Loading ...
Loading ...
Loading ...
Chapter 74 IP Source Guard
XGS2220 Series User’s Guide
546
CHAPTER 74
IP Source Guard
74.1 IP Source Guard Overview
IP source guard consists of the following features:
• DHCP snooping. Use this to filter unauthorized DHCP server packets on the network and to build a
binding table dynamically.
• ARP inspection. Use this to filter unauthorized ARP packets on the network.
• Static IP bindings. Use this to create static bindings in the binding table.
The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from information
provided manually by administrators (static bindings).
Binding Table
IP source guard uses a binding table to distinguish between authorized and unauthorized ARP packets
in your network. A binding contains these key attributes:
• MAC address
• VLAN ID
• IP address
• Port number
The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from information
provided manually by administrators (static bindings).
DHCP Snooping
The Switch only allows an authorized DHCP server on a trusted port to assign IP addresses. Unauthorized
DHCP servers will not be able to assign IP addresses to network clients. When the Switch receives a DHCP
server packet from an authorized DHCP server, it inspects the packet and records the DHCP information
in a binding table. The binding records are used in ARP inspection to filter unauthorized ARP packets.
See Section 75.1 on page 551 for more DHCP snooping information.
ARP Inspection
When the Switch receives an ARP packet, it looks up the appropriate MAC address, VLAN ID, IP address,
and port number in the binding table. If there is a binding, the Switch forwards the packet. Otherwise,
the Switch discards the packet.
Loading ...
Loading ...
Loading ...