12 ip source guard – PLANET WGSW-48000 User Manual

Page 110


User’s Manual of WGSW-48000


Trust Port: Selects the trust ports of the Dynamic ARP function.

Darp VLAN: Selects the VLAN(s) on which the Dynamic ARP function is enabled.

4.7.12 IP Source Guard

I. What is IP Source Guard?

IP Source Guard is a security feature that restricts client IP traffic to the source IP addresses configured in the DHCP Snooping Binding Database and in manually configured IP source bindings. For example, IP Source Guard can help prevent traffic attacks caused when a host tries to use the IP address of its neighbor.

II. How does IP Source Guard work?

IP Source Guard uses Port Access Control Lists (PACLs). When a DHCP Snooping or manually created source binding on a port is added, modified or removed, a corresponding PACL is created, modified or removed.

When IP Source Guard is enabled, packet transmission is permitted as follows:

- IPv4 traffic - Only IPv4 traffic with a source IP address that is associated with the specific port is permitted.

- Non-IPv4 traffic - All non-IPv4 traffic is permitted.

III. What is IP Source Guard Database?

The IP Source Guard Database displays the detailed information of the entries used by IP Source Guard.

IP Source Guard uses Ternary Content Addressable Memory (TCAM) resources, requiring one TCAM rule per IP Source Guard entry. If the number of IP Source Guard entries exceeds the number of TCAM rules available, new entries may remain inactive. When this happens, IP Source Guard shows the corresponding reason to the user; the possible values are:

- No Problem: No error occurred.

- Resource: No more TCAM resources are available right now.

- Port: IP Source Guard has not been enabled on the specified port yet.

- Unknown: Unknown error(s) occurred.

IV. What is 'Activate inactive entries'?

IP Source Guard can try to activate inactive entries periodically (1 to 1440 minutes); this can also be done manually.

- Retry interval: Try to activate inactive entries at the specified interval.

- Never: Never try to activate inactive entries.

- Retry Now: Click this button to activate inactive entries immediately.

V. What should users be aware of?

In common cases, DHCP Snooping must be enabled before you enable IP Source Guard. If it is not, the Binding Database is empty, so IP Source Guard drops all IPv4 packets on ports on which this feature is enabled, except DHCP packets.

If DHCP Snooping is disabled after IP Source Guard has been enabled, IP Source Guard can still work properly, but new entries will be unable to
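The following is an added example, not code from the PLANET manual or the WGSW-48000 firmware: a small Python model of the behaviour sections II to V describe, so the filtering rule, the per-entry TCAM accounting with its "Resource" and "Port" reason codes, and the "Retry Now" activation can be traced on concrete input. The port numbers, IP addresses and the TCAM capacity of two rules are constructed; the switch's real TCAM size is not given on this page. One point is an assumption of the model rather than a statement of the manual: an entry that stays inactive has no PACL installed, so traffic matching it is still dropped until a retry activates it.

```python
# Added example (not from the PLANET manual): a model of IP Source Guard (IPSG)
# as described in sections II-V. Ports, IPs and the TCAM capacity are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DHCP_PORTS = {(68, 67), (67, 68)}  # UDP client<->server ports: section V's DHCP exception


@dataclass
class Entry:
    """One IP Source Guard database entry (a port/IP binding)."""
    port: int
    ip: str
    active: bool = False        # True once a TCAM rule (the PACL) is installed
    reason: str = "No Problem"  # "No Problem" | "Resource" | "Port" | "Unknown"


@dataclass
class Packet:
    port: int                        # ingress port
    ethertype: str                   # "ipv4", "arp", "ipv6", ...
    src_ip: Optional[str] = None
    udp: Tuple[int, int] = (0, 0)    # (src port, dst port) for UDP, else (0, 0)


class IPSourceGuard:
    def __init__(self, tcam_capacity: int):
        self.capacity = tcam_capacity          # TCAM rules available to IPSG (constructed)
        self.enabled_ports: Set[int] = set()
        self.entries: List[Entry] = []

    def tcam_in_use(self) -> int:
        return sum(1 for e in self.entries if e.active)

    def enable_port(self, port: int) -> None:
        self.enabled_ports.add(port)

    def _try_activate(self, e: Entry) -> bool:
        """Install the PACL for one entry, recording the reason if that is not possible."""
        if e.port not in self.enabled_ports:
            e.active, e.reason = False, "Port"
        elif self.tcam_in_use() >= self.capacity:
            e.active, e.reason = False, "Resource"
        else:
            e.active, e.reason = True, "No Problem"
        return e.active

    def add_binding(self, port: int, ip: str) -> Entry:
        """A binding learned by DHCP Snooping or configured manually -> one PACL attempt."""
        e = Entry(port, ip)
        self.entries.append(e)
        self._try_activate(e)
        return e

    def remove_binding(self, port: int, ip: str) -> None:
        """Removing a binding removes its PACL and frees the TCAM rule."""
        self.entries = [e for e in self.entries if not (e.port == port and e.ip == ip)]

    def retry_now(self) -> int:
        """'Retry Now' / periodic retry: try to activate every inactive entry."""
        return sum(1 for e in self.entries if not e.active and self._try_activate(e))

    def permit(self, pkt: Packet) -> bool:
        """Forwarding decision for one ingress packet."""
        if pkt.port not in self.enabled_ports:
            return True                  # IPSG not enabled on this port
        if pkt.ethertype != "ipv4":
            return True                  # section II: non-IPv4 traffic is permitted
        if pkt.udp in DHCP_PORTS:
            return True                  # section V: DHCP still passes so hosts can get a lease
        # Only source IPs with an installed PACL on this port are allowed
        # (model assumption: an inactive entry has no PACL, so its traffic is dropped).
        return any(e.active and e.port == pkt.port and e.ip == pkt.src_ip
                   for e in self.entries)


def demo() -> dict:
    """Walk through the section's scenarios and return the observed decisions."""
    isg = IPSourceGuard(tcam_capacity=2)   # deliberately tiny to reach the Resource case
    isg.enable_port(1)
    isg.enable_port(2)
    a = isg.add_binding(1, "10.0.0.11")    # constructed bindings
    b = isg.add_binding(1, "10.0.0.12")
    c = isg.add_binding(2, "10.0.0.21")    # third rule: TCAM exhausted -> "Resource"
    d = isg.add_binding(3, "10.0.0.31")    # IPSG not enabled on port 3 -> "Port"
    out = {
        "reasons": [e.reason for e in (a, b, c, d)],
        "valid_host": isg.permit(Packet(1, "ipv4", "10.0.0.11")),
        "spoofed_neighbor": isg.permit(Packet(2, "ipv4", "10.0.0.11")),  # neighbor's IP
        "arp": isg.permit(Packet(1, "arp")),
        "inactive_entry": isg.permit(Packet(2, "ipv4", "10.0.0.21")),
        "dhcp_discover": isg.permit(Packet(2, "ipv4", "0.0.0.0", (68, 67))),
        "unguarded_port": isg.permit(Packet(5, "ipv4", "192.0.2.9")),
    }
    isg.remove_binding(1, "10.0.0.12")     # frees one TCAM rule
    out["activated_on_retry"] = isg.retry_now()
    out["reasons_after_retry"] = [e.reason for e in isg.entries]
    out["after_retry"] = isg.permit(Packet(2, "ipv4", "10.0.0.21"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the third binding stuck in "Resource" and the port-3 binding in "Port", the spoofed neighbor address dropped while ARP and DHCP pass, and the port-2 entry becoming active (and its traffic permitted) only after a rule is freed and "Retry Now" runs. The capacity check is done per entry, which is the one-TCAM-rule-per-entry accounting section III describes.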
