Chapter 26 IP Source Guard
XGS2210 Series User’s Guide
262
• Use the ARP Inspection VLAN Status screen (Section 26.8 on page 276) to look at various statistics
about ARP packets in each VLAN.
• Use the ARP Inspection Log Status screen (Section 26.9 on page 277) to look at log messages that
were generated by ARP packets and that have not been sent to the syslog server yet.
• Use the ARP Inspection Configure screen (Section 26.10 on page 278) to enable ARP inspection on
the Switch. You can also configure the length of time the Switch stores records of discarded ARP
packets and global settings for the ARP inspection log.
• Use the ARP Inspection Port Configure screen (Section 26.10.1 on page 280) to specify whether ports
are trusted or untrusted ports for ARP inspection.
• Use the ARP Inspection VLAN Configure screen (Section 26.10.2 on page 282) to enable ARP
inspection on each VLAN and to specify when the Switch generates log messages for receiving ARP
packets from each VLAN.
• Use the IPv6 Source Binding Status screen (Section 26.12 on page 283) to look at the current IPv6
dynamic and static bindings and to remove dynamic bindings based on IPv6 address and/or IPv6
prefix.
• Use the IPv6 Static Binding Setup screen (Section 26.13 on page 284) to manually create an IPv6
source guard binding table and manage IPv6 static bindings.
• Use the IPv6 Source Guard Policy Setup screen (Section 26.14 on page 286) to have IPv6 source guard
forward valid IPv6 addresses and/or IPv6 prefixes that are stored in the binding table and allow or
block data traffic from all link-local addresses
• Use the IPv6 Source Guard Port Setup screen (Section 26.15 on page 287) to apply configured IPv6
source guard policies to the ports you specify.
• Use the IPv6 Snooping Policy Setup screen (Section 26.16 on page 289) to dynamically create an IPv6
source guard binding table using a DHCPv6 snooping policy. A DHCPv6 snooping policy lets the
Switch sniff DHCPv6 packets sent from a DHCPv6 server to a DHCPv6 client when it is assigning an IPv6
address.
• Use the IPv6 Snooping VLAN Setup screen (Section 26.17 on page 290) to enable a DHCPv6 snooping
policy on a specific VLAN interface.
• Use the IPv6 DHCP Trust Setup screen (Section 26.18 on page 291) to specify which ports are trusted
and untrusted for DHCP snooping.
26.1.2 What You Need to Know
The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from information
provided manually by administrators (static bindings).
IP source guard consists of the following features:
• Static bindings. Use this to create static bindings in the binding table.
• DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to build the binding
table dynamically.
• ARP inspection. Use this to filter unauthorized ARP packets on the network.
If you want to use dynamic bindings to filter unauthorized ARP packets (typical implementation), you
have to enable DHCP snooping before you enable ARP inspection.
To Next Page
Loading...
