Dynamic IPv4SG using DHCP snooping configuration example

As shown in Figure 129, the host (the DHCP client) obtains an IP address from the DHCP server. Perform the following tasks:

• Enable DHCP snooping on the device to make sure the DHCP client obtains an IP address from the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable recording of client information in DHCP snooping entries.

• Enable dynamic IPv4SG on GigabitEthernet 1/0/1 to filter incoming packets by using the IPv4SG bindings generated based on DHCP snooping entries. Only packets from the DHCP client are allowed to pass.

1. Configure DHCP snooping:

   # Configure IP addresses for the interfaces. (Details not shown.)

   # Enable DHCP snooping.

   <Device> system-view
   [Device] dhcp snooping enable
   

   # Configure GigabitEthernet 1/0/2 as a trusted interface.

   [Device] interface gigabitethernet 1/0/2
   [Device-GigabitEthernet1/0/2] dhcp snooping trust
   [Device-GigabitEthernet1/0/2] quit
   

2. Configure IPv4SG on GigabitEthernet 1/0/1:

   # Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPSG.

   [Device] interface gigabitethernet 1/0/1
   [Device-GigabitEthernet1/0/1] ip verify source ip-address mac-address
   

   # Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.

   [Device-GigabitEthernet1/0/1] dhcp snooping binding record
   [Device-GigabitEthernet1/0/1] quit
   

# Verify that a dynamic IPv4SG binding is generated based on a DHCP snooping entry.

[Device] display ip source binding dhcp-snooping
Total entries found: 1
IP Address      MAC Address    Interface                VLAN Type
192.168.0.1     0001-0203-0406 GE1/0/1                  1    DHCP snooping