IKE security mechanism, Protocols and standards, Configuring the IPv4 source guard function – H3C Technologies H3C S12500-X Series Switches User Manual
Page 219: Enabling IPv4 source guard on an interface

To configure IPv6 source guard, perform the following tasks:
Tasks at a glance
• (Required.) Enabling IPv6 source guard on an interface
• (Optional.) Configuring a static IPv6 source guard binding entry
Configuring the IPv4 source guard function
You cannot configure the IPv4 source guard function on a service loopback interface. If IPv4 source
guard is enabled on an interface, you cannot assign the interface to a service loopback group.
Enabling IPv4 source guard on an interface
You must first enable the IPv4 source guard function on an interface before the interface can provide the
following functions:
• Obtain dynamic IPv4 source guard binding entries.
• Use static and dynamic IPv4 source guard binding entries to filter packets or help other modules to
provide security services.
All the fields in a static IPv4 source guard binding entry are used by IP source guard to filter packets. For
information about how to configure a static IPv4 source guard binding entry, see "Configuring a static
IPv4 source guard binding entry."
Dynamic IPv4 source guard binding entries can include the following information:
• MAC addresses.
• IPv4 addresses.
• VLAN tags.
• Ingress interface information.
• Entry types (such as DHCP snooping and DHCP relay).
The information in an entry that is used by IP source guard to filter IPv4 packets is determined by the IPv4
source guard configuration on the interface:
• If you bind both the source IP address and the source MAC address on the interface, the interface
forwards a received packet only when the packet's source IP address and source MAC address
both match a dynamic IPv4 source guard binding entry. If no match is found, the packet is dropped.
• If you bind only the source IP address or only the source MAC address on the interface, the interface
forwards a packet as long as the packet's source IP address or the packet's source MAC address
matches a dynamic IPv4 source guard binding entry. If no match is found, the packet is dropped.
To implement dynamic IPv4 source guard, make sure the DHCP snooping or DHCP relay function
operates correctly on the network.
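The forwarding decision described above, modelled as an added example (not code from the H3C manual or the switch software). The mode labels, the port name and all addresses are constructed, and limiting matches to the packet's ingress interface and VLAN is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:  # fields of a dynamic binding entry as listed above
    mac: str
    ip: str
    vlan: int
    interface: str
    entry_type: str  # e.g. "DHCP snooping" or "DHCP relay"

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    vlan: int
    interface: str

def permits(mode, bindings, pkt):
    """Return True to forward, False to drop. mode is a hypothetical label
    for what is bound on the interface; limiting candidates to the packet's
    ingress interface and VLAN is an assumption of this model."""
    if mode not in ("ip-mac", "ip", "mac"):
        raise ValueError(f"unknown mode: {mode}")
    for b in bindings:
        if (b.interface, b.vlan) != (pkt.interface, pkt.vlan):
            continue
        ip_ok = b.ip == pkt.src_ip
        mac_ok = b.mac.lower() == pkt.src_mac.lower()
        # "ip-mac" needs both fields to match the same entry.
        if {"ip-mac": ip_ok and mac_ok, "ip": ip_ok, "mac": mac_ok}[mode]:
            return True
    return False  # no matching entry: drop

# Constructed sample data: documentation addresses, made-up port name.
BINDINGS = [
    Binding("00:00:5e:00:53:01", "192.0.2.10", 10, "XGE1/0/1", "DHCP snooping"),
    Binding("00:00:5e:00:53:02", "192.0.2.11", 10, "XGE1/0/1", "DHCP snooping"),
]
LEGIT = Packet("00:00:5e:00:53:01", "192.0.2.10", 10, "XGE1/0/1")
# Second host's MAC sourcing from the first host's address on the same port.
MISMATCH = Packet("00:00:5e:00:53:02", "192.0.2.10", 10, "XGE1/0/1")
UNKNOWN = Packet("00:00:5e:00:53:99", "192.0.2.99", 10, "XGE1/0/1")

def decision_table():
    """Forward/drop result per mode for LEGIT, MISMATCH, UNKNOWN."""
    return {m: [permits(m, BINDINGS, p) for p in (LEGIT, MISMATCH, UNKNOWN)]
            for m in ("ip-mac", "ip", "mac")}

if __name__ == "__main__":
    print(decision_table())
```

In this model only the combined IP and MAC binding drops the MISMATCH packet; with a single-field binding it is forwarded because one of its fields matches some entry.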
To enable the IPv4 source guard function on an interface:
Step | Command | Remarks
1. Enter system view. | system-view | N/A