Table of Contents
Advertisement
You can configure this setting for each source VLAN. This setting is independent of the DHCP relay
settings
(Chapter 42 on page
26.19.1.4 Configuring DHCP Snooping
Follow these steps to configure DHCP snooping on the Switch.
Enable DHCP snooping on the Switch.
1
Enable DHCP snooping on each VLAN, and configure DHCP relay option 82.
2
Configure trusted and untrusted ports, and specify the maximum number of DHCP packets that each
3
port can receive per second.
Configure static bindings.
4
26.19.2 ARP Inspection Overview
Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent many kinds of
man-in-the-middle attacks, such as the one in the following example.
Figure 223 Example: Man-in-the-middle Attack
In this example, computer B tries to establish a connection with computer A. Computer X is in the same
broadcast domain as computer A and intercepts the ARP request for computer A. Then, computer X
does the following things:
• It pretends to be computer A and responds to computer B.
• It pretends to be computer B and sends a message to computer A.
As a result, all the communication between computer A and computer B passes through computer X.
Computer X can read and alter the information passed between them.
26.19.2.1 ARP Inspection and MAC Address Filters
When the Switch identifies an unauthorized ARP packet, it automatically creates a MAC address filter to
block traffic from the source MAC address and source VLAN ID of the unauthorized ARP packet. You
can configure how long the MAC address filter remains in the Switch.
These MAC address filters are different than regular MAC address filters
• They are stored only in volatile memory.
Chapter 26 IP Source Guard
405).
XGS2210 Series User's Guide
295
(Chapter 12 on page
138).
- Quick Links:
- The Web Configurator
- Resetting the Switch
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
