R0106-HP MSR Router Series Security Configuration Guide(V7)

IP source guard can use static IPv4 binding entries on an interface to implement the following functions:
• Filter incoming IPv4 packets on the interface.
• Cooperate with the ARP detection feature to check user validity.
IP source guard can use static IPv6 binding entries on an interface to implement the following functions:
• Filter incoming IPv6 packets on the interface.
• Cooperate with the ND detection feature to check user validity.
For information about ARP detection, see "Configuring ARP attack protection." For information about ND
detection, see "Configuring ND attack defense."
Dynamic IP source guard binding entries
IP source guard automatically obtains user information from other modules to generate dynamic IP
source guard binding entries. The source modules include 802.1X, DHCP snooping, and DHCPv6
snooping.
DHCP-based dynamic IP source guard is suitable for scenarios where hosts on a LAN obtain IP addresses
through DHCP. IP source guard is configured on the DHCP snooping device. It generates dynamic IP
source guard binding entries based on the DHCP snooping entries. IP source guard allows only packets
from the DHCP clients to pass through. A user using an IP address not obtained through DHCP cannot
access the network.
Dynamic IPv4 source guard
Dynamic binding entries generated based on different source modules are for different usages:
Interface types          Source modules    Binding entry usage
Layer 2 Ethernet port    DHCP snooping     Packet filtering.
                         802.1X            For cooperation with modules (such as the ARP detection module) to provide security services.
For more information about 802.1X, see "Configuring 802.1X." For information about DHCP snooping,
see Layer 3—IP Services Configuration Guide.
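The following sketch is an added example, not HP code or device configuration. It models how binding entries from the different sources are used on a Layer 2 Ethernet port as described above. It assumes the filter matches on source IP and MAC address per interface; the entry format, interface names, and addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Usage of each entry type as stated in this section (Layer 2 Ethernet port).
USAGE = {
    "static": {"filter", "cooperate"},
    "dhcp-snooping": {"filter"},
    "802.1x": {"cooperate"},
}

@dataclass(frozen=True)
class Binding:
    interface: str
    ip: str
    mac: str
    source: str  # key of USAGE

def from_dhcp_snooping(snooping_entries):
    """Generate dynamic bindings from DHCP snooping entries (constructed format)."""
    return [Binding(e["interface"], e["ip"], e["mac"].lower(), "dhcp-snooping")
            for e in snooping_entries]

def matches(table, interface, src_ip, src_mac, purpose):
    """True if an entry usable for `purpose` binds this IP and MAC on the interface."""
    return any(b.interface == interface and b.ip == src_ip
               and b.mac == src_mac.lower() and purpose in USAGE[b.source]
               for b in table)

def permit_packet(table, interface, src_ip, src_mac):
    """Packet filter decision for an incoming IPv4 packet (assumed IP+MAC match)."""
    return matches(table, interface, src_ip, src_mac, "filter")

# Constructed sample data; interface names and addresses are illustrative.
SNOOPING = [{"interface": "GE2/0/1", "ip": "192.0.2.10", "mac": "00:11:22:AA:BB:01"}]
TABLE = from_dhcp_snooping(SNOOPING) + [
    Binding("GE2/0/2", "192.0.2.20", "00:11:22:aa:bb:02", "802.1x"),
    Binding("GE2/0/3", "192.0.2.30", "00:11:22:aa:bb:03", "static"),
]

if __name__ == "__main__":
    cases = [
        ("GE2/0/1", "192.0.2.10", "00:11:22:aa:bb:01"),  # DHCP client
        ("GE2/0/1", "192.0.2.99", "00:11:22:aa:bb:01"),  # address not obtained through DHCP
        ("GE2/0/2", "192.0.2.20", "00:11:22:aa:bb:02"),  # 802.1X entry only
        ("GE2/0/3", "192.0.2.30", "00:11:22:aa:bb:03"),  # static entry
    ]
    for c in cases:
        print(c, "permit" if permit_packet(TABLE, *c) else "drop")
```
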
Dynamic IPv6 source guard
IPv6 source guard on an interface obtains information from DHCPv6 snooping entries to generate IPv6
source guard binding entries for packet filtering.
For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
Feature and hardware compatibility
This feature is supported on the following hardware:
MSR routers installed with the Layer 2 switching module HMIM-24GSW/24GSWP or HMIM-8GSW.
IP source guard configuration task list
To configure IPv4 source guard, perform the following tasks: