R3303-HP HSR6800 Routers Security Configuration Guide

[RouterB-GigabitEthernet3/0/1] ip address 10.1.1.2 24
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on GigabitEthernet 3/0/2.
[RouterB-GigabitEthernet3/0/2] dhcp select relay
[RouterB-GigabitEthernet3/0/2] quit
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[RouterB] dhcp relay server-group 1 ip 10.1.1.1
# Correlate GigabitEthernet 3/0/2 to DHCP server group 1.
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] dhcp relay server-select 1
# Configure the DHCP server to support authorized ARP.
[RouterB-GigabitEthernet3/0/2] dhcp update arp
# Enable authorized ARP.
[RouterB-GigabitEthernet3/0/2] arp authorized enable
[RouterB-GigabitEthernet3/0/2] quit
3. Configure Router C:
<RouterC> system-view
[RouterC] ip route-static 10.1.1.0 24 10.10.1.1
[RouterC] interface gigabitethernet 3/0/2
[RouterC-GigabitEthernet3/0/2] ip address dhcp-alloc
[RouterC-GigabitEthernet3/0/2] quit
4. After Router C obtains the IP address from Router A, display the authorized ARP information on
Router B.
[RouterB] display arp all
Type: S-Static    D-Dynamic    A-Authorized
IP Address       MAC Address     VLAN ID  Interface  Aging  Type
10.10.1.2        0012-3f86-e94c  N/A      GE3/0/2    N/A    A
The output shows that Router A assigned the IP address 10.10.1.2 to Router C.
Router C must use the IP address and MAC address in the authorized ARP entry to communicate
with Router B. Otherwise, the communication fails. This ensures user validity.
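The check in step 4 can be automated. The following is an added example, not part of the HP guide: it parses captured `display arp all` output and compares the entries on interfaces where authorized ARP is enabled with the DHCP server's bindings. The function names, the `leases` export (ip -> mac, in the same MAC notation) and all sample rows except 10.10.1.2 are assumptions made for illustration.

```python
import re

# Constructed sample of `display arp all` output; only the first data row
# (10.10.1.2) comes from the page, the other two rows are made up.
SAMPLE = """\
Type: S-Static D-Dynamic A-Authorized
IP Address MAC Address VLAN ID Interface Aging Type
10.10.1.2 0012-3f86-e94c N/A GE3/0/2 N/A A
10.10.1.9 0012-3f86-aaaa N/A GE3/0/2 18 D
10.1.1.1 0012-3f86-bbbb N/A GE3/0/1 20 D
"""

# One table row: IP, MAC (xxxx-xxxx-xxxx), VLAN, interface, aging, type.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+"
    r"(?P<vlan>\S+)\s+(?P<ifname>\S+)\s+(?P<aging>\S+)\s+(?P<type>[SDA])$"
)

def parse_arp_table(text):
    """Return one dict per ARP entry; legend and header lines do not match."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in rows if m]

def audit(text, protected, leases):
    """Check entries on authorized-ARP interfaces against DHCP leases.

    protected: interface names as shown in the table, e.g. {"GE3/0/2"}.
    leases:    hypothetical export of the DHCP server's bindings, ip -> mac.
    """
    findings, seen = [], set()
    for e in parse_arp_table(text):
        if e["ifname"] not in protected:
            continue
        if e["type"] == "D":
            # Assumption: only authorized (or static) entries are expected here.
            findings.append(("dynamic-entry", e["ip"], e["mac"]))
        elif e["type"] == "A":
            seen.add(e["ip"])
            if leases.get(e["ip"], "").lower() != e["mac"].lower():
                findings.append(("lease-mismatch", e["ip"], e["mac"]))
    # Leases that have no authorized entry on a protected interface.
    for ip in sorted(set(leases) - seen):
        findings.append(("lease-without-entry", ip, leases[ip]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"GE3/0/2"}, {"10.10.1.2": "0012-3f86-e94c"}):
        print(finding)
```
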
Configuring ARP detection
NOTE:
This feature is supported only when SAP modules operate in bridge mode.
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
User validity check.
ARP packet validity check.
ARP restricted forwarding.