LevelOne GTL-2890 Manual

Layer 3 Forward and ARP Configuration


GTL-2890 / GTL-5260
http://www.level1.com


Summary of Contents for LevelOne GTL-2890

  • Page 1 Layer 3 Forward and ARP Configuration, GTL-2890 / GTL-5260, http://www.level1.com...
  • Page 2: Table of Contents

    Content: Chapter 1 Layer 3 Management Configuration; 1.1 Layer 3 Management Interface; 1.1.1 Introduction to Layer 3 Management Interface; 1.1.2 Layer 3 Interface Configuration Task List; 1.2 IP Configuration...
  • Page 3 Content: 3.1.3 How to prevent void ARP Spoofing; 3.2 Prevent ARP Spoofing Configuration; 3.3 Prevent ARP Spoofing Example; Chapter 4 ARP GUARD Configuration; 4.1 Introduction to ARP GUARD...
  • Page 4: Chapter 1 Layer 3 Management Configuration

    The switch only supports Layer 2 forwarding, but a Layer 3 management port can be configured for the communication of all kinds of management protocols based on the IP protocol. 1.1 Layer 3 Management Interface. 1.1.1 Introduction to Layer 3 Management Interface: Only one Layer 3 management interface can be created on the switch.
  • Page 5: IP Configuration

    no description: The no command cancels the description information of the VLAN interface. 1.2 IP Configuration. 1.2.1 Introduction to IPv4, IPv6: IPv4 is the current version of the global universal Internet protocol. Practice has proved that IPv4 is simple, flexible, open, stable, strong and easy to implement, while collaborating well with the various protocols of the upper and lower layers.
  • Page 6 solution at present. First of all, the 128-bit addressing scheme of the IPv6 protocol can guarantee enough globally unique IP addresses for global IP network nodes in the range of time and space.
  • Page 7: IP Configuration

    becomes unnecessary, thus the problems and system cost caused by NAT deployment are solved naturally. Support for extensively deployed routing protocols: IPv6 has kept and extended the support for existing Internal Gateway Protocols (IGP for short) and Exterior Gateway Protocols (EGP for short).
  • Page 8 (4) Delete all entries in IPv6 neighbor table. 1. IPv6 Basic Configuration. (1) Configure interface IPv6 address. Command Explanation Interface Configuration Mode Configure IPv6 address, including ipv6 address aggregatable global unicast...
  • Page 9: IPv6 Troubleshooting

    Command (Admin Mode): clear ipv6 neighbors. Explanation: Clear all static neighbor table entries. 1.2.3 IPv6 Troubleshooting: If the connected PC has not obtained an IPv6 address, you should check the RA announcement switch (the default is turned off). 1.3 Static Route. 1.3.1 Introduction to Static Route...
  • Page 10: Static Route Configuration Task List

    1.3.3 Static Route Configuration Task List. 1. Static route configuration. Command Explanation Global mode Set static routing; the no ip route {<ip-prefix> <mask> route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address>...
  • Page 11: ARP

    Switch#config Switch(config)#ip route 10.1.5.0 255.255.255.0 10.1.2.2 Configuration of layer3 SwitchC Switch#config Next hop use the partner IP address Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1 Next hop use the partner IP address Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1 Configuration of layer3 SwitchB Switch#config...
  • Page 12 If ARP has not been learned, enable ARP debugging information and view the sending/receiving condition of ARP packets. A defective cable is a common cause of ARP problems and may disable ARP learning.
  • Page 13: Chapter 2 ARP Scanning Prevention Function

    Chapter 2 ARP Scanning Prevention Function Configuration. 2.1 Introduction to ARP Scanning Prevention Function: ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts lots of ARP messages in the segment, which takes up a large part of the bandwidth of the network.
  • Page 14 Prevention 3. Configure trusted ports 4. Configure trusted IP 5. Configure automatic recovery time 6. Display relative information of debug information and ARP scanning. 1. Enable the ARP Scanning Prevention function. Command Explanation Global configuration mode...
  • Page 15 anti-arpscan trust ip <ip-address> [<netmask>] / no anti-arpscan trust ip <ip-address> [<netmask>]: Set the trust attributes of IP. 5. Configure automatic recovery time. Command (Global configuration mode): anti-arpscan recovery enable Enable disable...
  • Page 16: ARP Scanning Prevention Typical Examples

    2.3 ARP Scanning Prevention Typical Examples. Fig 2-1 ARP scanning prevention typical configuration example. In the network topology above, port E1/0/1 of SWITCH B is connected to port E1/0/19 of SWITCH A, port E1/0/2 of SWITCH A is connected to the file server (IP address is 192.168.1.100/24), and all the other ports of SWITCH A are connected to common PCs.
  • Page 17: ARP Scanning Prevention Troubleshooting Help

    2.4 ARP Scanning Prevention Troubleshooting Help: ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, "debug anti-arpscan", to view debug information.
  • Page 18: Chapter 3 Prevent ARP Spoofing Configuration

    3.1 Overview. 3.1.1 ARP (Address Resolution Protocol): Generally speaking, the ARP protocol (RFC-826) is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, the IP address is 192.168.0.1 and the network card MAC address is 00-03-0F-FD-1D-2B.
  • Page 19: Prevent ARP Spoofing Configuration

    counterfeiting a legal IP address first, and sends a great deal of counterfeited ARP application packets to switches. After the switches learn these packets, they overwrite the previously correct IP-to-MAC address mappings, so that some correct mappings are changed to the correspondence configured by the attack packets; the switch then makes mistakes when forwarding packets, which affects the whole network.
  • Page 20: Prevent ARP Spoofing Example

    Command (Global Mode and Port Mode): ip arp-security convert. Explanation: Change dynamic ARP to static ARP. 3.3 Prevent ARP Spoofing Example. Switch Equipment Explanation Equipment Configuration Quality switch IP:192.168.2.4; mac: 00-00-00-00-00-04 IP:192.168.2.1;...
  • Page 21 Switch(config)#interface vlan 1 Switch(config-if-vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface ethernet 1/0/1 Switch(config-if-vlan1)#arp 192.168.2.2 00-00-00-00-00-02 interface ethernet 1/0/2 Switch(config-if-vlan1)#arp 192.168.2.3 00-00-00-00-00-03 interface ethernet 1/0/3 Switch(Config-If-Vlan3)#exit Switch(Config)#ip arp-security learnprotect Switch(Config)# Switch(config)#ip arp-security convert If the environment is changing, ARP refresh can be forbidden; once an ARP entry is learned, it won't be refreshed by a new ARP reply packet, which protects user data from sniffing.
  • Page 22: Chapter 4 ARP GUARD Configuration

    4.1 Introduction to ARP GUARD: There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address.
  • Page 23: ARP GUARD Configuration Task List

    scheme. Please refer to the relevant documents for details. 4.2 ARP GUARD Configuration Task List. 1. Configure the protected IP address. Command (Port configuration mode): arp-guard ip <addr> / no arp-guard ip <addr>: Configure/delete ARP GUARD address...
  • Page 24: Chapter 5 Gratuitous ARP Configuration

    5.1 Introduction to Gratuitous ARP: Gratuitous ARP is a kind of ARP request that is sent by the host with its IP address as the destination of the ARP request.
  • Page 25: Gratuitous ARP Configuration Example

    Command (Admin Mode and Configuration Mode): show ip gratuitous-arp [interface vlan <1-4094>]. Explanation: To display configurations about gratuitous ARP. 5.3 Gratuitous ARP Configuration Example. Fig 5-1 Gratuitous ARP Configuration Example. For the network topology shown in the figure above, interface VLAN10 whose IP address is 192.168.15.254 and network address mask is 255.255.255.0 in the switch...
  • Page 26: Gratuitous ARP Troubleshooting

    5.4 Gratuitous ARP Troubleshooting: Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, the debugging information about ARP packets can be retrieved through the command debug ARP send.
  • Page 27: Chapter 6 Dynamic ARP Inspection Configuration

    6.1 Introduction to Dynamic ARP Inspection Configuration: DAI (Dynamic ARP Inspection) is a security feature that verifies the ARP data packets in the network.
  • Page 28: Dynamic ARP Inspection Configuration Example

    configures the untrusted port. 3. Configure the rate for the untrusted ARP packet. Command (Port Mode): ip arp inspection limit-rate <rate>. Explanation: Limit the ARP packet rate of the untrusted port.
  • Page 29 ip arp inspection limit-rate 50 Interface Ethernet1/0/2 description connect to Other Server switchport access vlan 10 ip arp inspection limit-rate 50 Interface Ethernet1/0/3 description connect to PC switchport access vlan 10 ip arp inspection limit-rate 50 interface Vlan10 ip address 192.168.10.1 255.255.255.0...

This manual is also suitable for:

GTL-5260
