Operation Manual
Configuration Guide
Configuring Network Security
1 Network Security
1.1 Overview
Network Security provides multiple protection measures for the network. Users can configure
the security functions according to their needs.
1.2 Supported Features
The switch supports multiple network security features, such as IP-MAC Binding, DHCP
Snooping and ARP Inspection.
IP-MAC Binding
IP-MAC Binding binds the IP address, MAC address, VLAN ID and connected port number
of a specified host. Based on the IP-MAC binding table, the switch can use the ARP
Detection feature to filter illegal ARP packets, protecting the network from ARP
cheating (ARP spoofing) attacks.
The binding entries can be manually configured, or learned by ARP scanning or DHCP
snooping.
DHCP Snooping
DHCP Snooping supports the basic DHCP security feature and the Option 82 feature.
Basic DHCP Security
DHCP generally has no authentication mechanism between the DHCP server and the
clients. If there are several DHCP servers on the network, security problems and
network interference will occur. DHCP Snooping resolves this problem.
As the following figure shows, the port connected to the legal DHCP server is configured
as a trusted port, and all other ports are configured as untrusted ports. When the switch
receives DHCP discover or DHCP request packets, it forwards them to the legal DHCP
server only through the trusted port. When it receives response packets, the switch
decides whether to forward them based on the type of the receiving port: packets
received on the trusted port are forwarded, and packets received on any other port are
discarded. DHCP Snooping thus ensures that users get IP addresses only from the legal
DHCP server, enhancing network security.
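
The trusted/untrusted decision described above can be modelled as follows. This is an added example, not code from the switch or the manual: it reads the DHCP message type (option 53) from a raw DHCP payload and applies the forwarding rule. The port numbers, function names and the handling of malformed or other message types are assumptions made for illustration.

```python
MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
CLIENT_MSGS = {1: "DISCOVER", 3: "REQUEST"}      # option 53 values sent by clients
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values sent by servers

def dhcp_message_type(payload):
    """Return the DHCP message type (option 53), or None if the payload is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                # End option
            break
        if code == 0:                  # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                # truncated option body
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(payload, ingress_port, trusted_ports):
    """Return (action, egress_ports) for one DHCP packet, per the rule above."""
    mtype = dhcp_message_type(payload)
    if mtype in CLIENT_MSGS:
        # Discover/request packets leave only through the trusted port(s).
        return "forward", sorted(set(trusted_ports) - {ingress_port})
    if mtype in SERVER_MSGS:
        if ingress_port in trusted_ports:
            return "forward", None     # None: normal forwarding towards the client
        return "discard", []           # server reply arrived on an untrusted port
    return "discard", []               # assumption: malformed/other types dropped in this sketch

def sample(mtype):
    """Constructed minimal payload: zeroed BOOTP header + cookie + option 53 + End."""
    return bytes(236) + MAGIC + bytes([53, 1, mtype, 255])
```

With port 1 trusted, `snoop(sample(2), 7, {1})` returns a discard for an offer arriving on untrusted port 7, while the same offer on port 1 is forwarded.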