Alcatel OmniStack LS 6248 User Manual page 30

Introduction
DHCP Option 82 – DHCP server can insert information into DHCP requests. The
DHCP information is used to assign IP addresses to network interfaces.
IP Source Address Guard – IP source guard stops malicious network users from
using unallocated network IP addresses. IP Source Guard ensures that only packets
with an IP address stored in the DHCP Snooping Database are forwarded. IP addresses
stored in the DHCP Snooping Database are either statically configured by the network
administrator or are retrieved using DHCP. IP source guard can be enabled only on
DHCP snooping untrusted interfaces.
Dynamic ARP Inspection – ARP Inspection eliminates man-in-the-middle attacks,
where false ARP packets are inserted into the subnet. ARP requests and responses
are inspected, and their MAC Address to IP Address binding is checked. Packets
with invalid ARP Inspection Bindings are logged and dropped. Packets are classified
as:
• Trusted — Indicates that the interface IP and MAC addresses are recognized, and
recorded in the ARP Inspection List. Trusted packets are forwarded without ARP
Inspection.
• Untrusted — Indicates that the packet arrived from an interface that does not have
recognized IP and MAC addresses. The packet is checked for:
  • Source MAC — Compares the packet's source MAC address against the
  sender's MAC address in the ARP request. This check is performed on both
  ARP requests and responses.
  • Destination MAC — Compares the packet's destination MAC address against
  the destination interface's MAC address. This check is performed for ARP
  responses.
  • IP Addresses — Compares the ARP body for invalid and unexpected IP
  addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast
  addresses. If the packet's IP address was not found in the ARP Inspection
  List, and DHCP snooping is enabled for a VLAN, a search of the DHCP
  Snooping Database is performed. If the IP address is found, the packet is valid
  and is forwarded. ARP inspection is performed only on untrusted interfaces.
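The inspection order described above, modelled in Python as an added example (not code from the manual or the switch firmware). The function names, packet field names and all addresses are constructed for illustration, and the destination MAC check is assumed to compare against the target MAC in the ARP body.

```python
import ipaddress

# Constructed IP -> MAC bindings (sample values, not taken from the manual).
ARP_INSPECTION_LIST = {"10.0.0.5": "00:11:22:33:44:55"}  # static entries
DHCP_SNOOPING_DB = {"10.0.0.20": "00:aa:bb:cc:dd:01"}    # learned through DHCP

def invalid_ip(addr):
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_multicast or addr == "255.255.255.255"

def inspect_arp(pkt, trusted, dhcp_snooping_on_vlan=True):
    """Return (verdict, reason) for one ARP packet, in the order the text gives."""
    if trusted:
        return "forward", "trusted interface, not inspected"
    # Source MAC: Ethernet source vs. sender MAC in the ARP body (all ARP packets).
    if pkt["eth_src"] != pkt["sender_mac"]:
        return "drop", "source MAC mismatch"
    # Destination MAC (responses only). Assumption: compared with the ARP target MAC.
    if pkt["op"] == "reply" and pkt["eth_dst"] != pkt["target_mac"]:
        return "drop", "destination MAC mismatch"
    if invalid_ip(pkt["sender_ip"]) or invalid_ip(pkt["target_ip"]):
        return "drop", "invalid IP address in ARP body"
    # Binding lookup: ARP Inspection List first, then the DHCP Snooping Database.
    if ARP_INSPECTION_LIST.get(pkt["sender_ip"]) == pkt["sender_mac"]:
        return "forward", "ARP Inspection List binding"
    if dhcp_snooping_on_vlan and DHCP_SNOOPING_DB.get(pkt["sender_ip"]) == pkt["sender_mac"]:
        return "forward", "DHCP Snooping Database binding"
    return "drop", "no valid binding"  # the switch would also log this packet

def arp(op, eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    return dict(op=op, eth_src=eth_src, eth_dst=eth_dst, sender_mac=sender_mac,
                sender_ip=sender_ip, target_mac=target_mac, target_ip=target_ip)

GW, HOST, OTHER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "02:00:00:00:00:99"
SAMPLES = {  # constructed packets
    "dhcp_host_reply": arp("reply", HOST, GW, HOST, "10.0.0.20", GW, "10.0.0.5"),
    "false_binding": arp("reply", OTHER, HOST, OTHER, "10.0.0.5", HOST, "10.0.0.20"),
    "src_mac_mismatch": arp("request", OTHER, "ff:ff:ff:ff:ff:ff", HOST, "10.0.0.20",
                            "00:00:00:00:00:00", "10.0.0.5"),
    "multicast_sender": arp("reply", HOST, GW, HOST, "224.0.0.9", GW, "10.0.0.5"),
}

def run_samples(dhcp_snooping_on_vlan=True):
    return {n: inspect_arp(p, False, dhcp_snooping_on_vlan) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:18} {verdict:8} {reason}")
```

With DHCP snooping disabled for the VLAN, the DHCP-learned host no longer has a binding the check can find, so its ARP reply is dropped as well.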
LLDP - The Link Layer Discovery Protocol (LLDP) allows network managers to
troubleshoot and enhance network management by discovering and maintaining
network topologies over multi-vendor environments. LLDP discovers network
neighbors by standardizing methods for network devices to advertise themselves to
other systems, and to store discovered information. Device discovery information
includes:
• Device Identification
• Device Capabilities
• Device Configuration
The advertising device transmits multiple advertisement message sets in a single
LAN packet. The multiple advertisement sets are sent in the packet Type Length
Value (TLV) field. LLDP devices must support chassis and port ID advertisement, as
well as system name, system ID, system description, and system capability