Configuring IP Source Guard; Binding Entry Types - HP A6600 Configuration Manual

Configuring IP source guard

This feature is supported only when the SAP card is working in Layer 2 mode.
IP source guard is intended to work on a port connecting users. It filters received packets to block illegal
access to network resources, improving network security. For example, it can prevent illegal hosts
from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address, source MAC address, and
VLAN tag. It supports these types of binding entries:
IP-port binding entry
MAC-port binding entry
IP-MAC-port binding entry
IP-VLAN-port binding entry
MAC-VLAN-port binding entry
IP-MAC-VLAN-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address,
source MAC address, and VLAN tag) of the packet and then looks them up in the binding entries of the
IP source guard. If there is a match, the port forwards the packet. Otherwise, the port discards the
packet, as shown in Figure 140. IP source guard binding entries are on a per-port basis. After a binding
entry is configured on a port, it is effective only on the port.
Figure 140 Diagram for the IP source guard function
[Figure labels: Legal host; Illegal host; Enable the IP source guard function on the port for user access; IP network]

Binding entry types

An IP source guard binding entry can be static or dynamic.
Static IP source guard binding
A static IP source guard binding entry is configured manually. It is suitable for scenarios where only a
few hosts exist in a LAN and their IP addresses are manually configured. For example, configure a static
binding entry on a port that connects a server, allowing the port to receive packets from and send
packets to only the server.
Static IPv4 source guard binding filters IPv4 packets received by the port or checks the validity of
users by cooperating with the ARP detection feature.
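
The per-port lookup and the binding entry types described above, modeled in Python as an added example (it is not code from the HP manual or from the device). The port names, addresses, class and function names are constructed, and the model assumes that a field an entry does not bind is not checked and that a port without the feature is not filtered.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding entry on a port. None = the entry does not check that field."""
    port: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def __post_init__(self):
        # All six entry types bind an IP address, a MAC address, or both.
        if self.ip is None and self.mac is None:
            raise ValueError("binding entry needs an IP or a MAC address")

    def kind(self) -> str:
        fields = (("IP", self.ip), ("MAC", self.mac), ("VLAN", self.vlan))
        return "-".join([n for n, v in fields if v is not None] + ["port"])

    def matches(self, port, src_ip, src_mac, vlan) -> bool:
        return (self.port == port                      # entries are per-port
                and self.ip in (None, src_ip)
                and (self.mac is None or self.mac.lower() == src_mac.lower())
                and self.vlan in (None, vlan))

class SourceGuard:
    def __init__(self, guarded_ports, bindings):
        self.guarded, self.bindings = set(guarded_ports), list(bindings)

    def permit(self, port, src_ip, src_mac, vlan=None) -> bool:
        if port not in self.guarded:
            return True   # assumption: a port without the feature is not filtered
        return any(b.matches(port, src_ip, src_mac, vlan) for b in self.bindings)

# Constructed sample: port names and addresses are illustrative only.
GUARD = SourceGuard({"GE1/0/1", "GE1/0/2"}, [
    Binding("GE1/0/1", ip="192.0.2.10", mac="00:11:22:33:44:55"),  # IP-MAC-port
    Binding("GE1/0/2", ip="192.0.2.20"),                           # IP-port
])

def demo():
    return {
        "bound IP and MAC on bound port": GUARD.permit("GE1/0/1", "192.0.2.10", "00:11:22:33:44:55"),
        "bound IP, different MAC": GUARD.permit("GE1/0/1", "192.0.2.10", "00:aa:bb:cc:dd:ee"),
        "bound pair arriving on another port": GUARD.permit("GE1/0/2", "192.0.2.10", "00:11:22:33:44:55"),
        "IP-port entry, any MAC": GUARD.permit("GE1/0/2", "192.0.2.20", "00:aa:bb:cc:dd:ee"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'forward' if ok else 'discard'}")
```

In this model the last case is forwarded because an IP-port entry does not check the source MAC address, while the IP-MAC-port entry on GE1/0/1 discards the same mismatch.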
