Configuring ip source guard, Overview, Static ip source guard binding entries – H3C Technologies H3C S6300 Series Switches User Manual
Configuring IP source guard
Overview
IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate
packets. It drops all packets that do not match the table.
The IP source guard binding table can include the following binding entries:
• Global binding entries
  Only static IP-MAC binding entries are supported. For more information about global static IP
  source guard binding entries, see "Static IP source guard binding entries."
• Interface-specific binding entries
  ◦ IP-interface.
  ◦ MAC-interface.
  ◦ IP-MAC-interface.
  ◦ IP-VLAN-interface.
  ◦ MAC-VLAN-interface.
  ◦ IP-MAC-VLAN-interface.
IP source guard binding entries include static entries that are configured manually and dynamic entries
that are generated based on information from other modules.
As shown in Figure 101, IP source guard on the user access interface forwards only the packets that
match one of the IP source guard binding entries.
Figure 101 Diagram for the IP source guard feature
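The matching rule described above, as an added Python sketch that is not taken from the H3C manual or from switch firmware. It is a simplified model: the class and function names, the MAC addresses, VLAN IDs and port names are constructed, and it assumes that a field absent from an entry is not checked and that interfaces without the feature are not filtered.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Binding:
    """One binding entry. A field left as None is not part of the entry."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None  # None marks a global entry

    def kind(self) -> str:
        """Name the entry type as in the manual's list; reject other shapes."""
        parts = [n for n, v in (("IP", self.ip), ("MAC", self.mac),
                                ("VLAN", self.vlan)) if v is not None]
        if self.interface is None:
            if parts != ["IP", "MAC"]:
                raise ValueError("global entries must be IP-MAC")
            return "global IP-MAC"
        if parts in ([], ["VLAN"]):
            raise ValueError("interface entry needs an IP or a MAC")
        return "-".join(parts + ["interface"])

    def matches(self, pkt: Packet) -> bool:
        """Every field present in the entry must equal the packet's value."""
        pairs = ((self.ip, pkt.src_ip), (self.mac, pkt.src_mac),
                 (self.vlan, pkt.vlan), (self.interface, pkt.interface))
        return all(want is None or want == got for want, got in pairs)

def forward(pkt: Packet, table: list, guarded: set) -> bool:
    """True = forwarded, False = dropped by the source guard check."""
    if pkt.interface not in guarded:
        return True  # assumption: no filtering where the feature is off
    return any(b.matches(pkt) for b in table)

# Constructed sample data (MACs, VLAN and port names are made up).
TABLE = [Binding(ip="1.1.1.1", mac="0001-0203-0405", interface="XGE1/0/1"),
         Binding(ip="1.1.1.2", vlan=10, interface="XGE1/0/2")]
GUARDED = {"XGE1/0/1", "XGE1/0/2"}
VALID = Packet("1.1.1.1", "0001-0203-0405", 10, "XGE1/0/1")
SPOOFED = Packet("1.1.1.1", "0001-0203-0499", 10, "XGE1/0/1")
RESULTS = [forward(p, TABLE, GUARDED) for p in (VALID, SPOOFED)]
```

The spoofed packet reuses the valid host's IP address but fails the IP-MAC-interface entry on its MAC, so it is dropped even though the address itself is bound.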
Static IP source guard binding entries
Static IP source guard binding entries are configured manually. They are suitable for scenarios where few
hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a
static IP source guard binding entry on an interface that connects to a server. This binding allows the
interface to receive packets only from the server.
IP source guard can use static IPv4 binding entries on an interface to implement the following functions:
• Filter incoming IPv4 packets on the interface.
[Figure 101 labels: IP network; invalid host (1.1.1.1); valid host (1.1.1.1); binding entries; "Configure the IP source guard function on the interface"]