HP 5500 Ei 5500 Si Switch Series Configuration Guide
Configuring the IPv4 source guard function

You cannot enable IPv4 source guard on a link aggregation member port or a service loopback group. If IPv4 source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.

Configuring IPv4 source guard on a port

The IPv4 source guard function must be configured on a port before the port can obtain dynamic IPv4 source guard entries and use static and dynamic IPv4 source guard entries to filter packets.

• For how to configure a static binding entry, see Configuring a static IPv4 source guard entry.
• On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains the DHCP snooping entries generated during dynamic IP address allocation, and generates IP source guard entries accordingly.
• On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP relay entries generated during dynamic IP address allocation across network segments, and generates IP source guard entries accordingly.

Dynamic IPv4 source guard entries can contain such information as the MAC address, IP address, VLAN tag, ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address, IP address, or VLAN tag information may not be included depending on your configuration. IP source guard applies these entries to the port to filter packets.

To generate IPv4 binding entries dynamically based on DHCP entries, make sure that DHCP snooping or DHCP relay is configured and working normally. For information about DHCP snooping configuration and DHCP relay configuration, see Layer 3—IP Services Configuration Guide.

If you repeatedly configure the IPv4 source guard function on a port, only the last configuration takes effect.

To configure the IPv4 source guard function on a port:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: The term interface collectively refers to the following types of ports and interfaces: bridge mode (Layer 2) Ethernet ports, VLAN interfaces, and port groups.
Step 3. Configure IPv4 source guard on the port.
    Command: ip verify source { ip-address | ip-address mac-address | mac-address }
    Remarks: Not configured by default.

NOTE: Although dynamic IPv4 source guard entries are generated based on DHCP entries, the number of dynamic IPv4 source guard entries is not necessarily the same as that of the DHCP entries.
Configuring a static IPv4 source guard entry

Static IPv4 binding entries take effect only on the ports configured with the IPv4 source guard function (see Configuring IPv4 source guard on a port).

Port-based static IPv4 source guard entries and dynamic IPv4 source guard entries take precedence over global static IPv4 source guard entries. A port matches a packet against global static binding entries only when the packet does not match any port-based static binding entry or dynamic binding entry on the port.

Configuring global static IPv4 binding entries

A global static binding entry defines the IP address and MAC address of the packets that can be forwarded by ports. It takes effect on all ports of the device.

To configure a global static IPv4 binding entry:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure a global static IPv4 binding entry.
    Command: ip source binding ip-address ip-address mac-address mac-address
    Remarks: No global static IPv4 binding entry is configured by default.

Configuring port-based static IPv4 binding entries

Follow these guidelines to configure port-based static IPv4 source guard entries:

• You cannot repeatedly configure the same static binding entry on one port, but you can configure the same static entry on different ports.
• IP source guard does not use the VLAN information (if specified) in static IPv4 binding entries to filter packets.
• When the ARP detection function is configured, be sure to specify the VLAN where ARP detection is configured in static IPv4 binding entries. Otherwise, ARP packets are discarded because they cannot match any static IPv4 binding entry.
• If a static binding entry to be added denotes the same binding as an existing dynamic binding entry, the new static binding entry overwrites the dynamic binding entry.

To configure a static IPv4 binding entry on a port:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure a static IPv4 source guard entry on the port.
    Command: ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
    Remarks: By default, no static IPv4 binding entry is configured on a port.
Setting the maximum number of IPv4 source guard entries

The maximum number of IPv4 source guard entries is used to limit the total number of static and dynamic IPv4 source guard entries on a port. When the number of IPv4 binding entries on a port reaches the maximum, the port does not allow new IPv4 binding entries any more.

If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing IPv4 binding entries on the port, the maximum number can be configured successfully, and the existing entries are not affected. New IPv4 binding entries, however, cannot be added until the number of IPv4 binding entries on the port drops below the configured maximum.

To configure the maximum number of IPv4 binding entries allowed on a port:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure the maximum number of IPv4 binding entries allowed on the port.
    Command: ip verify source max-entries number
    Remarks: Optional. By default, the maximum number is 1500 on the HP 5500 EI series and 640 on the HP 5500 SI series.

Configuring the IPv6 source guard function

You cannot enable IPv6 source guard on a link aggregation member port or a service loopback port. If IPv6 source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.

Configuring IPv6 source guard on a port

The IPv6 source guard function must be configured on a port before the port can obtain dynamic IPv6 source guard entries and use static and dynamic IPv6 source guard entries to filter packets.

• For how to configure a static IPv6 binding entry, see Configuring a static IPv6 source guard entry.
• Cooperating with DHCPv6 snooping, IP source guard dynamically generates IP source guard entries based on the DHCPv6 snooping entries that are generated during dynamic IP address allocation.
• Cooperating with ND snooping, IP source guard dynamically generates IP source guard entries based on dynamic ND snooping entries.

Dynamic IPv6 source guard entries can contain such information as the MAC address, IPv6 address, VLAN tag, ingress port information and entry type (DHCPv6 snooping or ND snooping), where the MAC address, IPv6 address, and/or VLAN tag information may not be included depending on your configuration. IP source guard applies these entries to the port, so that the port can filter packets accordingly.

Follow these guidelines when you configure IPv6 source guard:

• If you repeatedly configure the IPv6 source guard function, only the last configuration takes effect.
• To obtain dynamic IPv6 source guard entries, make sure that DHCPv6 snooping or ND snooping is configured and works normally. For DHCPv6 and ND snooping configuration information, see Layer 3—IP Services Configuration Guide.
• If you configure both ND snooping and DHCPv6 snooping on the device, IPv6 source guard uses the type of entries that is generated first. Because DHCPv6 snooping entries are usually generated first in such a case, IPv6 source guard usually uses the DHCPv6 snooping entries to filter packets on a port.

To configure the IPv6 source guard function on a port:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view or port group view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure the IPv6 source guard function on the port.
    Command: ipv6 verify source { ipv6-address | ipv6-address mac-address | mac-address }
    Remarks: Not configured by default. The keyword specified in the ipv6 verify source command only instructs the generation of dynamic IPv6 source guard entries. It does not affect static binding entries: when using a static binding entry, a port does not take the keyword into consideration.

NOTE: Although dynamic IPv6 source guard entries are generated based on DHCPv6 entries, the number of dynamic IPv6 source guard entries is not necessarily the same as that of the DHCPv6 entries.

Configuring a static IPv6 source guard entry

Static IPv6 binding entries take effect only on ports configured with the IPv6 source guard function (see Configuring the IPv6 source guard function).

Port-based static IPv6 source guard entries and dynamic IPv6 source guard entries take precedence over global static IPv6 source guard entries. A port matches a packet against global static binding entries only when the packet does not match any port-based static binding entry or dynamic binding entry on the port.
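The rules stated in the sections above (the ip verify source keyword deciding which fields a dynamic entry carries, port-based static and dynamic entries taking precedence over global static entries, a static entry overwriting an identical dynamic entry, duplicates being rejected on one port, and the per-port maximum from ip verify source max-entries, stated identically for IPv4 and IPv6) can be exercised with a small Python model. This is an added example, not HP code or output from the switch: it replays the Device B scenario from the static IPv4 configuration example later in this chapter, and the class and method names, the port names and the extra MAC addresses used for the rejected packets are assumptions chosen for illustration.

```python
"""Model of the IP source guard binding rules documented in this guide (added example, not HP code)."""
from dataclasses import dataclass
from typing import Optional

# Documented default per-port maximum on the HP 5500 EI series (640 on the SI series).
DEFAULT_MAX_ENTRIES = 1500
MODES = ("ip-address", "ip-address mac-address", "mac-address")


@dataclass(frozen=True)
class Binding:
    """One source guard entry. A None field is a wildcard; VLAN is kept but never used for filtering."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, ip: str, mac: str) -> bool:
        return (self.ip is None or self.ip == ip) and (self.mac is None or self.mac == mac)

    def same_binding(self, other: "Binding") -> bool:
        return self.ip == other.ip and self.mac == other.mac


class SourceGuard:
    """Binding tables of one device: per-port mode, per-port static and dynamic entries, global static entries."""

    def __init__(self, default_max: int = DEFAULT_MAX_ENTRIES) -> None:
        self.mode: dict[str, str] = {}                    # port -> ip verify source keyword
        self.port_static: dict[str, list[Binding]] = {}
        self.port_dynamic: dict[str, list[Binding]] = {}
        self.max_entries: dict[str, int] = {}
        self.default_max = default_max
        self.global_static: list[Binding] = []

    def verify_source(self, port: str, mode: str) -> None:
        """ip verify source on a port; repeated configuration keeps only the last keyword."""
        if mode not in MODES:
            raise ValueError(f"unknown keyword: {mode}")
        self.mode[port] = mode

    def set_max_entries(self, port: str, n: int) -> None:
        """ip verify source max-entries: accepted even below the current count; existing entries stay."""
        self.max_entries[port] = n

    def entry_count(self, port: str) -> int:
        return len(self.port_static.get(port, [])) + len(self.port_dynamic.get(port, []))

    def _has_room(self, port: str) -> bool:
        return self.entry_count(port) < self.max_entries.get(port, self.default_max)

    def add_global_static(self, binding: Binding) -> None:
        self.global_static.append(binding)

    def add_port_static(self, port: str, binding: Binding) -> bool:
        """ip source binding on a port: reject a duplicate on the same port, overwrite an identical dynamic entry."""
        statics = self.port_static.setdefault(port, [])
        if any(binding.same_binding(s) for s in statics):
            return False
        dynamics = self.port_dynamic.get(port, [])
        dup = [d for d in dynamics if binding.same_binding(d)]
        if dup:
            dynamics.remove(dup[0])       # the static entry takes the dynamic entry's place
        elif not self._has_room(port):
            return False                  # port is at its maximum: no new entry
        statics.append(binding)
        return True

    def learn(self, port: str, ip: str, mac: str, vlan: int) -> bool:
        """Turn a DHCP snooping/relay entry into a dynamic entry; fields follow the port's keyword."""
        mode = self.mode.get(port)
        if mode is None or not self._has_room(port):
            return False                  # no source guard on the port, or the port is full
        binding = Binding(ip if "ip-address" in mode else None,
                          mac if "mac-address" in mode else None, vlan)
        self.port_dynamic.setdefault(port, []).append(binding)
        return True

    def permits(self, port: str, ip: str, mac: str) -> bool:
        """Port-based static and dynamic entries first; global static entries only when those miss."""
        if port not in self.mode:
            return True                   # source guard not configured: the port does not filter
        local = self.port_static.get(port, []) + self.port_dynamic.get(port, [])
        if any(b.matches(ip, mac) for b in local):
            return True
        return any(b.matches(ip, mac) for b in self.global_static)


def device_b_example() -> dict:
    """Replays the Device B part of the static IPv4 example and returns the forwarding decisions."""
    sg = SourceGuard()
    sg.verify_source("GE1/0/2", "ip-address mac-address")
    sg.add_port_static("GE1/0/2", Binding("192.168.0.1", "0001-0203-0406"))
    sg.verify_source("GE1/0/1", "ip-address")
    sg.add_port_static("GE1/0/1", Binding("192.168.0.2"))
    return {
        "host_a": sg.permits("GE1/0/2", "192.168.0.1", "0001-0203-0406"),
        "host_a_wrong_mac": sg.permits("GE1/0/2", "192.168.0.1", "0001-0203-0499"),   # constructed MAC
        "host_b_other_nic": sg.permits("GE1/0/1", "192.168.0.2", "00aa-bbcc-ddee"),   # constructed MAC
        "host_b_other_ip": sg.permits("GE1/0/1", "192.168.0.7", "00aa-bbcc-ddee"),
    }


if __name__ == "__main__":
    for name, allowed in device_b_example().items():
        print(f"{name:18} {'pass' if allowed else 'drop'}")
```

The model makes the precedence and admission rules visible: a port with no keyword configured forwards everything, a port in ip-address mode accepts the bound address from any adapter (which is exactly what the Device B requirement asks for), and lowering max-entries below the current count succeeds without evicting anything but blocks further learning.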
Configuring global static IPv6 binding entries

A global static IPv6 binding entry defines the IPv6 address and MAC address of the packets that can be forwarded by ports. It takes effect on all ports of the device.

To configure a global static IPv6 binding entry:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure a global static IPv6 binding entry.
    Command: ipv6 source binding ipv6-address ipv6-address mac-address mac-address
    Remarks: No global static IPv6 binding entry is configured by default.

Configuring port-based static IPv6 binding entries

Follow these guidelines to configure port-based static IPv6 source guard entries:

• You cannot configure the same static binding entry on one port repeatedly, but you can configure the same static binding entry on different ports.
• In an IPv6 source guard entry, the MAC address cannot be all 0s, all Fs (a broadcast MAC address), or a multicast address, and the IPv6 address must be a unicast address and cannot be all 0s, all Fs, or a loopback address.
• IP source guard does not use the VLAN information (if specified) in static IPv6 binding entries to filter packets.
• When the ND detection function is configured, be sure to specify the VLAN where ND detection is configured in static binding entries. Otherwise, ND packets will be discarded because they cannot match any static IPv6 binding entry.
• If a static binding entry to be added denotes the same binding as an existing dynamic binding entry, the new static binding entry overwrites the dynamic binding entry.

To configure a static IPv6 source guard entry on a port:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure a static IPv6 binding entry on a port.
    Command: ipv6 source binding { ipv6-address ipv6-address | ipv6-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
    Remarks: By default, no static IPv6 binding entry is configured on a port.

Setting the maximum number of IPv6 source guard entries

The maximum number of IPv6 source guard entries is used to limit the total number of static and dynamic IPv6 source guard entries on a port.
When the number of IPv6 binding entries on a port reaches the maximum, the port does not allow new IPv6 binding entries any more. If the maximum number of IPv6 binding entries to be configured is smaller than the number of existing IPv6 binding entries on the port, the maximum number can be configured successfully, and the existing entries are not affected. New IPv6 binding entries, however, cannot be added until the number of IPv6 binding entries on the port drops below the configured maximum.

To configure the maximum number of IPv6 binding entries allowed on a port:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure the maximum number of IPv6 binding entries allowed on the port.
    Command: ipv6 verify source max-entries number
    Remarks: Optional. By default, the maximum number is 1500 on the HP 5500 EI series and 640 on the HP 5500 SI series.

Displaying and maintaining IP source guard

For IPv4 source guard:

Task: Display static IPv4 source guard entries.
    Command: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Display IPv4 source guard entries.
    Command: display ip source binding [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

For IPv6 source guard:

Task: Display static IPv6 source guard entries.
    Command: display ipv6 source binding static [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Display IPv6 source guard entries.
    Command: display ipv6 source binding [ interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

IP source guard configuration examples

Static IPv4 source guard configuration example

Network requirements

As shown in Figure 120, Host A and Host B are connected to ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/1 of Device B respectively, Host C is connected to port GigabitEthernet 1/0/2 of Device A, and Device B is connected to port GigabitEthernet 1/0/1 of Device A. All hosts use static IP addresses.

Configure static IPv4 source guard entries on Device A and Device B to meet the following requirements:

• On port GigabitEthernet 1/0/2 of Device A, only IP packets from Host C can pass.
• On port GigabitEthernet 1/0/1 of Device A, only IP packets from Host A can pass.
• On port GigabitEthernet 1/0/2 of Device B, only IP packets from Host A can pass.
• On port GigabitEthernet 1/0/1 of Device B, only IP packets sourced from 192.168.0.2/24 can pass. Host B can communicate with Host A by using this IP address even if it uses another network adapter.

Figure 120 Network diagram

Configuration procedure

1. Configure Device A:

# Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address.
system-view
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip verify source ip-address mac-address
# Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405
[DeviceA-GigabitEthernet1/0/2] quit
# Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Configure GigabitEthernet 1/0/1 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[DeviceA-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceA-GigabitEthernet1/0/1] quit

2. Configure Device B:
# Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
# Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceB-GigabitEthernet1/0/2] quit
# Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on the source IP address.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip verify source ip-address
# Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
[DeviceB-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.2
[DeviceB-GigabitEthernet1/0/1] quit

Verifying the configuration

# On Device A, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.
[DeviceA] display ip source binding static
Total entries found: 2
MAC Address       IP Address      VLAN  Interface  Type
0001-0203-0405    192.168.0.3     N/A   GE1/0/2    Static
0001-0203-0406    192.168.0.1     N/A   GE1/0/1    Static
# On Device B, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.
[DeviceB] display ip source binding static
Total entries found: 2
MAC Address       IP Address      VLAN  Interface  Type
0001-0203-0406    192.168.0.1     N/A   GE1/0/2    Static
N/A               192.168.0.2     N/A   GE1/0/1    Static

Dynamic IPv4 source guard using DHCP snooping configuration example

Network requirements

As shown in Figure 121, the device connects to the host (client) and the DHCP server through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. The host obtains an IP address from the DHCP server.

Enable DHCP snooping on the device to record the DHCP snooping entry of the host. Enable the IPv4 source guard function on the device’s port GigabitEthernet 1/0/1 to filter packets based on the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.

Figure 121 Network diagram

Configuration procedure

1. Configure DHCP snooping.

# Enable DHCP snooping.
system-view
[Device] dhcp-snooping
# Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
[Device] interface gigabitethernet1/0/2
[Device-GigabitEthernet1/0/2] dhcp-snooping trust
[Device-GigabitEthernet1/0/2] quit

2. Configure the IPv4 source guard function.

# Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet1/0/1
[Device-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the IPv4 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ip source binding
Total entries found: 1
MAC Address       IP Address      VLAN  Interface  Type
0001-0203-0406    192.168.0.1     1     GE1/0/1    DHCP-SNP
# Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated on GigabitEthernet 1/0/1.
[Device] display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static , R--Recovering
Type IP Address      MAC Address    Lease        VLAN SVLAN Interface
==== =============== ============== ============ ==== ===== =================
D    192.168.0.1     0001-0203-0406 86335        1    N/A   GigabitEthernet1/0/1
--- 1 dhcp-snooping item(s) found ---
The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP snooping entry.
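The consistency check in the verification step above (comparing display ip source binding with display dhcp-snooping) is worth automating when auditing many switches, because the NOTE earlier in this chapter warns that the two tables need not have the same number of entries. The following Python parser is an added example, not HP code: it runs on constructed sample output that mirrors the format shown above, with an extra DHCP-SNP row (192.168.0.7) and an extra snooping row (192.168.0.9) invented to exercise both mismatch paths; the function and constant names are assumptions.

```python
"""Cross-check display ip source binding against display dhcp-snooping (added example, not HP code)."""
import re

# Constructed sample output modelled on the two display commands above; not captured from a device.
# The 192.168.0.7 and 192.168.0.9 rows are invented to exercise the two mismatch paths.
SAMPLE_SOURCE_BINDING = """\
Total entries found: 3
MAC Address       IP Address      VLAN  Interface  Type
0001-0203-0406    192.168.0.1     1     GE1/0/1    DHCP-SNP
0001-0203-0407    192.168.0.7     1     GE1/0/1    DHCP-SNP
0001-0203-0405    192.168.0.3     N/A   GE1/0/2    Static
"""

SAMPLE_DHCP_SNOOPING = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static , R--Recovering
Type IP Address      MAC Address    Lease        VLAN SVLAN Interface
==== =============== ============== ============ ==== ===== =================
D    192.168.0.1     0001-0203-0406 86335        1    N/A   GigabitEthernet1/0/1
D    192.168.0.9     0001-0203-0409 86300        1    N/A   GigabitEthernet1/0/1
--- 2 dhcp-snooping item(s) found ---
"""

MAC = r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Header, separator and summary lines do not match these row patterns, so they are skipped.
GUARD_ROW = re.compile(rf"^\s*({MAC}|N/A)\s+({IPV4}|N/A)\s+(\d+|N/A)\s+(\S+)\s+(\S+)\s*$")
SNOOP_ROW = re.compile(rf"^\s*([DSR])\s+({IPV4})\s+({MAC})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def short_ifname(name: str) -> str:
    """display ip source binding abbreviates GigabitEthernet1/0/1 to GE1/0/1; normalise to that form."""
    return "GE" + name[len("GigabitEthernet"):] if name.startswith("GigabitEthernet") else name


def parse_source_binding(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = GUARD_ROW.match(line)
        if m:
            mac, ip, vlan, ifname, etype = m.groups()
            rows.append({"mac": None if mac == "N/A" else mac.lower(),
                         "ip": None if ip == "N/A" else ip,
                         "vlan": None if vlan == "N/A" else int(vlan),
                         "interface": ifname, "type": etype})
    return rows


def parse_dhcp_snooping(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = SNOOP_ROW.match(line)
        if m:
            etype, ip, mac, lease, vlan, _svlan, ifname = m.groups()
            rows.append({"type": etype, "ip": ip, "mac": mac.lower(), "lease": int(lease),
                         "vlan": int(vlan), "interface": short_ifname(ifname)})
    return rows


def explained_by(guard: dict, snoop: dict) -> bool:
    """A dynamic guard entry is explained by a snooping entry on the same port that agrees on every
    field the guard entry carries (a port in ip-address mode has no MAC to compare)."""
    return guard["interface"] == snoop["interface"] and all(
        guard[f] is None or guard[f] == snoop[f] for f in ("ip", "mac", "vlan"))


def cross_check(guard_text: str, snoop_text: str) -> dict:
    """Report DHCP-SNP entries with no snooping entry (stale) and snooping entries with no guard entry."""
    dynamic = [g for g in parse_source_binding(guard_text) if g["type"] == "DHCP-SNP"]
    snoop = parse_dhcp_snooping(snoop_text)
    return {
        "dynamic_entries": len(dynamic),
        "snooping_entries": len(snoop),
        "stale_guard": [g["ip"] for g in dynamic if not any(explained_by(g, s) for s in snoop)],
        "unguarded_snooping": [s["ip"] for s in snoop if not any(explained_by(g, s) for g in dynamic)],
    }


if __name__ == "__main__":
    for key, value in cross_check(SAMPLE_SOURCE_BINDING, SAMPLE_DHCP_SNOOPING).items():
        print(f"{key}: {value}")
```

Both lists are worth looking at: a stale DHCP-SNP entry means a port still admits an address whose lease is gone, and a snooping entry with no guard entry means a client that will be dropped on that port until source guard picks the binding up, which is the situation the NOTE about unequal entry counts describes.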
Dynamic IPv4 source guard using DHCP relay configuration example

Network requirements

As shown in Figure 122, the host and the DHCP server are connected to the switch through interfaces VLAN-interface 100 and VLAN-interface 200 respectively. DHCP relay is enabled on the switch. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP server through the DHCP relay agent.

Enable the IPv4 source guard function on the switch’s VLAN-interface 100 to filter packets based on the DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to pass.

Figure 122 Network diagram

Configuration procedure

1. Configure the IPv4 source guard function:

# Configure the IP addresses of the interfaces. (Details not shown.)
# Configure the IPv4 source guard function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.
system-view
[Switch] vlan 100
[Switch-Vlan100] quit
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip verify source ip-address mac-address
[Switch-Vlan-interface100] quit

2. Configure the DHCP relay agent:

# Enable the DHCP service.
[Switch] dhcp enable
# Configure the IP address of the DHCP server.
[Switch] dhcp relay server-group 1 ip 10.1.1.1
# Configure VLAN-interface 100 to operate in DHCP relay mode.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] dhcp select relay
# Correlate VLAN-interface 100 with DHCP server group 1.
[Switch-Vlan-interface100] dhcp relay server-select 1
[Switch-Vlan-interface100] quit

Verifying the configuration

# Display the generated IPv4 source guard entries.
[Switch] display ip source binding