Hi,
I am not sure if I can explain Comware's IP source guard better than it is explained in the configuration guide, but in two words: it works with the DHCP snooping database on the switch and uses the database as the source of valid MAC-IP-Port binding records. If a frame coming to a port with this feature enabled has a valid combination of source MAC and source IP, and comes to the expected port, then it is allowed. If any of these parameters doesn't match, the frame is dropped. There are specifics to how it works when enabled on a VLAN or on a Layer 2 port directly, but everything is in the guide, so there is no need to duplicate those details here.
The AOS-CX platform has a feature that works in a similar way; it is called "IP Source Lockdown". You can read more about it in the "IP Services" guide for the respective platform:
https://www.arubanetworks.com/techdocs/AOS-CX/10.10/PDF/ip_services_4100i-6000-6100.pdf
------------------------------
Ivan Bondar
------------------------------
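The binding check described in the reply above, sketched as a simplified Python model (an added example, not code from the thread or from any switch firmware). The port names, MAC and IP addresses are constructed, and keying the table by source IP is an assumption made for brevity.

```python
from typing import NamedTuple

class Binding(NamedTuple):
    mac: str
    ip: str
    port: str

class Frame(NamedTuple):
    src_mac: str
    src_ip: str
    in_port: str

def norm_mac(mac: str) -> str:
    """Normalise 00:11:22:AA:BB:01 / 0011-22aa-bb01 style MACs to bare lowercase hex."""
    return mac.lower().replace(":", "").replace("-", "").replace(".", "")

def build_table(leases):
    """Model of the DHCP snooping database: one binding per snooped lease."""
    return {ip: Binding(norm_mac(mac), ip, port) for mac, ip, port in leases}

def check(table, frame, guarded_ports):
    """Return (allowed, reason) for a frame, as a guarded port would decide."""
    if frame.in_port not in guarded_ports:
        return True, "port not guarded"
    b = table.get(frame.src_ip)
    if b is None:
        return False, "no binding for source IP"        # e.g. a static address
    if b.mac != norm_mac(frame.src_mac):
        return False, "source MAC does not match binding"
    if b.port != frame.in_port:
        return False, "binding belongs to another port"
    return True, "matches binding"

# Constructed sample data: two leases snooped on access ports, uplink unguarded.
TABLE = build_table([
    ("00:11:22:aa:bb:01", "10.0.10.21", "1/1/1"),
    ("0011-22aa-bb02", "10.0.10.22", "1/1/2"),
])
GUARDED = {"1/1/1", "1/1/2", "1/1/3"}

if __name__ == "__main__":
    for f in [
        Frame("00:11:22:AA:BB:01", "10.0.10.21", "1/1/1"),   # DHCP client
        Frame("00:11:22:aa:bb:09", "10.0.10.200", "1/1/3"),  # static IP, never leased
        Frame("00:11:22:aa:bb:09", "10.0.10.21", "1/1/3"),   # someone else's lease
        Frame("00:11:22:aa:bb:02", "10.0.10.22", "1/1/1"),   # right host, wrong port
    ]:
        print(f, check(TABLE, f, GUARDED))
```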
Original Message:
Sent: Dec 30, 2022 03:15 AM
From: Winston Lee
Subject: Aruba 6000 switch Port Security setting to prevent user setting static ip
I also found the IP source guard configuration information in the HPE 5120 configuration document. You can jump to page 1075. I need to fix the syntax string in the original post. The syntax of IP source guard for the HPE 5120 is "ip verify source ip-address mac-address"
https://techlibrary.hpe.com/device_help/H3C-Manuals/5120/5120-Configuration-Guide(R2215).pdf
#IP Source Guard
Original Message:
Sent: Dec 30, 2022 03:08 AM
From: Winston Lee
Subject: Aruba 6000 switch Port Security setting to prevent user setting static ip
To achieve the purpose of preventing users from using unauthorized static IP addresses to access the switch, the name of the switch IP security feature is IP source guard. I found the reference documents from Huawei, Aruba WIFI controller and Cisco IOS switch. If you know whether the CX6000 has the IP source guard feature and how to configure it, please kindly let me know. If the CX6000 doesn't have the feature, please also share that information. Thank you.
Here are the reference documents from Huawei, Aruba WIFI controller and Cisco IOS switch.
https://support.huawei.com/enterprise/en/doc/EDOC1000091883/dd13b282/how-to-prevent-users-from-using-unauthorized-static-ip-addresses-to-access-the-switch
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=68fa4c07-f60d-4f3e-b92a-f18c2506bb21
https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/ipsrcgrd.html
Original Message:
Sent: Dec 29, 2022 06:26 AM
From: Winston Lee
Subject: Aruba 6000 switch Port Security setting to prevent user setting static ip
I saw one setting in HPE 5120 interface as the following. Could you explain the function of the setting?
interface GigabitEthernet1/0/1
ip check source ip-address mac-address
I want to set up port security on the Aruba 6000 to restrict the clients so that they can only use DHCP and cannot use a static IP. Does the Aruba 6000 have this feature, and how do I set it up? Thanks.
#Aruba 6000
#HPE 5120