Dynamic IPv4 source guard using DHCP snooping
Network requirements
As shown in Figure 110, the device connects to the host (client) and the DHCP server through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, respectively. The host obtains an IP address from the DHCP server.
Enable DHCP snooping on the device so that it records a DHCP snooping entry (IP address, MAC address, VLAN, and port) for the host. Enable the IPv4 source guard function on the device's port GigabitEthernet 1/0/1 to filter inbound packets against that entry, so that only packets whose source IP address and source MAC address match a client that obtained its address through the DHCP server are forwarded; packets from hosts using statically configured or spoofed addresses on that port are dropped.
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Figure 110: Network diagram
Configuration procedure
Configure DHCP snooping:
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dhcp-snooping trust
[Device-GigabitEthernet1/0/2] quit
Configure the IPv4 source guard function:
# Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display the IPv4 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ip source binding
Total entries found: 1
MAC Address     IP Address      VLAN Interface    Type
0001-0203-0406  192.168.0.1     1    GE1/0/1      DHCP-SNP
# Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated on GigabitEthernet 1/0/1.
[Device] display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet1/0/1
The output shows that a dynamic IPv4 source guard entry has been generated from the DHCP snooping entry: the MAC address, IP address, VLAN, and port of the two entries are identical. Because the entry is dynamic, it exists only as long as the DHCP snooping binding does; a host on GigabitEthernet 1/0/1 that does not hold a lease recorded in the binding table has no matching entry and its traffic is dropped.
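The consistency check described above can be automated. The following script is an added example and is not part of the configuration guide or of the device software: it parses the two display outputs shown on this page (embedded below as constructed sample text copied from them), reports any IPv4 source guard entry that has no identical DHCP snooping binding, and models the per-port filtering decision so that the difference between filtering on the IP address alone and on the IP/MAC pair is visible. The shortening of GigabitEthernet to GE between the two outputs, the VLAN being part of the match, and the three filter modes (named after the keywords of the ip verify source command) are the author's assumptions for the model, not a description of the switch's internal implementation.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two display outputs shown in this example.
SOURCE_BINDING_OUTPUT = """\
Total entries found: 1
MAC Address     IP Address      VLAN Interface    Type
0001-0203-0406  192.168.0.1     1    GE1/0/1      DHCP-SNP
"""

DHCP_SNOOPING_OUTPUT = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet1/0/1
"""

MAC = r"([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})"
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# One entry line of "display ip source binding": MAC, IP, VLAN, interface, type.
SG_LINE = re.compile(rf"^{MAC}\s+{IPV4}\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
# One entry line of "display dhcp-snooping": type, IP, MAC, lease, VLAN, interface.
SNOOP_LINE = re.compile(rf"^([DS])\s+{IPV4}\s+{MAC}\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class Binding:
    mac: str        # lower-case xxxx-xxxx-xxxx form
    ip: str
    vlan: int
    interface: str  # normalized short form, e.g. GE1/0/1


def normalize_interface(name: str) -> str:
    # Assumption: the two commands print the same port in long and short form.
    return name.replace("GigabitEthernet", "GE")


def parse_source_bindings(text: str) -> List[Binding]:
    entries = []
    for line in text.splitlines():
        m = SG_LINE.match(line.strip())
        if m:
            mac, ip, vlan, intf, _entry_type = m.groups()
            entries.append(Binding(mac.lower(), ip, int(vlan), normalize_interface(intf)))
    return entries


def parse_dhcp_snooping(text: str) -> List[Binding]:
    entries = []
    for line in text.splitlines():
        m = SNOOP_LINE.match(line.strip())
        if m:
            _entry_type, ip, mac, _lease, vlan, intf = m.groups()
            entries.append(Binding(mac.lower(), ip, int(vlan), normalize_interface(intf)))
    return entries


def unmatched_entries(source_guard: List[Binding], snooping: List[Binding]) -> List[Binding]:
    """Source guard entries with no identical DHCP snooping binding; empty means consistent."""
    known = set(snooping)
    return [b for b in source_guard if b not in known]


def permitted(bindings: List[Binding], interface: str, vlan: int, src_ip: str,
              src_mac: str, mode: str = "ip-address mac-address") -> bool:
    """Model of the per-port check. mode mirrors the ip verify source keywords (assumption)."""
    for b in bindings:
        if b.interface != normalize_interface(interface) or b.vlan != vlan:
            continue  # bindings are per port and VLAN; other ports never match
        ip_ok = b.ip == src_ip
        mac_ok = b.mac == src_mac.lower()
        if mode == "ip-address" and ip_ok:
            return True
        if mode == "mac-address" and mac_ok:
            return True
        if mode == "ip-address mac-address" and ip_ok and mac_ok:
            return True
    return False


if __name__ == "__main__":
    sg = parse_source_bindings(SOURCE_BINDING_OUTPUT)
    snoop = parse_dhcp_snooping(DHCP_SNOOPING_OUTPUT)
    print("unmatched source guard entries:", unmatched_entries(sg, snoop))
    port = "GigabitEthernet1/0/1"
    print("legit host        :", permitted(sg, port, 1, "192.168.0.1", "0001-0203-0406"))
    print("spoofed IP        :", permitted(sg, port, 1, "192.168.0.9", "0001-0203-0406"))
    print("spoofed MAC, ip-only mode :", permitted(sg, port, 1, "192.168.0.1", "aaaa-bbbb-cccc", "ip-address"))
    print("spoofed MAC, ip+mac mode  :", permitted(sg, port, 1, "192.168.0.1", "aaaa-bbbb-cccc"))
```

The last two lines of the demonstration are the reason this example configures ip-address mac-address rather than ip-address alone: with IP-only filtering, a second station behind the same port (for instance through an unmanaged switch) can reuse the legitimate host's IP address from its own MAC address and pass the check; binding both the IP address and the MAC address closes that gap.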