Dynamic Ip Source Guard Binding Entries; Configuration Task List - HP 3600 v2 Series Configuration Manual


For information about ARP detection, see "Configuring ARP attack protection." For information about ND detection, see "Configuring ND attack defense."
Static IP source guard binding entries can be global or interface-specific.
Global static binding entry—Binds the IP address and MAC address in system view. The binding entry takes effect on all interfaces to filter packets for user spoofing attack prevention.
Interface-specific static binding entry—Binds the IP address, MAC address, or the combination of the items in interface view. The binding entry takes effect only on the interface to check the validity of users who are attempting to access the interface.

Dynamic IP source guard binding entries

IP source guard can automatically obtain user information from other modules to generate IP source guard binding entries.
Dynamic IPv4 source guard binding entries can be generated based on 802.1X, DHCP snooping, or DHCP relay entries.
Dynamic IPv6 source guard binding entries can be generated based on DHCPv6 snooping or ND snooping entries.
For more information about 802.1X, see Security Configuration Guide.
For information about DHCP snooping, DHCP relay, DHCPv6 snooping, and ND snooping, see Layer 3—IP Services Configuration Guide.

DHCP-based dynamic binding entries

DHCP-based dynamic IP source guard binding entries are generated based on DHCP snooping entries or DHCP relay entries. They are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically adds the entry to allow the client to access the network. A user using an IP address not obtained through DHCP cannot access the network.

802.1X-based dynamic binding entries

When the network is using 802.1X, you can configure IP source guard to use 802.1X security entries to generate IP source guard binding entries. How the 802.1X security entries are generated depends on the clients' support for uploading IP addresses.
If the 802.1X clients support uploading IP addresses, the switch creates 802.1X security entries after the IP addresses are uploaded.
If the 802.1X clients do not support uploading IP addresses, the switch creates 802.1X security entries based on DHCP snooping. Make sure DHCP snooping is configured on the switch.
In addition, you can enable the 802.1X IP freezing function on the authentication port. The port saves the IP address of an authenticated 802.1X user in the binding entry and does not update the IP address. If the user changes the IP address, the port denies the user access to the network.
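
The binding behaviour described in this section, as an added Python model that is not part of the manual and not HP's code: it shows how global and interface-specific static entries, DHCP-based dynamic entries, and 802.1X IP freezing decide whether a packet's source is accepted. It assumes IP source guard is enabled on every port in the model and that one dynamic entry exists per port and MAC address; the class, method, and port names and all addresses are hypothetical sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Binding:
    ip: Optional[str]     # None: field is not part of the binding
    mac: Optional[str]
    port: Optional[str]   # None: global entry, effective on all interfaces
    origin: str           # "static", "dhcp" (snooping/relay) or "dot1x"
    frozen: bool = False  # 802.1X IP freezing: saved IP is never updated

    def matches(self, port, ip, mac):
        return (self.port in (None, port) and self.ip in (None, ip)
                and self.mac in (None, mac))

class SourceGuard:
    def __init__(self):
        self.table = []

    def add_static(self, ip=None, mac=None, port=None):
        # Global entries bind IP and MAC; interface entries may bind either.
        if port is None and None in (ip, mac):
            raise ValueError("global static entry needs both IP and MAC")
        self.table.append(Binding(ip, mac, port, "static"))

    def learn(self, origin, port, ip, mac, freeze=False):
        """Create or refresh the dynamic entry for (port, mac)."""
        for b in self.table:
            if b.origin != "static" and (b.port, b.mac) == (port, mac):
                if not b.frozen:  # a frozen entry keeps its first IP
                    b.ip, b.origin = ip, origin
                return b
        self.table.append(Binding(ip, mac, port, origin, freeze))
        return self.table[-1]

    def permits(self, port, ip, mac):
        """Forward a packet only if its source matches a binding entry."""
        return any(b.matches(port, ip, mac) for b in self.table)

def demo():
    """Constructed table: port names and addresses are sample values."""
    g = SourceGuard()
    g.add_static("192.0.2.1", "00:00:5e:00:53:01")            # global
    g.add_static(ip="192.0.2.50", port="Eth1/0/2")             # interface, IP only
    g.learn("dhcp", "Eth1/0/3", "192.0.2.100", "00:00:5e:00:53:aa")
    g.learn("dot1x", "Eth1/0/4", "192.0.2.120", "00:00:5e:00:53:bb", freeze=True)
    g.learn("dhcp", "Eth1/0/4", "192.0.2.121", "00:00:5e:00:53:bb")  # no update
    return g
```

Calling `demo().permits(port, ip, mac)` with a self-assigned address on a DHCP-bound port, or with a changed address on the frozen 802.1X port, returns `False`.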

Configuration task list

Complete the following tasks to configure IPv4 source guard:
