R211x-HP Flexfabric 11900 Security Configuration Guide
IP Address      MAC Address       Interface   VLAN   Type
192.168.0.1     0001-0203-0406    N/A         N/A    Static
N/A             0001-0203-0407    XGE1/0/1    N/A    Static
Dynamic IPv4 source guard using DHCP snooping configuration example
Network requirements
As shown in Figure 65, the host (the DHCP client) is connected to Ten-GigabitEthernet 1/0/1 of the
device, and obtains an IP address from the DHCP server. The DHCP server is connected to
Ten-GigabitEthernet 1/0/2 of the device.
Enable DHCP snooping on the device, so that the host can obtain an IPv4 address from the valid DHCP
server and the IPv4 address and the MAC address of the host can be recorded in a DHCP snooping
entry.
Enable dynamic IPv4 source guard on Ten-GigabitEthernet 1/0/1 to filter received packets based on
DHCP snooping entries, allowing only packets from a client that obtains an IP address from the DHCP
server to pass.
Figure 65 Network diagram
Configuration procedure
1. Configure the DHCP server:
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
2. Configure DHCP snooping on the device:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP snooping.
<Switch> system-view
[Switch] dhcp snooping enable
# Configure Ten-GigabitEthernet 1/0/2 as a trusted interface.
[Switch] interface ten-gigabitethernet 1/0/2
[Switch-Ten-GigabitEthernet1/0/2] dhcp snooping trust
[Switch-Ten-GigabitEthernet1/0/2] quit
3. Enable IPv4 source guard on Ten-GigabitEthernet 1/0/1 to filter packets based on both the source
IP address and the MAC address, and enable recording of client information in DHCP snooping
entries on this interface:
[Switch] interface ten-gigabitethernet 1/0/1
[Switch-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[Switch-Ten-GigabitEthernet1/0/1] dhcp snooping binding record
[Switch-Ten-GigabitEthernet1/0/1] quit
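The following is an added example, not part of the HP guide and not Comware code: a small Python model of the state that steps 2 and 3 set up, showing which DHCP replies create a binding and which data packets source guard then permits on Ten-GigabitEthernet 1/0/1. The class, function names, the short interface labels and the sample lease are assumptions made for illustration; lease expiry and release are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Toy model of the snooping and source guard state (not Comware code)."""
    snooping: bool = False                          # dhcp snooping enable
    trusted: set = field(default_factory=set)       # dhcp snooping trust
    recording: set = field(default_factory=set)     # dhcp snooping binding record
    verify: dict = field(default_factory=dict)      # ip verify source: port -> fields
    bindings: dict = field(default_factory=dict)    # port -> {(ip, mac), ...}

    def dhcp_ack(self, in_port, client_port, ip, mac):
        """Handle a server reply seen on in_port for a client on client_port."""
        if not self.snooping:
            return True                             # forwarded, nothing recorded
        if in_port not in self.trusted:
            return False                            # reply from untrusted port: dropped
        if client_port in self.recording:
            self.bindings.setdefault(client_port, set()).add((ip, mac))
        return True

    def permit(self, port, src_ip, src_mac):
        """Source guard decision for a data packet received on port."""
        fields = self.verify.get(port)
        if not fields:
            return True                             # source guard not enabled here
        return any(
            ("ip" not in fields or ip == src_ip)
            and ("mac" not in fields or mac == src_mac)
            for ip, mac in self.bindings.get(port, ())
        )

def configured_switch(record=True):
    """State after steps 2 and 3; record=False omits 'dhcp snooping binding record'."""
    sw = Switch(snooping=True)
    sw.trusted.add("XGE1/0/2")
    sw.verify["XGE1/0/1"] = {"ip", "mac"}           # ip-address mac-address
    if record:
        sw.recording.add("XGE1/0/1")
    return sw

# Constructed sample lease, not taken from the guide.
HOST_IP, HOST_MAC = "192.0.2.10", "0001-0203-0a0b"

if __name__ == "__main__":
    sw = configured_switch()
    sw.dhcp_ack("XGE1/0/2", "XGE1/0/1", HOST_IP, HOST_MAC)
    print(sw.permit("XGE1/0/1", HOST_IP, HOST_MAC))        # leased address
    print(sw.permit("XGE1/0/1", "192.0.2.99", HOST_MAC))   # spoofed source IP
```

Calling configured_switch(record=False) models the case where the binding record command is left out of step 3: no entry is created for the host, so the model drops all of its traffic on the guarded interface.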










