GS2210 Series User’s Guide
CHAPTER 25
IP Source Guard
25.1 Overview
Use IP source guard to filter unauthorized DHCP and ARP packets in your network.
IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and
ARP packets in your network. A binding contains these key attributes:
• MAC address
• VLAN ID
• IP address
• Port number
When the Switch receives a DHCP or ARP packet, it looks up the appropriate MAC address, VLAN ID,
IP address, and port number in the binding table. If there is a binding, the Switch forwards the
packet. If there is not a binding, the Switch discards the packet.
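The lookup described above, as an added Python example: a simplified model written for this page, not the Switch's firmware or code from this guide. The names `Binding`, `check_packet` and `normalize_mac`, the sample addresses, and the list of differing attributes returned on discard are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FIELDS = ("mac", "vlan", "ip", "port")  # the four binding attributes

@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    port: int

def normalize_mac(mac: str) -> str:
    """Canonical form so 00-11-.. and 00:11:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_packet(table: Iterable[Binding], mac: str, vlan: int,
                 ip: str, port: int) -> Tuple[str, List[str]]:
    """Forward only on a match of all four attributes, else discard.

    On discard, also return the attributes that differ from the closest
    binding (a troubleshooting aid added here, not Switch behaviour).
    """
    pkt = Binding(normalize_mac(mac), vlan, ip, port)
    closest = list(FIELDS)  # nothing matched yet (also covers an empty table)
    for b in table:
        entry = Binding(normalize_mac(b.mac), b.vlan, b.ip, b.port)
        diff = [f for f in FIELDS if getattr(entry, f) != getattr(pkt, f)]
        if not diff:
            return "forward", []
        if len(diff) < len(closest):
            closest = diff
    return "discard", closest

# Constructed sample bindings (documentation addresses, not from the guide).
TABLE = [
    Binding("00:11:22:33:44:55", 10, "192.0.2.10", 3),
    Binding("00-11-22-33-44-66", 10, "192.0.2.11", 4),
]

if __name__ == "__main__":
    # ARP packet from port 3 claiming the other host's IP address.
    print(check_packet(TABLE, "00:11:22:33:44:55", 10, "192.0.2.11", 3))
    # Same host, correct addresses, but plugged into a different port.
    print(check_packet(TABLE, "00:11:22:33:44:55", 10, "192.0.2.10", 7))
```

A packet is forwarded only when MAC address, VLAN ID, IP address and port number all match one binding, so a known host that claims another host's IP address or moves to a different port is discarded just like an unknown host.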
25.1.1 What You Can Do
• Use the IP Source Guard screen to look at the current bindings for DHCP snooping and ARP inspection.
• Use the IP Source Guard Static Binding screen to manage static bindings for DHCP snooping and ARP inspection.
• Use the DHCP Snooping screen to look at various statistics about the DHCP snooping database.
• Use the DHCP Snooping Configure screen to enable DHCP snooping on the Switch (not on a specific VLAN), specify the VLAN where the default DHCP server is located, and configure the DHCP snooping database.
• Use the DHCP Snooping Port Configure screen to specify whether ports are trusted or untrusted ports for DHCP snooping.
• Use the DHCP VLAN Configure screen to enable DHCP snooping on each VLAN and to specify whether or not the Switch adds DHCP relay agent option 82 information to DHCP requests that the Switch relays to a DHCP server for each VLAN.
• Use the DHCP Snooping VLAN Port Configure screen to apply a different DHCP option 82 profile to certain ports in a VLAN.
• Use the ARP Inspection Status screen to look at the current list of MAC address filters that were created because the Switch identified an unauthorized ARP packet.
• Use the ARP Inspection VLAN Status screen to look at various statistics about ARP packets in each VLAN.
• Use the ARP Inspection Log Status screen to look at log messages that were generated by ARP packets and that have not been sent to the syslog server yet.