26 ip source guard configuration, Ip source guard overview, Ip source guard configuration – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Page 287
26-1
26
IP Source Guard Configuration
The term switch in this document refers to a switching device in a generic sense or an access controller
configured with the switching function unless otherwise specified.
When configuring IP Source Guard, go to these sections for information you are interested in:
z
z
Configuring a Static Binding Entry
z
Configuring Dynamic Binding Function
z
z
IP Source Guard Configuration Examples
z
IP Source Guard Overview
By filtering packets on a per-port basis, IP source guard prevents packets with illegal IP addresses and
MAC addresses from traveling through, improving the network security. After receiving a packet, the
port looks up the key attributes (including IP address, MAC address and VLAN tag) of the packet in the
binding entries of the IP source guard. If there is a matching entry, the port will forward the packet.
Otherwise, the port will abandon the packet.
IP source guard filters packets based on the following types of binding entries:
z
IP-port binding entry
z
MAC-port binding entry
z
IP-MAC-port binding entry
You can manually set static binding entries, or use DHCP Snooping to provide dynamic binding entries.
Binding is on a per-port basis. After a binding entry is configured on a port, it is effective only to the port,
instead of other ports.
IP source guard and aggregation group configuration are mutually exclusive.