IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled. IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.
Use the Security > IP Source Guard > General page to set the filtering type based on source IP address, or source IP address and MAC address pairs. It also specifies lookup within the ACL binding table or the MAC address binding table, as well as the maximum number of allowed binding entries for the lookup tables.
IP Source Guard is used to filter traffic on an insecure port which receives messages from outside the network or fire wall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
Configures the switch to filter inbound traffic based source IP address, or source IP address and corresponding MAC address. (Default: None)
Disables IP source guard filtering on the port.
Enables traffic filtering based on IP addresses stored in the binding table.
Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table.
Sets the source guard learning model to search for addresses in the ACL binding table or the MAC address binding table. (Default: ACL binding table)
The maximum number of entries that can be bound to an interface. (ACL Table: 1-5, Default: 5; MAC Table: 1-32, Default: 16)
This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by IP source guard.