Ip-Mac-Port Binding (Impb) Commands - D-Link xStack DES-3528 Series Cli Reference Manual

xStack® DES-3528/DES-3552 Series Layer 2 Managed Stackable Fast Ethernet Switch CLI Reference Guide
IP–MAC-Port Binding (IMPB) Commands
IMPB is a security application found on edge Switches which are usually directly connected to hosts. IMPB enables
administrators to configure (or snoop) pairs of MAC and IP addresses that are allowed to access networks through the
Switch. IMPB binds together the network layer IP address, and the Ethernet link layer MAC address, and the receiving
port, to allow the transmission of data between the layers.
The IP network layer uses a 4byte IP address. The Ethernet link layer uses a 6byte MAC address. Binding these two
address types together allows the transmission of data between the layers. The primary purpose of IP–MAC–Port
Binding is to restrict the access to a Switch to a number of authorized users. Only the authorized client can access the
Switch's port by checking the pair of IP–MAC addresses with the pre–configured white list. If an unauthorized user
tries to access an IMPB-enabled port, the system will block the access by dropping its packet. For this Switch, the
maximum number of IP-MAC Binding entries is 511. The creation of authorized IP-MAC pairs can be manually
configured by the CLI or Web, or can be leaned automatically when DHCP snooping is enabled. The function is port–
based, meaning a user can enable or disable the function on the individual port.
ACL Mode
Due to some special cases that have arisen with the IP–MAC–Port Binding, this Switch has been equipped with a
special ACL mode for IP–MAC–Port Binding. When enabled, the Switch will create one entry in the Access Profile
Table. The entry may only be created if there are at least a Profile ID available on the Switch. If not, when the ACL
mode is enabled, an error message will be prompted to the user. When the ACL Mode is enabled, the Switch will only
accept packets from a created entry in the IP–MAC–Port Binding Setting window. All others will be discarded. The
function is port–based, meaning a user can enable or disable the function on the individual port.
NOTE: When configuring the ACL mode function of the IP–MAC–Port Binding function, please pay
close attention to previously set ACL entries. Since the ACL mode is enabled, it adds the last available
access profile ID to the ACL table, and the first ACL mode entry takes precedence over later
entries.This may render some user–defined ACL parameters inoperable due to the overlapping of
settings combined with the ACL entry priority (defined by profile ID). For more information on ACL
settings, please refer to
NOTE: Once ACL profiles have been created by the Switch through the IP–MAC–Port Binding
function, the user cannot modify, delete or add ACL rules to these ACL mode access profile entries.
Any attempt to modify, delete or add ACL rules will result in a configuration error as seen in the
previous figure.
NOTE: When downloading configuration files to the Switch, be aware of the ACL configurations
loaded, as compared to the ACL mode access profile entries set by this function, which may cause
both access profile types to experience problems.
The IP–MAC–Port Binding commands in the Command Line Interface (CLI) are listed (along with the appropriate
parameters) in the following table.
Command
create address_binding ip_mac ipaddress
config address_binding ip_mac ipaddress
create address_binding ip_mac ipv6address
config address_binding ip_mac ipv6address
"Access Control List (ACL)
Parameters
<ipaddr> mac_address <macaddr> {ports [<portlist> | all] | mode
[arp | acl]}
<ipaddr> mac_address <macaddr> {ports [<portlist> | all] | mode
[arp | acl]}
<ipv6addr> mac_address <macaddr> {ports [ <portlist>| all ]}
<ipv6addr> mac_address <macaddr> {ports [ <portlist>| all ]}
156
Commands" section in this manual.