For information about ARP detection, see
Dynamic IPv4 source binding entries
IP source guard can automatically obtain user information from other modules to generate IPv4 binding
entries. On interfaces configured with the dynamic IPv4 source guard function, IP source guard
cooperates with different modules to generate IPv4 binding entries dynamically:
On an Ethernet port, IP source guard can cooperate with DHCP snooping, obtain the DHCP
•
snooping entries generated when hosts dynamically obtain IP addresses, and generate IPv4
binding entries accordingly to filter packets.
On a VLAN interface, IP source guard can cooperate with the DHCP relay agent, obtain the DHCP
•
relay entries generated when hosts obtain IP addresses across subnets, and generate IPv4 binding
entries accordingly to filter packets.
•
On a VLAN interface, IP source guard can also cooperate with the DHCP server. It generates
dynamic binding entries according to the user information recorded by the DHCP server during IP
address allocation. Such binding entries do not filter packets directly but help other modules (such
as the ARP detection module) to provide security services.
For information about DHCP snooping, DHCP relay, and DHCP server see Layer 3—IP Services
Configuration Guide.
IP source guard configuration task list
To configure IPv4 source guard, perform the following tasks:
Tasks at a glance
(Required.)
(Optional.)
To configure IPv6 source guard, perform the following tasks:
Tasks at a glance
(Required.)
(Optional.)
Configuring the IPv4 source guard function
You cannot configure the IPv4 source guard function on a service loopback interface. If IPv4 source
guard is enabled on an interface, you cannot assign the interface to a service loopback group.
Enabling IPv4 source guard on an interface
You must first enable the IPv4 source guard function on an interface before the interface can obtain
dynamic IPv4 binding entries and use static and dynamic IPv4 binding entries to filter packets or help
other modules to provide security services.
Enabling IPv4 source guard on an interface
Configuring a static IPv4 source guard binding entry on an interface
Enabling IPv6 source guard on an interface
Configuring a static IPv6 source guard binding entry on an interface
"Configuring ARP attack
203
protection."