Owner's Manual

Chapter 17. Security | 447
NETGEAR 8800 User Manual
Gratuitous ARP Protection on page 458
ARP Validation on page 460
Figure 31 displays the dependencies of IP security. Any feature that appears directly above
another feature depends on it. For example, to configure ARP validation, you must configure
DHCP snooping and trusted DHCP server.
Figure 31. IP Security Dependencies
Note: IP security features are supported on link aggregation ports with the exception of
DHCP snooping with the block-mac option and source IP lockdown. You can enable IP
security on pre-existing trunks, but you cannot make IP security-enabled ports into trunks
without first disabling IP security.
DHCP Snooping and Trusted DHCP Server
A fundamental requirement for most of the IP security features described in this section is to
configure DHCP snooping and trusted DHCP server. DHCP snooping enhances security by
filtering untrusted DHCP messages and by building and maintaining a DHCP bindings
database. Trusted DHCP server also enhances security by forwarding DHCP packets from
only configured trusted servers within your network.
The DHCP bindings database contains the IP address, MAC address, VLAN ID, and port
number of the untrusted interface or client. If the switch receives a DHCP ACK message and
the IP address does not exist in the DHCP bindings database, the switch creates an entry in
the DHCP bindings database. If the switch receives a DHCP RELEASE, NAK, or DECLINE
message and the IP address exists in the DHCP bindings database, the switch removes the
entry.
You can enable DHCP snooping on a per-port, per-VLAN basis and trusted DHCP server on
a per-VLAN basis. If configured for DHCP snooping, the switch snoops DHCP packets on the
indicated ports and builds a DHCP bindings database of IP address and MAC address
bindings from the received packets. If configured for trusted DHCP server, the switch
forwards only DHCP packets from the trusted servers. The switch drops DHCP server packets
that arrive on other DHCP snooping-enabled ports.
In addition, to prevent rogue DHCP servers from farming out IP addresses, you can
optionally configure a specific port or set of ports as trusted ports. Trusted ports do not block
traffic; rather, the switch forwards any DHCP server packets that appear on trusted ports.
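The binding-database and trusted-server rules above, modelled in Python as an added example (not NETGEAR code): a constructed DHCP exchange in which a trusted server's ACK creates a binding, a rogue OFFER on an untrusted port is dropped, and the client's RELEASE removes the binding. Port names, VLAN and addresses are constructed, and the way the switch ties an ACK to the client's port (the snooped port keyed by client MAC) is an assumption of this model, not taken from the manual.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # originated by a DHCP server
UNBIND_MSGS = {"RELEASE", "NAK", "DECLINE"}  # remove an existing binding (per manual)

@dataclass(frozen=True)
class Dhcp:
    kind: str        # DISCOVER, REQUEST, OFFER, ACK, NAK, RELEASE, DECLINE
    server_ip: str   # source IP of a server message ("" for client messages)
    client_ip: str   # leased address (yiaddr on ACK, ciaddr on RELEASE)
    client_mac: str  # chaddr
    vlan: int
    port: str        # ingress port of this packet (constructed "slot:port" names)

@dataclass
class Switch:
    snooping_ports: Set[str]                  # DHCP snooping enabled here
    trusted_servers: Dict[int, Set[str]]      # VLAN -> trusted server IPs
    trusted_ports: Set[str] = field(default_factory=set)
    client_ports: Dict[str, str] = field(default_factory=dict)  # MAC -> port (assumed)
    bindings: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)

    def process(self, p: Dhcp) -> str:
        """Trusted-server filter first, then snooping; returns 'forward' or 'drop'."""
        if p.kind in SERVER_MSGS:
            # Server packets pass only from a trusted port or a trusted server IP.
            if (p.port not in self.trusted_ports
                    and p.server_ip not in self.trusted_servers.get(p.vlan, set())):
                return "drop"
        elif p.port in self.snooping_ports:
            # Record the snooped client port so the later ACK can be tied to it.
            self.client_ports[p.client_mac] = p.port
        cport = self.client_ports.get(p.client_mac)
        if p.kind == "ACK" and cport and p.client_ip not in self.bindings:
            self.bindings[p.client_ip] = (p.client_mac, p.vlan, cport)
        elif p.kind in UNBIND_MSGS and p.client_ip in self.bindings:
            del self.bindings[p.client_ip]
        return "forward"

def demo() -> Tuple[List[str], dict, dict]:
    # Constructed traffic: snooping on 1:1 and 1:2, trusted server 10.0.0.1 on VLAN 10.
    sw = Switch(snooping_ports={"1:1", "1:2"}, trusted_servers={10: {"10.0.0.1"}})
    mac = "00:11:22:33:44:55"
    flow = [Dhcp("DISCOVER", "", "0.0.0.0", mac, 10, "1:1"),
            Dhcp("OFFER", "10.0.0.99", "10.0.0.200", mac, 10, "1:2"),  # rogue server
            Dhcp("OFFER", "10.0.0.1", "10.0.0.50", mac, 10, "1:24"),
            Dhcp("REQUEST", "", "10.0.0.50", mac, 10, "1:1"),
            Dhcp("ACK", "10.0.0.1", "10.0.0.50", mac, 10, "1:24")]
    results = [sw.process(p) for p in flow]
    after_ack = dict(sw.bindings)
    results.append(sw.process(Dhcp("RELEASE", "", "10.0.0.50", mac, 10, "1:1")))
    return results, after_ack, dict(sw.bindings)
```

A NAK from an untrusted source is dropped by the trusted-server check before it can remove a binding, so a rogue server cannot clear entries from the database.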
[Figure 31, IP Security Dependencies (image not reproduced). Features shown in the diagram: Disable ARP learning; DHCP secured ARP; ARP validation; Source IP lockdown; Gratuitous ARP inspection (protect hosts and switch); Gratuitous ARP inspection (protect only switch); DHCP snooping and trusted DHCP server, the feature the others build on.]