Static IP source guard entries
A static IP source guard entry is configured manually. It is suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a static binding entry on a port that connects to a server, so that the port receives packets only from, and sends packets only to, that server.
A static IPv4 source guard entry filters IPv4 packets received by the port or cooperates with the ARP detection feature to check user validity. A static IPv6 source guard entry filters IPv6 packets received by the port or checks the validity of users by cooperating with the ND detection feature. For information about ARP detection, see "Configuring ARP attack protection." For information about ND detection, see "Configuring ND attack defense."
A static IP source guard entry can be a global or port-based static binding entry.
Global static binding entry
A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all ports. A port forwards a packet when the packet's IP address and MAC address both match those of a global static binding entry or a static binding entry configured on the port.
Global static binding entries protect against host spoofing attacks, in which an attacker uses the IP address or MAC address of a legitimate user host.
Port-based static binding entry
A port-based static binding entry binds an IP address, MAC address, or any combination of the two with a port. Such an entry is effective only on the specified port. A port forwards a packet only when the packet's IP address and MAC address both match those in a static binding entry on the port or in a global static binding entry. All other packets are dropped.
Port-based static binding entries are used to check the validity of users who are trying to access a port.
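The forwarding decision described above for global and port-based entries can be modeled as follows. This is an added illustration, not device code or vendor configuration. It assumes IP source guard is enabled on the checked port and that an entry binding only an IP address or only a MAC address checks just that field; the port names and addresses are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Reduce any MAC notation (00:11:..., 0011-2233-4455) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None    # None: this entry does not bind an IP address
    mac: Optional[str] = None   # None: this entry does not bind a MAC address
    port: Optional[str] = None  # None: global entry, effective on all ports

    def __post_init__(self):
        if self.ip is None and self.mac is None:
            raise ValueError("an entry must bind an IP address, a MAC address, or both")
        if self.port is None and None in (self.ip, self.mac):
            raise ValueError("a global entry is a MAC-IP binding")

    def matches(self, port: str, src_ip: str, src_mac: str) -> bool:
        if self.port is not None and self.port != port:
            return False  # port-based entry configured on a different port
        if self.ip is not None and ipaddress.ip_address(self.ip) != ipaddress.ip_address(src_ip):
            return False
        if self.mac is not None and norm_mac(self.mac) != norm_mac(src_mac):
            return False
        return True


def permit(bindings, port: str, src_ip: str, src_mac: str) -> bool:
    """Forward only if a global entry or an entry on this port matches."""
    return any(b.matches(port, src_ip, src_mac) for b in bindings)


# Constructed sample table (documentation addresses, hypothetical port names).
BINDINGS = [
    Binding(ip="192.0.2.10", mac="0011-2233-4455"),                  # global
    Binding(ip="192.0.2.20", mac="00aa-bbcc-ddee", port="GE1/0/1"),  # server port
    Binding(ip="2001:db8::30", port="GE1/0/2"),                      # IP-only entry
]

if __name__ == "__main__":
    for pkt in [("GE1/0/3", "192.0.2.10", "00:11:22:33:44:55"),
                ("GE1/0/1", "192.0.2.20", "00:de:ad:be:ef:00"),
                ("GE1/0/2", "2001:0db8::0030", "00:de:ad:be:ef:00")]:
        print(pkt, "forward" if permit(BINDINGS, *pkt) else "drop")
```

The second sample packet carries the server's IP address with a different MAC address and is dropped, which is the host spoofing case the bindings exist to stop.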