Ike security mechanism, Protocols and standards, Configuring the ipv4 source guard function – H3C Technologies H3C S12500-X Series Switches User Manual

Page 219: Enabling ipv4 source guard on an interface

To configure IPv6 source guard, perform the following tasks:

Tasks at a glance

(Required.) Enabling IPv6 source guard on an interface

(Optional.) Configuring a static IPv6 source guard binding entry

Configuring the IPv4 source guard function

You cannot configure the IPv4 source guard function on a service loopback interface. If IPv4 source
guard is enabled on an interface, you cannot assign the interface to a service loopback group.

Enabling IPv4 source guard on an interface

You must first enable the IPv4 source guard function on an interface before the interface can provide the
following functions:

Obtain dynamic IPv4 source guard binding entries.

Use static and dynamic IPv4 source guard binding entries to filter packets or help other modules to provide security services.

All the fields in a static IPv4 source guard binding entry are used by IP source guard to filter packets. For information about how to configure a static IPv4 source guard binding entry, see "Configuring a static IPv4 source guard binding entry."

Dynamic IPv4 source guard binding entries can include the following information:

MAC addresses.

IPv4 addresses.

VLAN tags.

Ingress interface information.

Entry types (such as DHCP snooping and DHCP relay).

The information in an entry that is used by IP source guard to filter IPv4 packets is determined by the IPv4
source guard configuration on the interface:

If you bind both the source IP address and the source MAC address on the interface, the interface forwards a received packet only when the packet's source IP address and source MAC address both match a dynamic IPv4 source guard binding entry. If no match is found, the packet is dropped.

If you bind only the source IP address or only the source MAC address on the interface, the interface forwards a packet as long as the packet's source IP address or the packet's source MAC address matches a dynamic IPv4 source guard binding entry. If no match is found, the packet is dropped.
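The following Python model is an added example, not H3C code or anything from the manual. It applies the matching rules above to a constructed binding table so you can see which packets each binding choice forwards or drops. The names `BindMode`, `Binding`, `permits` and `evaluate`, the interface label `port-A`, the sample addresses, and the assumption that only entries recorded for the ingress interface are consulted are all hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class BindMode(Enum):              # what the interface is configured to bind
    IP_AND_MAC = "ip+mac"
    IP_ONLY = "ip"
    MAC_ONLY = "mac"

@dataclass(frozen=True)
class Binding:                     # fields the page lists for a dynamic entry
    ip: str
    mac: str
    vlan: int
    interface: str
    entry_type: str                # e.g. "dhcp-snooping" or "dhcp-relay"

def permits(mode, bindings, src_ip, src_mac, ingress):
    """Return True if the packet is forwarded, False if it is dropped."""
    for b in bindings:
        if b.interface != ingress:     # assumption: entries are per interface
            continue
        ip_ok = b.ip == src_ip
        mac_ok = b.mac.lower() == src_mac.lower()
        # Binding both fields requires both to match the same entry.
        if mode is BindMode.IP_AND_MAC and ip_ok and mac_ok:
            return True
        if mode is BindMode.IP_ONLY and ip_ok:
            return True
        if mode is BindMode.MAC_ONLY and mac_ok:
            return True
    return False                       # no matching entry: drop

# Constructed sample table and packets (documentation address ranges).
BINDINGS = [
    Binding("192.0.2.10", "00:00:5e:00:53:0a", 10, "port-A", "dhcp-snooping"),
    Binding("192.0.2.11", "00:00:5e:00:53:0b", 10, "port-A", "dhcp-snooping"),
]
PACKETS = {
    "host_a": ("192.0.2.10", "00:00:5e:00:53:0a"),      # matches entry 1
    "a_ip_b_mac": ("192.0.2.10", "00:00:5e:00:53:0b"),  # fields from two entries
    "unbound_ip": ("192.0.2.99", "00:00:5e:00:53:0a"),  # known MAC, unknown IP
    "unknown": ("192.0.2.99", "00:00:5e:00:53:ff"),     # nothing matches
}

def evaluate(mode, ingress="port-A"):
    return {n: permits(mode, BINDINGS, ip, mac, ingress)
            for n, (ip, mac) in PACKETS.items()}
```

In this model, only the combined IP and MAC binding drops the `a_ip_b_mac` packet, whose address fields each appear in the table but in different entries.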

To implement dynamic IPv4 source guard, make sure the DHCP snooping or DHCP relay function operates correctly on the network.

To enable the IPv4 source guard function on an interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
