H3C S5830V2 Security Configuration Manual page 223

Enable dynamic IPv4 source guard on port Ten-GigabitEthernet 1/0/1 to filter received packets based
on DHCP snooping entries, allowing only packets from a client that obtains an IP address from the DHCP
server to pass.
Figure 65 Network diagram
Configuration procedure
1. Configure the DHCP server:
For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
2. Configure DHCP snooping on the switch:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable DHCP snooping.
<Switch> system-view
[Switch] dhcp snooping enable
# Configure port Ten-GigabitEthernet 1/0/2 as a trusted port.
[Switch] interface ten-gigabitEthernet 1/0/2
[Switch-Ten-GigabitEthernet1/0/2] dhcp snooping trust
[Switch-Ten-GigabitEthernet1/0/2] quit
3. Configure IPv4 source guard on the switch:
# Enable IPv4 source guard on port Ten-GigabitEthernet 1/0/1 to filter packets based on both the
source IP address and the MAC address:
[Switch] interface ten-gigabitEthernet 1/0/1
[Switch-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# Enable recording of client information in DHCP snooping entries on Ten-GigabitEthernet 1/0/1.
[Switch-Ten-GigabitEthernet1/0/1] dhcp snooping binding record
[Switch-Ten-GigabitEthernet1/0/1] quit
Verifying the configuration
# Display dynamic IPv4 source guard binding entries obtained from DHCP snooping.
[Switch] display ip source binding dhcp-snooping
Total entries found: 1
IP Address      MAC Address     Interface                VLAN Type
192.168.0.1     0001-0203-0406  XGE1/0/1                 1    DHCP snooping
The output shows that IP source guard has generated a dynamic IPv4 binding entry on port
Ten-GigabitEthernet 1/0/1 based on the DHCP snooping entry.


This manual is also suitable for:

S5820v2
