Chapter 26 IP Source Guard
GS2210 Series User’s Guide
223
•Use the ARP Inspection Log Status screen (Section 26.9 on page 238) to look at log messages
that were generated by ARP packets and that have not been sent to the syslog server yet.
•Use the ARP Inspection Configure screen (Section 26.10 on page 240) to enable ARP
inspection on the Switch. You can also configure the length of time the Switch stores records of
discarded ARP packets and global settings for the ARP inspection log.
•Use the ARP Inspection Port Configure screen (Section 26.10.1 on page 241) to specify
whether ports are trusted or untrusted ports for ARP inspection.
•Use the ARP Inspection VLAN Configure screen (Section 26.10.2 on page 243) to enable ARP
inspection on each VLAN and to specify when the Switch generates log messages for receiving
ARP packets from each VLAN.
•Use the IPv6 Source Binding Status screen (Section 26.12 on page 244) to look at the current
IPv6 dynamic and static bindings and to remove dynamic bindings based on IPv6 address and/or
IPv6 prefix.
•Use the IPv6 Static Binding Setup screen (Section 26.13 on page 245) to manually create an
IPv6 source guard binding table and manage IPv6 static bindings.
•Use the IPv6 Source Guard Policy Setup screen (Section 26.14 on page 247) to have IPv6
source guard forward valid IPv6 addresses and/or IPv6 prefixes that are stored in the binding
table and allow or block data traffic from all link-local addresses
•Use the IPv6 Source Guard Port Setup screen (Section 26.15 on page 248) to apply
configured IPv6 source guard policies to the ports you specify.
•Use the IPv6 Snooping Policy Setup screen (Section 26.16 on page 249) to dynamically create
an IPv6 source guard binding table using a DHCPv6 snooping policy. A DHCPv6 snooping policy
lets the Switch sniff DHCPv6 packets sent from a DHCPv6 server to a DHCPv6 client when it is
assigning an IPv6 address.
•Use the IPv6 Snooping VLAN Setup screen (Section 26.17 on page 251) to enable a DHCPv6
snooping policy on a specific VLAN interface.
•Use the IPv6 DHCP Trust Setup screen (Section 26.18 on page 252) to specify which ports are
trusted and untrusted for DHCP snooping.
26.1.2 What You Need to Know
The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from
information provided manually by administrators (static bindings).
IP source guard consists of the following features:
• Static bindings. Use this to create static bindings in the binding table.
• DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to build the
binding table dynamically.
• ARP inspection. Use this to filter unauthorized ARP packets on the network.
If you want to use dynamic bindings to filter unauthorized ARP packets (typical implementation),
you have to enable DHCP snooping before you enable ARP inspection.
26.2 IP Source Guard Screen
Use this screen to go to the configuration screens where you can configure IPv4 or IPv6 source
guard settings. Click Advanced Application > IP Source Guard in the navigation panel.
To Next Page
Loading...
