R0106-HP MSR Router Series Security Configuration Guide(V7)

[DeviceB-GigabitEthernet2/1/1] quit
[DeviceB] interface gigabitethernet 2/1/2
[DeviceB-GigabitEthernet2/1/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on GigabitEthernet 2/1/2.
[DeviceB-GigabitEthernet2/1/2] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[DeviceB-GigabitEthernet2/1/2] dhcp relay server-address 10.1.1.1
# Enable authorized ARP.
[DeviceB-GigabitEthernet2/1/2] arp authorized enable
[DeviceB-GigabitEthernet2/1/2] quit
# Enable recording of relay entries on the relay agent.
[DeviceB] dhcp relay client-information record
3. Configure Device C:
<DeviceC> system-view
[DeviceC] ip route-static 10.1.1.0 24 10.10.1.1
[DeviceC] interface gigabitethernet 2/1/2
[DeviceC-GigabitEthernet2/1/2] ip address dhcp-alloc
[DeviceC-GigabitEthernet2/1/2] quit
Verifying the configuration
# Display authorized ARP information on Device B.
[DeviceB] display arp all
Type: S-Static D-Dynamic O-Openflow M-Multiport I-Invalid
IP Address       MAC Address     VLAN  Interface  Aging  Type
10.10.1.2        0012-3f86-e94c  N/A   GE2/1/2    20     D
The output shows that Device A assigned the IP address 10.10.1.2 to Device C.
Device C must use the IP address and MAC address in the authorized ARP entry to communicate with
Device B. Otherwise, the communication fails. This ensures user validity.
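The following Python script is an added example, not part of the HP guide. It parses display arp all output in the format shown above and reports ARP entries on the relay interface whose IP/MAC pair does not match a DHCP binding. The binding table, the second ARP row (10.10.1.3), and all function names are constructed for illustration; it assumes the bindings were exported from the DHCP server as IP-to-MAC pairs.

```python
import re

# Constructed sample: the page's output plus one made-up row (10.10.1.3)
# that has no matching DHCP binding.
SAMPLE_ARP_OUTPUT = """\
Type: S-Static D-Dynamic O-Openflow M-Multiport I-Invalid
IP Address       MAC Address     VLAN  Interface  Aging  Type
10.10.1.2        0012-3f86-e94c  N/A   GE2/1/2    20     D
10.10.1.3        0000-5e00-5301  N/A   GE2/1/2    18     D
"""

# Constructed sample: IP -> MAC bindings as exported from the DHCP server.
SAMPLE_BINDINGS = {"10.10.1.2": "00:12:3F:86:E9:4C"}

# One table row: IPv4 address, MAC in xxxx-xxxx-xxxx form, then four columns.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+"
    r"(?P<vlan>\S+)\s+(?P<intf>\S+)\s+(?P<aging>\S+)\s+(?P<type>[SDOMI])\s*$"
)

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp_table(text):
    """Return one dict per ARP entry; legend and header lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def audit(arp_text, bindings, interface):
    """List ARP entries on `interface` that do not match a DHCP binding."""
    expected = {ip: norm_mac(mac) for ip, mac in bindings.items()}
    findings = []
    for e in parse_arp_table(arp_text):
        if e["intf"] != interface:
            continue
        want = expected.get(e["ip"])
        if want is None:
            findings.append((e["ip"], e["mac"], "no DHCP binding"))
        elif want != norm_mac(e["mac"]):
            findings.append((e["ip"], e["mac"], "MAC differs from binding"))
    return findings

if __name__ == "__main__":
    for ip, mac, why in audit(SAMPLE_ARP_OUTPUT, SAMPLE_BINDINGS, "GE2/1/2"):
        print(f"{ip} {mac}: {why}")
```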
Configuring ARP detection
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks. ARP detection does not check ARP packets received from ARP
trusted ports.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding
functions.
If both the ARP packet validity check and the user validity check are enabled, the ARP packet validity
check is applied first, followed by the user validity check.
NOTE:
This feature is available only on routers that have Layer 2 switching modules installed.
The term "switch" in this section refers to a router that has Layer 2 switching modules installed.