3-12
# Set the circuit ID sub-option in DHCP packets from VLAN 1 to abcd on GigabitEthernet 1/0/3.
[Switch] interface GigabitEthernet1/0/3
[Switch-GigabitEthernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd
IP Filtering Configuration Example
Network requirements
As shown in Figure 3-7, GigabitEthernet 1/0/1 of the S5100-SI/EI switch is connected to the DHCP
server and GigabitEthernet 1/0/2 is connected to Host A. The IP address and MAC address of Host A
are 1.1.1.1 and 0001-0001-0001 respectively. GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are
connected to DHCP Client B and Client C.
z Enable DHCP snooping on the switch, and specify GigabitEthernet 1/0/1 as the DHCP snooping
trusted port.
z Enable IP filtering on GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to
prevent attacks to the server from clients using fake source IP addresses.
z Create static binding entries on the switch, so that Host A using a fixed IP address can access
external networks.
Network diagram
Figure 3-7 Network diagram for IP filtering configuration
Switch
DHCP Snooping
Host A
IP:1.1.1.1
MAC:0001-0001-0001
GE1/0/2
Client C
GE1/0/4
GE1/0/1
DHCP Server
Client B
GE1/0/3
Configuration procedure
# Enable DHCP snooping on the switch.
<Switch> system-view
[Switch] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as the trusted port.
[Switch] interface GigabitEthernet1/0/1
[Switch-GigabitEthernet1/0/1] dhcp-snooping trust
[Switch-GigabitEthernet1/0/1] quit
To Next Page
Loading...
