R2511-HP MSR Router Series Security Configuration Guide(V5)
420
<Device> system-view
[Device] dhcp-snooping
# Configure port Ethernet 1/2, which is connected to the DHCP server, as a trusted port.
[Device] interface ethernet1/2
[Device-Ethernet1/2] dhcp-snooping trust
[Device-Ethernet1/2] quit
2. Enable IPv4 source guard on port Ethernet 1/1 to filter packets based on both the source IP
address and MAC address.
[Device] interface ethernet1/1
[Device-Ethernet1/1] ip verify source ip-address mac-address
[Device-Ethernet1/1] quit
Verifying the configuration
# Display the IPv4 source guard binding entries generated on port Ethernet 1/1.
[Device] display ip source binding
Total entries found: 1
MAC Address IP Address VLAN Interface Type
0001-0203-0406 192.168.0.1 1 Eth1/1 DHCP-SNP
# Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated
on Ethernet 1/1.
[Device] display dhcp-snooping
DHCP snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== ============== ============ ==== =================
D 192.168.0.1 0001-0203-0406 86335 1 Ethernet1/1
The output shows that a dynamic IPv4 source guard binding entry has been generated based on the
DHCP snooping entry.
Troubleshooting IP source guard
Symptom
Failed to configure static IP source guard binding entries and enable IP source guard on a port.
Analysis
IP source guard is not supported on a port in an aggregation group.
Solution
Remove the port from the aggregation group.