Configuring IP source guard
Overview
IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match
legitimate packets. It drops all packets that do not match the table.
The IPSG binding table can include the following bindings:
•
IP-interface.
•
MAC-interface.
•
IP-MAC-interface.
•
IP-VLAN-interface.
•
MAC-VLAN-interface.
•
IP-MAC-VLAN-interface.
•
IP-MAC.
IPSG bindings include static bindings that are configured manually and dynamic bindings that are
generated based on information from other modules.
NOTE:
Global IPSG supports only static IP-MAC bindings. For more information about global static IPSG
bindings, see
As shown in
bindings.
Figure 116 Diagram for the IPSG feature
Valid host
1.1.1.1
Invalid host
NOTE:
IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet
forwarding on another interface.
Static IPSG bindings
Static IPSG bindings are configured manually. They are suitable for scenarios where few hosts exist
on a LAN and their IP addresses are manually configured. For example, you can configure a static
IPSG binding on an interface that connects to a server. This binding allows the interface to receive
packets only from the server.
Static IPSG bindings on an interface implements the following functions:
"Static IPSG
bindings."
Figure
116, IPSG on the interface forwards only the packets that match one of the IPSG
IPSG bindings
1.1.1.1
...
Configure the IP source guard
feature on the interface
IP network
391