Implementing IP Source Guard (IPSG) on Huawei Switches.

Basic Concepts

Some attackers forge the IP addresses of authorized users to obtain network access rights and access networks. As a result, authorized users are unable to access networks, or sensitive information may be intercepted. IP source guard provides a mechanism to effectively defend against IP address spoofing attacks.
IPSG checks IP packets on Layer 2 interfaces against a binding table that contains the bindings of source IP addresses, source MAC addresses, VLAN IDs and inbound interfaces. Binding tables include static binding tables and dynamic DHCP snooping binding tables.

Networking Description

As shown in the figure, PCs are configured with static IP addresses for unified management. IPSG is configured on the access switch to prevent hosts from changing their own IP addresses to access the network.
- Configure a static binding table.
- Enable IPSG and configure the alarm function.

Step 1: Configure a static binding table on the access switch.

*******************************************ACC_1 
system-view
sysname ACC_1

vlan 10
interface Ethernet 0/0/1
 port link-type access
 port default vlan 10 
 #
interface Ethernet 0/0/2
 port link-type access
 port default vlan 10 
 #
user-bind static mac-address 5489-98DB-29BD ip-address 10.1.1.1 
user-bind static ip-address 10.1.1.10 mac-address 5489-9896-2D5B vlan 10

Step 2: Enable IPSG and configure the alarm function for the IP packet check on the interfaces.

*******************************************ACC_1 
interface Ethernet0/0/1
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 120
 #
interface Ethernet0/0/2
 ip source check user-bind enable
 ip source check user-bind alarm enable
 ip source check user-bind alarm threshold 120

Step 3: Check the static binding table on the switch.

PC1 and PC2 can access the internet using the statically configured IP addresses, and cannot access the internet after changing their IP addresses.
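
The check described above can be modelled offline. The following is an added example, not part of the original article and not Huawei code: it parses the two user-bind static lines from Step 1 and applies a simplified matching rule to constructed packets. The function and class names, the rule that a field missing from an entry is not checked, and the alarm firing once discards exceed the threshold are assumptions of this model.

```python
import re

# The two static entries from Step 1, copied in the page's own syntax.
CONFIG = """\
user-bind static mac-address 5489-98DB-29BD ip-address 10.1.1.1
user-bind static ip-address 10.1.1.10 mac-address 5489-9896-2D5B vlan 10
"""
FIELDS = {"ip-address": "ip", "mac-address": "mac", "vlan": "vlan"}

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(text):
    """Parse 'user-bind static' lines; a field absent from an entry is not checked."""
    table = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["user-bind", "static"]:
            continue
        entry = {FIELDS[k]: v for k, v in zip(tok[2::2], tok[3::2]) if k in FIELDS}
        if "mac" in entry:
            entry["mac"] = norm_mac(entry["mac"])
        if "vlan" in entry:
            entry["vlan"] = int(entry["vlan"])
        table.append(entry)
    return table

def permits(table, pkt):
    """Assumed rule: forward only if one entry agrees on every field it carries."""
    pkt = dict(pkt, mac=norm_mac(pkt["mac"]))
    return any(all(pkt.get(f) == v for f, v in e.items()) for e in table)

class Port:
    """One IPSG-enabled interface: discard counter plus the page's threshold of 120."""
    def __init__(self, table, threshold=120):
        self.table, self.threshold, self.dropped = table, threshold, 0

    def receive(self, pkt):
        if permits(self.table, pkt):
            return "forward"
        self.dropped += 1
        # Assumption: the alarm fires once discards exceed the threshold.
        return "alarm" if self.dropped > self.threshold else "discard"

if __name__ == "__main__":
    port = Port(parse_bindings(CONFIG))
    pc1 = {"ip": "10.1.1.1", "mac": "5489-98DB-29BD", "vlan": 10}   # constructed packet
    print(port.receive(pc1))                                        # matches entry 1
    print(port.receive(dict(pc1, ip="10.1.1.20")))                  # PC1 changed its IP
    print(port.receive(dict(pc1, vlan=20)))                         # entry 1 has no VLAN
```

In this model the first entry, which carries no vlan keyword, matches its IP and MAC pair in any VLAN, while the second entry matches only in VLAN 10.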

