Dynamic IPv4 source guard using DHCP snooping

Network requirements

As shown in Figure 110, the device connects to the host (client) and the DHCP server through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, respectively. The host obtains an IP address from the DHCP server.

Enable DHCP snooping on the device to record the DHCP snooping entry of the host. Enable the IPv4 source guard function on the device's port GigabitEthernet 1/0/1 to filter packets based on the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.

For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.

Figure 110: Network diagram

Configuration procedure

  • Configure DHCP snooping:

    # Enable DHCP snooping.

    <Device> system-view
    [Device] dhcp-snooping
    

    # Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.

    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] dhcp-snooping trust
    [Device-GigabitEthernet1/0/2] quit
    
  • Configure the IPv4 source guard function:

    # Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] ip verify source ip-address mac-address
    [Device-GigabitEthernet1/0/1] quit

Verifying the configuration

    # Display the IPv4 source guard entries generated on port GigabitEthernet 1/0/1.

    [Device] display ip source binding
    Total entries found: 1
     MAC Address       IP Address       VLAN   Interface            Type
     0001-0203-0406    192.168.0.1      1      GE1/0/1              DHCP-SNP
    

    # Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated on GigabitEthernet 1/0/1.

    [Device] display dhcp-snooping
    DHCP Snooping is enabled.
    The client binding table for all untrusted ports.
    Type : D--Dynamic , S--Static
    Type IP Address      MAC Address    Lease        VLAN Interface
    ==== =============== ============== ============ ==== =================
    D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet1/0/1
    

    The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP snooping entry.
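The consistency check described above can be automated by parsing the two `display` outputs. The following is an added example, not part of the configuration guide; it assumes the column layout shown on this page and embeds constructed copies of that output as sample input.

```python
# Added example (not from the guide): cross-check IPv4 source guard entries
# against DHCP snooping bindings by parsing the two `display` outputs above.
import re

# Constructed sample of `display ip source binding`, using the page's values.
SOURCE_BINDING_OUTPUT = """\
Total entries found: 1
 MAC Address       IP Address       VLAN   Interface            Type
 0001-0203-0406    192.168.0.1      1      GE1/0/1              DHCP-SNP
"""

# Constructed sample of `display dhcp-snooping`, using the page's values.
DHCP_SNOOPING_OUTPUT = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet1/0/1
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def normalize_interface(name):
    """Map both spellings (GE1/0/1, GigabitEthernet1/0/1) to one key."""
    return re.sub(r"^GigabitEthernet", "GE", name)

def parse_source_binding(text):
    """Set of (mac, ip, vlan, iface) for DHCP-SNP entries of `display ip source binding`."""
    entries = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and MAC_RE.match(f[0]) and IP_RE.match(f[1]) and f[4] == "DHCP-SNP":
            entries.add((f[0], f[1], f[2], normalize_interface(f[3])))
    return entries

def parse_dhcp_snooping(text):
    """Set of (mac, ip, vlan, iface) for dynamic (D) bindings of `display dhcp-snooping`."""
    entries = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0] == "D" and IP_RE.match(f[1]) and MAC_RE.match(f[2]):
            entries.add((f[2], f[1], f[4], normalize_interface(f[5])))
    return entries

def unmatched_source_guard_entries(binding_text, snooping_text):
    """Source guard entries with no backing DHCP snooping binding; empty means consistent."""
    return parse_source_binding(binding_text) - parse_dhcp_snooping(snooping_text)
```

Feed it the live output of both commands; a non-empty result identifies a source guard entry that no current DHCP snooping binding justifies.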