User validity check and ARP packet validity check configuration example
Network requirements
As shown in Figure 205, configure Router B to perform ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts.
Figure 200: Network diagram
Configuration procedure
Add all interfaces on Router B to VLAN 10, and specify the IP address of VLAN-interface 10 on Router A. (Details not shown.)
Configure the DHCP server on Router A, and configure DHCP address pool 0.
<RouterA> system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure Host A (DHCP client) and Host B. (Details not shown.)
Configure Router B:
# Enable DHCP snooping.
<RouterB> system-view
[RouterB] dhcp snooping enable
[RouterB] interface gigabitethernet 1/0/3
[RouterB-GigabitEthernet1/0/3] dhcp snooping trust
[RouterB-GigabitEthernet1/0/3] quit
# Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] dhcp snooping binding record
[RouterB-GigabitEthernet1/0/1] quit
# Enable ARP attack detection for VLAN 10.
[RouterB] vlan 10
[RouterB-vlan10] arp detection enable
# Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.
[RouterB-vlan10] interface gigabitethernet 1/0/3
[RouterB-GigabitEthernet1/0/3] arp detection trust
[RouterB-GigabitEthernet1/0/3] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[RouterB-GigabitEthernet1/0/2] quit
# Enable ARP packet validity check. Check the target MAC address (dst-mac), the sender and target IP addresses (ip), and the sender MAC address (src-mac) of ARP packets.
[RouterB] arp detection validate dst-mac ip src-mac
After the configurations are completed, Router B first checks the validity of ARP packets received on the untrusted interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. If an ARP packet passes the validity check, the router performs user validity check on it, first against the static IP source guard bindings and then against the DHCP snooping entries. ARP packets received on the trusted interface GigabitEthernet 1/0/3 are not checked.
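The following Python script is an added illustration of the two-stage check this configuration sets up; it is not H3C/HPE code and does not run on the router. It models the packet validity check as ordered by arp detection validate dst-mac ip src-mac (target MAC of replies against the Ethernet destination MAC and against all-zero/all-one values; sender IP, and for replies also target IP, against all-one and multicast values; sender MAC against the Ethernet source MAC), and then the user validity check against the static binding from GigabitEthernet 1/0/2 and a DHCP snooping entry for Host A. The Host A address 10.1.1.5, the MAC 0001-0203-0405, the Router A MAC 000f-e2aa-0001 and all sample packets are constructed for the example; the trusted-interface bypass and the check order follow the text above.

```python
"""Simulation of ARP detection on Router B (added example, not vendor code)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class ArpPacket:
    in_port: str      # receiving interface on Router B
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: str           # "request" or "reply"
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


# Tables derived from the configuration example (constructed values marked)
TRUSTED_PORTS = {"GigabitEthernet1/0/3"}                        # arp detection trust
STATIC_BINDINGS = {                                             # ip source binding on GE1/0/2
    ("10.1.1.6", "0001-0203-0607", 10, "GigabitEthernet1/0/2"),
}
DHCP_SNOOPING = {                                               # constructed entry for Host A on GE1/0/1
    ("10.1.1.5", "0001-0203-0405", 10, "GigabitEthernet1/0/1"),
}
ZERO_MAC = "0000-0000-0000"
ONES_MAC = "ffff-ffff-ffff"
BROADCAST_IP = ipaddress.IPv4Address("255.255.255.255")


def _bad_ip(ip: str) -> bool:
    """All-one or multicast addresses are invalid under the 'ip' check (assumed rule)."""
    addr = ipaddress.IPv4Address(ip)
    return addr == BROADCAST_IP or addr.is_multicast


def packet_validity_check(p: ArpPacket, checks=("dst-mac", "ip", "src-mac")):
    """Stage 1: field consistency. Returns None when valid, else the failed check."""
    if "dst-mac" in checks and p.op == "reply":
        if p.target_mac in (ZERO_MAC, ONES_MAC) or p.target_mac != p.eth_dst:
            return "dst-mac"
    if "ip" in checks:
        if _bad_ip(p.sender_ip):
            return "ip"
        if p.op == "reply" and _bad_ip(p.target_ip):
            return "ip"
    if "src-mac" in checks and p.sender_mac != p.eth_src:
        return "src-mac"
    return None


def user_validity_check(p: ArpPacket) -> str:
    """Stage 2: sender IP/MAC/VLAN/port must match a binding; static entries first."""
    key = (p.sender_ip, p.sender_mac, p.vlan, p.in_port)
    if key in STATIC_BINDINGS:
        return "forward: matched static IP source guard binding"
    if key in DHCP_SNOOPING:
        return "forward: matched DHCP snooping entry"
    return "discard: user validity check failed (no matching binding)"


def arp_detection(p: ArpPacket) -> str:
    """Full pipeline as described on the page: trust bypass, then stage 1, then stage 2."""
    if p.in_port in TRUSTED_PORTS:
        return "forward: trusted interface, not checked"
    failed = packet_validity_check(p)
    if failed:
        return f"discard: packet validity check failed ({failed})"
    return user_validity_check(p)


ROUTER_A_MAC = "000f-e2aa-0001"  # constructed
SAMPLE_PACKETS = [
    # Host B reply to Router A, consistent headers, matches the static binding
    ArpPacket("GigabitEthernet1/0/2", 10, "0001-0203-0607", ROUTER_A_MAC, "reply",
              "0001-0203-0607", "10.1.1.6", ROUTER_A_MAC, "10.1.1.1"),
    # Host A request, learned via DHCP snooping
    ArpPacket("GigabitEthernet1/0/1", 10, "0001-0203-0405", ONES_MAC, "request",
              "0001-0203-0405", "10.1.1.5", ZERO_MAC, "10.1.1.1"),
    # Same port/MAC as Host B but claiming Host A's IP: no binding matches
    ArpPacket("GigabitEthernet1/0/2", 10, "0001-0203-0607", ROUTER_A_MAC, "reply",
              "0001-0203-0607", "10.1.1.5", ROUTER_A_MAC, "10.1.1.1"),
    # ARP body sender MAC disagrees with the Ethernet source MAC
    ArpPacket("GigabitEthernet1/0/1", 10, "aaaa-bbbb-cccc", ONES_MAC, "request",
              "0001-0203-0405", "10.1.1.5", ZERO_MAC, "10.1.1.1"),
    # Reply whose target MAC is all-zero
    ArpPacket("GigabitEthernet1/0/2", 10, "0001-0203-0607", ROUTER_A_MAC, "reply",
              "0001-0203-0607", "10.1.1.6", ZERO_MAC, "10.1.1.1"),
    # Anything from the upstream trusted interface is forwarded unchecked
    ArpPacket("GigabitEthernet1/0/3", 10, ROUTER_A_MAC, ONES_MAC, "request",
              ROUTER_A_MAC, "10.1.1.1", ZERO_MAC, "10.1.1.6"),
]


def run_samples():
    """Return the verdict for each constructed sample packet, in order."""
    return [arp_detection(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt.in_port} {pkt.op:7} {pkt.sender_ip:<10} -> {verdict}")
```

Running the script prints one verdict per sample; the third packet shows why the user validity stage matters: its headers are self-consistent, so only the binding lookup catches the mismatch between the claimed IP and the port and MAC it arrived with.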