Configuring the IPv4 source guard function; Enabling IPv4 source guard on a port - HP 10500 Series Configuration Manual

Security configuration guide

Configuring the IPv4 source guard function

You cannot enable IPv4 source guard on a link aggregation member port or a service loopback port. If
IPv4 source guard is enabled on a port, you cannot assign the port to a link aggregation group or a
service loopback group.

Enabling IPv4 source guard on a port

The IPv4 source guard function must be enabled on a port before the port can obtain dynamic IPv4
source guard entries and use static and dynamic IPv4 source guard entries to filter packets.
For information about how to configure a static binding entry, see "Configuring a static IPv4 source guard entry."
On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains
the DHCP snooping entries generated during dynamic IP address allocation, and generates IP
source guard entries accordingly.
On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP
relay entries generated during dynamic IP address allocation across network segments, and
generates IP source guard entries accordingly.
Dynamic IPv4 source guard entries can contain such information as the MAC address, IP address, VLAN
tag, ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address,
IP address, or VLAN tag information may not be included, depending on your configuration. IP source
guard applies these entries to the port to filter packets.
To generate IPv4 binding entries dynamically based on DHCP entries, make sure DHCP snooping or
DHCP relay is configured and working normally. For information about DHCP snooping configuration
and DHCP relay configuration, see Layer 3—IP Services Configuration Guide.
If you configure the IPv4 source guard function on a port multiple times, the most recent configuration
takes effect.
To configure the IPv4 source guard function on a port:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: Dynamic IPv4 source guard supports the following types of ports and interfaces: Layer 2 Ethernet ports, VLAN interfaces, and port groups.

Step 3. Enable IPv4 source guard on the port.
Command: ip verify source { ip-address | ip-address mac-address | mac-address }
Remarks: Disabled by default. The keyword specified in the ip verify source command is only for instructing the generation of dynamic IPv4 source guard entries. It does not affect static binding entries. When using a static binding entry, a port does not take the keyword into consideration.
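
The following Python model is an added example, not HP's implementation and not code from the manual. It shows how the keyword given to ip verify source decides which fields a dynamic entry carries, while static entries are matched exactly as written. The Port and Binding classes, dropping packets that match no entry, always recording the VLAN in dynamic entries, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    port: str
    ip: Optional[str] = None   # None: field is not part of the entry
    mac: Optional[str] = None
    vlan: Optional[int] = None
    kind: str = "static"       # or "dhcp-snooping" / "dhcp-relay"

    def matches(self, ip, mac, vlan):
        # Only the fields present in the entry are compared.
        pairs = ((self.ip, ip), (self.mac, mac), (self.vlan, vlan))
        return all(want is None or want == got for want, got in pairs)

class Port:
    KEYWORDS = ("ip-address", "ip-address mac-address", "mac-address")

    def __init__(self, name):
        self.name, self.keyword, self.static = name, None, []

    def ip_verify_source(self, keyword):
        if keyword not in self.KEYWORDS:
            raise ValueError(keyword)
        self.keyword = keyword  # the most recent configuration takes effect

    def dynamic_entries(self, dhcp_entries, kind="dhcp-snooping"):
        # The keyword selects which DHCP entry fields go into the dynamic entry.
        kw = self.keyword or ""
        return [Binding(self.name,
                        ip=e["ip"] if "ip-address" in kw else None,
                        mac=e["mac"] if "mac-address" in kw else None,
                        vlan=e["vlan"], kind=kind)  # assumption: VLAN always kept
                for e in dhcp_entries if kw and e["port"] == self.name]

    def permits(self, dhcp_entries, ip, mac, vlan):
        if self.keyword is None:  # source guard not enabled: nothing is filtered
            return True
        # Static entries are used as written; the keyword does not change them.
        table = self.static + self.dynamic_entries(dhcp_entries)
        return any(b.matches(ip, mac, vlan) for b in table)

# Constructed sample data (documentation address ranges).
SNOOPING = [{"port": "GE1/0/1", "ip": "192.0.2.10", "mac": "0000-5e00-5301", "vlan": 10}]

if __name__ == "__main__":
    p = Port("GE1/0/1")
    p.ip_verify_source("mac-address")
    print(p.permits(SNOOPING, "192.0.2.99", "0000-5e00-5301", 10))  # IP not checked
```

In this model, a port configured with the mac-address keyword accepts any source IP address from the bound MAC address, so binding both fields is the stricter choice where DHCP data provides them.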
