Static IPv4 source guard configuration example
Network requirements
As shown in Figure 98, all hosts use static IP addresses.
Configure static IPv4 source guard binding entries on Device A and Device B to meet the following requirements:
Ethernet 1/0/2 of Device A allows only IP packets from Host C to pass.
Ethernet 1/0/1 of Device A allows only IP packets from Host A to pass.
Ethernet 1/0/2 of Device B allows only IP packets from Host A to pass.
Ethernet 1/0/1 of Device B allows only IP packets from 192.168.0.2/24 to pass. Host B can communicate with Host A by using this IP address even if it uses another network adapter.
Figure 98: Network diagram
Configuration procedure
Configure Device A:
# Configure the IPv4 source guard feature on Ethernet 1/0/2 to filter packets based on both the source IP address and MAC address.
<DeviceA> system-view
[DeviceA] interface ethernet 1/0/2
[DeviceA-Ethernet1/0/2] ip verify source ip-address mac-address
# Configure Ethernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
[DeviceA] interface ethernet 1/0/2
[DeviceA-Ethernet1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405
[DeviceA-Ethernet1/0/2] quit
# Configure the IPv4 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[DeviceA] interface ethernet 1/0/1
[DeviceA-Ethernet1/0/1] ip verify source ip-address mac-address
# Configure Ethernet 1/0/1 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[DeviceA-Ethernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceA-Ethernet1/0/1] quit
Configure Device B:
# Configure the IPv4 source guard feature on Ethernet 1/0/2 to filter packets based on both the source IP address and MAC address.
<DeviceB> system-view
[DeviceB] interface ethernet 1/0/2
[DeviceB-Ethernet1/0/2] ip verify source ip-address mac-address
# Configure Ethernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[DeviceB] interface ethernet 1/0/2
[DeviceB-Ethernet1/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceB-Ethernet1/0/2] quit
# Configure the IPv4 source guard feature on Ethernet 1/0/1 to filter packets based on the source IP address.
[DeviceB] interface ethernet 1/0/1
[DeviceB-Ethernet1/0/1] ip verify source ip-address
# Configure Ethernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
[DeviceB-Ethernet1/0/1] ip source binding ip-address 192.168.0.2
[DeviceB-Ethernet1/0/1] quit
Verifying the configuration
# Display information about static IPv4 source guard binding entries on Device A. The output shows that the static IPv4 source guard binding entries are configured successfully.
[DeviceA] display ip source binding static
Total entries found: 2
MAC Address       IP Address       VLAN   Interface   Type
0001-0203-0405    192.168.0.3      N/A    Eth1/0/2    Static
0001-0203-0406    192.168.0.1      N/A    Eth1/0/1    Static
# Display information about static IPv4 source guard binding entries on Device B. The output shows that the static IPv4 source guard binding entries are configured successfully.
[DeviceB] display ip source binding static
Total entries found: 2
MAC Address       IP Address       VLAN   Interface   Type
0001-0203-0406    192.168.0.1      N/A    Eth1/0/2    Static
N/A               192.168.0.2      N/A    Eth1/0/1    Static
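The following is an added example, not part of the vendor documentation: it parses the Device B verification output shown above and applies a simplified model of the binding match, showing why the IP-only entry on Ethernet 1/0/1 still admits Host B after a network adapter change while the IP-and-MAC entry on Ethernet 1/0/2 does not. The function names, the matching model, and any MAC address other than those on this page are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

class Binding(NamedTuple):
    mac: Optional[str]   # None when the entry is IP-only (displayed as N/A)
    ip: str
    interface: str

# Output taken from the Device B verification step on this page.
DEVICE_B_OUTPUT = """\
Total entries found: 2
MAC Address       IP Address       VLAN   Interface   Type
0001-0203-0406    192.168.0.1      N/A    Eth1/0/2    Static
N/A               192.168.0.2      N/A    Eth1/0/1    Static
"""

def parse_bindings(text):
    """Parse 'display ip source binding static' rows into Binding tuples."""
    bindings = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly five columns and end with the entry type;
        # the summary line and the column header do not.
        if len(fields) == 5 and fields[4] == "Static":
            mac, ip, _vlan, interface, _type = fields
            bindings.append(
                Binding(None if mac == "N/A" else mac.lower(), ip, interface))
    return bindings

def permits(bindings, interface, src_ip, src_mac):
    """Simplified model (assumption): a packet passes if its source matches
    every field that some binding entry on the ingress interface specifies."""
    for b in bindings:
        if b.interface != interface or b.ip != src_ip:
            continue
        if b.mac is None or b.mac == src_mac.lower():
            return True
    return False

if __name__ == "__main__":
    table = parse_bindings(DEVICE_B_OUTPUT)
    # 0001-0203-0407 is a constructed MAC standing in for Host B's new adapter.
    print(permits(table, "Eth1/0/1", "192.168.0.2", "0001-0203-0407"))
    # Same IP as Host A but a constructed, unbound MAC on the IP+MAC port.
    print(permits(table, "Eth1/0/2", "192.168.0.1", "0001-0203-0499"))
```

The same parser can be run over saved output from each device and compared with the intended bindings to catch a missing or mistyped entry.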