R21xx-HP FlexFabric 11900 Security Configuration Guide
For information about ARP detection, see "Configuring ARP attack protection."
Dynamic IP source guard binding entries
IP source guard can automatically obtain user information from other modules to generate binding
entries. Such binding entries are referred to as dynamic binding entries. The modules that provide
dynamic binding information for IP source guard include DHCP relay, DHCP snooping, and DHCP
server.
Dynamic IP source guard is suitable for scenarios where many hosts reside on a LAN and obtain IP
addresses through DHCP. Once DHCP allocates an IP address to a host on the LAN, the DHCP snooping
device or DHCP relay agent generates a DHCP snooping entry or DHCP relay entry. IP source guard
automatically adds an IP source binding entry according to the DHCP snooping or DHCP relay entry to
allow the user to access the network. If a user specifies an IP address manually, no DHCP entry is
generated and IP source guard cannot add a binding entry for the user. Therefore, packets of the user will
be dropped.
On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with
different modules to generate binding entries dynamically:
• On a Layer 2 Ethernet port, IP source guard can cooperate with DHCP snooping. When a host on
the port dynamically obtains an IP address from the DHCP server, IP source guard generates an
IPv4 source guard binding entry according to the recorded DHCP snooping entry on the port.
• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can cooperate with the DHCP
relay agent. When a host on the Layer 3 Ethernet interface or VLAN interface dynamically obtains
an IP address across subnets, IP source guard generates an IPv4 source guard binding entry
according to the recorded DHCP relay entry on the Layer 3 Ethernet interface or VLAN interface.
• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can also cooperate with the
DHCP server. It generates dynamic binding entries according to the user information recorded by
the DHCP server during IP address allocation. Such binding entries do not filter packets directly but
help other modules (such as the ARP detection module) to provide security services.
For information about DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services
Configuration Guide.
NOTE:
The switch supports only IPv4 dynamic source guard binding.
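The following Python model is an added example, not code from the guide or from the switch software. It illustrates how dynamic binding entries derived from DHCP snooping, DHCP relay, and DHCP server records behave as described above. The class and function names, the interface names, and the addresses are constructed for illustration, and matching on both IP and MAC address is an assumption of the model.

```python
from dataclasses import dataclass

# Modules the guide names as sources of dynamic binding information.
SNOOPING, RELAY, SERVER = "dhcp-snooping", "dhcp-relay", "dhcp-server"

@dataclass(frozen=True)
class Binding:
    interface: str
    ip: str
    mac: str
    source: str

class SourceGuardModel:
    """Toy model of dynamic IPv4 source guard bindings (hypothetical, not device code)."""

    def __init__(self):
        self.bindings = set()

    def dhcp_lease(self, interface, ip, mac, source):
        # A DHCP module recorded an allocation; derive a dynamic binding entry.
        self.bindings.add(Binding(interface, ip, mac.lower(), source))

    def filtering_entries(self, interface):
        # Entries learned from the DHCP server do not filter packets directly.
        return [b for b in self.bindings
                if b.interface == interface and b.source != SERVER]

    def permit(self, interface, src_ip, src_mac):
        # Assumption: a packet must match the IP and MAC of an entry on its interface.
        return any(b.ip == src_ip and b.mac == src_mac.lower()
                   for b in self.filtering_entries(interface))

    def has_binding(self, interface, ip, mac):
        # Lookup for other modules (such as ARP detection); all entries count.
        return any(b.interface == interface and b.ip == ip and b.mac == mac.lower()
                   for b in self.bindings)

def demo():
    sg = SourceGuardModel()
    # Constructed sample data: interface names, addresses and MACs are made up.
    sg.dhcp_lease("XGE1/0/1", "192.0.2.10", "00:11:22:33:44:55", SNOOPING)
    sg.dhcp_lease("Vlan-interface10", "198.51.100.7", "00:11:22:33:44:66", RELAY)
    sg.dhcp_lease("Vlan-interface20", "203.0.113.5", "00:11:22:33:44:77", SERVER)
    return sg

if __name__ == "__main__":
    sg = demo()
    print("leased host:", sg.permit("XGE1/0/1", "192.0.2.10", "00:11:22:33:44:55"))
    print("manual IP:  ", sg.permit("XGE1/0/1", "192.0.2.99", "00:11:22:33:44:99"))
```

A host that sets its address manually never appears in `bindings`, so `permit` returns `False` for it, which matches the drop behavior described for users without a DHCP entry.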
IP source guard configuration task list
To configure IPv4 source guard, perform the following tasks:
Tasks at a glance
(Required.) Enabling IPv4 source guard on an interface
(Optional.) Configuring a static IPv4 source guard binding entry on an interface
To configure IPv6 source guard, perform the following tasks:
Tasks at a glance
(Required.) Enabling IPv6 source guard on an interface










