Dynamic IPv4 source guard using DHCP snooping configuration example
Network requirements
As shown in Figure 99, the host obtains an IP address from the DHCP server.
Enable DHCP snooping on the device to record the DHCP snooping entry of the host. Enable the IPv4 source guard feature on the device's port Ethernet 1/0/1 to filter packets based on the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Figure 99: Network diagram
Configuration procedure
Configure DHCP snooping.
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure Ethernet 1/0/2 as a trusted port.
[Device] interface ethernet1/0/2
[Device-Ethernet1/0/2] dhcp-snooping trust
[Device-Ethernet1/0/2] quit
Configure the IPv4 source guard feature.
# Configure the IPv4 source guard feature on Ethernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface ethernet1/0/1
[Device-Ethernet1/0/1] ip verify source ip-address mac-address
[Device-Ethernet1/0/1] quit
Verifying the configuration
# Display the IPv4 source guard binding entries generated on Ethernet 1/0/1.
[Device] display ip source binding
Total entries found: 1
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0406  192.168.0.1     1     Eth1/0/1   DHCP-SNP
# Display DHCP snooping entries.
[Device] display dhcp-snooping
 DHCP snooping is enabled.
 The client binding table for all untrusted ports.
 Type : D--Dynamic , S--Static , R--Recovering
Type IP Address      MAC Address    Lease        VLAN SVLAN Interface
==== =============== ============== ============ ==== ===== =================
D    192.168.0.1     0001-0203-0406 86335        1    N/A   Ethernet1/0/1
--- 1 dhcp-snooping item(s) found ---
The output shows that a dynamic IPv4 source guard binding entry has been generated based on the DHCP snooping entry.
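The following Python script is an added illustration, not part of the configuration guide or the device software: it parses a constructed copy of the display ip source binding output above and models the filtering decision that ip verify source ip-address mac-address makes on Ethernet 1/0/1, so an operator can check which sample packets the binding entry would let through. Interface and field names follow the output shown; the packet tuples are constructed for the example.

```python
# Added example (not from the guide): parse the binding table shown in the
# verification step and apply the source IP + MAC check to sample packets.
from dataclasses import dataclass

# Constructed copy of the "display ip source binding" output for Eth1/0/1.
DISPLAY_OUTPUT = """\
Total entries found: 1
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0406  192.168.0.1     1     Eth1/0/1   DHCP-SNP
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    entry_type: str  # e.g. DHCP-SNP for entries learned from DHCP snooping


def parse_bindings(text):
    """Turn the binding table into Binding records, skipping banner and header."""
    bindings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "MAC":
            continue  # "Total entries found", column header, or blank line
        mac, ip, vlan, iface, etype = fields
        bindings.append(Binding(mac.lower(), ip, int(vlan), iface, etype))
    return bindings


def verify_source(bindings, interface, src_ip, src_mac, check_mac=True):
    """Return True if a packet arriving on `interface` would be forwarded.

    check_mac=True models 'ip verify source ip-address mac-address': both the
    source IP and the source MAC must match one binding on that interface.
    check_mac=False models the IP-only variant of the command.
    """
    for b in bindings:
        if b.interface != interface:
            continue
        if b.ip == src_ip and (not check_mac or b.mac == src_mac.lower()):
            return True
    return False  # no matching binding: packet dropped on the untrusted port
```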