User validity check and ARP packet validity check configuration example

Network requirements

As shown in Figure 119,

Figure 119: Network diagram

Configuration procedure

  • Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)

  • Configure DHCP address pool 0 for the DHCP server on Switch A.

    <SwitchA> system-view
    [SwitchA] dhcp enable
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    
  • Configure the DHCP client on Host A and Host B. (Details not shown.)

  • Configure Switch B:

    # Enable DHCP snooping.

    <SwitchB> system-view
    [SwitchB] dhcp-snooping
    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust
    [SwitchB-GigabitEthernet1/0/3] quit
    

    # Enable ARP detection for VLAN 10.

    [SwitchB] vlan 10
    [SwitchB-vlan10] arp detection enable
    

    # Configure the upstream port as a trusted port (a port is an untrusted port by default).

    [SwitchB-vlan10] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] arp detection trust
    [SwitchB-GigabitEthernet1/0/3] quit
    

    # Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.

    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
    [SwitchB-GigabitEthernet1/0/2] quit
    

    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

    [SwitchB] arp detection validate dst-mac ip src-mac
    

    After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 first have their MAC and IP addresses checked, then are checked against the static IP source guard binding entries, and finally against the DHCP snooping entries.
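    The following added example (not H3C code or part of this guide) models that decision order in Python so the effect of the configuration on individual ARP packets can be traced: the binding for Host B, the trusted port, and the validate options are the ones configured above, while the DHCP snooping entry for Host A (10.1.1.5 / 0001-0203-0405 on GigabitEthernet 1/0/1) and the behavior of each validate option (src-mac compares the sender MAC with the Ethernet source MAC, dst-mac compares the target MAC of replies with the Ethernet destination MAC, ip rejects all-ones and multicast sender addresses, plus target addresses in replies) are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed model of the checks (not switch code). Values come from this example,
# except the DHCP snooping entry for Host A, which is an assumed placeholder lease.
TRUSTED_PORTS = {"GE1/0/3"}                                          # arp detection trust
STATIC_BINDINGS = {("10.1.1.6", "0001-0203-0607", 10, "GE1/0/2")}   # ip source binding
SNOOPING_ENTRIES = {("10.1.1.5", "0001-0203-0405", 10, "GE1/0/1")}  # assumed Host A lease
VALIDATE = ("dst-mac", "ip", "src-mac")                             # arp detection validate

@dataclass
class ArpPacket:
    eth_src: str; eth_dst: str          # Ethernet header MACs
    op: str                             # "request" or "reply"
    sender_mac: str; sender_ip: str     # ARP body
    target_mac: str; target_ip: str
    vlan: int; port: str                # ingress VLAN and port

def invalid_ip(ip):
    return ip == "255.255.255.255" or ip_address(ip).is_multicast

def validity_check(p, validate=VALIDATE):
    """ARP packet validity check; returns None on pass, otherwise the drop reason."""
    if "src-mac" in validate and p.sender_mac != p.eth_src:
        return "sender MAC differs from Ethernet source MAC"
    if "dst-mac" in validate and p.op == "reply" and p.target_mac != p.eth_dst:
        return "target MAC differs from Ethernet destination MAC"
    if "ip" in validate and (invalid_ip(p.sender_ip)
                             or (p.op == "reply" and invalid_ip(p.target_ip))):
        return "all-ones or multicast IP address"
    return None

def user_validity_check(p, static=STATIC_BINDINGS, snooping=SNOOPING_ENTRIES):
    """Sender IP/MAC + VLAN + port must match a static binding, else a DHCP snooping entry."""
    key = (p.sender_ip, p.sender_mac, p.vlan, p.port)
    if key in static or key in snooping:
        return None
    return "no matching IP source guard binding or DHCP snooping entry"

def arp_detection(p, trusted=TRUSTED_PORTS):
    """Decision for one ARP packet: trusted ports bypass both checks; untrusted ports run
    the validity check first, then the user validity check, as described above."""
    if p.port in trusted:
        return "forward"
    reason = validity_check(p) or user_validity_check(p)
    return f"drop: {reason}" if reason else "forward"
```

    A packet from Host B whose sender MAC matches its Ethernet source MAC and whose IP/MAC/VLAN/port tuple matches the static binding is forwarded; one that claims another sender IP on the same port is dropped by the user validity check even though it passes the packet validity check.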