Configuring IP source guard
In this chapter, EB cards refer to the cards suffixed with EB.
Overview
IP source guard is intended to improve port security by blocking illegal packets. It can, for example,
prevent invalid hosts from using a valid IP address to access the network.
IP source guard can filter packets according to the packet source IP address, source MAC address, and
VLAN tag. It supports these types of binding entries:
• IP-port binding entry
• MAC-port binding entry
• IP-MAC-port binding entry
• IP-VLAN-port binding entry
• MAC-VLAN-port binding entry
• IP-MAC-VLAN-port binding entry
A binding entry can be statically configured or dynamically added.
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address,
source MAC address and VLAN tag) of the packet and then looks them up in the IP source guard entries.
If there is a match, the port forwards the packet; otherwise, the port discards the packet, as shown
in Figure 86.
Figure 86 Diagram for the IP source guard function
NOTE:
IP source guard entries configured on a port take effect only on that port.
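The lookup described above can be modeled in a few lines of Python, covering the per-port scope of entries and the way each entry type compares only the fields it contains. This is an added illustration, not code from the switch or its vendor. It assumes that a field absent from an entry type is not compared and that one matching entry on the ingress port is enough to forward; the port names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One binding entry; a field left as None is not part of the entry type."""
    port: str                    # entries take effect only on this port
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, port, ip, mac, vlan):
        if port != self.port:
            return False
        wanted_mac = self.mac.lower() if self.mac else None
        pairs = ((self.ip, ip), (wanted_mac, mac.lower()), (self.vlan, vlan))
        return all(want is None or want == got for want, got in pairs)


def permit(table, guarded_ports, port, ip, mac, vlan):
    """Return True to forward the packet, False to discard it."""
    if port not in guarded_ports:
        return True              # IP source guard not enabled on this port
    return any(b.matches(port, ip, mac, vlan) for b in table)


# Constructed sample data (port names and addresses are illustrative).
GUARDED = {"GE1/0/1", "GE1/0/2", "GE1/0/3"}
TABLE = [
    Binding("GE1/0/1", ip="192.0.2.10", mac="00:11:22:33:44:55"),  # IP-MAC-port
    Binding("GE1/0/2", ip="192.0.2.20"),                           # IP-port
    Binding("GE1/0/3", mac="00:11:22:33:44:66", vlan=10),          # MAC-VLAN-port
]

if __name__ == "__main__":
    packets = [
        ("GE1/0/1", "192.0.2.10", "00:11:22:33:44:55", 1),   # bound host
        ("GE1/0/1", "192.0.2.10", "aa:bb:cc:dd:ee:ff", 1),   # valid IP, wrong MAC
        ("GE1/0/2", "192.0.2.10", "00:11:22:33:44:55", 1),   # entry is on another port
        ("GE1/0/3", "192.0.2.30", "00:11:22:33:44:66", 20),  # right MAC, wrong VLAN
    ]
    for pkt in packets:
        print(pkt, "forward" if permit(TABLE, GUARDED, *pkt) else "discard")
```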
Static IP source guard entries
A static IP source guard entry is configured manually. It is suitable for scenarios where only a few hosts
exist in a LAN and their IP addresses are manually configured. For example, you can configure a static
binding entry on a port that connects a server, allowing the port to receive packets from and send
packets to only the server.