DES-7200 Configuration Guide Chapter 9 DHCP Snooping Configuration
Security White Paper and Security Function Deployment White Paper.
9.1.5 Understanding DHCP Snooping and IP Source Guard
The IP Source Guard function maintains an IP source address database. It installs the user
information in that database (IP and MAC) as hardware filtering entries, allowing the
corresponding users to access the network. For details, refer to IP Source Guard
Configuration.
By snooping the DHCP process, DHCP Snooping maintains a user IP address database
and offers it to the IP Source Guard function for filtering, so that only users who obtain
their IP addresses dynamically can access the network.
Furthermore, the DHCP binding filters IP packets rather than ARP messages. To enhance
security and prevent ARP spoofing, check the ARP validity of DHCP-bound users. For
more information, refer to DAI Configuration.
9.1.6 Understanding DHCP Snooping and ARP Inspection
ARP Inspection checks all the ARP messages travelling through the switch. DHCP Snooping
needs to offer its database information for ARP Inspection to use. After receiving an ARP
message, the DAI-enabled switch queries the binding database maintained by DHCP Snooping.
The ARP message is learned and forwarded only when its source MAC, source IP and port all
match a binding; otherwise it is dropped.
9.1.7 Understanding DHCP Snooping and ARP Check
As with ARP Inspection, ARP Check checks all the ARP messages travelling through the
switch. DHCP Snooping needs to offer its database information for ARP Check to use. After
receiving an ARP message, the ARP Check-enabled switch queries the binding database
maintained by DHCP Snooping. The ARP message is learned and forwarded only when its
source MAC, source IP and port all match a binding; otherwise it is dropped.
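
The binding lookup that sections 9.1.6 and 9.1.7 describe, as an added example that is not code from this guide or from the switch firmware: a simplified Python model of a DHCP Snooping database and the source MAC / source IP / port check applied to each ARP message. The class and method names, the lease-expiry handling and the sample addresses and ports are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str
    expires: float  # lease expiry on a constructed clock, in seconds

class SnoopingDB:
    """Simplified model of a DHCP Snooping binding database, keyed by IP."""
    def __init__(self):
        self._by_ip = {}

    def on_dhcp_ack(self, mac, ip, port, lease, now):
        # A snooped DHCPACK creates or refreshes the client's binding.
        self._by_ip[ip] = Binding(mac.lower(), ip, port, now + lease)

    def on_dhcp_release(self, mac, ip):
        # Only the client that owns the binding may remove it.
        b = self._by_ip.get(ip)
        if b and b.mac == mac.lower():
            del self._by_ip[ip]

    def check_arp(self, sender_mac, sender_ip, port, now):
        """Return (forward, reason); forward only if MAC, IP and port all match."""
        b = self._by_ip.get(sender_ip)
        if b is None or b.expires <= now:
            return False, "no-binding"
        if b.mac != sender_mac.lower():
            return False, "mac-mismatch"
        if b.port != port:
            return False, "port-mismatch"
        return True, "ok"

def demo():
    db = SnoopingDB()
    db.on_dhcp_ack("00:11:22:33:44:55", "192.0.2.10", "Gi0/1", lease=3600, now=0)
    arps = [  # constructed samples: (sender MAC, sender IP, ingress port, time)
        ("00:11:22:33:44:55", "192.0.2.10", "Gi0/1", 10),    # bound client
        ("00:AA:BB:CC:DD:EE", "192.0.2.10", "Gi0/2", 20),    # another host claims the IP
        ("00:11:22:33:44:55", "192.0.2.10", "Gi0/2", 30),    # right MAC, wrong port
        ("00:AA:BB:CC:DD:EE", "192.0.2.99", "Gi0/2", 40),    # address never leased
        ("00:11:22:33:44:55", "192.0.2.10", "Gi0/1", 4000),  # lease has expired
    ]
    return [db.check_arp(*a) for a in arps]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth sample shows why statically configured hosts are dropped once ARP checking relies on this database: with no DHCP exchange snooped, no binding exists for them.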