Dynamic IPv4 source guard using DHCP relay configuration example
Network requirements
As shown in Figure 100, DHCP relay is enabled on the switch. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP server through the DHCP relay agent.
Enable the IPv4 source guard feature on the switch's VLAN-interface 100 to filter packets based on the DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to pass.
Figure 100: Network diagram
Configuration procedure
Configure the IPv4 source guard feature:
# Configure the IP addresses of the interfaces. (Details not shown.)
# Configure the IPv4 source guard feature on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.
<Switch> system-view
[Switch] vlan 100
[Switch-Vlan100] quit
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip verify source ip-address mac-address
[Switch-Vlan-interface100] quit
Configure the DHCP relay agent:
# Enable the DHCP service.
[Switch] dhcp enable
# Configure the IP address of the DHCP server.
[Switch] dhcp relay server-group 1 ip 10.1.1.1
# Configure VLAN-interface 100 to operate in DHCP relay mode.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] dhcp select relay
# Correlate VLAN-interface 100 with DHCP server group 1.
[Switch-Vlan-interface100] dhcp relay server-select 1
[Switch-Vlan-interface100] quit
Verifying the configuration
# Display the generated IPv4 source guard binding entries.
[Switch] display ip source binding
Total entries found: 1
 MAC Address       IP Address       VLAN   Interface     Type
 0001-0203-0406    192.168.0.1      100    Vlan100       DHCP-RLY
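The following Python sketch is an added example, not part of the original configuration guide or the vendor's tooling. It parses the display ip source binding output from the verification step and models the ip-address mac-address check, so you can confirm which source IP/MAC pairs the binding table would let through. The column layout of SAMPLE_OUTPUT, the function names, and the simplified match on IP, MAC and VLAN are assumptions made for illustration.

```python
import re

# Constructed sample: the "display ip source binding" output from the verification step.
SAMPLE_OUTPUT = """\
Total entries found: 1
 MAC Address       IP Address       VLAN   Interface     Type
 0001-0203-0406    192.168.0.1      100    Vlan100       DHCP-RLY
"""

# One binding row: MAC in xxxx-xxxx-xxxx form, IPv4 address, VLAN, interface, entry type.
ROW = re.compile(
    r"^\s*(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vlan>\d+)\s+"
    r"(?P<intf>\S+)\s+(?P<type>\S+)\s*$"
)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(output):
    """Return binding rows as dicts; raise if the row count disagrees with the header."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["mac"] = normalize_mac(d["mac"])
            d["vlan"] = int(d["vlan"])
            rows.append(d)
    total = re.search(r"Total entries found:\s*(\d+)", output)
    if total and int(total.group(1)) != len(rows):
        raise ValueError("parsed row count does not match 'Total entries found'")
    return rows

def permitted(bindings, src_ip, src_mac, vlan):
    """Simplified model of the filter: IP and MAC must both match one entry."""
    mac = normalize_mac(src_mac)
    return any(b["ip"] == src_ip and b["mac"] == mac and b["vlan"] == vlan
               for b in bindings)

if __name__ == "__main__":
    table = parse_bindings(SAMPLE_OUTPUT)
    print(permitted(table, "192.168.0.1", "00:01:02:03:04:06", 100))  # leased host
    print(permitted(table, "192.168.0.1", "00:01:02:03:04:99", 100))  # wrong MAC
    print(permitted(table, "192.168.0.7", "00:01:02:03:04:06", 100))  # unleased IP
```
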