1-1
1
IP Source Guard Configuration
When configuring IP Source Guard, go to these sections for information you are interested in:
z
z
Configuring a Static Binding Entry
z
Configuring Dynamic Binding Function
z
Displaying and Maintaining IP Source Guard
z
IP Source Guard Configuration Examples
z
Troubleshooting IP Source Guard
IP Source Guard Overview
By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through,
thus improving the network security. After receiving a packet, the port looks up the key attributes
(including IP address, MAC address and VLAN tag) of the packet in the binding entries of the IP source
guard. If there is a match, the port forwards the packet. Otherwise, the port discards the packet.
IP source guard filters packets based on the following types of binding entries:
z
IP-port binding entry
z
MAC-port binding entry
z
IP-MAC-port binding entry
z
IP-VLAN-port binding entry
z
MAC-VLAN-port binding entry
z
IP-MAC-VLAN-port binding entry
You can manually set static binding entries, or use DHCP snooping or DHCP relay to provide dynamic
binding entries. Binding is on a per-port basis. After a binding entry is configured on a port, it is effective
only to the port.
Enabling IP source guard on a port is mutually exclusive with adding the port to an aggregation group.
Configuring a Static Binding Entry
Follow these steps to configure a static binding entry:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enter interface view
interface interface-type
interface-number
—
Summary of Contents for S5500-SI Series
Page 161: ...3 10 GigabitEthernet1 0 1 2 MANUAL...
Page 220: ...1 7 Clearing ARP entries from the ARP table may cause communication failures...
Page 331: ...1 7 1 1 ms 1 ms 1 ms 1 1 6 1 2 1 ms 1 ms 1 ms 1 1 4 1 3 1 ms 1 ms 1 ms 1 1 2 2 Trace complete...
Page 493: ...2 8...
Page 1111: ...1 10 Installing patches Installation completed and patches will continue to run after reboot...