
Brocade 6910 Ethernet Access Switch Configuration Guide (Supporting R2.2.0.0) User Manual


53-1002651-02


IP Source Guard

When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see
“DHCP Snooping” on page 926), or static addresses configured in the source guard binding
table.

If IP source guard is enabled, an inbound packet’s IP address (SIP option) or both its IP address
and corresponding MAC address (SIP-MAC option) will be checked against the binding table. If
no matching entry is found, the packet will be dropped.

Filtering rules are implemented as follows:

If DHCP snooping is disabled (see “DHCP Snooping Configuration” on page 927), IP source
guard will check the VLAN ID, source IP address, port number, and source MAC address
(for the SIP-MAC option). If a matching entry is found in the binding table and the entry
type is static IP source guard binding, the packet will be forwarded.

If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address,
port number, and source MAC address (for the SIP-MAC option). If a matching entry is
found in the binding table and the entry type is static IP source guard binding, or dynamic
DHCP snooping binding, the packet will be forwarded.

If IP source guard is enabled on an interface for which IP source bindings have not yet been
configured (neither by static configuration in the IP source guard binding table nor
dynamically learned from DHCP snooping), the switch will drop all IP traffic on that port,
except for DHCP packets.
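
The filtering rules above can be modelled as a small decision function. This is an added example, not Brocade code or switch output: the `Binding` and `Packet` types, the `forwards()` function, the port labels and the addresses are constructed for illustration, and the DHCP exception is applied only to ports with no bindings, as the text states.

```python
from dataclasses import dataclass

STATIC, DYNAMIC = "static", "dhcp-snooping"  # binding entry types named on the page

@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    port: str
    mac: str
    kind: str

@dataclass(frozen=True)
class Packet:
    vlan: int
    src_ip: str
    port: str
    src_mac: str
    is_dhcp: bool = False

def forwards(pkt, table, filter_type, snooping_enabled):
    """Model of the page's rules: True = forwarded, False = dropped."""
    if filter_type == "None":              # filtering disabled on the port
        return True
    if filter_type not in ("SIP", "SIP-MAC"):
        raise ValueError(f"unknown filter type: {filter_type!r}")
    on_port = [b for b in table if b.port == pkt.port]
    if not on_port:                        # no bindings yet: only DHCP passes
        return pkt.is_dhcp
    # Dynamic entries count only while DHCP snooping is enabled.
    usable = {STATIC, DYNAMIC} if snooping_enabled else {STATIC}
    for b in on_port:
        if b.kind not in usable or (b.vlan, b.ip) != (pkt.vlan, pkt.src_ip):
            continue
        if filter_type == "SIP-MAC" and b.mac.lower() != pkt.src_mac.lower():
            continue                       # IP matches but MAC does not
        return True
    return False                           # no matching entry: drop

# Constructed sample data (documentation address ranges, made-up port labels).
TABLE = [
    Binding(10, "192.0.2.10", "1/1", "00:00:5e:00:53:01", STATIC),
    Binding(10, "192.0.2.20", "1/2", "00:00:5e:00:53:02", DYNAMIC),
]
GOOD = Packet(10, "192.0.2.10", "1/1", "00:00:5e:00:53:01")
WRONG_MAC = Packet(10, "192.0.2.10", "1/1", "00:00:5e:00:53:99")
LEASED = Packet(10, "192.0.2.20", "1/2", "00:00:5e:00:53:02")
```

With this table, `WRONG_MAC` passes under SIP but is dropped under SIP-MAC, and `LEASED` is forwarded only while DHCP snooping is enabled.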

Parameters
These parameters are displayed:

Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source
IP address and corresponding MAC address. (Default: None)

None – Disables IP source guard filtering on the port.

SIP – Enables traffic filtering based on IP addresses stored in the binding table.

SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC
addresses stored in the binding table.

Max Binding Entry – The maximum number of entries that can be bound to an interface.
(Range: 1-5; Default: 5)
This parameter sets the maximum number of address entries that can be mapped to an
interface in the binding table, including both dynamic entries discovered by DHCP snooping
(see “DHCP Snooping” on page 926) and static entries set by IP source guard (see
“Configuring Static Bindings for IP Source Guard” on page 923).

Interface
To set the IP Source Guard filter for ports:

1. Click Security, IP Source Guard, Port Configuration.

2. Set the required filtering type for each port.

3. Click Apply.