365
[Device] dhcp-snooping
# Configure Ethernet 1/0/2 as a trusted port.
[Device] interface ethernet1/0/2
[Device-Ethernet1/0/2] dhcp-snooping trust
[Device-Ethernet1/0/2] quit
2. Configure the IPv4 source guard feature.
# Configure the IPv4 source guard feature on Ethernet 1/0/1 to filter packets based on both the
source IP address and MAC address.
[Device] interface ethernet1/0/1
[Device-Ethernet1/0/1] ip verify source ip-address mac-address
[Device-Ethernet1/0/1] quit
Verifying the configuration
# Display the IPv4 source guard binding entries generated on Ethernet 1/0/1.
[Device] display ip source binding
Total entries found: 1
MAC Address IP Address VLAN Interface Type
0001-0203-0406 192.168.0.1 1 Eth1/0/1 DHCP-SNP
# Display DHCP snooping entries.
[Device] display dhcp-snooping
DHCP snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static , R--Recovering
Type IP Address MAC Address Lease VLAN SVLAN Interface
==== =============== ============== ============ ==== ===== =================
D 192.168.0.1 0001-0203-0406 86335 1 N/A Ethernet1/0/1
--- 1 dhcp-snooping item(s) found ---
The output shows that a dynamic IPv4 source guard binding entry has been generated based on the
DHCP snooping entry.
Dynamic IPv4 source guard using DHCP relay configuration
example
Network requirements
As shown in Figure 111, DHCP relay is enabled on the switch. The host (with the MAC address of
0001-0203-0406) obtains an IP address from the DHCP server through the DHCP relay agent.
Enable the IPv4 source guard feature on the switch's VLAN-interface 100 to filter packets based on the
DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to
pass.
To Next Page
Loading...
Need help?
General