Ip Source Guard Configuration; Ip Source Guard Overview; Introduction To Ip Source Guard; Ip Source Guard Binding - HP 5120 EI Switch Series Configuration Manual

IP source guard configuration

IP source guard overview

Introduction to IP source guard

IP source guard is intended to work on a port connecting users. It filters received packets to block illegal
access to network resources, improving network security. For example, it can prevent illegal hosts from
using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address, and source MAC address. It
supports these types of binding entries:
IP-port binding entry

MAC-port binding entry

IP-MAC-port binding entry

After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address,
and source MAC address) of the packet and then looks them up in the binding entries of IP source guard.
If there is a match, the port forwards the packet; otherwise, the port discards the packet, as shown in
Figure 75. IP source guard binding entries are on a per-port basis. After a binding entry is configured on
a port, it is effective only on the port.
Figure 75 Diagram for the IP source guard function
Legal host
Illegal host

IP source guard binding

An IP source guard binding entry can be static or dynamic.
Static IP source guard binding
A static IP source guard binding entry is configured manually. It is suitable for scenarios where only few
hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a
static binding entry on a port that connects a server, allowing the port to receive packets from and send
packets to only the server.
Types of static IP source guard binding entries
1.
According to the IP version, a static IP source guard binding entry is an IPv4 or IPv6 entry.
Enable the IP source guard function on
the port for user access
249
IP network