Configuring Ip Source Guard; Overview; Static Ip Source Guard Binding Entries - HP FlexFabric 5930 Series Security Configuration Manual

Configuring IP source guard

Overview

IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate
packets. It drops all packets that do not match the table.
The IP source guard binding table can include the following binding entries:
IP-interface binding entries.
•
• MAC-interface binding entries.
IP-MAC-interface binding entries.
•
IP-VLAN-interface binding entries.
•
MAC-VLAN-interface binding entries.
•
IP-MAC-VLAN-interface binding entries.
•
IP source guard binding entries include static entries configured manually and dynamic entries that are
obtained from other modules.
As shown in
IP source guard binding entries.
Figure 41 Diagram for the IP source guard function
Valid host
1.1.1.1
Invalid host
NOTE:
IP source guard is a per-interface packet filter. The IP source guard function configured on one interface
does not affect packet forwarding on another interface.

Static IP source guard binding entries

Static IP source guard binding entries are configured manually. They are suitable for scenarios where few
hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a
static IP source guard binding entry on an interface that connects a server, allowing the interface to
receive packets only from the server.
Figure 41, IP source guard on the interface forwards only the packets that match one of the
Binding entries
1.1.1.1
...
Configure the IP source guard
function on the interface
IP network
142