Dynamic IPv4SG using DHCP snooping configuration example

As shown in Figure 198, the host (the DHCP client) obtains an IP address from the DHCP server. Perform the following tasks:

• Enable DHCP snooping on the device to make sure the DHCP clients obtain IP addresses from the authorized DHCP server. To generate DHCP snooping entries for the DHCP clients, enable recording of client information in DHCP snooping entries.

• Enable dynamic IPv4SG on GigabitEthernet 1/0/1 to filter incoming packets by using the IPv4SG bindings generated based on DHCP snooping entries. Only packets from the DHCP client are allowed to pass.

1. Configure the DHCP server.

   For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.

2. Configure the device:

   # Configure IP addresses for the interfaces. (Details not shown.)

   # Enable DHCP snooping.

   <Device> system-view
   [Device] dhcp snooping enable
   

   # Configure GigabitEthernet 1/0/2 as a trusted interface.

   [Device] interface gigabitethernet 1/0/2
   [Device-GigabitEthernet1/0/2] dhcp snooping trust
   [Device-GigabitEthernet1/0/2] quit
   

   # Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPSG.

   [Device] interface gigabitethernet 1/0/1
   [Device-GigabitEthernet1/0/1] ip verify source ip-address mac-address
   

   # Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.

   [Device-GigabitEthernet1/0/1] dhcp snooping binding record
   [Device-GigabitEthernet1/0/1] quit
   

# Verify that a dynamic IPv4SG binding is generated based on a DHCP snooping entry.

[Device] display ip source binding dhcp-snooping
Total entries found: 1
IP Address      MAC Address    Interface                VLAN Type
192.168.0.1     0001-0203-0406 GE1/0/1                  1    DHCP snooping