xStack® DGS-3400 Series Layer 2 Gigabit Managed Switch CLI Manual
19
IP–MAC-PORT BINDING (IMPB) COMMANDS
The IP network layer uses a four-byte IP address. The Ethernet link layer uses a six-byte MAC address. Binding these two
address types together allows the transmission of data between the layers. The primary purpose of IP–MAC-Port Binding is to
restrict access to a switch to a number of authorized users. The Switch checks each client's IP–MAC address pair against the
pre-configured white list, and only an authorized client can access the Switch's port. If an unauthorized user tries to access
an IMPB-enabled port, the system will block the access by dropping its packet. The maximum number of IP–MAC-Port Binding
entries is dependent on chip capability (e.g. the ARP table size) and storage size of the device. For the xStack® DGS–3400
Series, the maximum number of IP–MAC-Port Binding entries is 511. Authorized IP-MAC pairs can be created manually through
the CLI or Web interface, or can be learned automatically when DHCP snooping is enabled. The function is port-based, meaning
a user can enable or disable the function on an individual port.
ACL Mode
Due to some special cases that have arisen with IP–MAC-Port Binding, this Switch has been equipped with a special ACL
Mode for IP–MAC-Port Binding. When enabled, the Switch will create two entries in the Access Profile Table. The entries can
only be created if at least two Profile IDs are available on the Switch. If not, the Switch displays an error message when
the ACL Mode is enabled. When the ACL Mode is enabled, the Switch will only accept packets from a created entry
in the IP–MAC-Port Binding Setting window. All others will be discarded. The function is port-based, meaning a user can enable
or disable the function on an individual port.
To configure the ACL mode, the user must first set up IP-MAC-Port binding using the create address_binding ip_mac
ipaddress command to create an entry. Then the user must enable the mode by entering the config address_binding ports
<portlist> mode acl command.
NOTE: When configuring the ACL mode function of the IP–MAC-Port Binding function, please
pay close attention to previously set ACL entries. Since the ACL mode entries will fill the first
two available access profiles and access profile IDs denote the ACL priority, the ACL mode
entries may take precedence over other configured ACL entries. This may render some
user-defined ACL parameters inoperable due to the overlapping of settings combined with the ACL
entry priority (defined by profile ID). For more information on ACL settings, please see the
“Configuring the Access Profile” section mentioned previously in this manual.
NOTE: Once ACL profiles have been created by the Switch through the IP–MAC-Port Binding
function, the user cannot modify, delete or add ACL rules to these ACL mode access profile
entries. Any attempt to modify, delete or add ACL rules will result in a configuration error as
seen in the previous figure.
NOTE: When downloading configuration files to the Switch, compare the ACL
configurations being loaded against the ACL mode access profile entries set by this
function; conflicts between them may cause both access profile types to experience problems.
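The following is an added example, not taken from the manual or from D-Link: a pre-flight check for the first NOTE above, run against an inventory of existing access profiles before ACL mode is enabled. It assumes that "first two available" means the two lowest free profile IDs and that a lower profile ID outranks a higher one; the function name, the sample profiles and the MAX_PROFILE_ID value are constructed placeholders.

```python
"""Pre-flight check before enabling IMPB ACL mode (added example, not D-Link code)."""

# ASSUMPTION: placeholder limit; take the real number of access profile IDs
# from the "Configuring the Access Profile" section for your switch.
MAX_PROFILE_ID = 6

# Constructed sample inventory: {profile_id: description}
SAMPLE_PROFILES = {1: "permit mgmt VLAN", 3: "deny SMB", 4: "rate-limit guest"}


def plan_acl_mode(user_profiles, max_profile_id=MAX_PROFILE_ID):
    """Predict which profile IDs IMPB ACL mode would occupy.

    Returns (impb_ids, outranked):
      impb_ids  - the two profile IDs the Switch would fill
      outranked - user profile IDs that sit behind at least one IMPB entry
    Raises ValueError when fewer than two IDs are free, the case in which
    the Switch reports an error instead of enabling ACL mode.
    """
    for pid in user_profiles:
        if not 1 <= pid <= max_profile_id:
            raise ValueError(f"profile ID {pid} outside 1..{max_profile_id}")

    free = [p for p in range(1, max_profile_id + 1) if p not in user_profiles]
    if len(free) < 2:
        raise ValueError(f"ACL mode needs two free profile IDs, found {len(free)}")

    # ASSUMPTION: "first two available" = the two lowest free IDs.
    impb_ids = (free[0], free[1])

    # ASSUMPTION: lower profile ID = higher ACL priority, so any user profile
    # with an ID above the first IMPB entry can be overridden by it.
    outranked = sorted(p for p in user_profiles if p > impb_ids[0])
    return impb_ids, outranked


if __name__ == "__main__":
    impb, hit = plan_acl_mode(SAMPLE_PROFILES)
    print("IMPB ACL mode would take profile IDs:", impb)
    for pid in hit:
        print(f"review profile {pid} ({SAMPLE_PROFILES[pid]}): outranked by IMPB")
```

Any profile the check flags should be reviewed, or moved to a lower ID, before ACL mode is enabled, since the IMPB-created profiles cannot be modified afterwards.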
The IP–MAC-Port Binding commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in
the following table.