Korenix Technology Co., Ltd.
Industrial
Layer 3 Managed Ethernet Switch
Industrial Layer 3 Managed Ethernet Switch User Manual
6.18 IP Source Guard (IPSG) Commands
IP Source Guard (IPSG) is a security feature that filters IP packets based on source ID. The source ID
may be either the source IP address or a {source IP address, source MAC address} pair. The DHCP
snooping binding database and static IPSG entries identify authorized source IDs. You can configure:
- Whether enforcement includes the source MAC address.
- Static authorized source IDs.
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially,
all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping
process. When a client receives a valid IP address from the DHCP server, or when a static IP source
binding is configured by the user, a per-port and VLAN Access Control List is installed on the port. This
process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic
with a source IP address other than that in the IP source binding is filtered out. This filtering limits a
host's ability to attack the network by claiming a neighbor host's IP address.
IPSG can be enabled on physical or LAG ports. IPSG is disabled by default. If you enable IPSG on a port
where DHCP snooping is disabled, or where DHCP snooping is enabled but the port is trusted, all IP
traffic received on that port is dropped unless it matches an admin-configured IPSG entry. IPSG cannot
be enabled on a port-based routing interface.
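
The following Python model of the filtering decision described above is an added example, not code from this manual or from the switch firmware. The class, field and port names are hypothetical, the addresses are constructed, and DHCP handling is reduced to a port check (UDP 68 to 67).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    ip: str
    mac: str
    static: bool = False   # False = learned by DHCP snooping

@dataclass
class Port:
    name: str
    ipsg: bool = False                # IPSG is disabled by default
    verify_mac: bool = False          # enforce the {IP, MAC} pair, not IP alone
    snooping_untrusted: bool = True   # DHCP snooping on, port untrusted

def is_dhcp_client(pkt):
    return pkt.get("udp") == (68, 67)   # (source port, destination port)

def ipsg_permit(port, pkt, bindings):
    """Return True if the packet passes the modelled IPSG filter."""
    if not port.ipsg:
        return True
    if port.snooping_untrusted and is_dhcp_client(pkt):
        return True   # handed to DHCP snooping, so a client can obtain a lease
    for b in bindings:
        if (b.port, b.vlan, b.ip) != (port.name, pkt["vlan"], pkt["src_ip"]):
            continue
        if not b.static and not port.snooping_untrusted:
            continue  # without untrusted snooping only static entries count
        if port.verify_mac and b.mac.lower() != pkt["src_mac"].lower():
            continue
        return True
    return False

# Constructed sample data (documentation address ranges).
HOST_MAC, OTHER_MAC = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
BINDINGS = [Binding("p1", 10, "192.0.2.10", HOST_MAC),
            Binding("p2", 10, "192.0.2.20", OTHER_MAC, static=True)]

def pkt(src_ip, src_mac, vlan=10, udp=None):
    return {"src_ip": src_ip, "src_mac": src_mac, "vlan": vlan, "udp": udp}

if __name__ == "__main__":
    p1 = Port("p1", ipsg=True)
    for label, p in [("bound IP", pkt("192.0.2.10", HOST_MAC)),
                     ("neighbor's IP", pkt("192.0.2.20", HOST_MAC)),
                     ("DHCP discover", pkt("0.0.0.0", HOST_MAC, udp=(68, 67)))]:
        print(label, "->", "permit" if ipsg_permit(p1, p, BINDINGS) else "drop")
```

With `verify_mac` left off, a host that reuses the bound IP address with a different MAC address still passes; setting it models the {source IP address, source MAC address} enforcement option.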