208
Configuring IP source guard
IP source guard is intended to improve port security by blocking illegal packets. For example, it can
prevent illegal hosts from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address and source MAC address. It
supports these types of binding entries:
• IP-port binding entry
• MAC-port binding entry
• IP-MAC-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address
and source MAC address) of the packet and then looks them up in the IP source guard binding entries. If
there is a match, the port forwards the packet. Otherwise, the port discards the packet, as shown in
Figure 66.
Figure 66 Diagram for the IP source g
uard function
IP network
Illegal host
Legal host
Enable the IP source guard function on
the port for user access
A binding entry can be statically configured or dynamically added.
Static IP source guard binding entries
A static IP source guard binding entry is configured manually. It is suitable for scenarios where few hosts
exist on a LAN and their IP addresses are manually configured. For example, you can configure a static
binding entry on a port that connects a server, allowing the port to receive packets from and send
packets to only the server.
A static IPv4 source guard binding entry filters IPv4 packets received by the port or checks the validity of
users by cooperating with the ARP detection feature. A static IPv6 source guard binding entry filters IPv6
packets received by the port or checks the validity of users by cooperating with the ND detection
feature.
For information about ARP detection, see "Configuring ARP attack protection."
For information about ND detection, see "Configuring ND attack defense."
A port-based static
binding entry binds an IP address, MAC address, VLAN, or any combination of the
three with a port. Such an entry is effective only on the specified port. A port forwards a packet only
when the IP address, MAC address, and VLAN tag (if any) of the packet all match those in a static
binding entry on the port or a global static binding entry. All other packets are dropped.
To Next Page
Loading...
Need help?
General