Network requirements – H3C Technologies H3C S7500E Series Switches User Manual

13-6

[SwitchB-GigabitEthernet2/0/2] user-bind ip-address 192.168.0.1 mac-address

0001-0203-0406

[SwitchB-GigabitEthernet2/0/2] quit

# Configure port GigabitEthernet 2/0/1 of Switch B to allow only IP packets with the source MAC

address of 00-01-02-03-04-07 and the source IP address of 192.168.0.2 to pass.

[SwitchB] interface gigabitethernet 2/0/1

[SwitchB-GigabitEthernet2/0/1] user-bind ip-address 192.168.0.2 mac-address

0001-0203-0407

3) Verify

the

configuration

# On Switch A, static IP source guard binding entries are configured successfully.

display user-bind

Total entries found: 2

MAC IP Vlan Port Status

0001-0203-0405 192.168.0.3 N/A GigabitEthernet2/0/2 Static

0001-0203-0406 192.168.0.1 N/A GigabitEthernet2/0/1 Static

# On Switch B, static IP source guard binding entries are configured successfully.

display user-bind

Total entries found: 2

MAC IP Vlan Port Status

0001-0203-0406 192.168.0.1 N/A GigabitEthernet2/0/2 Static

0001-0203-0407 192.168.0.2 N/A GigabitEthernet2/0/1 Static

Dynamic IP Source Guard Binding Function Configuration Example 1

Network requirements

As shown in

Figure 13-3

, Switch A connects to Client A and the DHCP server through ports

GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 respectively. DHCP snooping is enabled on

Switch A.

Detailed requirements are as follows:

z

Client A (with the MAC address of 00-01-02-03-04-06) obtains an IP address through the

DHCP server.

z

On Switch A, create a DHCP snooping entry for Client A.

z

On port GigabitEthernet 2/0/1 of Switch A, enable dynamic IP source guard binding

function to prevent attackers from using forged IP addresses to attack the server.

For detailed configuration of a DHCP server, see DHCP Server Configuration in the Layer 3 - IP

Services Configuration Guide.