xStack® DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual
46 IP-MAC-PORT BINDING (IMPB) COMMANDS
The IP network layer uses a four-byte address. The Ethernet link layer uses a six-byte MAC address. Binding these two
address types together allows the transmission of data between the layers. The primary purpose of IP-MAC-Port binding
(IMPB) is to restrict access to a switch to a number of authorized users. The Switch checks each client's IP-MAC address
pair against the pre-configured database, and only authorized clients can access the Switch's port. If an unauthorized
user tries to access an IMPB-enabled port, the system blocks the access by dropping its packets. The maximum number of
IP-MAC-Port binding entries depends on chip capability (e.g. the ARP table size) and the storage size of the device. For
the DGS-3600 Series, the maximum number of IMPB entries is 511. Authorized users can be configured manually through the
CLI or the Web interface. The function is port-based, meaning a user can enable or disable the function on individual
ports.
ACL Mode
To handle some special cases that have arisen with IP-MAC-Port binding, this Switch has been equipped with a special ACL
Mode for IMPB. When ACL Mode is enabled, the Switch creates one entry in the Access Profile Table. The entry can only be
created if at least one Profile ID is available on the Switch. If none is available, an error message is displayed when
ACL Mode is enabled. When ACL Mode is enabled, the Switch will only accept packets from a created entry in the
IP-MAC-Port binding Setting screen. All others will be discarded.
To configure the ACL mode, the user must first set up IP-MAC-Port binding using the create address_binding ip_mac
ipaddress command to create an entry. Then the user must enable the mode by entering the config address_binding
ports <portlist> mode acl command.
NOTE: When configuring the ACL mode function of the IP-MAC-Port binding function, please pay
close attention to previously set ACL entries. Since the ACL mode entries will fill the first available
access profile and access profile IDs denote the ACL priority, the ACL mode entries may take
precedence over other configured ACL entries. This may render some user-defined ACL
parameters inoperable due to the overlapping of settings combined with the ACL entry priority
(defined by profile ID). For more information on ACL settings, please see “Configuring the Access
Profile” section mentioned previously in this chapter.
NOTE: Once ACL profiles have been created by the Switch through the IP-MAC-Port binding
function, the user cannot modify, delete or add ACL rules to these ACL mode access profile
entries. Any attempt to modify, delete or add ACL rules will result in a configuration error as seen in
the previous figure.
NOTE: When downloading configuration files to the Switch, compare the ACL configurations they
load with the ACL mode access profile entries set by this function. Conflicts between the two may
cause both access profile types to experience problems.
IP-MAC-Port Binding (IMPB) is a security application found on edge switches which are usually directly connected to
hosts. IMPB enables administrators to configure (or snoop) pairs of MAC and IP addresses that are allowed to access
networks through the switch. IMPB binds together the network layer IP address, the Ethernet link layer MAC address,
and the receiving port to allow the transmission of data between the layers.
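
The lookup described in this section (source IP, source MAC and receiving port checked against the pre-configured database, with IMPB enabled per port and a limit of 511 entries) can be modelled as follows. This is an added example, not code from D-Link or from this manual; it assumes one binding per IP address and integer port numbers, and the names ImpbTable, bind and check and all sample addresses are constructed for illustration.

```python
# Added illustration: a simplified model of the IMPB lookup, not switch firmware.
import ipaddress
import re
MAX_ENTRIES = 511  # DGS-3600 Series limit stated in the manual

def norm_mac(mac):
    """Reduce 00-11-22-33-44-55 or 00:11:22:33:44:55 to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a six-byte MAC address: {mac!r}")
    return digits

class ImpbTable:
    def __init__(self, enabled_ports=()):
        self.entries = {}                        # IPv4Address -> (mac, ports)
        self.enabled_ports = set(enabled_ports)  # IMPB is switched on per port

    def bind(self, ip, mac, ports):
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.entries and len(self.entries) >= MAX_ENTRIES:
            raise OverflowError("IMPB table full")
        self.entries[ip] = (norm_mac(mac), frozenset(ports))

    def check(self, port, src_ip, src_mac):
        """Return (verdict, reason) for a packet received on `port`."""
        if port not in self.enabled_ports:
            return "forward", "IMPB disabled on port"
        entry = self.entries.get(ipaddress.IPv4Address(src_ip))
        if entry is None:
            return "drop", "no binding for source IP"
        mac, ports = entry
        if norm_mac(src_mac) != mac:
            return "drop", "MAC does not match bound IP"
        if port not in ports:
            return "drop", "binding not valid on this port"
        return "forward", "matches binding"

def demo():  # constructed sample data: documentation addresses, hypothetical ports
    table = ImpbTable(enabled_ports={1, 2})
    table.bind("192.0.2.10", "00-11-22-33-44-55", ports={1})
    packets = [(1, "192.0.2.10", "00:11:22:33:44:55"),  # authorized host
               (1, "192.0.2.10", "00:11:22:33:44:66"),  # bound IP, different MAC
               (2, "192.0.2.10", "00:11:22:33:44:55"),  # right pair, wrong port
               (1, "192.0.2.99", "00:11:22:33:44:77"),  # host with no entry
               (3, "192.0.2.99", "00:11:22:33:44:77")]  # port 3: IMPB disabled
    return [table.check(*p) for p in packets]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The last sample packet is forwarded only because port 3 has IMPB disabled in this model, which is why the per-port setting deserves review on every host-facing port.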