R0106-HP MSR Router Series Security Configuration Guide(V7)

[DeviceA-GigabitEthernet2/1/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceA-GigabitEthernet2/1/1] quit
2. Configure Device B:
# Configure an IP address for each interface. (Details not shown.)
# Enable IPv4 source guard on GigabitEthernet 2/1/2.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 2/1/2
[DeviceB-GigabitEthernet2/1/2] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet2/1/2] quit
# Enable IPv4 source guard on GigabitEthernet 2/1/1.
[DeviceB] interface gigabitethernet 2/1/1
[DeviceB-GigabitEthernet2/1/1] ip verify source ip-address mac-address
# On GigabitEthernet 2/1/1, configure a static IPv4 source guard binding entry for Host B.
[DeviceB] interface gigabitethernet 2/1/1
[DeviceB-GigabitEthernet2/1/1] ip source binding mac-address 0001-0203-0407
[DeviceB-GigabitEthernet2/1/1] quit
Verifying the configuration
# Display static IPv4 source guard binding entries on Device A. The output shows that the static IPv4
source guard binding entries are configured successfully.
<DeviceA> display ip source binding static
Total entries found: 2
IP Address      MAC Address      Interface    VLAN   Type
192.168.0.1     0001-0203-0405   GE2/1/2      N/A    Static
192.168.0.3     0001-0203-0406   GE2/1/1      N/A    Static
# Display static IPv4 source guard binding entries on Device B. The output shows that the static IPv4
source guard binding entries are configured successfully.
<DeviceB> display ip source binding static
Total entries found: 2
IP Address      MAC Address      Interface    VLAN   Type
N/A             0001-0203-0407   GE2/1/1      N/A    Static
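Added example, not part of the HP guide: a Python check that parses display ip source binding static output in the column layout shown above and compares it with the bindings that were meant to be configured. The sample output, the addresses and the function names are constructed for illustration.

```python
import re

# Row layout of `display ip source binding static`; "N/A" marks an unset field.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|N/A)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2}|N/A)\s+"
    r"(?P<ifname>\S+)\s+(?P<vlan>\S+)\s+(?P<type>\S+)\s*$"
)
TOTAL = re.compile(r"^Total entries found:\s*(\d+)")


def parse_bindings(output):
    """Return (declared_total, set of (ip, mac, interface)) from CLI output."""
    declared, rows = None, set()
    for line in map(str.strip, output.splitlines()):
        if (m := TOTAL.match(line)):
            declared = int(m.group(1))
        elif (m := ROW.match(line)):
            rows.add((m["ip"], m["mac"].lower(), m["ifname"]))
    return declared, rows


def audit(output, intended):
    """Compare parsed entries with the intended bindings; return findings."""
    declared, actual = parse_bindings(output)
    intended = {(ip, mac.lower(), ifname) for ip, mac, ifname in intended}
    findings = []
    if declared is not None and declared != len(actual):
        findings.append(f"count mismatch: header says {declared}, parsed {len(actual)}")
    findings += [f"missing: {e}" for e in sorted(intended - actual)]
    findings += [f"unexpected: {e}" for e in sorted(actual - intended)]
    return findings


# Constructed sample (documentation addresses, not values from the guide).
SAMPLE = """Total entries found: 2
IP Address      MAC Address      Interface    VLAN   Type
198.51.100.10   0011-2233-4455   GE2/1/2      N/A    Static
N/A             0011-2233-4466   GE2/1/1      N/A    Static
"""
INTENDED = [
    ("198.51.100.10", "0011-2233-4455", "GE2/1/2"),
    ("198.51.100.20", "0011-2233-4466", "GE2/1/1"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, INTENDED):
        print(finding)
```

A row whose IP Address is N/A where an IP-and-MAC binding was intended is reported as one missing and one unexpected entry, and a header count that disagrees with the number of parsed rows is reported separately.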
Dynamic IPv4 source guard using DHCP snooping configuration example
Network requirements
As shown in Figure 117, the host (the DHCP client) obtains an IP address from the DHCP server.
Enable DHCP snooping on the device to record the IPv4 address and the MAC address of the host in a
DHCP snooping entry.
Enable dynamic IPv4 source guard on GigabitEthernet 2/1/1 to filter received packets based on DHCP
snooping entries. Only packets from the client that obtains an IP address from the DHCP server are
allowed to pass.