R0106-HP MSR Router Series Security Configuration Guide(V7)
Configuring IP source guard
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024,
MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate
packets. It drops all packets that do not match the table.
The IP source guard binding table can include the following binding entries:
• IP-interface.
• MAC-interface.
• IP-MAC-interface.
• IP-VLAN-interface.
• MAC-VLAN-interface.
• IP-MAC-VLAN-interface.
IP source guard binding entries include static entries that are configured manually and dynamic entries
that are generated based on information from other modules.
As shown in Figure 115, IP source guard on the user access interface forwards only the packets that match
one of the IP source guard binding entries.
Figure 115 Diagram for the IP source guard function
NOTE:
IP source guard is a per-interface packet filter. The IP source guard function configured on one interface
does not affect packet forwarding on another interface.
Static IP source guard binding entries
Static IP source guard binding entries are configured manually. They are suitable for scenarios where few
hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a
static IP source guard binding entry on an interface that connects to a server. This binding allows the
interface to receive packets only from the server.
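The matching behaviour described above, modelled as an added Python example (not code from this guide or from the router software). The interface names, addresses, and the rule that a field left out of an entry is not checked are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    interface: str             # ingress interface
    src_ip: str
    src_mac: str
    vlan: Optional[int] = None

@dataclass(frozen=True)
class Binding:
    interface: str
    ip: Optional[str] = None   # None = field is not part of this entry (assumption)
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def __post_init__(self):
        if self.ip is None and self.mac is None:
            raise ValueError("entry must bind an IP address, a MAC address, or both")

    def kind(self) -> str:
        fields = (("IP", self.ip), ("MAC", self.mac), ("VLAN", self.vlan))
        return "-".join([n for n, v in fields if v is not None] + ["interface"])

    def matches(self, p: Packet) -> bool:
        return (self.interface == p.interface
                and self.ip in (None, p.src_ip)
                and (self.mac is None or self.mac.lower() == p.src_mac.lower())
                and self.vlan in (None, p.vlan))

def verdict(pkt, guarded, table):
    if pkt.interface not in guarded:   # per-interface filter: other ports unaffected
        return "forward"
    return "forward" if any(b.matches(pkt) for b in table) else "drop"

# Constructed sample data: a server on GE0/1 with a static IP-MAC-interface entry.
TABLE = [Binding("GE0/1", ip="192.0.2.10", mac="00:11:22:33:44:55")]
GUARDED = {"GE0/1", "GE0/3"}           # interfaces with the filter configured
PACKETS = [
    Packet("GE0/1", "192.0.2.10", "00:11:22:33:44:55"),  # the server itself
    Packet("GE0/1", "192.0.2.10", "66:77:88:99:aa:bb"),  # right IP, wrong MAC
    Packet("GE0/3", "192.0.2.10", "00:11:22:33:44:55"),  # right pair, wrong port
    Packet("GE0/2", "192.0.2.10", "66:77:88:99:aa:bb"),  # port without the filter
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p.interface, p.src_ip, p.src_mac, "->", verdict(p, GUARDED, TABLE))
```

The last packet is forwarded because GE0/2 has no filter configured, which is why the function has to be configured on every user access interface that needs protection.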
[Figure 115 diagram labels: IP network; Valid host; Invalid host; Binding entries; "Configure the IP source guard function on the interface"; address shown: 1.1.1.1]