Overview

IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface.

The IPSG binding table can include global and interface-specific bindings. IPSG first uses the interface-specific bindings to match packets. If no match is found, IPSG uses the global bindings. The IPSG bindings fall into the following types:

IPSG bindings can be static or dynamic.

As shown in Figure 127, IPSG forwards only the packets that match an IPSG binding.

Figure 126: IPSG application
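The lookup order described above (interface-specific bindings first, then global bindings, drop on no match) can be modeled as follows. This is an added example, not vendor code: the binding fields (source IP plus optional source MAC), the class and function names, the interface names, and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: str                     # assumed field: permitted source IP
    mac: Optional[str] = None   # assumed field: permitted source MAC (None = not checked)
    origin: str = "static"      # "static" or "dynamic"

    def matches(self, src_ip: str, src_mac: str) -> bool:
        mac_ok = self.mac is None or self.mac.lower() == src_mac.lower()
        return self.ip == src_ip and mac_ok

class IpsgTable:
    def __init__(self):
        self.global_bindings = []       # apply to every IPSG-enabled interface
        self.interface_bindings = {}    # interface name -> list of Binding
        self.enabled = set()            # IPSG is a per-interface filter

    def enable(self, interface: str) -> None:
        self.enabled.add(interface)

    def add(self, binding: Binding, interface: Optional[str] = None) -> None:
        if interface is None:
            self.global_bindings.append(binding)
        else:
            self.interface_bindings.setdefault(interface, []).append(binding)

    def check(self, interface: str, src_ip: str, src_mac: str):
        """Return (verdict, reason) for a packet received on `interface`."""
        if interface not in self.enabled:
            return ("forward", "ipsg-disabled")   # other interfaces are unaffected
        for b in self.interface_bindings.get(interface, []):
            if b.matches(src_ip, src_mac):
                return ("forward", "interface-binding")
        for b in self.global_bindings:            # consulted only after no interface match
            if b.matches(src_ip, src_mac):
                return ("forward", "global-binding")
        return ("drop", "no-binding")

def build_sample_table() -> IpsgTable:
    """Constructed sample: two IPSG-enabled ports, one untouched port."""
    t = IpsgTable()
    t.enable("GE1/0/1")
    t.enable("GE1/0/2")
    t.add(Binding("192.0.2.10", "00:11:22:33:44:55"), interface="GE1/0/1")
    t.add(Binding("192.0.2.50", origin="dynamic"))   # global, IP-only
    return t

if __name__ == "__main__":
    table = build_sample_table()
    print(table.check("GE1/0/1", "192.0.2.10", "de:ad:be:ef:00:01"))
```

The last call models a host on GE1/0/1 sending with a bound IP address but an unbound MAC address, which is dropped because neither the interface-specific nor the global bindings match.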