Figure 78 Network diagram for configuring global static binding excluded port
[Diagram not reproduced. Labels: Device A; Device B; ports GE1/0/1, GE1/0/2, GE1/0/3; VLAN 10 (Vlan-int10, 192.168.0.1/24); VLAN 20 (Vlan-int20, 192.168.1.1/24); Host A (IP 192.168.0.2/24, MAC 0001-0203-0406, gateway 192.168.0.1/24); Host B (IP 192.168.1.2/24, MAC 0001-0203-0407, gateway 192.168.1.1/24).]
Configuration procedure
Configure Device B
# Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] port gigabitethernet 1/0/2
[DeviceB-vlan10] quit
# Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] port gigabitethernet 1/0/3
[DeviceB-vlan20] quit
# Specify port GigabitEthernet 1/0/1 as a trunk port, and configure the port to permit the packets of VLAN 10 and VLAN 20 to pass.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 10 20
[DeviceB-GigabitEthernet1/0/1] quit
# Configure global static bindings to filter IP packets from any host that spoofs Host A or Host B by using the IP or MAC address of Host A or Host B.
<DeviceB> system-view
[DeviceB] user-bind ip-address 192.168.0.2 mac-address 0001-0203-0406
[DeviceB] user-bind ip-address 192.168.1.2 mac-address 0001-0203-0407
# Specify GigabitEthernet 1/0/1 as a global static binding excluded port.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] user-bind uplink
[DeviceB-GigabitEthernet1/0/1] quit
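The following Python model is an added example, not part of the original guide and not vendor code. It shows which source IP/MAC pairs the configuration above lets through on each port of Device B. Assumptions: a port enforcing global static bindings forwards a packet only when its source IP and MAC both match one binding or neither appears in any binding; Device A routes between VLAN 10 and VLAN 20; the MAC `00aa-bbcc-ddee` for Device A, the sample packets, and all function names are constructed for illustration.

```python
# Added model of the filter decision; not device or vendor code.
# Assumed rule: an enforcing port forwards a packet when source IP and MAC
# both match one binding, or when neither appears in any binding.
BINDINGS = {                      # from the user-bind commands above
    "192.168.0.2": "0001-0203-0406",   # Host A
    "192.168.1.2": "0001-0203-0407",   # Host B
}
EXCLUDED_PORTS = {"GE1/0/1"}      # user-bind uplink
DEVICE_A_MAC = "00aa-bbcc-ddee"   # constructed placeholder, not from the guide

def normalize_mac(mac):
    """Reduce dash, colon or dot notation to 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def decide(port, src_ip, src_mac, bindings=BINDINGS, excluded=EXCLUDED_PORTS):
    """Return (verdict, reason) for a packet received on `port`."""
    if port in excluded:
        return "forward", "excluded port, bindings not applied"
    mac = normalize_mac(src_mac)
    bound = {ip: normalize_mac(m) for ip, m in bindings.items()}
    if bound.get(src_ip) == mac:
        return "forward", "IP and MAC match a binding"
    if src_ip in bound:
        return "drop", "bound IP sent with a different MAC"
    if mac in bound.values():
        return "drop", "bound MAC sent with a different IP"
    return "forward", "neither IP nor MAC is bound"

SAMPLES = [  # constructed packets: (ingress port, source IP, source MAC)
    ("GE1/0/2", "192.168.0.2", "0001-0203-0406"),      # Host A itself
    ("GE1/0/2", "192.168.0.2", "0011-2233-4455"),      # Host A's IP, other MAC
    ("GE1/0/3", "192.168.1.50", "00:01:02:03:04:07"),  # Host B's MAC, other IP
    ("GE1/0/3", "192.168.1.60", "0011-2233-4455"),     # unbound host
    ("GE1/0/1", "192.168.0.2", DEVICE_A_MAC),          # routed by Device A (assumed)
]

def run_samples(excluded=EXCLUDED_PORTS):
    """Verdicts for SAMPLES, in order, under the given set of excluded ports."""
    return [decide(p, ip, mac, excluded=excluded)[0] for p, ip, mac in SAMPLES]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decide(*sample))
    # Without "user-bind uplink", routed traffic on the trunk is dropped.
    print("no exclusion:", run_samples(excluded=frozenset()))
```

In this model, removing the exclusion causes the last sample to be dropped: a routed packet arrives on the trunk with a bound host IP and Device A's MAC, which is the case `user-bind uplink` exempts from the check.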
Verify the configuration
# Display the IP source guard bindings on Device B.