ZyXEL Communications MES3500-24F 用户手册

MES3500-24/24F User’s Guide

Use IP source guard to filter unauthorized DHCP and ARP packets in your network.

IP source guard uses a binding table to distinguish between authorized and unauthorized DHCP and 
ARP packets in your network. A binding contains these key attributes:

• MAC  address
• VLAN  ID
• IP  address
• Port number

When the Switch receives a DHCP or ARP packet, it looks up the appropriate MAC address, VLAN ID, 
IP address, and port number in the binding table. If there is a binding, the Switch forwards the 
packet. If there is not a binding, the Switch discards the packet.

The Switch builds the binding table by snooping DHCP packets (dynamic bindings) and from 
information provided manually by administrators (static bindings).

IP source guard consists of the following features:

• Static bindings. Use this to create static bindings in the binding table.
• DHCP snooping. Use this to filter unauthorized DHCP packets on the network and to build the 

binding table dynamically.

• ARP inspection. Use this to filter unauthorized ARP packets on the network.

If you want to use dynamic bindings to filter unauthorized ARP packets (typical implementation), 
you have to enable DHCP snooping before you enable ARP inspection.

Use DHCP snooping to filter unauthorized DHCP packets on the network and to build the binding 
table dynamically. This can prevent clients from getting IP addresses from unauthorized DHCP 
servers.

Every port is either a trusted port or an untrusted port for DHCP snooping. This setting is 
independent of the trusted/untrusted setting for ARP inspection. You can also specify the maximum 
number for DHCP packets that each port (trusted or untrusted) can receive each second.