Users Guide
68 Switch Feature Overview
IP Source Guard (IPSG)
IP source guard (IPSG) is a security feature that filters IP packets based on
the source ID. The source ID may either be source IP address or a source IP
address source MAC address pair as found in the local DHCP snooping
database. IPSG depends on DHCP Snooping to associate IP address with
MAC addresses.
For information about configuring IPSG, see "Snooping and Inspecting
Traffic" on page 973.
DHCP Snooping
DHCP Snooping is a security feature that monitors DHCP messages between
a DHCP client and DHCP server. It filters harmful DHCP messages and
builds a bindings database of (MAC address, IP address, VLAN ID, port)
tuples that are specified as authorized. DHCP snooping can be enabled
globally and on specific VLANs. Ports within the VLAN can be configured to
be trusted or untrusted. DHCP servers must be reached through trusted ports.
For information about configuring DHCP Snooping, see "Snooping and
Inspecting Traffic" on page 973.
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and
malicious ARP packets. The feature prevents a class of man-in-the-middle
attacks, where an unfriendly station intercepts traffic for other stations by
poisoning the ARP caches of its unsuspecting neighbors. The malicious
station sends ARP requests or responses mapping another station's IP address
to its own MAC address.
Dynamic ARP Inspection relies on DHCP Snooping.
For information about configuring DAI, see "Snooping and Inspecting Traffic"
on page 973.
Protected Ports (Private VLAN Edge)
Private VLAN Edge (PVE) ports are a layer-2 security feature that provides
port-based security between ports that are members of the same VLAN. It is
an extension of the common VLAN. Traffic from protected ports is sent only
to the uplink ports and cannot be sent to other ports within the VLAN.