Static IPv4 source guard entry configuration

Network requirements

As shown in Figure 109, Host A and Host B are connected to ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/1 of Device B, respectively. Host C is connected to port GigabitEthernet 1/0/2 of Device A, and Device B is connected to port GigabitEthernet 1/0/1 of Device A. All hosts use static IP addresses.

Configure static IPv4 source guard entries on Device A and Device B to meet the following requirements:

Figure 109: Network diagram

Configuration procedure

  • Configure Device A:

    # Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address.

    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] ip verify source ip-address mac-address
    

    # Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.

    [DeviceA-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405
    [DeviceA-GigabitEthernet1/0/2] quit
    

    # Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.

    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] ip verify source ip-address mac-address
    

    # Configure GigabitEthernet 1/0/1 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.

    [DeviceA-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
    [DeviceA-GigabitEthernet1/0/1] quit
    
  • Configure Device B:

    # Enable the IPv4 source guard function on GigabitEthernet 1/0/2.

    <DeviceB> system-view
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
    

    # Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.

    [DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
    [DeviceB-GigabitEthernet1/0/2] quit
    

    # Enable the IPv4 source guard function on GigabitEthernet 1/0/1.

    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] ip verify source ip-address
    

    # Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.

    [DeviceB-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.2
    [DeviceB-GigabitEthernet1/0/1] quit
    

Verifying the configuration

    # On Device A, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.

    [DeviceA] display ip source binding static
    Total entries found: 2
     MAC Address       IP Address       VLAN   Interface               Type
     0001-0203-0405    192.168.0.3      N/A    GE1/0/2                 Static
     0001-0203-0406    192.168.0.1      N/A    GE1/0/1                 Static
    

    # On Device B, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.

    [DeviceB] display ip source binding static
    Total entries found: 2
     MAC Address       IP Address       VLAN   Interface               Type
     0001-0203-0406    192.168.0.1      N/A    GE1/0/2                 Static
     N/A               192.168.0.2      N/A    GE1/0/1                 Static
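
The verification step above can be automated. The following Python script is an added example, not part of the original guide: it parses the "display ip source binding static" output shown for Device B, compares it with the bindings configured in the procedure, and reports missing, unexpected, and IP-only entries. The names DEVICE_B_INTENDED, parse_bindings, and audit are illustrative, and the abbreviated interface names (GE1/0/2) are assumed to appear exactly as in the output above.

```python
import re

# Output of "display ip source binding static" on Device B, as shown on this page.
DEVICE_B_OUTPUT = """\
Total entries found: 2
 MAC Address       IP Address       VLAN   Interface               Type
 0001-0203-0406    192.168.0.1      N/A    GE1/0/2                 Static
 N/A               192.168.0.2      N/A    GE1/0/1                 Static
"""

# Intended bindings from the Device B steps: (interface, ip, mac); None = IP-only.
DEVICE_B_INTENDED = {
    ("GE1/0/2", "192.168.0.1", "0001-0203-0406"),
    ("GE1/0/1", "192.168.0.2", None),
}

ROW = re.compile(
    r"^\s*(?P<mac>N/A|[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vlan>\S+)\s+"
    r"(?P<ifname>\S+)\s+(?P<type>\S+)\s*$"
)

def parse_bindings(text):
    """Return (total from the header line, set of (interface, ip, mac) rows)."""
    total, entries = None, set()
    for line in text.splitlines():
        head = re.match(r"\s*Total entries found:\s*(\d+)", line)
        if head:
            total = int(head.group(1))
            continue
        row = ROW.match(line)
        if row and row["type"].lower() == "static":
            mac = None if row["mac"] == "N/A" else row["mac"].lower()
            entries.add((row["ifname"], row["ip"], mac))
    return total, entries

def audit(text, intended):
    """Compare parsed entries with the intended set and list every difference."""
    total, actual = parse_bindings(text)
    findings = []
    if total != len(actual):  # truncated paste or a row the regex did not match
        findings.append(f"header reports {total} entries, parsed {len(actual)}")
    findings += [f"missing: {e}" for e in sorted(intended - actual, key=str)]
    findings += [f"unexpected: {e}" for e in sorted(actual - intended, key=str)]
    findings += [f"ip-only: {port} binds {ip} without a source MAC check"
                 for port, ip, mac in sorted(actual, key=str) if mac is None]
    return findings

if __name__ == "__main__":
    for finding in audit(DEVICE_B_OUTPUT, DEVICE_B_INTENDED):
        print(finding)
```

For the output on this page the only finding is the IP-only entry on GE1/0/1, which matches the configuration of that port with "ip verify source ip-address" and a binding that carries no MAC address.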