Netgear M6100 – Campus Edge and SMB Core Chassis Switches ソフトウェアガイド
Manage Device Security
620
M6100, M5300, and M7100 Series Managed Switches
The following table describes the DHCP snooping statistics.
Configure an IP Source Guard Interface
You can configure IP source guard (IPSG) on each interface. IPSG is a security feature that
filters IP packets based on source ID. This feature helps protect the network from attacks that
use IP address spoofing to compromise or overwhelm the network. The source ID can be
either the source IP address or a source IP address and source MAC address pair. The
DHCP snooping bindings database, along with IPSG entries in the database, identify
authorized source IDs. If you enable IPSG on a port where DHCP snooping is disabled or
where DHCP snooping is enabled but the port is trusted, all IP traffic received on that port is
dropped depending on the admin-configured IPSG entries. Additionally, IPSG interacts with
port security, also known as port MAC locking, to enforce the source MAC address in
received packets. Port security controls source MAC address learning in the Layer 2
forwarding database (the MAC address table). When a frame is received with a previously
unlearned source MAC address, port security queries the IPSG feature to determine whether
the MAC address belongs to a valid binding.
filters IP packets based on source ID. This feature helps protect the network from attacks that
use IP address spoofing to compromise or overwhelm the network. The source ID can be
either the source IP address or a source IP address and source MAC address pair. The
DHCP snooping bindings database, along with IPSG entries in the database, identify
authorized source IDs. If you enable IPSG on a port where DHCP snooping is disabled or
where DHCP snooping is enabled but the port is trusted, all IP traffic received on that port is
dropped depending on the admin-configured IPSG entries. Additionally, IPSG interacts with
port security, also known as port MAC locking, to enforce the source MAC address in
received packets. Port security controls source MAC address learning in the Layer 2
forwarding database (the MAC address table). When a frame is received with a previously
unlearned source MAC address, port security queries the IPSG feature to determine whether
the MAC address belongs to a valid binding.
To configure IP Source Guard Interface settings:
1.
Prepare your computer with a static IP address in the 169.254.100.0 subnet, for
example, 169.254.100.201.
2.
Connect an Ethernet cable from an Ethernet port on your computer to an Ethernet port on
the switch.
3.
Launch a web browser.
4.
Enter the IP address of the switch in the web browser address field.
The default IP address of the switch is 169.254.100.100.
The Login screen displays.
5.
Enter the user name and password.
The default admin user name is admin and the default admin password is blank, that is,
do not enter a password.
do not enter a password.
6.
Click the Login button.
Table 224. DHCP Snooping Statistics
Field
Description
Interface
The untrusted and snooping-enabled interface for which statistics are
to be displayed.
to be displayed.
MAC Verify Failures
Number of packets that were dropped by DHCP snooping because
there is no matching DHCP snooping binding entry found.
there is no matching DHCP snooping binding entry found.
Client Ifc Mismatch
The number of DHCP messages that are dropped based on source
MAC address and client HW address verification.
MAC address and client HW address verification.
DHCP Server Msgs
The number of server messages that are dropped on an untrusted port.