R3303-HP HSR6800 Routers Security Configuration Guide

# Enable IPv4 source guard on GigabitEthernet 3/0/1 to filter packets based on the source IP address.
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] ip verify source ip-address
# Configure GigabitEthernet 3/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
[RouterB-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.2
[RouterB-GigabitEthernet3/0/1] quit
Verifying the configuration
# On Router A, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.
[RouterA] display ip source binding static
Total entries found: 2
MAC Address      IP Address    VLAN  Interface  Type
0001-0203-0405   192.168.0.3   N/A   GE3/0/2    Static
0001-0203-0406   192.168.0.1   N/A   GE3/0/1    Static
# On Router B, display information about static IPv4 source guard entries. The output shows that the static IPv4 source guard entries are configured successfully.
[RouterB] display ip source binding static
Total entries found: 2
MAC Address      IP Address    VLAN  Interface  Type
0001-0203-0406   192.168.0.1   N/A   GE3/0/2    Static
N/A              192.168.0.2   N/A   GE3/0/1    Static
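
The following check is an added example, not part of the HP guide: it parses the display ip source binding static output shown above for Router B and compares it with the intended bindings, so that a missing entry (legitimate traffic dropped) or an unexpected entry (an extra source allowed through) is caught after a change. The function names and the EXPECTED_B set are assumptions made for illustration.

```python
import re

# Router B output as shown in the verification step above.
ROUTER_B_OUTPUT = """\
Total entries found: 2
MAC Address      IP Address    VLAN  Interface  Type
0001-0203-0406   192.168.0.1   N/A   GE3/0/2    Static
N/A              192.168.0.2   N/A   GE3/0/1    Static
"""

# Intended bindings as (interface, ip, mac), using the abbreviated interface
# names the router prints. None stands for a field shown as N/A.
EXPECTED_B = {
    ("GE3/0/2", "192.168.0.1", "0001-0203-0406"),
    ("GE3/0/1", "192.168.0.2", None),
}

# One table row: MAC (xxxx-xxxx-xxxx or N/A), IP, VLAN, interface, type.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4}|N/A)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|N/A)\s+"
    r"(?P<vlan>\d+|N/A)\s+(?P<intf>\S+)\s+(?P<type>\S+)$"
)

def parse_bindings(text):
    """Return (declared_total, set of (interface, ip, mac)) from the output."""
    total, rows = None, set()
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Total entries found:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            mac = None if m["mac"] == "N/A" else m["mac"].lower()
            ip = None if m["ip"] == "N/A" else m["ip"]
            rows.add((m["intf"], ip, mac))
    return total, rows

def audit(text, expected):
    """Compare parsed bindings with the intended set and report drift."""
    total, found = parse_bindings(text)
    return {
        "count_mismatch": total != len(found),
        "missing": sorted(expected - found, key=str),
        "unexpected": sorted(found - expected, key=str),
    }
```
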
Dynamic IPv4 source guard by DHCP snooping configuration example
Network requirements
As shown in Figure 135, the router connects to the host (client) and the DHCP server through ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. The host obtains an IP address from the DHCP server.

Enable DHCP snooping on the router to record the DHCP snooping entry of the host. Enable the IPv4 source guard function on the router's port GigabitEthernet 3/0/1 to filter packets based on the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.

For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Figure 135 Network diagram