[x]

Configuring ARP attack detection > Example: Configuring user validity check and ARP packet validity check

 

 Next

Example: Configuring user validity check and ARP packet validity check

Network configuration

As shown in Figure 163, configure Device B to perform ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts.

Figure 163: Network diagram

Procedure

  1. Add all interfaces on Device B to VLAN 10, and specify the IP address of VLAN-interface 10 on Device A. (Details not shown.)

  2. Configure the DHCP server on Device A, and configure DHCP address pool 0.

    <DeviceA> system-view
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 0
[DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

  3. Configure Host A (DHCP client) and Host B. (Details not shown.)

  4. Configure Device B:

    # Enable DHCP snooping.

    <DeviceB> system-view
[DeviceB] dhcp snooping enable
[DeviceB] interface hundredgige 1/0/3
[DeviceB-HundredGigE1/0/3] dhcp snooping trust
[DeviceB-HundredGigE1/0/3] quit

    # Enable recording of client information in DHCP snooping entries on HundredGigE 1/0/1.

    [DeviceB] interface hundredgige 1/0/1
[DeviceB-HundredGigE1/0/1] dhcp snooping binding record
[DeviceB-HundredGigE1/0/1] quit

    # Enable ARP attack detection for VLAN 10.

    [DeviceB] vlan 10
[DeviceB-vlan10] arp detection enable

    # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.

    [DeviceB-vlan10] interface hundredgige 1/0/3
[DeviceB-HundredGigE1/0/3] arp detection trust
[DeviceB-HundredGigE1/0/3] quit

    # Configure a static IP source guard binding entry on interface HundredGigE 1/0/2 for user validity check.

    [DeviceB] interface hundredgige 1/0/2
[DeviceB-HundredGigE1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[DeviceB-HundredGigE1/0/2] quit

    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

    [DeviceB] arp detection validate dst-mac ip src-mac

Verifying the configuration

# Verify that Device B first checks the validity of ARP packets received on HundredGigE 1/0/1 and HundredGigE 1/0/2. If the ARP packets are confirmed valid, Device B performs user validity check by using the static IP source guard bindings and finally DHCP snooping entries.

prev

 

up

 next

Example: Configuring user validity check 

home

 Example: Configuring ARP restricted forwarding

© Copyright 2017 Hewlett Packard Enterprise Development LP