Configuring IP Source Guard; Configuring Global and Port Settings For IP Source Guard; Command Usage - AMX NXA-ENET8-2POE Instruction Manual

Gigabit PoE Ethernet switch

Configuring IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP
Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see the Configuring DHCP Snooping section on
page 69). IP Source Guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to
access the network.
Configuring Global and Port Settings For IP Source Guard
Use the IP Source Guard Configuration page to filter traffic on an insecure port which receives messages from outside the network
or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
IP Source Guard filters traffic based on the source IP address and MAC address pairs found in the DHCP Snooping table, or
based upon static entries configured in the IP Source Guard Table.
FIG. 58 IP Source Guard Configuration
IP Source Guard Configuration parameters
• Port: The port to which a static entry is bound.
• VLAN ID: ID of a configured VLAN (Range: 1-4095)
• IP Address: A valid unicast IP address, including class types A, B or C.
• MAC Address: A valid unicast MAC address.

Command Usage

• When IP Source Guard is enabled globally and on a port, the switch checks the VLAN ID, source IP address, and port number against all entries in the DHCP Snooping binding table and IP Source Guard Static Table. If no matching entry is found, the packet is dropped.
NOTE: Multicast addresses cannot be used by IP Source Guard.
• When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see "Configuring DHCP Snooping"), or static addresses configured in the source guard binding table.
• If IP source guard is enabled, an inbound packet's IP address will be checked against the binding table. If no matching entry is found, the packet will be dropped.
• Filtering rules are implemented as follows:
  - If DHCP snooping is disabled (see page 99), IP source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  - If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
  - If IP source guard is enabled on an interface for which IP source bindings have not yet been configured (neither by static configuration in the IP source guard binding table nor dynamically learned from DHCP snooping), the switch will drop all IP traffic on that port, except for DHCP packets.

1. Click Configuration, Security, Network, IP Source Guard, Configuration.
2. Enable or disable IP Source Guard globally and for any given ports.
3. Set the maximum number of dynamic clients for any port.
4. Click Save.
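
The filtering rules listed under Command Usage, modeled in Python as an added example (not code from the manual or the switch firmware). The class and function names, port numbers and addresses are constructed for illustration, and the model matches on VLAN ID, source IP address and port only, as the rules state.

```python
import ipaddress
from dataclasses import dataclass

STATIC, DYNAMIC = "static", "dhcp-snooping"  # the two binding types the page names

@dataclass(frozen=True)
class Binding:
    port: int
    vlan: int
    ip: str
    kind: str = STATIC

    def __post_init__(self):
        if not 1 <= self.vlan <= 4095:            # VLAN ID range given on the page
            raise ValueError("VLAN ID out of range")
        if ipaddress.ip_address(self.ip).is_multicast:
            raise ValueError("multicast addresses cannot be used")

@dataclass(frozen=True)
class Packet:
    port: int
    vlan: int
    src_ip: str
    is_dhcp: bool = False

def forwarded(pkt, table, guarded_ports, dhcp_snooping):
    """Return True if the modeled switch forwards pkt, False if it drops it."""
    if pkt.port not in guarded_ports:
        return True                               # source guard not enabled on this port
    # Dynamic entries only count while DHCP snooping is enabled.
    kinds = {STATIC, DYNAMIC} if dhcp_snooping else {STATIC}
    usable = [b for b in table if b.port == pkt.port and b.kind in kinds]
    if not usable:
        # No bindings for the port yet: drop all IP traffic except DHCP.
        # Assumption: the page states the DHCP exception only for this case.
        return pkt.is_dhcp
    return any(b.vlan == pkt.vlan and b.ip == pkt.src_ip for b in usable)

# Constructed sample table (documentation addresses, hypothetical port numbers).
TABLE = [
    Binding(port=1, vlan=10, ip="192.0.2.10", kind=STATIC),
    Binding(port=2, vlan=10, ip="192.0.2.20", kind=DYNAMIC),
]
GUARDED = {1, 2, 3}

if __name__ == "__main__":
    # A host on port 2 sending with the address bound to its neighbor on port 1.
    spoof = Packet(port=2, vlan=10, src_ip="192.0.2.10")
    print("spoofed source forwarded:", forwarded(spoof, TABLE, GUARDED, dhcp_snooping=True))
```
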