R0106-HP MSR Router Series Security Command Reference(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR2003 AC Router

531

532

533

534

535

536

537

538

539

540

518

Dynamic IP source guard obtains user information from other modules to generate dynamic binding

entries, and uses the entries to filter incoming packets based on the matching criteria. The matching

criteria specified in the ip verify source command takes effect on only dynamic IP source guard.

Static IPv4 source guard filters incoming packets by all matching criteria in a static binding entry. To

configure a static IPv4 source guard binding, use the ip source binding command.

If a packet matches a binding entry, IP source guard forwards the packet. Otherwise, it drops the packet.

The modules that provide user information for dynamic binding entries include 802.1X and DHCP

snooping. Binding entries from different source modules are for different usages:

• Dynamic binding entries based on DHCP snooping are used for packet filtering.

• Dynamic binding entries based on 802.1X are not for packet filtering. They are used by other

modules to provide security services. For example, ARP detection uses the dynamic binding entries

based on 802.1X to check validity of user ARP packets.

Examples

# Enable IPv4 source guard on Layer 2 Ethernet interface GigabitEthernet 2/1/1 and verify the source

IPv4 address and MAC address for dynamic IP source guard.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/1/1

[Sysname-GigabitEthernet2/1/1] ip verify source ip-address mac-address

Related commands

display ip source binding

ipv6 source binding (interface view)

Use ipv6 source binding to configure a static IPv6 source guard binding entry.

Use undo ipv6 source binding to delete the static IPv6 source guard binding entries configured on the

interface.

Syntax

ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address |

mac-address mac-address } [ vlan vlan-id ]

undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address

mac-address | mac-address mac-address } [ vlan vlan-id ]

Default

No static IPv6 source guard binding entry is configured on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

all: Removes all the static IPv6 source guard binding entries on the interface.

ip-address ipv6-address: Specifies an IPv6 address for the static binding entry. The IPv6 address cannot

be an all-zero address, a multicast address, or a loopback address.