IKE negotiation process, IP source guard configuration task list, Dynamic IP source guard binding entries – H3C Technologies H3C S12500-X Series Switches User Manual

static IP source guard binding entry on an interface that connects to a server, allowing the interface to
receive packets only from the server.
IP source guard uses static IPv4 source guard binding entries on an interface to filter IPv4 packets received
by the interface, or cooperates with the ARP detection feature to check user validity. IP source guard uses
static IPv6 source guard binding entries on an interface to filter IPv6 packets received by the interface.
For information about ARP detection, see "Configuring ARP attack protection."
Dynamic IP source guard binding entries
IP source guard can automatically obtain user information from other modules to generate dynamic IP
source guard binding entries. The modules that provide information for IP source guard include DHCP
relay, DHCP snooping, and DHCP server.
Dynamic IP source guard is suitable for scenarios where many hosts reside on a LAN and obtain IP
addresses through DHCP. After DHCP allocates an IP address to a host, the DHCP snooping device or
DHCP relay agent generates a snooping entry or relay entry. Based on the entry, IP source guard adds
a binding entry automatically. It allows only packets matching the binding entry to pass through. If a user
specifies an IP address manually, no DHCP entry is generated and IP source guard cannot add a binding
entry for the user. Therefore, packets of the user will be dropped.
On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with
different modules to generate IP source guard binding entries dynamically:
• On a Layer 2 Ethernet interface, IP source guard can cooperate with DHCP snooping. When a host
  on the port dynamically obtains an IP address from the DHCP server, IP source guard generates an
  IPv4 source guard binding entry according to the recorded DHCP snooping entry on the port.
• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can cooperate with the DHCP
  relay agent. When a host on the Layer 3 Ethernet interface or VLAN interface dynamically obtains
  an IP address across subnets, IP source guard generates an IPv4 source guard binding entry
  according to the recorded DHCP relay entry on the Layer 3 Ethernet interface or VLAN interface.
• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can also cooperate with the
  DHCP server. It generates dynamic IPv4 source guard binding entries according to the user
  information recorded by the DHCP server during IP address allocation. Such IPv4 source guard
  binding entries do not filter packets directly but help other modules (such as the ARP detection
  module) to provide security services.
For information about DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services
Configuration Guide.
NOTE:
The switch does not support dynamic IPv6 source guard in the current release.
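The binding behavior described in this section, as an added Python model that is not H3C code or switch configuration. It assumes a packet matches an entry on source IP plus source MAC; the interface names, addresses, and function names are constructed for the illustration.

```python
# Added illustration: toy model of dynamic IPv4 source guard (not H3C code).
from dataclasses import dataclass, field

# Module that supplies entries per interface type, as listed in the text.
ALLOWED_SOURCES = {"L2": {"snooping"}, "L3": {"relay", "server"}}
# Entries derived from the DHCP server do not filter packets directly.
FILTERING_SOURCES = {"snooping", "relay"}

@dataclass
class Interface:
    name: str
    kind: str  # "L2" Ethernet, or "L3" (Layer 3 Ethernet or VLAN interface)
    bindings: dict = field(default_factory=dict)  # (ip, mac) -> {source modules}

    def learn(self, source, ip, mac):
        """Add a dynamic binding after a DHCP module records an allocation."""
        if source not in ALLOWED_SOURCES[self.kind]:
            raise ValueError(f"{source} entries are not used on {self.kind} interfaces")
        self.bindings.setdefault((ip, mac.lower()), set()).add(source)

    def permits(self, src_ip, src_mac):
        """Pass a packet only if it matches a filtering binding entry.
        Assumption: the match is on source IP plus source MAC."""
        sources = self.bindings.get((src_ip, src_mac.lower()), set())
        return bool(sources & FILTERING_SOURCES)

    def known_user(self, ip, mac):
        """Lookup for other modules (such as ARP detection) to check a user."""
        return (ip, mac.lower()) in self.bindings

def demo():
    # Constructed sample data: documentation-range addresses, made-up MACs.
    port = Interface("access-port", "L2")
    port.learn("snooping", "192.0.2.10", "00:11:22:33:44:55")
    vlan_if = Interface("vlan-interface", "L3")
    vlan_if.learn("server", "198.51.100.7", "00:AA:BB:CC:DD:EE")
    return {
        "dhcp_host": port.permits("192.0.2.10", "00:11:22:33:44:55"),
        "manual_ip": port.permits("192.0.2.99", "00:11:22:33:44:66"),
        "ip_mac_mismatch": port.permits("192.0.2.10", "00:11:22:33:44:66"),
        "server_entry_filters": vlan_if.permits("198.51.100.7", "00:aa:bb:cc:dd:ee"),
        "server_entry_known": vlan_if.known_user("198.51.100.7", "00:aa:bb:cc:dd:ee"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `manual_ip` case is the manually addressed host from the text: no DHCP entry exists for it, so no binding is created and its packets do not pass.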
IP source guard configuration task list
To configure IPv4 source guard, perform the following tasks:
Tasks at a glance:
• (Required.) Enabling IPv4 source guard on an interface
• (Optional.) Configuring a static IPv4 source guard binding entry