HP FlexFabric 7900 Series Command Reference Manual page 217

Security

Syntax
ip verify source { ip-address | ip-address mac-address | mac-address }
undo ip verify source
Default
The IPv4 source guard function is disabled on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
Parameters
ip-address: Filters packets by source IPv4 addresses. With this keyword specified, the IP source guard
function on the interface filters a received packet by using source IP addresses of the IPv4 source guard
binding entries. If a match is found, the interface forwards the packet. Otherwise, the interface discards
the packet.
ip-address mac-address: Filters packets by source IPv4 addresses and source MAC addresses. With this
keyword specified, the IP source guard function on the interface filters a received packet by using source
IP addresses and source MAC addresses of dynamic IPv4 source guard binding entries. If both the
source IP address and source MAC address of the packet match an entry, the interface forwards the
packet. Otherwise, the interface discards the packet.
mac-address: Filters packets by source MAC addresses. With this keyword specified, the IP source guard
function on the interface filters a received packet by using source MAC addresses of the IPv4 source
guard binding entries. If a match is found, the interface forwards the packet. Otherwise, the interface
discards the packet.
Usage guidelines
After you enable IPv4 source guard on an interface, IP source guard can perform the following
operations:
• Dynamically obtain IPv4 binding entries from other modules.
• Use static and dynamic IPv4 source guard binding entries to filter IPv4 packets on the interface.
  If a packet matches a binding entry, IP source guard forwards the packet. Otherwise, it drops the packet.
The modules that provide dynamic binding information for IP source guard include DHCP relay, DHCP
snooping, and DHCP server. IP source guard uses the dynamic binding entries created by DHCP relay
and DHCP snooping to filter packets. The dynamic binding entries that IP source guard learns from DHCP
server modules are not used to filter packets; other modules use them to provide security
services.
The keywords specified in the ip verify source command apply only to dynamic IPv4 source guard
binding entries. They determine which information in the dynamic IPv4 source guard binding entries
the interface uses to filter packets. For static IPv4 source guard binding entries, this command
only enables packet filtering on the interface. The interface filters packets according to the static IPv4
source guard binding entries configured by the ip source binding command, not according to the keywords
specified in the ip verify source command.
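
The following Python model is an added example, not part of the HP manual or the device software. It reproduces the forwarding decision described in these usage guidelines. The Binding class, the forward function, the sample addresses, and the rule that a static entry is compared on whichever fields it carries are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Per the usage guidelines: static, DHCP relay and DHCP snooping entries are
# used for filtering; entries learned from the DHCP server module are not.
FILTERING_SOURCES = {"static", "dhcp-relay", "dhcp-snooping"}

@dataclass(frozen=True)
class Binding:                       # hypothetical model of one binding entry
    source: str                      # "static", "dhcp-relay", "dhcp-snooping", "dhcp-server"
    ip: Optional[str] = None
    mac: Optional[str] = None

def _matches(e: Binding, src_ip: str, src_mac: str, use_ip: bool, use_mac: bool) -> bool:
    if use_ip and e.ip != src_ip:
        return False
    if use_mac and (e.mac or "").lower() != src_mac.lower():
        return False
    return True

def forward(keyword: Optional[str], bindings: Iterable[Binding],
            src_ip: str, src_mac: str) -> bool:
    """True if the modeled interface forwards the packet, False if it drops it.
    keyword is the argument of 'ip verify source', or None when it is not configured."""
    if keyword is None:              # default: IPv4 source guard disabled, no filtering
        return True
    fields = keyword.split()
    use_ip, use_mac = "ip-address" in fields, "mac-address" in fields
    for e in bindings:
        if e.source not in FILTERING_SOURCES:
            continue                 # DHCP server entries never admit a packet
        if e.source == "static":
            # Assumption: a static entry is matched on the fields it was
            # configured with, independent of the keyword.
            if _matches(e, src_ip, src_mac, e.ip is not None, e.mac is not None):
                return True
        elif _matches(e, src_ip, src_mac, use_ip, use_mac):
            return True              # dynamic entry, matched per the keyword
    return False                     # no binding matched: discard

# Constructed sample table (documentation addresses, not from the manual).
TABLE = [
    Binding("dhcp-snooping", "192.0.2.10", "0001-0203-0405"),
    Binding("dhcp-server", "192.0.2.20", "0001-0203-0406"),
    Binding("static", ip="192.0.2.30"),
]
```

In this model, the ip-address keyword alone admits a packet that carries a bound IP address with any source MAC address, while ip-address mac-address requires both fields to match the same dynamic entry.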
Examples
# Enable IPv4 source guard on Layer 2 Ethernet interface FortyGigE 1/0/1 to filter packets received on
the port by using source IPv4 and MAC addresses of IPv4 source guard binding entries.