13 IP Source Guard Configuration, IP Source Guard Overview, Introduction – H3C Technologies H3C S7500E Series Switches User Manual
13 IP Source Guard Configuration
The S7500E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7500E series switches can be connected together to form a distributed IRF
device. If an S7500E series switch is not in any IRF, it operates as a distributed device; if it
is in an IRF, it operates as a distributed IRF device. For an introduction to IRF, see IRF
Configuration in the IRF Configuration Guide.
When configuring IP Source Guard, go to these sections for information you are interested in:
• Configuring a Static IP Source Guard Entry
• Configuring the Dynamic IP Source Guard Binding Function
• Displaying and Maintaining IP Source Guard
• IP Source Guard Configuration Examples
• Troubleshooting IP Source Guard
IP Source Guard Overview
Introduction
IP source guard is intended for use on ports that connect to users. It filters received packets to
block illegal access to network resources, improving network security. For example, it can
prevent illegal hosts from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address, source MAC
address, and VLAN tag. It supports these types of binding entries:
• IP-port binding entry
• MAC-port binding entry
• IP-MAC-port binding entry
• IP-VLAN-port binding entry
• MAC-VLAN-port binding entry
• IP-MAC-VLAN-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP
address, source MAC address and VLAN tag) of the packet and then looks them up in the
binding entries of the IP source guard. If there is a match, the port forwards the packet;
otherwise, the port discards the packet, as shown in
. IP source guard binding
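The lookup described above can be modelled in a few lines. The following is an added example, not code from the manual or from H3C: it assumes that a field an entry does not bind is simply not checked and that every port shown has IP source guard enabled. The port names, addresses and VLAN IDs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    port: str      # ingress port
    src_ip: str
    src_mac: str
    vlan: int

@dataclass(frozen=True)
class Binding:
    """One binding entry on a port; None means the field is not part of the entry."""
    port: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def __post_init__(self):
        if self.ip is None and self.mac is None:
            raise ValueError("all six entry types bind an IP, a MAC, or both")

    def matches(self, p: Packet) -> bool:
        return (self.port == p.port
                and self.ip in (None, p.src_ip)
                and (self.mac is None or self.mac.lower() == p.src_mac.lower())
                and self.vlan in (None, p.vlan))

def filter_packet(p: Packet, table: list) -> str:
    """Forward if any entry on the ingress port matches, otherwise discard."""
    return "forward" if any(b.matches(p) for b in table) else "discard"

# Constructed sample: port names, addresses and VLAN IDs are illustrative only.
TABLE = [
    Binding("GE1/0/1", ip="192.0.2.10"),                                 # IP-port
    Binding("GE1/0/2", ip="192.0.2.20", mac="0001-0203-0405", vlan=10),  # IP-MAC-VLAN-port
]
PACKETS = [
    Packet("GE1/0/1", "192.0.2.10", "0001-0203-0401", 10),  # bound IP
    Packet("GE1/0/1", "192.0.2.10", "0001-0203-04ff", 10),  # bound IP, different MAC
    Packet("GE1/0/1", "192.0.2.20", "0001-0203-0401", 10),  # IP bound on another port
    Packet("GE1/0/2", "192.0.2.20", "0001-0203-0405", 10),  # all three fields match
    Packet("GE1/0/2", "192.0.2.20", "0001-0203-04ff", 10),  # bound IP, wrong MAC
    Packet("GE1/0/2", "192.0.2.20", "0001-0203-0405", 20),  # wrong VLAN
]

def verdicts() -> list:
    """Verdict for each sample packet, in order."""
    return [filter_packet(p, TABLE) for p in PACKETS]
```

The second packet is forwarded because an IP-port entry does not bind the MAC address, while the same mismatch is discarded on the port with the IP-MAC-VLAN-port entry. In this model, the entry type chosen for a port determines which of the three attributes the filter actually enforces.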