HP A 5120 Manual

    Figure 76 Network diagram for excluded port application in IP source guard global static binding 
     
     
     NOTE: 
    After you configure IPv4 or IPv6 global static binding entries on a switch, configure the uplink port of 
    the switch as an excluded port of global static binding to ensure packet forwarding between VLANs.  
    Dynamic IP source guard binding 
    Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP
    snooping or DHCP relay agent device. They are suitable for scenarios where many hosts reside on a LAN
    and obtain IP addresses through DHCP. Once DHCP allocates an IP address to a client, IP source guard
    automatically adds the client entry to allow the client to access the network. A user using an IP address
    not obtained through DHCP cannot access the network. Dynamic IPv6 source guard entries can also be
    obtained from client entries on the ND snooping device.
    • Dynamic IPv4 source guard binding generates IPv4 source guard binding entries dynamically based
      on DHCP snooping or DHCP relay entries to filter IPv4 packets received on a port.
    • Dynamic IPv6 source guard binding generates IPv6 source guard binding entries dynamically based
      on DHCPv6 snooping or ND snooping entries to filter IPv6 packets received on a port.
    NOTE:
    • For information about DHCP snooping and DHCP relay, see the Layer 3—IP Services Configuration Guide.
    • For information about DHCPv6 snooping, see the Layer 3—IP Services Configuration Guide.
    • For information about ND snooping, see the Layer 3—IP Services Configuration Guide.
    Configuring IPv4 source guard binding 
     
     NOTE: 
    You cannot configure the IP source guard function on a port in an aggregation group, nor can you add 
    a port configured with IP source guard to an aggregation group.
    Configuring a static IPv4 source guard binding entry 
    Follow these steps to configure a global static IPv4 source guard entry:
    1. Enter system view.
       Command: system-view
    2. Configure a global static IPv4 source guard binding entry.
       Command: user-bind ip-address ip-address mac-address mac-address
       Remarks: Required. No global static binding entry exists by default.
    3. Enter Layer 2 Ethernet port view.
       Command: interface interface-type interface-number
    4. Specify the uplink port as an excluded port of the global static binding entry.
       Command: user-bind uplink
       Remarks: Optional. By default, a port is not an excluded port. When you configure global static
       binding entries on a switch, specify the uplink port of the switch as an excluded port of the
       global static binding entries.
     
    Follow these steps to configure a port-based static IPv4 source guard binding entry:
    1. Enter system view.
       Command: system-view
    2. Enter Layer 2 Ethernet interface view.
       Command: interface interface-type interface-number
    3. Configure a static IPv4 source guard binding entry for the port.
       Command: user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
       Remarks: Required. No static IPv4 source guard binding entry exists on a port by default.
       The switch does not support the vlan vlan-id option.
     
    NOTE:
    • You cannot configure the same static binding entry on one port multiple times, but you can configure the
      same static entry on different ports.
    • In an IPv4 source guard binding entry, the MAC address cannot be all 0s, all Fs (a broadcast address), or a
      multicast address, and the IPv4 address can only be a Class A, Class B, or Class C address and can be neither
      127.x.x.x nor 0.0.0.0.
    Configuring the dynamic IPv4 source guard binding function 
    After the dynamic IPv4 source guard binding function is enabled on a port, IP source guard will generate
    binding entries dynamically through cooperation with DHCP protocols:
    • On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains
      the DHCP snooping entries generated during dynamic IP address allocation, and generates IP
      source guard entries accordingly.
    • On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP
      relay entries generated during dynamic IP address allocation across network segments, and
      generates IP source guard entries accordingly.
    Dynamic IPv4 source guard entries can contain such information as the MAC address, IP address, VLAN
    tag, ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address,
    IP address, or VLAN tag information may not be included depending on your configuration. IP source
    guard applies these entries to the port to filter packets.
    Follow these steps to configure the dynamic IPv4 source guard binding function:
    1. Enter system view.
       Command: system-view
    2. Enter interface view.
       Command: interface interface-type interface-number
    3. Configure the dynamic IPv4 source guard binding function.
       Command: ip check source { ip-address | ip-address mac-address | mac-address }
       Remarks: Required. Not configured by default.
     
    NOTE:
    • To implement dynamic IPv4 source guard binding in IP source guard, make sure that DHCP snooping or DHCP
      relay is configured and works normally. For DHCP configuration information, see the Layer 3—IP Services
      Configuration Guide.
    • If you configure dynamic IPv4 source guard binding on a port multiple times, the last configuration
      overwrites the previous configuration on the port.
    Configuring IPv6 source guard binding 
     
     NOTE: 
    You cannot configure the IP source guard function on a port in an aggregation group, nor can you add 
    a port configured with IP source guard to an aggregation group.  
    Configuring a static IPv6 source guard binding entry 
    Follow these steps to configure a global static IPv6 source guard entry:
    1. Enter system view.
       Command: system-view
    2. Configure a global static IPv6 source guard binding entry.
       Command: user-bind ipv6 ip-address ip-address mac-address mac-address
       Remarks: Required. No global static binding entry exists by default.
    3. Enter Layer 2 Ethernet port view.
       Command: interface interface-type interface-number
    4. Specify the uplink port as an excluded port of the global static binding entry.
       Command: user-bind uplink
       Remarks: Optional. By default, a port is not an excluded port. When you configure global static
       binding entries on a switch, specify the uplink port of the switch as an excluded port of the
       global static binding entries.
     
    Follow these steps to configure a port-based static IPv6 source guard binding entry:
    1. Enter system view.
       Command: system-view
    2. Enter Layer 2 Ethernet interface view.
       Command: interface interface-type interface-number
    3. Configure a static IPv6 source guard binding entry for the port.
       Command: user-bind ipv6 { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
       Remarks: Required. No static IPv6 source guard binding entry exists on a port by default.
       The switch does not support the vlan vlan-id option.
     
    NOTE:
    • You cannot configure the same static binding entry on one port repeatedly, but you can configure the same static
      binding entry on different ports.
    • In an IPv6 source guard binding entry, the MAC address cannot be all 0s, all Fs (a broadcast MAC address), or
      a multicast address, and the IPv6 address must be a unicast address and cannot be all 0s, all Fs, or a loopback
      address.
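The address rules in the IPv4 and IPv6 NOTEs above can be checked before any entry is typed into the switch. The following is an added example, not part of the manual: it validates planned bindings against those rules and emits the matching `user-bind` line. The function names and the plan list are assumptions made for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)


def mac_problem(mac):
    """Return why a MAC is not allowed in a binding entry, or None if it is fine."""
    if not MAC_RE.match(mac):
        return "MAC is not in xxxx-xxxx-xxxx form"
    value = int(mac.replace("-", ""), 16)
    if value == 0:
        return "MAC is all 0s"
    if value == 0xFFFFFFFFFFFF:
        return "MAC is all Fs (broadcast)"
    if (value >> 40) & 1:  # group bit of the first octet marks multicast
        return "MAC is a multicast address"
    return None


def ip_problem(ip):
    """Return why an IP is not allowed in a binding entry, or None if it is fine."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "not an IP address"
    if addr.version == 4:
        if int(addr) == 0:
            return "IPv4 address is 0.0.0.0"
        if addr.packed[0] == 127:
            return "IPv4 address is in 127.x.x.x"
        if addr.packed[0] >= 224:  # Class D and E start at 224
            return "IPv4 address is not Class A, B, or C"
        return None
    if int(addr) == 0:
        return "IPv6 address is all 0s"
    if int(addr) == (1 << 128) - 1:
        return "IPv6 address is all Fs"
    if addr.is_loopback:
        return "IPv6 address is the loopback address"
    if addr.is_multicast:
        return "IPv6 address is not unicast"
    return None


def binding_command(ip, mac):
    """Return (command, problems); command is None when the entry is rejected."""
    problems = [p for p in (ip_problem(ip), mac_problem(mac)) if p]
    if problems:
        return None, problems
    family = "ipv6 " if ipaddress.ip_address(ip).version == 6 else ""
    return f"user-bind {family}ip-address {ip} mac-address {mac}", []


# Constructed plan: the first entry comes from the manual's example, the rest are made up.
PLAN = [
    ("192.168.0.3", "0001-0203-0405"),
    ("127.0.0.1", "0001-0203-0406"),
    ("224.0.0.5", "0100-5e00-0005"),
    ("2001:db8::2", "0001-0203-0407"),
    ("::1", "ffff-ffff-ffff"),
]

if __name__ == "__main__":
    for ip, mac in PLAN:
        command, problems = binding_command(ip, mac)
        print(command if command else f"rejected {ip} {mac}: " + "; ".join(problems))
```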
    Configuring the dynamic IPv6 source guard binding function 
    With the dynamic IPv6 source guard binding function enabled on a Layer 2 port, IP source guard
    dynamically generates IP source guard entries through cooperation with DHCP snooping or ND
    snooping.
    • Cooperating with DHCPv6 snooping, IP source guard dynamically generates IP source guard entries
      based on the DHCPv6 snooping entries that are generated during dynamic IP address allocation.
    • Cooperating with ND snooping, IP source guard dynamically generates IP source guard entries
      based on dynamic ND snooping entries.
    Dynamic IPv6 source guard entries can contain such information as the MAC address, IPv6 address,
    VLAN tag, ingress port information and entry type (DHCPv6 snooping or ND snooping), where the MAC
    address, IPv6 address, and/or VLAN tag information may not be included depending on your
    configuration. IP source guard applies these entries to the port, so that the port can filter packets.
    Follow these steps to configure the dynamic IPv6 source guard binding function:
    1. Enter system view.
       Command: system-view
    2. Enter interface view.
       Command: interface interface-type interface-number
    3. Configure the dynamic IPv6 source guard binding function.
       Command: ip check source ipv6 { ip-address | ip-address mac-address | mac-address }
       Remarks: Required. Not configured by default.
     
    NOTE:
    • To implement dynamic IPv6 source guard binding, make sure that DHCPv6 snooping or ND snooping is
      configured and works normally. For DHCPv6 and ND snooping configuration information, see the Layer 3—IP
      Services Configuration Guide.
    • If you configure dynamic IPv6 source guard binding on a port multiple times, the last configuration
      overwrites the previous configuration on the port.
    • If you configure both ND snooping and DHCPv6 snooping on the device, IP source guard generates IP source
      guard entries based on the DHCPv6 snooping entries, which are usually generated first, to filter packets on a
      port.
    Displaying and maintaining IP source guard 
    For IPv4:
    • Display static IP source guard binding entries (available in any view):
      display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    • Display dynamic IP source guard binding entries (available in any view):
      display ip check source [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

    For IPv6:
    • Display static IPv6 source guard binding entries (available in any view):
      display user-bind ipv6 [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    • Display dynamic IPv6 source guard binding entries (available in any view):
      display ip check source ipv6 [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

    IP source guard configuration examples 
    Static IPv4 source guard binding entry configuration example 
    Network requirements 
    As shown in Figure 77, Host A and Host B are connected to ports GigabitEthernet 1/0/2 and
    GigabitEthernet 1/0/1 of Device B respectively, Host C is connected to port GigabitEthernet 1/0/2 of
    Device A, and Device B is connected to port GigabitEthernet 1/0/1 of Device A.
    Configure static IPv4 source guard binding entries on Device A and Device B to meet the following
    requirements:
    • On port GigabitEthernet 1/0/2 of Device A, only IP packets from Host C can pass.
    • On port GigabitEthernet 1/0/1 of Device A, only IP packets from Host A can pass.
    • On port GigabitEthernet 1/0/2 of Device B, only IP packets from Host A can pass.
    • On port GigabitEthernet 1/0/1 of Device B, only IP packets from Host B can pass.
    Figure 77 Network diagram for configuring static IPv4 source guard binding entries 
     
      
    Configuration procedure 
    1. Configure Device A
    # Configure the IP addresses of the interfaces (omitted).
    # Configure port GigabitEthernet 1/0/2 of Device A to allow only IP packets with the source MAC
    address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405
    [DeviceA-GigabitEthernet1/0/2] quit
    # Configure port GigabitEthernet 1/0/1 of Device A to allow only IP packets with the source MAC
    address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
    2. Configure Device B
    # Configure the IP addresses of the interfaces (omitted).
    # Configure port GigabitEthernet 1/0/2 of Device B to allow only IP packets with the source MAC
    address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
    <DeviceB> system-view
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
    [DeviceB-GigabitEthernet1/0/2] quit
    # Configure port GigabitEthernet 1/0/1 of Device B to allow only IP packets with the source MAC
    address of 0001-0203-0407 and the source IP address of 192.168.0.2 to pass.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.2 mac-address 0001-0203-0407
    Verification 
    # On Device A, display information about static IPv4 source guard binding entries. The output shows that
    the static IPv4 source guard binding entries are configured successfully.
    <DeviceA> display user-bind
    Total entries found: 2
     MAC Address       IP Address       VLAN   Interface                Type
     0001-0203-0405    192.168.0.3      N/A    GE1/0/2                  Static
     0001-0203-0406    192.168.0.1      N/A    GE1/0/1                  Static
    # On Device B, display information about static IPv4 source guard binding entries. The output shows that
    the static IPv4 source guard binding entries are configured successfully.
    <DeviceB> display user-bind
    Total entries found: 2
     MAC Address       IP Address       VLAN   Interface                Type
     0001-0203-0406    192.168.0.1      N/A    GE1/0/2                  Static
     0001-0203-0407    192.168.0.2      N/A    GE1/0/1                  Static
    Global static binding excluded port configuration example 
    Network requirements 
    As shown in Figure 78, Host A and Host B connect to access switch Device B, and Device B connects to
    distribution switch Device A. Host A is in VLAN 10, and its gateway IP address is 192.168.0.1, which is
    the IP address of VLAN interface 1 on Device A. Host B is in VLAN 20, and its gateway IP address is
    192.168.1.1, which is the IP address of VLAN interface 2 on Device A. Device B has VLANs but not IP
    addresses configured. Host A and Host B communicate with each other through Device A.
    Configure Device B to satisfy the following requirements:
    • Device B can filter IP packets from any host that spoofs Host A or Host B.
    • Device B forwards packets between Host A and Host B.
    Figure 78 Network diagram for configuring global static binding excluded port 
     
    Configuration procedure 
    Configure Device B
    # Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10.
    <DeviceB> system-view
    [DeviceB] vlan 10
    [DeviceB-vlan10] port gigabitethernet 1/0/2
    [DeviceB-vlan10] quit
    # Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20.
    [DeviceB] vlan 20
    [DeviceB-vlan20] port gigabitethernet 1/0/3
    [DeviceB-vlan20] quit
    # Specify port GigabitEthernet 1/0/1 as a trunk port, and configure the port to permit the packets of
    VLAN 10 and VLAN 20 to pass.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 10 20
    [DeviceB-GigabitEthernet1/0/1] quit
    # Configure global static bindings to filter IP packets from any host that spoofs Host A or Host B by using the
    IP or MAC address of Host A or Host B.
    [DeviceB] user-bind ip-address 192.168.0.2 mac-address 0001-0203-0406
    [DeviceB] user-bind ip-address 192.168.1.2 mac-address 0001-0203-0407
    # Specify GigabitEthernet 1/0/1 as a global static binding excluded port.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] user-bind uplink
    [DeviceB-GigabitEthernet1/0/1] quit
    Verify the configuration 
    # Display the IP source guard bindings on Device B.
    [DeviceB] display user-bind 
    Total entries found: 2 
     MAC Address       IP Address       VLAN   Interface            Type 
     0001-0203-0406    192.168.0.2      N/A    N/A                  Static 
     0001-0203-0407    192.168.1.2      N/A    N/A                  Static 
    Host A and Host B can ping each other. 
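Why the uplink has to be excluded, shown as an added model that is not part of the manual: traffic routed by Device A comes back to Device B carrying a host's source IP but Device A's source MAC, which looks exactly like a spoofed packet. The matching rule coded here is an assumption (forward when IP and MAC match one entry, drop when only one of them belongs to an entry, forward when neither does); Device A's MAC and the 0001-0203-0999 host are constructed values.

```python
from dataclasses import dataclass

# Global static bindings configured on Device B in the example above (IP -> MAC).
BINDINGS = {"192.168.0.2": "0001-0203-0406", "192.168.1.2": "0001-0203-0407"}
DEVICE_A_MAC = "000f-e200-0001"  # constructed: source MAC of packets routed by Device A


@dataclass(frozen=True)
class Packet:
    note: str
    port: str      # ingress port on Device B
    src_ip: str
    src_mac: str


def verdict(pkt, bindings, excluded_ports):
    """Model of the global static binding check on one ingress packet."""
    if pkt.port in excluded_ports:
        return "forward"  # assumption: global bindings are not applied on an excluded port
    ip_bound = pkt.src_ip in bindings
    mac_bound = pkt.src_mac in bindings.values()
    if ip_bound and bindings[pkt.src_ip] == pkt.src_mac:
        return "forward"  # IP and MAC match the same entry
    if ip_bound or mac_bound:
        return "drop"     # a bound IP or MAC used without its partner
    return "forward"      # assumption: hosts that appear in no entry are not filtered


# Constructed sample traffic for the Figure 78 topology.
PACKETS = [
    Packet("Host A to its gateway", "GE1/0/2", "192.168.0.2", "0001-0203-0406"),
    Packet("other host using Host A's IP", "GE1/0/3", "192.168.0.2", "0001-0203-0999"),
    Packet("Host A to Host B after routing on Device A", "GE1/0/1", "192.168.0.2", DEVICE_A_MAC),
    Packet("upstream host using Host B's IP", "GE1/0/1", "192.168.1.2", "0001-0203-0999"),
]


def evaluate(excluded_ports):
    """Return the verdict for every sample packet, in order."""
    return [verdict(p, BINDINGS, excluded_ports) for p in PACKETS]


if __name__ == "__main__":
    for label, excluded in (("no excluded port", set()), ("user-bind uplink on GE1/0/1", {"GE1/0/1"})):
        print(label)
        for pkt, result in zip(PACKETS, evaluate(excluded)):
            print(f"  {result:8} {pkt.port:8} {pkt.note}")
```

The last packet is the cost of the exclusion: under this model nothing arriving on the uplink is checked against the global bindings, so source filtering for that direction has to be done on Device A.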
    Dynamic IPv4 source guard binding by DHCP snooping configuration example
    Network requirements
    As shown in Figure 79, the device connects to the host (client) and the DHCP server through ports
    GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively.
    Enable DHCP and DHCP snooping on the device, so that the host (with the MAC address of 0001-0203-0406)
    can obtain an IP address through the DHCP server and the IP address and the MAC address of
    the host can be recorded in a DHCP snooping entry.
    Enable the dynamic IPv4 source guard binding function on port GigabitEthernet 1/0/1 of the device,
    allowing only packets from a client that obtains an IP address through the DHCP server to pass.
    NOTE:
    For detailed configuration of a DHCP server, see the Layer 3—IP Services Configuration Guide.
    Figure 79 Network diagram for configuring dynamic IPv4 source guard binding by DHCP snooping 
     
     
    Configuration procedure 
    1. Configure DHCP snooping
    # Configure IP addresses for the interfaces. (details not shown)
    # Enable DHCP snooping.
    <Device> system-view
    [Device] dhcp-snooping
    # Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
    [Device] interface gigabitethernet1/0/2
    [Device-GigabitEthernet1/0/2] dhcp-snooping trust
    [Device-GigabitEthernet1/0/2] quit
    2. Configure the dynamic IPv4 source guard binding function
    # Configure the dynamic IPv4 source guard binding function on port GigabitEthernet 1/0/1 to filter
    packets based on both the source IP address and MAC address.
    [Device] interface gigabitethernet1/0/1
    [Device-GigabitEthernet1/0/1] ip check source ip-address mac-address
    [Device-GigabitEthernet1/0/1] quit
    Verification 
    # Display the dynamic IPv4 source guard binding entries generated on port GigabitEthernet 1/0/1. 
    [Device-GigabitEthernet1/0/1] display ip check source 
    Total entries found: 1 
     MAC Address       IP Address       VLAN   Interface             Type 
     0001-0203-0406    192.168.0.1      1      GE1/0/1               DHCP-SNP 
    # Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated
    on GigabitEthernet 1/0/1.
    [Device-GigabitEthernet1/0/1] display dhcp-snooping 
    DHCP Snooping is enabled. 
    The client binding table for all untrusted ports. 
    Type : D--Dynamic , S--Static 
    Type IP Address      MAC Address    Lease        VLAN Interface 
    ==== =============== ============== ============ ==== ================= 
    D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet1/0/1 
    The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP
    snooping entry.
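The consistency check described in the verification step can be automated over saved command output. This added example is not part of the manual: it parses the two tables shown above and reports entries present in one but not the other. It assumes the port is configured with `ip check source ip-address mac-address` as in this example; the second snooping row and all function names are constructed.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# Row of "display ip check source": MAC, IP, VLAN, interface, type.
GUARD_ROW = re.compile(rf"^\s*({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)
# Row of "display dhcp-snooping": type, IP, MAC, lease, VLAN, interface.
SNOOP_ROW = re.compile(rf"^\s*([DS])\s+(\S+)\s+({MAC})\s+(\S+)\s+(\d+)\s+(\S+)\s*$", re.I)

GUARD_OUTPUT = """\
Total entries found: 1
 MAC Address       IP Address       VLAN   Interface             Type
 0001-0203-0406    192.168.0.1      1      GE1/0/1               DHCP-SNP
"""

# The first data row is the manual's output; the second is constructed for the example.
SNOOP_OUTPUT = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet1/0/1
D    192.168.0.9     0001-0203-0409 86011        1    GigabitEthernet1/0/3
"""


def short_port(name):
    """Map the long interface name to the abbreviated form used in the guard table."""
    return name.replace("GigabitEthernet", "GE")


def guard_entries(text, entry_type="DHCP-SNP"):
    """Return {(mac, ip, vlan, port)} for source guard entries of the given type."""
    found = set()
    for line in text.splitlines():
        m = GUARD_ROW.match(line)
        if m and m.group(5) == entry_type:
            mac, ip, vlan, port, _ = m.groups()
            found.add((mac.lower(), ip, vlan, short_port(port)))
    return found


def snooping_entries(text):
    """Return {(mac, ip, vlan, port)} for the DHCP snooping client binding table."""
    found = set()
    for line in text.splitlines():
        m = SNOOP_ROW.match(line)
        if m:
            _, ip, mac, _lease, vlan, port = m.groups()
            found.add((mac.lower(), ip, vlan, short_port(port)))
    return found


def compare(guard_text, snoop_text):
    """Split entries into consistent ones and those missing on either side."""
    guard, snoop = guard_entries(guard_text), snooping_entries(snoop_text)
    return {
        "consistent": sorted(guard & snoop),
        # Clients learned by snooping on a port with no guard entry for them.
        "snooped_but_not_guarded": sorted(snoop - guard),
        # Guard entries whose snooping entry is no longer present.
        "guarded_but_not_snooped": sorted(guard - snoop),
    }


if __name__ == "__main__":
    for group, rows in compare(GUARD_OUTPUT, SNOOP_OUTPUT).items():
        print(group, rows)
```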
    Dynamic IPv4 source guard binding by DHCP relay configuration example
    Network requirements
    As shown in Figure 80, the switch connects the host and the DHCP server through interfaces
    VLAN-interface 100 and VLAN-interface 200 respectively. DHCP relay is enabled on the switch. The host (with
    the MAC address 0001-0203-0406) obtains an IP address from the DHCP server through the DHCP relay
    agent.
    Enable the dynamic IPv4 source guard binding function on interface VLAN-interface 100 to filter packets
    based on DHCP relay entries.
    Figure 80 Network diagram for configuring dynamic IPv4 source guard binding through DHCP relay 
     
     
    Configuration procedure 
    1. Configure the dynamic IPv4 source guard binding function 
    # Configure the IP addresses of the interfaces. (details not shown) 
    # Configure the dynamic IPv4 source guard binding function on VLAN-interface 100 to filter packets
    based on both the source IP address and MAC address.
    <Switch> system-view
    [Switch] vlan 100