Today's switch/routers can support dynamic host configuration protocol (DHCP) snooping and internet protocol (IP) source guard. With DHCP snooping, a switch can learn and keep the “binding” of fields, such as {media access control (MAC) source address, receive port, receive virtual local area network (VLAN)}, and validate DHCP messages. IP source guard can check that packets coming from a particular port have a valid IP address assigned by DHCP, thus protecting against IP address snooping.
However, for stronger detection of mis-configuration and/or potential network attacks, the entire address binding consisting of {MAC source address, IP source address, receive port, receive VLAN} should be checked. Such a stronger check can ensure that a packet received from a port and VLAN contains expected IP and MAC addresses. Further, the entire address binding should be checked for cases where multiple hosts exist in a system (e.g., due to a hub or another switch between the host and the switch) to ensure a full binding check.