Configuring IP Source Guard; Overview; Static IP Source Guard Entries - HP 5920 Series Configuration Manual


Configuring IP source guard

Overview

IP source guard is a security feature. It is usually configured on a user access interface to help prevent
spoofing attacks, in which an attacker uses, for example, the IP address of a valid host, to access the
network.
As shown in Figure 63, after you configure IP source guard on an interface, the interface filters received
packets according to the IP source guard entries, and forwards only the packets that match one of the
entries.
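Figure 63 Diagram for the IP source guard function [labels: valid host 1.1.1.1; invalid host; binding entries (1.1.1.1, ...); IP source guard configured on the interface; IP network]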
IP source guard can filter packets according to the packet source IP address and source MAC address.
It supports these types of binding entries:
IP-interface binding entry
IP-MAC-interface binding entry
IP-VLAN-interface binding entry
IP-MAC-VLAN-interface binding entry
A binding entry for IP source guard can be statically configured or dynamically added.
NOTE:
IP source guard is a per-interface packet filter. The IP source guard function configured on one interface
does not affect packet forwarding on another interface.
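
A minimal Python model of the filter described above, added here as an illustration and not taken from the HP manual or the switch software. It assumes that a field absent from a binding entry is not checked; the port names, MAC addresses and VLAN IDs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding entry; a field left as None is not checked (assumption)."""
    interface: str
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, src_ip, src_mac, vlan):
        return (self.ip == src_ip
                and (self.mac is None or self.mac.lower() == src_mac.lower())
                and (self.vlan is None or self.vlan == vlan))

class SourceGuard:
    def __init__(self):
        self.enabled = set()   # interfaces with IP source guard configured
        self.entries = []      # static or dynamic binding entries

    def forward(self, interface, src_ip, src_mac, vlan):
        """Return True if the received packet is forwarded, False if dropped."""
        if interface not in self.enabled:
            return True        # per-interface filter: other ports are unaffected
        return any(e.interface == interface and e.matches(src_ip, src_mac, vlan)
                   for e in self.entries)

def demo():
    # Constructed sample data; 1.1.1.1 is the valid host address in Figure 63.
    sg = SourceGuard()
    sg.enabled.update({"port1", "port2"})
    valid, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    sg.entries.append(Binding("port1", "1.1.1.1"))             # IP-interface
    sg.entries.append(Binding("port2", "1.1.1.1", valid, 10))  # IP-MAC-VLAN-interface
    return {
        "port1 valid host": sg.forward("port1", "1.1.1.1", valid, 10),
        "port1 unbound source IP": sg.forward("port1", "1.1.1.2", valid, 10),
        "port1 bound IP, other MAC": sg.forward("port1", "1.1.1.1", other, 10),
        "port2 bound IP, other MAC": sg.forward("port2", "1.1.1.1", other, 10),
        "port2 bound IP and MAC, other VLAN": sg.forward("port2", "1.1.1.1", valid, 20),
        "port3 without IP source guard": sg.forward("port3", "9.9.9.9", other, 1),
    }

if __name__ == "__main__":
    for case, forwarded in demo().items():
        print(f"{case}: {'forward' if forwarded else 'drop'}")
```

In this model the IP-interface entry on port1 still forwards a packet that carries the bound IP address with a different MAC address, while the IP-MAC-VLAN-interface entry on port2 drops it.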

Static IP source guard entries

Static binding entries are configured manually. They are suitable for scenarios where few hosts exist on
a LAN and their IP addresses are manually configured. For example, you can configure a static binding
entry on an interface that connects a server, allowing the interface to receive packets only from the server.
IP source guard uses static IPv4 binding entries on an interface to filter IPv4 packets received by the
interface or cooperates with the ARP detection feature to check user validity. IP source guard uses static
IPv6 binding entries on an interface to filter IPv6 packets received by the interface.
For information about ARP detection, see "Configuring ARP attack protection."


This manual is also suitable for:

5900 series
