ZyXEL Communications GS-4012 Switch User Manual


 
GS-4012F/4024 User’s Guide
199
CHAPTER 24
IP Source Guard
Use IP source guard to filter unauthorized DHCP and ARP packets in your network.
24.1 IP Source Guard Overview
IP source guard uses a binding table to distinguish between authorized and unauthorized
DHCP and ARP packets in your network. A binding contains these key attributes:
MAC address
VLAN ID
IP address
Port number
When the Switch receives a DHCP or ARP packet, it looks up the appropriate MAC address,
VLAN ID, IP address, and port number in the binding table. If there is a binding, the Switch
forwards the packet. If there is not a binding, the Switch discards the packet.
The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from
information provided manually by administrators (static bindings).
IP source guard consists of the following features:
Static bindings. Use this to create static bindings in the binding table.
DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to
build the binding table dynamically.
ARP inspection. Use this to filter unauthorized ARP packets on the network.
If you want to use dynamic bindings to filter unauthorized ARP packets (typical
implementation), you have to enable DHCP snooping before you enable ARP inspection.
24.1.1 DHCP Snooping Overview
Use DHCP snooping to filter unauthorized DHCP packets on the network and to build the
binding table dynamically. This can prevent clients from getting IP addresses from
unauthorized DHCP servers.
24.1.1.1 Trusted vs. Untrusted Ports
Every port is either a trusted port or an untrusted port for DHCP snooping. This setting is
independent of the trusted/untrusted setting for ARP inspection. You can also specify the
maximum number for DHCP packets that each port (trusted or untrusted) can receive each
second.