xStack® DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual (page 347)
config route_map sequence set
Parameters
<map_name 16>
- The route map name.
<value 1-65535>
- Specifies the sequence number for the rule.
This is the number that indicates the position a new route map will have in the list of route
maps already configured with the same name. Default: 10.
set next_hop
- Set the next hop attribute.
This takes effect for both the ingress and egress direction.
When next_hop is set to the peer address, in the ingress direction the next hop will be set to the
neighbor peer address; in the egress direction, the next hop associated with the route in the
packet will be the neighbor peer address.
set metric
- Specifies to set the metric.
By default, the BGP router will not send the metric associated with a route unless the metric is
egress-set in the route map.
If the BGP router receives a route with a metric, that metric will be used in best path selection.
It can be overwritten by a metric that is ingress-set for the route. If the received route has
neither a metric attribute nor an ingress-set metric, then the default metric (0) will be
associated with the route for best path selection. If med-missing-as-worst is enabled for
the router, then a value of infinite will be associated with the route instead.
This takes effect for both the ingress and egress direction.
set local_preference
- Specifies to set the local preference for the matched route.
By default, the BGP router will send the default local preference with the routes. It can be
overwritten by the local preference set by the route map. For a received route, the local
preference sent with the route will be used in best path selection; this local preference will be
overwritten if a local preference is ingress-set by the route map.
For local routes, the default local preference is used in best path selection.
This takes effect for both the ingress and egress direction.
set weight
- Set the weight for the matched routes.
It overwrites the weight specified by the neighbor weight command for routes received
from the neighbor.
If the weight is neither specified by the neighbor weight command nor set by the route map, then
routes learned through another BGP peer have a default weight of 0.
The weight of local routes is always 32768.
This only takes effect for the ingress direction.
set as_path
- Specifies an AS path list which is used to prepend the AS list. A format
example is: 100, 200, 300.
set community
- Specifies a community to be used or to be appended to the original
communities of the route.
internet
- Routes with this community will be sent to all peers either internal or external.
local_as
- Routes with this community will be sent to peers in the same AS, but will not be
sent to peers in other sub ASs in the same confederation and to the external peers.
no_advertise
- Routes with this community will not be advertised to any peer either internal or
external.
no_export
- Routes with this community will be sent to peers in the same AS or in other sub
autonomous systems within a confederation, but will not be sent to an external BGP (eBGP)
peer.
<community_set 80>
- A community is 4 bytes long, consisting of a 2-byte autonomous
system number and a 2-byte network number. This value is configured as two 2-byte
numbers separated by a colon. The valid range of both numbers is from 1 to 65535.
A community list can be formed from multiple communities, separated by commas.
An example of a community string is 200:1024, 300:1025, 400:1026.
additive
- If this keyword is specified, the specified community string will be appended to the
original community string.
If not specified, the specified community string will replace the original community string.
set origin
- Set the origin for the route. It can be one of the following three values: EGP, IGP,
or incomplete.
dampening
- The dampening timer and parameter.
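The precedence rules stated for set metric, set local_preference and set weight, modelled as a small simulation (an added example, not D-Link's code): Route, SetClauses, select_attributes(), advertise_attributes() and the value of DEFAULT_LOCAL_PREF are assumptions that encode the rules above.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_LOCAL_PREF = 100  # assumed value for the router's "default local preference"

@dataclass
class Route:
    local: bool = False               # locally originated rather than learned from a peer
    metric: Optional[int] = None      # metric received with the route, if any
    local_pref: Optional[int] = None  # local preference received with the route, if any

@dataclass
class SetClauses:
    """Values applied by the route map's set clauses (None = clause absent)."""
    metric: Optional[int] = None
    local_preference: Optional[int] = None
    weight: Optional[int] = None

def select_attributes(route: Route, ingress: Optional[SetClauses] = None,
                      neighbor_weight: Optional[int] = None,
                      med_missing_as_worst: bool = False) -> dict:
    """Attribute values used in best path selection after the ingress route map."""
    ingress = ingress or SetClauses()
    if ingress.metric is not None:        # ingress-set metric overrides the received one
        metric = ingress.metric
    elif route.metric is not None:
        metric = route.metric
    else:                                 # neither: 0, or infinite with med-missing-as-worst
        metric = float("inf") if med_missing_as_worst else 0
    if route.local:                       # local routes always use the default local pref
        local_pref = DEFAULT_LOCAL_PREF
    elif ingress.local_preference is not None:
        local_pref = ingress.local_preference
    else:                                 # assumption: a route received without one gets the default
        local_pref = route.local_pref if route.local_pref is not None else DEFAULT_LOCAL_PREF
    if route.local:                       # weight of local routes is always 32768
        weight = 32768
    elif ingress.weight is not None:      # route map overrides the neighbor weight command
        weight = ingress.weight
    else:
        weight = neighbor_weight if neighbor_weight is not None else 0
    return {"metric": metric, "local_pref": local_pref, "weight": weight}

def advertise_attributes(egress: Optional[SetClauses] = None) -> dict:
    """What is sent to a peer: metric only if egress-set, local pref always (default
    unless egress-set), weight never, since weight is local to this router."""
    egress = egress or SetClauses()
    local_pref = egress.local_preference if egress.local_preference is not None else DEFAULT_LOCAL_PREF
    return {"metric": egress.metric, "local_pref": local_pref}
```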
Restrictions
Only Administrator and Operator-level users can issue this command.
Example usage:
To configure the route map match access list “ac_list1” and set the metric to 50:
DGS-3627:admin# config route_map map1 sequence 10 match add ip address ac_list1
Command:4# config route_map map1 sequence 10 match add ip address ac_list1
DGS-3627:admin# config route_map map1 sequence 10 set add metric 50
Command:4# config route_map map1 sequence 10 set add metric 50
Success.
DGS-3627:admin#
debug routefilter show
Purpose
This command is used to show route filter information in kernel, including prefix list, access
list, and route map.
Syntax
debug routefilter show [prefix_list | access_list | route_map]
Description
This command is used to show route filter information in kernel, including prefix list, access
list, and route map.
Parameters
enable
- Enable the routefilter debug function
disable
- Disable the routefilter debug function
Restrictions
Only Administrator level users can issue this command.
Example usage:
To show route filter information in kernel.
DGS-3627:admin# debug routefilter show route_map
Command:4# debug routefilter show route_map
route-map map1,r_id:1,permit
Sequence 10
Match clauses:
ip address (access-lists): ac_list1
Set clauses:
metric 50
Sequence 20
Match clauses:
Set clauses:
Success.
46 IP-MAC-PORT BINDING (IMPB) COMMANDS
The IP network layer uses a four-byte address. The Ethernet link layer uses a six-byte MAC address. Binding these two
address types together allows the transmission of data between the layers. The primary purpose of IP-MAC-Port binding
(IMPB) is to restrict access to a switch to a number of authorized users. Only an authorized client can access the
Switch's port, which is determined by checking its IP-MAC address pair against the pre-configured database. If an
unauthorized user tries to access an IMPB-enabled port, the system will block the access by dropping its packets. The
maximum number of IP-MAC-Port binding entries is dependent on chip capability (e.g. the ARP table size) and the storage
size of the device. For the DGS-3600 Series, the maximum number of IMPB entries is 511. Authorized users can be
configured manually by CLI or Web. The function is port-based, meaning a user can enable or disable the function on an
individual port.
ACL Mode
Due to some special cases that have arisen with IP-MAC-Port binding, this Switch has been equipped with a special ACL
Mode for IMPB, which should alleviate this problem for users. When enabled, the Switch will create one entry in the
Access Profile Table. The entry may only be created if there is at least one Profile ID available on the Switch. If not, when
the ACL Mode is enabled, an error message will be prompted to the user. When the ACL Mode is enabled, the Switch will
only accept packets from a created entry in the IP-MAC-Port binding Setting screen. All others will be discarded.
To configure the ACL mode, the user must first set up IP-MAC-Port binding using the
create address_binding ip_mac ipaddress command to create an entry. Then the user must enable the
mode by entering the config address_binding ports <portlist> mode acl command.
NOTE:
When configuring the ACL mode function of the IP-MAC-Port binding function, please pay
close attention to previously set ACL entries. Since the ACL mode entries will fill the first available
access profile and access profile IDs denote the ACL priority, the ACL mode entries may take
precedence over other configured ACL entries. This may render some user-defined ACL
parameters inoperable due to the overlapping of settings combined with the ACL entry priority
(defined by profile ID). For more information on ACL settings, please see “Configuring the Access
Profile” section mentioned previously in this chapter.
NOTE:
Once ACL profiles have been created by the Switch through the IP-MAC-Port binding
function, the user cannot modify, delete or add ACL rules to these ACL mode access profile
entries. Any attempt to modify, delete or add ACL rules will result in a configuration error as seen in
the previous figure.
NOTE:
When downloading configuration files to the Switch, be aware of the ACL configurations
loaded, as compared to the ACL mode access profile entries set by this function, which may cause
both access profile types to experience problems.
IP-MAC-Port Binding (IMPB) is a security application found on edge switches which are usually directly connected to
hosts. IMPB enables administrators to configure (or snoop) pairs of MAC and IP addresses that are allowed to access
networks through the switch. IMPB binds together the network layer IP address, and the Ethernet link layer MAC address,
and the receiving port, to allow the transmission of data between the layers.
The IP-MAC-Port Binding (IMPB) commands in the Command Line Interface (CLI) are listed (along with the appropriate
parameters) in the following table.
Command (with its parameters indented beneath it)
config address_binding ip_mac ports
    [<portlist> | all] { state [enable {[strict | loose] | [ipv6 | all]} | disable {[ipv6 | all]}]
    | allow_zeroip [enable | disable] | forward_dhcppkt [enable | disable] | mode [arp | acl]
    | stop_learning_threshold <int 0-500>} (1)
create address_binding ip_mac
    [ipaddress <ipaddr> | ipv6address <ipv6addr>] mac_address <macaddr> {ports [portlist | all]}
delete address_binding
    [ip_mac [[ipaddress <ipaddr> | ipv6address <ipv6addr>] mac_address <macaddr> | all]
    | blocked [all | vlan_name <vlan_name> mac_address <macaddr>]]
config address_binding ip_mac
    [ipaddress <ipaddr> | ipv6address <ipv6addr>] mac_address <macaddr> {ports [portlist | all]}
show address_binding
    {[ip_mac [all | [ipaddress <ipaddr> | ipv6address <ipv6addr>] mac_address <macaddr>]
    | blocked [all | vlan_name <vlan_name> mac_address <macaddr>] | ports {<portlist>}]}
enable address_binding dhcp_snoop
    {[ipv6 | all]}
disable address_binding dhcp_snoop
    {[ipv6 | all]}
clear address_binding dhcp_snoop binding_entry ports
    [<portlist> | all] {[ipv6 | all]}
show address_binding dhcp_snoop
    {[max_entry {ports <portlist>} | binding_entry {port <port>}]}
config address_binding dhcp_snoop max_entry ports
    [<portlist> | all] limit [<value 1-50> | no_limit]
enable address_binding trap_log
disable address_binding trap_log
config address_binding recover_learning ports
    [<portlist> | all]
enable address_binding nd_snoop
disable address_binding nd_snoop
show address_binding nd_snoop
show address_binding nd_snoop binding_entry
    {port <port>}
clear address_binding nd_snoop binding_entry ports
    [<portlist> | all]
debug address_binding
    [event | dhcp | all]
no debug address_binding
Each command is listed, in detail, in the following sections.
config address_binding ip_mac ports
Purpose
Used to configure the state of IMPB on the switch for each port.
Syntax
config address_binding ip_mac ports [<portlist> | all] { state [enable {[strict | loose] |
[ipv6 | all]} | disable {[ipv6 | all]}] | allow_zeroip [enable | disable] | forward_dhcppkt
[enable | disable] | mode [arp | acl] | stop_learning_threshold <int 0-500>} (1)
Description
Used to configure the per port state of IMPB on the switch.
If a port has been configured as a group member of an aggregated link, then the IMPB function
cannot be enabled.
When the binding check state is enabled, for IP packets and ARP packets received by this
port the switch will check whether the IP address and MAC address match a binding
entry. If the packet does not match, it will be dropped.
For this function, the switch can operate in ACL mode or ARP mode. In ARP mode, only ARP
packets are checked for binding. In ACL mode, both ARP packets and IP packets are
checked for binding. Therefore, the ACL mode provides stricter checking of packets.
Parameters
state
- This parameter configures the IMPB port state to be enabled or disabled. When the
state is enabled, the port will perform the binding check.
ipv6
- For "state enable ipv6", only the IPv6 filter table is applied to the driver.
For "state enable" without specifying "ipv6", only the IPv4 filtering table is applied to the driver.
For "state enable all", both the IPv4 and IPv6 filtering tables are applied to the driver.
For example, if IPv6 is enabled but IPv4 is disabled, only the IPv6 snooping entries are used to
create the HW filtering table; if the FDB is used as the HW filtering table and one IPv6 entry is
allowed to be forwarded, all IPv4 packets get forwarded.
strict
- Used to implement a mode of strict control. When strict control is used, all ARP and IP
broadcast packets are sent to the CPU and checked for IMPB before forwarding. Packets
with MAC addresses that match IMPB entries are set to dynamic state while MAC addresses
with no match are set to block. All other packets are dropped.
loose
- Used to implement a more loose or less strict mode of control.
In loose mode, ARP and IP broadcast packets are sent to the CPU for IMPB checking.
Packets are forwarded unless the check finds a specified source MAC address that is
blocked. Packets with MAC addresses that match IMPB entries are set to dynamic state
while MAC addresses with no match are set to block. All other packets are bypassed.
allow_zeroip
- Specify whether to allow ARP packets with a source IP address of 0.0.0.0. If
the IP address 0.0.0.0 is not configured in the binding list and this setting is enabled, ARP
packets with the source IP address 0.0.0.0 will be allowed. If the IP address 0.0.0.0 is not
configured in the binding list and this setting is disabled, ARP packets with the source IP
address 0.0.0.0 will not be allowed. This option does not affect the IMPB ACL Mode.
forward_dhcppkt
- By default, DHCP packets with a broadcast DA will be flooded.
When set to disabled, the broadcast DHCP packet received by the specified port will not be
forwarded.
This setting is effective when DHCP Snooping is enabled, in this case DHCP packets trapped
by the CPU must be forwarded by the software.
This setting controls the forwarding behavior in this situation.
mode
- When configuring the mode of the port to be ACL mode, the switch will create an ACL
access entry corresponding to the entries of the port. If the port changes to ARP mode, all
ACL access entries are deleted automatically. The default mode for a port is ARP mode.
stop_learning_threshold
- When the number of blocked entries exceeds the threshold, the
port will stop learning new addresses. Packets with a new address will be dropped. The
range is 0-500. 0 means no limit.
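The per-port check these parameters describe, modelled as a small simulation (an added example, not D-Link's code): Port, check_packet() and the packet dictionaries are assumptions that encode the stated rules for ARP and ACL mode, strict and loose state, allow_zeroip and stop_learning_threshold.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Assumed per-port IMPB settings plus the MAC states the check learns."""
    mode: str = "arp"                 # "arp": only ARP checked; "acl": ARP and IP checked
    state: str = "strict"             # "strict" or "loose"
    allow_zeroip: bool = False
    stop_learning_threshold: int = 0  # 0 means no limit
    dynamic: set = field(default_factory=set)  # MACs that matched a binding entry
    blocked: set = field(default_factory=set)  # MACs that failed the check

def check_packet(port: Port, bindings: set, pkt: dict) -> str:
    """Return 'forward' or 'drop' for a packet received on `port`.

    bindings is the set of (ip, mac) pairs bound to this port; pkt carries
    'proto' ('arp' or 'ip'), 'src_ip' and 'src_mac' (constructed sample input).
    """
    ip, mac, proto = pkt["src_ip"], pkt["src_mac"], pkt["proto"]
    checked = proto == "arp" or port.mode == "acl"   # ARP mode leaves IP unchecked
    if not checked:
        # strict: anything not yet verified is dropped; loose: bypassed unless
        # the source MAC has already been blocked by an earlier check.
        if port.state == "strict":
            return "forward" if mac in port.dynamic else "drop"
        return "drop" if mac in port.blocked else "forward"
    if mac in port.blocked:           # stays blocked until the entry is cleared
        return "drop"
    # allow_zeroip only concerns ARP from 0.0.0.0 in ARP mode (not ACL mode).
    if (proto == "arp" and ip == "0.0.0.0" and port.mode == "arp"
            and (ip, mac) not in bindings):
        return "forward" if port.allow_zeroip else "drop"
    limit = port.stop_learning_threshold
    if mac not in port.dynamic and limit and len(port.blocked) > limit:
        return "drop"                 # learning stopped: new addresses dropped
    if (ip, mac) in bindings:
        port.dynamic.add(mac)
        return "forward"
    port.blocked.add(mac)             # IP/MAC pair not bound: block the source
    return "drop"
```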
Restrictions
Only Administrator and Operator-level users can issue this command.
Example usage:
To enable IMPB on port 1: