R3303-HP HSR6800 Routers Security Configuration Guide

23
Configuring IP source guard
This feature is available only for SAP interface modules operating in Layer 2 mode.
Overview
IP source guard improves port security by dropping packets whose source attributes are not bound to the
receiving port. For example, it prevents a host from spoofing another host's valid IP address to access
the network.
IP source guard can filter packets according to the packet source IP address, source MAC address, and
VLAN tag. It supports these types of binding entries:
IP-port binding entry
MAC-port binding entry
IP-MAC-port binding entry
IP-VLAN-port binding entry
MAC-VLAN-port binding entry
IP-MAC-VLAN-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address,
source MAC address, and VLAN tag) of the packet and looks them up in the IP source guard entries. An entry
matches when every attribute it specifies equals the corresponding attribute of the packet; attributes the
entry does not specify are not checked. If there is a match, the port forwards the packet. Otherwise, the
port discards the packet, as shown in Figure 133.
Figure 133 Diagram for the IP source guard function
A binding entry can be statically configured or dynamically added.
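To make the lookup above concrete, the following Python model is added here as an illustration; it is not part of the guide and does not reflect the router's internal implementation. It models an entry as a port plus any combination of IP address, MAC address, and VLAN, so the six entry types fall out of which attributes are left unspecified, and runs constructed sample packets through the filter. Port names (`GE1/0/1` and so on), addresses, and the `GUARDED_PORTS` set are hypothetical sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


def _norm_mac(mac: str) -> str:
    """Compare MACs on their hex digits only, so 0001-0001-0001 equals 00:01:00:01:00:01."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass(frozen=True)
class Packet:
    """Key attributes IP source guard extracts from a received frame (constructed sample type)."""
    port: str
    src_ip: str
    src_mac: str
    vlan: int


@dataclass(frozen=True)
class Binding:
    """One IP source guard entry. Attributes left as None are not checked."""
    port: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def entry_type(self) -> str:
        """Name the entry type the way the guide does, e.g. 'IP-MAC-VLAN-port'."""
        keys = [name for name, value in (("IP", self.ip), ("MAC", self.mac), ("VLAN", self.vlan))
                if value is not None]
        if not keys:
            raise ValueError("a binding must specify at least one of ip, mac, vlan")
        return "-".join(keys + ["port"])

    def matches(self, pkt: Packet) -> bool:
        """True when the packet arrived on this port and every specified attribute agrees."""
        if pkt.port != self.port:
            return False
        if self.ip is not None and self.ip != pkt.src_ip:
            return False
        if self.mac is not None and _norm_mac(self.mac) != _norm_mac(pkt.src_mac):
            return False
        if self.vlan is not None and self.vlan != pkt.vlan:
            return False
        return True


def forward(pkt: Packet, bindings: Iterable[Binding], guarded_ports: Set[str]) -> bool:
    """Forward if the port is not IP-source-guard enabled, or if some entry on that port matches."""
    if pkt.port not in guarded_ports:
        return True
    return any(b.matches(pkt) for b in bindings)


# Constructed sample data (hypothetical port names and addresses).
GUARDED_PORTS = {"GE1/0/1", "GE1/0/3"}
BINDINGS = [
    Binding("GE1/0/1", ip="192.168.1.10", mac="0001-0001-0001", vlan=10),  # IP-MAC-VLAN-port
    Binding("GE1/0/3", ip="10.0.0.5"),                                     # IP-port
]


def demo() -> List[Tuple[str, bool]]:
    """Run constructed packets through the filter and return (description, forwarded) pairs."""
    cases = [
        ("legit host on GE1/0/1", Packet("GE1/0/1", "192.168.1.10", "0001-0001-0001", 10)),
        ("valid IP, forged MAC on GE1/0/1", Packet("GE1/0/1", "192.168.1.10", "0002-0002-0002", 10)),
        ("legit host but wrong VLAN", Packet("GE1/0/1", "192.168.1.10", "0001-0001-0001", 20)),
        ("any MAC allowed by IP-port entry", Packet("GE1/0/3", "10.0.0.5", "00aa-00bb-00cc", 30)),
        ("unbound IP on guarded GE1/0/3", Packet("GE1/0/3", "10.0.0.6", "00aa-00bb-00cc", 30)),
        ("unguarded port: no check", Packet("GE1/0/2", "1.2.3.4", "ffff-ffff-ffff", 99)),
    ]
    return [(desc, forward(pkt, BINDINGS, GUARDED_PORTS)) for desc, pkt in cases]


if __name__ == "__main__":
    for desc, ok in demo():
        print(f"{'FORWARD' if ok else 'DROP   '}  {desc}")
```

The second case is the spoofing scenario the overview mentions: the IP address is valid on that port, but the MAC does not match the IP-MAC-VLAN-port entry, so the packet is dropped. The fourth case shows why the entry type matters: an IP-port entry alone accepts any MAC and VLAN for that IP, so choose the most specific entry type the deployment allows.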
Static IP source guard entries
A static IP source guard entry is configured manually. It is suitable for scenarios where few hosts exist on
a LAN and their IP addresses are manually configured. For example, you can configure a static binding
entry on a port that connects a server, so that the port accepts only packets sourced from that server.
A static IPv4 source guard entry filters IPv4 packets received by the port or checks the validity of users by
cooperating with the ARP detection feature. For information about ARP detection, see "Configuring ARP
attack protection."