Dynamic IPv4 source guard using DHCP relay
Network requirements
As shown in Figure 111, the host and the DHCP server are connected to the switch through interfaces VLAN-interface 100 and VLAN-interface 200, respectively. DHCP relay is enabled on the switch. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP server through DHCP relay.
Enable the IPv4 source guard function on the switch's VLAN-interface 100 to filter packets based on the DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to pass.
Figure 111: Network diagram
Configuration procedure
Configure the IPv4 source guard function:
# Configure IP addresses for the interfaces. (Details not shown.)
# Configure the IPv4 source guard function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.
<Switch> system-view
[Switch] vlan 100
[Switch-Vlan100] quit
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip verify source ip-address mac-address
[Switch-Vlan-interface100] quit
Configure the DHCP relay agent:
# Enable DHCP relay.
[Switch] dhcp enable
# Configure the IP address of the DHCP server.
[Switch] dhcp relay server-group 1 ip 10.1.1.1
# Configure VLAN-interface 100 to operate in DHCP relay mode.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] dhcp select relay
# Correlate VLAN-interface 100 with DHCP server group 1.
[Switch-Vlan-interface100] dhcp relay server-select 1
[Switch-Vlan-interface100] quit
Verifying the configuration
# Display the generated IPv4 source guard entries.
[Switch] display ip source binding
Total entries found: 1
 MAC Address      IP Address     VLAN   Interface   Type
 0001-0203-0406   192.168.0.1    100    Vlan100     DHCP-RLY
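The following Python code is an added example, not part of the original configuration guide or the switch software. It parses the binding output shown above and applies a simplified model of the "ip verify source ip-address mac-address" check to three constructed frames, so you can see which sources the DHCP-RLY entry admits on VLAN-interface 100. The frame list and all function names are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Output of "display ip source binding", copied from this page.
BINDING_OUTPUT = """\
Total entries found: 1
 MAC Address      IP Address    VLAN  Interface  Type
 0001-0203-0406   192.168.0.1   100   Vlan100    DHCP-RLY
"""

Binding = namedtuple("Binding", "mac ip vlan interface type")
ROW = re.compile(r"^\s*((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(\d+(?:\.\d+){3})"
                 r"\s+(\d+)\s+(\S+)\s+(\S+)\s*$", re.I)

def norm_mac(mac):
    # Reduce any common MAC notation to 12 lowercase hex digits.
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, ip, vlan, intf, kind = m.groups()
            rows.append(Binding(norm_mac(mac), ip, int(vlan), intf, kind))
    total = re.search(r"Total entries found:\s*(\d+)", text)
    if total and int(total.group(1)) != len(rows):
        raise ValueError("parsed rows differ from the reported total")
    return rows

def permitted(bindings, interface, src_ip, src_mac):
    # Simplified model of "ip verify source ip-address mac-address":
    # source IP and source MAC must both match one entry on the interface.
    mac = norm_mac(src_mac)
    return any(b.interface == interface and b.ip == src_ip and b.mac == mac
               for b in bindings)

# Constructed frames arriving on Vlan100 (not captured traffic).
SAMPLE_FRAMES = [
    ("192.168.0.1", "00:01:02:03:04:06"),   # the DHCP client itself
    ("192.168.0.1", "00:01:02:03:04:99"),   # bound IP, different MAC
    ("192.168.0.50", "00:01:02:03:04:06"),  # bound MAC, self-assigned IP
]

def evaluate(frames=SAMPLE_FRAMES, interface="Vlan100"):
    table = parse_bindings(BINDING_OUTPUT)
    return [permitted(table, interface, ip, mac) for ip, mac in frames]
```

Calling evaluate() returns one verdict per sample frame. Only the first frame, from the client that leased its address through the relay, is forwarded.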