Chapter 26 IP Source Guard
GS2220 Series User’s Guide
258
C HAPTER 26
IP So urc e G ua rd
26.1 IP So urc e G ua rd O ve rvie w
IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and
ARP packets in your network. A binding contains these key attributes:
• MAC address
• VLAN ID
• IP address
• Port number
When the Switch receives a DHCP or ARP packet, it looks up the appropriate MAC address, VLAN ID, IP
address, and port number in the binding table. If there is a binding, the Switch forwards the packet. If
there is not a binding, the Switch discards the packet.
The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from information
provided manually by administrators (static bindings).
IP source guard consists of the following features:
• Static bindings. Use this to create static bindings in the binding table.
• DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to build the binding
table dynamically.
• ARP inspection. Use this to filter unauthorized ARP packets on the network.
If you want to use dynamic bindings to filter unauthorized ARP packets (typical implementation), you
have to enable DHCP snooping before you enable ARP inspection.
26.1.1 Wha t You C a n Do
• Use the IP Sourc e G ua rd screen (
Section 26.3 on page 260) to look at the current bindings for DHCP
snooping and ARP inspection.
• Use the IP Sourc e G ua rd Sta tic Binding screen (Section 26.4 on page 260) to manage static bindings
for DHCP snooping and ARP inspection.
26.1.2 Wha t You Ne e d to Kno w
The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from information
provided manually by administrators (static bindings).
IP source guard consists of the following features:
To Next Page
Loading...
