2 ip source guard overview – PLANET WGSW-28040P User Manual

User’s Manual of WGSW-28040 / 28040P / 28040P4

179



If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP

packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP

snooping entry is also added to the binding table.



If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the

port is not trusted, it is processed as follows:



If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages),

the packet is dropped.



If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the

packet only if the corresponding entry is found in the binding table.



If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or

RELEASE message, the packet is forwarded if MAC address verification is disabled. However, if MAC

address verification is enabled, then the packet will only be forwarded if the client’s hardware address

stored in the DHCP packet is the same as the source MAC address in the Ethernet header.



If the DHCP packet is not a recognizable type, it is dropped.

• If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.

• If a DHCP packet is from server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the

same VLAN.

• If the DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.



Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a

client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry

for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends

out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a

DHCP server, any packets received from untrusted ports are dropped.

4.10.2 IP Source Guard Overview

IP Source Guard is a secure feature used to restrict IP traffic on DHCP snooping untrusted ports by filtering traffic based on the

DHCP Snooping Table or manually configured IP Source Bindings. It helps prevent IP spoofing attacks when a host tries to

spoof and use the IP address of another host.

After receiving a packet, the port looks up the key attributes (including IP address, MAC address and VLAN tag) of the packet in

the binding entries of the IP source guard. If there is a matching entry, the port will forward the packet. Otherwise, the port will

abandon the packet.

IP source guard filters packets based on the following types of binding entries:



IP-port binding entry



MAC-port binding entry



IP-MAC-port binding entry