Configuration Guide Configuring IP Source Guard
• Enable DHCP Snooping on S to realize DHCP monitoring.
• Set all downlink ports on S as DHCP untrusted ports.
• Enable IP Source Guard on S to realize IP packet filtering.
• Enable IP–MAC match mode for IP Source Guard on S, filtering IP packets based on IP and MAC addresses.
9.3 Features
Basic Concepts
• Source IP Address
The source IP address field of an IP packet.
• Source MAC Address
The source MAC address field of an IP packet.
• IP-based Filtering
A policy of IP packet filtering in which only the source IP addresses of all IP packets (except DHCP packets) passing
through a port are checked. It is the default filtering policy of IP Source Guard.
• IP-MAC based Filtering
A policy of IP packet filtering, where both the source IP addresses and source MAC addresses of all IP packets are checked,
and only those user packets with these IP addresses and MAC addresses existing in the binding database are permitted.
• Address Binding Database
The address binding database is the basis of security control for the IP Source Guard function. Its data comes from two
sources: the DHCP Snooping binding database and static configuration. When IP Source Guard is enabled, the data of the
DHCP Snooping binding database is synchronized to the address binding database of IP Source Guard, so that IP packets
can be filtered strictly through IP Source Guard on a device with DHCP Snooping enabled.
• Excluded VLAN
By default, when IP Source Guard is enabled on a port, it takes effect on all VLANs on the port. Users may specify
excluded VLANs, within which IP packets are not checked or filtered; such IP packets are not controlled
by IP Source Guard. At most 32 excluded VLANs can be specified for a port.
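The filtering decision described by these concepts, modeled in Python as an added example (not code from the guide or from any device vendor). The class and function names and the sample addresses are constructed, and exempting DHCP packets in IP-MAC mode as well as in IP-based mode is an assumption.

```python
from dataclasses import dataclass, field

MAX_EXCLUDED_VLANS = 32  # per-port limit stated in the guide

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    is_dhcp: bool = False

@dataclass
class GuardedPort:
    ip_mac_mode: bool = False                        # False = IP-based (default)
    bindings: set = field(default_factory=set)       # {(ip, mac)}
    excluded_vlans: set = field(default_factory=set)

    def sync(self, snooping_entries, static_entries=()):
        """Load the binding database from its two sources."""
        for ip, mac in (*snooping_entries, *static_entries):
            self.bindings.add((ip, mac.lower()))

    def exclude_vlan(self, vlan):
        if vlan not in self.excluded_vlans and len(self.excluded_vlans) >= MAX_EXCLUDED_VLANS:
            raise ValueError("at most 32 excluded VLANs per port")
        self.excluded_vlans.add(vlan)

    def permits(self, pkt):
        if pkt.vlan in self.excluded_vlans:
            return True          # excluded VLAN: not checked or filtered
        if pkt.is_dhcp:
            return True          # assumption: DHCP is exempt in both modes
        if self.ip_mac_mode:
            return (pkt.src_ip, pkt.src_mac.lower()) in self.bindings
        return any(ip == pkt.src_ip for ip, _ in self.bindings)

# Constructed sample data (documentation addresses, not from the guide).
SNOOPED = [("192.0.2.10", "00:11:22:33:44:55")]
STATIC = [("192.0.2.20", "00:AA:BB:CC:DD:EE")]

def build_port(ip_mac_mode):
    port = GuardedPort(ip_mac_mode=ip_mac_mode)
    port.sync(SNOOPED, STATIC)
    return port

if __name__ == "__main__":
    borrowed_ip = Packet("192.0.2.10", "de:ad:be:ef:00:01", vlan=10)
    for mode in (False, True):
        print("IP-MAC" if mode else "IP-only", build_port(mode).permits(borrowed_ip))
```

The sample packet carries a bound IP address with a MAC address that is not in the database: the model permits it under IP-based filtering and drops it under IP-MAC based filtering.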
Overview
Checking Source Address Fields of Packets
Filter the IP packets passing through ports by IP-based or IP-MAC based filtering.