IKE negotiation process, IP source guard configuration task list, Dynamic IP source guard binding entries – H3C Technologies H3C S12500-X Series Switches User Manual


static IP source guard binding entry on an interface that connects to a server, allowing the interface to receive packets only from the server.
IP source guard uses static IPv4 source guard binding entries on an interface to filter IPv4 packets received by the interface, or cooperates with the ARP detection feature to check user validity. IP source guard uses static IPv6 source guard binding entries on an interface to filter IPv6 packets received by the interface.
For information about ARP detection, see "Configuring ARP attack protection."


Dynamic IP source guard binding entries

IP source guard can automatically obtain user information from other modules to generate dynamic IP source guard binding entries. The modules that provide information for IP source guard include DHCP relay, DHCP snooping, and DHCP server.
Dynamic IP source guard is suitable for scenarios where many hosts reside on a LAN and obtain IP addresses through DHCP. After DHCP allocates an IP address to a host, the DHCP snooping device or DHCP relay agent generates a snooping entry or relay entry. Based on that entry, IP source guard adds a binding entry automatically, and the interface then forwards only packets that match a binding entry. If a user configures an IP address manually, no DHCP entry is generated, IP source guard cannot add a binding entry for the user, and the user's packets are dropped. A host that legitimately needs a fixed address therefore requires a static binding entry on its interface.
On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with different modules to generate IP source guard binding entries dynamically:

• On a Layer 2 Ethernet interface, IP source guard can cooperate with DHCP snooping. When a host on the port dynamically obtains an IP address from the DHCP server, IP source guard generates an IPv4 source guard binding entry according to the DHCP snooping entry recorded on the port.

• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can cooperate with the DHCP relay agent. When a host on the Layer 3 Ethernet interface or VLAN interface dynamically obtains an IP address across subnets, IP source guard generates an IPv4 source guard binding entry according to the DHCP relay entry recorded on the Layer 3 Ethernet interface or VLAN interface.

• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can also cooperate with the DHCP server. It generates dynamic IPv4 source guard binding entries according to the user information recorded by the DHCP server during IP address allocation. Such IPv4 source guard binding entries do not filter packets directly but help other modules (such as the ARP detection module) to provide security services.

For information about DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services Configuration Guide.

NOTE:

The switch does not support dynamic IPv6 source guard in the current release.
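The following configuration is an added example, not from the original manual, that puts the static and dynamic entry types described above together on one device: DHCP snooping feeds dynamic IPv4 bindings on a client-facing Layer 2 port, and a static binding pins a server with a fixed address on another port. Interface names, the IP address and the MAC address are placeholders, and the command syntax is Comware 7 as understood by the editor; check it against the command reference for the release in use.

```comware
# Added example, not from the original manual. Interface names, the
# 10.1.1.10 address and the MAC 0001-0203-0405 are placeholders; verify
# command syntax against the command reference for your release.
system-view

# DHCP snooping must be enabled so that snooping entries exist for
# IP source guard to turn into dynamic IPv4 binding entries.
dhcp snooping enable

# Uplink toward the DHCP server: mark it trusted so server replies
# arriving on it are accepted and recorded.
interface Ten-GigabitEthernet1/0/1
 dhcp snooping trust
 quit

# Access port with DHCP clients: record snooping entries on the port and
# enable dynamic IPv4 source guard. Only packets whose source IP and MAC
# match a binding on this port are forwarded; a host that assigns itself
# a static address never gets an entry and is dropped.
interface Ten-GigabitEthernet1/0/2
 dhcp snooping binding record
 ip verify source ip-address mac-address
 quit

# Port to a server with a fixed address: a static binding entry pins the
# (IP, MAC) pair so the port accepts packets only from that server.
interface Ten-GigabitEthernet1/0/3
 ip verify source ip-address mac-address
 ip source binding ip-address 10.1.1.10 mac-address 0001-0203-0405
 quit

# Verify what IP source guard has learned or been told.
display ip source binding
display ip source binding dhcp-snooping
display ip source binding static
```

The DHCP snooping entry for a client appears only after the client completes a DHCP exchange, so enabling `ip verify source` on a port whose clients already hold leases drops their traffic until they renew; either enable snooping before the filter or schedule the change for a lease renewal window. Bindings sourced from the DHCP server module (the third case above) are not used here because, as the text states, they do not filter packets themselves.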


IP source guard configuration task list

To configure IPv4 source guard, perform the following tasks:

Tasks at a glance

(Required.) Enabling IPv4 source guard on an interface

(Optional.) Configuring a static IPv4 source guard binding entry
