C
HAPTER
24
| General Security Measures
IPv4 Source Guard
– 912 –
IPV4 SOURCE GUARD
IP Source Guard is a security feature that filters IPv4 traffic on network
interfaces based on manually configured entries in the IPv4 Source Guard
table, or dynamic entries in the DHCPv4 Snooping table when enabled (see
"DHCPv4 Snooping" on page 891). IPv4 source guard can be used to
prevent traffic attacks caused when a host tries to use the IPv4 address of
a neighbor to access the network. This section describes commands used
to configure IPv4 Source Guard.
ip source-guard
binding
This command adds a static address to the source-guard ACL or MAC
address binding table. Use the no form to remove a static entry.
SYNTAX
ip source-guard binding [mode {acl | mac}] mac-address
vlan vlan-id ip-address interface ethernet unit/port
no ip source-guard binding [mode {acl | mac}] mac-address
vlan vlan-id
mode - Specifies the binding mode.
acl - Adds binding to ACL table.
mac - Adds binding to MAC address
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4094)
ip-address - A valid unicast IP address, including classful types A, B
or C.
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Table 94: IPv4 Source Guard Commands
Command Function Mode
ip source-guard binding Adds a static address to the source-guard binding
table
GC
ip source-guard Configures the switch to filter inbound traffic based
on source IP address, or source IP address and
corresponding MAC address
IC
ip source-guard
max-binding
Sets the maximum number of entries that can be
bound to an interface
IC
ip source-guard mode Sets the source-guard learning mode to search for
addresses in the ACL binding table or the MAC
address binding table
IC
clear ip source-guard
binding blocked
Remove all blocked records IC
show ip source-guard Shows whether source guard is enabled or disabled
on each interface
PE
show ip source-guard
binding
Shows the source guard binding table PE, NE
To Next Page
Loading...
Need help?
General
