Orion A10E - Figure 6-9 IP Source Guard Principle
Orion Networks
A10E/A28E/A28F Configuration Guide
6 Security
185
IP Source Guard binding entry
IP Source Guard matches packet characteristics, including the source IP address, source MAC address, and VLAN tag, and supports combining the interface with the following characteristics (hereinafter referred to as binding entries):
Interface+IP
Interface+IP+MAC
Interface+IP+VLAN
Interface+IP+MAC+VLAN
According to how binding entries are generated, IP Source Guard can be divided into static binding and dynamic binding:
Static binding: configure the binding information manually and generate the binding entry to control the interface. This fits cases where the number of hosts is small or where you need to bind a single host separately.
Dynamic binding: obtain the binding information automatically from DHCP Snooping to control the interface. This fits cases where there are many hosts and DHCP is used for dynamic host configuration. Dynamic binding effectively prevents IP address conflicts and unauthorized use of IP addresses.
IP Source Guard principle
The basic principle of IP Source Guard is to build an IP source binding table within the A10E/A28E. Each interface uses the IP source binding table as the basis for checking the data packets it receives. Figure 6-9 shows the IP Source Guard principle.
If a received IP packet matches a Port/IP/MAC/VLAN binding entry in the IP source binding table, it is forwarded.
If a received IP packet is a DHCP packet, it is forwarded.
Otherwise, the packet is discarded.
Figure 6-9 IP Source Guard principle
Before forwarding IP packets, the A10E/A28E compares the source IP address, source MAC address, interface ID, and VLAN ID of each IP packet with the binding table. If the information matches, the user is considered legal and the packet is forwarded normally. Otherwise, the user is treated as an attacker and the IP packet is discarded.
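The following is an added example, not code from the Orion configuration guide or the A10E/A28E firmware: a small Python model of the binding-entry check described in the two sections above. It covers the four binding entry types (a field that is not part of an entry is left unset), the DHCP exception, and a dynamic entry learned from a DHCP Snooping record. Interface names, addresses and VLAN IDs are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Binding:
    """One IP source binding entry; a field left as None is not part of the match,
    giving the four types Interface+IP, +MAC, +VLAN and +MAC+VLAN."""
    interface: str
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    interface: str          # ingress interface the packet arrived on
    src_ip: str
    src_mac: str
    vlan: int
    is_dhcp: bool = False

def matches(entry: Binding, pkt: Packet) -> bool:
    """Interface and source IP must always match; MAC and VLAN only when bound."""
    if entry.interface != pkt.interface or entry.ip != pkt.src_ip:
        return False
    if entry.mac is not None and entry.mac.lower() != pkt.src_mac.lower():
        return False
    return entry.vlan is None or entry.vlan == pkt.vlan

def decide(table: List[Binding], pkt: Packet) -> str:
    """Forwarding decision in the order the guide gives: binding match, DHCP, discard."""
    if any(matches(e, pkt) for e in table):
        return "forward"
    if pkt.is_dhcp:
        return "forward"    # DHCP must pass so dynamic bindings can be learned
    return "discard"        # no binding matches: the source is treated as an attacker

def binding_from_dhcp_snooping(interface: str, ip: str, mac: str, vlan: int) -> Binding:
    """Dynamic binding: a DHCP Snooping lease record becomes a full Interface+IP+MAC+VLAN entry."""
    return Binding(interface, ip, mac, vlan)

# Constructed sample table (hypothetical port names and addresses), one static entry of each type.
SAMPLE_TABLE = [
    Binding("gi0/1", "10.0.0.11"),
    Binding("gi0/2", "10.0.0.12", mac="00:11:22:33:44:02"),
    Binding("gi0/3", "10.0.0.13", vlan=10),
    Binding("gi0/4", "10.0.0.14", mac="00:11:22:33:44:04", vlan=10),
]
```

Note that an Interface+IP entry accepts any MAC and VLAN on that port, so the stricter Interface+IP+MAC+VLAN form is the one that actually ties an address to a single host.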