Enabling IPv4 source guard on a port
The IPv4 source guard function must be enabled on a port before the port can obtain dynamic IPv4 source guard entries and use static and dynamic IPv4 source guard entries to filter packets.
For information about how to configure a static binding entry, see "Configuring a static IPv4 source guard entry."
On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains the DHCP snooping entries generated during dynamic IP address allocation, and generates IP source guard entries accordingly.
On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP relay entries generated during dynamic IP address allocation across network segments, and generates IP source guard entries accordingly.
Dynamic IPv4 source guard entries can contain the MAC address, IP address, VLAN tag, ingress port information, and entry type (DHCP snooping or DHCP relay). Depending on your configuration, the MAC address, IP address, or VLAN tag information might not be included. IP source guard applies these entries to the port to filter packets.
To generate IPv4 binding entries dynamically based on DHCP entries, make sure DHCP snooping or DHCP relay is configured and working normally. For information about DHCP snooping configuration and DHCP relay configuration, see Layer 3—IP Services Configuration Guide.
If you configure the IPv4 source guard function on a port multiple times, the most recent configuration takes effect.
To configure the IPv4 source guard function on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | Dynamic IPv4 source guard supports the following types of ports and interfaces: Layer 2 Ethernet ports, VLAN interfaces, and port groups. |
3. Enable IPv4 source guard on the port. | ip verify source { ip-address \| ip-address mac-address \| mac-address } | Disabled by default. The keyword specified in the ip verify source command is only for instructing the generation of dynamic IPv4 source guard entries. It does not affect static binding entries. When using a static binding entry, a port does not take the keyword into consideration. |

NOTE: Although dynamic IPv4 source guard entries are generated based on DHCP entries, the number of dynamic IPv4 source guard entries is not necessarily the same as that of the DHCP entries.
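The following Python model is an added example, not device code and not part of the original guide. It shows how the keyword given to ip verify source decides which fields a dynamic entry carries, while a static entry keeps its own fields. The record layout, function names, port names, and addresses are constructed, and the model assumes a packet is forwarded only when some entry on the ingress port matches every field that entry carries.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    port: str
    ip: Optional[str] = None   # None: field not included in the entry
    mac: Optional[str] = None
    vlan: Optional[int] = None
    kind: str = "static"       # or "dhcp-snooping" / "dhcp-relay"

def dynamic_entries(dhcp_records, port, keyword):
    """Derive dynamic entries for one port; the keyword picks the bound fields."""
    if keyword not in ("ip-address", "ip-address mac-address", "mac-address"):
        raise ValueError(f"unknown keyword: {keyword!r}")
    fields = keyword.split()
    return {
        Binding(port,
                r["ip"] if "ip-address" in fields else None,
                r["mac"] if "mac-address" in fields else None,
                r["vlan"], "dhcp-snooping")
        for r in dhcp_records if r["port"] == port
    }

def permitted(entries, port, src_ip, src_mac, vlan):
    """Forward only if one entry on the ingress port matches every field it carries."""
    def match(e):
        pairs = ((e.ip, src_ip), (e.mac, src_mac), (e.vlan, vlan))
        return e.port == port and all(w is None or w == g for w, g in pairs)
    return any(match(e) for e in entries)

# Constructed sample data (documentation addresses, hypothetical port names).
SNOOPING = [
    {"port": "GE1/0/1", "ip": "192.0.2.10", "mac": "0001-0203-0405", "vlan": 10},
    {"port": "GE1/0/2", "ip": "192.0.2.11", "mac": "0001-0203-0406", "vlan": 10},
]
# A static entry keeps its own fields whatever keyword the port uses.
STATIC = Binding("GE1/0/1", ip="192.0.2.50", mac="0001-0203-0aaa")

def demo():
    pkt = ("GE1/0/1", "192.0.2.10", "0001-0203-ffff", 10)         # leased IP, other MAC
    static_pkt = ("GE1/0/1", "192.0.2.50", "0001-0203-ffff", 10)  # static IP, other MAC
    ip_only = dynamic_entries(SNOOPING, "GE1/0/1", "ip-address") | {STATIC}
    ip_mac = dynamic_entries(SNOOPING, "GE1/0/1", "ip-address mac-address") | {STATIC}
    return permitted(ip_only, *pkt), permitted(ip_mac, *pkt), permitted(ip_only, *static_pkt)

print(demo())
```

In this model, binding only the IP address lets a frame with the leased IP and a different source MAC through, binding both fields drops it, and the static entry still enforces its MAC on a port configured with the ip-address keyword.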