HP 6125XLG Command Reference Manual page 210

Blade switch security command reference

Syntax
ip verify source ip-address [ mac-address ]
undo ip verify source
Default
The IPv4 source guard function is disabled on an interface.
Views
Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
Parameters
ip-address: Binds source IPv4 addresses to the interface. With this keyword specified, IP source guard
filters packets received on the interface according to the source IPv4 addresses of the packets.
mac-address: Binds source MAC addresses to the interface. With this keyword specified, IP source guard
also checks the source MAC address of each packet received on the interface, and permits the packet
only when both the source IPv4 and MAC addresses of the packet match a dynamic binding entry.
Usage guidelines
After you enable IPv4 source guard on an interface, IP source guard can dynamically obtain IPv4
binding entries from other modules and use static and dynamic IPv4 source guard binding entries to filter
IPv4 packets on the interface. If a packet matches a binding entry, IP source guard forwards the packet.
Otherwise, it drops the packet.
The modules that provide dynamic binding information for IP source guard include DHCP relay, DHCP
snooping, and DHCP server. IP source guard uses the dynamic binding entries created by DHCP relay
and DHCP snooping to filter packets. The dynamic binding entries that IP source guard learns from the
DHCP server module are not used to filter packets; other modules use them to provide
security services.
You cannot configure dynamic IPv4 source guard on a service loopback interface.
The keywords specified in the ip verify source command apply only to dynamic IPv4 source guard
binding entries. They determine which information in the dynamic IPv4 source guard binding entries
the interface uses to filter packets. For static IPv4 source guard binding entries, this command
only enables packet filtering on an interface. The interface filters packets according to the static IPv4
source guard binding entries configured by the ip source binding command, not according to the keywords
specified in the ip verify source command.
Examples
# Enable IPv4 source guard on Ethernet port Ten-GigabitEthernet 1/1/5 to filter packets received on the
port based on the source IPv4 and MAC addresses.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/1/5
[Sysname-Ten-GigabitEthernet1/1/5] ip verify source ip-address mac-address
# Enable IPv4 source guard on VLAN-interface 100 to filter packets received on the interface based on
the source IPv4 and MAC addresses.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ip verify source ip-address mac-address
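The filtering rules in the usage guidelines, written out as a simplified model. This is an added example, not code from the manual or the switch; the names Binding, permits and BINDINGS are hypothetical, the addresses are constructed sample values, and it assumes a static entry matches on whichever fields it was configured with.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    kind: str                   # "static" or "dynamic"
    source: str                 # "manual", "dhcp-snooping", "dhcp-relay", "dhcp-server"
    ip: Optional[str] = None
    mac: Optional[str] = None


# Per the usage guidelines, only dynamic entries from these modules filter packets.
FILTERING_SOURCES = {"dhcp-snooping", "dhcp-relay"}

# Constructed sample binding table for one interface.
BINDINGS = [
    Binding("dynamic", "dhcp-snooping", "192.0.2.10", "0011-2233-4455"),
    Binding("dynamic", "dhcp-server", "192.0.2.20", "0011-2233-4466"),
    Binding("static", "manual", "192.0.2.30", None),  # static entry with IP only
]


def permits(pkt_ip, pkt_mac, bindings, check_mac):
    """Return True if the modelled interface forwards the packet.

    check_mac=False models `ip verify source ip-address`;
    check_mac=True models `ip verify source ip-address mac-address`.
    """
    for b in bindings:
        if b.kind == "static":
            # Assumption: static entries match on their own configured fields;
            # the keywords of ip verify source do not change how they match.
            if b.ip is None and b.mac is None:
                continue
            if b.ip in (None, pkt_ip) and b.mac in (None, pkt_mac):
                return True
        elif b.source in FILTERING_SOURCES:
            # Dynamic entries: the IP must match, the MAC only when the keyword is set.
            if b.ip == pkt_ip and (not check_mac or b.mac == pkt_mac):
                return True
        # Entries learned from the DHCP server module are never used to filter.
    return False
```

With the mac-address keyword set, a packet that reuses 192.0.2.10 from a different MAC is dropped; without the keyword the same packet is forwarded, which is the difference between the two forms of the command.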