Web Management Guide
Chapter 11 | Security Measures – IPv4 Source Guard – 307
If DHCP snooping is enabled, IPv4 source guard will check the VLAN ID,
source IP address, port number, and source MAC address (for the SIP-MAC
option). If a matching entry is found in the binding table and the entry type
is static IPv4 source guard binding, or dynamic DHCP snooping binding, the
packet will be forwarded.
If IPv4 source guard is enabled on an interface for which IPv4 source
bindings have not yet been configured (neither by static configuration in
the IPv4 source guard binding table nor dynamically learned from DHCP
snooping), the switch will drop all IP traffic on that port, except for DHCP
packets allowed by DHCP snooping.
Parameters
These parameters are displayed:
Filter Type – Configures the switch to filter inbound traffic based on source IP address, or on source IP address and corresponding MAC address. (Default: None)
  Disabled – Disables IPv4 source guard filtering on the port.
  SIP – Enables traffic filtering based on IP addresses stored in the binding table.
  SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table.
Filter Table – Sets the source guard learning model to search for addresses in the ACL binding table or the MAC address binding table. (Default: ACL binding table)
Max Binding Entry – The maximum number of entries that can be bound to an interface. (ACL Table: 1-16, default: 5; MAC Table: 1-1024, default: 1024)
This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see “DHCP Snooping” on page 318) and static entries set by IP source guard (see “Configuring Static Bindings for IP Source Guard” on page 308).
The maximum binding for ACL mode restricts the number of “active” entries
per port. If binding entries exceed the maximum number in IPv4 source guard,
only the maximum number of binding entries will be set. Dynamic binding
entries exceeding the maximum number will be created but will not be active.
The maximum binding for MAC mode restricts the number of MAC addresses
learned per port. Authenticated IP traffic with different source MAC addresses
cannot be learned if it would exceed this maximum number.
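The following is an added model of the forwarding decision described in this section (SIP versus SIP-MAC matching, the drop-all behaviour on a port with no bindings, and the ACL-mode rule that entries beyond Max Binding Entry exist but are not active). It is illustrative code written for this guide, not the switch vendor's implementation; the port name, addresses and the treatment of DHCP packets as always admitted are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str
    kind: str  # "static" (IPv4 source guard) or "dynamic" (DHCP snooping)

@dataclass
class SourceGuardPort:
    port: str
    filter_type: str = "disabled"  # "disabled", "sip" or "sip-mac"
    max_binding: int = 5           # ACL table default from the guide
    bindings: list = field(default_factory=list)

    def add_binding(self, b: Binding) -> bool:
        """Append an entry; returns False when it lands beyond max_binding
        (created but not active, as the guide describes for ACL mode)."""
        self.bindings.append(b)
        return len(self.bindings) <= self.max_binding

    def active(self) -> list:
        return self.bindings[: self.max_binding]

    def check(self, vlan: int, sip: str, smac: str, is_dhcp: bool = False) -> str:
        if self.filter_type == "disabled":
            return "forward"
        if is_dhcp:  # assumption: DHCP packets admitted by DHCP snooping
            return "forward"
        if not self.active():  # no bindings yet: drop all other IP traffic
            return "drop"
        for b in self.active():  # VLAN, source IP and port must all match
            if b.vlan == vlan and b.ip == sip and b.port == self.port:
                if self.filter_type == "sip" or b.mac == smac:  # SIP-MAC adds MAC
                    return "forward"
        return "drop"

def demo() -> dict:
    # Constructed sample data: one port in SIP-MAC mode, max 2 active entries.
    p = SourceGuardPort("eth1/5", "sip-mac", max_binding=2)
    p.add_binding(Binding(1, "10.0.0.10", "00:11:22:33:44:55", "eth1/5", "static"))
    p.add_binding(Binding(1, "10.0.0.11", "00:11:22:33:44:66", "eth1/5", "dynamic"))
    third_active = p.add_binding(Binding(1, "10.0.0.12", "00:11:22:33:44:77", "eth1/5", "dynamic"))
    empty = SourceGuardPort("eth1/6", "sip")
    return {
        "match": p.check(1, "10.0.0.10", "00:11:22:33:44:55"),
        "mac_mismatch": p.check(1, "10.0.0.10", "de:ad:be:ef:00:01"),
        "wrong_vlan": p.check(2, "10.0.0.10", "00:11:22:33:44:55"),
        "inactive_entry": p.check(1, "10.0.0.12", "00:11:22:33:44:77"),
        "third_active": third_active,
        "dhcp": empty.check(1, "0.0.0.0", "aa:bb:cc:dd:ee:ff", is_dhcp=True),
        "no_bindings": empty.check(1, "10.0.0.20", "aa:bb:cc:dd:ee:ff"),
    }
```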