Static IP Source Guard Binding Entries; Dynamic IP Source Guard Binding Entries - HP 5920 Series Configuration Manual

Static IP source guard binding entries

Static IP source guard binding entries are configured manually. They are suitable for scenarios where few
hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a
static IP source guard binding entry on an interface that connects to a server. This binding allows the
interface to receive packets only from the server.
IP source guard can use static IPv4 binding entries on an interface to implement the following functions:
- Filter incoming IPv4 packets on the interface.
- Cooperate with the ARP detection feature to check user validity.
IP source guard can use static IPv6 binding entries on an interface to filter incoming IPv6 packets on the
interface.
For information about ARP detection, see "Configuring ARP attack protection."
Static IP source guard binding entries can be global or interface-specific. IP source guard first uses the
interface-specific binding entries to match packets. If no match is found, IP source guard uses the global
binding entries.
- Global static binding entry—Binds the IP address and MAC address in system view. The binding
  entry takes effect on all interfaces to filter packets for user spoofing attack prevention.
- Interface-specific static binding entry—Binds the IP address, MAC address, VLAN, or any
  combination of the items in interface view. The binding entry takes effect only on the interface to
  check the validity of users who are attempting to access the interface.
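
The lookup order described above, modelled in Python as an added example (not HP code and not a description of how the switch implements it). The class names, interface names, addresses and VLAN IDs are constructed; the model assumes IP source guard is enabled on every interface shown and that a packet matching no entry is discarded.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One static binding entry; None means the entry does not bind that field."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, ip, mac, vlan):
        # Every field the entry binds must equal the packet's value.
        pairs = ((self.ip, ip), (self.mac, mac.lower()), (self.vlan, vlan))
        return all(want is None or want == got for want, got in pairs)

class SourceGuard:
    def __init__(self):
        self.global_entries = []     # IP + MAC entries (system view)
        self.interface_entries = {}  # interface name -> entries (interface view)

    def bind_global(self, ip, mac):
        self.global_entries.append(Binding(ip, mac.lower()))

    def bind_interface(self, ifname, ip=None, mac=None, vlan=None):
        if ip is None and mac is None and vlan is None:
            raise ValueError("an entry must bind at least one field")
        entry = Binding(ip, mac.lower() if mac else None, vlan)
        self.interface_entries.setdefault(ifname, []).append(entry)

    def check(self, ifname, ip, mac, vlan):
        # Interface-specific entries are consulted first, then the global ones.
        if any(e.matches(ip, mac, vlan) for e in self.interface_entries.get(ifname, [])):
            return ("permit", "interface")
        if any(e.matches(ip, mac, vlan) for e in self.global_entries):
            return ("permit", "global")
        return ("drop", None)  # assumption: no match in either table -> discard

def demo():
    guard = SourceGuard()
    # Constructed sample data: interface names, addresses and VLAN IDs are made up.
    guard.bind_interface("XGE1/0/1", ip="192.0.2.10", mac="00:00:5E:00:53:01")
    guard.bind_global("192.0.2.20", "00:00:5e:00:53:02")
    packets = [
        ("XGE1/0/1", "192.0.2.10", "00:00:5e:00:53:01", 10),  # the server itself
        ("XGE1/0/1", "192.0.2.10", "00:00:5e:00:53:99", 10),  # server IP, other MAC
        ("XGE1/0/2", "192.0.2.10", "00:00:5e:00:53:01", 10),  # server pair, other port
        ("XGE1/0/2", "192.0.2.20", "00:00:5e:00:53:02", 20),  # globally bound host
        ("XGE1/0/1", "192.0.2.20", "00:00:5e:00:53:02", 10),  # same host, server port
    ]
    return [guard.check(*p) for p in packets]
```

In this model the last packet is permitted on the server-facing port through the global entry, so a global binding widens what every guarded interface accepts and is worth reviewing alongside the interface-specific entries.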

Dynamic IP source guard binding entries

IP source guard automatically obtains user information from other modules to generate dynamic IP
source guard binding entries. The source modules include DHCP relay, DHCP snooping, DHCPv6
snooping, and DHCP server.
DHCP-based dynamic IP source guard is suitable for scenarios where hosts on a LAN obtain IP addresses
through DHCP. IP source guard is configured on the DHCP snooping device or the DHCP relay agent. It
generates dynamic IP source guard binding entries based on the DHCP snooping entries or DHCP relay
entries. IP source guard allows only packets from the DHCP clients to pass through. A user using an IP
address not obtained through DHCP cannot access the network.
Dynamic IPv4 source guard
Dynamic binding entries generated based on different source modules are for different usages:

| Interface types | Source modules | Binding entry usage |
|---|---|---|
| Layer 2 Ethernet port | DHCP snooping | Packet filtering. |
| Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, VLAN interface | DHCP relay agent | Packet filtering. |
| Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, VLAN interface | DHCP server | For cooperation with modules (such as the ARP detection module) to provide security services. |

For information about DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services
Configuration Guide.

This manual is also suitable for:

5900 series
