3com S7906E Installationsanweisungen
1-1
1
IP Source Guard Configuration
The S7900E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7900E series can be connected together to form a distributed IRF device. If an
S7900E series is not in any IRF, it operates as a distributed device; if the S7900E series is in an IRF, it
operates as a distributed IRF device. For introduction of IRF, refer to IRF Configuration in the System
Volume.
When configuring IP Source Guard, go to these sections for information you are interested in:
z
z
z
z
z
z
IP Source Guard Overview
By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through
the ports, so as to block illegal usages of network resources and improve the network security. For
example, IP source guard can prevent an illegal host from pretending to be a legal user to access the
network. With IP source guard enabled on a port, after receiving a packet, the port looks up the key
attributes (including source IP address, source MAC address and VLAN tag) of the packet in the binding
entries of the IP source guard. If there is a match, the port forwards the packet. Otherwise, the port
discards the packet. IP source guard bindings are on a per-port basis. After a binding entry is configured
on a port, it is effective only on the port.
IP source guard filters packets based on the following types of binding entries:
z
IP-port binding entry
z
MAC-port binding entry
z
IP-MAC-port binding entry
z
IP-VLAN-port binding entry
z
MAC-VLAN-port binding entry
z
IP-MAC-VLAN-port binding entry
An IP source guard binding entry can be static or dynamic, depending on how the entry is created.
z
A static binding is configured manually. It is suitable when there are a few hosts in a LAN or you
need to configure a binding entry for a host separately.