User validity check and ARP packet validity check configuration example

Network requirements

As shown in Figure 137, configure Device B to perform ARP packet validity check and user validity check for the connected hosts, using static IP source guard bindings and DHCP snooping entries as the reference for user validity check.

Figure 137: Network diagram

Configuration procedure

  1. Add all interfaces on Device B to VLAN 10, and specify the IP address of VLAN-interface 10 on Device A. (Details not shown.)

  2. Configure the DHCP server on Device A, and configure DHCP address pool 0.

    <DeviceA> system-view
    [DeviceA] dhcp enable
    [DeviceA] dhcp server ip-pool 0
    [DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    
  3. Configure Host A (DHCP client) and Host B. (Details not shown.)

  4. Configure Device B:

    # Enable DHCP snooping.

    <DeviceB> system-view
    [DeviceB] dhcp snooping enable
    [DeviceB] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] dhcp snooping trust
    [DeviceB-GigabitEthernet1/0/3] quit
    

    # Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.

    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] dhcp snooping binding record
    [DeviceB-GigabitEthernet1/0/1] quit
    

    # Enable ARP attack detection for VLAN 10.

    [DeviceB] vlan 10
    [DeviceB-vlan10] arp detection enable
    

    # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.

    [DeviceB-vlan10] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] arp detection trust
    [DeviceB-GigabitEthernet1/0/3] quit
    

    # Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.

    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
    [DeviceB-GigabitEthernet1/0/2] quit
    

    # Enable ARP packet validity check: verify the sender MAC against the Ethernet source MAC, the target MAC of ARP replies against the Ethernet destination MAC, and reject all-zero, all-one, or multicast sender/target IP addresses.

    [DeviceB] arp detection validate dst-mac ip src-mac
    

    After the configurations are completed, Device B first performs ARP packet validity check on ARP packets received on the untrusted interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 (ARP packets received on the trusted upstream interface GigabitEthernet 1/0/3 are not inspected). A packet that passes validity check then undergoes user validity check: its sender IP and MAC addresses are matched against the static IP source guard bindings first and then against the DHCP snooping entries, and a packet that matches no entry is discarded.
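To make the decision order concrete, the following Python model of the two checks is added here as an example; it is not Comware code and does not come from the original page. The interface roles, VLAN, validate options, and the static binding for Host B are taken from the configuration above. Host A's DHCP snooping entry (10.1.1.5 bound to 0001-0203-0405 on GigabitEthernet 1/0/1) is a constructed assumption, since the page does not show the lease; the sample packets are constructed as well.

```python
"""Model of ARP attack detection on Device B (added example, not device code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(m: str) -> str:
    """Normalize H-H-H, colon, or dot notation to 12 lowercase hex digits."""
    return m.replace("-", "").replace(":", "").replace(".", "").lower()


@dataclass(frozen=True)
class ArpPacket:
    in_port: str      # receiving interface on Device B
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # ARP_REQUEST or ARP_REPLY
    sender_mac: str   # fields of the ARP body
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass(frozen=True)
class Binding:
    port: str
    ip: str
    mac: str
    vlan: int


# Tables derived from the configuration above.
DETECTION_VLANS = {10}                                   # arp detection enable in VLAN 10
TRUSTED_PORTS = {"GigabitEthernet1/0/3"}                 # arp detection trust
VALIDATE = {"dst-mac", "ip", "src-mac"}                  # arp detection validate dst-mac ip src-mac
STATIC_BINDINGS = [Binding("GigabitEthernet1/0/2", "10.1.1.6", "0001-0203-0607", 10)]
# Constructed DHCP snooping entry for Host A (assumption: the page does not show the lease).
DHCP_SNOOPING = [Binding("GigabitEthernet1/0/1", "10.1.1.5", "0001-0203-0405", 10)]


def _bad_ip(ip: str) -> bool:
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def _bad_mac(mac: str) -> bool:
    return _mac(mac) in ("000000000000", "ffffffffffff")


def packet_validity(pkt: ArpPacket, validate=VALIDATE):
    """Return a drop reason, or None if the packet passes ARP packet validity check."""
    if "src-mac" in validate and _mac(pkt.sender_mac) != _mac(pkt.eth_src):
        return "drop: sender MAC differs from Ethernet source MAC"
    if "dst-mac" in validate and pkt.opcode == ARP_REPLY:
        if _bad_mac(pkt.target_mac) or _mac(pkt.target_mac) != _mac(pkt.eth_dst):
            return "drop: target MAC of reply invalid or differs from Ethernet destination MAC"
    if "ip" in validate:
        if _bad_ip(pkt.sender_ip):
            return "drop: invalid sender IP"
        if pkt.opcode == ARP_REPLY and _bad_ip(pkt.target_ip):   # target IP checked for replies only
            return "drop: invalid target IP"
    return None


def user_validity(pkt: ArpPacket) -> str:
    """Match sender IP/MAC against static IP source guard bindings first, then DHCP snooping entries."""
    for name, table in (("static IP source guard", STATIC_BINDINGS), ("DHCP snooping", DHCP_SNOOPING)):
        for b in table:
            if (b.port == pkt.in_port and b.vlan == pkt.vlan
                    and b.ip == pkt.sender_ip and _mac(b.mac) == _mac(pkt.sender_mac)):
                return f"forward: matched {name} entry"
    return "drop: no binding for sender IP/MAC on this interface"


def arp_detection(pkt: ArpPacket) -> str:
    """Packet validity check runs first; only packets that pass reach user validity check."""
    if pkt.vlan not in DETECTION_VLANS or pkt.in_port in TRUSTED_PORTS:
        return "forward: not inspected"
    reason = packet_validity(pkt)
    return reason if reason else user_validity(pkt)


def _req(port, eth_src, sender_mac, sender_ip, target_ip="10.1.1.1"):
    return ArpPacket(port, 10, eth_src, "ffff-ffff-ffff", ARP_REQUEST,
                     sender_mac, sender_ip, "0000-0000-0000", target_ip)


# Constructed sample traffic (not captured from the page's devices).
SAMPLES = {
    "hostB_static": _req("GigabitEthernet1/0/2", "0001-0203-0607", "0001-0203-0607", "10.1.1.6"),
    "hostA_dhcp": _req("GigabitEthernet1/0/1", "0001-0203-0405", "0001-0203-0405", "10.1.1.5"),
    "hostA_claims_gateway": _req("GigabitEthernet1/0/1", "0001-0203-0405", "0001-0203-0405", "10.1.1.1"),
    "forged_sender_mac": _req("GigabitEthernet1/0/1", "0001-0203-0405", "0001-0203-0607", "10.1.1.6"),
    "reply_bad_target_mac": ArpPacket("GigabitEthernet1/0/2", 10, "0001-0203-0607", "0001-0203-0405",
                                      ARP_REPLY, "0001-0203-0607", "10.1.1.6", "0000-0000-0000", "10.1.1.5"),
    "upstream_trusted": _req("GigabitEthernet1/0/3", "00e0-fc00-0001", "00e0-fc00-0001", "10.1.1.1"),
}


def run_samples() -> dict:
    return {name: arp_detection(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} {verdict}")
```

The case worth noting is hostA_claims_gateway: a well-formed ARP request in which Host A announces the gateway address 10.1.1.1 with its own MAC passes packet validity check, because nothing in the packet is internally inconsistent, and is only discarded by user validity check, because no binding ties 10.1.1.1 to Host A's MAC on GigabitEthernet 1/0/1. Packet validity check alone does not stop that kind of spoofing, which is why the example enables both.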