4-5Introduction to IP FilteringA denial-of-service (DoS) attack means an attempt of an attacker sending a large number of forgedaddress requests with different source IP addresses to the server so that the network cannot worknormally. The specific effects are as follows:z The resources on the server are exhausted, so the server does not respond to other requests.z After receiving such type of packets, a switch needs to send them to the CPU for processing. Toomany request packets cause high CPU usage rate. As a result, the CPU cannot work normally.The switch can filter invalid IP packets through the DHCP-snooping table and , IP static binding table, orIP-to-MAC mappings of authenticated 802.1x clients.DHCP-snooping tableAfter DHCP snooping is enabled on a switch, a DHCP-snooping table is generated. It is used to recordIP addresses obtained from the DHCP server, MAC addresses, the number of the port through which aclient is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which theport belongs to. These records are saved as entries in the DHCP-snooping table.IP static binding tableThe DHCP-snooping table only records information about clients that obtains IP address dynamicallythrough DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of theclient cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IPfiltering of the DHCP-snooping table, thus it cannot access external networks.To solve this problem, the switch supports the configuration of static binding table entries, that is, thebinding relationship between IP address, MAC address, and the port connecting to the client, so thatpackets of the client can be correctly forwarded.IP-to-MAC mappings of authenticated 802.1x clientsIf most clients are assigned with static IP addresses, you need to configure an IP static binding for eachclient. The configuration is a heavy workload and causes errors easily.To ensure security, in actual networks, clients are usually connected to networks through 802.1xauthentication. With the authenticated 802.1x client-based IP filtering function enabled, the switch canrecord and query the IP-to-MAC mappings of authenticated 802.1x clients to defend against IP attacks.IP filteringIP filtering can be implemented based on the DHCP-snooping table, IP static binding table, orIP-to-MAC mappings of authenticated 802.1x clients, according to actual network requirements. Theswitch can filter IP packets in the following modes:z Filtering packets based on their source IP addresses. If the source IP address in a packet and thenumber of the port that receives the packet match an entry or mapping, the switch regards thepacket as a valid packet and forwards it; otherwise, the switch drops it directly.z Filtering packets based on their source IP and MAC addresses. If the source IP address andsource MAC address in the packet, and the number of the port that receives the packet match anentry or mapping, the switch regards the packet as a valid packet and forwards it; otherwise, theswitch drops it directly.