D-Link DGS-3600 Switch User Manual


 
xStack DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual
18 IP-MAC BINDING
The IP network layer uses a four-byte address. The Ethernet link layer uses a six-byte MAC address. Binding these two address types
together allows the transmission of data between the layers. The primary purpose of IP-MAC binding is to restrict access to a
switch to a number of authorized users. The Switch checks each client's pair of IP-MAC addresses against the pre-configured
database, and only an authorized client can access the Switch's port. If an unauthorized user tries to access an IP-MAC binding
enabled port, the system will block the access by dropping its packet. The maximum number of IP-MAC binding entries is dependent
on chip capability (e.g. the ARP table size) and storage size of the device. For the DGS-3600 series, the maximum number of
IP-MAC Binding entries is 500.
The creation of authorized users can be manually configured by CLI or Web. The function is port-based, meaning a user can enable or
disable the function on each individual port.
ACL Mode
Due to some special cases that have arisen with the IP-MAC binding, this Switch has been equipped with a special ACL Mode for
IP-MAC Binding, which should alleviate this problem for users. When enabled, the Switch will create two entries in the Access
Profile Table. The entries may only be created if there are at least two Profile IDs available on the Switch. If not, an error
message will be displayed to the user when the ACL Mode is enabled. When the ACL Mode is enabled, the Switch will only accept
packets from a created entry in the IP-MAC Binding Setting window. All others will be discarded.
To configure the ACL mode, the user must first create an IP-MAC binding using the create address_binding ip_mac ipaddress
command and select the mode as acl. Then the user must enable the mode by entering the enable address_binding acl_mode
command. If an IP-MAC binding entry is created and the user wishes to change it to an ACL mode entry, the user may use the config
address_binding ip_mac ipaddress command and select the mode as acl.
NOTE: When configuring the ACL mode function of the IP-MAC binding function, please pay
close attention to previously set ACL entries. Since the ACL mode entries will fill the first two
available access profiles and access profile IDs denote the ACL priority, the ACL mode entries
may take precedence over other configured ACL entries. This may render some user-defined
ACL parameters inoperable due to the overlapping of settings combined with the ACL entry
priority (defined by profile ID). For more information on ACL settings, please see the “Configuring
the Access Profile” section mentioned previously in this chapter.
NOTE: Once ACL profiles have been created by the Switch through the IP-MAC binding
function, the user cannot modify, delete or add ACL rules to these ACL mode access profile
entries. Any attempt to modify, delete or add ACL rules will result in a configuration error as
seen in the previous figure.
NOTE: When downloading configuration files to the Switch, be aware of how the ACL
configurations being loaded compare with the ACL mode access profile entries set by this
function, as this may cause both access profile types to experience problems.
The IP-MAC Binding commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the
following table.
Command                                   Parameters
create address_binding ip_mac ipaddress   <ipaddr> mac_address <macaddr> {ports [<portlist> | all] | mode [arp | acl]}
config address_binding ip_mac ipaddress   <ipaddr> mac_address <macaddr> {ports [<portlist> | all] | mode [arp | acl]}
config address_binding ip_mac ports       [<portlist> | all] state [enable | disable]
show address_binding                      [ip_mac {[all | ipaddress <ipaddr> mac_address <macaddr>]} | blocked {[all | vlan_name <vlan_name> mac_address <macaddr>]} | ports]
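
The following is an added example, not part of the D-Link manual: a Python helper that turns an inventory of authorized hosts into the ACL-mode command sequence described above, using only the command syntax from the table. The function names, the dash-separated MAC format, the portlist pattern and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

MAX_ENTRIES = 500  # DGS-3600 series limit stated in the manual text above
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}")

# Constructed sample inventory of authorized hosts: (IP address, MAC address).
SAMPLE_INVENTORY = [
    ("10.1.1.10", "00:1A:2B:3C:4D:5E"),
    ("10.1.1.11", "00-1a-2b-3c-4d-5f"),
    ("10.1.1.10", "00-1A-2B-3C-4D-5E"),  # exact duplicate, collapsed below
]


def normalize_mac(mac):
    """Return the MAC as upper-case dash-separated hex (assumed CLI format)."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.replace(":", "-").upper()


def build_commands(inventory, portlist="all"):
    """Validate the inventory and return CLI lines, enforcement last."""
    # Assumed portlist shape (e.g. "1-5" or "1,3,7"); rejects stray characters.
    if not re.fullmatch(r"all|[0-9:,-]+", portlist):
        raise ValueError(f"invalid portlist: {portlist!r}")
    bound = {}  # ip -> mac, in first-seen order
    for ip, mac in inventory:
        ip = str(ipaddress.IPv4Address(ip))  # ValueError on a malformed address
        mac = normalize_mac(mac)
        # One IP with two different MACs is an inventory error; do not guess.
        if bound.setdefault(ip, mac) != mac:
            raise ValueError(f"{ip} is listed with both {bound[ip]} and {mac}")
    if len(bound) > MAX_ENTRIES:
        raise ValueError(f"{len(bound)} entries exceed the limit of {MAX_ENTRIES}")
    cmds = [
        f"create address_binding ip_mac ipaddress {ip} mac_address {mac} mode acl"
        for ip, mac in bound.items()
    ]
    # Enforcement comes after every entry exists: a port enabled earlier would
    # drop packets from hosts that are not in the table yet.
    cmds.append("enable address_binding acl_mode")
    cmds.append(f"config address_binding ip_mac ports {portlist} state enable")
    cmds.append("show address_binding ip_mac all")  # review the resulting table
    return cmds


if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE_INVENTORY, "1-5")))
```

Review the generated lines against existing access profiles before pasting them into a session, since the ACL mode entries take the first two available profile IDs.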