xStack® DGS-3600 Series Layer 3 Managed Gigabit Ethernet Switch
until a legal IP packet is detected.
Enabled (IPv6) - Enable the IPv6 packet checking in strict mode. All packets are dropped by default until a legal IP packet is detected.
Enabled (All) - Enable both IPv6 and IPv4 packet checking in strict mode. All packets are dropped by default until a legal IP packet is detected.
Enabled (Loose+IPv6) - Enable IPv6 packet checking. All packets are dropped by default until a legal IP packet is detected.
Enabled (Loose+All) - Enable both IPv6 and IPv4 packet checking. All packets are dropped by default until a legal IP packet is detected.
Disabled - Disable the IPv4 packet checking.
Disabled (IPv6) - Disable the IPv6 packet checking.
Disabled (All) - Disable both IPv4 and IPv6 packet checking.
Allow Zero IP
Use the pull-down menu to enable or disable this feature. Once Enabled, the Switch will allow ARP packets with a Source IP of 0.0.0.0 to pass through.
This is useful in some scenarios when a client (for example, a wireless Access Point) sends out an ARP request packet before accepting the IP address from a DHCP server. In this case, the ARP request packet sent out from the client will contain a Source IP of 0.0.0.0. The Switch will need to allow such packets to pass, or else the client cannot detect whether another host on the network already uses the same (duplicate) IP address.
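The following Python model is an added illustration of the behaviour described above; it is not D-Link firmware or documentation. The Ethernet/ARP frame layout is standard, while the binding table, the `ImpbPort` class and the sample addresses are constructed assumptions. It parses a raw ARP frame, checks the sender IP/MAC against the port's bindings, and shows how the Allow Zero IP option changes the verdict for a 0.0.0.0 sender (the address-probe case of a client that has not yet accepted a DHCP lease):

```python
"""Model of an IMPB ARP check with the Allow Zero IP option.

Added example, not switch firmware: the binding table and port class are
constructed assumptions; only the Ethernet/ARP wire format is real.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP = 0x0806
ZERO_IP = "0.0.0.0"


@dataclass(frozen=True)
class ArpHeader:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> Optional[ArpHeader]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpHeader(
        opcode=opcode,
        sender_mac=mac_str(frame[22:28]),
        sender_ip=ip_str(frame[28:32]),
        target_ip=ip_str(frame[38:42]),       # target MAC at 32:38 is not needed here
    )


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast ARP frame for testing (constructed input, not captured traffic)."""
    src = bytes.fromhex(sender_mac.replace(":", ""))
    eth = bytes.fromhex("ffffffffffff") + src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += src + bytes(int(o) for o in sender_ip.split("."))
    arp += bytes(6) + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


class ImpbPort:
    """One IMPB-enabled port with a static (ip, mac) -> port binding table (assumed model)."""

    def __init__(self, port: int, bindings, allow_zero_ip: bool = False):
        self.port = port
        self.bindings = {(ip, mac): p for ip, mac, p in bindings}
        self.allow_zero_ip = allow_zero_ip

    def check_arp(self, frame: bytes) -> str:
        """Return 'forward' or 'drop' for an ARP frame received on this port ('not-arp' otherwise)."""
        hdr = parse_arp_frame(frame)
        if hdr is None:
            return "not-arp"
        # A 0.0.0.0 sender cannot match any binding; only Allow Zero IP lets it through.
        if hdr.sender_ip == ZERO_IP:
            return "forward" if self.allow_zero_ip else "drop"
        # Legal host: the (ip, mac) pair is bound to this very port.
        if self.bindings.get((hdr.sender_ip, hdr.sender_mac)) == self.port:
            return "forward"
        return "drop"


if __name__ == "__main__":
    bindings = [("192.0.2.10", "00:11:22:33:44:55", 1)]     # constructed binding
    probe = build_arp_frame(1, "00:11:22:33:44:55", ZERO_IP, "192.0.2.10")
    print("strict port:", ImpbPort(1, bindings).check_arp(probe))
    print("allow zero ip:", ImpbPort(1, bindings, allow_zero_ip=True).check_arp(probe))
```

With Allow Zero IP disabled the probe is dropped even though the MAC is bound, so a client doing duplicate-address detection before accepting its lease never sees a reply; enabling the option forwards only frames whose sender IP is exactly 0.0.0.0, and a spoofed non-zero sender IP is still dropped by the binding check.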
Forward DHCP PKT
By default, the Switch will forward all DHCP packets. However, if the port state is set to Strict, all DHCP packets will be dropped. In that case, select Enabled so that the port will forward DHCP packets even under Strict state. Enabling this feature also ensures that DHCP snooping works properly.
Mode
ARP - ARP mode is the default mode that applies to IMPB enabled ports. In ARP mode, if the Switch identifies the host as legal, the host's MAC will be programmed into the L2 FDB with the action allowed; otherwise the host's MAC will be programmed into the L2 FDB with the action drop. ARP mode security access control is based on the Layer 2 MAC address.
ACL - ACL mode provides strict security for IP level traffic. If ACL mode is enabled, the statically configured IMPB entries with ACL mode will be applied to the hardware ACL table. If ACL mode is disabled, the ACL entries will be removed from the hardware ACL table.
Stop Learning Threshold (0-500)
Whenever a MAC address is blocked by the Switch, it will be recorded in the Switch's L2 Forwarding Database (FDB) and associated with a particular port. To prevent the Switch FDB from overloading in case of an ARP DoS attack, the administrator can configure the threshold at which a port should stop learning illegal MAC addresses.
Enter a Stop Learning threshold between 0 and 500. Entering 500 means the port will enter the Stop Learning state after 500 illegal MAC entries and will not allow additional MAC entries, whether legal or illegal, to be learned on this port. In the Stop Learning state, the port will also automatically purge all blocked MAC entries on this port. Traffic from legal MAC entries already learned is still forwarded.
Entering 0 means no limit has been set and the port will keep learning illegal MAC addresses.
Recover Learning
Use the Normal check box to recover learning. This feature can only be applied when a port is already in the Stop Learning state. Tick to recover the port back to normal state, under which the port will start learning both illegal and legal MAC addresses again.
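The following Python model is an added illustration of the Mode (ARP), Stop Learning Threshold and Recover Learning descriptions above; it is not switch firmware, and the FDB dictionary, the `ImpbLearningPort` class, the legal-MAC set and the sample addresses are constructed assumptions. It programs each seen MAC into a per-port FDB as allowed or drop, counts illegal entries against the threshold, purges the blocked entries and refuses all new learning on entering Stop Learning, and clears that state only through an explicit recover action:

```python
"""Model of IMPB ARP-mode learning with a Stop Learning threshold.

Added example, not switch firmware: the FDB, legality test and state
machine are simplified assumptions based on the manual's description.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable

ALLOWED = "allowed"
DROP = "drop"


@dataclass
class PortState:
    threshold: int                                      # 0 means no limit
    fdb: Dict[str, str] = field(default_factory=dict)   # mac -> ALLOWED | DROP
    stop_learning: bool = False
    illegal_seen: int = 0                               # illegal entries learned since last recover


class ImpbLearningPort:
    """One IMPB-enabled port in ARP mode (assumed model)."""

    def __init__(self, legal_macs: Iterable[str], threshold: int):
        if not 0 <= threshold <= 500:
            raise ValueError("Stop Learning threshold must be between 0 and 500")
        self.legal = set(legal_macs)        # hosts with a valid IP-MAC-port binding
        self.state = PortState(threshold)

    def learn(self, mac: str) -> str:
        """Handle a frame from `mac`; returns 'forward' or 'drop'."""
        st = self.state
        if mac in st.fdb:                   # already programmed: act on the stored entry
            return "forward" if st.fdb[mac] == ALLOWED else "drop"
        if st.stop_learning:                # no new entries, legal or illegal, are learned
            return "drop"
        if mac in self.legal:
            st.fdb[mac] = ALLOWED           # legal host -> FDB entry with action allowed
            return "forward"
        st.fdb[mac] = DROP                  # illegal host -> FDB entry with action drop
        st.illegal_seen += 1
        if st.threshold and st.illegal_seen >= st.threshold:
            self._enter_stop_learning()
        return "drop"

    def _enter_stop_learning(self) -> None:
        st = self.state
        st.stop_learning = True
        # Purge all blocked entries on this port; allowed entries keep forwarding.
        st.fdb = {m: a for m, a in st.fdb.items() if a == ALLOWED}

    def recover_learning(self) -> None:
        """The 'Normal' check box: only meaningful while in Stop Learning."""
        if not self.state.stop_learning:
            raise RuntimeError("port is not in the Stop Learning state")
        self.state.stop_learning = False
        self.state.illegal_seen = 0

    def blocked_count(self) -> int:
        return sum(1 for a in self.state.fdb.values() if a == DROP)


if __name__ == "__main__":
    port = ImpbLearningPort(["00:11:22:33:44:55"], threshold=3)   # constructed values
    port.learn("00:11:22:33:44:55")
    for i in range(3):                      # three unbound MACs trip the threshold
        port.learn(f"de:ad:be:ef:00:{i:02x}")
    print("stop learning:", port.state.stop_learning, "blocked entries:", port.blocked_count())
```

A small threshold is used so the transition is visible; the FDB never holds more than `threshold` drop entries at once, which is the overload protection the setting exists for, and with threshold 0 the blocked entries simply accumulate.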
Max Entry (1-50)
Enter the maximum number of IP-MAC-port binding dynamic entries. By default, the per-port maximum dynamic entry is "No Limit." The maximum dynamic entry threshold is from 1 to 50.
Tick the No Limit check box to allow no limit. This setting is only for DHCP snooping for IPv4. ND snooping and DHCP snooping for IPv6 are not supported.