Dynamic IP source guard binding entries

IP source guard can automatically obtain user information from other modules to generate IP source guard binding entries.

For more information about 802.1X, see Security Configuration Guide.

For information about DHCP snooping, DHCP relay, DHCPv6 snooping, and ND snooping, see Layer 3IP Services Configuration Guide.

DHCP-based dynamic binding entries

DHCP-based dynamic IP source guard binding entries are generated based on DHCP snooping entries or DHCP relay entries. They are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically adds the entry to allow the client to access the network. A user using an IP address not obtained through DHCP cannot access the network.

802.1X-based dynamic binding entries

When the network is using 802.1X, you can configure IP source guard to use 802.1X security entries to generate IP source guard binding entries. How the 802.1X security entries are generated depends on the clients' support for uploading IP addresses.

In addition, you can enable the 802.1X IP freezing function on the authentication port. The port saves the IP address of an authenticated 802.1X user in the binding entry and does not update the IP address. If the user changes the IP address, the port denies the user to access the network.