Edge-Core ECS4510-28P User Manual page 930

| General Security Measures
C 27
HAPTER
IP Source Guard
Table entries include a MAC address, IP address, lease time, entry type
◆
(Static-IP-SG-Binding, Dynamic-DHCP-Binding, VLAN identifier, and
port identifier.
Static addresses entered in the source guard binding table with the
◆
source-guard binding
configured with an infinite lease time. Dynamic entries learned via
DHCP snooping are configured by the DHCP server itself.
◆ If the IP source guard is enabled, an inbound packet's IP address (sip
option) or both its IP address and corresponding MAC address (sip-mac
option) will be checked against the binding table. If no matching entry
is found, the packet will be dropped.
Filtering rules are implemented as follows:
◆
If DHCP snooping is disabled (see
■
check the VLAN ID, source IP address, port number, and source
MAC address (for the sip-mac option). If a matching entry is found
in the binding table and the entry type is static IP source guard
binding, the packet will be forwarded.
If the DHCP snooping is enabled, IP source guard will check the
■
VLAN ID, source IP address, port number, and source MAC address
(for the sip-mac option). If a matching entry is found in the binding
table and the entry type is static IP source guard binding, or
dynamic DHCP snooping binding, the packet will be forwarded.
If IP source guard if enabled on an interface for which IP source
■
bindings (dynamically learned via DHCP snooping or manually
configured) are not yet configured, the switch will drop all IP traffic
on that port, except for DHCP packets.
Only unicast addresses are accepted for static bindings.
■
E
XAMPLE
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
R C
ELATED OMMANDS
ip source-guard binding (928)
ip dhcp snooping (910)
ip dhcp snooping vlan (915)
– 930 –
command (page 928) are automatically
page 910), IP source guard will
ip