Dynamic ip source guard binding entries, Dynamic ipv4 source guard, Dynamic ipv6 source guard – H3C Technologies H3C S6300 Series Switches User Manual
• Cooperate with the ARP detection feature to check user validity.
IP source guard can use static IPv6 source guard binding entries on an interface to filter incoming IPv6
packets on the interface.
For information about ARP detection, see "Configuring ARP attack protection."
Static IP source guard binding entries can be global or interface-specific. IP source guard first uses the
interface-specific binding entries to match packets. If no match is found, IP source guard uses the global
binding entries.
• Global static binding entry—Binds the IP address and MAC address in system view. The binding
entry takes effect on all interfaces to filter packets for user spoofing attack prevention.
• Interface-specific static binding entry—Binds the IP address, MAC address, VLAN, or any
combination of the items in interface view. The binding entry takes effect only on the interface to
check the validity of users who are attempting to access the interface.
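The lookup order described above (interface-specific entries first, then global entries) can be modeled as follows. This is an added illustration, not H3C code or the switch's implementation; the class names, the interface names, the sample addresses, and the assumption that a packet matching no entry is dropped are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One static binding entry; a field left as None is not part of the binding."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, ip, mac, vlan):
        pairs = ((self.ip, ip), (self.mac, mac), (self.vlan, vlan))
        return all(want is None or want == got for want, got in pairs)

class SourceGuard:
    def __init__(self):
        self.global_entries = []  # bound in system view: IP address + MAC address
        self.per_interface = {}   # interface name -> entries bound in interface view

    def add_global(self, ip, mac):
        self.global_entries.append(Binding(ip=ip, mac=mac))

    def add_interface(self, ifname, ip=None, mac=None, vlan=None):
        # Interface view allows any combination of IP, MAC and VLAN, but not none.
        if ip is None and mac is None and vlan is None:
            raise ValueError("a binding needs at least one of ip, mac, vlan")
        self.per_interface.setdefault(ifname, []).append(Binding(ip, mac, vlan))

    def check(self, ifname, ip, mac, vlan):
        """Return the table that permitted the packet, or 'drop'."""
        if any(b.matches(ip, mac, vlan) for b in self.per_interface.get(ifname, [])):
            return "interface"    # interface-specific entries are tried first
        if any(b.matches(ip, mac, vlan) for b in self.global_entries):
            return "global"       # fall back to the global entries
        return "drop"             # assumption: unmatched packets are discarded

def demo():
    sg = SourceGuard()
    sg.add_global("192.0.2.10", "00:00:5e:00:53:0a")
    sg.add_interface("XGE1/0/1", ip="192.0.2.20", mac="00:00:5e:00:53:14", vlan=10)
    packets = [  # constructed sample packets: (interface, source IP, source MAC, VLAN)
        ("XGE1/0/1", "192.0.2.20", "00:00:5e:00:53:14", 10),  # interface entry
        ("XGE1/0/2", "192.0.2.10", "00:00:5e:00:53:0a", 20),  # global entry only
        ("XGE1/0/1", "192.0.2.20", "00:00:5e:00:53:ff", 10),  # spoofed MAC
    ]
    return [sg.check(*p) for p in packets]

if __name__ == "__main__":
    print(demo())
```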
Dynamic IP source guard binding entries
IP source guard automatically obtains user information from other modules to generate dynamic IP
source guard binding entries. The source modules include DHCP relay, DHCP snooping, DHCPv6
snooping, and DHCP server.
DHCP-based dynamic IP source guard is suitable for scenarios where hosts on a LAN obtain IP addresses
through DHCP. IP source guard is configured on the DHCP snooping device or the DHCP relay agent. It
generates dynamic IP source guard binding entries based on the DHCP snooping entries or DHCP relay
entries. IP source guard allows only packets from the DHCP clients to pass through. A user using an IP
address not obtained through DHCP cannot access the network.
Dynamic IPv4 source guard
Dynamic binding entries generated based on different source modules are for different usages:
Interface types | Source modules | Binding entry usage
Layer 2 Ethernet port | DHCP snooping | Packet filtering.
VLAN interface | DHCP relay agent | Packet filtering.
VLAN interface | DHCP server | For cooperation with modules (such as the ARP detection module) to provide security services.
For information about DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services
Configuration Guide.
Dynamic IPv6 source guard
IPv6 source guard on an interface obtains information from DHCPv6 snooping entries to generate IPv6
source guard binding entries for packet filtering.
For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
IP source guard configuration task list
To configure IPv4 source guard, perform the following tasks: