R211x-HP Flexfabric 11900 Security Configuration Guide
Configuring IP source guard
Overview
IP source guard is a security feature. It is usually configured on a user access interface to help prevent
spoofing attacks, in which an attacker uses, for example, the IP address of a valid host, to access the
network.
NOTE:
The IP source guard function is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces.
The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port
link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN
Switching Configuration Guide).
As shown in Figure 63, after you configure IP source guard on an interface, the interface filters received
packets according to the IP source guard binding entries, and forwards only the packets that match
one of the entries.
Figure 63 Diagram for the IP source guard function
IP source guard can filter packets according to the packet source IP address and source MAC address.
It supports these types of binding entries:
• IP-interface
• MAC-interface
• IP-MAC-interface
• IP-VLAN-interface
• MAC-VLAN-interface
• IP-MAC-VLAN-interface
An IP source guard binding entry can be statically configured or dynamically added.
NOTE:
IP source guard is a per-interface packet filter. The IP source guard function configured on one interface
does not affect packet forwarding on another interface.
[Figure 63 labels: IP network; valid host; invalid host; the IP source guard function configured on the interface; binding entries; address 1.1.1.1]
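The filtering behaviour described above, modelled as an added Python example (not HP's code and not the switch's implementation). The interface names, the MAC addresses and the rule that a field left out of an entry is not checked are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    interface: str
    src_ip: str
    src_mac: str
    vlan: int

@dataclass(frozen=True)
class Binding:
    """Binding entry on one interface. A field left as None is not part of
    the entry and is not checked (assumption of this model)."""
    interface: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def __post_init__(self):
        # All six entry types on the page include an IP address, a MAC address, or both.
        if self.ip is None and self.mac is None:
            raise ValueError("binding entry needs an IP address or a MAC address")

    def kind(self) -> str:
        fields = (("IP", self.ip), ("MAC", self.mac), ("VLAN", self.vlan))
        return "-".join([n for n, v in fields if v is not None] + ["interface"])

    def matches(self, pkt: Packet) -> bool:
        return (self.interface == pkt.interface
                and self.ip in (None, pkt.src_ip)
                and self.mac in (None, pkt.src_mac)
                and self.vlan in (None, pkt.vlan))

def forwarded(pkt, bindings, guarded_interfaces) -> bool:
    """True if the packet is forwarded, False if the filter drops it."""
    if pkt.interface not in guarded_interfaces:
        return True  # the filter is per interface; other interfaces are unaffected
    return any(b.matches(pkt) for b in bindings)

# Constructed sample data: interface names and MAC addresses are made up.
GUARDED = {"GE1/0/1"}
VALID = Packet("GE1/0/1", "1.1.1.1", "00:01:02:03:04:05", 10)
SPOOFED = Packet("GE1/0/1", "1.1.1.1", "00:aa:bb:cc:dd:ee", 10)  # same IP, other MAC
IP_ONLY = [Binding("GE1/0/1", ip="1.1.1.1")]
IP_MAC = [Binding("GE1/0/1", ip="1.1.1.1", mac="00:01:02:03:04:05")]

if __name__ == "__main__":
    for name, entries in (("IP-only", IP_ONLY), ("IP-MAC", IP_MAC)):
        print(name, forwarded(VALID, entries, GUARDED), forwarded(SPOOFED, entries, GUARDED))
```

In this model the IP-interface entry still passes a packet that reuses the bound IP address with a different MAC address on the same interface, while the IP-MAC-interface entry drops it.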










