ELTEX MES3108 - 5.24.4 Client IP address protection (IP-source Guard)

MES3000 Ethernet switch series
DHCP snooping is globally Enabled
DHCP snooping is configured on following VLANs: 2, 5
DHCP snooping database: Enabled
Relay agent Information option 82 is Enabled
Option 82 on untrusted port is allowed
Verification of hwaddr field is Enabled
DHCP snooping file update frequency is configured to: 1200 seconds
Interface   Trusted   Rate Limit (pps)
----------- --------- ------------------
gi1/0/1     No        5
gi1/0/5     Yes       --
gi1/0/11    Yes       --
gi2/0/11    Yes       9
gi3/0/5     No        1781
gi3/0/11    No        7
5.24.4 Client IP address protection (IP-source Guard)
IP address protection (IP Source Guard) filters the traffic received on an interface based on the DHCP Snooping match table and IP Source Guard static matches. In this way, IP Source Guard eliminates IP address spoofing in packets.
Because the IP address protection function uses the DHCP Snooping match table, it is advisable to use this function with DHCP Snooping pre-configured and enabled.
IP Source Guard must be enabled both globally and for the interface.
Global configuration mode commands
The command line prompt in global configuration mode appears as follows:
console(config)#
Table 5.217 Global configuration mode commands

Command: ip source-guard
Value: Function is disabled by default.
Action: Enable client IP address protection for the whole switch.

Command: no ip source-guard
Value: -
Action: Disable client IP address protection for the whole switch.

Command: ip source-guard binding mac_address vlan_id ip_address {gigabitethernet gi_port | tengigabitethernet te_port | port-channel group}
Value: gi_port: (1..8/0/1..24); te_port: (1..8/0/1..4); vlan_id: (1..4094); group: (1..24)
Action: Create a static record in the match table for the client IP address, its MAC address and VLAN group on the interface selected in the command.

Command: no ip source-guard binding mac_address vlan_id
Value: -
Action: Remove a static record from the match table.

Command: ip source-guard tcam retries-freq {seconds | never}
Value: (10..600, never)/60 seconds
Action: Specify how often the device accesses internal resources to store inactive secured IP addresses in memory.
- never: deny storing the inactive secured IP addresses into the memory

Command: no ip source-guard tcam retries-freq
Value: -
Action: Restore the default value.
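An added example, not taken from the Eltex manual: a Python helper that turns a host inventory into static binding commands and rejects values outside the ranges listed in Table 5.217 before anything is pasted into the switch. The function names, the colon-separated MAC notation, the IPv4-only check and the sample inventory are assumptions.

```python
import ipaddress
import re

# Ranges copied from Table 5.217; everything else here is illustrative.
PORT_LIMITS = {
    "gigabitethernet": (8, 24),    # gi_port: (1..8/0/1..24)
    "tengigabitethernet": (8, 4),  # te_port: (1..8/0/1..4)
}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")  # assumed notation


def check_interface(kind, ident):
    """Validate the interface part against the documented ranges."""
    if kind == "port-channel":
        if not (ident.isdigit() and 1 <= int(ident) <= 24):
            raise ValueError(f"group out of range 1..24: {ident}")
        return
    if kind not in PORT_LIMITS:
        raise ValueError(f"unknown interface type: {kind}")
    m = re.fullmatch(r"(\d+)/0/(\d+)", ident)
    max_unit, max_port = PORT_LIMITS[kind]
    if not m or not (1 <= int(m[1]) <= max_unit and 1 <= int(m[2]) <= max_port):
        raise ValueError(f"{kind} port out of range: {ident}")


def binding_command(mac, vlan, ip, kind, ident):
    """Return one 'ip source-guard binding' line or raise ValueError."""
    mac = mac.lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac}")
    if not 1 <= int(vlan) <= 4094:
        raise ValueError(f"vlan_id out of range 1..4094: {vlan}")
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    check_interface(kind, ident)
    return f"ip source-guard binding {mac} {vlan} {ip} {kind} {ident}"


def build_config(inventory):
    """Global enable plus one static binding per inventory row."""
    return ["ip source-guard"] + [binding_command(*row) for row in inventory]


# Constructed sample inventory (documentation addresses, made-up MACs).
SAMPLE = [
    ("00:00:5E:00:53:01", 2, "192.0.2.10", "gigabitethernet", "1/0/1"),
    ("00-00-5e-00-53-02", 5, "192.0.2.11", "port-channel", "3"),
]

if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE)))
```

The generated lines are meant for global configuration mode (`console(config)#`); a rejected row means the inventory entry needs correcting before the binding is created.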
Ethernet interface configuration mode commands (interface range), port group interface
The command line prompt in Ethernet interface and port group interface configuration mode appears as follows:
