291
Static IP source guard entries
A static IP source guard entry is configured manually. It is suitable for scenarios where only a few hosts
exist in a LAN and their IP addresses are manually configured. For example, you can configure a static
binding entry on a port that connects a server, allowing the port to receive packets from and send
packets to only the server.
According to the IP version, a static IP source guard entry is an IPv4 or IPv6 entry.
• A static IPv4 source guard entry filters IPv4 packets received by the port or checks the validity of
users by cooperating with the ARP detection feature.
• A static IPv6 source guard entry filters IPv6 packets received by the port or checks the validity of
users by cooperating with the ND detection feature.
NOTE:
• For information about ARP detection, see the chapter "ARP attack protection configuration."
• For information about ND detection, see the chapter "ND attack defense configuration."
Dynamic IP source guard entries
Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP
snooping or DHCP relay agent device. They are suitable for scenarios where many hosts reside in a LAN
and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard
automatically adds the client entry to allow the client to access the network. A user using an IP address
not obtained through DHCP cannot access the network. Dynamic IPv6 source guard entries can also be
obtained from client entries on the ND snooping device.
• Dynamic IPv4 source guard generates IPv4 source guard entries dynamically based on DHCP
snooping or DHCP relay entries to filter IPv4 packets received on a port.
• Dynamic IPv6 source guard generates IPv6 source guard entries dynamically based on DHCPv6
snooping or ND snooping entries to filter IPv6 packets received on a port.
NOTE:
• For information about DHCP snooping and DHCP relay, see the
Layer 3—IP Services Configuration
Guide
.
• For information about DHCPv6 snooping, see the
Layer 3—IP Services Configuration Guide
.
• For information about ND snooping, see the
Layer 3—IP Services Configuration Guide
.
Configuring IPv4 source guard
NOTE:
You cannot configure the IP source guard function on a port in an a
re
ation
roup, nor can you add a
port configured with IP source guard to an aggregation group.
Configuring static IPv4 source guard
Follow these steps to configure a port-based static IPv4 source guard entry:
To Next Page
Loading...
Need help?
General