User manual

ManualsBrandsZYXEL ManualsNetwork Routers & SwitchesGS2210-48HP Network RJ45/SFP switch 48 + 2 ports PoE

221

222

223

224

225

226

227

228

229

230

Chapter 26 IP Source Guard

GS2210 Series User’s Guide

224

• Use the ARP Inspection VLAN Status screen (Section 26.8 on page 238) to look at various statistics

about ARP packets in each VLAN.

• Use the ARP Inspection Log Status screen (Section 26.9 on page 238) to look at log messages that

were generated by ARP packets and that have not been sent to the syslog server yet.

• Use the ARP Inspection Configure screen (Section 26.10 on page 240) to enable ARP inspection on

the Switch. You can also configure the length of time the Switch stores records of discarded ARP

packets and global settings for the ARP inspection log.

• Use the ARP Inspection Port Configure screen (Section 26.10.1 on page 241) to specify whether ports

are trusted or untrusted ports for ARP inspection.

• Use the ARP Inspection VLAN Configure screen (Section 26.10.2 on page 242) to enable ARP

inspection on each VLAN and to specify when the Switch generates log messages for receiving ARP

packets from each VLAN.

• Use the IPv6 Source Binding Status screen (Section 26.12 on page 244) to look at the current IPv6

dynamic and static bindings and to remove dynamic bindings based on IPv6 address and/or IPv6

prefix.

• Use the IPv6 Static Binding Setup screen (Section 26.13 on page 245) to manually create an IPv6

source guard binding table and manage IPv6 static bindings.

• Use the IPv6 Source Guard Policy Setup screen (Section 26.14 on page 246) to have IPv6 source guard

forward valid IPv6 addresses and/or IPv6 prefixes that are stored in the binding table and allow or

block data traffic from all link-local addresses

• Use the IPv6 Source Guard Port Setup screen (Section 26.15 on page 247) to apply configured IPv6

source guard policies to the ports you specify.

• Use the IPv6 Snooping Policy Setup screen (Section 26.16 on page 248) to dynamically create an IPv6

source guard binding table using a DHCPv6 snooping policy. A DHCPv6 snooping policy lets the

Switch sniff DHCPv6 packets sent from a DHCPv6 server to a DHCPv6 client when it is assigning an IPv6

address.

• Use the IPv6 Snooping VLAN Setup screen (Section 26.17 on page 250) to enable a DHCPv6 snooping

policy on a specific VLAN interface.

• Use the IPv6 DHCP Trust Setup screen (Section 26.18 on page 250) to specify which ports are trusted

and untrusted for DHCP snooping.

26.1.2 What You Need to Know

The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from information

provided manually by administrators (static bindings).

IP source guard consists of the following features:

• Static bindings. Use this to create static bindings in the binding table.

• DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to build the binding

table dynamically.

• ARP inspection. Use this to filter unauthorized ARP packets on the network.

If you want to use dynamic bindings to filter unauthorized ARP packets (typical implementation), you

have to enable DHCP snooping before you enable ARP inspection.