No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules The description covers configuration examples and function configurations.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPSG Overview

IPSG Overview

IP Source Guard (IPSG) defends against source address spoofing attacks.

Some attacks on networks aim at source IP addresses by accessing and using network resources through spoofing IP addresses, stealing users' information or blocking authorized users from accessing networks. IPSG can prevent source address spoofing attacks.

IPSG enables the device to check IP packets against dynamic and static DHCP entries. Before the device forwards an IP packet, it compares the source IP address, source Media Access Control (MAC) address, interface, and Virtual Local Area Network (VLAN) information in the IP packet with entries in the binding table. If an entry is matched, the device takes the IP packet as a valid packet and forwards an IP packet. Otherwise, the device takes the IP packet as an attack packet and discards the packet.

As shown in Figure 12-52, an attacker sends bogus packets to modify the outbound interface in the MAC address table on the Switch Module. Then replies are sent from the server to the attacker.

Figure 12-52 IP/MAC address spoofing attack

To prevent these attacks, you can configure IPSG on the Switch Module to check incoming IP packets against the binding entries. IP packets that match the binding entries are forwarded, and IP packets that do not match the binding entries are discarded.

Updated: 2019-08-09

Document ID: EDOC1000041694

Views: 59724

Downloads: 3623

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next