The IP Source Guard function is a packet filter function. It filters and controls the packets forwarded by a port, preventing invalid packets from passing through the port and improving port security. The function is divided into two kinds: port IP Source Guard and global IP Source Guard.
The port IP Source Guard function filters the IP packets received by the specified port. The filter mode includes IP, MAC, and IP+MAC. The specific processing modes are as follows:
- IP mode: If the source IP address and VLAN ID in the packet are the same as the IP address and VLAN ID recorded in the bound entries, the port forwards the packet. Otherwise, drop it.
- MAC mode: If the source MAC address and VLAN ID in the packet are the same as the MAC address and VLAN ID recorded in the bound entries, the port forwards the packet. Otherwise, drop it.
- IP+MAC mode: If the source IP address, source MAC address, and VLAN ID in the packet are the same as the IP address, MAC address and VLAN ID recorded in the bound entries, the port forwards the packet. Otherwise, drop the packet.
The filter type setting takes effect only for dynamic bound entries; it does not affect static bound entries.
The bound entries of the port IP Source Guard are of two kinds:
- Static bound entries, which are manually configured port IP Source Guard static bound entries.
- Dynamic bound entries, dynamically generated by the valid entries of the DHCP Snooping function.
The global IP Source Guard function filters the packets received by all ports, including ARP and IP packets. The specific filter modes are as follows:
- If the source IP address in the IP packet is the same as the IP address in the global IP Source Guard bound entries, but the source MAC address is different, or the source MAC address in the IP packet is the same as the MAC address in the global IP Source Guard bound entries, but the source IP address is different, drop the packet.
- If the sender IP address in the ARP packet is the same as the IP address in the bound entries, but the source MAC address is different, or the source MAC address in the ARP packet is the same as the MAC address in the bound entries, but the sender IP address is different, drop the packet.
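
The following Python model is an added example, not the vendor's code or configuration. It puts the three port filter modes and the global filter side by side to show that the port function forwards only on a match, while the global function drops only on a partial match. The function names and all addresses are constructed for illustration; static bound entries are left out because the text does not say how they are matched, and global entries are modelled as IP+MAC pairs only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:            # one bound entry
    ip: str
    mac: str
    vlan: int

@dataclass(frozen=True)
class Packet:
    src_ip: str           # for an ARP packet: the sender IP address
    src_mac: str
    vlan: int

def port_permits(pkt, dynamic_entries, mode):
    """Port IP Source Guard: forward only if a dynamic entry matches in `mode`."""
    for b in dynamic_entries:
        if pkt.vlan != b.vlan:        # VLAN ID is compared in every port mode
            continue
        ip_ok = pkt.src_ip == b.ip
        mac_ok = pkt.src_mac == b.mac
        if (mode == "ip" and ip_ok) or (mode == "mac" and mac_ok) \
                or (mode == "ip+mac" and ip_ok and mac_ok):
            return True
    return False                      # no matching entry: drop

def global_permits(pkt, global_entries):
    """Global IP Source Guard: drop only when exactly one of IP/MAC matches an entry."""
    for b in global_entries:
        # b.vlan is ignored here: the global rules compare IP and MAC only
        if (pkt.src_ip == b.ip) != (pkt.src_mac == b.mac):
            return False
    return True

# Constructed sample data (documentation address ranges)
ENTRIES = [Binding("192.0.2.10", "00:00:5e:00:53:01", 10)]
LEGIT = Packet("192.0.2.10", "00:00:5e:00:53:01", 10)
MISMATCH = Packet("192.0.2.10", "00:00:5e:00:53:99", 10)   # bound IP, other MAC
UNKNOWN = Packet("192.0.2.77", "00:00:5e:00:53:77", 10)    # neither field bound

def decision_table():
    rows = {}
    for name, pkt in (("legit", LEGIT), ("mismatch", MISMATCH), ("unknown", UNKNOWN)):
        rows[name] = {m: port_permits(pkt, ENTRIES, m) for m in ("ip", "mac", "ip+mac")}
        rows[name]["global"] = global_permits(pkt, ENTRIES)
    return rows

if __name__ == "__main__":
    print(decision_table())
```

In this model the mismatch packet still passes the port filter in IP mode, and the unknown host passes the global filter, which is why the mode and the scope of the bound entries matter when deciding what each function actually protects.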