Configuring IP source guard
Overview
IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate
packets. It drops all packets that do not match the table.
The IP source guard binding table can include the following binding entries:
• Global binding entries
Only IP-MAC bindings are supported. For more information about global static IP source guard
binding entries, see "Static IP source guard binding entries."
• Interface-specific binding entries
  ◦ IP-interface
  ◦ MAC-interface
  ◦ IP-MAC-interface
  ◦ IP-VLAN-interface
  ◦ MAC-VLAN-interface
  ◦ IP-MAC-VLAN-interface
IP source guard binding entries include static entries that are configured manually and dynamic entries
that are generated based on information from other modules.
As shown in Figure 104, IP source guard on the interface forwards only the packets that match one of the
IP source guard binding entries.
Figure 104 Diagram for the IP source guard function
NOTE:
• IP source guard is a per-interface packet filter. The IP source guard feature configured on one interface
does not affect packet forwarding on another interface.
• The IP source guard feature is available on Layer 2 and Layer 3 Ethernet interfaces, Layer 3 aggregate
interfaces, and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of
interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer
3 interface (see Layer 2—LAN Switching Configuration Guide).
[Figure 104 labels: IP network; Invalid host; Valid host; Configure the IP source guard function on the interface; Binding entries]
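The matching behaviour described in this overview, modelled in Python as an added example (not code from the original guide or from the device software). It assumes global entries are checked on every interface where IP source guard is configured; the interface names, MAC addresses, and 192.0.2.x addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding entry; None means the field is not part of the entry type."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None  # None = global entry

    def matches(self, ip, mac, vlan, interface):
        pairs = ((self.ip, ip), (self.mac, mac),
                 (self.vlan, vlan), (self.interface, interface))
        return all(want is None or want == got for want, got in pairs)

class SourceGuard:
    def __init__(self):
        self.table = []       # static and dynamic entries alike
        self.enabled = set()  # interfaces with IP source guard configured

    def add(self, e):
        if e.interface is None and (None in (e.ip, e.mac) or e.vlan is not None):
            raise ValueError("global entries support IP-MAC bindings only")
        if e.ip is None and e.mac is None:
            raise ValueError("an entry needs an IP address, a MAC address, or both")
        self.table.append(e)

    def forward(self, ip, mac, vlan, interface):
        # Per-interface filter: interfaces without the feature are unaffected.
        if interface not in self.enabled:
            return True
        # Assumption: global entries are checked on every enabled interface.
        return any(e.matches(ip, mac, vlan, interface) for e in self.table)

def demo():
    sg = SourceGuard()
    sg.enabled.add("GE1/0/1")  # constructed interface name
    sg.add(Binding(ip="1.1.1.1", mac="0001-0203-0405", interface="GE1/0/1"))
    sg.add(Binding(ip="192.0.2.10", vlan=10, interface="GE1/0/1"))
    sg.add(Binding(ip="192.0.2.20", mac="0001-0203-0406"))  # global IP-MAC
    return [
        sg.forward("1.1.1.1", "0001-0203-0405", 1, "GE1/0/1"),      # valid host
        sg.forward("1.1.1.1", "0001-0203-0407", 1, "GE1/0/1"),      # spoofed source IP
        sg.forward("192.0.2.10", "0001-0203-0499", 10, "GE1/0/1"),  # IP-VLAN ignores MAC
        sg.forward("192.0.2.10", "0001-0203-0499", 20, "GE1/0/1"),  # wrong VLAN
        sg.forward("192.0.2.20", "0001-0203-0406", 1, "GE1/0/1"),   # global entry
        sg.forward("1.1.1.1", "0001-0203-0407", 1, "GE1/0/2"),      # feature not configured
    ]
```

The last case shows the per-interface scope: the same spoofed packet that is dropped on GE1/0/1 is forwarded on an interface where the feature is not configured.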