1-11 IP Source Guard ConfigurationThe S7900E Series Ethernet Switches are distributed devices supporting Intelligent ResilientFramework (IRF). Two S7900E series can be connected together to form a distributed IRF device. If anS7900E series is not in any IRF, it operates as a distributed device; if the S7900E series is in an IRF, itoperates as a distributed IRF device. For introduction of IRF, refer to IRF Configuration in the SystemVolume.When configuring IP Source Guard, go to these sections for information you are interested in:z IP Source Guard Overviewz Configuring a Static Binding Entryz Configuring the Dynamic Binding Functionz Displaying and Maintaining IP Source Guardz IP Source Guard Configuration Examplesz Troubleshooting IP Source GuardIP Source Guard OverviewBy filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling throughthe ports, so as to block illegal usages of network resources and improve the network security. Forexample, IP source guard can prevent an illegal host from pretending to be a legal user to access thenetwork. With IP source guard enabled on a port, after receiving a packet, the port looks up the keyattributes (including source IP address, source MAC address and VLAN tag) of the packet in the bindingentries of the IP source guard. If there is a match, the port forwards the packet. Otherwise, the portdiscards the packet. IP source guard bindings are on a per-port basis. After a binding entry is configuredon a port, it is effective only on the port.IP source guard filters packets based on the following types of binding entries:z IP-port binding entryz MAC-port binding entryz IP-MAC-port binding entryz IP-VLAN-port binding entryz MAC-VLAN-port binding entryz IP-MAC-VLAN-port binding entryAn IP source guard binding entry can be static or dynamic, depending on how the entry is created.z A static binding is configured manually. It is suitable when there are a few hosts in a LAN or youneed to configure a binding entry for a host separately.