Configuring IP source guard; IP source guard overview; Static IP source guard entries - HP 10500 Series Configuration Manual

Security configuration guide

Configuring IP source guard

This chapter describes how to configure IP source guard.

IP source guard overview

IP source guard is intended to improve port security by blocking illegal packets. For example, it can
prevent invalid hosts from using a valid IP address to access the network.
IP source guard can filter packets according to the packet source IP address and source MAC address.
It supports these types of binding entries:
IP-port binding entry
MAC-port binding entry
IP-MAC-port binding entry
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address
and source MAC address) of the packet and then looks them up in the IP source guard entries. If there is
a match, the port forwards the packet. Otherwise, the port discards the packet, as shown in Figure 92.
Figure 92 Diagram for the IP source guard function
A binding entry can be statically configured or dynamically added.
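
The lookup described above can be modelled in a few lines. This is an added illustration, not code or configuration from the HP manual: the port names, addresses and the Binding and filter_packet names are hypothetical, and the model covers only ports on which IP source guard is enabled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-..., or H-H-H notation to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    port: str
    ip: Optional[str] = None   # set in IP-port and IP-MAC-port entries
    mac: Optional[str] = None  # set in MAC-port and IP-MAC-port entries

    def __post_init__(self):
        if self.ip is None and self.mac is None:
            raise ValueError("a binding entry needs an IP address, a MAC address, or both")

    def matches(self, port: str, src_ip: str, src_mac: str) -> bool:
        # Every attribute the entry specifies must equal the packet's attribute.
        if port != self.port:
            return False
        if self.ip is not None and ipaddress.ip_address(self.ip) != ipaddress.ip_address(src_ip):
            return False
        if self.mac is not None and norm_mac(self.mac) != norm_mac(src_mac):
            return False
        return True


def filter_packet(bindings, port: str, src_ip: str, src_mac: str) -> str:
    """Forward only if some entry bound to the receiving port matches the packet."""
    hit = any(b.matches(port, src_ip, src_mac) for b in bindings)
    return "forward" if hit else "discard"


# Constructed sample table; port names and addresses are hypothetical.
TABLE = [
    Binding("GE1/0/1", ip="192.0.2.10", mac="0001-0203-0406"),  # IP-MAC-port
    Binding("GE1/0/2", ip="192.0.2.20"),                        # IP-port
    Binding("GE1/0/3", mac="0001-0203-0407"),                   # MAC-port
    Binding("GE1/0/4", ip="2001:db8::10"),                      # IPv6 IP-port
]
```

With the IP-MAC-port entry on GE1/0/1, a host that presents the valid IP address 192.0.2.10 from a different MAC address is discarded, which is the case the overview describes.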

Static IP source guard entries

A static IP source guard entry is configured manually. IP source guard entries are suitable for a LAN that
has only a few hosts and the hosts use statically configured IP addresses. For example, you can configure
an IP source guard entry on a port connecting a server, permitting only the packets exchanged with the
server to pass the port.
Static IPv4 source guard entries—Filter IPv4 packets received by the port or cooperate with the ARP
detection feature to check user validity.
Static IPv6 source guard entries—Filter IPv6 packets received by the port.
For more information about the ARP detection feature, see "Configuring ARP attack protection."
A static IP source guard entry can be a global or port-based static binding entry.
