R2511-HP MSR Router Series Security Configuration Guide(V5)

Hardware | IPv4 source guard function | IPv4 binding entries | Configured on multiple ports
MSR30 | Yes on the following models: The MSR30 routers installed with MIM-FSW or DMIM-FSW modules. The MSR30-11E Layer 2 fixed Ethernet ports. The MSR30-11F Layer 2 fixed Ethernet ports. | Yes. MSR30-10 routers installed with XMIM-FSW modules support only MAC-port bindings. MSR30-11F Layer 2 fixed Ethernet ports do not support binding VLAN information. | Yes.
MSR50 | Yes on MSR50 routers installed with FIC-FSW or DFIC-FSW modules. | Yes. | Yes.
MSR1000 | Yes on Layer 2 fixed Ethernet ports. | Yes. on Layer 2 fixed Ethernet ports support only static MAC-port binding entries. | Yes.
NOTE:
You cannot configure the IP source guard function on a port in an aggregation group, or vice versa.
Enabling IPv4 source guard on a port
The IPv4 source guard function must be enabled on a port before the port can obtain dynamic IPv4
source guard binding entries and use static and dynamic IPv4 source guard binding entries to filter
packets.
For information about how to configure a static binding entry, see "Configuring a static IPv4 source
guard binding entry."
On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping to obtain the DHCP
snooping entries dynamically generated during dynamic IP address allocation, and uses the DHCP
snooping entries to generate IP source guard binding entries.
Dynamic IPv4 source guard binding entries can contain such information as the MAC address, IP
address, VLAN tag, ingress port information, and entry type (DHCP snooping), where the MAC address,
IP address, or VLAN tag information might not be included depending on your configuration. IP source
guard applies these entries to the port to filter packets.
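The filtering behaviour described above can be modelled as follows. This is an added example, not HP code or device output: the class and function names, the sample addresses, and the rule that a field absent from an entry is not compared are assumptions of the sketch.

```python
# Added illustration: a simplified model of IPv4 source guard filtering.
# Assumption: a field that is absent (None) in a binding entry is not
# compared against the packet. This is a model, not HP's documented algorithm.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    port: str                    # ingress port the entry is applied to
    ip: Optional[str] = None     # None = not included in the entry
    mac: Optional[str] = None
    vlan: Optional[int] = None
    kind: str = "dhcp-snooping"  # entry type; "static" for manual entries


@dataclass(frozen=True)
class Packet:
    port: str
    src_ip: str
    src_mac: str
    vlan: int


def from_snooping(entries, fields):
    """Build dynamic bindings from DHCP snooping entries, keeping only `fields`."""
    return [Binding(port=e["port"], kind="dhcp-snooping",
                    **{f: e[f] for f in fields}) for e in entries]


def permitted(pkt, bindings, guarded_ports):
    """Return True if the packet is forwarded under this model."""
    if pkt.port not in guarded_ports:
        return True              # source guard is not enabled on this port
    for b in bindings:
        if (b.port == pkt.port
                and b.ip in (None, pkt.src_ip)
                and b.mac in (None, pkt.src_mac)
                and b.vlan in (None, pkt.vlan)):
            return True
    return False                 # no matching entry on a guarded port: drop


# Constructed sample data (not taken from a real device).
SNOOPING = [{"port": "Eth0/1", "ip": "192.0.2.10",
             "mac": "0011-2233-4455", "vlan": 10}]
BINDINGS = from_snooping(SNOOPING, fields=("ip", "mac"))   # VLAN left out
BINDINGS.append(Binding(port="Eth0/2", mac="0011-2233-4466", kind="static"))
GUARDED = {"Eth0/1", "Eth0/2"}
```

The static entry on Eth0/2 mirrors the MAC-port-only bindings that some modules in the table above are limited to: under this model it constrains the source MAC but not the source IP.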
Follow these guidelines when you enable IPv4 source guard on a port:
• If you configure the ip verify source command on a port multiple times, the most recent
  configuration takes effect.
• To generate IPv4 source guard binding entries dynamically based on DHCP entries, make sure
  DHCP snooping is configured and working correctly. For information about DHCP snooping
  configuration, see Layer 3—IP Services Configuration Guide.
To enable IPv4 source guard on a port:
Step | Command | Remarks
1. Enter system view. | system-view | N/A