Table of Contents
Advertisement
To prevent users from changing IP addresses and attacking the intranet, enable
IPSG after enabling DHCP snooping on the access switch. ACC1 is used in the
example below.
4
On ACC1, enable IPSG in VLAN 10.
[ACC1] vlan 10
[ACC1-vlan10] ip source check user-bind enable
[ACC1-vlan10] quit
ACC1 matches packets received from VLAN 10 with dynamic binding entries in the
DHCP snooping binding table. If a packet matches an entry, ACC1 forwards the
packet; otherwise, ACC1 discards the packet. To check packets received from a
specified user device instead of all user devices in the VLAN, enable IPSG on the
interface connecting to the device.
If static IP address allocation is configured, bind IP addresses and MAC
addresses to prevent users from changing IP addresses and attacking the
network. For this configuration procedure, see "Example for Configuring
IPSG to Prevent Hosts with Static IP Addresses from Changing Their Own
IP Addresses" in the
For details about how to configure the switch to prevent users from connecting a small
router (bogus DHCP server) to the intranet and changing IP addresses, see
"Configuring Basic Functions of DHCP Snooping", "Configuring IPSG", and
configuration examples in the corresponding
the version of the device.
Typical Configuration Examples.
Configuration Guide – Security
20
//Enable IPSG.
based on
- Quick Links:
- Before You Start
Hide quick links:
Advertisement
Table of Contents
