
Configure Effective Port IP Source Guard Function Based on DHCP Snooping Dynamic Entries

Network Requirements

  • PC1 and PC2 are connected to IP Network via Device.
  • Configure the global DHCP Snooping function.
  • Configure the port IP Source Guard function so that PC1 can access IP Network normally and PC2 cannot access IP Network.

Network Topology


Figure 4–1 Networking of configuring effective port IP Source Guard function based on DHCP Snooping dynamic entries

Configuration Steps

Step 1: On Device, configure VLAN and port link type.

#Create VLAN2.

Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit

#Configure the link type of port gigabitethernet0/1 as Access, permitting the services of VLAN2 to pass.

Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#switchport mode access
Device(config-if-gigabitethernet0/1)#switchport access vlan 2
Device(config-if-gigabitethernet0/1)#exit

Step 2: On Device, enable the global DHCP Snooping function and configure gigabitethernet0/2, the port connected to the DHCP Server, as the trusted port.

Device(config)#dhcp snooping enable
Device(config)#interface gigabitethernet 0/2
Device(config-if-gigabitethernet0/2)#dhcp snooping trust
Device(config-if-gigabitethernet0/2)#exit

Step 3: Configure the address pool of DHCP Server as 1.0.0.0/24. (omitted)

Step 4: On Device, configure the IP Source Guard function of the port.

#On port gigabitethernet0/1, enable the port-based IP Source Guard function.

Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#ip verify source
Device(config-if-gigabitethernet0/1)#exit

Step 5: Check the result.

#View the configuration information of DHCP Snooping.

Device#show dhcp-snooping  
        dhcp-snooping configuration information: 
        dhcp-snooping status:enable 
        dhcp-snooping option82 information status:disable 
        dhcp-snooping option82 information policy:replace 
        dhcp-snooping option82 information format:default 
        dhcp-snooping option82 information remote id:default(mac address) 
        dhcp-snooping information relay-address :None 
        dhcp-snooping binding agent save mode :auto-flash 
        dhcp-snooping binding agent save delay :1800 
        dhcp-snooping binding agent save pool :30 
        dhcp-snooping interface information : 
-------------------------------------------------------------------------
interface   trust-status  rate-limit(pps) circuit-Id  
gi0/0/1     untrust       40              default(vlan-mod-interface)  
gi0/0/2     trust                         default(vlan-mod-interface)  
gi0/0/3     untrust       40              default(vlan-mod-interface)  
gi0/0/4     untrust       40              default(vlan-mod-interface)  
gi0/0/5     untrust       40              default(vlan-mod-interface) 
…… 

#View the configuration information of IP Source Guard.

Device#show ip source guard 
IP source guard interfaces on slot 0 : 
Total number of enabled interfaces : 1 
Interface Name   Status    Verify Type  L2 Status     
gi0/1            Enabled      ip        Disabled
gi0/2            Disabled     ip        Disabled
gi0/3            Disabled     ip        Disabled
gi0/4            Disabled     ip        Disabled
gi0/5            Disabled     ip        Disabled      
…… 

You can see that port gigabitethernet0/1 has the IP Source Guard function enabled and that its Verify Type is ip. Therefore, in this example, the dynamic entries take effect based on ip+vlan: a packet entering gigabitethernet0/1 is forwarded only if its source IP address and VLAN match a binding learned on that port.

#View the IP Source Guard bound entries of the port.

Device#show ip binding table  
--------------------------------------------
IP Source Guard binding table on slot 0 
     Total binding entries    : 1 
     Static binding entries   : 0 
     Dynamic binding entries : 1 
     Dynamic not write entries : 0 
     PCE writing entries       : 1 
-------------------------------------------------------------------------------------
Interface-Name MAC-Address     IP-Address  VLAN-ID  Type-Flag Writing-Flag  L2-Flag 
-------------------------------------------------------------------------------------
gi0/1          0001.0001.0001  1.0.0.2     2        dynamic   Write         Not Write  

#PC1 can access IP Network normally, and PC2 cannot access IP Network.
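The ip+vlan check that this binding table drives can be simulated in software, which helps when reasoning about which hosts a guarded port will pass or drop. This is an added example, not code from the guide or from the switch vendor; it parses the `show ip binding table` row shown above, assumes PC2 also sits behind gigabitethernet0/1 with a statically configured address 1.0.0.3 (constructed) that never obtained a DHCP lease, and uses `check_mac` to illustrate a stricter ip+mac comparison that the guide does not configure.

```python
"""Simulate port IP Source Guard filtering against DHCP Snooping bindings."""
import re

# Binding table rows constructed from the 'show ip binding table' output above.
BINDING_OUTPUT = """\
Interface-Name MAC-Address     IP-Address  VLAN-ID  Type-Flag Writing-Flag  L2-Flag
-------------------------------------------------------------------------------------
gi0/1          0001.0001.0001  1.0.0.2     2        dynamic   Write         Not Write
"""

# Ports on which 'ip verify source' was configured (only gi0/1 in the guide).
GUARDED_PORTS = {"gi0/1"}

# One entry row: interface, dotted MAC, IPv4 address, VLAN id, entry type.
ENTRY_RE = re.compile(
    r"^(?P<iface>gi\d+/\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<vlan>\d+)\s+(?P<type>\w+)", re.I)


def parse_bindings(text):
    """Return {(interface, ip, vlan): mac} for every entry row in the output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header and separator lines do not match and are skipped
            table[(m["iface"], m["ip"], int(m["vlan"]))] = m["mac"].lower()
    return table


def permit(bindings, iface, src_ip, vlan, src_mac, check_mac=False):
    """Decide whether a packet entering iface is forwarded.

    Verify Type ip (the guide's setting) matches source IP + VLAN on the
    ingress port.  check_mac=True is a hypothetical stricter mode that also
    requires the bound MAC; unguarded ports forward everything.
    """
    if iface not in GUARDED_PORTS:
        return True
    bound_mac = bindings.get((iface, src_ip, vlan))
    if bound_mac is None:
        return False  # no DHCP-learned binding: dropped, as for PC2
    return (not check_mac) or bound_mac == src_mac.lower()


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    # PC1 holds the DHCP lease 1.0.0.2 in VLAN 2; PC2's 1.0.0.3 is constructed.
    print("PC1:", permit(table, "gi0/1", "1.0.0.2", 2, "0001.0001.0001"))
    print("PC2:", permit(table, "gi0/1", "1.0.0.3", 2, "0002.0002.0002"))
```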