Dynamic Ipv4 Source Guard By Dhcp Snooping Configuration Example - HP 12500 Series Configuration Manual

Dynamic IPv4 source guard by DHCP snooping configuration
example
Network requirements
As shown in
GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. The host obtains an IP address from
the DHCP server.
Enable DHCP snooping on the device to record the DHCP snooping entry of the host. Enable the IPv4
source guard function on the device's port GigabitEthernet 3/0/1 to filter packets based on the DHCP
snooping entry, allowing only packets from clients that obtain IP addresses through the DHCP server to
pass.
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
Figure 88 Network diagram
Configuration procedure
Configure DHCP snooping:
1.
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure port GigabitEthernet 3/0/2, which is connected to the DHCP server, as a trusted
port.
[Device] interface gigabitethernet 3/0/2
[Device-GigabitEthernet3/0/2] dhcp-snooping trust
[Device-GigabitEthernet3/0/2] quit
Configure the IPv4 source guard function on port GigabitEthernet 3/0/1 to filter packets based on
2.
both the source IP address and MAC address:
[Device] interface gigabitethernet 3/0/1
[Device-GigabitEthernet3/0/1] ip verify source ip-address mac-address
[Device-GigabitEthernet3/0/1] quit
Verify the configuration:
3.
# Display the IPv4 source guard entries generated on port GigabitEthernet 3/0/1.
[Device] display ip source binding
Total entries found: 1
MAC Address
0001-0203-0406
# Display DHCP snooping entries to see whether they are consistent with the dynamic entries
generated on GigabitEthernet 3/0/1.
[Device] display dhcp-snooping
DHCP Snooping is enabled.
Figure 88, the device connects to the host (client) and the DHCP server through ports
IP Address
192.168.0.1
VLAN Interface
1 GE3/0/1
259
Type
DHCP-SNP