H3C Technologies H3C S3600 Series Switches User Manual
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Create a static binding | ip source static binding ip-address ip-address [ mac-address mac-address ] | Optional. By default, no IP static binding entry is created. |
| Enable IP filtering: based on the DHCP-snooping table and the IP static binding table | ip check source ip-address [ mac-address ] [ qos-profile string ] | Either command is required. By default, this function is disabled. |
| Enable IP filtering: based on authenticated 802.1x clients | ip check dot1x enable | Either command is required. By default, this function is disabled. |
- For details about 802.1x authentication, refer to 802.1x and System Guard Operation.
- Configuring IP filtering on the ports of an aggregation group is not recommended.
- Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering based on the DHCP-snooping table.
- To implement IP filtering based on IP-to-MAC bindings of authenticated 802.1x clients, the device assigns an ACL to each such binding. If an ACL cannot be assigned to a binding, the corresponding authenticated 802.1x client is forced to go offline.
- IP filtering based on IP-to-MAC bindings of authenticated 802.1x clients must be associated with 802.1x based on MAC address authentication, and requires 802.1x clients to provide IP addresses; otherwise, the IP addresses of 802.1x clients cannot be obtained. To ensure that the IP addresses of DHCP clients can be updated in the corresponding IP-to-MAC entries, enabling the 802.1x authentication handshake function is recommended; otherwise, you need to disable 802.1x authentication triggered by DHCP, to ensure normal receiving and forwarding of multicast authentication packets.
- When IP filtering is enabled on a port with the mac-address keyword specified, a static binding created on that port must include the mac-address argument; otherwise, packets sent from this IP address cannot pass the IP filtering.
- A static entry has a higher priority than a dynamic DHCP snooping entry that has the same IP address. That is, if the static entry is configured after the dynamic entry is recorded, the static entry overwrites the dynamic entry; if the static entry is configured before DHCP snooping is enabled, no DHCP client can obtain the IP address of the static entry, so the dynamic DHCP snooping entry cannot be generated.
- The VLAN ID of the IP static binding configured on a port is the VLAN ID of the port.
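
An added example, not taken from the H3C manual: a small Python audit of a saved configuration that flags two of the caveats in the notes above, a port that filters on IP and MAC while one of its static bindings omits mac-address, and ip check source configured while DHCP snooping is not enabled. The saved-config layout, the global dhcp-snooping line, the sample addresses and the function name audit are assumptions of this example.

```python
import re

# Constructed sample config, not from the manual. The saved-config layout and
# the global "dhcp-snooping" enable line are assumptions of this example.
SAMPLE_CONFIG = """\
interface Ethernet1/0/2
 ip check source ip-address mac-address
 ip source static binding ip-address 1.1.1.1
 ip source static binding ip-address 1.1.1.2 mac-address 0001-0001-0002
#
interface Ethernet1/0/3
 ip check source ip-address
 ip source static binding ip-address 1.1.1.3
#
"""

BINDING = re.compile(r"^ip source static binding ip-address (\S+)(?: mac-address (\S+))?$")


def audit(config):
    """Return (port, message) findings for two caveats from the notes."""
    ports, port, snooping = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "dhcp-snooping":
            snooping = True
        elif line.startswith("interface "):
            port = line.split(None, 1)[1]
            ports[port] = {"check": None, "bindings": []}
        elif line == "#":
            port = None  # end of the current interface section
        elif port and line.startswith("ip check source ip-address"):
            ports[port]["check"] = "ip+mac" if "mac-address" in line.split() else "ip"
        elif port and (m := BINDING.match(line)):
            ports[port]["bindings"].append(m.groups())
    findings = []
    for name, cfg in ports.items():
        if cfg["check"] and not snooping:
            findings.append((name, "ip check source set, DHCP snooping off"))
        if cfg["check"] == "ip+mac":
            for ip, mac in cfg["bindings"]:
                if mac is None:  # this IP can never pass the IP+MAC filter
                    findings.append((name, f"binding {ip} lacks mac-address"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

On Ethernet1/0/3 the binding without a MAC is not flagged, because that port filters on the IP address only.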