Thursday, September 13, 2018

How to Prevent Users from Using Unauthorized Static IP Addresses to Access Huawei S5720 switch?

You can configure Dynamic Host Configuration Protocol (DHCP) snooping on the Huawei S5720 switch to prevent users from using unauthorized static IP addresses. DHCP snooping checks user packets against the IP+MAC+port binding table and discards packets that do not match a binding entry. After DHCP snooping is configured, only users whose IP and MAC addresses match the binding table and users that obtain IP addresses through DHCP can access the switch. For example, to allow only the user whose IP address is 10.1.1.2 and MAC address is 001c-2309-9aa7 to connect to Ethernet0/0/1 of the switch, perform the following steps:
1. Configure DHCP snooping on the switch.
# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable
# Create VLAN and add the user-side interface to the VLAN.
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] port default vlan 100
[HUAWEI-Ethernet0/0/1] quit
# Enable DHCP snooping in the VLAN.
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
2. Configure the packet checking function on the user-side interface.
[HUAWEI] interface ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-Ethernet0/0/1] ip source check user-bind enable
[HUAWEI-Ethernet0/0/1] quit
3. Configure a static binding entry.
[HUAWEI] user-bind static ip-address 10.1.1.2 mac-address 001c-2309-9aa7 interface ethernet 0/0/1
NOTE: Static DHCP snooping binding entries are required only for users that use static IP addresses. If all users use DHCP to obtain IP addresses, you do not need to configure static DHCP snooping binding entries.
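To make the binding check in steps 1 to 3 concrete, the following is an added Python model of it; it is example code written for this post, not Huawei code or output from the switch. The binding table holds IP+MAC+port entries from two sources, the static entry of step 3 and entries learned from DHCP ACKs, and the check is applied only on interfaces where it has been enabled, as step 2 does per interface. The second host, its MAC addresses (from the IANA documentation range) and the DHCP ACK are constructed sample data.

```python
# Added example (not Huawei code): a small model of the DHCP snooping
# binding check that steps 1 to 3 above configure. All packets, DHCP
# messages and the second host are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One IP+MAC+port entry of the DHCP snooping binding table."""
    ip: str
    mac: str          # Huawei notation, e.g. 001c-2309-9aa7
    interface: str
    source: str       # "static" (user-bind static) or "dhcp" (learned)


class SnoopingSwitch:
    def __init__(self):
        self.bindings = set()
        # Interfaces with 'ip source check user-bind enable' configured.
        self.check_enabled = set()

    def enable_source_check(self, interface):
        self.check_enabled.add(interface)

    def add_static_binding(self, ip, mac, interface):
        """Models: user-bind static ip-address ... mac-address ... interface ..."""
        self.bindings.add(Binding(ip, mac.lower(), interface, "static"))

    def observe_dhcp_ack(self, ack):
        """Learn a dynamic entry from a DHCP ACK delivered to a client on a user port.
        ack is a constructed dict: {'yiaddr', 'chaddr', 'interface'}."""
        self.bindings.add(Binding(ack["yiaddr"], ack["chaddr"].lower(),
                                  ack["interface"], "dhcp"))

    def _has_match(self, ip, mac, interface):
        # All three fields must match one entry; the entry's source is irrelevant.
        return any(b.ip == ip and b.mac == mac.lower() and b.interface == interface
                   for b in self.bindings)

    def forward_decision(self, pkt):
        """Return 'permit' or 'discard' for an IP packet received on a user port.
        pkt is a constructed dict: {'src_ip', 'src_mac', 'interface'}."""
        if pkt["interface"] not in self.check_enabled:
            return "permit"          # check not configured on this port
        if self._has_match(pkt["src_ip"], pkt["src_mac"], pkt["interface"]):
            return "permit"
        return "discard"


def demo():
    """Apply the check to constructed sample traffic; returns a list of
    (packet label, decision) pairs."""
    sw = SnoopingSwitch()
    sw.enable_source_check("Ethernet0/0/1")
    sw.enable_source_check("Ethernet0/0/2")
    # Step 3 of the procedure: the one permitted static host.
    sw.add_static_binding("10.1.1.2", "001c-2309-9aa7", "Ethernet0/0/1")

    results = []
    # Authorized static host on its own port.
    results.append(("static-host-ok", sw.forward_decision(
        {"src_ip": "10.1.1.2", "src_mac": "001c-2309-9aa7", "interface": "Ethernet0/0/1"})))
    # Same IP+MAC, but arriving on a different port: no entry matches all three fields.
    results.append(("static-host-wrong-port", sw.forward_decision(
        {"src_ip": "10.1.1.2", "src_mac": "001c-2309-9aa7", "interface": "Ethernet0/0/2"})))
    # Self-assigned IP with no binding entry (constructed MAC, IANA documentation range).
    results.append(("unauthorized-static-ip", sw.forward_decision(
        {"src_ip": "10.1.1.99", "src_mac": "0000-5e00-5301", "interface": "Ethernet0/0/2"})))
    # A DHCP client on Ethernet0/0/2: IP traffic is discarded until its lease is
    # learned from the DHCP ACK, then permitted with no static entry needed.
    client = {"src_ip": "10.1.1.50", "src_mac": "0000-5e00-5302", "interface": "Ethernet0/0/2"}
    results.append(("dhcp-client-before-ack", sw.forward_decision(client)))
    sw.observe_dhcp_ack({"yiaddr": "10.1.1.50", "chaddr": "0000-5E00-5302",
                         "interface": "Ethernet0/0/2"})
    results.append(("dhcp-client-after-ack", sw.forward_decision(client)))
    return results


if __name__ == "__main__":
    for label, decision in demo():
        print(f"{label:26s} {decision}")
```

The wrong-port case is the one worth noticing: the entry from step 3 names the interface, so the same IP and MAC pair presented on another port does not match and is discarded, which is what ties an authorized static address to a specific physical port rather than to the VLAN as a whole.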
