Static IPv4 Source Guard Entry Configuration Example - HP 6600 Security Configuration Manual

Static IPv4 source guard entry configuration example
Network requirements
As shown in Figure 245, Host A and Host B are connected to ports GigabitEthernet 3/0/2 and
GigabitEthernet 3/0/1 of Router B respectively, Host C is connected to port GigabitEthernet 3/0/2 of
Router A, and Router B is connected to port GigabitEthernet 3/0/1 of Router A. All hosts use static IP
addresses.
Configure static IPv4 source guard entries on Router A and Router B to meet the following requirements:
• On port GigabitEthernet 3/0/2 of Router A, only IP packets from Host C can pass.
• On port GigabitEthernet 3/0/1 of Router A, only IP packets from Host A can pass.
• On port GigabitEthernet 3/0/2 of Router B, only IP packets from Host A can pass.
• On port GigabitEthernet 3/0/1 of Router B, only IP packets sourced from 192.168.0.2/24 can pass. Host B can communicate with Host A by using this IP address even if it uses another network adapter.
Figure 245 Network diagram
Configuration procedure
1. Configure Router A:
# Enable IPv4 source guard on GigabitEthernet 3/0/2 to filter packets based on both the source IP address and MAC address.
<RouterA> system-view
[RouterA] interface gigabitethernet 3/0/2
[RouterA-GigabitEthernet3/0/2] ip verify source ip-address mac-address
# Configure GigabitEthernet 3/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
[RouterA] interface gigabitethernet 3/0/2
[RouterA-GigabitEthernet3/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405
[RouterA-GigabitEthernet3/0/2] quit
# Enable IPv4 source guard on GigabitEthernet 3/0/1 to filter packets based on both the source IP address and MAC address.
[RouterA] interface gigabitethernet 3/0/1
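
The filtering decision that these static entries produce can be modelled in a few lines of Python. This is an added example, not HP's code or part of the manual: it assumes a default-deny check per guarded port, the IP-only entry for Router B is inferred from the requirement list, and every MAC address other than 0001-0203-0405 and every unbound IP address is a constructed sample value.

```python
def norm_mac(mac):
    """Reduce 0001-0203-0405 or 00:01:02:03:04:05 style MACs to 12 hex digits."""
    digits = mac.lower().translate(str.maketrans("", "", "-:."))
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class GuardedPort:
    """One interface with IPv4 source guard enabled (simplified model)."""
    def __init__(self, name, match_mac):
        self.name = name
        self.match_mac = match_mac  # True: check source IP and MAC; False: source IP only
        self.entries = []           # static entries as (ip, normalised mac or None)

    def bind(self, ip, mac=None):
        if self.match_mac and mac is None:
            raise ValueError("IP+MAC filtering needs a MAC address in the entry")
        self.entries.append((ip, norm_mac(mac) if mac else None))

    def permits(self, src_ip, src_mac):
        """Default deny: forward only when a static entry matches the packet."""
        return any(ip == src_ip and (not self.match_mac or mac == norm_mac(src_mac))
                   for ip, mac in self.entries)


def demo():
    # Router A GE3/0/2: the IP+MAC entry for Host C shown in the procedure.
    a2 = GuardedPort("RouterA GE3/0/2", match_mac=True)
    a2.bind("192.168.0.3", "0001-0203-0405")
    # Router B GE3/0/1: IP-only entry (assumed from the requirement for Host B).
    b1 = GuardedPort("RouterB GE3/0/1", match_mac=False)
    b1.bind("192.168.0.2")
    return {
        "host_c": a2.permits("192.168.0.3", "00:01:02:03:04:05"),
        "bound_ip_other_mac": a2.permits("192.168.0.3", "0200-0000-00aa"),  # constructed
        "other_ip_bound_mac": a2.permits("192.168.0.9", "0001-0203-0405"),  # constructed
        "host_b_adapter_1": b1.permits("192.168.0.2", "0200-0000-00b1"),    # constructed
        "host_b_adapter_2": b1.permits("192.168.0.2", "0200-0000-00b2"),    # constructed
        "unbound_ip": b1.permits("192.168.0.7", "0200-0000-00b1"),          # constructed
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} {'permit' if ok else 'drop'}")
```

The IP+MAC port drops a packet that carries the bound address from a different MAC, while the IP-only port keeps forwarding 192.168.0.2 after an adapter change, which is the trade-off the Router B requirement accepts.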