R3303-HP 6600/HSR6600 Routers Security Configuration Guide

Dynamic IPv4 source guard by DHCP snooping configuration example
Network requirements
As shown in Figure 246, the router connects to the host (client) and the DHCP server through ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. The host obtains an IP address from the DHCP server.
Enable DHCP snooping on the router to record the DHCP snooping entry of the host. Enable the IPv4 source guard function on the router's port GigabitEthernet 3/0/1 to filter packets based on the DHCP snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to pass.
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Figure 246 Network diagram
Configuration procedure
1. Configure DHCP snooping:
# Enable DHCP snooping.
<Router> system-view
[Router] dhcp-snooping
# Configure port GigabitEthernet 3/0/2, which is connected to the DHCP server, as a trusted port.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] dhcp-snooping trust
[Router-GigabitEthernet3/0/2] quit
2. Enable IPv4 source guard on port GigabitEthernet 3/0/1 to filter packets based on both the source IP address and MAC address.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] ip verify source ip-address mac-address
[Router-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display the IPv4 source guard entries generated on port GigabitEthernet 3/0/1.
[Router] display ip source binding
Total entries found: 1
MAC Address      IP Address      VLAN  Interface  Type
0001-0203-0406   192.168.0.1     1     GE3/0/1    DHCP-SNP
# Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated on GigabitEthernet 3/0/1.
[Router] display dhcp-snooping
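The consistency check in the verification step can be automated by parsing the two display outputs and diffing the (MAC, IP, VLAN, interface) tuples. The script below is an added example, not part of the configuration guide; the display ip source binding sample mirrors the page, while the display dhcp-snooping column layout is an assumption about the router's output and should be adjusted to what your device actually prints.

```python
import re

# Constructed sample of "display ip source binding" output, matching the entry shown above.
SOURCE_BINDING = """\
Total entries found: 1
MAC Address      IP Address      VLAN  Interface  Type
0001-0203-0406   192.168.0.1     1     GE3/0/1    DHCP-SNP
"""

# Constructed sample of "display dhcp-snooping" output. The column layout here is an
# assumption (the page does not show it); adapt the parser if your router differs.
DHCP_SNOOPING = """\
 DHCP Snooping is enabled.
 Type : D--Dynamic , S--Static
 Type IP Address       MAC Address       Lease       VLAN Interface
 ==== =============== ================= ============ ==== =================
 D    192.168.0.1     0001-0203-0406    86335        1    GigabitEthernet3/0/1
"""

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def norm_iface(name):
    """Map the short form 'GE3/0/1' and the long form 'GigabitEthernet3/0/1' to one key."""
    return re.sub(r"^(?:GE|GigabitEthernet)", "GE", name, flags=re.IGNORECASE)


def parse_source_binding(text):
    """Return {(mac, ip, vlan, iface)} from 'display ip source binding' output."""
    entries = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and MAC_RE.match(f[0]) and IP_RE.match(f[1]):
            entries.add((f[0].lower(), f[1], f[2], norm_iface(f[3])))
    return entries


def parse_dhcp_snooping(text):
    """Return {(mac, ip, vlan, iface)} from the assumed 'display dhcp-snooping' table."""
    entries = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] in ("D", "S") and IP_RE.match(f[1]) and MAC_RE.match(f[2]):
            entries.add((f[2].lower(), f[1], f[4], norm_iface(f[5])))
    return entries


def compare_bindings(source_text, snooping_text):
    """Entries present in both tables, only in source guard, or only in DHCP snooping."""
    sg, snoop = parse_source_binding(source_text), parse_dhcp_snooping(snooping_text)
    return {"matched": sg & snoop, "guard_only": sg - snoop, "snooping_only": snoop - sg}
```

Any entry in guard_only or snooping_only means the source guard filter on GigabitEthernet 3/0/1 is not tracking the snooping table and the client's traffic may be dropped or, worse, an unexpected binding is being allowed.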