Configuring IPv4 source guard on an interface
The IPv4 source guard feature must be configured on an interface before the interface can obtain dynamic IPv4 source guard binding entries and use static and dynamic IPv4 source guard binding entries to filter packets.
For how to configure a static binding entry, see "Configuring a static IPv4 source guard binding entry."
On a Layer 2 Ethernet port, IP source guard can cooperate with DHCP snooping and 802.1X to generate IP source guard binding entries.
On a VLAN interface, IP source guard can cooperate with DHCP relay to generate IP source guard binding entries.
Dynamic IPv4 source guard binding entries can contain such information as the MAC address, IP address, VLAN tag, ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address, IP address, or VLAN tag information might not be included depending on your configuration. IP source guard applies these entries to the interface to filter packets.
To generate IPv4 binding entries dynamically based on DHCP entries, make sure that DHCP snooping or DHCP relay is configured and operating correctly. For information about DHCP snooping configuration and DHCP relay configuration, see Layer 3—IP Services Configuration Guide.
If you configure the IPv4 source guard feature multiple times on an interface, only the most recent configuration takes effect.
To configure the IPv4 source guard feature on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable 802.1X globally. | dot1x | Optional. By default, 802.1X is disabled globally. |
3. Enter interface view. | interface interface-type interface-number | The term "interface" collectively refers to the following types of ports and interfaces: Bridge mode (Layer 2) Ethernet ports, VLAN interfaces, and port groups. |
4. Enable 802.1X on the interface. | dot1x | Optional. By default, 802.1X is disabled on the interface. |
5. Enable the 802.1X IP freezing function. | dot1x user-ip freeze | Optional. By default, this function is disabled. A port saves the IP addresses of 802.1X users and updates the IP addresses if 802.1X users change their IP addresses. |
6. Enable the interface to generate 802.1X-based dynamic IPv4 source guard binding entries. | ip verify source dot1x | Optional. By default, an interface does not generate 802.1X-based dynamic IPv4 source guard binding entries. |
7. Configure IPv4 source guard on the interface. | ip verify source { ip-address \| ip-address mac-address \| mac-address } | Not configured by default. |

NOTE: Although dynamic IPv4 source guard binding entries are generated based on DHCP entries, the number of dynamic IPv4 source guard binding entries is not necessarily the same as that of the DHCP entries.
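
The following Python model is an added example, not code or output from the device or its documentation. It illustrates how the keyword chosen in step 7 determines which fields of a binding entry are compared when filtering, and that the most recent configuration on an interface is the one in effect. Assumptions: the class and function names, the port name GE1/0/1, and the addresses are constructed; the matching rules (an unconfigured port is not filtered, and an entry without a VLAN tag matches any VLAN) are a simplification.

```python
from dataclasses import dataclass
from typing import Optional

# Fields compared for each "ip verify source" keyword (simplified model).
MODES = {"ip-address": ("ip",), "mac-address": ("mac",),
         "ip-address mac-address": ("ip", "mac")}

@dataclass(frozen=True)
class Binding:
    port: str
    ip: str
    mac: str
    vlan: Optional[int]  # None = VLAN tag not recorded in the entry
    kind: str            # constructed labels: "dhcp-snooping", "dhcp-relay", "dot1x", "static"

class SourceGuard:
    def __init__(self):
        self.mode = {}      # port -> keyword currently in effect
        self.bindings = []

    def configure(self, port, keyword):
        if keyword not in MODES:
            raise ValueError(f"unknown keyword: {keyword}")
        self.mode[port] = keyword  # reconfiguring replaces the earlier setting

    def learn(self, binding):
        # Dynamic entries are only obtained on ports where the feature is configured.
        if binding.kind != "static" and binding.port not in self.mode:
            return False
        self.bindings.append(binding)
        return True

    def permits(self, port, src_ip, src_mac, vlan):
        if port not in self.mode:
            return True  # feature not configured: no source filtering
        want = {"ip": src_ip, "mac": src_mac.lower()}
        for b in self.bindings:
            if b.port != port or (b.vlan is not None and b.vlan != vlan):
                continue
            if all(getattr(b, f).lower() == want[f] for f in MODES[self.mode[port]]):
                return True
        return False

def demo():
    # Constructed sample: one DHCP snooping lease on a hypothetical port GE1/0/1.
    sg = SourceGuard()
    sg.configure("GE1/0/1", "ip-address mac-address")
    sg.learn(Binding("GE1/0/1", "192.0.2.10", "00:11:22:33:44:55", 10, "dhcp-snooping"))
    return sg
```

With the ip-address mac-address keyword, a packet from the leased MAC with a different source IP is dropped; after reconfiguring the same port with mac-address only, that packet is permitted, which shows why binding both fields is the stricter choice.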