R3303-HP 6600/HSR6600 Routers Security Configuration Guide
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== ============== ============ ==== =================
D 192.168.0.1 0001-0203-0406 86335 1 GigabitEthernet3/0/1
The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP
snooping entry.
Dynamic IPv4 source guard by DHCP relay configuration example
Network requirements
As shown in Figure 247, the host and the DHCP server are connected to the router through the router
interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. DHCP relay is enabled on
the router. The host (with the MAC address of 0001-0203-0406) obtains an IP address from the DHCP
server through the DHCP relay agent.
Enable the IPv4 source guard function on interface GigabitEthernet 3/0/1 to filter packets based on the
DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to
pass.
Figure 247 Network diagram
Configuration procedure
1. Configure the DHCP relay agent:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP relay.
<Router> system-view
[Router] dhcp enable
# Configure the IP address of the DHCP server.
[Router] dhcp relay server-group 1 ip 10.1.1.1
# Configure GigabitEthernet 3/0/1 to operate in DHCP relay mode.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] dhcp select relay
# Correlate GigabitEthernet 3/0/1 with DHCP server group 1.
[Router-GigabitEthernet3/0/1] dhcp relay server-select 1
[Router-GigabitEthernet3/0/1] quit
2. Enable IPv4 source guard on GigabitEthernet 3/0/1 to filter packets based on both the source IP
address and MAC address.
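With filtering on both source IP address and MAC address, a packet arriving on the guarded interface is forwarded only if that pair matches a binding entry. The following added example (not part of HP's guide) models that decision in Python using the binding row from the display output earlier on this page; the function names, the `guarded` set and the sample frames are constructed for illustration, and it assumes a relay-derived entry carries the same fields as that row.

```python
import re

# Binding table text as shown in the display output on this page.
BINDING_TABLE = """\
Type IP Address MAC Address Lease VLAN Interface
==== =============== ============== ============ ==== =================
D 192.168.0.1 0001-0203-0406 86335 1 GigabitEthernet3/0/1
"""

ROW = re.compile(
    r"^(?P<type>[DS])\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+(?P<lease>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<ifname>\S+)$"
)

def norm_mac(mac):
    """Reduce 0001-0203-0406 or 00:01:02:03:04:06 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def parse_bindings(text):
    """Return {interface: {(ip, mac), ...}}; header and ruler lines are skipped."""
    bindings = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            bindings.setdefault(m["ifname"], set()).add((m["ip"], norm_mac(m["mac"])))
    return bindings

def verdict(bindings, guarded, ifname, src_ip, src_mac):
    """Model of the IP+MAC filter: exact (ip, mac) match on a guarded port."""
    if ifname not in guarded:
        return "unfiltered"  # source guard is not enabled on this interface
    if (src_ip, norm_mac(src_mac)) in bindings.get(ifname, set()):
        return "forward"
    return "drop"  # a guarded port with no matching entry drops the packet

if __name__ == "__main__":
    table = parse_bindings(BINDING_TABLE)
    guarded = {"GigabitEthernet3/0/1"}  # assumption: only this port is guarded
    frames = [  # constructed sample frames: (interface, source IP, source MAC)
        ("GigabitEthernet3/0/1", "192.168.0.1", "00:01:02:03:04:06"),
        ("GigabitEthernet3/0/1", "192.168.0.99", "00:01:02:03:04:06"),
        ("GigabitEthernet3/0/1", "192.168.0.1", "00:aa:bb:cc:dd:ee"),
        ("GigabitEthernet3/0/2", "10.1.1.1", "00:11:22:33:44:55"),
    ]
    for ifname, ip, mac in frames:
        print(f"{ifname:22} {ip:14} {mac:18} {verdict(table, guarded, ifname, ip, mac)}")
```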
[Figure 247 labels: Host (DHCP client, MAC: 0001-0203-0406), GE3/0/1, Router (DHCP relay agent), GE3/0/2, DHCP server (10.1.1.1/24)]