Overview
IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops packets that do not match the table.
The IP source guard binding table can include global and interface-specific binding entries. IP source guard first uses the interface-specific binding entries to match packets. If no match is found, IP source guard uses the global binding entries. The binding entries include the following types:
IP.
MAC.
IP-MAC.
IP source guard binding entries can be static or dynamic.
Static binding entries—Configured manually. Global IP source guard supports only static IP-MAC binding entries. For more information about global static IP source guard binding entries, see "Static IP source guard binding entries."
Dynamic binding entries—Generated based on information from other modules. For more information about dynamic binding entries, see "Dynamic IP source guard binding entries."
As shown in Figure 97, IP source guard forwards only the packets that match an IP source guard binding entry.
Figure 97: Diagram for the IP source guard feature
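The lookup order described above (interface-specific binding entries first, then global binding entries, otherwise drop) can be modeled as follows. This is an added example, not vendor code: the class and function names, the port names, and the sample addresses are assumptions made for illustration, and the model assumes IP source guard is active on every interface that is checked.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One binding entry. A field left as None is not checked (IP-only or MAC-only)."""
    ip: Optional[str] = None
    mac: Optional[str] = None

    def matches(self, src_ip, src_mac):
        ip_ok = self.ip is None or self.ip == src_ip
        mac_ok = self.mac is None or self.mac.lower() == src_mac.lower()
        return ip_ok and mac_ok


class SourceGuardTable:
    """Simplified model of the binding table (hypothetical, for illustration)."""

    def __init__(self):
        self.per_interface = {}   # interface name -> list of Binding
        self.global_entries = []  # IP-MAC bindings only

    def bind_interface(self, ifname, ip=None, mac=None):
        if ip is None and mac is None:
            raise ValueError("a binding needs an IP, a MAC, or both")
        self.per_interface.setdefault(ifname, []).append(Binding(ip, mac))

    def bind_global(self, ip, mac):
        # Global entries are IP-MAC only, so both fields are mandatory here.
        if not ip or not mac:
            raise ValueError("global bindings must be IP-MAC")
        self.global_entries.append(Binding(ip, mac))

    def check(self, ifname, src_ip, src_mac):
        """Return (verdict, scope of the entry that matched)."""
        if any(b.matches(src_ip, src_mac) for b in self.per_interface.get(ifname, [])):
            return ("forward", "interface")
        if any(b.matches(src_ip, src_mac) for b in self.global_entries):
            return ("forward", "global")
        return ("drop", None)


def build_demo_table():
    # Constructed sample data: documentation-range addresses, hypothetical port names.
    t = SourceGuardTable()
    t.bind_interface("port1", ip="192.0.2.10", mac="00:00:5e:00:53:01")  # IP-MAC
    t.bind_interface("port2", mac="00:00:5e:00:53:02")                   # MAC only
    t.bind_global("192.0.2.30", "00:00:5e:00:53:03")
    return t
```

An interface-specific entry is valid only on its own interface, so the port1 host's address pair is dropped when it appears on another port, while the global IP-MAC entry is accepted on any port.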