[x]

Configuring authorized ARP > Configuration example (on a DHCP relay agent)

 

 Next

Configuration example (on a DHCP relay agent)

Network requirements

As shown in Figure 204, configure authorized ARP on GigabitEthernet 1/0/2 of Device B (a DHCP relay agent) to ensure user validity.

Figure 199: Network diagram

Configuration procedure

  1. Configure Device A:

    # Specify the IP address for GigabitEthernet 1/0/1.

    <DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[DeviceA-GigabitEthernet1/0/1] quit

    # Configure DHCP.

    [DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0
[DeviceA-dhcp-pool-1] gateway-list 10.10.1.1
[DeviceA-dhcp-pool-1] quit
[DeviceA] ip route-static 10.10.1.0 24 10.1.1.2

  2. Configure Device B:

    # Enable DHCP.

    <DeviceB> system-view
[DeviceB] dhcp enable

    # Specify the IP addresses of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

    [DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip address 10.10.1.1 24

    # Enable DHCP relay agent on GigabitEthernet 1/0/2.

    [DeviceB-GigabitEthernet1/0/2] dhcp select relay

    # Add the DHCP server 10.1.1.1 to DHCP server group 1.

    [DeviceB-GigabitEthernet1/0/2] dhcp relay server-address 10.1.1.1

    # Enable authorized ARP.

    [DeviceB-GigabitEthernet1/0/2] arp authorized enable
[DeviceB-GigabitEthernet1/0/2] quit

    # Enable recording of relay entries on the relay agent.

    [DeviceB] dhcp relay client-information record

  3. Configure Device C:

    <DeviceC> system-view
[DeviceC] ip route-static 10.1.1.0 24 10.10.1.1
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] ip address dhcp-alloc
[DeviceC-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display authorized ARP information on Device B.

[DeviceB] display arp all
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP Address       MAC Address     VLAN    Interface          Aging Type
10.10.1.2        0012-3f86-e94c  N/A     GE1/0/2            20    D

The output shows that Device A assigned the IP address 10.10.1.2 to Device C.

Device C must use the IP address and MAC address in the authorized ARP entry to communicate with Device B. Otherwise, the communication fails. Thus the user validity is ensured.

prev

 

up

 next

Configuration example (on a DHCP server) 

home

 Configuring ARP attack detection

© Copyright 2017 Hewlett Packard Enterprise Development LP