Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example - HPE FlexNetwork 7500 Series Security Configuration Manual

Dynamic IPv4SG using DHCP snooping configuration
example
Network requirements
As shown in
Perform the following tasks:
•
Enable DHCP snooping on the device to make sure the DHCP client obtains an IP address from
the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable
recording of client information in DHCP snooping entries.
•
Enable dynamic IPv4SG on GigabitEthernet 1/0/1 to filter incoming packets by using the
IPv4SG bindings generated based on DHCP snooping entries. Only packets from the DHCP
client are allowed to pass.
Figure 116 Network diagram
DHCP client
Host
MAC: 0001-0203-0406
Configuration procedure
1. Configure DHCP snooping:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp snooping enable
# Configure GigabitEthernet 1/0/2 as a trusted interface.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit
2. Configure IPv4SG on GigabitEthernet 1/0/1:
# Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address
for dynamic IPSG.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.
[Device-GigabitEthernet1/0/1] dhcp snooping binding record
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify that a dynamic IPv4SG binding is generated based on a DHCP snooping entry.
[Device] display ip source binding dhcp-snooping
Total entries found: 1
IP Address
192.168.0.1
Figure 116, the host (the DHCP client) obtains an IP address from the DHCP server.
DHCP snooping
GE1/0/1
Device
MAC Address
0001-0203-0406 GE1/0/1
DHCP server
GE1/0/2
Interface
410
VLAN Type
1 DHCP snooping