How to Prevent Users from Using Unauthorized Static IP Addresses to Access the s

m7g  Diamond  (1)
7 years 10 months ago  View: 1424  Reply: 1
1F

You can configure Dynamic Host Control Protocol (DHCP) snooping on the switch to prevent users from using unauthorized static IP addresses. DHCP snooping checks user packets against the IP+MAC+port binding table and discards the packets that do not match the binding table. After DHCP snooping is configured, only users whose IP addresses and MAC addresses match the binding table and users that obtain IP addresses by using DHCP can access the switch. For example, to allow only the user whose IP address is 1.1.1.2 and MAC address is 001c-2309-9aa7 to connect to Ethernet0/0/1 of the switch, perform the following steps:


1. Configure DHCP snooping on the switch.
# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable


# Create VLAN and add the user-side interface to the VLAN.

[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] port default vlan 100
[HUAWEI-Ethernet0/0/1] quit


# Enable DHCP snooping in the VLAN.

[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] quit


2. Configure the packet checking function on the user-side interface.

[HUAWEI] interface ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] arp anti-attack check user-bind enable
[HUAWEI-Ethernet0/0/1] ip source check user-bind enable
[HUAWEI-Ethernet0/0/1] quit


3. Configure a static binding entry.

[HUAWEI] user-bind static ip-address 1.1.1.2 mac-address 001c-2309-9aa7 interface ethernet 0/0/1
m7g  Diamond 
7 years 10 months ago
2F
PS. Static DHCP snooping binding entries are required only for users that use static IP addresses. If all users use DHCP to obtain IP addresses, you do not need to configure static DHCP snooping binding entries.
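
An added example, not part of the original posts and not Huawei's implementation: a simplified Python model of the IP+MAC+port check described in 1F, with one static entry (the values from step 3) and one dynamic entry of the kind 2F refers to. The second binding, the class and function names, and the keying by source IP (VLAN omitted) are assumptions made for illustration.

```python
"""Simplified model of the IP+MAC+port binding check (constructed example)."""
from dataclasses import dataclass

def norm_mac(mac: str) -> str:
    """Normalize 001c-2309-9aa7 or 00:1c:23:09:9a:a7 to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    source: str  # "static" (user-bind static) or "dhcp" (learned by snooping)

class BindingTable:
    def __init__(self):
        self._by_ip = {}  # assumption: one binding per source IP

    def add(self, ip, mac, port, source):
        self._by_ip[ip] = Binding(ip, norm_mac(mac), port, source)

    def check(self, src_ip, src_mac, in_port):
        """Return (forward, reason) for a packet arriving on a checked port."""
        entry = self._by_ip.get(src_ip)
        if entry is None:
            return False, "no binding for source IP"
        if entry.mac != norm_mac(src_mac):
            return False, "MAC does not match binding"
        if entry.port != in_port:
            return False, "port does not match binding"
        return True, f"matches {entry.source} binding"

def build_table():
    table = BindingTable()
    # Static entry from step 3 of the post.
    table.add("1.1.1.2", "001c-2309-9aa7", "Ethernet0/0/1", "static")
    # Constructed dynamic entry, as if learned by snooping a DHCP ACK.
    table.add("1.1.1.10", "0050-56aa-0001", "Ethernet0/0/2", "dhcp")
    return table

if __name__ == "__main__":
    table = build_table()
    packets = [  # constructed sample packets: (source IP, source MAC, ingress port)
        ("1.1.1.2", "001c-2309-9aa7", "Ethernet0/0/1"),   # authorized static user
        ("1.1.1.3", "001c-2309-9aa7", "Ethernet0/0/1"),   # self-assigned static IP
        ("1.1.1.10", "0050-56aa-0001", "Ethernet0/0/2"),  # DHCP client
    ]
    for pkt in packets:
        print(pkt, "->", table.check(*pkt))
```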