26.19.1.4 Configuring DHCP Snooping
Follow these steps to configure DHCP snooping on the Switch.
1 Enable DHCP snooping on the Switch.
2 Enable DHCP snooping on each VLAN, and configure DHCP relay option 82.
3 Configure trusted and untrusted ports, and specify the maximum number of DHCP packets that each port can receive per second.
4 Configure static bindings.
26.19.2 ARP Inspection Overview
Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent many kinds of man-in-the-middle attacks, such as the one in the following example.
Figure 177 Example: Man-in-the-middle Attack (the figure shows computers A, X and B in one broadcast domain)
In this example, computer B tries to establish a connection with computer A. Computer X is in the same broadcast domain as computer A and intercepts the ARP request for computer A. Then, computer X does the following things:
• It pretends to be computer A and responds to computer B.
• It pretends to be computer B and sends a message to computer A.
As a result, all the communication between computer A and computer B passes through computer X. Computer X can read and alter the information passed between them.
26.19.2.1 ARP Inspection and MAC Address Filters
When the Switch identifies an unauthorized ARP packet, it automatically creates a MAC address filter to block traffic from the source MAC address and source VLAN ID of the unauthorized ARP packet. You can configure how long the MAC address filter remains in the Switch.
These MAC address filters are different than regular MAC address filters (Chapter 12 on page 119).
• They are stored only in volatile memory.
• They do not use the same space in memory that regular MAC address filters use.
• They appear only in the ARP Inspection screens and commands, not in the MAC Address Filter screens and commands.
Chapter 26 IP Source Guard
GS2210 Series User's Guide
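The following Python model is an added example, not code from the GS2210 firmware or this guide. It ties together the DHCP snooping steps above (trusted and untrusted ports, a per-port DHCP rate limit, static bindings) and the ARP inspection behaviour just described (an unauthorized ARP packet creates a volatile, timed MAC address filter keyed on source MAC and VLAN). Everything in it is assumed for illustration: the port names, the verdict strings, that a dynamic binding is learned from a DHCP ACK arriving on a trusted port for a client whose REQUEST was seen on an untrusted port, and that ARP packets on trusted ports are not inspected. The scenario in demo() mirrors the page's computers A, B and X on VLAN 10.

```python
"""Hypothetical switch model of DHCP snooping plus ARP inspection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of the snooping binding table: (MAC, IP, VLAN, port)."""
    mac: str
    ip: str
    vlan: int
    port: str
    static: bool = False


class SwitchSecurity:
    def __init__(self, trusted_ports, dhcp_rate_limit_pps=10, filter_ttl_s=300):
        self.trusted_ports = set(trusted_ports)
        self.dhcp_rate_limit_pps = dhcp_rate_limit_pps  # max DHCP packets per port per second
        self.filter_ttl_s = filter_ttl_s                # how long an ARP-inspection MAC filter lives
        self.bindings = {}      # (mac, vlan) -> Binding
        self.mac_filters = {}   # (mac, vlan) -> expiry time in seconds (volatile only)
        self._pending = {}      # (mac, vlan) -> untrusted port a client REQUEST was seen on
        self._dhcp_window = {}  # port -> [window_start, packet_count]

    # ---- DHCP snooping -------------------------------------------------
    def add_static_binding(self, mac, ip, vlan, port):
        """Static bindings (step 4) take precedence and are never overwritten by DHCP."""
        self.bindings[(mac.lower(), vlan)] = Binding(mac.lower(), ip, vlan, port, static=True)

    def _dhcp_rate_ok(self, port, now):
        start, count = self._dhcp_window.get(port, [now, 0])
        if now - start >= 1.0:          # new one-second window
            start, count = now, 0
        count += 1
        self._dhcp_window[port] = [start, count]
        return count <= self.dhcp_rate_limit_pps

    def observe_dhcp(self, port, msg_type, client_mac, vlan, now, assigned_ip=None):
        """Return 'forward' or 'drop:<reason>' for one DHCP packet seen on a port."""
        mac = client_mac.lower()
        key = (mac, vlan)
        if not self._dhcp_rate_ok(port, now):
            return "drop:rate-limit"
        if msg_type in ("OFFER", "ACK"):
            # DHCP server replies are only legitimate on trusted ports
            if port not in self.trusted_ports:
                return "drop:server-reply-on-untrusted-port"
            client_port = self._pending.pop(key, None)
            if msg_type == "ACK" and assigned_ip and client_port is not None:
                existing = self.bindings.get(key)
                if existing is None or not existing.static:
                    self.bindings[key] = Binding(mac, assigned_ip, vlan, client_port)
            return "forward"
        if msg_type == "REQUEST":       # remember which untrusted port the client sits on
            self._pending[key] = port
        return "forward"

    # ---- ARP inspection ------------------------------------------------
    def _purge_filters(self, now):
        for key, expiry in list(self.mac_filters.items()):
            if expiry <= now:
                del self.mac_filters[key]

    def inspect_arp(self, port, sender_mac, sender_ip, vlan, now):
        """Return 'forward' or 'drop:<reason>' for one ARP packet seen on a port."""
        self._purge_filters(now)
        mac = sender_mac.lower()
        key = (mac, vlan)
        if port in self.trusted_ports:
            return "forward"
        if key in self.mac_filters:     # source MAC + VLAN already blocked
            return "drop:mac-filter"
        binding = self.bindings.get(key)
        if binding is None or binding.ip != sender_ip or binding.port != port:
            # unauthorized ARP: install a timed MAC filter for this (MAC, VLAN)
            self.mac_filters[key] = now + self.filter_ttl_s
            return "drop:invalid-arp"
        return "forward"

    def active_filters(self, now):
        self._purge_filters(now)
        return sorted(self.mac_filters)


def demo():
    """Constructed scenario: A on port 2, B on port 3, X on port 4, uplink port 1 trusted."""
    sw = SwitchSecurity(trusted_ports={"1"}, dhcp_rate_limit_pps=10, filter_ttl_s=300)
    t = 1000.0
    r = {}
    for mac, port, ip in [("aa:aa:aa:aa:aa:aa", "2", "10.0.0.11"),
                          ("bb:bb:bb:bb:bb:bb", "3", "10.0.0.12"),
                          ("cc:cc:cc:cc:cc:cc", "4", "10.0.0.13")]:
        sw.observe_dhcp(port, "REQUEST", mac, 10, t)               # client on access port
        sw.observe_dhcp("1", "ACK", mac, 10, t, assigned_ip=ip)    # server reply via uplink
    r["rogue_offer"] = sw.observe_dhcp("4", "OFFER", "bb:bb:bb:bb:bb:bb", 10, t)
    r["arp_a_ok"] = sw.inspect_arp("2", "aa:aa:aa:aa:aa:aa", "10.0.0.11", 10, t)
    # X claims A's IP with its own MAC: unauthorized, filter created
    r["arp_x_spoof"] = sw.inspect_arp("4", "cc:cc:cc:cc:cc:cc", "10.0.0.11", 10, t)
    r["filters_after_spoof"] = sw.active_filters(t)
    # X's otherwise valid ARP is blocked while the filter lives, forwarded after it ages out
    r["arp_x_blocked"] = sw.inspect_arp("4", "cc:cc:cc:cc:cc:cc", "10.0.0.13", 10, t + 1)
    r["arp_x_after_expiry"] = sw.inspect_arp("4", "cc:cc:cc:cc:cc:cc", "10.0.0.13", 10, t + 301)
    # 11 DISCOVERs on port 3 in one second against a 10 pps limit: the last one is dropped
    verdicts = [sw.observe_dhcp("3", "DISCOVER", "bb:bb:bb:bb:bb:bb", 10, t + 400) for _ in range(11)]
    r["rate_limit_drops"] = verdicts.count("drop:rate-limit")
    return r
```

The filter is keyed on (MAC, VLAN) rather than on IP, which is why X's later, correctly addressed ARP is still dropped until the configured lifetime passes; that is the behaviour the text describes, and it is also why the filter lifetime is worth tuning so a spoofing host is contained without a mistyped static binding locking out a legitimate host for too long.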