Acl Mode - D-Link xStack DGS-3200-10 User Manual

xStack

ACL Mode

In ACL Mode, a switch performs IP Packet Inspection in addition to ARP Packet Inspection. Essentially, ACL rules will be used
to permit statically configured IMPB entries and deny other IP packets with the incorrect IP-MAC pairs. The distinct advantage of
ACL Mode is that it ensures better security by ch ecking both ARP Packets and IP Packets. However, doing so requires the use of
ACL rules. ACL Mode can be viewed as an enhanced version of ARP Mode because ARP Mode is enabled by default when ACL
Mode is selected.
Strict and Loose State
Other than ACL and ARP mode, users can also configure the state on a port for granular control. There are two states, Strict an d
Loose, and only one state can be selected per port. If a port is set to Stric t state, all packet s sent to the port are denied (dropped)
by default. The switch will c ontinuously compare all IP a nd ARP packets it receives on that port with its IMPB entries. If the IP-
MAC pair in the packet matches the IMPB entry, the MAC address will be unblocked and subsequent packets sent from this client
will be fo rwarded. On the o ther hand, if a port is set to Loose state, all p ackets sen t to th e port are p ermitted (forward ed) b y
default. The switch will c ontinuously compare all ARP packets it receives on that port with its IMPB entries. If the IP-MAC pair
in the ARP packet does not match the IMPB wh ite list, the MAC address will b e blocked and subsequent packets sent from this
client will be dropped.
DHCP Snooping Option
If DHCP snooping is enabled, the switch learns IP-MAC pairs by snooping DHCP packets automatically and then saving them to
the IP-MAC-Port Binding white list. This enables a hassle-free configuration because the administrator does not need to manually
enter each IM PB entry. A prerequisite for t his is that t he valid DHCP server's IP-MAC pair m ust be on the switch's IMPB list;
otherwise the DHCP server packets will
enforces all clients to acquire IP through the DHCP server.
An ex ample o f DH CP sn ooping in which PC-A and PC-B g et th eir I P addresses from a D HCP ser ver is d epicted b elow. The
switch snoops the DHCP conversation between PC-A, PC-B, and the DHCP server. The IP address, MAC address, and connecting
ports of both PC-A and PC-B are learned and stored in the switch's IMPB white list. Therefore, these PCs will be able to connect
to the network. Then there is PC-C, whose IP address is man ually configured by the user. Since this PC's IP-MAC pair does not
match the one on Switch's IMPB white list, traffic from PC-C will be blocked.
Doesn't match the
White List block PC-C
DHCP Server
Address Learning
192.168.1.1
192.168.1.2
The IP-MAC-Port Binding (IMPB) folder contains five windows: IMPB Global Settings, IMPB Port Settings, IMPB Entry
Settings, DHCP Snooping Entries, and MAC Blocked List.
®
DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch
be dropped. DHCP snooping is gene rally cons idered to be m ore secure because it
IMP Binding Enabled
White List
00E0-0211-111 Port 1
00E0-0211-222 Port 2
Figure 5 - 5. Example of DHCP Snooping
PC-A
192.168.1.1
00E0-0211-1111
PC-B 192.168.1.2
(IP assigned by DHCP for
00E0-0211-2222
PC-C 192.168.1.1
00E0-0211-3333
(IP manually configured by user)
124
PC-A and PC-B)