R21xx-HP FlexFabric 11900 Security Configuration Guide
Dynamic IPv4 source guard using DHCP snooping configuration example
Network requirements
As shown in Figure 41, the host (the DHCP client) obtains an IP address from the DHCP server. The DHCP
server is connected to port Ten-GigabitEthernet 1/0/2 of the switch.
Enable DHCP snooping on the switch, so that the host can obtain an IPv4 address from the valid DHCP
server and the IPv4 address and the MAC address of the host can be recorded in a DHCP snooping
entry.
Enable dynamic IPv4 source guard on port Ten-GigabitEthernet 1/0/1 to filter received packets based
on DHCP snooping entries, allowing only packets from a client that obtains an IP address from the DHCP
server to pass.
Figure 41 Network diagram
Configuration procedure
1. Configure the DHCP server:
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
2. Configure DHCP snooping on the switch:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP snooping.
<Switch> system-view
[Switch] dhcp snooping enable
# Configure port Ten-GigabitEthernet 1/0/2 as a trusted port.
[Switch] interface ten-gigabitethernet 1/0/2
[Switch-Ten-GigabitEthernet1/0/2] dhcp snooping trust
[Switch-Ten-GigabitEthernet1/0/2] quit
3. Enable IPv4 source guard on port Ten-GigabitEthernet 1/0/1 to filter packets based on both the
source IP address and the MAC address:
[Switch] interface ten-gigabitethernet 1/0/1
[Switch-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[Switch-Ten-GigabitEthernet1/0/1] quit
4. Verify the configuration:
# Display dynamic IPv4 source guard binding entries obtained from DHCP snooping.
[Switch] display ip source binding dhcp-snooping
Total entries found: 1
IP Address      MAC Address     Interface   VLAN  Type
192.168.0.1     0001-0203-0406  XGE1/0/1    1     DHCP snooping
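The filtering that step 3 enables can be checked offline against the step 4 output. The following Python model is an added example, not code from this guide or from the switch software: parse_bindings, permitted and the sample frames are hypothetical names and constructed values, and the model assumes source guard is enabled on the receiving port and does not cover the DHCP exchange itself.

```python
import re

# Output of "display ip source binding dhcp-snooping", as shown in step 4.
DISPLAY_OUTPUT = """\
Total entries found: 1
IP Address      MAC Address     Interface   VLAN  Type
192.168.0.1     0001-0203-0406  XGE1/0/1    1     DHCP snooping
"""

# One binding row: IPv4 address, MAC in xxxx-xxxx-xxxx form, interface, VLAN, type.
ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+((?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})"
                 r"\s+(\S+)\s+(\d+)\s+(.+?)\s*$")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    """Return {interface: {(ip, mac), ...}}; fail if the row count disagrees
    with the 'Total entries found' header (truncated or garbled capture)."""
    bindings, total, rows = {}, None, 0
    for line in text.splitlines():
        head = re.match(r"Total entries found:\s*(\d+)", line)
        row = ROW.match(line)
        if head:
            total = int(head.group(1))
        elif row:
            ip, mac, ifname, _vlan, _type = row.groups()
            bindings.setdefault(ifname, set()).add((ip, norm_mac(mac)))
            rows += 1
    if total is not None and total != rows:
        raise ValueError(f"header reports {total} entries, parsed {rows}")
    return bindings

def permitted(bindings, ifname, src_ip, src_mac):
    """Model of 'ip verify source ip-address mac-address': the source IP and
    source MAC must both match one binding on the receiving port."""
    return (src_ip, norm_mac(src_mac)) in bindings.get(ifname, set())

if __name__ == "__main__":
    table = parse_bindings(DISPLAY_OUTPUT)
    # Constructed sample frames: (source IP, source MAC) seen on XGE1/0/1.
    for ip, mac in [("192.168.0.1", "0001-0203-0406"),
                    ("192.168.0.9", "0001-0203-0406"),
                    ("192.168.0.1", "0001-0203-04ff")]:
        verdict = "forward" if permitted(table, "XGE1/0/1", ip, mac) else "drop"
        print(f"{ip:<12} {mac}  {verdict}")
```

Only the first sample frame matches the binding; the other two differ in source IP or source MAC and are dropped by the model.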










