Configuring IP source guard; Overview; Static IPSG bindings - HPE FlexFabric 7900 Series Security Configuration Manual


Configuring IP source guard

Overview

IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match
legitimate packets. It drops all packets that do not match the table.
The IPSG binding table can include the following bindings:
IP-interface.
MAC-interface.
IP-MAC-interface.
IP-VLAN-interface.
MAC-VLAN-interface.
IP-MAC-VLAN-interface.
IPSG bindings include static bindings that are configured manually and dynamic bindings that are
generated based on information from other modules.
NOTE:
The IPSG feature is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The
term "interface" in this chapter collectively refers to these types of interfaces. You can use the port
link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer
2—LAN Switching Configuration Guide).
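The binding check described in this overview, modeled in Python as an added example (not HPE code and not taken from the manual). It assumes that a field omitted from a binding is simply not checked; the class names, the interface name `if1` and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    interface: str   # ingress interface
    src_ip: str
    src_mac: str
    vlan: int

@dataclass(frozen=True)
class Binding:
    """One IPSG binding. A field left as None is not part of the binding
    and is not checked (an assumption of this model)."""
    interface: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def kind(self) -> str:
        fields = (("IP", self.ip), ("MAC", self.mac), ("VLAN", self.vlan))
        return "-".join([n for n, v in fields if v is not None] + ["interface"])

    def matches(self, p: Packet) -> bool:
        return (self.interface == p.interface
                and (self.ip is None or self.ip == p.src_ip)
                and (self.mac is None or self.mac.lower() == p.src_mac.lower())
                and (self.vlan is None or self.vlan == p.vlan))

class SourceGuard:
    def __init__(self):
        self.enabled = set()   # interfaces with IPSG configured
        self.table = []        # static and dynamic bindings alike

    def add(self, b: Binding) -> None:
        if b.ip is None and b.mac is None:
            # every binding type listed in the overview includes an IP or a MAC
            raise ValueError("binding needs an IP address or a MAC address")
        self.table.append(b)

    def forwards(self, p: Packet) -> bool:
        if p.interface not in self.enabled:
            return True        # per-interface filter: other interfaces are unaffected
        return any(b.matches(p) for b in self.table)

if __name__ == "__main__":
    sg = SourceGuard()
    sg.enabled.add("if1")                                    # constructed interface name
    sg.add(Binding("if1", ip="1.1.1.1", mac="02:00:00:00:00:01"))
    print(sg.forwards(Packet("if1", "1.1.1.1", "02:00:00:00:00:01", 10)))
    print(sg.forwards(Packet("if1", "1.1.1.1", "02:00:00:00:00:99", 10)))
```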
As shown in Figure 48, IPSG forwards only the packets that match one of the IPSG bindings.
Figure 48 Diagram for the IPSG feature (labels: valid host 1.1.1.1, invalid host, IPSG bindings, IP source guard feature configured on the interface, IP network)
NOTE:
IPSG is a per-interface packet filter. The feature configured on one interface does not affect packet
forwarding on another interface.

Static IPSG bindings

Static IPSG bindings are configured manually. They are suitable for scenarios where few hosts exist
on a LAN and their IP addresses are manually configured. For example, you can configure a static
IPSG binding on an interface that connects to a server. This binding allows the interface to receive
packets only from the server.
Static IPv4SG bindings on an interface implement the following functions:
