IP Source Guard Configuration
When configuring IP Source Guard, go to these sections for the information you are interested in:
• IP Source Guard Overview
• Configuring a Static Binding Entry
• Configuring Dynamic Binding Function
• Displaying and Maintaining IP Source Guard
• IP Source Guard Configuration Examples
• Troubleshooting IP Source Guard
IP Source Guard Overview
By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through the ports, blocking illegal use of network resources and improving network security. For example, IP source guard can prevent an illegal host from pretending to be a legal user in order to access the network. With IP source guard enabled on a port, after receiving a packet the port looks up the key attributes of the packet (source IP address, source MAC address and VLAN tag) in the IP source guard binding entries. If there is a match, the port forwards the packet; otherwise, the port discards it. IP source guard bindings are on a per-port basis: after a binding entry is configured on a port, it is effective only on that port.
IP source guard filters packets based on the following types of binding entries:
• IP-port binding entry
• MAC-port binding entry
• IP-MAC-port binding entry
• IP-VLAN-port binding entry
• MAC-VLAN-port binding entry
• IP-MAC-VLAN-port binding entry
An IP source guard binding entry can be static or dynamic, depending on how the entry is created.
• A static binding is configured manually. It is suitable when there are a few hosts in a LAN or you need to configure a binding entry for a host separately.
• A dynamic binding is implemented in cooperation with DHCP snooping or DHCP Relay. It is suitable when there are many hosts in a LAN and DHCP is used to allocate IP addresses to the hosts. Once DHCP allocates an IP address for a user, the IP source guard function automatically adds a binding entry based on the DHCP entry to allow the user to access the network. If a user specifies an IP address instead of getting one through DHCP, the user will not trigger DHCP to allocate an IP address, and therefore no IP source guard binding will be added for the user to access the network. In this way, IP address collision and theft are prevented.
Enabling IP source guard on a port is mutually exclusive with adding the port to an aggregation group.
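The following is an added illustration of the filtering logic described above, written for this page and not taken from the vendor's software: a binding entry pins a port to some combination of source IP, source MAC and VLAN (a field left as None is simply not part of that entry type, giving the six entry types listed above), entries match only on the port they were configured on, and a host that assigns its own address never triggers a DHCP lease and so never gets a dynamic entry. Port names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of IP source guard binding lookup (not vendor code).
@dataclass(frozen=True)
class Binding:
    port: str
    ip: Optional[str] = None      # None: IP is not part of this entry type
    mac: Optional[str] = None     # None: MAC is not part of this entry type
    vlan: Optional[int] = None    # None: VLAN is not part of this entry type
    source: str = "static"        # "static" (manual) or "dhcp" (from snooping/relay)

    def entry_type(self) -> str:
        fields = (("IP", self.ip), ("MAC", self.mac), ("VLAN", self.vlan))
        present = [name for name, value in fields if value is not None]
        return "-".join(present + ["port"])

    def matches(self, port: str, ip: str, mac: str, vlan: int) -> bool:
        # An entry is effective only on the port it was configured on.
        if self.port != port:
            return False
        wanted = ((self.ip, ip), (self.mac, mac), (self.vlan, vlan))
        return all(want is None or want == got for want, got in wanted)

class IpSourceGuard:
    def __init__(self) -> None:
        self.enabled_ports: Set[str] = set()
        self.bindings: List[Binding] = []

    def enable(self, port: str) -> None:
        self.enabled_ports.add(port)

    def add_static(self, port: str, ip=None, mac=None, vlan=None) -> None:
        # Manually configured entry; any subset of IP/MAC/VLAN may be given.
        self.bindings.append(Binding(port, ip, mac, vlan, "static"))

    def on_dhcp_lease(self, port: str, ip: str, mac: str, vlan: int) -> None:
        # DHCP snooping/relay reports a completed lease; a host that picks
        # its own address never produces one, so it never gets an entry.
        self.bindings.append(Binding(port, ip, mac, vlan, "dhcp"))

    def permit(self, port: str, ip: str, mac: str, vlan: int) -> bool:
        if port not in self.enabled_ports:
            return True   # guard not enabled on this port: nothing is filtered
        # Forward only if some binding on this port matches the packet's keys.
        return any(b.matches(port, ip, mac, vlan) for b in self.bindings)
```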