ZyXEL Communications GS1510-24 Manual De Usuario

Chapter 18 IP Source Guard

GS1510 Series User’s Guide

IP source guard consists of the following features:

• DHCP snooping. Use this to filter unauthorized DHCP packets on the network 

and to build the binding table dynamically.

• ARP inspection. Use this to filter unauthorized ARP packets on the network.
• Static bindings. Use this to create static bindings in the binding table.

If you want to use dynamic bindings to filter unauthorized ARP packets (typical 
implementation), you have to enable DHCP snooping before you enable ARP 
inspection.

Use DHCP snooping to filter unauthorized DHCP packets on the network and to 
build the binding table dynamically. This can prevent clients from getting IP 
addresses from unauthorized DHCP servers.

Every port is either a trusted port or an untrusted port for DHCP snooping. This 
setting is independent of the trusted/untrusted setting for ARP inspection.

Trusted ports are connected to DHCP servers or other switches. The Switch learns 
dynamic bindings from trusted ports.

Note: The Switch will drop all DHCP requests if you enable DHCP snooping and there 

are no trusted ports.

Untrusted ports are connected to subscribers. The Switch discards DHCP packets 
from untrusted ports in the following situations:

• The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
• The source MAC address and source IP address in the packet do not match any 

of the current bindings.

• The packet is a RELEASE or DECLINE packet, and the source MAC address and 

source port do not match any of the current bindings.

• The rate at which DHCP packets arrive is too high.

The Switch stores the binding table in volatile memory. If the Switch restarts, it 
loads static bindings from permanent memory but loses the dynamic bindings, in 
which case the devices in the network have to send DHCP requests again.