User validity check and ARP packet validity check configuration example

Network requirements

As shown in Figure 205, configure Router B to perform ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts.

Figure 200: Network diagram

Configuration procedure

  1. Add all interfaces on Router B to VLAN 10, and specify the IP address of VLAN-interface 10 on Router A. (Details not shown.)

  2. Configure the DHCP server on Router A, and configure DHCP address pool 0.

    <RouterA> system-view
    [RouterA] dhcp enable
    [RouterA] dhcp server ip-pool 0
    [RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    
  3. Configure Host A (DHCP client) and Host B. (Details not shown.)

  4. Configure Router B:

    # Enable DHCP snooping.

    <RouterB> system-view
    [RouterB] dhcp snooping enable
    [RouterB] interface gigabitethernet 1/0/3
    [RouterB-GigabitEthernet1/0/3] dhcp snooping trust
    [RouterB-GigabitEthernet1/0/3] quit
    

    # Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.

    [RouterB] interface gigabitethernet 1/0/1
    [RouterB-GigabitEthernet1/0/1] dhcp snooping binding record
    [RouterB-GigabitEthernet1/0/1] quit
    

    # Enable ARP attack detection for VLAN 10.

    [RouterB] vlan 10
    [RouterB-vlan10] arp detection enable
    

    # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.

    [RouterB-vlan10] interface gigabitethernet 1/0/3
    [RouterB-GigabitEthernet1/0/3] arp detection trust
    [RouterB-GigabitEthernet1/0/3] quit
    

    # Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.

    [RouterB] interface gigabitethernet 1/0/2
    [RouterB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
    [RouterB-GigabitEthernet1/0/2] quit
    

    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

    [RouterB] arp detection validate dst-mac ip src-mac
    

    After the configurations are completed, Router B first checks the validity of ARP packets received on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. If the ARP packets are confirmed valid, the router performs user validity check by using the static IP source guard bindings and finally DHCP snooping entries.