Dynamic Ip Source Guard Binding Entries; Ip Source Guard Configuration Task List - HP FlexFabric 5930 Series Security Configuration Manual


IP source guard uses static IPv4 source guard binding entries on an interface to filter IPv4 packets received
by the interface or cooperates with the ARP detection feature to check user validity. IP source guard uses
static IPv6 source guard binding entries on an interface to filter IPv6 packets received by the interface.
For more information about ARP detection, see "Configuring ARP attack protection."

Dynamic IP source guard binding entries

IP source guard can automatically obtain user information from other modules to generate IP source
guard binding entries. Such IP source guard binding entries are referred to as dynamic IP source guard
binding entries. The modules that provide dynamic binding information for IP source guard include
DHCP relay, DHCP snooping, and DHCP server.
Dynamic IP source guard is suitable for scenarios where many hosts reside on a LAN and obtain IP
addresses through DHCP. Once DHCP allocates an IP address to a host on the LAN, the DHCP snooping
device or DHCP relay agent generates a DHCP snooping entry or DHCP relay entry. IP source guard
automatically adds an IP source guard binding entry according to the DHCP snooping or DHCP relay
entry to allow the user to access the network. If a user specifies an IP address manually, no DHCP entry
is generated and IP source guard cannot add an IP source guard binding entry for the user. Therefore,
packets of the user will be dropped.
On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with
different modules to generate IP source guard binding entries dynamically:
• On a Layer 2 Ethernet port, IP source guard can cooperate with DHCP snooping. When a host on
  the port dynamically obtains an IP address from the DHCP server, IP source guard generates an
  IPv4 source guard binding entry according to the recorded DHCP snooping entry on the port.
• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can cooperate with the DHCP
  relay agent. When a host on the Layer 3 Ethernet interface or VLAN interface dynamically obtains
  an IP address across subnets, IP source guard generates an IPv4 source guard binding entry
  according to the recorded DHCP relay entry on the Layer 3 Ethernet interface or VLAN interface.
• On a Layer 3 Ethernet interface or VLAN interface, IP source guard can also cooperate with the
  DHCP server. It generates dynamic IPv4 source guard binding entries according to the user
  information recorded by the DHCP server during IP address allocation. Such IPv4 source guard
  binding entries do not filter packets directly but help other modules (such as the ARP detection
  module) to provide security services.
For more information about DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services
Configuration Guide.
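
The following Python model is an added illustration, not code or configuration from the manual. It walks through the Layer 2 port case described above: bindings are created only from recorded DHCP snooping entries, so a manually addressed host on a guarded port is dropped. The port names, addresses, class names, and the choice to match on port, IP, and MAC together are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SnoopingEntry:
    """A lease recorded by DHCP snooping on a Layer 2 port (constructed model)."""
    port: str
    ip: str
    mac: str

class DynamicSourceGuard:
    """Toy model of dynamic IPv4 source guard; matching port+IP+MAC is an assumption."""

    def __init__(self, guarded_ports):
        self.guarded_ports = set(guarded_ports)
        self.bindings = set()  # (port, ip, mac) tuples

    def on_snooping_entry(self, entry):
        # A binding is generated only from a recorded DHCP snooping entry,
        # and only on ports where dynamic source guard is enabled.
        if entry.port in self.guarded_ports:
            self.bindings.add((entry.port, entry.ip, entry.mac.lower()))

    def permits(self, port, src_ip, src_mac):
        if port not in self.guarded_ports:
            return True  # feature not enabled on this port, nothing is filtered
        return (port, src_ip, src_mac.lower()) in self.bindings

def dropped(guard, packets):
    """Return the packets the guard would drop, for review."""
    return [p for p in packets if not guard.permits(*p)]

def demo():
    # Constructed sample data: port names and addresses are placeholders.
    guard = DynamicSourceGuard(guarded_ports={"XGE1/0/1", "XGE1/0/2"})
    guard.on_snooping_entry(SnoopingEntry("XGE1/0/1", "192.0.2.10", "00:11:22:AA:BB:01"))
    packets = [
        ("XGE1/0/1", "192.0.2.10", "00:11:22:aa:bb:01"),  # host with a DHCP lease
        ("XGE1/0/1", "192.0.2.99", "00:11:22:aa:bb:01"),  # same host, unleased source IP
        ("XGE1/0/2", "192.0.2.50", "00:11:22:aa:bb:02"),  # manually addressed host, no lease
        ("XGE1/0/2", "192.0.2.10", "00:11:22:aa:bb:01"),  # leased pair seen on another port
        ("XGE1/0/3", "192.0.2.77", "00:11:22:aa:bb:03"),  # port without source guard
    ]
    return dropped(guard, packets)

if __name__ == "__main__":
    for pkt in demo():
        print("dropped:", pkt)
```
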

IP source guard configuration task list

To configure IPv4 source guard, perform the following tasks:
Tasks at a glance
(Required.) Enabling IPv4 source guard on an interface
(Optional.) Configuring a static IPv4 source guard binding entry
To configure IPv6 source guard, perform the following tasks: