Dynamic IPSG bindings
IPSG automatically obtains user information from other modules to generate dynamic bindings. A dynamic IPSG binding can contain MAC address, IPv4 or IPv6 address, VLAN tag, ingress interface, and binding type. The binding type identifies the source module for the binding, such as DHCP snooping, DHCPv6 snooping, DHCP relay agent, or DHCPv6 relay agent.
For example, DHCP-based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP. IPSG is configured on the DHCP server, the DHCP snooping device, or the DHCP relay agent. It generates dynamic bindings based on the client bindings on the DHCP server, the DHCP snooping entries, or the DHCP relay entries. IPSG allows only packets from the DHCP clients to pass through.
Dynamic IPv4SG
Dynamic bindings generated based on different source modules are for different usages:
Interface types | Source modules | Binding usage |
|---|---|---|
Layer 2 Ethernet interface | DHCP snooping 802.1X | Packet filtering. |
ARP snooping | For cooperation with modules (such as the ARP attack detection module) to provide security services. | |
Layer 3 Ethernet interface VLAN interface | DHCP relay agent | Packet filtering. |
DHCP server | For cooperation with modules (such as the authorized ARP module) to provide security services. | |
ARP flood suppression | Reporting bindings to the controller to provide online and offline user information. |
For more information about 802.1X, see "Configuring 802.1X." For more information about ARP flood suppression, see VXLAN Configuration Guide. For information about ARP snooping, DHCP snooping, DHCP relay, and DHCP server, see Layer 3—IP Services Configuration Guide.
Dynamic IPv6SG
Dynamic IPv6SG bindings generated based on the following source modules are for packet filtering:
Interface types | Source modules | Binding usage |
|---|---|---|
Layer 2 Ethernet interface | DHCPv6 snooping ND snooping 802.1X | Packet filtering. |
Layer 3 Ethernet interface VLAN interface | DHCPv6 relay agent | Packet filtering. |
ND flood suppression | Reporting bindings to the controller to provide online and offline user information. |
For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide. For more information about ND snooping, see IPv6 basics configuration in Layer 3—IP Services Configuration Guide. For more information about DHCPv6 relay agent, see Layer 3—IP Services Configuration Guide. For more information about ND flood suppression, see VXLAN Configuration Guide.