354
Configuring IP source guard
Overview
IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate
packets. It drops packets that do not match the table.
The IP source guard binding table can include global and interface-specific binding entries. IP source
guard first uses the interface-specific binding entries to match packets. If no match is found, IP source
guard uses the global binding entries. The binding entries include the following types:
• IP.
• MAC.
• IP-MAC.
IP source guard binding entries can be static or dynamic.
• Static binding entries—Configured manually. Global IP source guard supports only static IP-MAC
binding entries. For more information about global static IP source guard binding entries, see
"Static IP source guard binding entries."
• D
ynamic binding entries—Generated based on information from other modules. For more
information about dynamic binding entries, see "Dynamic IP source guard binding entries."
As sh
own in Figure 108, IP so
urce guard forwards only the packets that match an IP source guard
binding entry.
Figure 108 Diagram for the IP source guard feature
Static IP source guard binding entries
Static IP source guard binding entries are configured manually. They are suitable for scenarios where
several hosts exist on a LAN and their IP addresses are manually configured. For example, you can
configure a static IP source guard binding entry on an interface that connects to a server. This binding
entry allows the interface to receive packets only from the server.
A static IPv4 source guard binding entry filters incoming IPv4 packets on the interface or cooperates with
ARP detection to check the validity of users. A static IPv6 source guard binding entry filters incoming IPv6
packets on the interface or cooperates with the ND detection feature to check the validity of users.
To Next Page
Loading...
Need help?
General