Chapter 26 IP Source Guard
GS1920v2 Series User’s Guide
CHAPTER 26
IP Source Guard
26.1 IP Source Guard Overview
Use IPv4 source guard to filter unauthorized DHCP and ARP packets in your network.
IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and
ARP packets in your network. A binding contains these key attributes:
• MAC address
• VLAN ID
• IP address
• Port number
When the Switch receives a DHCP or ARP packet, it looks up the appropriate MAC address, VLAN ID, IP
address, and port number in the binding table. If there is a binding, the Switch forwards the packet. If
there is not a binding, the Switch discards the packet.
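The lookup described above, modelled as an added example (not code from the Switch or from Zyxel): a packet is forwarded only when all four attributes match one binding exactly. The class and function names, the discard reasons, and the sample bindings and packets are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple

class Binding(NamedTuple):
    mac: str
    vlan: int
    ip: str
    port: int

def norm_mac(mac: str) -> str:
    """Normalize case and separators so equivalent MAC spellings compare equal."""
    return mac.lower().replace("-", ":")

class BindingTable:
    def __init__(self, bindings):
        self.rows = [b._replace(mac=norm_mac(b.mac)) for b in bindings]
        self.index = set(self.rows)

    def check(self, mac, vlan, ip, port) -> Tuple[str, Optional[str]]:
        """Forward only on an exact four-attribute match; otherwise discard and
        name the attributes that differ from the closest binding (illustrative)."""
        pkt = Binding(norm_mac(mac), vlan, ip, port)
        if pkt in self.index:
            return "forward", None
        def score(b):
            return sum(x == y for x, y in zip(b, pkt))
        best = max(self.rows, key=score, default=None)
        if best is None or score(best) == 0:
            return "discard", "no binding"
        diff = [f for f, x, y in zip(Binding._fields, best, pkt) if x != y]
        return "discard", "mismatch: " + ",".join(diff)

# Constructed sample bindings and packets (documentation address ranges).
TABLE = BindingTable([
    Binding("00:11:22:33:44:55", 10, "192.0.2.10", 3),
    Binding("00-11-22-33-44-66", 10, "192.0.2.11", 4),
])
PACKETS = [
    ("00:11:22:33:44:55", 10, "192.0.2.10", 3),    # matches a binding
    ("00:11:22:33:44:55", 10, "192.0.2.10", 7),    # right host, wrong port
    ("00:11:22:33:44:66", 10, "192.0.2.10", 4),    # claims another host's IP
    ("DE:AD:BE:EF:00:01", 20, "198.51.100.5", 9),  # unknown on every attribute
]

def classify(table, packets):
    return [table.check(*p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, classify(TABLE, PACKETS)):
        print(pkt, "->", verdict)
```

The second and third packets show why the port and IP address are part of the key: a known MAC address on the wrong port, or a known host claiming a different IP address, fails the lookup just as an unknown host does.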
26.1.1 What You Can Do
• Use the IP Source Guard screen (Section 26.2 on page 236) to display the links to the configuration screens where you can configure IPv4 source guard settings.
• Use the IPv4 Source Guard Setup screen (Section 26.3 on page 237) to look at the current bindings for DHCP snooping and ARP inspection.
• Use the IP Source Guard Static Binding screen (Section 26.4 on page 237) to manage static bindings for DHCP snooping and ARP inspection.
• Use the DHCP Snooping screen (Section 26.5 on page 239) to look at various statistics about the DHCP snooping database.
• Use the DHCP Snooping Configure screen (Section 26.6 on page 242) to enable DHCP snooping on the Switch (not on a specific VLAN), specify the VLAN where the default DHCP server is located, and configure the DHCP snooping database.
• Use the DHCP Snooping Port Configure screen (Section 26.6.1 on page 244) to specify whether ports are trusted or untrusted ports for DHCP snooping.
• Use the DHCP Snooping VLAN Configure screen (Section 26.6.2 on page 245) to enable DHCP snooping on each VLAN and to specify whether or not the Switch adds DHCP relay agent option 82 information to DHCP requests that the Switch relays to a DHCP server for each VLAN.
• Use the DHCP Snooping VLAN Port Configure screen (Section 26.6.3 on page 246) to apply a different DHCP option 82 profile to certain ports in a VLAN.
• Use the ARP Inspection Status screen (Section 26.7 on page 248) to look at the current list of MAC address filters that were created because the Switch identified an unauthorized ARP packet.