Example: Configuring DHCP snooping-based dynamic IPv4SG
Network configuration
As shown in Figure 152, the host (the DHCP client) obtains an IP address from the DHCP server. Perform the following tasks:
Enable DHCP snooping on the device to make sure the DHCP client obtains an IP address from the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable recording of client information in DHCP snooping entries.
Enable dynamic IPv4SG on HundredGigE 1/0/1 to filter incoming packets by using the IPv4SG bindings generated based on DHCP snooping entries. Only packets from the DHCP client are allowed to pass.
Figure 152: Network diagram
Procedure
Configure the DHCP server.
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Configure the device:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp snooping enable
# Configure HundredGigE 1/0/2 as a trusted interface.
[Device] interface hundredgige 1/0/2
[Device-HundredGigE1/0/2] dhcp snooping trust
[Device-HundredGigE1/0/2] quit
# Enable IPv4SG on HundredGigE 1/0/1 and verify the source IP address and MAC address for dynamic IPSG.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] ip verify source ip-address mac-address
# Enable recording of client information in DHCP snooping entries on HundredGigE 1/0/1.
[Device-HundredGigE1/0/1] dhcp snooping binding record
[Device-HundredGigE1/0/1] quit
Verifying the configuration
# Display dynamic IPSGv4 bindings generated based on DHCP snooping entries.
[Device] display ip source binding dhcp-snooping
Total entries found: 1
IP Address      MAC Address    Interface                VLAN Type
192.168.0.1     0001-0203-0406 HGE1/0/1                 1    DHCP snooping
HundredGigE 1/0/1 will filter packets based on the IPSGv4 binding.
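The following Python sketch is an added example, not part of the vendor documentation. It parses the display output shown above and applies a simplified model of the "ip verify source ip-address mac-address" check, which can be used to audit captured output against an expected client inventory. The function names, the set of IPSG-enabled interfaces passed in by the caller, and the simplification that every packet on an IPSG-enabled interface must match a binding are assumptions.

```python
import re

# Constructed sample: the display output shown on this page.
SAMPLE_OUTPUT = """\
Total entries found: 1
IP Address      MAC Address    Interface                VLAN Type
192.168.0.1     0001-0203-0406 HGE1/0/1                 1    DHCP snooping
"""

ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<ifname>\S+)\s+(?P<vlan>\d+)\s+(?P<type>.+?)\s*$"
)

def norm_mac(mac):
    """Normalize any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    """Return {interface: {(ip, mac), ...}} and check the entry count."""
    bindings, declared = {}, None
    for line in text.splitlines():
        m = re.match(r"Total entries found:\s*(\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW.match(line.strip())
        if m:
            bindings.setdefault(m["ifname"], set()).add((m["ip"], norm_mac(m["mac"])))
    found = sum(len(v) for v in bindings.values())
    if declared is not None and declared != found:
        raise ValueError(f"header says {declared} entries, parsed {found}")
    return bindings

def permitted(bindings, ipsg_ifs, ifname, src_ip, src_mac):
    """Simplified 'ip-address mac-address' check for one incoming packet."""
    if ifname not in ipsg_ifs:
        return True  # IPSG not enabled on this interface: no source filtering
    # Both source IP and source MAC must match a binding on the ingress interface.
    return (src_ip, norm_mac(src_mac)) in bindings.get(ifname, set())
```

With the sample binding, a packet on HGE1/0/1 passes only when both 192.168.0.1 and 0001-0203-0406 match; changing either field causes a drop in this model.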