
Example for Configuring IPSG Based on the DHCP Snooping Dynamic Binding Table to Prevent Hosts from Changing Their Own IP Addresses

Networking Requirements

In Figure 1, hosts access the Internet through Switch_1, and Switch_2 functions as a DHCP server to allocate IP addresses to the hosts. The gateway is the egress device of the enterprise network. The administrator requires that the hosts use dynamically allocated IP addresses. A host that changes its IP address to a statically configured one must not be able to access the Internet.

Figure 1 Configuring IPSG based on the DHCP snooping dynamic binding table to prevent hosts from changing their own IP addresses

Configuration Roadmap

The requirement of the administrator can be met by configuring IPSG. The configuration roadmap is as follows:

  1. Configure the DHCP server (IP address pool 10.1.1.0/24) on Switch_2 to allocate IP addresses to hosts.
  2. Configure DHCP snooping on Switch_1. Hosts can then obtain IP addresses from the valid DHCP server, and the DHCP server can generate DHCP snooping dynamic binding entries. These entries record the bindings of IP addresses, MAC addresses, VLANs, and interfaces of hosts.
  3. Enable IPSG on the interfaces to which the hosts are connected to prevent the hosts from accessing the Internet with changed IP addresses.

Procedure

  1. Configure the DHCP server on Switch_2.
    1. Choose Configuration > Basic Services > Interface Settings > Service Interface Settings.
    2. Click Connect to Switch below Step 1: Select Task.
    3. Click GigabitEthernet 0/0/1 below Step 2: Select Interface.
    4. Below Step 3: Configure Interface, set Interface Status to ON, Allowed VLANs to 10, and Auto VLAN Creation to ON, and retain the default values for other parameters, as shown in Figure 2. Click Apply. In the dialog box that is displayed, click OK.

      Figure 2 Connecting an interface to a switch

    5. Click the VLAN menu on the left. The VLAN configuration page is displayed.
    6. Set VLAN ID to 10, set parameters according to the following configuration items, and retain the default values for other parameters, as shown in Figure 3. Click OK.

      • Create VLANIF: select.
      • IPv4 address: 10.1.1.1.
      • Mask: 24 (255.255.255.0).
      Figure 3 Configuring VLANIF 10

    7. Choose DHCP > DHCP Address Pool on the left. The DHCP Address Pool page is displayed. Set DHCP status to ON to enable the DHCP function, as shown in Figure 4.

      Figure 4 Enabling DHCP

    8. Click Create. The Create DHCP Address Pool page is displayed. Set parameters according to the following configuration items, and retain the default values for other parameters, as shown in Figure 5. Click OK.

      • Address pool type: Global address pool.
      • Address pool name: 10.
      • Subnet address: 10.1.1.0.
      • Subnet mask: 24 (255.255.255.0).
      • Gateway IP: 10.1.1.1.
      • Address pool interface: Vlanif10.
      Figure 5 Configure a global address pool

  2. Configure DHCP snooping on Switch_1.

    • Configure VLANs that interfaces belong to.
      1. Choose Configuration > Basic Services > Interface Settings > Service Interface Settings.
      2. Click Connect to Switch below Step 1: Select Task.
      3. Click GigabitEthernet 0/0/3 below Step 2: Select Interface.
      4. Below Step 3: Configure Interface, set Interface Status to ON, Allowed VLANs to 10, and Auto VLAN Creation to ON, and retain the default values for other parameters, as shown in Figure 6. Click Apply. In the dialog box that is displayed, click OK.
        Figure 6 Configuring an interface on Switch_1 to connect to a switch

      5. Choose Configuration > Basic Services > Interface Settings > Service Interface Settings.
      6. Click Connect to PC below Step 1: Select Task.
      7. Click GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 below Step 2: Select Interface.
      8. Below Step 3: Configure Interface, set Interface Status to ON and Default VLAN to 10, and retain the default values for other parameters, as shown in Figure 7. Click Apply. In the dialog box that is displayed, click OK.
        Figure 7 Configuring an interface on Switch_1 to connect to a PC

    • Enable DHCP snooping and configure GigabitEthernet 0/0/3 connected to the DHCP server as a trusted interface.
      1. Choose Configuration > Basic Services > DHCP > DHCP Address Pool. The DHCP Address Pool page is displayed. Set DHCP status to ON to enable the DHCP function, as shown in Figure 8.
        Figure 8 Enabling DHCP

      2. Choose Configuration > Security Services > IP Security > DHCP Snooping. Set Global status to ON to enable the DHCP snooping function, as shown in Figure 9.
        Figure 9 Enabling global DHCP snooping

      3. Click New next to Trusted port. In the displayed dialog box, click GigabitEthernet 0/0/3. Click Apply.
      4. Select VLAN 10 in VLAN List and click Enable. In the dialog box that is displayed, click OK to enable DHCP snooping in VLAN 10.

  3. Enable IPSG on an interface of Switch_1.
    1. Choose Configuration > Security Services > IP Security > IPSG to access the IPSG page.
    2. Click GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 below Select Interface. Set IPSG status to ON, as shown in Figure 10.

      Figure 10 Enable IPSG

    3. Click Apply. In the dialog box that is displayed, click OK.

Operation Result

After the host goes online, choose Configuration > Security Services > IP Security > Dynamic Binding Table to view dynamic binding entries, as shown in Figure 11.
Figure 11 Displaying dynamic binding entries
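
The following is an added illustration, not Huawei code: a simplified model of how IPSG uses the dynamic binding entries once they exist. It assumes that a non-DHCP IP packet arriving on an IPSG-enabled interface is forwarded only when its source IP address, source MAC address, VLAN, and inbound interface all match one entry. The MAC addresses, leased addresses, abbreviated interface names, and function names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model values: host-facing interfaces of Switch_1 with IPSG enabled.
IPSG_PORTS = {"GE0/0/1", "GE0/0/2"}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    in_port: str

class BindingTable:
    """Simplified DHCP snooping dynamic binding table: (IP, MAC, VLAN, interface)."""
    def __init__(self):
        self._entries = set()

    def add_lease(self, ip, mac, vlan, port):      # host obtained a lease
        self._entries.add((ip, mac.lower(), vlan, port))

    def remove_lease(self, ip, mac, vlan, port):   # lease released or expired
        self._entries.discard((ip, mac.lower(), vlan, port))

    def matches(self, pkt):
        return (pkt.src_ip, pkt.src_mac.lower(), pkt.vlan, pkt.in_port) in self._entries

def ipsg_verdict(table, pkt):
    """Return 'forward' or 'drop' for a non-DHCP IP packet."""
    if pkt.in_port not in IPSG_PORTS:
        return "forward"  # IPSG not enabled here, e.g. the uplink GE0/0/3
    return "forward" if table.matches(pkt) else "drop"

def demo():
    table = BindingTable()
    # Constructed leases from pool 10.1.1.0/24 in VLAN 10.
    table.add_lease("10.1.1.254", "00e0-fc12-3456", 10, "GE0/0/1")
    table.add_lease("10.1.1.253", "00e0-fc12-3457", 10, "GE0/0/2")
    cases = {
        "leased address": Packet("10.1.1.254", "00e0-fc12-3456", 10, "GE0/0/1"),
        "static address": Packet("10.1.1.100", "00e0-fc12-3456", 10, "GE0/0/1"),
        "another host's address": Packet("10.1.1.253", "00e0-fc12-3456", 10, "GE0/0/1"),
        "moved to other port": Packet("10.1.1.254", "00e0-fc12-3456", 10, "GE0/0/2"),
    }
    return {name: ipsg_verdict(table, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

Only the packet that carries the leased address on the interface where the lease was obtained is forwarded; once the entry is removed, the same packet is dropped as well.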

Copyright © Huawei Technologies Co., Ltd.