R21xx-HP FlexFabric 11900 Security Command Reference

You cannot configure static IPv4 source guard binding entries on an interface that is in a service
loopback group.
Examples
# On interface Ten-GigabitEthernet 1/0/1, configure a static IPv4 source binding entry to allow only the
packets whose source IP address is 192.168.0.1 and source MAC address is 0001-0001-0001 to pass.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
Related commands
display ip source binding
ip verify source
Use ip verify source to enable the IPv4 source guard function.
Use undo ip verify source to restore the default.
Syntax
ip verify source ip-address [ mac-address ]
undo ip verify source
Default
The IPv4 source guard function is disabled on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
Parameters
ip-address: Binds source IPv4 addresses to the interface. With this keyword specified, IP source guard
filters packets received on the interface according to the source IPv4 addresses of the packets.
mac-address: Binds source MAC addresses to the interface. With this keyword specified, IP source guard
also checks the source MAC address of each packet received on the interface, and permits the packet
only when both the source IPv4 and MAC addresses of the packet match a dynamic binding entry.
Usage guidelines
After you enable IPv4 source guard on an interface, IP source guard can dynamically obtain IPv4
binding entries from other modules and use static and dynamic IPv4 source guard binding entries to filter
IPv4 packets on the interface. If a packet matches a binding entry, IP source guard forwards the packet.
Otherwise, it drops the packet.
The modules that provide dynamic binding information for IP source guard include DHCP relay, DHCP
snooping, and DHCP server. IP source guard uses the dynamic binding entries created by DHCP relay
and DHCP snooping to filter packets. The dynamic binding entries that IP source guard learns from DHCP
server modules are not used to filter packets; other modules use them to provide security services.
You cannot configure dynamic IPv4 source guard on a service loopback interface.
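
The filtering rule described in the usage guidelines, as a simplified Python model added here (it is not HP code and covers only what this page states). The names Binding, normalize, permits and TABLE and the two DHCP-learned entries are constructed for illustration; the static entry is the one from the example on this page.

```python
from dataclasses import dataclass

# Entry sources named on this page. Entries learned from the DHCP server
# module are held for other modules and are not used to filter packets.
FILTERING_SOURCES = {"static", "dhcp-snooping", "dhcp-relay"}

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    source: str  # "static", "dhcp-snooping", "dhcp-relay" or "dhcp-server"

def normalize(mac: str) -> str:
    """Reduce 0001-0001-0001 or 00:01:00:01:00:01 to twelve hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def permits(bindings, src_ip: str, src_mac: str, check_mac: bool) -> bool:
    """True if the packet is forwarded, False if it is dropped.

    check_mac=False models `ip verify source ip-address`;
    check_mac=True models `ip verify source ip-address mac-address`.
    """
    for b in bindings:
        if b.source not in FILTERING_SOURCES:
            continue  # learned from DHCP server: never used for filtering
        if b.ip != src_ip:
            continue
        if check_mac and normalize(b.mac) != normalize(src_mac):
            continue
        return True
    return False  # no usable entry matched, so the packet is dropped

# Constructed table: the static entry from the example on this page plus
# two made-up DHCP-learned entries.
TABLE = [
    Binding("192.168.0.1", "0001-0001-0001", "static"),
    Binding("192.168.0.10", "0010-9400-0002", "dhcp-snooping"),
    Binding("192.168.0.20", "0010-9400-0003", "dhcp-server"),
]

if __name__ == "__main__":
    forged = "0001-0001-00ff"  # constructed MAC that is in no entry
    for mode in (False, True):
        print("check_mac =", mode,
              permits(TABLE, "192.168.0.1", "0001-0001-0001", mode),
              permits(TABLE, "192.168.0.1", forged, mode),
              permits(TABLE, "192.168.0.20", "0010-9400-0003", mode))
```

In this model a packet that carries a bound source IP address with an unbound source MAC address is forwarded when only ip-address is specified and dropped once mac-address is added.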