10-Security

H3C Access Controllers Command References (E5208P03 E5215P01 R5215P01)-6W102
16-IP source guard commands

IP source guard commands

ip verify source

Use ip verify source to enable the IPSG feature for IPv4.

Use undo ip verify source to restore the default.

Syntax

ip verify source

undo ip verify source

Default

The IPSG feature is disabled for IPv4.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

This feature uses WLAN snooping entries to filter IPv4 packets received by an AP. It drops packets that do not match the entries. A WLAN snooping entry is an IP-MAC binding.

In an IPv4 network, IPSG uses only the WLAN snooping entries obtained through DHCP packets.

Examples

# Enable the IPSG feature for IPv4.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ip verify source

ip verify unknown-ip (only for AC)

Use ip verify unknown-ip to configure the processing method for packets from unknown source IPv4 addresses received on APs.

Use undo ip verify unknown-ip to restore the default.

Syntax

ip verify unknown-ip { deauthenticate | drop }

undo ip verify unknown-ip

Default

An AP drops packets from unknown source IPv4 addresses and sends deauthentication frames to the sources.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

deauthenticate: Drops packets from unknown source IPv4 addresses and sends deauthentication frames to the sources.

drop: Drops packets from unknown source IPv4 addresses only.

Usage guidelines

Unknown source IPv4 addresses refer to the following addresses:

· IPv4 addresses learned from ARP packets that pass through APs.

· IPv4 addresses that have not been learned by APs.

This command is configurable only when the WLAN service template is disabled.

This command takes effect only when the IPSG feature is enabled for IPv4.

Examples

# Configure APs to drop packets from unknown source IPv4 addresses.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] ip verify unknown-ip drop

ipv6 verify source

Use ipv6 verify source to enable the IPSG feature for IPv6.

Use undo ipv6 verify source to restore the default.

Syntax

ipv6 verify source

undo ipv6 verify source

Default

The IPSG feature is disabled for IPv6.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

This feature uses WLAN snooping entries to filter IPv6 packets received by an AP. It drops packets that do not match the entries. A WLAN snooping entry is an IP-MAC binding.

Examples

# Enable the IPSG feature for IPv6.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ipv6 verify source
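
An added example, not part of the H3C reference: a Python audit that reads service-template stanzas and reports the IPSG state each one ends up with, using the defaults and the dependency between ip verify unknown-ip and ip verify source described above. The sample configuration is constructed, its stanza layout is an assumption, and parse_templates and audit are hypothetical helper names.

```python
import re

# Constructed sample; the stanza layout (view line, indented commands,
# "#" separators) is an assumption about how the configuration is saved.
SAMPLE_CONFIG = """\
#
wlan service-template security
 ip verify source
 ipv6 verify source
#
wlan service-template service1
 ip verify unknown-ip drop
#
wlan service-template lab
 ip verify source
 ip verify unknown-ip drop
#
"""

def parse_templates(config):
    """Return {template name: [commands]} for each wlan service-template stanza."""
    templates, current = {}, None
    for line in config.splitlines():
        m = re.match(r"wlan service-template (\S+)\s*$", line)
        if m:
            current = templates.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "#" or another top-level line ends the stanza
    return templates

def audit(config):
    """Report per-template IPSG state, applying the defaults stated on this page."""
    report = {}
    for name, cmds in parse_templates(config).items():
        v4, v6 = "ip verify source" in cmds, "ipv6 verify source" in cmds
        explicit = next((c.split()[-1] for c in cmds
                         if c.startswith("ip verify unknown-ip ")), None)
        findings = [f"{fam} IPSG disabled (default)"
                    for fam, on in (("IPv4", v4), ("IPv6", v6)) if not on]
        if explicit and not v4:
            findings.append("ip verify unknown-ip has no effect without ip verify source")
        # With IPv4 IPSG on and no explicit setting, the default applies: drop + deauth.
        action = (explicit or "deauthenticate") if v4 else None
        report[name] = {"ipv4": v4, "ipv6": v6, "unknown_ip": action, "findings": findings}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A template such as service1 in the sample is the case worth catching: the unknown-ip policy is present in the configuration but filters nothing, because IPSG for IPv4 was never enabled on that template.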