259
[DeviceB] display user-bind
Total entries found: 2
MAC Address IP Address VLAN Interface Type
0001-0203-0406 192.168.0.2 N/A N/A Static
0001-0203-0407 192.168.1.2 N/A N/A Static
Host A and Host B can ping each other.
Dynamic IPv4 source guard binding by DHCP snooping
configuration example
Network requirements
As shown in Figure 79, the device connects to the host (client) and the DHCP server through ports
GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively.
Enable DHCP and DHCP snooping on the device, so that the host (with the MAC address of 0001-0203-
0406) can obtain an IP address through the DHCP server and the IP address and the MAC address of
the host can be recorded in a DHCP snooping entry.
Enable the dynamic IPv4 source guard binding function on port GigabitEthernet 1/0/1 of the device,
allowing only packets from a client that obtains an IP address through the DHCP server to pass.
NOTE:
For detailed configuration of a DHCP server, see the
Layer 3—IP Services Configuration Guide.
Figure 79 Network diagram for configuring dynamic IPv4 source guard binding by DHCP snooping
Host
MAC:0001-0203-0406
Device DHCP server
GE1/0/2
GE1/0/1
Configuration procedure
1. Configure DHCP snooping
# Configure IP addresses for the interfaces. (details not shown)
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
[Device] interface gigabitethernet1/0/2
[Device-GigabitEthernet1/0/2] dhcp-snooping trust
[Device-GigabitEthernet1/0/2] quit
2. Configure the dynamic IPv4 source guard binding function
# Configure the dynamic IPv4 source guard binding function on port GigabitEthernet 1/0/1 to filter
packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet1/0/1
[Device-GigabitEthernet1/0/1] ip check source ip-address mac-address
To Next Page
Loading...
Need help?
General