
ZyXEL Communications GS1920-24v2 - What You Can Do

ZyXEL Communications GS1920-24v2
483 pages
Chapter 62 IP Source Guard
GS1920v2 Series User’s Guide
387
If you want to use dynamic bindings to filter unauthorized ARP packets (the typical implementation), you must enable DHCP snooping before you enable ARP inspection.
The following figure demonstrates a scenario with DHCP snooping and ARP inspection enabled. In this scenario, we connect an authorized DHCP server (A) and the client devices on the ARP trusted ports (T). A client device (B) is assigned the IP address 192.168.1.56 by the authorized DHCP server (A). A malicious host (C) on an untrusted port (UT) sends an ARP reply packet that pairs the IP address 192.168.1.56 with the wrong MAC address, pretending to be client device (B) (192.168.1.56). The Switch snoops DHCP packets sent from the authorized DHCP server (A) and creates bindings in the binding table. When the Switch receives ARP packets from an untrusted port (UT), it compares the IP and MAC addresses with the existing bindings. Because the IP and MAC address pair in the packet differs from the existing bindings, the Switch blocks the unauthorized ARP packets sent from the malicious host (C). The malicious host (C) therefore cannot disguise itself as client device (B) to build connections with other client devices on your network.
Figure 279 IP Source Guard Example Application
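The scenario above as a small simulation. This is an added example, not code from the User's Guide or the Switch firmware. The `Switch` class, its method names, the port numbers and the MAC addresses are constructed for illustration, and two behaviors are modelling assumptions: DHCP replies arriving on an untrusted port are ignored, and an ARP packet with no matching binding is blocked.

```python
TRUSTED, UNTRUSTED = "T", "UT"

class Switch:
    """Simplified model of DHCP snooping plus ARP inspection."""

    def __init__(self, port_trust):
        self.port_trust = port_trust  # port number -> TRUSTED / UNTRUSTED
        self.bindings = {}            # IP -> MAC, learned by DHCP snooping
        self.blocked = []             # (port, ip, mac, reason) for each drop

    def snoop_dhcp_ack(self, in_port, client_mac, assigned_ip):
        """Learn a binding, but only from a DHCP reply on a trusted port."""
        if self.port_trust.get(in_port) != TRUSTED:
            return False              # assumption: untrusted server reply ignored
        self.bindings[assigned_ip] = client_mac.lower()
        return True

    def inspect_arp(self, in_port, sender_mac, sender_ip):
        """Return True to forward the ARP packet, False to block it."""
        if self.port_trust.get(in_port) == TRUSTED:
            return True               # trusted ports are not inspected
        bound_mac = self.bindings.get(sender_ip)
        if bound_mac == sender_mac.lower():
            return True
        reason = "no binding" if bound_mac is None else "MAC mismatch"
        self.blocked.append((in_port, sender_ip, sender_mac, reason))
        return False


def run_scenario():
    # Constructed values: port numbers and MAC addresses are made up;
    # 192.168.1.56 is the address from the scenario above.
    ip_b, mac_b, mac_c = "192.168.1.56", "00:11:22:33:44:0b", "00:11:22:33:44:0c"
    sw = Switch({1: TRUSTED, 2: TRUSTED, 3: UNTRUSTED})  # A=1, B=2, C=3
    out = {}
    # ARP inspection without snooped bindings: nothing on UT can be validated.
    out["before_snooping"] = sw.inspect_arp(3, mac_b, ip_b)
    out["rogue_dhcp"] = sw.snoop_dhcp_ack(3, mac_c, ip_b)    # reply on UT port
    out["server_a"] = sw.snoop_dhcp_ack(1, mac_b, ip_b)      # A assigns B's IP
    out["c_spoofs_b"] = sw.inspect_arp(3, mac_c, ip_b)       # C claims B's IP
    out["matching_pair"] = sw.inspect_arp(3, mac_b, ip_b)    # pair matches table
    out["b_trusted"] = sw.inspect_arp(2, mac_b, ip_b)        # B on trusted port
    return out, sw.blocked


if __name__ == "__main__":
    results, blocked = run_scenario()
    for name, forwarded in results.items():
        print(f"{name:16} {'ok' if forwarded else 'blocked/ignored'}")
    for entry in blocked:
        print("blocked ARP:", entry)
```

The `before_snooping` case shows why DHCP snooping has to be enabled first: with an empty binding table, no ARP packet from an untrusted port can be validated.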
62.1.1 What You Can Do
Use the IPv4 Source Guard screen (Section 62.2 on page 388) to look at the current bindings for DHCP snooping and ARP inspection.
Use the IPv4 Source Guard Static Binding screen (Section 62.3 on page 388) to manage static bindings for DHCP snooping and ARP inspection.
