ARP Inspection Screen, 147 | ZyXEL Communications MES-2110 specification

Chapter 19 IP Source Guard

19.4 The ARP Inspection Screen

Use ARP inspection to filter unauthorized ARP frames on the network. This can prevent many kinds of man-in-the-middle attacks, such as the one in the following example.

Figure 68 Example: Man-in-the-middle Attack

AB

X

In this example, computer B tries to establish a connection with computer A. Computer X is in the same broadcast domain as computer A and intercepts the ARP request for computer A. Then, computer X does the following things:

•It pretends to be computer A and responds to computer B.

•It pretends to be computer B and sends a message to computer A.

As a result, all the communication between computer A and computer B passes through computer X. Computer X can read and alter the information passed between them.

19.4.1 Configuring ARP Inspection

Follow these steps to configure ARP inspection on the MES-2110.

1Configure DHCP snooping. See Section 19.1.1.3 on page 142.

Note: It is recommended you enable DHCP snooping at least one day before you enable ARP inspection so that the MES-2110 has enough time to build the binding table.

2Enable ARP inspection on the MES-2110. See Section 19.4 on page 147 for more details about turning on this feature.

MES-2110 User’s Guide

147

Image 147

ZyXEL Communications MES-2110 manual ARP Inspection Screen, Configuring ARP Inspection, 147

Contents

MES-2110 Page Intended Audience About This Users Guide Customer Support Syntax Conventions Document Conventions Telephone Router MES-2110 Computer ServerDslam Firewall Safety Warnings Safety Warnings MES-2110 User’s Guide Contents Overview Contents Overview MES-2110 User’s Guide Table of Contents Chapter System Details 10.1 Igmp 137 Chapter Command Line Interface 179 Index 229 Table of Contents MES-2110 User’s Guide Introduction OverviewBackbone Application Backbone Application Bridging Example Ieee 802.1Q Vlan Application Examples High Performance Switching Example Metro Ethernet Shared Server Using Vlan Example Metro Ethernet Ways to Manage the MES-2110 Good Habits for Managing the MES-2110 Hardware Installation and Connection Installation ScenariosDesktop Installation Procedure Mounting the MES-2110 on a Rack Rack-mounted Installation Requirements Attaching the Mounting Brackets Attaching the Mounting Brackets to the MES-2110 Mounting the MES-2110 on a Rack Mounting the MES-2110 on a Rack Front Panel Hardware Overview Label Description Console PortGigabit Ethernet Ports Front Panel Connections Mini-GBIC Slots Default Ethernet Negotiation Settings Transceiver Installation Removing the Fiber Optic Cables Power Connections Overview DC Power Connection AC Power Connection LED Color Statu Description Powering on the MES-2110LEDs LED Descriptions Mbps Ethernet network Green Blinking Igmp Snooping Tutorials Set Igmp Query Mode to Auto Radius Configuration Tutorials Tutorials Based802.1q before proceeding MVR ConfigurationSetting Value MVR Tutorial Values Open the Configuration Igmp Menu MVR screen Tutorials Vlan ID Priority For Pri-Overide, select Enable Untrusted ARP Inspection Set Action to Enable and Dhcp Snooping Vlan Mode to All-VLAN Outgoing Traffic Bandwidth Frame Tagging Example Frame Tagging To configure frame tagging Tutorials MES-2110 User’s Guide Web Configurator System LoginIntroduction Web Configurator Login Main Screen Web Configurator Main Screen Navigation Panel Sub-links Overview System Details Configuration Mgmt Config System Restart Menu Sntp Web Configurator Screen Sub-links DetailsSystem Details Configuration Mgmt Config Restart Menu Snmp Navigation Panel Links Link DescriptionDhcp ARP Saving Your Configuration Set Up the Administrative PasswordMade on the MES-2110 and restart the MES-2110 Switch Lockout Resetting the MES-2110Reload the Configuration File Resetting the MES-2110 Via the Console Port System Information Screen System Details Board Information Screen Undo Click this to restore your last saved settings Apply Dhcp Configuration ScreenAddress, subnet mask and a default gateway IP address IP address from a Dhcp server if Dhcp client is enabled System Details Dhcp Config Apply Port Configuration Screen Configuration Auto Truncated in some Web Configurator screens Manage the MES-2110 via that port Duplex This indicates the port’s duplex mode Half or FullDisabled Port Status Screen This shows whether auto-negotiation is On or Off Rmon Status Screen RX+TX Configuration Rmon Status Loop Detection Switch in Loop State Loop detection Probe Frame Loop Detection Screen Down this port Snmp traps when it shuts down a port via the loop detectionFeature Enabled, the MES-2110 sends probe frames from this port to Loop Detection MES-2110 User’s Guide Jumbo Frame Configuration Screen Jumbo FrameFrame Size Jumbo Frame MES-2110 User’s Guide 802.1x Ieee 802.1x Authentication Guest Vlan Ieee 802.1x Authentication Process 10.2 802.1x Global Configuration Screen Port Number 1812 Server 10.3 802.1x Radius Server Configuration ScreenMES-2110. The key is not sent over the network Server UDP Before configuring it on each port 10.4 802.1x Port Configuration Screen Guest Vlan Reauthenticat Clients for port access 10.5 802.1x Radius Server Configuration Screen Radius vs. TACACS+ Technical ReferenceRadius and TACACS+ Supported Radius Attributes Attributes Used for Authenticating Privilege Access Attributes Used for Authentication Radius Attributes Exec Events via Telnet/SSH Attribute Start INTERIM-UPDATE StopAttributes Used for Accounting Radius Attributes Exec Events via Console Radius Attributes-Exec Events via Attributes Used for Accounting Ieee 802.1x Events 802.1x MES-2110 User’s Guide Link Recommended Allowed Speed Value Range BridgeSTP Terminology STP Path Costs Path 16Mbps 40 to Cost 100Mbps 10 to 1Gbps 10Gbps How STP Works Port Description State Bridge Configuration ScreenSTP Port States STP Port States Tunnel port receives Bridge Protocol Data Units Bpdu Rstp System Configuration ScreenAre done configuring You select Rstp 802.1W in the Ring Protocol field List box Same priority, the switch with the lowest MAC address willDetermines Hello Time, Max Age and Forwarding Delay Root Bridge Information Network. The allowed range is 6 to 40 seconds Allowed range is 4 to 30 secondsAs a general rule Selected from among the MES-2110 ports attached to Spanning Tree Port Configuration 255 and the default value isCost 1~65535 Enter the port’s path cost P2P CFI Vlan ID Introduction to Ieee 802.1Q Tagged VLANsTpid User Priority Vlan Forwarding Tagged and Untagged FramesIeee 802.1Q Vlan Terminology Vlan Term Description Parameter Vlan Type Screen Port-Based Vlan ScreenVlan Type Use this to set the MES-2110 to Port-Based or Tag Connected to this port Port-Based Vlan ConfigurationThen you cannot access the web configurator from a computer 100 101 Tag-Based Vlan ScreensVlan Stacking Vlan Stacking Example 102 Vlan Stacking Port Roles Type Priority Vlan Tag Format103 Vlan Tag Format 802.1Q Frame Frame Format104 Single and Double Tagged 802.11Q Frame Format Vlan Stacking Configuration Screen 105SP Tpid Spvid 106 Tag-Based Port Information Screen 107Pvid Select whether you want to Add or Modify a Vlan ID Tag-Based Port Configuration ScreenEnter the Vlan ID from 1-4094 that you want to configure 108 109 Management Vlan Screen Unless your current access belongs to the new Vlan 110Management Vlan This is the current management Vlan Bandwidth Control Setup Bandwidth Control111 112 Broadcast Storm Control Setup Broadcast Storm Control113 Storm Control Configuration 114Storm Control Status Port Mirroring Setup Port Mirroring115 Volatile memory when you are done configuring 116Select the monitor port number from the list Link Aggregation Dynamic Link Aggregation117 Link Aggregation ID Link Aggregation ID Local SwitchLink Aggregation ID Peer Switch Static Trunking Example 119 Link Aggregation Setting Link Aggregation Control Protocol 120Lacp Lacp Link Status 121MAC 122 IP Multicast Addresses Igmp Snooping123 Igmp Configuration Igmp Snooping and VLANs124 Igmp Vlan 125 126 Igmp Vlan Query Mode Igmp Status MVR Overview127 Types of MVR Ports MVR ModesHow MVR Works 128 129 General MVR Configuration Disable to turn this feature off 130Select Dynamic to send Igmp reports to all MVR source ports 131 MVR Group Configuration MVR Group Status Group Configuration132 Drop-down list box 133 MVR Configuration Example 134 135 MVR Group Configuration Example 136 Relay Agent Information Dhcp Relay ConfigurationDhcp Relay Agent Information 137 To a Dhcp server Dhcp Relay Configuration138 Bytes This is the Vlan that the port belongs to Option82 Information 139 140 141 IP Source Guard 142 Dhcp Snooping Overview 143 Dhcp Snooping Configuration Dhcp requests will not succeed 144 Mode VLANs or specific VLANs to Dhcp servers Dhcp Snooping Dhcp Binding Table145 Ddhhmm 146 Configuring ARP Inspection ARP Inspection Screen147 Addresses permanently 148 149 150 151 MAC 152 MAC Table Status Screen 153 Undo Click this to load your last saved settings ApplyMES-2110 or static manually configured Lock MAC Address Learning Screen To activate MAC address learning on the port MAC Filter Configuration Screen154 Port This is the port number Lock 155 Aged out. MAC address aging out time can be set in the MAC MAC Limit Configuration ScreenAddresses may access port 2 at any one time. a sixth device 156 QoS Base Configuration Screen QoS157 158 Configuring the Base Configuration Screen 159 160 802.1p Priority Table Number This is the Ieee 802.1p priority level Priority Tag Priority TableIP Dscp Priority Table 161 162 Configuration QoS Menu IP Dscp Priority 163 Priority Override Configuration Screen 164 Mgmt Config and System Restart Menu Serial Port Configuration Screen165 166 Snmp Configuration Screens IP Trap Manager Screen Snmp CommandsCommand Description Snmp Communities Screen Sntp Screen 168Traps to 169 170 Alarms and Logs Syslog 171 172 User Configuration ScreenCharacters using characters found on a standard keyboard User Password Cable Test Screen 173PHY RX/TX Host DoS Protection 174Test Port Abnormal Traffic Detection Screen 175Fields below 176 Upgrading the Firmware 177 Managing the Configuration File 178 Restarting the System Logging Command Line InterfaceSetting Default Value Console Port Management 180 Using Shortcuts and Getting HelpCommand / Keys Description Saving Changes Logging Out Command ModesExit Command Basic Commands 182 Basic Commands Privileged Command Mode Privileged Commands183 184 Permanently save any changes you Make while using the MES-2110Command line interface 185 Ancillary Trigger Description Configuration ModeConfiguration Mode Commands 186 187 188 189 190 Address over Telnet 191 192 193 Igmp Snooping Example 194 Radius Configuration Example 195 MVR ModeMVR-Configuration Mode Commands This command to work 196 MVR Command Example Vlan Mode Vlan Mode Commands197 Interface Mode Vlan ID Priority Example198 199 Interface Mode Commands 200 201 Second tag to pass through it 202Port, the port must allow frames Bytes 1522 bytes + 4 bytes for 203 Sets the service provider Vlan ID of the current PortsUntrusted ARP Inspection Example Outgoing Traffic Bandwidth Limit Example 204 Frame Tagging Examples 205 206 Troubleshooting Power, Hardware Connections, and LEDs207 208 MES-2110 Access and Login Advanced Suggestions 209 Pop-up Windows, JavaScript and Java Permissions 210 211 MES-2110 Configuration and Console 212 My changes in the Web Configurator keep getting overwritten 213 214 215 Product SpecificationsHardware Specifications Specification Description Firmware Specifications Feature Description216 217 218 Standards SupportedStandard Description Installing a Fuse Removing a Fuse219 220 221 Common Services Commonly Used Services 222Name Protocol Ports Description 223 224 Copyright Certifications225 FCC Warning CE Mark Warning 226 227 ZyXEL Limited Warranty 228 229 Index 230 TACACS+ MVR 127 configurationPassword 58 path cost 89, 93 port authentication 231 232 Weighted round robin scheduling