IP source guard overview

IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent invalid hosts from using a valid IP address to access the network.

IP source guard can filter packets according to the source IP address and source MAC address of each packet. It supports these types of binding entries:

After receiving a packet, an IP source guard-enabled port obtains the key attributes of the packet (source IP address and source MAC address) and looks them up in the IP source guard binding entries. If there is a match, the port forwards the packet. Otherwise, the port discards the packet, as shown in Figure 108.

Figure 108: Diagram for the IP source guard function

A binding entry can be statically configured or dynamically added.
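
The lookup described above, modelled as an added example (it is not code from the original page or from any switch firmware). It assumes each binding entry pairs one source IP address with one source MAC address on a port and that a port without the feature enabled forwards everything; `GuardedPort`, `bind`, `check` and all addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 0001-0203-0405 and 00:01:02:03:04:05 compare equal."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

@dataclass
class GuardedPort:
    name: str
    enabled: bool = True  # assumption: a port without the feature does no filtering
    # (source IP, source MAC) -> origin of the entry ("static" or "dynamic")
    bindings: dict = field(default_factory=dict)

    def bind(self, ip: str, mac: str, origin: str = "static") -> None:
        if origin not in ("static", "dynamic"):
            raise ValueError(f"unknown origin: {origin!r}")
        self.bindings[(ipaddress.ip_address(ip), norm_mac(mac))] = origin

    def check(self, src_ip: str, src_mac: str) -> str:
        """Return 'forward' or 'discard' for one received packet."""
        if not self.enabled:
            return "forward"
        try:
            key = (ipaddress.ip_address(src_ip), norm_mac(src_mac))
        except ValueError:
            return "discard"  # unparsable attributes can never match an entry
        return "forward" if key in self.bindings else "discard"

def demo() -> list:
    port = GuardedPort("port-1")
    port.bind("192.168.0.10", "0001-0203-0405", "static")
    port.bind("192.168.0.11", "00:01:02:03:04:06", "dynamic")
    packets = [  # constructed sample traffic
        ("192.168.0.10", "00:01:02:03:04:05"),  # bound host
        ("192.168.0.10", "00:aa:bb:cc:dd:ee"),  # invalid host using a valid IP
        ("192.168.0.99", "00:01:02:03:04:05"),  # bound MAC, unbound IP
        ("192.168.0.11", "0001-0203-0406"),     # host behind the dynamic entry
    ]
    return [port.check(ip, mac) for ip, mac in packets]

if __name__ == "__main__":
    print(demo())
```

The second packet is the case named in the overview: an invalid host borrowing a valid IP address fails the lookup because its source MAC address does not match the entry.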