R3303-HP 6600/HSR6600 Routers Security Configuration Guide

[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure the DHCP client on Host A and Host B. (Details not shown.)
4. Configure Router B:
# Enable DHCP snooping, and configure GigabitEthernet 3/0/3 as a DHCP-trusted port.
<RouterB> system-view
[RouterB] dhcp-snooping
[RouterB] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] port link-mode bridge
[RouterB-GigabitEthernet3/0/3] dhcp-snooping trust
[RouterB-GigabitEthernet3/0/3] quit
# Enable ARP detection.
[RouterB] vlan 10
[RouterB-vlan10] arp detection enable
# Configure GigabitEthernet 3/0/3 as an ARP-trusted port.
[RouterB-vlan10] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] port link-mode bridge
[RouterB-GigabitEthernet3/0/3] arp detection trust
[RouterB-GigabitEthernet3/0/3] quit
# Configure a static IP source guard entry on interface GigabitEthernet 3/0/2.
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port link-mode bridge
[RouterB-GigabitEthernet3/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[RouterB-GigabitEthernet3/0/2] ip verify source ip-address mac-address
[RouterB-GigabitEthernet3/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[RouterB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] port link-mode bridge
[RouterB-GigabitEthernet3/0/1] port-isolate enable
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port-isolate enable
[RouterB-GigabitEthernet3/0/2] quit
After the preceding configurations are complete, ARP packets received on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 are first subjected to the MAC and IP address validity check, then checked against the static IP source guard binding entries, and finally against the DHCP snooping entries. However, ARP broadcast requests sent from Host A can still pass the check on Router B, so port isolation fails.
# Enable ARP restricted forwarding.
[RouterB] vlan 10
[RouterB-vlan10] arp restricted-forwarding enable
[RouterB-vlan10] quit
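The following Python model is an added example, not Comware code from HP or from this guide. It walks an ARP frame arriving on an untrusted port of Router B through the three stages the text describes: the validity check selected by arp detection validate dst-mac ip src-mac, the user validity check against the static IP source guard binding (Host B, from the configuration above) and the DHCP snooping entries, and the forwarding step with and without ARP restricted forwarding. Host A's DHCP snooping entry, the gateway MAC address and the MAC address table are constructed values; the per-check rules (sender MAC versus Ethernet source MAC, target MAC of replies versus Ethernet destination MAC, all-ones or multicast IP addresses treated as invalid) are the check semantics as modeled here, not a description of the device's data path.

```python
"""Model of the ARP detection pipeline configured on Router B (added example, not Comware code)."""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BROADCAST_MAC = "0000-0000-0000", "ffff-ffff-ffff"

# Topology from the configuration above; Host A's lease and the gateway MAC are constructed.
VLAN = 10
VLAN_PORTS = {"GE3/0/1", "GE3/0/2", "GE3/0/3"}
TRUSTED_PORTS = {"GE3/0/3"}                                            # arp detection trust
STATIC_BINDINGS = [("10.1.1.6", "0001-0203-0607", VLAN, "GE3/0/2")]   # Host B (ip source binding)
DHCP_SNOOPING = [("10.1.1.5", "0001-0203-0405", VLAN, "GE3/0/1")]     # Host A (constructed lease)
MAC_TABLE = {"0001-0203-0405": "GE3/0/1", "0001-0203-0607": "GE3/0/2",
             "000f-e200-0001": "GE3/0/3"}                              # gateway MAC constructed


@dataclass(frozen=True)
class ArpFrame:
    in_port: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int
    sender_mac: str   # ARP body fields follow
    sender_ip: str
    target_mac: str
    target_ip: str


def ip_is_invalid(ip):
    """The 'ip' check as modeled: all-ones and multicast addresses are invalid."""
    return ip == "255.255.255.255" or 224 <= int(ip.split(".")[0]) <= 239


def validity_check(f, validate=("dst-mac", "ip", "src-mac")):
    """Return None if the frame passes the validity check, else the drop reason."""
    if "src-mac" in validate and f.sender_mac != f.eth_src:
        return "src-mac: sender MAC differs from Ethernet source MAC"
    if "dst-mac" in validate and f.opcode == ARP_REPLY and (
            f.target_mac in (ZERO_MAC, BROADCAST_MAC) or f.target_mac != f.eth_dst):
        return "dst-mac: bad target MAC in ARP reply"
    if "ip" in validate:
        if ip_is_invalid(f.sender_ip):
            return "ip: invalid sender IP"
        if f.opcode == ARP_REPLY and ip_is_invalid(f.target_ip):
            return "ip: invalid target IP"
    return None


def user_validity_check(f):
    """Static IP source guard bindings are consulted first, then DHCP snooping entries."""
    key = (f.sender_ip, f.sender_mac, f.vlan, f.in_port)
    if key in STATIC_BINDINGS:
        return "static binding"
    if key in DHCP_SNOOPING:
        return "dhcp snooping"
    return None


def normal_forward(f):
    """Forwarding without restriction: flood requests, unicast replies per MAC table."""
    if f.opcode == ARP_REQUEST or f.eth_dst == BROADCAST_MAC:
        return sorted(VLAN_PORTS - {f.in_port})
    egress = MAC_TABLE.get(f.eth_dst)
    return [egress] if egress else sorted(VLAN_PORTS - {f.in_port})


def process(f, restricted_forwarding=False):
    """Return ('drop', reason) or ('forward', egress ports) for one ARP frame."""
    if f.in_port in TRUSTED_PORTS:                 # trusted ports are not checked
        return ("forward", normal_forward(f))
    reason = validity_check(f)
    if reason:
        return ("drop", reason)
    if user_validity_check(f) is None:
        return ("drop", "user validity: no matching binding")
    if not restricted_forwarding:
        return ("forward", normal_forward(f))      # valid broadcast reaches every VLAN port
    if f.opcode == ARP_REQUEST:
        return ("forward", sorted(TRUSTED_PORTS))  # restricted: requests go to trusted ports only
    egress = MAC_TABLE.get(f.eth_dst)              # restricted: replies follow the MAC table
    return ("forward", [egress] if egress else sorted(TRUSTED_PORTS))


# Constructed frames: Host A resolving the gateway, Host B answering it, and a request
# whose sender IP has no binding on its ingress port.
HOST_A_REQUEST = ArpFrame("GE3/0/1", VLAN, "0001-0203-0405", BROADCAST_MAC, ARP_REQUEST,
                          "0001-0203-0405", "10.1.1.5", ZERO_MAC, "10.1.1.1")
HOST_B_REPLY = ArpFrame("GE3/0/2", VLAN, "0001-0203-0607", "000f-e200-0001", ARP_REPLY,
                        "0001-0203-0607", "10.1.1.6", "000f-e200-0001", "10.1.1.1")
UNBOUND_REQUEST = ArpFrame("GE3/0/1", VLAN, "0001-0203-0405", BROADCAST_MAC, ARP_REQUEST,
                           "0001-0203-0405", "10.1.1.9", ZERO_MAC, "10.1.1.1")

if __name__ == "__main__":
    frames = [("Host A request", HOST_A_REQUEST), ("Host B reply", HOST_B_REPLY),
              ("unbound sender IP", UNBOUND_REQUEST)]
    for label, frame in frames:
        for restricted in (False, True):
            print(f"{label:18} restricted={str(restricted):5} -> {process(frame, restricted)}")
```

Running the block shows the point the text makes: Host A's valid broadcast request is forwarded to GE3/0/2 and GE3/0/3 without restricted forwarding, so it still reaches Host B's isolated port, while with restricted forwarding it leaves only through the trusted port GE3/0/3; a request whose sender IP matches no binding is dropped in either mode.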