Configuring LoopBack Detection on D-Link Switches

For example, I will use the D-Link DES-3200 switch, on other models the setting for LoopBack Detection is essentially the same.

Activation of the LoopBack Detection (LBD) function on the switch:

enable loopdetect

Enabling LoopBack Detection on ports 1 through 16:

config loopdetect ports 1-16 state enable

Setting recover_timer (time in seconds for which the port will be disabled if a loop is detected), interval (interval between sending loop detection packets), mode (port-based — port is blocked or vlan-based — vlan traffic is blocked in which a loop is detected):

config loopdetect recover_timer 300 interval 10 mode port-based

Let us configure that it is written to the log that a loop was detected and the traps were not sent:

config loopdetect log state enable
config loopdetect trap none

In the web interface, you can configure this feature in the “L2 Features” – “Loopback Detection Settings”.

Configuring the switch D-Link DES-3200

For example, I will take the D-Link DES-3200-18 C1 switch with firmware 4.36.B012. Commands are similar for switches with a different number of ports, they can differ slightly only with different firmware versions and revisions.

Create an administrator account:

create account admin NAME
config admin local_enable

Storing the administrator password in encrypted form:

enable password encryption

Enabling password recovery:

enable password_recovery

Serial port parameters:

config serial_port baud_rate 115200 auto_logout never

Enable access via the web interface:

enable web 80

Disable switch management over SSH:

disable ssh

Enable telnet access:

enable telnet 23

Setting the terminal window width and displaying information in page mode:

config terminal width 80
enable clipaging

Setting the number of displayed lines of the terminal:

config terminal_line default

Disabling logging of input commands:

disable command logging

Delete default VLAN:

config vlan default delete 1-18
config vlan default advertisement enable

Creating a separate VLAN to manage the switch (17 – uplink):

create vlan core tag 50
config vlan core add tagged 17 advertisement disable

Creating a VLAN for users:

create vlan local_smart tag 51
config vlan local_smart add tagged 17
config vlan local_smart add untagged 1-16,18 advertisement disable

Disabling the encapsulation of VLAN tags in L2 VLAN tags:

disable qinq

Disabling auto VLAN configuration and assigning all ports to a PVID client VLAN:

disable gvrp
config port_vlan 1-18 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 51

Enable automatic assignment of PVID ports (enabled by default):

enable pvid auto_assign

Assigning an IP address to a switch in a VLAN to manage:

config ipif System ipaddress 192.168.1.100/24 vlan core
config ipif System dhcp_option12 state disable
disable autoconfig 
config autoconfig timeout 50

Add default gateway:

create iproute default 192.168.1.1 1 primary

Enable restriction of broadcast traffic for all ports except uplink:

config traffic control 1-16,18 broadcast enable multicast disable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control auto_recover_time 0
config traffic trap none
config traffic control log state enable

Just in case, disable port mirroring:

disable mirror

Setting logs:

config log_save_timing on_demand
disable syslog
config system_severity trap information
config system_severity log information

Resolution of large jumbo frame packets and an example of port configuration:

enable jumbo_frame
config ports 1-16 speed auto flow_control disable learning enable state enable mdix auto
config ports 17 medium_type copper speed auto flow_control disable learning enable state enable mdix auto
config ports 17 medium_type fiber speed auto flow_control disable learning enable state enable
config ports 18 speed auto flow_control disable learning enable state enable

Let us manage the switch only from the specified IP addresses:

create trusted_host network 192.168.1.1/24 snmp telnet ssh http https ping
create trusted_host network 172.16.100.100/32 snmp telnet ssh http https ping

Configure snmp traps:

disable snmp traps
disable snmp authenticate_traps 
disable snmp linkchange_traps
config snmp linkchange_traps ports 1-18 disable
config snmp coldstart_traps enable
config snmp warmstart_traps enable
config rmon trap rising_alarm enable
config rmon trap falling_alarm enable

Enable and sample SNMP settings (where TEXT specify the desired password):

enable snmp
config snmp system_contact admin@ixnfo.com
delete snmp community public
delete snmp community private
delete snmp user initial
delete snmp group initial
create snmp group public v1 read_view CommunityView notify_view CommunityView 
create snmp group public v2c read_view CommunityView notify_view CommunityView 
create snmp community public view CommunityView read_only
create snmp group TEXT v2c read_view CommunityView write_view CommunityView notify_view CommunityView 
create snmp community TEXT view CommunityView read_write
disable community_encryption

Disable IGMP MULTICAST VLAN:

disable igmp_snooping multicast_vlan
config igmp_snooping multicast_vlan forward_unmatched disable

Setting and disabling PORT SECURITY:

config port_security system max_learning_addr no_limit
disable port_security trap_log
config port_security ports 1-18 admin_state disable max_learning_addr 32 lock_address_mode deleteonreset

Storage time (s) mac addresses in the table:

config fdb aging_time 300
config block tx ports 1-18 unicast disable

Let’s solve zero IP for a bunch of mac + ip addresses:

config address_binding ip_mac ports 1-18 allow_zeroip enable

You can enable NetBios filtering on ports, so to speak, to prohibit access to shared drives:

config filter netbios 1-18 state enable
config filter extensive_netbios 1-18 state enable

Configure filtering of harmful DoS packets:

config dos_prevention dos_type land_attack action drop state enable 
config dos_prevention dos_type blat_attack action drop state enable 
config dos_prevention dos_type tcp_null_scan action drop state enable 
config dos_prevention dos_type tcp_xmasscan action drop state enable 
config dos_prevention dos_type tcp_synfin action drop state enable 
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state enable 
config dos_prevention dos_type ping_death_attack action drop state enable 
config dos_prevention dos_type tcp_tiny_frag_attack action drop state enable 
config dos_prevention trap disable
config dos_prevention log disable

Blocking of third-party DHCP servers on all ports except incoming:

config filter dhcp_server ports all state disable
config filter dhcp_server ports 1-16,18 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap_log enable

BPDU flood protection:

enable bpdu_protection
config bpdu_protection recovery_timer 300
config bpdu_protection trap none
config bpdu_protection log attack_detected
config bpdu_protection ports 1-16,18 state enable  
config bpdu_protection ports 1-18 mode drop

Enabling SAFEGUARD ENGINE:

config safeguard_engine state enable utilization rising 98 falling 90 trap_log enable mode fuzzy

Disable sending emails via SMTP:

disable smtp

Configure SNTP time settings:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 40000
config dst disable

Disable management of multicast traffic and some standard parameters:

disable igmp_snooping
disable mld_snooping

ARP options:

config arp_aging time 20
config gratuitous_arp send ipif_status_up enable
config gratuitous_arp send dup_ip_detected enable
config gratuitous_arp learning enable

Setting temperature notifications:

config temperature threshold high 79
config temperature threshold low 11
config temperature trap state disable
config temperature log state enable

Saving configuration:

save all

See also my articles:
Configuring Traffic Segmentation
Configuring LoopBack Detection