Security; Ip Source Guard; Dhcp Snooping - TRENDnet TI-PG1284i User Manual

TRENDnet User's Guide

Security

IP Source Guard

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by
filtering traffic based on the DHCP snooping binding database or manually configured IP
source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof
and use the IP address of another host. Any IP traffic coming into the interface with a
source IP address other than that assigned (via DHCP or static configuration) will be
filtered out on the untrusted Layer 2 ports.
The IP Source Guard feature is enabled in combination with the DHCP snooping feature
on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table that is
learned by DHCP snooping or manually configured (static IP source bindings). An entry in
the IP source binding table contains the IP address and the associated MAC and VLAN
numbers. The IP Source Guard is supported on Layer 2 ports only, including access and
trunk ports.
The IP Source Guard features include below functions:
1.

DHCP Snooping.

2. DHCP Binding table.
3. ARP Inspection.
4. Blacklist Filter. (arp-inspection mac-filter table)
DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering
untrusted DHCP messages and by building and maintaining a DHCP snooping binding
database, which is also referred to as a DHCP snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You can
use DHCP snooping to differentiate between untrusted interfaces connected to the end
user and trusted interfaces connected to the DHCP server or another switch.
© Copyright 2016 TRENDnet. All Rights Reserved.
The DHCP snooping binding database contains the MAC address, the IP address, the lease
time, the binding type, the VLAN number, and the interface information that corresponds
to the local untrusted interfaces of a switch.
When a switch receives a packet on an untrusted interface and the interface belongs to a
VLAN in which DHCP snooping is enabled, the switch compares the source MAC address
and the DHCP client hardware address. If addresses match (the default), the switch
forwards the packet. If the addresses do not match, the switch drops the packet.
The switch drops a DHCP packet when one of these situations occurs:

A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet, is received from the untrusted port.

A packet is received on an untrusted interface, and the source MAC address
and the DHCP client hardware address do not match any of the current
bindings.
Use DHCP snooping to filter unauthorized DHCP packets on the network and to build the
binding table dynamically. This can prevent clients from getting IP addresses from
unauthorized DHCP servers.
Trusted vs. Untrusted Ports
Every port is either a trusted port or an untrusted port for DHCP snooping. This setting is
independent of the trusted/untrusted setting for ARP inspection. You can also specify the
maximum number for DHCP packets that each port (trusted or untrusted) can receive
each second.
Trusted ports are connected to DHCP servers or other switches. The Switch discards DHCP
packets from trusted ports only if the rate at which DHCP packets arrive is too high. The
Switch learns dynamic bindings from trusted ports.
Note: The Switch will drop all DHCP requests if you enable DHCP snooping and there are
no trusted ports.
Untrusted ports are connected to subscribers. The Switch discards DHCP packets from
untrusted ports in the following situations:

The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).

The source MAC address and source IP address in the packet do not match any of
TI-PG1284i
134