R3303-HP HSR6800 Routers Security Configuration Guide

A static IPv4 source guard entry binds an IP address, MAC address, VLAN, or any combination of the
three with a port. Such an entry is effective on only the specified port. A port forwards a packet only
when the IP address, MAC address, and VLAN tag (if any) of the packet all match those in a static
binding entry on the port. All other packets will be dropped.
The router does not support static IPv6 source guard entries.
Dynamic IP source guard entries
Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP
snooping device or the DHCP relay agent device. They are applicable in cases where many hosts reside
on a LAN and obtain IP addresses through DHCP.
Once DHCP allocates an IP address to a client, IP source guard automatically adds the client entry to
allow the client to access the network. Users with IP addresses not obtained through DHCP cannot access
the network.
Dynamic IPv4 source guard entries are generated dynamically based on DHCP snooping or DHCP relay
entries to filter incoming IPv4 packets on a port. For information about DHCP snooping and DHCP relay,
see Layer 3—IP Services Configuration Guide.
The router does not support dynamic IPv6 source guard entries.
Configuring IPv4 source guard
To configure IPv4 source guard:
Task                                                       Remarks
Enabling IPv4 source guard on a port                       Required.
Configuring a static IPv4 source guard entry               Optional.
Setting the maximum number of IPv4 source guard entries    Optional.
Enabling IPv4 source guard on a port
The IPv4 source guard function must be enabled on a port before the port can obtain dynamic IPv4
source guard entries and use static and dynamic IPv4 source guard entries to filter packets.
For information about how to configure a static binding entry, see "Configuring a static IPv4 source
guard entry."
On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains
the DHCP snooping entries generated during dynamic IP address allocation, and generates IP
source guard entries accordingly.
On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP
relay entries generated during dynamic IP address allocation across network segments, and
generates IP source guard entries accordingly.
Dynamic IPv4 source guard entries can contain such information as the MAC address, IP address, VLAN
tag, ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address,
IP address, or VLAN tag information may not be included depending on your configuration. IP source
guard applies these entries to the port to filter packets.
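The following Python model is an added example, not HP code or router configuration. It shows how static and dynamic IPv4 source guard entries decide whether a port forwards a packet: an entry applies only on its own port, every field it binds must match, and nothing is filtered or learned on a port where the function is not enabled. The class names, the port names GE1 to GE3, and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    port: str
    ip: Optional[str] = None    # None means the entry does not bind this field
    mac: Optional[str] = None
    vlan: Optional[int] = None
    origin: str = "static"      # or "dhcp-snooping" / "dhcp-relay"

    def matches(self, port, ip, mac, vlan):
        # Effective only on its own port; every field the entry binds must match.
        return (self.port == port and self.ip in (None, ip)
                and self.mac in (None, mac.lower())
                and self.vlan in (None, vlan))

class SourceGuard:
    def __init__(self):
        self.enabled, self.entries = set(), []

    def enable(self, port):
        self.enabled.add(port)

    def add_static(self, port, ip=None, mac=None, vlan=None):
        self.entries.append(Binding(port, ip, mac.lower() if mac else None, vlan))

    def learn_dhcp(self, port, ip, mac, vlan=None, origin="dhcp-snooping"):
        # A port obtains dynamic entries only after source guard is enabled on it.
        if port in self.enabled:
            self.entries.append(Binding(port, ip, mac.lower(), vlan, origin))

    def permits(self, port, ip, mac, vlan=None):
        if port not in self.enabled:
            return True         # function not enabled on this port: no filtering
        return any(e.matches(port, ip, mac, vlan) for e in self.entries)

def build_demo():
    # Constructed sample data: documentation addresses, made-up port names.
    sg = SourceGuard()
    sg.enable("GE1"); sg.enable("GE2")
    sg.add_static("GE1", ip="192.0.2.10", mac="00-00-5E-00-53-01")
    sg.learn_dhcp("GE2", "192.0.2.20", "00-00-5E-00-53-02", vlan=10)
    sg.learn_dhcp("GE3", "192.0.2.30", "00-00-5E-00-53-03")  # ignored: not enabled
    return sg

if __name__ == "__main__":
    sg = build_demo()
    print(sg.permits("GE1", "192.0.2.10", "00-00-5e-00-53-01"))      # bound host
    print(sg.permits("GE2", "192.0.2.99", "00-00-5e-00-53-02", 10))  # self-assigned IP
```

The second call models a host on GE2 that keeps its DHCP-learned MAC and VLAN but sets its own IP address; no entry matches, so the packet is dropped.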