315
Static IP source guard binding entries
Static IP source guard binding entries are configured manually. They are suitable for scenarios where few
hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a
static IP source guard binding entry on an interface that connects to a server. This binding allows the
interface to receive packets only from the server.
IP source guard can use static IPv4 binding entries on an interface to implement the following functions:
• Filter incoming IPv4 packets on the interface.
• Cooperate with the ARP detection feature to check user validity.
IP source guard can use static IPv6 binding entries on an interface to filter incoming IPv6 packets on the
interface.
For information about ARP detection, see "Configuring ARP attack protection."
S
t
atic IP source guard binding entries can be global or interface-specific. IP source guard first uses the
interface-specific binding entries to match packets. If no match is found, IP source guard uses the global
binding entries.
• Global static binding entry—Binds the IP address and MAC address in system view. The binding
entry takes effect on all interfaces to filter packets for user spoofing attack prevention.
• Interface-specific static binding entry—Binds the IP address, MAC address, VLAN, or any
combination of the items in interface view. The binding entry takes effect only on the interface to
check the validity of users who are attempting to access the interface.
Dynamic IP source guard binding entries
IP source guard automatically obtains user information from other modules to generate dynamic IP
source guard binding entries. The source modules include DHCP relay, DHCP snooping, DHCPv6
snooping, and DHCP server.
DHCP-based dynamic IP source guard is suitable for scenarios where hosts on a LAN obtain IP addresses
through DHCP. IP source guard is configured on the DHCP snooping device or the DHCP relay agent. It
generates dynamic IP source guard binding entries based on the DHCP snooping entries or DHCP relay
entries. IP source guard allows only packets from the DHCP clients to pass through. A user using an IP
address not obtained through DHCP cannot access the network.
Dynamic IPv4 source guard
Dynamic binding entries generated based on different source modules are for different usages:
Interface t
es Source modules
Bindin
entr
usa
e
Layer 2 Ethernet port DHCP snooping Packet filtering.
Layer 3 Ethernet interface
Layer 3 Ethernet subinterface
Layer 3 aggregate interface
VLAN interface
DHCP relay agent Packet filtering.
DHCP server
For cooperation with modules (such as the
ARP detection module) to provide security
services.
For information about DHCP snooping, DHCP relay, and DHCP server see Layer 3—IP Services
Configuration Guide.
To Next Page
Loading...
Need help?
General
