R0106-HP MSR Router Series Security Configuration Guide(V7)

Tasks at a glance
(Required.) Enabling IPv4 source guard on an interface
(Optional.) Configuring a static IPv4 source guard binding entry on an interface
To configure IPv6 source guard, perform the following tasks:
Tasks at a glance
(Required.) Enabling IPv6 source guard on an interface
(Optional.) Configuring a static IPv6 source guard binding entry on an interface
Configuring the IPv4 source guard function
Enabling IPv4 source guard on an interface
IP source guard takes effect on an interface only after you enable the IPv4 source guard function on that interface.
IP source guard uses all matching criteria in a static IPv4 source guard binding entry to filter
packets. For information about static binding entry configuration, see "Configuring a static IPv4 source
guard binding entry."
A dynamic IPv4 source guard binding entry can include MAC address, IPv4 address, VLAN tag, ingress
interface, and entry type. The entry type identifies the source module for the binding entry, such as DHCP
snooping. Dynamic IP source guard uses the entries to filter incoming IPv4 packets based on the
matching criteria specified in the ip verify source command. If a match is found, the packet is forwarded.
To implement dynamic IPv4 source guard, make sure the DHCP snooping function operates correctly on
the network.
To enable the IPv4 source guard function on an interface:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: Only Layer 2 Ethernet ports are supported.
Step 3. Enable the IPv4 source guard function.
  Command: ip verify source { ip-address | ip-address mac-address | mac-address }
  Remarks: By default, the function is disabled on an interface.
  If you configure this command on an interface multiple times, the most recent
  configuration takes effect.
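The following Python model is an added example, not HP code or device output. It shows how the keyword chosen in ip verify source changes which packets a dynamic binding entry lets through. It assumes that a packet matching no entry on its ingress interface is dropped and that only the fields named by the keyword are compared; the interface name, addresses, and all function and class names are constructed for illustration.

```python
# Simplified model of dynamic IPv4 source guard filtering (added example).
from dataclasses import dataclass

# Fields compared for each keyword form of "ip verify source".
MODES = {
    "ip-address": ("ip",),
    "ip-address mac-address": ("ip", "mac"),
    "mac-address": ("mac",),
}

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int         # recorded in the entry; not compared in this model
    interface: str    # ingress interface the entry is bound to
    entry_type: str   # source module, for example DHCP snooping

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    interface: str

def permitted(packet, bindings, mode):
    """Return True if the packet matches a binding on its ingress interface."""
    fields = MODES[mode]
    for b in bindings:
        if b.interface != packet.interface:
            continue
        if "ip" in fields and b.ip != packet.src_ip:
            continue
        if "mac" in fields and b.mac != packet.src_mac:
            continue
        return True
    return False  # assumption: no matching entry means the packet is dropped

# Constructed sample data: one DHCP snooping entry and three test packets.
BINDINGS = [Binding("0001-0203-0405", "192.0.2.10", 10, "GE1/0/1", "dhcp-snooping")]
GENUINE = Packet("0001-0203-0405", "192.0.2.10", "GE1/0/1")
SPOOFED_IP = Packet("0001-0203-0405", "192.0.2.99", "GE1/0/1")
SPOOFED_MAC = Packet("0001-0203-0aaa", "192.0.2.10", "GE1/0/1")

def verdicts(mode):
    """Verdicts for (genuine, spoofed source IP, spoofed source MAC)."""
    return tuple(permitted(p, BINDINGS, mode) for p in (GENUINE, SPOOFED_IP, SPOOFED_MAC))

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:24} {verdicts(mode)}")
```

In this model only the ip-address mac-address form rejects both spoofed packets; each single-field form still forwards a packet that forges the field it does not check.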
Configuring a static IPv4 source guard binding entry on an interface
When you configure a static IPv4 source guard binding entry on an interface, follow these guidelines:
To configure a static binding entry for the ARP detection function, the vlan vlan-id option must be
specified, and ARP detection must be enabled for the specified VLAN.