1 ip source guard configuration, Ip source guard overview, Configuring a static binding entry – H3C Technologies H3C S5120 Series Switches User Manual

1-1

1

IP Source Guard Configuration

When configuring IP Source Guard, go to these sections for information you are interested in:

z

IP Source Guard Overview

z

Configuring a Static Binding Entry

z

Configuring Dynamic Binding Function

z

Displaying and Maintaining IP Source Guard

z

IP Source Guard Configuration Examples

z

Troubleshooting IP Source Guard

IP Source Guard Overview

By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through,

thus improving the network security. After receiving a packet, the port looks up the key attributes

(including IP address, MAC address and VLAN tag) of the packet in the binding entries of the IP source

guard. If there is a match, the port forwards the packet. Otherwise, the port discards the packet.

IP source guard filters packets based on the following types of binding entries:

z

IP-port binding entry

z

MAC-port binding entry

z

IP-MAC-port binding entry

z

IP-VLAN-port binding entry

z

MAC-VLAN-port binding entry

z

IP-MAC-VLAN-port binding entry

You can manually set static binding entries, or use DHCP snooping to provide dynamic binding entries.

Binding is on a per-port basis. After a binding entry is configured on a port, it is effective only to the port.

Enabling IP source guard on a port is mutually exclusive with adding the port to an aggregation group

and adding the port to a service loopback group.

Configuring a Static Binding Entry

Follow these steps to configure a static binding entry:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter interface view

interface interface-type
interface-number

—