Configuring IP source guard: Overview - HP 5920 Series Configuration Manual

Configuring IP source guard

Overview

IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops all packets that do not match the table.

The IP source guard binding table can include the following binding entries:
- Global binding entries
  Only IP-MAC bindings are supported. For more information about global static IP source guard binding entries, see "Static IP source guard binding entries."
- Interface-specific binding entries
  - IP-interface
  - MAC-interface
  - IP-MAC-interface
  - IP-VLAN-interface
  - MAC-VLAN-interface
  - IP-MAC-VLAN-interface

IP source guard binding entries include static entries that are configured manually and dynamic entries that are generated based on information from other modules.

As shown in Figure 104, IP source guard on the interface forwards only the packets that match one of the IP source guard binding entries.

Figure 104 Diagram for the IP source guard function
(Figure labels: Valid host 1.1.1.1; Invalid host; Binding entries: 1.1.1.1, ...; Configure the IP source guard function on the interface; IP network)

NOTE:
IP source guard is a per-interface packet filter. The IP source guard feature configured on one interface does not affect packet forwarding on another interface.

The IP source guard feature is available on Layer 2 and Layer 3 Ethernet interfaces, Layer 3 aggregate interfaces, and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
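
The matching behaviour described in this overview, modelled in Python as an added example (not code from the HP manual or the switch software). The interface names if1 to if3, the MAC addresses, the hosts other than 1.1.1.1, and the rule that a field absent from an entry is simply not checked are assumptions of this simplified model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding entry. A field left as None is not part of the binding."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None  # None = global entry (IP-MAC only)

    def matches(self, pkt: dict, ingress: str) -> bool:
        if self.interface not in (None, ingress):
            return False  # interface-specific entry bound to another interface
        pairs = ((self.ip, pkt["ip"]), (self.mac, pkt["mac"]), (self.vlan, pkt["vlan"]))
        return all(want is None or want == got for want, got in pairs)

class SourceGuard:
    def __init__(self, bindings, guarded_interfaces):
        self.bindings = list(bindings)
        self.guarded = set(guarded_interfaces)  # interfaces with the feature configured

    def forward(self, pkt: dict, ingress: str) -> bool:
        """Return True to forward the packet, False to drop it."""
        if ingress not in self.guarded:  # the filter is per interface
            return True
        return any(b.matches(pkt, ingress) for b in self.bindings)

# Constructed sample table: hypothetical interfaces and MAC addresses.
GUARD = SourceGuard(
    bindings=[
        Binding(ip="1.1.1.1", mac="00:01:02:03:04:06", interface="if1"),  # IP-MAC-interface
        Binding(ip="1.1.1.2", vlan=10, interface="if1"),                  # IP-VLAN-interface
        Binding(ip="1.1.1.3", mac="00:01:02:03:04:07"),                   # global IP-MAC
    ],
    guarded_interfaces={"if1", "if2"},
)

def packet(ip, mac, vlan=1):
    return {"ip": ip, "mac": mac, "vlan": vlan}

def demo() -> dict:
    valid = packet("1.1.1.1", "00:01:02:03:04:06")
    spoof = packet("1.1.1.1", "00:aa:bb:cc:dd:ee")  # right IP, wrong MAC
    return {
        "valid host on if1": GUARD.forward(valid, "if1"),
        "spoofed MAC on if1": GUARD.forward(spoof, "if1"),
        "valid host moved to if2": GUARD.forward(valid, "if2"),
        "spoofed MAC on unguarded if3": GUARD.forward(spoof, "if3"),
        "global IP-MAC host on if2": GUARD.forward(packet("1.1.1.3", "00:01:02:03:04:07"), "if2"),
    }
```

The last two cases show the practical consequences of the NOTE: an interface without the feature configured forwards spoofed traffic unchanged, so coverage has to be checked interface by interface.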

This manual is also suitable for:

5900 series
