Overview

IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface.

The IPSG bindings fall into the following types:

IPSG bindings can be static or dynamic.

As shown in Figure 196, IPSG forwards only the packets that match an IPSG binding.

Figure 191: IPSG application
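
The filtering behaviour described above, modelled in Python as an added example (not code from this page or from any device vendor). It assumes a binding matches on source IP address and source MAC address; the `Binding` and `Interface` classes, the interface names and the addresses are constructed for illustration.

```python
"""Toy model of a per-interface IPSG filter (added example, not vendor code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    # Assumption: a binding matches on source IP plus source MAC.
    ip: str
    mac: str
    kind: str = "static"  # "static" or "dynamic"


@dataclass
class Interface:
    name: str
    ipsg_enabled: bool = False
    bindings: set = field(default_factory=set)

    def bind(self, ip, mac, kind="static"):
        self.bindings.add(Binding(ip, mac.lower(), kind))

    def check(self, src_ip, src_mac):
        """Return 'forward' or 'drop' for a packet received on this interface."""
        if not self.ipsg_enabled:
            return "forward"  # IPSG is per-interface: no filter applies here
        key = (src_ip, src_mac.lower())
        hit = any((b.ip, b.mac) == key for b in self.bindings)
        return "forward" if hit else "drop"


def demo():
    # Constructed sample interfaces and packets.
    access = Interface("port1", ipsg_enabled=True)
    uplink = Interface("port2")  # IPSG not configured on this interface
    access.bind("192.0.2.10", "00:11:22:33:44:55")             # static entry
    access.bind("192.0.2.20", "00:11:22:33:44:66", "dynamic")  # dynamic entry
    packets = [
        (access, "192.0.2.10", "00:11:22:33:44:55"),  # matches static binding
        (access, "192.0.2.20", "00:11:22:33:44:66"),  # matches dynamic binding
        (access, "192.0.2.10", "00:11:22:33:44:99"),  # bound IP, wrong MAC
        (access, "192.0.2.99", "00:11:22:33:44:55"),  # unbound source IP
        (uplink, "192.0.2.99", "00:11:22:33:44:55"),  # same packet, other port
    ]
    return [(i.name, ip, i.check(ip, mac)) for i, ip, mac in packets]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The last two packets are identical: the one arriving on `port1` is dropped, while the one on `port2` is forwarded because no IPSG filter is configured there.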