Configuring Ip Source Guard; Overview; Static Ip Source Guard Entries - H3C S5120-HI Security Configuration Manual

Configuring IP source guard

Overview

IP source guard is intended to improve port security by blocking illegal packets. For example, it can
prevent illegal hosts from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address and source MAC address. IP
source guard entries fall into the following types:
IP-port binding entry
MAC-port binding entry
IP-MAC-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address,
source MAC address) of the packet and then looks them up in the IP source guard entries. If there is a
match, the port forwards the packet. Otherwise, the port discards the packet, as shown in Figure 81.
Figure 81 Diagram for the IP source guard function
A binding entry can be statically configured or dynamically added.
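
The lookup described above, modeled in Python as an added example (not code from the H3C manual or the switch software). The port names, addresses and the per-entry handling of the three binding types are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Reduce aa:bb:..., aa-bb-... and aabb-ccdd-eeff notations to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    """One binding entry; a field left as None is not part of the binding."""
    port: str
    ip: Optional[str] = None
    mac: Optional[str] = None

    def matches(self, port: str, src_ip: str, src_mac: str) -> bool:
        if port != self.port:
            return False
        # Compare parsed addresses so equivalent IPv6 spellings match.
        if self.ip is not None and ipaddress.ip_address(src_ip) != ipaddress.ip_address(self.ip):
            return False
        if self.mac is not None and norm_mac(src_mac) != norm_mac(self.mac):
            return False
        return True


def filter_packet(entries, guarded_ports, port, src_ip, src_mac) -> str:
    """Return 'forward' or 'discard' for a packet received on `port`."""
    if port not in guarded_ports:
        return "forward"  # IP source guard is not enabled on this port
    hit = any(e.matches(port, src_ip, src_mac) for e in entries)
    return "forward" if hit else "discard"


# Constructed sample table (documentation addresses, hypothetical port names).
ENTRIES = [
    Binding("GE1/0/1", ip="192.0.2.10", mac="0001-0203-0405"),  # IP-MAC-port
    Binding("GE1/0/2", ip="2001:db8::10"),                      # IP-port
    Binding("GE1/0/3", mac="00:01:02:03:04:99"),                # MAC-port
]
GUARDED = {"GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"}
```

In this model a guarded port with no matching entry (GE1/0/4 here) discards everything it receives, and an IP-port entry does not constrain the source MAC address.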

Static IP source guard entries

A static IP source guard entry is configured manually. It is suitable for scenarios where few hosts exist on
a LAN and their IP addresses are manually configured. For example, you can configure a static binding
entry on a port that connects a server, allowing the port to receive packets from and send packets to only
the server.
A static IPv4 source guard entry filters IPv4 packets received by the port or cooperates with ARP detection
to check the validity of users. A static IPv6 source guard entry filters IPv6 packets received by the port
or cooperates with the ND detection feature to check the validity of users.
For information about ARP detection, see "Configuring ARP attack protection." For information about ND
detection, see "Configuring ND attack defense."
A static IP source guard entry can be a global or port-based static binding entry.
