IP source guard configuration
This chapter includes these sections:
• IP source guard overview
• Configuring IPv4 source guard
• Configuring IPv6 source guard
• IP source guard configuration examples
• Troubleshooting IP source guard
IP source guard overview
IP source guard is intended to work on a user access port. It filters received packets to block illegal access to network resources, improving network security. For example, it can prevent illegal hosts from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag. IP source guard entries fall into the following types of binding entries:
• IP-port binding entry
• MAC-port binding entry
• IP-MAC-port binding entry
• IP-VLAN-port binding entry
• MAC-VLAN-port binding entry
• IP-MAC-VLAN-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address, source MAC address, and VLAN tag) of the packet and then looks them up in the IP source guard binding entries. If there is a match, the port forwards the packet; otherwise, the port discards the packet, as shown in Figure 104. IP source guard entries are on a per-port basis. After a binding entry is configured on a port, it is effective only on the port.
Figure 99 Diagram for the IP source guard function
IP source guard entries
An IP source guard entry can be statically configured or dynamically obtained.
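The lookup described in the overview, as an added Python model (not code from this guide or from the switch software). It shows that each binding type checks only the attributes it contains and that an entry applies only to the port it is bound to. Port names, addresses, and the colon-separated MAC format are constructed for illustration, and every port in the model is assumed to have IP source guard enabled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One binding entry on a port; None means the field is not part of the entry."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, src_ip, src_mac, vlan):
        # Only the attributes present in the entry are compared with the packet.
        return ((self.ip is None or self.ip == src_ip)
                and (self.mac is None or self.mac == src_mac.lower())
                and (self.vlan is None or self.vlan == vlan))


class SourceGuard:
    def __init__(self):
        self.table = {}  # port name -> list of Binding (entries are per port)

    def bind(self, port, **fields):
        # All six entry types listed above carry an IP, a MAC, or both.
        if not (fields.get("ip") or fields.get("mac")):
            raise ValueError("a binding entry needs an IP address or a MAC address")
        if fields.get("mac"):
            fields["mac"] = fields["mac"].lower()
        self.table.setdefault(port, []).append(Binding(**fields))

    def filter(self, port, src_ip, src_mac, vlan=None):
        """Return 'forward' if any entry on this port matches, else 'discard'."""
        hit = any(b.matches(src_ip, src_mac, vlan) for b in self.table.get(port, []))
        return "forward" if hit else "discard"


def demo():
    g = SourceGuard()  # constructed sample bindings (hypothetical ports and hosts)
    g.bind("port1", ip="192.0.2.10")                                     # IP-port
    g.bind("port2", ip="192.0.2.20", mac="00:00:5E:00:53:01", vlan=10)   # IP-MAC-VLAN-port
    return [
        g.filter("port1", "192.0.2.10", "00:00:5e:00:53:aa"),      # IP bound; MAC not checked
        g.filter("port1", "192.0.2.99", "00:00:5e:00:53:aa"),      # source IP not bound
        g.filter("port2", "192.0.2.20", "00:00:5e:00:53:01", 10),  # all three attributes match
        g.filter("port2", "192.0.2.20", "00:00:5e:00:53:02", 10),  # bound IP, different MAC
        g.filter("port1", "192.0.2.20", "00:00:5e:00:53:01", 10),  # entry exists only on port2
    ]
```

The first and fourth results show the practical difference between entry types: an IP-port entry accepts the bound address from any source MAC, while an IP-MAC-VLAN-port entry discards the packet when the MAC differs.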