Configuring IP Source Guard (IPSG) with Static and DHCP Snooping Binding on Huawei Devices

Static Binding Table Configuration

First, add a static binding entry with source IP 192.168.1.1 and MAC 0003-0003-0003, then enable IPSG on interface GE0/0/1:

system-view

user-bind static ip-address 192.168.1.1 mac-address 0003-0003-0003

interface gigabitethernet 0/0/1

ip source check user-bind enable

Next, add another static entry with source IP 192.168.2.1, MAC 0002-0002-0002, interface GE0/0/1 and VLAN ID 10, then enable IPSG on VLAN 10:

system-view

user-bind static ip-address 192.168.2.1 mac-address 0002-0002-0002 interface gigabitethernet 0/0/1 vlan 10

vlan 10

ip source check user-bind enable

DHCP Snooping Dynamic Binding Table Configuration

Configure DHCP Snooping, set GE0/0/1 as a trusted interface, and enable IPSG on GE1/0/2:

system-view

dhcp enable

dhcp snooping enable

interface gigabitethernet 0/0/1

dhcp snooping trusted

quit

interface gigabitethernet 1/0/2

dhcp snooping enable

ip source check user-bind enable

Alternatively, enable DHCP Snooping on VLAN 10 after configuring the trunk port:

system-view

vlan batch 10

interface gigabitethernet 0/0/1

port link-type trunk

port trunk allow-pass vlan 10

quit

dhcp enable

dhcp snooping enable

vlan 10

dhcp snooping enable

dhcp snooping trusted interface gigabitethernet 0/0/1

ip source check user-bind enable

The above steps configure IP Source Guard using both static and dynamic (DHCP Snooping) binding tables, ensuring that only authorized IP‑MAC pairs can send traffic on the specified interfaces or VLANs.