Example: Configuring ARP restricted forwarding
Network configuration
As shown in Figure 164, configure ARP restricted forwarding on Device B where ARP attack detection is configured. Port isolation configured on Device B can take effect for broadcast ARP requests.
Figure 164: Network diagram
Procedure
Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of VLAN-interface 10 on Device A. (Details not shown.)
Configure the DHCP server on Device A, and configure DHCP address pool 0.
<DeviceA> system-view [DeviceA] dhcp enable [DeviceA] dhcp server ip-pool 0 [DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure Host A (DHCP client) and Host B. (Details not shown.)
Configure Device B:
# Enable DHCP snooping, and configure HundredGigE 1/0/3 as a DHCP trusted interface.
<DeviceB> system-view [DeviceB] dhcp snooping enable [DeviceB] interface hundredgige 1/0/3 [DeviceB-HundredGigE1/0/3] dhcp snooping trust [DeviceB-HundredGigE1/0/3] quit
# Enable ARP attack detection for user validity check.
[DeviceB] vlan 10 [DeviceB-vlan10] arp detection enable
# Configure HundredGigE 1/0/3 as an ARP trusted interface.
[DeviceB-vlan10] interface hundredgige 1/0/3 [DeviceB-HundredGigE1/0/3] arp detection trust [DeviceB-HundredGigE1/0/3] quit
# Configure a static IP source guard entry on interface HundredGigE 1/0/2.
[DeviceB] interface hundredgige 1/0/2 [DeviceB-HundredGigE1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10 [DeviceB-HundredGigE1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[DeviceB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[DeviceB] port-isolate group 1 [DeviceB] interface hundredgige 1/0/1 [DeviceB-HundredGigE1/0/1] port-isolate enable group 1 [DeviceB-HundredGigE1/0/1] quit [DeviceB] interface hundredgige 1/0/2 [DeviceB-HundredGigE1/0/2] port-isolate enable group 1 [DeviceB-HundredGigE1/0/2] quit
After the configurations are completed, Device B first checks the validity of ARP packets received on HundredGigE 1/0/1 and HundredGigE 1/0/2. If the ARP packets are confirmed valid, Device B performs user validity check by using the static IP source guard bindings and finally DHCP snooping entries. However, ARP broadcast requests sent from Host A can pass the check on Device B and reach Host B. Port isolation fails.
# Enable ARP restricted forwarding.
[DeviceB] vlan 10 [DeviceB-vlan10] arp restricted-forwarding enable [DeviceB-vlan10] quit
Verifying the configuration
# Verify that Device B forwards ARP broadcast requests from Host A to Device A through the trusted interface HundredGigE 1/0/3. Host B cannot receive such packets. Port isolation operates correctly.