User manual
C
HAPTER
4
| Configuring the Switch
Configuring Security
– 114 –
◆ IP Address – A valid unicast IP address, including classful types A, B
or C.
◆ IP Mask – This mask specifies the address bits used to identify the
subnet and host. (Default: 255.255.255.0).
WEB INTERFACE
To configure static bindings for IP Source Guard:
1. Click Advanced Configuration, Security, Network, IP Source Guard,
Static Table.
2. Click “Add new entry.”
3. Enter the required bindings for a given port.
4. Click Save.
Figure 38: Configuring Static Bindings for IP Source Guard
CONFIGURING ARP
INSPECTION
ARP Inspection is a security feature that validates the MAC Address
bindings for Address Resolution Protocol packets. It provides protection
against ARP traffic with invalid MAC-to-IP address bindings, which forms
the basis for certain “man-in-the-middle” attacks. This is accomplished by
intercepting all ARP requests and responses and verifying each of these
packets before the local ARP cache is updated or the packet is forwarded to
the appropriate destination. Invalid ARP packets are dropped.
ARP Inspection determines the validity of an ARP packet based on valid
IP-to-MAC address bindings stored in a trusted database – the DHCP
snooping binding database (see "Configuring DHCP Snooping"). This
database is built by DHCP snooping if it is enabled globally on the switch
and on the required ports. ARP Inspection can also validate ARP packets
against statically configured addresses.
COMMAND USAGE
Enabling & Disabling ARP Inspection
◆ ARP Inspection is controlled on a global and port basis.