Static IPv4 source guard entry configuration
Network requirements
As shown in Figure 109, Host A and Host B are connected to ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/1 of Device B, respectively. Host C is connected to port GigabitEthernet 1/0/2 of Device A, and Device B is connected to port GigabitEthernet 1/0/1 of Device A. All hosts use static IP addresses.
Configure static IPv4 source guard entries on Device A and Device B to meet the following requirements:
On port GigabitEthernet 1/0/2 of Device A, only IP packets from Host C can pass.
On port GigabitEthernet 1/0/1 of Device A, only IP packets from Host A can pass.
On port GigabitEthernet 1/0/2 of Device B, only IP packets from Host A can pass.
On port GigabitEthernet 1/0/1 of Device B, only IP packets sourced from 192.168.0.2/24 can pass. Host B can communicate with Host A by using this IP address even if it uses another network adapter.
Figure 109: Network diagram
Configuration procedure
Configure Device A:
# Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip verify source ip-address mac-address
# Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405
[DeviceA-GigabitEthernet1/0/2] quit
# Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Configure GigabitEthernet 1/0/1 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[DeviceA-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceA-GigabitEthernet1/0/1] quit
Configure Device B:
# Enable the IPv4 source guard function on GigabitEthernet 1/0/2.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
# Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceB-GigabitEthernet1/0/2] quit
# Enable the IPv4 source guard function on GigabitEthernet 1/0/1.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip verify source ip-address
# Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
[DeviceB-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.2
[DeviceB-GigabitEthernet1/0/1] quit
Verifying the configuration
# On Device A, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.
[DeviceA] display ip source binding static
Total entries found: 2
 MAC Address       IP Address       VLAN   Interface    Type
 0001-0203-0405    192.168.0.3      N/A    GE1/0/2      Static
 0001-0203-0406    192.168.0.1      N/A    GE1/0/1      Static
# On Device B, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.
[DeviceB] display ip source binding static
Total entries found: 2
 MAC Address       IP Address       VLAN   Interface    Type
 0001-0203-0406    192.168.0.1      N/A    GE1/0/2      Static
 N/A               192.168.0.2      N/A    GE1/0/1      Static
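The following Python script is an added example, not part of the original guide or the vendor's tooling. It parses captured "display ip source binding static" output, compares it with the intended bindings, and shows why the IP-only entry on GE1/0/1 of Device B accepts any source MAC address. The sample text is constructed from the Device B entries above with one entry per line, and the function names and the permits() matching model are assumptions made for illustration.

```python
import re

# Constructed sample: the Device B entries from this page, one entry per line.
SAMPLE_DEVICE_B = """\
Total entries found: 2
 MAC Address       IP Address       VLAN   Interface    Type
 0001-0203-0406    192.168.0.1      N/A    GE1/0/2      Static
 N/A               192.168.0.2      N/A    GE1/0/1      Static
"""

# One table row: MAC (or N/A), IPv4 address, VLAN, interface, entry type.
ROW = re.compile(
    r"^\s*(?P<mac>N/A|[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vlan>\S+)\s+"
    r"(?P<iface>\S+)\s+(?P<type>\S+)\s*$"
)

def parse_bindings(text):
    """Return binding dicts; raise if the row count disagrees with the header."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            e = m.groupdict()
            e["mac"] = None if e["mac"] == "N/A" else e["mac"].lower()
            entries.append(e)
    total = re.search(r"Total entries found:\s*(\d+)", text)
    if total and int(total.group(1)) != len(entries):
        raise ValueError("parsed %d rows, header reports %s"
                         % (len(entries), total.group(1)))
    return entries

def permits(entries, iface, src_ip, src_mac):
    """Simplified model (assumption): a packet passes when an entry on the
    ingress port matches its source IP and, if the entry has a MAC, that too."""
    for e in entries:
        if e["iface"] == iface and e["ip"] == src_ip:
            if e["mac"] is None or e["mac"] == src_mac.lower():
                return True
    return False

def audit(entries, expected):
    """expected: set of (iface, ip, mac-or-None). Return (missing, unexpected)."""
    have = {(e["iface"], e["ip"], e["mac"]) for e in entries}
    return expected - have, have - expected
```

Feed audit() the bindings you intended to configure; a non-empty "unexpected" set means the device holds a static entry that is not in your plan.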