Ip source-guard – LevelOne GTL-2691 User Manual

Page 957


CHAPTER 29 | General Security Measures

IP Source Guard


EXAMPLE

This example configures a static source-guard binding on port 5.

Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config-if)#

RELATED COMMANDS

ip source-guard (957)

ip dhcp snooping (947)

ip dhcp snooping vlan (952)

ip source-guard

This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.

SYNTAX

ip source-guard {sip | sip-mac}
no ip source-guard

sip - Filters traffic based on IP addresses stored in the binding table.

sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.

DEFAULT SETTING

Disabled

COMMAND MODE

Interface Configuration (Ethernet)

COMMAND USAGE

Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.

Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port. Use the “sip” option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the “sip-mac” option to check these same parameters, plus the source MAC address. Use the no ip source-guard command to disable this function on the selected port.

When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
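The difference between the two modes described above, as an added Python model (not switch firmware and not code from the manual). The class and function names are hypothetical, the second binding and the test frames are constructed sample data, and it assumes a frame with no matching entry is dropped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:  # one row of the binding table (static or learned via DHCP snooping)
    mac: str
    vlan: int
    ip: str
    port: str

@dataclass(frozen=True)
class Frame:  # the fields of an inbound frame that source guard inspects
    port: str
    vlan: int
    src_ip: str
    src_mac: str

def norm_mac(mac):
    # Treat 11-22-33-44-55-66 and 11:22:33:44:55:66 as the same address.
    return mac.replace("-", "").replace(":", "").lower()

def permitted(frame, bindings, mode):
    """True if the frame passes source guard; mode is None (disabled), 'sip' or 'sip-mac'."""
    if mode is None:  # default setting: nothing is filtered
        return True
    if mode not in ("sip", "sip-mac"):
        raise ValueError(f"unknown source-guard mode: {mode}")
    for b in bindings:
        # Both modes check VLAN ID, source IP address and port number.
        if (b.port, b.vlan, b.ip) != (frame.port, frame.vlan, frame.src_ip):
            continue
        # sip-mac additionally checks the source MAC address.
        if mode == "sip" or norm_mac(b.mac) == norm_mac(frame.src_mac):
            return True
    return False  # assumption: no matching entry means the frame is dropped

# Constructed sample data: the static binding from the manual's example plus
# one hypothetical entry of the kind DHCP snooping would learn on port 1/6.
BINDINGS = [
    Binding("11-22-33-44-55-66", 1, "192.168.0.99", "1/5"),
    Binding("aa-bb-cc-00-00-01", 1, "192.168.0.50", "1/6"),
]
OWNER = Frame("1/5", 1, "192.168.0.99", "11-22-33-44-55-66")
OTHER_MAC = Frame("1/5", 1, "192.168.0.99", "02-00-00-00-00-01")
OTHER_PORT = Frame("1/5", 1, "192.168.0.50", "aa-bb-cc-00-00-01")

if __name__ == "__main__":
    for mode in (None, "sip", "sip-mac"):
        for f in (OWNER, OTHER_MAC, OTHER_PORT):
            print(mode, f, "forward" if permitted(f, BINDINGS, mode) else "drop")
```

In this model a frame on port 1/5 that carries the bound IP address but a different MAC address is forwarded under sip and dropped under sip-mac, so sip-mac is the mode that ties the address to a specific host.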
