xStack® DGS-3600 Series Layer 3 Managed Gigabit Ethernet Switch
Figure 7-10. IMPB Port Settings window
The following fields can be set or modified:
Parameter Description
Unit
Choose the Switch ID number of the Switch in the switch stack to be modified.
From/To
Select a port or range of ports to set for IP-MAC-port binding.
State
Use the pull-down menu to enable or disable these ports for IP-MAC-port binding. The choices are:
Enabled (Strict) – This state provides a stricter method of control. If the user selects this mode, all packets are blocked by the Switch by default. The Switch will compare all incoming ARP and IP Packets and attempt to match them against the IMPB white list. If the IP-MAC pair matches the white list entry, the packets from that MAC address are unblocked. If not, the MAC address will stay blocked. While the Strict state uses more CPU resources from checking every incoming ARP and IP packet, it enforces better security and is thus the recommended setting.
Enabled (Loose) – This mode provides a looser way of control. If the user selects loose mode, the Switch will forward all packets by default. However, it will still inspect incoming ARP packets and compare them with the Switch’s IMPB white list entries. If the IP-MAC pair of a packet is not found in the white list, the Switch will block the MAC address. A major benefit of Loose state is that it uses less CPU resources because the Switch only checks incoming ARP packets. However, it also means that Loose state cannot block users who send only unicast IP packets. An example of this is that a malicious user can perform DoS attacks by statically configuring the ARP table on their PC. In this case, the Switch cannot block such attacks because the PC will not send out ARP packets.
Enabled (IPv6) – Enable the IPv6 packet checking. All packets are dropped by default until a legal IP packet is detected.
Enabled (All) – Enable both IPv6 and IPv4 packet checking. All packets are dropped by default
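The difference between the Strict and Loose states described above, modelled as an added example (this is not D-Link code or the Switch's actual firmware logic). The addresses, the `simulate` function and the choice to re-block a MAC on any mismatch are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    kind: str     # "arp" or "ip"
    src_ip: str
    src_mac: str


def simulate(mode, whitelist, packets):
    """Model one IMPB-enabled port in "strict" or "loose" state.

    Returns (verdicts, inspected): a "forward"/"drop" verdict per packet and
    the number of packets compared against the white list (a CPU-cost proxy).
    """
    default_blocked = mode == "strict"   # Strict blocks by default, Loose forwards
    blocked = {}                         # MAC -> bool, overrides the default
    verdicts, inspected = [], 0
    for p in packets:
        # Strict checks every ARP and IP packet; Loose checks ARP only.
        if mode == "strict" or p.kind == "arp":
            inspected += 1
            if (p.src_ip, p.src_mac) not in whitelist:
                blocked[p.src_mac] = True    # assumption: a mismatch (re)blocks the MAC
            elif mode == "strict":
                blocked[p.src_mac] = False   # matching pair unblocks the MAC
        verdicts.append("drop" if blocked.get(p.src_mac, default_blocked) else "forward")
    return verdicts, inspected


# Constructed sample data (documentation address ranges, not from the manual).
WHITELIST = {("192.0.2.10", "00:00:5e:00:53:01")}
TRAFFIC = [
    Packet("arp", "192.0.2.10", "00:00:5e:00:53:01"),  # bound host resolves gateway
    Packet("ip",  "192.0.2.10", "00:00:5e:00:53:01"),
    Packet("ip",  "192.0.2.66", "00:00:5e:00:53:66"),  # unbound host, static ARP table:
    Packet("ip",  "192.0.2.66", "00:00:5e:00:53:66"),  # it never sends an ARP packet
    Packet("arp", "192.0.2.77", "00:00:5e:00:53:77"),  # unbound host that does ARP
    Packet("ip",  "192.0.2.77", "00:00:5e:00:53:77"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        verdicts, inspected = simulate(mode, WHITELIST, TRAFFIC)
        print(f"{mode:6} inspected={inspected} verdicts={verdicts}")
```

In the model, Loose state inspects only the two ARP packets and forwards the unbound host that never sends ARP, while Strict state inspects all six packets and drops it.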