Manualshelf

R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
441442443444445446447448449450
45
# Enable DHCP snooping.
<RouterB> system-view
[RouterB] dhcp-snooping
[RouterB] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] port link-mode bridge
[RouterB-GigabitEthernet3/0/3] dhcp-snooping trust
[RouterB-GigabitEthernet3/0/3] quit
# Enable ARP detection for VLAN 10.
[RouterB] vlan 10
[RouterB-vlan10] arp detection enable
# Configure the upstream port as a trusted port (a port is an untrusted port by default).
[RouterB-vlan10] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] port link-mode bridge
[RouterB-GigabitEthernet3/0/3] arp detection trust
[RouterB-GigabitEthernet3/0/3] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet 3/0/2 for user
validity check.
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port link-mode bridge
[RouterB-GigabitEthernet3/0/2] ip source binding ip-address 10.1.1.6 mac-address
0001-0203-0607 vlan 10
[RouterB-GigabitEthernet3/0/2] ip verify source ip-address mac-address
[RouterB-GigabitEthernet3/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP
packets.
[RouterB] arp detection validate dst-mac ip src-mac
After the configurations are completed, ARP packets received on interfaces GigabitEthernet
3/0/1 and GigabitEthernet 3/0/2, have their MAC and IP addresses checked first, and then are
checked against the static IP source guard binding entries and finally DHCP snooping entries.
ARP restricted forwarding configuration example
Network requirements
As shown in Figure 142,
Configure DHCP snooping and enable ARP detection in VLAN 10 on Router B.
Configure the DHCP server on Router A.
Configure port isolation on Router B to isolate the two hosts at Layer 2.
Enable ARP restricted forwarding in VLAN 10.