User validity check and ARP packet validity check configuration example
Network requirements
Configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts.
Figure 108: Network diagram
Configuration procedure
Add all ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
Configure DHCP address pool 0 on Switch A as a DHCP server.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure Host A as a DHCP client and Host B as a user. (Details not shown.)
Configure Switch B:
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
[SwitchB] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] dhcp-snooping trust
[SwitchB-Ethernet1/0/3] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port (a port is an untrusted port by default).
[SwitchB-vlan10] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] arp detection trust
[SwitchB-Ethernet1/0/3] quit
# Configure a static IP source guard binding entry on interface Ethernet 1/0/2.
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchB-Ethernet1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
After the configuration is complete, ARP packets received on interfaces Ethernet 1/0/1 and Ethernet 1/0/2 are first checked for valid MAC and IP addresses, then checked against the static IP source guard binding entries, and finally against the DHCP snooping entries.
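The check order described above can be traced with a simplified model. This is an added example, not vendor code: the DHCP snooping entry for Host A, the gateway address 10.1.1.1 and the helper names are constructed. The per-keyword rules for src-mac, dst-mac and ip, and matching bindings on sender IP and MAC only, are assumptions based on the usual definition of those checks.

```python
import ipaddress

# From the page: static IP source guard binding on Ethernet1/0/2 (IP, MAC).
STATIC = {("10.1.1.6", "0001-0203-0607")}
# Constructed DHCP snooping entry for Host A (lease and MAC are assumptions).
SNOOPING = {("10.1.1.2", "0001-0203-0405")}
TRUSTED = {"Ethernet1/0/3"}  # arp detection trust
ZERO, ONES = "0000-0000-0000", "ffff-ffff-ffff"

def bad_ip(addr):
    """All-zero, all-one and multicast addresses fail the ip check."""
    ip = ipaddress.IPv4Address(addr)
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast

def check_arp(pkt):
    """Return (verdict, stage) for an ARP packet received in VLAN 10."""
    if pkt["port"] in TRUSTED:
        return ("forward", "trusted port")
    # Stage 1: arp detection validate dst-mac ip src-mac (assumed semantics)
    if pkt["sender_mac"] != pkt["eth_src"]:
        return ("drop", "src-mac")
    reply = pkt["op"] == "reply"
    if reply and (pkt["target_mac"] in (ZERO, ONES)
                  or pkt["target_mac"] != pkt["eth_dst"]):
        return ("drop", "dst-mac")
    ips = [pkt["sender_ip"]] + ([pkt["target_ip"]] if reply else [])
    if any(bad_ip(a) for a in ips):
        return ("drop", "ip")
    # Stages 2 and 3: static bindings first, then DHCP snooping entries.
    key = (pkt["sender_ip"], pkt["sender_mac"])
    if key in STATIC:
        return ("forward", "static binding")
    if key in SNOOPING:
        return ("forward", "dhcp snooping")
    return ("drop", "no matching entry")

def arp(port, op, sip, smac, tip="10.1.1.1", tmac=ZERO,
        eth_src=None, eth_dst=ONES):
    """Build a constructed sample packet; eth_src defaults to sender MAC."""
    return dict(port=port, op=op, sender_ip=sip, sender_mac=smac,
                target_ip=tip, target_mac=tmac,
                eth_src=eth_src or smac, eth_dst=eth_dst)

if __name__ == "__main__":
    for p in (arp("Ethernet1/0/2", "request", "10.1.1.6", "0001-0203-0607"),
              arp("Ethernet1/0/1", "request", "10.1.1.2", "0001-0203-0405"),
              arp("Ethernet1/0/1", "request", "10.1.1.6", "0001-0203-0405"),
              arp("Ethernet1/0/2", "request", "10.1.1.6", "0001-0203-0607",
                  eth_src="0001-0203-0999")):
        print(p["port"], p["sender_ip"], p["sender_mac"], check_arp(p))
```

The third sample is a host on Ethernet 1/0/1 claiming the statically bound address 10.1.1.6 with its own MAC; it passes the packet validity check but matches neither table, so it is dropped.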