Config > SNTP The following table describes the labels in this screen. Table 68 Mgmt Config > SNTP 22.5 Alarms and Logs Figure 85 Mgmt Config > Email Alarm & SYSLog Config Table 68 Mgmt Config > SNTP Table 69 Mgmt Config > Email Alarm & SYSLog Config 22.6 The User Configuration Screen 22.7 The Cable Test Screen Figure 87 Mgmt Config > Host Denial-of-Service Protection Table 71 Mgmt Config > Host Denial-of-Service Protection 22.8 The Host DoS Protection Figure 88 Mgmt Config > Host Denial-of-Service Protection Table 71 Mgmt Config > Host Denial-of-Service Protection Table 72 Mgmt Config > Host Denial-of-Service Protection 22.9 The Port Abnormal Traffic Detection Screen Figure 89 Mgmt Config > Port Abnormal Traffic Detection Table 73 Mgmt Config > Port Abnormal Traffic Detection 22.10 Upgrading the Firmware Table 73 Mgmt Config > Port Abnormal Traffic Detection Figure 90 Mgmt Config > Firmware Download 22.11 Managing the Configuration File Figure 91 Mgmt Config > Configuration File Page CHAPTER 23 Command Line Interface 23.1 Overview 23.1.1 Console Port Management 23.1.2 Logging in 23.1.3 Using Shortcuts and Getting Help 23.2 Saving Changes Table 74 CLI Shortcuts and Help yz 23.3 Logging Out 23.4 Command Modes Table 75 Exit Command Table 76 Basic Commands 23.5 Basic Commands Table 77 Basic Commands Chapter 23 Command Line Interface MES-2110 Users Guide 183 23.6 Privileged Command Mode config status +n show rmon port +1 all rmon port +1+2+6 Chapter 23 Command Line Interface MES-2110 Users Guide 185 begin end 23.7 Configuration Mode Table 79 Basic Commands Chapter 23 Command Line Interface MES-2110 Users Guide 187 0 10~3600 remote-id ip-address Page Page Page Chapter 23 Command Line Interface MES-2110 Users Guide 191 cr range Note: You cannot change the devices IP address over Telnet. tpid Note: Only for SNMP v2c or lower. 23.7.1 IGMP Snooping Example 23.7.2 RADIUS Configuration Example 23.8 MVR Mode Note: These commands only apply to the MVR ID specified when you enter MVR- Configuration mode. Table 81 MVR-Configuration Mode Commands Note: You must be in Configuration mode for this command to work. 23.8.1 MVR Command Example Table 81 MVR-Configuration Mode Commands 23.9 VLAN Mode Note: These commands only apply to the VLAN ID specified when you enter VLAN Configuration mode. Table 82 VLAN Mode Commands 23.9.1 VLAN ID Priority Example 23.10 Interface Mode Page fallback check secure string Chapter 23 Command Line Interface MES-2110 Users Guide 201 default tag ip ip&tag Page Chapter 23 Command Line Interface MES-2110 Users Guide 203 23.10.1 Untrusted ARP Inspection Example This example sets the outgoing traffic bandwidth limit to 1 Mbps for port 2. 23.10.2 Outgoing Traffic Bandwidth Limit Example 23.10.3 Frame Tagging Examples Figure 93 Frame Tagging Example Page Page CHAPTER 24 Troubleshooting 24.1 Power, Hardware Connections, and LEDs The MES-2110 does not turn on. None of the LEDs turn on. The ALM LED is on. 24.2 MES-2110 Access and Login I forgot the IP address for the MES-2110. I forgot the username and/or password. I cannot see or access the Login screen in the Web Configurator. I can see the Login screen, but I cannot log in to the MES-2110. Pop-up Windows, JavaScript and Java Permissions 24.3 MES-2110 Configuration and Console Im trying to configure MVR but I get an error message. I applied changes in the Web Configurator but they are not taking effect. Page Page Page MES-2110 Users Guide 215 CHAPTER 25 Product Specifications The following tables summarize the MES-2110s hardware and firmware features. Table 84 Hardware Specifications SPECIFICATION DESCRIPTION Table 85 Firmware Specifications FEATURE DESCRIPTION Chapter 25 Product Specifications MES-2110 Users Guide 217 Note: Only upload firmware for your specific model! Table 85 Firmware Specifications FEATURE DESCRIPTION The following list, which is not exhaustive, illustrates the standards supported in the MES-2110. Table 86 Standards Supported STANDARD DESCRIPTION APPENDIX A Changing a Fuse Removing a Fuse Installing a Fuse Page APPENDIX B Common Services Table 87 Commonly Used Services Page Table 87 Commonly Used Services (continued) APPENDIX C Legal Information Copyright Disclaimer Trademarks Page Viewing Certifications ZyXEL Limited Warranty Note Registration Page Index A B C D G H I J L N P Q R S U V W