ZyXEL GS2200-48 User Guide - Page 213
ARP Inspection Overview
View all ZyXEL GS2200-48 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 213 highlights
Chapter 25 IP Source Guard 25.10.1.4 Configuring DHCP Snooping Follow these steps to configure DHCP snooping on the Switch. 1 Enable DHCP snooping on the Switch. 2 Enable DHCP snooping on each VLAN, and configure DHCP relay option 82. 3 Configure trusted and untrusted ports, and specify the maximum number of DHCP packets that each port can receive per second. 4 Configure static bindings. 25.10.2 ARP Inspection Overview Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent many kinds of man-in-the-middle attacks, such as the one in the following example. Figure 133 Example: Man-in-the-middle Attack A B X In this example, computer B tries to establish a connection with computer A. Computer X is in the same broadcast domain as computer A and intercepts the ARP request for computer A. Then, computer X does the following things: • It pretends to be computer A and responds to computer B. • It pretends to be computer B and sends a message to computer A. As a result, all the communication between computer A and computer B passes through computer X. Computer X can read and alter the information passed between them. 25.10.2.1 ARP Inspection and MAC Address Filters When the Switch identifies an unauthorized ARP packet, it automatically creates a MAC address filter to block traffic from the source MAC address and source VLAN ID of the unauthorized ARP packet. You can configure how long the MAC address filter remains in the Switch. These MAC address filters are different than regular MAC address filters (Chapter 12 on page 107). • They are stored only in volatile memory. • They do not use the same space in memory that regular MAC address filters use. • They appear only in the ARP Inspection screens and commands, not in the MAC Address Filter screens and commands. GS2200-8/24 User's Guide 213