Dynamic IPv4 source guard using DHCP snooping configuration example

Network requirements

As shown in Figure 99, the host obtains an IP address from the DHCP server.

Enable DHCP snooping on the device to record the DHCP snooping entry of the host. Enable the IPv4 source guard feature on the device's port Ethernet 1/0/1 to filter packets based on the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.

For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.

Figure 99: Network diagram

Configuration procedure

  • Configure DHCP snooping.

    # Enable DHCP snooping.

    <Device> system-view
    [Device] dhcp-snooping

    # Configure Ethernet 1/0/2 as a trusted port.

    [Device] interface ethernet1/0/2
    [Device-Ethernet1/0/2] dhcp-snooping trust
    [Device-Ethernet1/0/2] quit

  • Configure the IPv4 source guard feature.

    # Configure the IPv4 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.

    [Device] interface ethernet1/0/1
    [Device-Ethernet1/0/1] ip verify source ip-address mac-address
    [Device-Ethernet1/0/1] quit

Verifying the configuration

# Display the IPv4 source guard binding entries generated on Ethernet 1/0/1.

    [Device] display ip source binding
    Total entries found: 1
     MAC Address       IP Address       VLAN   Interface            Type
     0001-0203-0406    192.168.0.1      1      Eth1/0/1             DHCP-SNP

# Display DHCP snooping entries.

    [Device] display dhcp-snooping
     DHCP snooping is enabled.
     The client binding table for all untrusted ports.
     Type : D--Dynamic , S--Static , R--Recovering
     Type IP Address      MAC Address    Lease        VLAN SVLAN Interface
     ==== =============== ============== ============ ==== ===== =================
     D    192.168.0.1     0001-0203-0406 86335        1    N/A   Ethernet1/0/1
    ---   1 dhcp-snooping item(s) found   ---

The output shows that a dynamic IPv4 source guard binding entry has been generated based on the DHCP snooping entry.
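The verification step above compares two tables by eye. The following Python script is an added example, not part of the configuration guide or the vendor's tooling: it parses the `display ip source binding` and `display dhcp-snooping` outputs in the layout shown on this page, normalises the two interface spellings the device uses (`Eth1/0/1` versus `Ethernet1/0/1`, an assumption taken from the two outputs above), and reports any dynamic DHCP snooping entry on a guarded port that has no matching source guard binding (that client's traffic is being dropped) or any source guard binding with no backing snooping entry (a stale binding). The sample outputs embedded in the script are copied from the example above; the helper names are the script's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two 'display' outputs from the example above.
IP_SOURCE_BINDING_OUTPUT = """\
Total entries found: 1
 MAC Address       IP Address       VLAN   Interface            Type
 0001-0203-0406    192.168.0.1      1      Eth1/0/1             DHCP-SNP
"""

DHCP_SNOOPING_OUTPUT = """\
 DHCP snooping is enabled.
 The client binding table for all untrusted ports.
 Type : D--Dynamic , S--Static , R--Recovering
 Type IP Address      MAC Address    Lease        VLAN SVLAN Interface
 ==== =============== ============== ============ ==== ===== =================
 D    192.168.0.1     0001-0203-0406 86335        1    N/A   Ethernet1/0/1
---   1 dhcp-snooping item(s) found   ---
"""

MAC_RE = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
IPV4_RE = r"\d{1,3}(?:\.\d{1,3}){3}"


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str  # long form, e.g. "Ethernet1/0/1"


def normalise_interface(name: str) -> str:
    """Map the abbreviated name printed by 'display ip source binding' (Eth1/0/1)
    to the long name printed by 'display dhcp-snooping' (Ethernet1/0/1).
    Assumption: the abbreviation is only ever 'Eth' for Ethernet ports."""
    return re.sub(r"^Eth(?!ernet)", "Ethernet", name)


def parse_ip_source_binding(text: str) -> set[Binding]:
    """Return the IPv4 source guard bindings of type DHCP-SNP (learned from snooping)."""
    row = re.compile(rf"^\s*({MAC_RE})\s+({IPV4_RE})\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
    found = set()
    for line in text.splitlines():
        m = row.match(line)
        if m and m.group(5) == "DHCP-SNP":
            found.add(Binding(m.group(1), m.group(2), int(m.group(3)),
                              normalise_interface(m.group(4))))
    return found


def parse_dhcp_snooping(text: str) -> tuple[bool, set[Binding]]:
    """Return (snooping_enabled, dynamic client bindings). Columns per the page:
    Type, IP, MAC, Lease, VLAN, SVLAN, Interface."""
    enabled = "DHCP snooping is enabled." in text
    row = re.compile(rf"^\s*([DSR])\s+({IPV4_RE})\s+({MAC_RE})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
    found = set()
    for line in text.splitlines():
        m = row.match(line)
        if m and m.group(1) == "D":  # only dynamic entries back DHCP-SNP bindings
            found.add(Binding(m.group(3), m.group(2), int(m.group(5)),
                              normalise_interface(m.group(7))))
    return enabled, found


def cross_check(ipsg_text: str, snooping_text: str, guarded_interfaces) -> list[str]:
    """Compare both tables for each interface that has 'ip verify source' applied
    and return a list of discrepancies (empty list means the two tables agree)."""
    problems = []
    enabled, snoop = parse_dhcp_snooping(snooping_text)
    if not enabled:
        problems.append("DHCP snooping is not enabled; no dynamic bindings can be learned")
    ipsg = parse_ip_source_binding(ipsg_text)
    for name in guarded_interfaces:
        ifname = normalise_interface(name)
        snoop_on_if = {b for b in snoop if b.interface == ifname}
        ipsg_on_if = {b for b in ipsg if b.interface == ifname}
        for b in snoop_on_if - ipsg_on_if:
            problems.append(f"{ifname}: snooping entry {b.ip}/{b.mac} has no source guard "
                            "binding; this client's packets are being dropped")
        for b in ipsg_on_if - snoop_on_if:
            problems.append(f"{ifname}: source guard binding {b.ip}/{b.mac} has no matching "
                            "snooping entry (stale binding)")
    return problems


if __name__ == "__main__":
    issues = cross_check(IP_SOURCE_BINDING_OUTPUT, DHCP_SNOOPING_OUTPUT, ["Eth1/0/1"])
    print("OK: tables agree" if not issues else "\n".join(issues))
```

In practice the two strings would be captured from the device over SSH and passed to `cross_check` with the list of ports on which `ip verify source` is configured; a non-empty result is the signal to look at lease expiry, snooping state, or a port that was left untrusted by mistake.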