Configuring IP source guard
Overview
IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate
packets. It drops all packets that do not match the table.
The IP source guard binding table can include the following binding entries:
• IP-interface binding entries.
• MAC-interface binding entries.
• IP-MAC-interface binding entries.
• IP-VLAN-interface binding entries.
• MAC-VLAN-interface binding entries.
• IP-MAC-VLAN-interface binding entries.
IP source guard binding entries include static entries configured manually and dynamic entries that are
obtained from other modules.
As shown in Figure 41, IP source guard on the interface forwards only the packets that match one of the
IP source guard binding entries.
Figure 41 Diagram for the IP source guard function
[Figure labels: valid host 1.1.1.1; invalid host; binding entries (1.1.1.1, ...); IP source guard function configured on the interface; IP network]
NOTE:
IP source guard is a per-interface packet filter. The IP source guard function configured on one interface
does not affect packet forwarding on another interface.
Static IP source guard binding entries
Static IP source guard binding entries are configured manually. They are suitable for scenarios where few
hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a
static IP source guard binding entry on an interface that connects a server, allowing the interface to
receive packets only from the server.
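The following Python model is an added example, not code or configuration from this guide or from the device software. It shows how a per-interface binding table with the six entry types listed above decides whether a packet is forwarded. The interface names, MAC addresses, VLAN IDs and the class and method names are assumptions constructed for illustration; only the host address 1.1.1.1 comes from Figure 41.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding entry on an interface; None means the field is not part of the entry."""
    interface: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        # Every field the entry specifies must equal the packet's value.
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or self.mac.lower() == mac.lower())
                and (self.vlan is None or self.vlan == vlan))

class SourceGuard:
    """Simplified model: static and dynamic entries are treated the same way."""
    def __init__(self):
        self.enabled = set()   # interfaces with IP source guard configured
        self.table = []        # binding entries

    def enable(self, interface: str) -> None:
        self.enabled.add(interface)

    def add(self, entry: Binding) -> None:
        # All six entry types carry an IP address, a MAC address, or both.
        if entry.ip is None and entry.mac is None:
            raise ValueError("a binding entry needs an IP address or a MAC address")
        self.table.append(entry)

    def permits(self, interface: str, ip: str, mac: str, vlan: int) -> bool:
        # Per-interface filter: an interface without the function is unaffected.
        if interface not in self.enabled:
            return True
        return any(e.interface == interface and e.matches(ip, mac, vlan)
                   for e in self.table)

if __name__ == "__main__":
    guard = SourceGuard()
    guard.enable("GE1/0/1")  # constructed interface name
    guard.add(Binding("GE1/0/1", ip="1.1.1.1", mac="00:11:22:33:44:55"))  # IP-MAC-interface
    for pkt in [("GE1/0/1", "1.1.1.1", "00:11:22:33:44:55", 10),   # valid host
                ("GE1/0/1", "1.1.1.1", "00:11:22:33:44:66", 10),   # spoofed IP, wrong MAC
                ("GE1/0/2", "1.1.1.9", "00:11:22:33:44:66", 10)]:  # unguarded interface
        print(pkt, "forward" if guard.permits(*pkt) else "drop")
```

An interface that has the function enabled but no matching entry drops every packet in this model, which is why binding entries must exist before a guarded interface carries traffic.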