Overview of Host Guard
The Host Guard function is mainly used on access layer devices to prevent ARP packets forged by an attacker from corrupting the ARP table of a terminal device. The host IP addresses protected by Host Guard are usually those of the gateway device and of important servers in the network.
The Host Guard function involves two concepts:
- Host Guard group: a set of Host Guard group rules, that is, the set of protected host IP addresses;
- Host Guard group rule: one protected host IP address.
The working principle of the Host Guard function is as follows:
Figure 10–1 The brief diagram of the Host Guard function
As shown in the above figure, the Attacker can use the IP address 192.168.1.1 of the Server to forge an ARP packet and send it to the PC via the Device, corrupting the ARP table on the PC. As a result, the PC cannot access the Server normally.
On the Device, after the IP address of the Server, 192.168.1.1, is applied as a Host Guard group rule to port te0/2, every received ARP packet whose sender IP address equals the IP address of the Server is checked against its receiving port: if the receiving port is te0/2, the packet is processed normally; if the receiving port is not te0/2, the packet is dropped. That is, ARP packets sent by the Server can only be forwarded via port te0/2, and the ARP packet forged by the Attacker is dropped.
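The following added example (not part of the manual, and not the device's own implementation) models the check described above in Python: it parses the sender protocol address out of an Ethernet/ARP frame and applies a Host Guard group keyed on the protected IP and its allowed port. It assumes Host Guard inspects only IPv4-over-Ethernet ARP packets, uses the port names and addresses from the figure, and constructs its own sample frames.

```python
import struct

ETHERTYPE_ARP = 0x0806
# IPv4-over-Ethernet ARP body: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP_IPV4 = struct.Struct("!HHBBH6s4s6s4s")

# Host Guard group (assumed representation): protected host IP -> the only port
# on which ARP packets carrying that sender IP are accepted. Rule from the text.
HOST_GUARD_GROUP = {"192.168.1.1": "te0/2"}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_frame(sender_mac, sender_ip, target_mac, target_ip, oper=2):
    """Construct a sample Ethernet/ARP frame (oper=2 is an ARP reply). Test data only."""
    eth_header = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp_body = ARP_IPV4.pack(1, 0x0800, 6, 4, oper,
                             _mac(sender_mac), _ip(sender_ip),
                             _mac(target_mac), _ip(target_ip))
    return eth_header + arp_body


def arp_sender_ip(frame):
    """Return the sender IP of an IPv4 ARP frame as dotted text, or None if not IPv4 ARP."""
    if len(frame) < 14 + ARP_IPV4.size:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper, _sha, spa, _tha, _tpa = ARP_IPV4.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ".".join(str(b) for b in spa)


def host_guard_decision(frame, ingress_port, group=HOST_GUARD_GROUP):
    """Apply the Host Guard rule: a protected sender IP is accepted only on its bound port."""
    spa = arp_sender_ip(frame)
    if spa is None or spa not in group:
        return "forward"          # not IPv4 ARP, or sender IP not protected: untouched
    return "forward" if ingress_port == group[spa] else "drop"


if __name__ == "__main__":
    forged = build_arp_frame("00:11:22:33:44:55", "192.168.1.1",
                             "aa:bb:cc:dd:ee:ff", "192.168.1.100")
    print(host_guard_decision(forged, "te0/1"))  # Attacker's port: drop
    print(host_guard_decision(forged, "te0/2"))  # Server's port: forward
```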