Impb Global Settings - D-Link DGS-3427 - xStack Switch - Stackable Product Manual

x Stack
When the user configures strict mode and enables IMPB on a port, ARP inspection is enabled. For an ARP inspection active port:
All ARP packets should be captured to the CPU (including broadcast ARP and unicast ARP packets) and the CPU will make the
decision to either forward or drop.
The switch will validate the ARP packets by retrieving the sender's MAC/ IP address from the ARP packet payload and sender
hardware address. If the IP/ MAC address are in the IMPB forwarding list, the ARP packets will be forwarded. Otherwise, the
ARP packet will be discarded.
Strict Mode Behavior Change
As the figure below shows, in a mixed network (both IPv4 and IPv6 used), if illegal IPv4-A packets are detected and there are
write-blocked FDB entries, then IPv6-Global also cannot access the network. To avoid this case, do not write-block FDB. Not
write-blocking FDB can also avoid netcut attacks and recover attacks.
When enabling Strict mode, the Switch will stop writing dropped FDB entries on these ports. If the Switch detects legal packets,
the Switch will need to create the FDB forwarding entries. ACL mode always run under strict mode. When a user enables ACL
mode on some ports, these ports will change from Loose mode to Strict mode and the configuration will also change to Strict
mode. For compound authentication AND mode (IMPB+1X, IMPB+WAC, IMPB+JWAC), the ports always run in Strict mode.

IMPB Global Settings

This window is used to enable or disable the global IMPB settings: Trap Log State and DHCP Snoop state, on the Switch.
The Trap/Log field will enable and disable the sending of trap / log messages for IMPB. When enabled, the Switch will send
traps and log messages when an ARP packet is received that doesn't match the IP-MAC binding entries configured on the Switch.
®
DGS-3400 Series Layer 2 Gigabit Ethernet M anaged Sw itch
Figure 6 - 7 ARP Cache Poisoning
Figure 6 - 8 IPv4 and IPv6 Sharing
282