IP source guard configuration
IP source guard overview
IP source guard is intended to improve port security by blocking illegal packets. For example, it can
prevent illegal hosts from using a legal IP address to access the network.
IP source guard can filter packets according to the packet's source IP address and source MAC address. It
supports these types of binding entries:
• IP-port binding entry
• MAC-port binding entry
• IP-MAC-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address,
source MAC address) of the packet and then looks them up in the IP source guard binding entries. If there
is a match, the port forwards the packet. Otherwise, the port discards the packet, as shown in Figure 119.
[Figure 119: Diagram for the IP source guard function]
A binding entry can be statically configured or dynamically added.
Static IP source guard binding entries
A static IP source guard binding entry is configured manually. It binds an IP address, MAC address, or
any combination of the two with a port. Such an entry is effective on only the specified port. A port
forwards a packet only when the IP address and MAC address of the packet both match those in a static
binding entry on the port. All other packets are dropped. It is suitable for scenarios where few hosts
exist on a LAN and their IP addresses are manually configured. For example, you can configure a static
binding entry on a port that connects a server, allowing the port to receive packets from and send
packets to only the server.
A static IPv4 source guard binding entry filters IPv4 packets received by the port or checks the validity of
users by cooperating with the ARP detection feature. A static IPv6 source guard binding entry filters IPv6
packets received by the port.
NOTE:
• For information about ARP detection, see the chapter "ARP attack protection configuration."
• For information about ND detection, see the chapter "ND attack defense configuration."
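The lookup described above (match the packet's source IP address and source MAC address against the binding entries of the ingress port, forward on a match, otherwise drop) is modelled below in Python. This is an added illustration, not code from the configuration guide or the switch; port names, addresses and the `IpSourceGuard`, `BindingEntry` and `Packet` names are constructed for the example. It simplifies two things and labels them: `enable()` covers both IPv4 and IPv6 traffic on a port, and a port without IP source guard enabled forwards everything unchecked.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical form so '0001-0002-0003' and '00:01:00:02:00:03' compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class BindingEntry:
    """A static binding: an IP address, a MAC address, or both, tied to one port."""
    port: str
    ip: Optional[str] = None   # None: the entry does not constrain the source IP
    mac: Optional[str] = None  # None: the entry does not constrain the source MAC

    def __post_init__(self) -> None:
        if self.ip is None and self.mac is None:
            raise ValueError("a binding entry needs an IP address, a MAC address, or both")

    @property
    def kind(self) -> str:
        if self.ip and self.mac:
            return "IP-MAC-port"
        return "IP-port" if self.ip else "MAC-port"

    def matches(self, port: str, src_ip: str, src_mac: str) -> bool:
        """Every attribute the entry carries must match; unspecified ones are ignored."""
        if port != self.port:
            return False
        if self.ip is not None:
            bound, seen = ip_address(self.ip), ip_address(src_ip)
            # An IPv4 entry only ever filters IPv4 packets, an IPv6 entry only IPv6.
            if bound.version != seen.version or bound != seen:
                return False
        if self.mac is not None and normalize_mac(self.mac) != normalize_mac(src_mac):
            return False
        return True


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    src_ip: str
    src_mac: str


class IpSourceGuard:
    def __init__(self) -> None:
        self.enabled_ports: Set[str] = set()   # simplification: one switch for v4 and v6
        self.entries: List[BindingEntry] = []

    def enable(self, port: str) -> None:
        self.enabled_ports.add(port)

    def add_static_binding(self, port: str, ip: Optional[str] = None,
                           mac: Optional[str] = None) -> BindingEntry:
        entry = BindingEntry(port, ip, mac)
        if entry not in self.entries:
            self.entries.append(entry)
        return entry

    def check(self, pkt: Packet) -> Tuple[str, str]:
        """Return ('forward' | 'drop', reason) for a packet arriving on a port."""
        if pkt.ingress_port not in self.enabled_ports:
            return "forward", "IP source guard not enabled on port (assumed: no check)"
        for entry in self.entries:
            if entry.matches(pkt.ingress_port, pkt.src_ip, pkt.src_mac):
                return "forward", f"matched {entry.kind} binding entry"
        return "drop", "no binding entry on this port matches the source IP/MAC"


def build_demo_guard() -> IpSourceGuard:
    """Constructed sample configuration: one entry of each binding type."""
    guard = IpSourceGuard()
    for port in ("GE1/0/1", "GE1/0/2", "GE1/0/3"):
        guard.enable(port)
    guard.add_static_binding("GE1/0/1", ip="192.168.0.10", mac="0001-0002-0003")  # IP-MAC-port
    guard.add_static_binding("GE1/0/2", ip="10.0.0.5")                            # IP-port
    guard.add_static_binding("GE1/0/3", mac="00e0-fc00-0001")                     # MAC-port
    return guard


if __name__ == "__main__":
    guard = build_demo_guard()
    samples = [  # constructed packets; the second and last ones should be dropped
        Packet("GE1/0/1", "192.168.0.10", "00:01:00:02:00:03"),
        Packet("GE1/0/1", "192.168.0.10", "00:01:00:02:00:04"),
        Packet("GE1/0/2", "10.0.0.5", "aa:bb:cc:dd:ee:ff"),
        Packet("GE1/0/3", "10.9.9.9", "00e0-fc00-0001"),
        Packet("GE1/0/4", "1.2.3.4", "00:00:00:00:00:01"),
        Packet("GE1/0/1", "2001:db8::10", "00:01:00:02:00:03"),
    ]
    for pkt in samples:
        action, reason = guard.check(pkt)
        print(f"{pkt.ingress_port:8} {pkt.src_ip:15} {pkt.src_mac:18} -> {action:7} ({reason})")
```

The IP-port entry on GE1/0/2 accepts any MAC address as long as the source IP is the bound one, and the MAC-port entry on GE1/0/3 accepts any source IP for the bound MAC; only the IP-MAC-port entry on GE1/0/1 pins both, which is why the packet with the right IP but a different MAC is dropped there.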