H3C S9500E Series Security Configuration Manual page 166

On Switch A, create a DHCP snooping entry for Client A.
On port GigabitEthernet 3/0/1 of Switch A, enable the dynamic binding function to prevent
attackers from using forged IP addresses to attack the server.
For detailed configuration of a DHCP server, see DHCP in the Layer 3 – IP Services Configuration Guide.
Figure 57 Network diagram for configuring dynamic binding function
Configuration procedure
1. Configure Switch A
Configure the dynamic binding function on port GigabitEthernet 3/0/1 to filter packets based on
both the source IP address and MAC address.
<SwitchA> system-view
[SwitchA] interface gigabitethernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] ip check source ip-address mac-address
[SwitchA-GigabitEthernet3/0/1] quit
Enable DHCP snooping.
[SwitchA] dhcp-snooping
Configure the port connecting to the DHCP server as a trusted port.
[SwitchA] interface gigabitethernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] dhcp-snooping trust
[SwitchA-GigabitEthernet3/0/2] quit
2. Verify the configuration
Display the dynamic binding entries that port GigabitEthernet 3/0/1 has obtained from DHCP
snooping.
[SwitchA] display ip check source
Total entries found: 1
 MAC              IP               Vlan   Port                   Status
 0001-0203-0406   192.168.0.1      1      GigabitEthernet3/0/1   DHCP-SNP
Display the dynamic entries of DHCP snooping and check that they are identical to the dynamic entries
that port GigabitEthernet 3/0/1 has obtained.
[SwitchA] display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet3/0/1
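The cross-check in the verification step can be scripted. The following Python is an added example, not part of the H3C manual: it parses saved output of the two display commands and reports bindings that appear in one table but not the other. The column layout of the sample strings and the names parse_bindings and compare_bindings are assumptions; the values are the ones shown on this page.

```python
import re

# Constructed sample outputs using the values on this page; column layout is assumed.
IP_CHECK_OUTPUT = """\
Total entries found: 1
 MAC             IP           Vlan  Port                  Status
 0001-0203-0406  192.168.0.1  1     GigabitEthernet3/0/1  DHCP-SNP
"""
SNOOPING_OUTPUT = """\
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet3/0/1
"""

MAC = r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# One row of "display ip check source": MAC, IP, Vlan, Port, Status.
IP_CHECK_ROW = re.compile(rf"^\s*{MAC}\s+{IP}\s+(?P<vlan>\d+)\s+(?P<port>\S+)\s+(?P<kind>\S+)\s*$")
# One row of "display dhcp-snooping": Type, IP, MAC, Lease, VLAN, Interface.
SNOOPING_ROW = re.compile(rf"^\s*(?P<kind>[DS])\s+{IP}\s+{MAC}\s+\d+\s+(?P<vlan>\d+)\s+(?P<port>\S+)\s*$")


def parse_bindings(text, row_re, kind, port):
    """Return {(ip, mac, vlan)} for rows of the given kind on the given port."""
    found = set()
    for line in text.splitlines():
        m = row_re.match(line)
        if m and m["kind"] == kind and m["port"] == port:
            found.add((m["ip"], m["mac"].lower(), int(m["vlan"])))
    return found


def compare_bindings(ip_check_text, snooping_text, port):
    """Return (missing_from_filter, stale_in_filter) for one port.
    missing: DHCP snooping holds the binding but the port filter does not.
    stale:   the port filter holds a binding DHCP snooping does not.
    """
    filt = parse_bindings(ip_check_text, IP_CHECK_ROW, "DHCP-SNP", port)
    snoop = parse_bindings(snooping_text, SNOOPING_ROW, "D", port)
    return snoop - filt, filt - snoop


if __name__ == "__main__":
    missing, stale = compare_bindings(IP_CHECK_OUTPUT, SNOOPING_OUTPUT, "GigabitEthernet3/0/1")
    print("missing from filter:", sorted(missing))
    print("stale in filter:", sorted(stale))
```

Both sets are empty when the port's dynamic binding entries match the DHCP snooping table, which is the result the verification step expects.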
