Global static binding entry
A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all
ports. A port forwards a packet when the packet’s IP address and MAC address both match those of a
global static binding entry or a static binding entry configured on the port.
Global static binding entries protect against host spoofing attacks, in which an attacker exploits the IP
address or MAC address of a legitimate user host.
Port-based static binding entry
A port-based static binding entry binds an IP address, a MAC address, or any combination of the two with
a port. Such an entry is effective only on the specified port. A port forwards a packet only when the IP
address and MAC address of the packet match those in a static binding entry on the port or in a global
static binding entry. All other packets are dropped.
Port-based static binding entries are used to check the validity of users who are trying to access a port.
Dynamic IP source guard binding entries
IP source guard can automatically obtain user information from other modules to generate IP source
guard binding entries.
• Dynamic IPv4 source guard entries can be generated based on 802.1X, DHCP snooping, or DHCP
  relay entries.
• Dynamic IPv6 source guard entries can be generated based on DHCPv6 snooping or ND snooping
  entries.
DHCP-based dynamic IP source guard entries are generated according to DHCP snooping entries or
DHCP relay entries. They are suitable for scenarios where many hosts reside on a LAN and obtain IP
addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard automatically
adds the entry to allow the client to access the network. A user using an IP address not obtained through
DHCP cannot access the network.
When users are using 802.1X, you can configure IP source guard to use 802.1X security entries to
generate IP source guard entries. How the 802.1X security entries are generated depends on the clients'
support for uploading IP addresses.
• If the 802.1X clients support uploading IP addresses, the switch creates 802.1X security entries after
  the IP addresses are uploaded.
• If the 802.1X clients do not support uploading IP addresses, the switch creates 802.1X security
  entries based on DHCP snooping or ARP snooping. Make sure DHCP snooping or ARP snooping
  is configured in your network.
In addition, enable the 802.1X IP freezing function on the authentication port. The port saves the IP
address of an authenticated 802.1X user in the binding entry and does not update the IP address. If the
user changes the IP address, the port denies the user access to the network.
For more information about 802.1X, see Security Configuration Guide.
For information about DHCP snooping, DHCP relay, DHCPv6 snooping, and ND snooping, see
Layer 3—IP Services Configuration Guide.
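The forwarding decision described in this section, modelled as an added Python example (not code from this guide or from the switch software). It assumes IP source guard is active on every port and that a field left out of a port-based entry is not compared; the class and method names, port names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None    # None: field is not compared (assumption)
    mac: Optional[str] = None
    port: Optional[str] = None  # None: global entry, effective on all ports
    origin: str = "static"      # "static", "dhcp" or "dot1x"

    def matches(self, port, ip, mac):
        return (self.port in (None, port) and self.ip in (None, ip)
                and self.mac in (None, mac.lower()))

class SourceGuard:
    def __init__(self):
        self.entries = []

    def add_global(self, ip, mac):
        # Global static entries are MAC-IP bindings: both fields required.
        self.entries.append(Binding(ip, mac.lower()))

    def add_port_static(self, port, ip=None, mac=None):
        if ip is None and mac is None:
            raise ValueError("port entry needs an IP, a MAC, or both")
        self.entries.append(Binding(ip, mac.lower() if mac else None, port))

    def on_dhcp_lease(self, port, ip, mac):
        # Dynamic entry generated from a DHCP snooping or relay entry.
        self.entries.append(Binding(ip, mac.lower(), port, "dhcp"))

    def on_dot1x_ip(self, port, ip, mac):
        # 802.1X entry with IP freezing: the saved IP is never updated.
        key = ("dot1x", port, mac.lower())
        if not any((e.origin, e.port, e.mac) == key for e in self.entries):
            self.entries.append(Binding(ip, mac.lower(), port, "dot1x"))

    def permits(self, port, ip, mac):
        # Forward only if an applicable entry matches; drop everything else.
        return any(e.matches(port, ip, mac) for e in self.entries)

def build_example():
    sg = SourceGuard()  # constructed sample data: documentation addresses
    sg.add_global("192.0.2.10", "00:11:22:33:44:55")
    sg.add_port_static("GE1/0/1", ip="192.0.2.20")
    sg.on_dhcp_lease("GE1/0/2", "192.0.2.30", "00:AA:BB:CC:DD:01")
    sg.on_dot1x_ip("GE1/0/3", "192.0.2.40", "00:AA:BB:CC:DD:02")
    sg.on_dot1x_ip("GE1/0/3", "192.0.2.41", "00:AA:BB:CC:DD:02")  # ignored
    return sg
```

Calling `build_example().permits(port, ip, mac)` shows the effect of each entry type: the global pair is accepted on any port, while a host on GE1/0/2 that keeps its DHCP-learned MAC but sets its own IP address is dropped.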
Configuration task list
Complete the following tasks to configure IPv4 source guard: