Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User's Manual
Chapter 17. Security
NETGEAR 8800 User Manual
Port Circuit-ID Port information string
---- ----------------------------------
1 cutomer-1
2 cutomer-2
3 1003
4 1004
5 1005
6 1006
7 1007
8 1008
9 1009
10 1010
11 1011
12 1012
13 1013
14 1014
15 1015
16 1016
17 1017
18 1018
19 1019
20 1020
21 1021
22 1022
23 1023
24 1024
25 1025
26 1026
Note: The full Circuit ID string has the form '<Vlan Info>-<Port Info>'
* XCM8806.53 #
Source IP Lockdown
Another type of IP security prevents IP address spoofing by automatically placing source IP
address filters on specified ports. This feature, called source IP lockdown, allows only traffic
from a valid DHCP-assigned address obtained by a DHCP snooping-enabled port to enter
the network. In this way, the network is protected from attacks that use random source
addresses for their traffic. With source IP lockdown enabled, end systems that have a DHCP
address assigned by a trusted DHCP server can access the network, but traffic from others,
including those with static IP addresses, is dropped at the switch.
Source IP lockdown is linked to the “DHCP snooping” feature. The same DHCP bindings
database created when you enable DHCP snooping is also used by source IP lockdown to
create ACLs that permit traffic from DHCP clients. All other traffic is dropped. In addition, the
DHCP snooping violation action setting determines what action(s) the switch takes when a
rogue DHCP server packet is seen on an untrusted port.
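The filtering decision this section describes, modeled in Python as an added example; it is not NETGEAR code or switch configuration. The class and function names, the per-port layout of the bindings table, the port numbers, and the addresses are assumptions constructed for illustration.

```python
# Added illustration: a software model of the filtering decision, not switch firmware.
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DHCP_UDP_PORTS = {67, 68}  # DHCP server and client ports

@dataclass(frozen=True)
class Packet:
    in_port: int          # switch port the packet arrived on
    src_ip: str
    proto: str = "tcp"
    dst_port: int = 0

@dataclass
class LockdownModel:  # hypothetical name
    lockdown_ports: set = field(default_factory=set)  # source IP lockdown enabled
    trusted_ports: set = field(default_factory=set)   # where DHCP servers may sit
    bindings: dict = field(default_factory=dict)      # port -> leased addresses

    def snoop_ack(self, server_port, client_port, leased_ip):
        """Learn a binding from a DHCP ACK; ignore servers on untrusted ports."""
        if server_port not in self.trusted_ports:
            return False  # rogue server: the violation action would apply here
        self.bindings.setdefault(client_port, set()).add(IPv4Address(leased_ip))
        return True

    def permits(self, pkt):
        if pkt.in_port not in self.lockdown_ports:
            return True   # lockdown is per port; other ports are unfiltered
        if pkt.proto == "udp" and pkt.dst_port in DHCP_UDP_PORTS:
            return True   # permit DHCP so a client can obtain a lease
        # Default deny unless the source matches a binding learned on this port.
        return IPv4Address(pkt.src_ip) in self.bindings.get(pkt.in_port, set())

def demo():
    """Constructed scenario: ports 1-2 locked down, DHCP server on port 24."""
    sw = LockdownModel(lockdown_ports={1, 2}, trusted_ports={24})
    before = sw.permits(Packet(1, "10.0.0.50"))    # no lease yet: dropped
    sw.snoop_ack(24, 1, "10.0.0.50")               # lease learned for port 1
    leased = sw.permits(Packet(1, "10.0.0.50"))    # now permitted
    spoofed = sw.permits(Packet(2, "10.0.0.50"))   # same IP, wrong port
    static = sw.permits(Packet(1, "10.0.0.77"))    # static, never leased
    return before, leased, spoofed, static

if __name__ == "__main__":
    print(demo())
```
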
When source IP lockdown is enabled on a port, a default ACL is created to deny all IP traffic
on that port. Then an ACL is created to permit DHCP traffic on specified ports. Each time