IP source guard

FastDPI BRAS allows you to control the correspondence of VLAN tags and IP addresses for subscribers. When assigning IP addresses using DHCP the fastDPI BRAS stores VLAN/QinQ subscriber tags in its UDR database and and then uses this data to control whether the source IP address and VLAN tag match.

To enable IP source guard mode you should set the value of bras_ip_source_guard option in the fastdpi.conf:

• 0 – IP source guard is disabled. It is the default value.
• 1 – IP source guard is enabled and is only applicable to active sessions. If the session resides in unknown state (after the fastDPI is restarted), then the IP source guard will not be used,so a packet will be forwarded.

The packet will be forwarded in the following cases:

• bras_ip_source_guard=1: conditions are met
  • Session is active and packet VLAN tags are the same as registered in DHCP request ones
  • Session state is unknown

If the conditions are not met the package will be dropped.

IP source guard is used just in case of outbound traffic (from LAN to WAN).

Stingray Service Gateway 7.4+: the AS termination mode is added. The IP source guard is used only to those source IPs, where AS is marked as term .