Configuration Guide
Configuring Network Security
1 Network Security
1.1 Overview
Network Security provides multiple protection measures for the network. Users can configure
the security functions according to their needs.
1.2 Supported Features
The switch supports multiple network security features, such as IP-MAC Binding, DHCP
Snooping and ARP Inspection.
IP-MAC Binding
IP-MAC Binding is used to bind the IP address, MAC address, VLAN ID and the connected
port number of the specified host. Based on the IP-MAC binding table, the switch can
prevent ARP cheating (ARP spoofing) attacks with the ARP Detection feature and filter
packets that don't match the binding entries with the IP Source Guard feature.
The binding entries can be manually configured, or learned by ARP scanning or DHCP
snooping.
DHCP Snooping
DHCP Snooping supports the basic DHCP security feature and the Option 82 feature.
Basic DHCP Security
DHCP generally has no authentication mechanism between the DHCP server and the
clients. If there are several DHCP servers on the network, security problems and
network interference will occur. DHCP Snooping resolves this problem.
As the following figure shows, the port connected to the legitimate DHCP server should be
configured as a trusted port, and other ports should be configured as untrusted ports.
When receiving DHCP discover or DHCP request packets, the switch forwards them to
the legitimate DHCP server only through the trusted port. When receiving response packets,
the switch decides whether to forward them based on the type of the receiving port:
packets received from the trusted port are forwarded; all others are discarded.
DHCP Snooping ensures that users get IP addresses only from the legitimate DHCP server,
enhancing network security.
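The trusted/untrusted port rule above, together with the binding entries learned by DHCP snooping, can be modelled in a few lines. This is an added example, not code from the guide or the switch firmware; the class, port numbers, addresses and the choice to deliver responses only to the requesting client's port are assumptions made for illustration.

```python
from dataclasses import dataclass, field

CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # sent by DHCP clients
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # sent by DHCP servers

@dataclass
class SnoopingSwitch:                   # hypothetical model, not a vendor API
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # MAC -> (vlan, port) of requester
    bindings: dict = field(default_factory=dict)  # MAC -> (ip, vlan, port)
    dropped: list = field(default_factory=list)   # (port, type) of discarded replies

    def handle(self, in_port, msg_type, client_mac, vlan, your_ip=None):
        """Return the set of egress ports; an empty set means discarded."""
        if msg_type in CLIENT_MSGS:
            # Client traffic leaves only through trusted ports.
            self.pending[client_mac] = (vlan, in_port)
            return self.trusted_ports - {in_port}
        if msg_type in SERVER_MSGS:
            if in_port not in self.trusted_ports:
                # Server reply on an untrusted port: rogue DHCP server.
                self.dropped.append((in_port, msg_type))
                return set()
            if client_mac not in self.pending:
                return set()            # assumption: no known requester, drop
            c_vlan, c_port = self.pending[client_mac]
            if msg_type == "ACK":
                # Lease confirmed: learn IP, MAC, VLAN and port as a binding entry.
                self.bindings[client_mac] = (your_ip, c_vlan, c_port)
            return {c_port}
        return set()

def run_demo():
    sw = SnoopingSwitch(trusted_ports={1})
    mac = "aa:bb:cc:00:00:03"
    events = [  # constructed sample traffic: (in_port, type, client MAC, VLAN, offered IP)
        (3, "DISCOVER", mac, 10, None),
        (5, "OFFER", mac, 10, "10.0.0.66"),      # reply from untrusted port 5
        (1, "OFFER", mac, 10, "192.168.0.20"),   # reply from trusted port 1
        (3, "REQUEST", mac, 10, None),
        (1, "ACK", mac, 10, "192.168.0.20"),
    ]
    return sw, [sw.handle(*e) for e in events]

if __name__ == "__main__":
    sw, decisions = run_demo()
    print(decisions, sw.dropped, sw.bindings)
```

The `dropped` list is the part worth alerting on in practice: a server-type DHCP message arriving on an untrusted port indicates an unauthorized DHCP server behind that port.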