Configure Global IP Source Guard Function
Configuration Condition
None
Configure Global IP Source Guard Function
To protect a user's IP address and prevent other users from using it, configure the global IP Source Guard function to bind the user's IP address to its MAC address. The configured global IP Source Guard bound entries are written directly to the chip, which then filters invalid IP and ARP packets.
When the global Dynamic ARP Inspection function is enabled, the configured global IP Source Guard bound entries serve as the basis on which it checks the validity of ARP packets.
Table 4-6 Configure the global IP Source Guard function
| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | config terminal | - |
| Configure the global IP Source Guard function | source binding mac-address ip-address | Mandatory. By default, there is no global IP Source Guard bound entry and the function is disabled. The command enables the global IP Source Guard function and, at the same time, configures one global IP Source Guard bound entry. |
- If a Hybrid extended ACL is applied to the global (all ports) ingress, the application must be cancelled before the global IP Source Guard function can be configured; otherwise, the configuration fails. Refer to the ACL chapter of the configuration manual.
- At most 40 global IP Source Guard bound entries are supported. Once 40 entries exist, configuring another one fails.
- The configured global IP Source Guard bound entries are written directly to the chip, so the number of bound entries that can be written depends on the available chip entry resources. If the chip entry resources are used up and more global IP Source Guard bound entries need to be added, first delete some of the related bound entries that occupy chip entry resources.
- If the port IP Source Guard and global IP Source Guard functions are used at the same time, an IP packet received by the port must match the bound entries of both the port IP Source Guard and the global IP Source Guard to be forwarded. Otherwise, it is dropped.
- For the port Dynamic ARP Inspection function, refer to the Dynamic ARP Inspection chapter of the configuration manual.
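
A pre-deployment check for a planned set of global bindings, added here as an example (it is not vendor code, and the names `normalize_mac`, `validate_plan` and `SAMPLE_PLAN` are made up for it). It enforces the 40-entry limit from the notes above and flags entries that would undermine the binding. It assumes IPv4 addresses and one legitimate MAC per protected IP, and it does not emit commands because the switch's MAC notation is not given on this page.

```python
import ipaddress
import re

MAX_GLOBAL_BINDINGS = 40  # limit stated in the notes above


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address {mac!r}")
    if int(digits[:2], 16) & 1:
        # A host's source MAC is unicast; the group bit must be clear.
        raise ValueError(f"group (multicast/broadcast) MAC {mac!r}")
    return digits


def validate_plan(bindings, limit=MAX_GLOBAL_BINDINGS):
    """Check (mac, ip) string pairs; return (accepted, problems)."""
    accepted, problems, owner = [], [], {}
    for mac, ip in bindings:
        try:
            m = normalize_mac(mac)
            a = ipaddress.IPv4Address(ip)  # assumption: IPv4 bindings only
        except ValueError as exc:
            problems.append(f"{mac} {ip}: {exc}")
            continue
        if a in owner:
            # Assumption: each protected IP has exactly one legitimate MAC.
            kind = "duplicate" if owner[a] == m else "conflicts with " + owner[a]
            problems.append(f"{mac} {ip}: {kind}")
            continue
        if len(accepted) >= limit:
            problems.append(f"{mac} {ip}: exceeds the {limit}-entry limit")
            continue
        owner[a] = m
        accepted.append((m, str(a)))
    return accepted, problems


# Constructed sample plan (documentation-range addresses, made-up MACs).
SAMPLE_PLAN = [
    ("00:11:22:33:44:55", "192.0.2.10"),
    ("0011.2233.4466", "192.0.2.11"),
    ("00-11-22-33-44-77", "192.0.2.10"),   # same IP, different MAC
    ("01:00:5e:00:00:01", "192.0.2.12"),   # multicast MAC
    ("00:11:22:33:44:88", "192.0.2.300"),  # not a valid IPv4 address
]
```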