Configuring a static ip source guard entry, Figure 13-1 – H3C Technologies H3C S7500E Series Switches User Manual

13-2

entries are on a per-port basis. After a binding entry is configured on a port, it is effective only

on the port.

Figure 13-1 Diagram for the IP source guard function

IP network

Illegal host

Legal host

Enable the IP source guard function on
the port for user access

An IP source guard binding entry can be static or dynamic, depending on how the entry is

created.

z

A static IP source guard binding entry is configured manually. It is suitable when there are a

few hosts in a LAN or you need to configure a binding entry for a host separately.

z

A dynamic IP source guard binding entry is implemented in cooperation with DHCP

snooping or DHCP Relay. It is suitable when there are many hosts in a LAN, and DHCP is

used to allocate IP addresses to the hosts. Once DHCP allocates an IP address for a user,

the IP source guard function will automatically add a binding entry based on the DHCP

entry to allow the user to access the network. If a user specifies an IP address instead of

getting one through DHCP, the user will not trigger DHCP to allocate an IP address, and

therefore no IP source guard binding will be added for the user to access the network. In

this way, IP address collision and theft are prevented.

You cannot configure the IP source guard function on a port in a service loopback group or an

aggregation group, nor can you add a port configured with IP source guard to an aggregation

group or a service loopback group.

Configuring a Static IP Source Guard Entry

Follow these steps to configure a static IP source guard binding entry:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter interface view

interface interface-type

interface-number

—