User validity check and ARP packet validity check configuration example
Network requirements
As shown in Figure 119,
Configure the DHCP server on Switch A.
Configure DHCP snooping on Switch B.
Configure a static IP source guard binding entry for Host B on Switch B.
Enable ARP detection and ARP packet validity check in VLAN 10.
Figure 119: Network diagram
Configuration procedure
Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
Configure DHCP address pool 0 for the DHCP server on Switch A.
<SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure the DHCP client on Host A and Host B. (Details not shown.)
Configure Switch B:
# Enable DHCP snooping.
<SwitchB> system-view [SwitchB] dhcp-snooping [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/3] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] arp detection trust [SwitchB-GigabitEthernet1/0/3] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.
[SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10 [SwitchB-GigabitEthernet1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries.