IP source guard configuration examples
By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an
interface, first bring it up with the undo shutdown command.
Static IP source guard binding entry configuration example
Network requirements
As shown in Figure 52, Host A and Host B are connected to ports GigabitEthernet 3/0/2 and
GigabitEthernet 3/0/1 of Switch B respectively, Host C is connected to port GigabitEthernet
3/0/2 of Switch A, and Switch B is connected to port GigabitEthernet 3/0/1 of Switch A.
Configure static binding entries on Switch A and Switch B to meet the following requirements:
• On port GigabitEthernet 3/0/2 of Switch A, only IP packets from Host C can pass.
• On port GigabitEthernet 3/0/1 of Switch A, only IP packets from Host A can pass.
• On port GigabitEthernet 3/0/2 of Switch B, only IP packets from Host A can pass.
• On port GigabitEthernet 3/0/1 of Switch B, only IP packets from Host B can pass.
Figure 52 Network diagram for configuring static binding entries
[Figure 52 labels: Host A, IP 192.168.0.1/24, MAC 00-01-02-03-04-06]
Configuration procedure
1. Configure Switch A
Configure the IP addresses of various interfaces (omitted).
Configure port GigabitEthernet 3/0/2 of Switch A to allow only IP packets with the source MAC
address of 00-01-02-03-04-05 and the source IP address of 192.168.0.3 to pass.
<SwitchA> system-view
[SwitchA] interface gigabitethernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405
[SwitchA-GigabitEthernet3/0/2] quit
[Figure 52 labels: Host B, IP 192.168.0.2/24, MAC 00-01-02-03-04-07; Host C, IP 192.168.0.3/24, MAC 00-01-02-03-04-05]
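The binding plan in the network requirements can be derived from the host table and checked before it is typed into the switches. The following Python sketch is an added example, not part of the original manual: it builds the user-bind lines for each port from the Figure 52 addresses and models the filter as "source IP and source MAC must both match the port's binding". The function names and the single-binding-per-port model are assumptions made for illustration.

```python
# Added example: host addresses and port requirements are those stated on this page.
HOSTS = {  # name -> (IP, MAC) as labelled in Figure 52
    "Host A": ("192.168.0.1", "00-01-02-03-04-06"),
    "Host B": ("192.168.0.2", "00-01-02-03-04-07"),
    "Host C": ("192.168.0.3", "00-01-02-03-04-05"),
}
# (switch, port) -> the only host whose IP packets may pass that port
ALLOWED = {
    ("SwitchA", "3/0/2"): "Host C",
    ("SwitchA", "3/0/1"): "Host A",
    ("SwitchB", "3/0/2"): "Host A",
    ("SwitchB", "3/0/1"): "Host B",
}

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def cli_mac(mac):
    """Render a MAC in the H-H-H form used by the user-bind command."""
    d = norm_mac(mac)
    return "-".join(d[i:i + 4] for i in (0, 4, 8))

def user_bind_commands(switch):
    """Build the per-port static binding commands for one switch."""
    lines = ["system-view"]
    for (sw, port), host in ALLOWED.items():
        if sw != switch:
            continue
        ip, mac = HOSTS[host]
        lines += [f"interface gigabitethernet {port}",
                  f"user-bind ip-address {ip} mac-address {cli_mac(mac)}",
                  "quit"]
    return lines

def permitted(switch, port, src_ip, src_mac):
    """Hypothetical model of the filter: source IP and MAC must both match."""
    ip, mac = HOSTS[ALLOWED[(switch, port)]]
    return src_ip == ip and norm_mac(src_mac) == norm_mac(mac)

if __name__ == "__main__":
    print("\n".join(user_bind_commands("SwitchA")))
    # Host A's MAC paired with Host C's IP does not match the binding on this port
    print(permitted("SwitchB", "3/0/2", "192.168.0.3", "00-01-02-03-04-06"))
```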