R3303-HP HSR6800 Routers Security Configuration Guide

Configuration procedure
1. Configure DHCP snooping:
# Enable DHCP snooping.
<Router> system-view
[Router] dhcp-snooping
# Configure port GigabitEthernet 3/0/2, which is connected to the DHCP server, as a trusted port.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] dhcp-snooping trust
[Router-GigabitEthernet3/0/2] quit
2. Enable IPv4 source guard on port GigabitEthernet 3/0/1 to filter packets based on both the
source IP address and MAC address.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] ip verify source ip-address mac-address
[Router-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display the IPv4 source guard entries generated on port GigabitEthernet 3/0/1.
[Router] display ip source binding
Total entries found: 1
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0406  192.168.0.1     1     GE3/0/1    DHCP-SNP
# Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated
on GigabitEthernet 3/0/1.
[Router] display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet3/0/1
The output shows that a dynamic IPv4 source guard entry has been generated from the DHCP snooping
entry (same IP address, MAC address, VLAN, and interface). Packets received on GigabitEthernet 3/0/1
whose source IP address and source MAC address do not both match this entry are dropped.
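The two displays above can be cross-checked mechanically rather than by eye. The following Python script is an added example, not code from the HP guide: it parses the text of `display ip source binding` and `display dhcp-snooping` (sample output constructed from the verification step above) and reports any client that holds a DHCP snooping lease but has no matching source guard binding (its traffic is being dropped), or a source guard binding with no backing lease (traffic admitted on a stale entry). The interface-name abbreviation map is an assumption; only the GE form appears on this page.

```python
"""Cross-check IPv4 source guard bindings against DHCP snooping entries.

Added example; not part of the HP HSR6800 configuration guide.
"""
import re
from dataclasses import dataclass

# Sample output constructed from the guide's verification step (not captured
# from a device); column spacing is illustrative.
SOURCE_BINDING_OUTPUT = """\
Total entries found: 1
MAC Address     IP Address      VLAN  Interface  Type
0001-0203-0406  192.168.0.1     1     GE3/0/1    DHCP-SNP
"""

DHCP_SNOOPING_OUTPUT = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet3/0/1
"""

# Assumed mapping from the abbreviated interface names printed by
# `display ip source binding` to the full names printed by `display dhcp-snooping`.
IF_ABBREV = {"GE": "GigabitEthernet", "Eth": "Ethernet", "XGE": "Ten-GigabitEthernet"}

MAC_RE = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"


@dataclass(frozen=True, order=True)
class Binding:
    """The IP/MAC/VLAN/interface tuple that source guard filters on."""
    mac: str
    ip: str
    vlan: int
    interface: str


def normalize_ifname(name: str) -> str:
    """Expand 'GE3/0/1' to 'GigabitEthernet3/0/1' so both tables compare equal."""
    m = re.fullmatch(r"([A-Za-z-]+)\s*(\d+(?:/\d+)*)", name)
    if not m:
        return name
    prefix, index = m.groups()
    return IF_ABBREV.get(prefix, prefix) + index


def parse_source_binding(text: str) -> set:
    """Parse `display ip source binding` rows: MAC, IP, VLAN, Interface, Type."""
    row = re.compile(rf"^\s*({MAC_RE})\s+({IP_RE})\s+(\d+)\s+(\S+)\s+(\S+)\s*$", re.M)
    return {
        Binding(mac.lower(), ip, int(vlan), normalize_ifname(ifname))
        for mac, ip, vlan, ifname, _type in row.findall(text)
    }


def parse_dhcp_snooping(text: str) -> set:
    """Parse `display dhcp-snooping` rows: Type, IP, MAC, Lease, VLAN, Interface."""
    row = re.compile(rf"^\s*([DS])\s+({IP_RE})\s+({MAC_RE})\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.M)
    return {
        Binding(mac.lower(), ip, int(vlan), normalize_ifname(ifname))
        for _type, ip, mac, _lease, vlan, ifname in row.findall(text)
    }


def check_consistency(source_binding_text: str, dhcp_snooping_text: str) -> dict:
    """Return bindings present in one table but absent from the other.

    missing_from_guard: DHCP clients that source guard is not admitting.
    stale_in_guard:     source guard entries with no backing DHCP lease.
    """
    guard = parse_source_binding(source_binding_text)
    snooping = parse_dhcp_snooping(dhcp_snooping_text)
    return {
        "missing_from_guard": sorted(snooping - guard),
        "stale_in_guard": sorted(guard - snooping),
    }


if __name__ == "__main__":
    report = check_consistency(SOURCE_BINDING_OUTPUT, DHCP_SNOOPING_OUTPUT)
    for key, entries in report.items():
        print(f"{key}: {len(entries)}")
        for b in entries:
            print(f"  {b.mac} {b.ip} vlan {b.vlan} {b.interface}")
```

On a live device, paste the two display outputs into the two strings (or feed them from a terminal log) and run the script; both lists should be empty whenever the configuration is healthy. A non-empty `missing_from_guard` list after a client has renewed its lease usually means source guard is not enabled on that client's port.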
Dynamic IPv4 source guard by DHCP relay configuration example
Network requirements
As shown in Figure 136, the host and the DHCP server are connected to the router through the router
interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. DHCP relay is enabled on
the router. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP
server through the DHCP relay agent.
Enable the IPv4 source guard function on interface GigabitEthernet 3/0/1 to filter packets based on the
DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to
pass.