Configuring ike, Overview, Configuring ip source guard – H3C Technologies H3C S12500-X Series Switches User Manual

Page 217: Static ip source guard binding entries


Configuring IP source guard


Overview

IP source guard is a security feature. It is usually configured on a user access interface to help prevent spoofing attacks, in which an attacker uses, for example, the IP address of a valid host to access the network.

As shown in Figure 63, after you configure IP source guard on an interface, the interface filters received packets according to the IP source guard binding entries and forwards only the packets that match one of the entries.

Figure 63 Diagram for the IP source guard function

IP source guard can filter packets according to the packet source IP address and source MAC address. It supports these types of binding entries:

IP-interface

MAC-interface

IP-MAC-interface

IP-VLAN-interface

MAC-VLAN-interface

IP-MAC-VLAN-interface

An IP source guard binding entry can be statically configured or dynamically added.

NOTE:

IP source guard is a per-interface packet filter. The IP source guard function configured on one interface
does not affect packet forwarding on another interface.
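
The following is an added example, not taken from the H3C manual: a simplified Python model of how binding entries of the types listed above decide whether a received packet is forwarded. The interface names (port1, port2), the MAC addresses, and the VLAN number are constructed for illustration; only the 1.1.1.1 address comes from the figure.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    interface: str
    src_ip: str
    src_mac: str
    vlan: int

@dataclass(frozen=True)
class Binding:
    """One binding entry; a field left as None is not part of the entry type."""
    interface: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.interface == pkt.interface
                and self.ip in (None, pkt.src_ip)
                and self.mac in (None, pkt.src_mac)
                and self.vlan in (None, pkt.vlan))

def forwards(pkt, bindings, guarded):
    """True if pkt is forwarded. Only interfaces in `guarded` are filtered."""
    if pkt.interface not in guarded:
        return True  # per-interface filter: other interfaces are unaffected
    return any(b.matches(pkt) for b in bindings)

# Constructed sample traffic: two hosts on the same port claim 1.1.1.1.
VALID = Packet("port1", "1.1.1.1", "00:00:5e:00:53:01", 10)
SPOOF = Packet("port1", "1.1.1.1", "00:00:5e:00:53:02", 10)
OTHER = Packet("port2", "1.1.1.1", "00:00:5e:00:53:02", 10)

def verdicts(entry):
    """Forwarding decision for each sample packet with port1 guarded."""
    return {name: forwards(p, [entry], {"port1"})
            for name, p in (("valid", VALID), ("spoof", SPOOF), ("other", OTHER))}

IP_ONLY = Binding("port1", ip="1.1.1.1")                          # IP-interface
IP_MAC = Binding("port1", ip="1.1.1.1", mac="00:00:5e:00:53:01")  # IP-MAC-interface

if __name__ == "__main__":
    print("IP-interface     ", verdicts(IP_ONLY))
    print("IP-MAC-interface ", verdicts(IP_MAC))
```

In this model the IP-interface entry still forwards the second host on port1, because only the source IP is compared; the IP-MAC-interface entry drops it. Traffic on port2 is forwarded in both cases because no filter is configured there.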


Static IP source guard binding entries

Static IP source guard binding entries are configured manually. They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a

[Figure 63 labels: IP network; Invalid host; Valid host; Configure the IP source guard function on the interface; Binding entries; 1.1.1.1; 1.1.1.1]
