
Configure Port IP Source Guard Function

Configuration Condition

None

Configure Port IP Source Guard Function

After the port IP Source Guard function is enabled, the port's bound entries, both static and dynamic, are written to the chip, with the static bound entries written first. The IP packets received by the port are then subject to security control according to the entries written to the chip, which improves security.

Table 4-3 Configure the port IP Source Guard function

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | config terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enable the port IP Source Guard function | ip verify source | Mandatory. By default, the port IP Source Guard function is disabled. |

Note

  • After the port IP Source Guard function is enabled, the port's bound entries are written to the chip. The number of entries that can be written depends on the available chip entry resources. If the chip entry resources are used up and you need to add bound entries or enable the port IP Source Guard function on another port, first delete some existing bound entries to free chip entry resources.
  • If some port IP Source Guard bound entries cannot be written to the chip because the chip entry resources are insufficient, the system automatically tries to write them to the chip again every 60s until all the bound entries are written to the chip or deleted.
  • If the port IP Source Guard and global IP Source Guard functions are used at the same time, an IP packet received by the port must match the bound entries of both the port IP Source Guard and the global IP Source Guard to be forwarded. Otherwise, it is dropped.
  • Before enabling the port IP Source Guard function, if the terminal device connected to the port is not a DHCP client, or it is a DHCP client but the local device has not enabled the DHCP Snooping function, configure the MAC address, IP address and VLAN ID of the terminal device as a port IP Source Guard static bound entry, so that the terminal device can still communicate normally after the function is enabled. For the DHCP Snooping function, refer to the DHCP Snooping chapter of the configuration manual.
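
The behaviour described in this section and its notes can be followed in a small Python model, added here as an illustration and not taken from the device's firmware or the vendor's manual. It assumes packets are matched on MAC address, IP address and VLAN ID (the fields of a static bound entry) and uses a constructed chip capacity of two entries; the `Binding` and `GuardedPort` names and all sample addresses are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    static: bool = False  # False: dynamic entry, e.g. learned by DHCP Snooping

@dataclass
class GuardedPort:
    chip_free: int                                # free chip entries (constructed figure)
    bindings: list = field(default_factory=list)  # configured or learned bound entries
    installed: set = field(default_factory=set)   # entries actually written to the chip
    enabled: bool = False

    def enable(self):
        self.enabled = True
        return self.sync()

    def sync(self):
        """One write attempt (the device retries every 60s); returns entries still pending."""
        pending = [b for b in self.bindings if b not in self.installed]
        pending.sort(key=lambda b: not b.static)  # stable sort: static entries first
        left = []
        for b in pending:
            if self.chip_free > 0:
                self.installed.add(b)
                self.chip_free -= 1
            else:
                left.append(b)
        return left

    def remove(self, b):
        """Delete a bound entry, freeing its chip resource if it was installed."""
        self.bindings.remove(b)
        if b in self.installed:
            self.installed.remove(b)
            self.chip_free += 1

    def permits(self, mac, ip, vlan):
        """Assumed match on MAC + IP + VLAN; a packet with no installed entry is dropped."""
        if not self.enabled:
            return True
        return any((b.mac, b.ip, b.vlan) == (mac, ip, vlan) for b in self.installed)

# Constructed sample entries (documentation address range)
PRINTER = Binding("00:11:22:33:44:55", "192.0.2.10", 10, static=True)
PC_A = Binding("00:11:22:33:44:66", "192.0.2.20", 10)
PC_B = Binding("00:11:22:33:44:77", "192.0.2.21", 10)
```

With a capacity of two, enabling the port installs `PRINTER` and `PC_A` and leaves `PC_B` pending, so `PC_B` is dropped until an entry is removed and the next write attempt succeeds.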