manualshive.com logo in svg

LevelOne GEP-2650, Руководство пользователя, Страница: 95 / 109

Поделиться
Скачать
LevelOne GEP-2650 Скачать руководство пользователя страница 95

 

 

 

14.  Anti-ARP-Spoofing 

14.1. 

Summary 

According to the design of the ARP protocol, in order to reduce the excessive ARP data 

communication in the network, a host, even if received ARP reply is not requested itself, it also can 

insert it into the ARP cache table, but the ARP protocol itself does not check the validity of ARP 

message it received. It will cause attackers using leaky agreement and forged IP address and MAC 

address for ARP spoofing attacks.   

In addition to cause the user privacy disclosure, ARP spoofing can also cause a network failure, 

network impassability,etc.   

Anti-ARP spoofing function will filter the possible ARP spoofing attacks by the establishment of anti 

spoofing sheet, record suspicious attack source.   

14.2. 

Anti-ARP-Spoofing Configuration 

14.2.1.  Enable Anti-ARP-Spoofing 

Please use the following command to configure Anti-ARP-Spoofing in interface configuration mode: 

Command 

Function 

Switch(config-if-GigabitEthernet-0/1)

#

arp-inspection

 

Enable Anti-ARP-Spoofing function of the 

port

 

Switch(config-link-aggregation1)#

arp

-inspection

 

Enable Anti-ARP-Spoofing function of the 

link aggregation group. 

 

 

The following example is to enable Anti-ARP-Spoofing function: 

Switch#configure terminal   

Enter configuration commands, one per line.    End with CTRL+Z. 

Switch(config)#interface gigabitEthernet 0/1 

Switch(config-if-GigabitEthernet-0/1)#

 arp-inspection   

 

Switch#configure terminal   

Enter configuration commands, one per line.    End with CTRL+Z. 

Switch(config)#link-aggregation 1 

Switch(config-link-aggregation1)#

 arp-inspection 

 

14.2.2.  Disable Anti-ARP-Spoofing 

Please use the following command to configure Anti-ARP-Spoofing in interface configuration mode: 

 

Содержание GEP-2650

Страница 1: ...GEP 2650 26 Port Web Smart Gigabit PoE Switch 802 3at PoE 24 PoE Outputs 370W 2 x SFP User Manual V1 0 Digital Data Communications Asia Co Ltd http www level1 com...

Страница 2: ...procedures hardware installation troubleshooting module specifications of equipment as well as the cable and connector specifications and standards Product manual commands This manual does a detailed...

Страница 3: ...the output information screen The user with information from the terminal input information represented by the bold font 3 various types of marks The book also expressed in the operating process shoul...

Страница 4: ...on interface 4 Configure access trunk port 5 Configure Link aggregation Port 6 Configure VLAN 7 Configure MAC address 8 Configuration of POE 9 configuration IGMP Snooping 10 Configure SNMP 11 Configur...

Страница 5: ...enter global configuration mode Use the configuration mode global configuration mode interface configuration mode command will have an impact on the current running configuration If the user to save t...

Страница 6: ...r the interface gigabitEthernet_id command To return to the privileged mode enter the end command or type the Ctrl Z key combination Various interfaces using the mode configuration of network devices...

Страница 7: ...t to abbreviate command only need to enter the command key part of a character as long as this part of the character recognition only enough command keyword For example show running config The command...

Страница 8: ...prompt on the seat under the input of a question mark this mode allows the command key will be displayed 1 5 Use the history command The system provides the user input command records The characterist...

Страница 9: ...scrolling a page the next page content only in the output content does not end use 1 7 Visit CLI Before using CLI users need to use a terminal or PC and network equipment connection To start the netw...

Страница 10: ...ment on time by manual way When you set the clock network equipment network equipment clock will you set the time is running down even if the network equipment network equipment clock continues to run...

Страница 11: ...are not configured for the CLI command prompt then the system name if the system name exceeds 32 characters interception The first 32 characters will be the default command prompt prompt will change w...

Страница 12: ...rminal rate setting must and network equipment console rate 2 5 2 Set console rate On line configuration mode rate you can use the following command to set the console Step 1 2 6 Connection timeout 2...

Страница 13: ...line last line Access to the specified LINE model 2 7 3 Configure user authentication local By default the user can directly through the console port or telnet directly connected to the switch can be...

Страница 14: ...Port interface configuration command a port configured as a Access Port Hybrid Port or Trunk Port Switch Port is used to manage the physical interface and the second related protocols and does not ha...

Страница 15: ...ction between devices can also be used to connect the user s computer The default VLAN Because Trunk Port can belong to more than one VLAN so we need to set up a Native VLAN as the default VLAN when s...

Страница 16: ...terface of the Native VLAN transmission Tagged Frame If the received frame is Trunk port TAG will be in accordance with the following conditions for processing receiving the data frame in sending the...

Страница 17: ...is section describes the type three layer interface and the related definition can be divided into the following types SVI Switch virtual interface The SVI is switched virtual interface to achieve the...

Страница 18: ...nfiguration command only to the physical port Link aggregation Port and the SVI interface is not supported media type setting This configuration command only for media port Configuration for the Link...

Страница 19: ...ow to close the interface 0 1 Switch config terminal Switch config interface gigabitEthernet 0 1 Switch config if gigabitEthernet 0 1 shutdown The following example describes how to enable the interfa...

Страница 20: ...ion of two layer interface are given in the following table Attribute The default settings Working mode L2 swith Switch port mode access port Allow VLAN range VLAN 1 4094 The default VLAN for access p...

Страница 21: ...VLAN Command Function Switch config if GigabitEthernet 0 2 switch trunk native vlan vlan id Configure the trunk port s NATIVE VLAN Below is the example to configure Trunk Port Gigabitethernet 0 2 s Na...

Страница 22: ...ern by using Link aggregation Port Specific configuration process please refer to Configure Link aggregation Port 4 1 3 Clear the port statistics Clear the port statistics by Clear Command in the priv...

Страница 23: ...itch config if vlan1 ip address 192 168 1 1 255 255 255 0 4 2 Show the port configuration and Status This section describles the port s display content and display examples You can chec the port statu...

Страница 24: ...Below is the example to show the port physical attribute Switch show interface gigabitEthernet 0 9 media Gi 0 9 media fiber optical interface Switch show interface gigabitEthernet 0 3 media Gi 0 3 me...

Страница 25: ...bolErrors 0 TotalAlignmetErrors 0 TotalUndersizePkts 0 TotalOversizePkts 0 TotalFragments 0 TotalJabbers 0 TotalCollisions 0 TotalPkts64Octets 43300 TotalPkts65to127Octets 5005 TotalPkts128to255Octets...

Страница 26: ...lance it can assign flow to each link evenly AP realize the linke backup When one of the link in the AP disconnected syestem will assign this link s flow to the other effective links automaticly One b...

Страница 27: ...nput packets source MAC address 5 2 2 Link aggregation Port configuration Instructor AP members ports rate status duplex transmission media must be the same Two layer port can only join two layer AP t...

Страница 28: ...manual mode the port needs to be configured to be manual mode Using the Command no link aggregation ap id to exit a physical port in the port configuration mode Below is the example to configure two l...

Страница 29: ...on Switch show link aggregation group 1 Link Aggregation 1 Mode Manual Description Load balance method mac Number of ports in total 1 Number of ports attached 1 Gi 0 1 DETACHED Gi 0 3 ATTACHED 6 Confi...

Страница 30: ...e same as a phosical network VLAN is connected with a subnet IP A typical example All the hosts in a same IP subnet belong to the same VLAN VLANs must communicate with each other by 3 layers equipment...

Страница 31: ...t be removed You can configure a port s VLAN member type or add rmove a VLAN in port configurationmode 6 2 1 Save VLAN configuration information When you type the Command Write in the privileged mode...

Страница 32: ...thernet 0 1 as Access port to join VLAN20 Switch configure terminal Switch config interface gigabitEthernet 0 1 Switch config if GigabitEthernet 0 1 switch mode access Switch config if GigabitEthernet...

Страница 33: ...hernet 0 1 switch mode access Set a port to be Access mode S t e p 2 Switch config if GigabitEthernet 0 1 switch mode trunk Set a port to be Trunk mode Must assigned a Native VLAN for Trunk port So ca...

Страница 34: ...GigabitEthernet 0 1 end 6 3 4 Configure Native VLAN A Trunk can receive and send TAG or UNTAG 802 1Q frame UNTAGframeusedtotransmit Native VLAN flow Default Native VLAN is VLAN 1 In the port configur...

Страница 35: ...itch config if GigabitEthernet 0 1 no switch hybrid vlan 2 untagged 6 4 4 Configure Native VLAN Native vlan in the hybrid port confirm to recive without vlan marked packet and confirmitis transmitted...

Страница 36: ...7 Configure MAC address Ethernet switches through the MAC address table in the data link layer to forward packets this article is description of configuration method of MAC address 7 1 Understand MAC...

Страница 37: ...only one and message output directly from a table item of the corresponding port Multicast forwarding Ethernet switch can check message s purpose MAC address and tables that is correspond to VLAN ID t...

Страница 38: ...Ethernet switch MAC address table has been in existence UserA s MAC address so the message is in the form of unicast forwarding to Gigabit Ethernet 0 2 ports Ethernet switches at the same time will le...

Страница 39: ...ress of the message that the address will be deleted from the MAC address table when reaching to aging time 7 1 4 Filter addresses Manual configuration of the MAC address table entries for discarded i...

Страница 40: ...4 Dynamic Address Aging Time Configuration 7 4 1 Aging Time Configuration Command Function Switch config mac address agint time 10 893 set the time span of an address kept in dynamic address table af...

Страница 41: ...package forwards to ap id the link aggregation interface that package forwards to drop discarded data package Switch config no mac address static mac address vlan vlan id interface gigabitEthernet por...

Страница 42: ...address or destination address from the specified VLAN of vlan id of the equipment the message will be discarded Switch config no mac address static mac address vlan vlan id drop Delete filtering add...

Страница 43: ...hernet switch respectively through Gi0 1 and Gi0 2 server administrators connected to the Ethernet switch through Gi0 3 other normal users access to the Web server through the Ethernet switch Gi0 5 po...

Страница 44: ...tion Server 00d0 3232 0002 VLAN10 Gi 0 2 Network Administrator 00d0 3232 1000 VLAN10 Gi 0 3 7 7 4 Configuration Steps enter the global configuration mode of the switch Switch en Switch configure termi...

Страница 45: ...generally have internal power supply some products also supports external power supply external power supply is called the RPS PSE PSE Power Sourcing Equipment PSE on PoE interface circuit to find an...

Страница 46: ...owing at the interface mode If you use interface range command batch configuration port PoE function Due to the range command is configuration interfaces one by one a port PoE function were switched o...

Страница 47: ...l output the corresponding message in the configuration Static mode the distribution of power according to the user s configuration each port must be assigned to power supply When switch to static mod...

Страница 48: ...erface are all low Same priority port the new insert port will not affect the already in the state of the power supply of PD equipment power supply Different priority of ports is not affected by this...

Страница 49: ...itch configure terminal Enter configuration commands one per line End with CTRL Z Switch config interface gigabitEthernet 0 1 Switch config if gigabitEthernet 0 1 poe max power 17 Switch config if gig...

Страница 50: ...ation commands one per line End with CTRL Z Switch config interface gigabitEthernet 0 1 Switch config if gigabitEthernet 0 1 poe alloc power 20 Switch config if gigabitEthernet 0 1 poe enable Switch c...

Страница 51: ...mode to retain power it may lead to port under electric has access to electricity 8 2 7 Use hot start uninterrupted power supply function If you need to restart the switch in practical applications su...

Страница 52: ...of the next If the user forgot to save the configuration or to save the configuration and then change the POE configuration system will prompt the user to save the configuration Command Function Switc...

Страница 53: ...onfig if gigabitEthernet 0 1 poe recover auto manual Set the recovery mode Auto Power supply equipment to restore power PD device automatically restore power Manual Power supply equipment to restore p...

Страница 54: ...terface of PD descriptors Switch configure terminal Enter configuration commands one per line End with CTRL Z Switch config interface gigabitEthernet 0 1 Switch config if gigabitEthernet 0 1 poe pd de...

Страница 55: ...Detecting Max power 29 123 W Allocate power 19 124 W Current power 0 W Average power 0 W Peak power 0 W Voltage 0 V Current 0 mA PD class NO PD Devices Trouble cause None Priority Low Trouble Recover...

Страница 56: ...ltage The current voltage of the port Current The current electricity of the port PD class Port s level according to the regulations of the 802 3af 802 3at PD equipment is divided into four levels Tro...

Страница 57: ...W 0W 0W 0mA 0 N A Display all POE port configuration information Switch show poe interfaces configuration Interface Power Power Max Alloc Port Port Control Status Power Power Priority Legacy Gi0 1 Nor...

Страница 58: ...y Display POE power supply state of the whole system Display Item Instructions Powerring Port List Currently in power supply port Power management Power supply management mode auto Automatic mode ener...

Страница 59: ...carried out within the VLAN related port is refers to the internal members of the VLAN Run the IGMP Snooping devices through analyze the IGMP packets received For port and multicast address set up map...

Страница 60: ...he Listener Port Said switch connection port of the IP multicast group side Such as the SwitchA of Gi 0 2 Gi 0 3 and Gi 0 4 port Switch to all members of the ports on the device including dynamic and...

Страница 61: ...membership after receiving the report message Switch it to all routing within a VLAN connection port forwarding to go out From the analysis of the message in the host IP multicast group address to jo...

Страница 62: ...ring using the features 9 2 Configure IGMP Snooping We will from the following sections describe how to configure the IGMP Snooping 9 2 1 Enable IGMP Snooping Step 1 Step 2 Step 3 The following exampl...

Страница 63: ...AN off the IGMP Snooping function can use the following command In the global mode follow these steps to close the IGMP Snooping Command Function Switch config no ip igmp snooping vlan num Close the V...

Страница 64: ...emove the port from the list of member port In the global mode follow these steps to configure the aging timer of member port Command Function Switch config ip igmp snooping timer report port expiry t...

Страница 65: ...face gig port id link aggregation ap id Cancel the interface for static routing connections Step 1 Step 2 Step 3 Step 4 If you want to delete one of the IGMP profile you can use the no IP IGMP profile...

Страница 66: ...ter Vlan SourceAddr Interface 1 0 0 0 0 Gi 0 1 static 9 2 8 Configure port IGMP Filtering In some cases you may need to control a certain ports can only receive a number of specific multicast data flo...

Страница 67: ...how ip igmp snooping Global IGMP Snooping configuration IGMP Snooping Enabled Report Suppression Enabled TCN solicit query Disabled TCN flood query count 2 Last Member Query Interval 1000 IGMP version...

Страница 68: ...on Command Function Switch show ip igmp snooping mrouter Check the IGMP Snooping routing connection information The following example uses theshow ip igmp snooping command to view IGMP Snooping routin...

Страница 69: ...standards RFC1157 Up to now because of many manufacturers support for the deal SNMP has become the de facto standard of network management Network equipment by using SNMP protocol The network administ...

Страница 70: ...ies the network equipment in the A list of Numbers can be used to represent such as 1 3 6 1 2 1 1 this string of Numbers is the management unit of the Object Identifier MIB is a collection of network...

Страница 71: ...ters from Agent under a parameter value Get bulk Operation NMS extracted from Agent batch parameter values Set request Operation NMS set one or more of the parameters of the Agent Get response Operati...

Страница 72: ...view based management The default does not specify a view which allows access to all MIB objects You can specify to use the certification of management IP If not specified were not limiting the use o...

Страница 73: ...ake the initiative to send NMS sends the Trap message The Trap is Agent without request to take the initiative to send messages to the NMS Used to report some urgent and important event The default is...

Страница 74: ...tatus SNMP ON SNMP Trap OFF 10 3 2 View the current state of SNMP In privileged user mode execute show snmp server to view the current state of SNMP Switch show snmp server 0 SNMP packets input 0 Bad...

Страница 75: ...rk monitoring data Place the RMON detector in the network nodes network management platform decided what information these detectors Such as statistical information is monitored collecting historical...

Страница 76: ...torical data for the administrator 10 4 1 3 Alarm group The alarm group is the third groups in the RMON At specified time intervals to monitor a specific MIB Management Information Base object When th...

Страница 77: ...sion only supports Ethernet interface The index value should be an integer between 1 65535 Command Function Switch config if gigabitEthernet 0 1 rmon collection history index owner ownername buckets b...

Страница 78: ...tion and last sampling and upper limit lower limit of difference comparison Value defines the upper limit lower limit value Event number When more than the upper limit or lower limit the triggering ev...

Страница 79: ...conds to check port 6 received on the change of the number of unicast frame If received a unicast frame number than the last time check 30 seconds ago increased by 20 or more than 20 or more than the...

Страница 80: ...rol Switch show rmon history control RMON history control entry index 1 Data source IfIndex 3 Buckets request 500 Buckets granted 1 Interval 600 Owner zhangsan Entry status Valid show rmon statistics...

Страница 81: ...from the source port all input and output message copying a to the port of destination When the image flow of source port more than the destination port s bandwidth For example the 100Mbps destinatio...

Страница 82: ...essage the message of the source MAC destination MAC VLAN ID and TTL changes as well the format of the message copy to the destination port will also change Bidirectional data flow Including the above...

Страница 83: ...t gigabitEthernet 0 1 message to the mirror port gigabitEthernet 0 8 Show monitor session privilege commands are used to confirm the configuration was successful Switch config no monitor session 1 Swi...

Страница 84: ...monitor privileges Switch show monitor session Session 1 Type Local Session Source interface Gi 0 1 BOTH Gi 0 1 Destination interface Gi 0 8 12 Configure the flow control based port 12 1 Storm Control...

Страница 85: ...ol function enable state Switch show storm control interface unicast broadcast multicast action Gi 0 1 enable enable disable none Command Function Switch config if GigabitEthern et 0 1 storm control b...

Страница 86: ...on isolated port can be normal communication When the two protection port to a SPAN port SPAN port to send or receive a frame can still image into the SPAN destination port Equipment support link aggr...

Страница 87: ...he conversion for static configurationIn show running config can be seen in the configuration Save the configuration after the restart without having to learn these dynamic security address And if thi...

Страница 88: ...y In interface configuration mode please configure port security and exception processing mode uses the following commands The following example illustrates the enable port security function interface...

Страница 89: ...rnet 0 1 port security visitor ip address 1 1 1 3 mac address 0000 0000 0002 times 5 Description xxx Tip When the host match permit rule which is to permit the host biggest quantity is full can also a...

Страница 90: ...ng command to check port security information The following example shows the port security of all address table information Switch show port security all IP address MAC address interface name bind co...

Страница 91: ...escription 192 164 1 2 0012 0001 0002 Gi 0 5 VISITOR 50 49 13 Anti illegal DHCP Server 13 1 Summary DHCP is a dynamic protocol to assign IP addresses to the PC client dynamically It can be used for us...

Страница 92: ...ort So we can put an end to the affect to other user that private set up illegal DHCP Server user caused 13 2 DHCP Snooping Configuration 13 2 1 Enabling DHCP Snooping Only after enabling the DHCP Sno...

Страница 93: ...ort The following example is to configure DHCP Snooping trusted port Switch configure terminal Enter configuration commands one per line End with CTRL Z Switch config interface gigabitEthernet 0 1 Swi...

Страница 94: ...ing information in privileged mode Command Function Switch show dhcp snooping Display DHCP Snooping information The following example is to display DHCP Snooping information Switch show dhcp snooping...

Страница 95: ...Anti ARP Spoofing Configuration 14 2 1 Enable Anti ARP Spoofing Please use the following command to configure Anti ARP Spoofing in interface configuration mode Command Function Switch config if Gigabi...

Страница 96: ...config link aggregation 1 Switch config link aggregation1 no arp inspection 14 3 View information of Anti ARP Spoofing Use the following command to view Anti ARP Spoofing information in Privileged mod...

Страница 97: ...ss interface name tbl status 40 0001 7AD2 4D8C 192 168 100 1 Gi 0 4 AFFIRM 40 DDCC BBAA 4B79 0 0 0 1 Gi 0 4 ATTACK 40 0087 2380 9EA7 192 168 1 137 Gi 0 4 AFFIRM 40 C860 00E0 2B80 192 168 100 51 Gi 0 4...

Страница 98: ...Configure the port rate limitation rate Committed Burst size Excess Burst size Below is the example to configure the Upstream Rate limitation Switch configure terminal Enter configuration commands on...

Страница 99: ...itEthernet 0 1 no rate limit Below is the example to close the port Downstream Rate limitation Switch configure terminal Enter configuration commands one per line End with CTRL Z Switch config interfa...

Страница 100: ...he traffic shape is not configured Gi 0 3 The traffic shape is not configured Gi 0 4 The traffic shape is not configured Gi 0 5 The traffic shape is not configured Gi 0 6 The traffic shape is not conf...

Страница 101: ...fig loopback detection errdisable recover 30 Switch configure terminal Enter configuration commands one per line End with CTRL Z Switch config loopback detection enable Switch config loopback detectio...

Страница 102: ...Switch show loopback detection Loopback detection is Runing on Detection interval time is 2 seconds Error Disable recover time is 60 seconds Interface Action State Gi 0 5 WARNING LINK_DOWN Gi 0 6 CON...

Страница 103: ...7 2 configure access control Enter into global mode and configure access control Step 1 Command Function Switch config ip access list standard extended 0 9 10 19 Configuration list of access control S...

Страница 104: ...matching rules of MAC data flow Step 3 Enter into standard IP rule table Switch config ip access list standard 9 and configure Command Function Switch config std ip nacl 0 permit any host sip Rule of...

Страница 105: ...example for configure standard IP extended IP extended MAC Switch configure terminal Enter configuration commands one per line End with CTRL Z Switch config ip access list standard 0 Switch config st...

Страница 106: ...e0 9 10 19 cancel extended IP access control list from table10 19 20 25 cancel extended mac access control list from table 20 25 Enter rule table Switch config ip access list extended 10 and delete ac...

Страница 107: ...ist extended 10 1 deny tcp any any mac access list extended 20 mac access list extended 21 3 deny host 0012 0012 0012 any 18 File system Configuration 18 1 Overview Switch files containing several typ...

Страница 108: ...Switch config fs cd word Enter directory word directory name The following example for input dir the default display Switch configure filesystem Switch config fs dir size date time name 0 JAN 01 1980...

Страница 109: ...The Data of this dir will be lost if OS is deleted the system will hangup Please confirm to continue Yes No y Switch config fs...

Отзывы:

Нет отзывов