Dynamic IP source guard binding entries
IP source guard can automatically obtain user information from other modules to generate IP source guard binding entries.
Dynamic IPv4 source guard binding entries can be generated based on 802.1X, DHCP snooping, or DHCP relay entries.
Dynamic IPv6 source guard binding entries can be generated based on DHCPv6 snooping or ND snooping entries.
For more information about 802.1X, see Security Configuration Guide.
For information about DHCP snooping, DHCP relay, DHCPv6 snooping, and ND snooping, see Layer 3—IP Services Configuration Guide.
DHCP-based dynamic binding entries
DHCP-based dynamic IP source guard binding entries are generated based on DHCP snooping entries or DHCP relay entries. They are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically adds the corresponding binding entry, which allows the client to access the network. A user using an IP address not obtained through DHCP cannot access the network.
802.1X-based dynamic binding entries
When the network is using 802.1X, you can configure IP source guard to use 802.1X security entries to generate IP source guard binding entries. How the 802.1X security entries are generated depends on the clients' support for uploading IP addresses.
If the 802.1X clients support uploading IP addresses, the switch creates 802.1X security entries after the IP addresses are uploaded.
If the 802.1X clients do not support uploading IP addresses, the switch creates 802.1X security entries based on DHCP snooping. Make sure DHCP snooping is configured on the switch.
In addition, you can enable the 802.1X IP freezing function on the authentication port. The port saves the IP address of an authenticated 802.1X user in the binding entry and does not update the IP address. If the user changes the IP address, the port denies the user access to the network.
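
The following Python model is an added illustration, not the switch's implementation or code from this guide. It shows how DHCP-based dynamic binding entries and 802.1X IP freezing decide which packets a port forwards. The class and function names, the MAC-plus-IP match, and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SourceGuardPort:
    """Model of one port with IP source guard enabled (hypothetical names)."""
    ip_freezing: bool = False                     # 802.1X IP freezing on this port
    bindings: dict = field(default_factory=dict)  # MAC -> bound source IP

    def learn(self, mac, ip):
        """A source module (DHCP snooping, DHCP relay, 802.1X) reports a MAC/IP pair."""
        if self.ip_freezing and mac in self.bindings:
            return False          # frozen: keep the IP saved at authentication
        self.bindings[mac] = ip   # dynamic entry follows the source module
        return True

    def release(self, mac):
        """Assumption: the binding is removed when the source entry is removed."""
        self.bindings.pop(mac, None)

    def permits(self, mac, src_ip):
        """Forward only packets whose source MAC and IP match a binding entry."""
        return self.bindings.get(mac) == src_ip

def run_scenario():
    """Constructed sample hosts; addresses come from the documentation range."""
    host_a, host_b, host_c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    results = {}

    dhcp_port = SourceGuardPort()
    dhcp_port.learn(host_a, "192.0.2.10")                 # DHCP allocates an address
    results["dhcp_client"] = dhcp_port.permits(host_a, "192.0.2.10")
    results["changed_ip"] = dhcp_port.permits(host_a, "192.0.2.99")
    results["static_host"] = dhcp_port.permits(host_b, "192.0.2.20")  # never used DHCP
    dhcp_port.learn(host_a, "192.0.2.11")                 # new lease updates the entry
    results["new_lease"] = dhcp_port.permits(host_a, "192.0.2.11")
    results["old_lease"] = dhcp_port.permits(host_a, "192.0.2.10")
    dhcp_port.release(host_a)
    results["after_release"] = dhcp_port.permits(host_a, "192.0.2.11")

    frozen_port = SourceGuardPort(ip_freezing=True)
    frozen_port.learn(host_c, "192.0.2.30")               # saved at authentication
    results["frozen_update"] = frozen_port.learn(host_c, "192.0.2.31")
    results["frozen_new_ip"] = frozen_port.permits(host_c, "192.0.2.31")
    results["frozen_saved_ip"] = frozen_port.permits(host_c, "192.0.2.30")
    return results

if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:16} {'permit' if allowed else 'deny'}")
```

On the DHCP port the binding tracks the lease, so a renewed address replaces the old one. On the frozen port the address saved at authentication is the only one permitted.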