Configuring the IPv4 Source Guard Function; Configuring IPv4 Source Guard on a Port - HP 12500 Series Configuration Manual


NOTE:
You cannot enable IP source guard on a link aggregation member port. If IP source guard is enabled on
a port, you cannot assign the port to a link aggregation group.
IP source guard does not take effect if configured on a Layer 3 aggregate interface or Layer 3 aggregate
subinterface.

Configuring the IPv4 source guard function

When an EB card is operating in standard ACL mode, the card does not support MAC-port binding
entries, MAC-VLAN-port binding entries, or IP-MAC-VLAN-port binding entries. For more information
about the standard ACL mode, see ACL and QoS Configuration Guide.

Configuring IPv4 source guard on a port

The IPv4 source guard function must be configured on a port before the port can obtain dynamic IPv4
source guard entries and use static and dynamic IPv4 source guard entries to filter packets.
For how to configure a static binding entry, see "Configuring a static IPv4 source guard entry."
On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains
the DHCP snooping entries generated during dynamic IP address allocation, and generates IP
source guard entries accordingly.
On a Layer 3 Ethernet interface or VLAN interface, IP source guard cooperates with DHCP relay,
dynamically obtains the DHCP relay entries generated during dynamic IP address allocation across
subnets, and generates IP source guard entries accordingly.
Dynamic IPv4 source guard entries can contain such information as MAC address, IP address, VLAN tag,
ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address, IP
address, or VLAN tag information may not be included depending on your configuration. IP source
guard applies these entries to the port to filter packets.

Configuration guidelines

The keyword specified in the ip verify source command is only for instructing the generation of
dynamic IPv4 source guard entries. It does not affect static binding entries. When using a static
binding entry, a port does not take the keyword into consideration.
To generate IPv4 binding entries dynamically based on DHCP entries, make sure that DHCP
snooping or DHCP relay is configured and working normally. For information about DHCP
snooping configuration and DHCP relay configuration, see Layer 3—IP Services Configuration
Guide.
If you configure the IPv4 source guard function on a port multiple times, the most recent
configuration takes effect.
Although dynamic IPv4 source guard entries are generated based on DHCP entries, the number of
dynamic IPv4 source guard entries is not necessarily the same as that of the DHCP entries.

Configuration procedure

To configure the IPv4 source guard function on a port:

Step                     Command        Remarks
1. Enter system view.    system-view    N/A
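
The filtering behaviour described in this section, as an added example: a simplified Python model written for this page, not code from the manual or from HP. The `bind_fields` parameter is a hypothetical stand-in for the keyword of the ip verify source command, and the port name, addresses, and the rule that a field omitted from an entry is not compared are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    port: str                    # ingress port the entry is applied to
    ip: Optional[str] = None     # None = field not included in the entry
    mac: Optional[str] = None
    vlan: Optional[int] = None
    kind: str = "static"         # "static", "dhcp-snooping" or "dhcp-relay"

def dynamic_entries(dhcp_entries, port, bind_fields, kind="dhcp-snooping"):
    """Derive dynamic entries for `port` from DHCP entries, keeping only the
    fields named in `bind_fields` (hypothetical stand-in for the keyword)."""
    out = set()
    for e in dhcp_entries:
        if e["port"] != port:
            continue
        kept = {f: e[f] for f in ("ip", "mac", "vlan") if f in bind_fields}
        out.add(Binding(port=port, kind=kind, **kept))
    return out

def permitted(packet, bindings):
    """For a port with source guard configured: forward only if some entry on
    the ingress port matches every field that the entry includes."""
    for b in bindings:
        if b.port != packet["port"]:
            continue
        if all(getattr(b, f) is None or getattr(b, f) == packet[f]
               for f in ("ip", "mac", "vlan")):
            return True
    return False

# Constructed sample data (not from the manual).
DHCP = [{"port": "GE3/0/1", "ip": "192.0.2.10",
         "mac": "00:11:22:33:44:55", "vlan": 10}]
STATIC = {Binding(port="GE3/0/1", ip="192.0.2.20", mac="00:aa:bb:cc:dd:ee")}

def table(bind_fields):
    # Static entries stay as configured; only dynamic ones follow bind_fields.
    return STATIC | dynamic_entries(DHCP, "GE3/0/1", bind_fields)

def pkt(ip, mac, vlan=10, port="GE3/0/1"):
    return {"port": port, "ip": ip, "mac": mac, "vlan": vlan}
```

In this model, binding only the IP address lets a frame with the leased IP and a different source MAC through, while the static entry keeps checking both of its fields whatever `bind_fields` is.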
