Configuring arp detection, Configuring user validity check – H3C Technologies H3C S12500-X Series Switches User Manual

Page 237


[SwitchB-Ten-GigabitEthernet1/0/1] quit
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on Ten-GigabitEthernet 1/0/2.
[SwitchB-Ten-GigabitEthernet1/0/2] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[SwitchB-Ten-GigabitEthernet1/0/2] dhcp relay server-address 10.1.1.1
# Enable authorized ARP.
[SwitchB-Ten-GigabitEthernet1/0/2] arp authorized enable
[SwitchB-Ten-GigabitEthernet1/0/2] quit
# Enable recording of relay entries on the relay agent.
[SwitchB] dhcp relay client-information record

3. Configure Switch C:
<SwitchC> system-view
[SwitchC] ip route-static 10.1.1.0 24 10.10.1.1
[SwitchC] interface ten-gigabitethernet 1/0/2
[SwitchC-Ten-GigabitEthernet1/0/2] ip address dhcp-alloc
[SwitchC-Ten-GigabitEthernet1/0/2] quit


Verifying the configuration

After Switch C obtains an IP address from Switch A, display the authorized ARP information on Switch B.

[SwitchB] display arp all
  Type: S-Static   D-Dynamic   O-Openflow   M-Multiport   I-Invalid
IP Address      MAC Address     VLAN  Interface   Aging  Type
10.10.1.2       0012-3f86-e94c  N/A   XGE1/0/2    20     D

The output shows that Switch A assigned the IP address 10.10.1.2 to Switch C. Switch C must use the IP address and MAC address in the authorized ARP entry to communicate with Switch B. Otherwise, the communication fails. This ensures user validity.


Configuring ARP detection

ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection does not check ARP packets received from ARP trusted ports.

ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding functions.

If both ARP packet validity check and user validity check are enabled, the ARP packet validity check applies first, and then the user validity check applies.


Configuring user validity check

Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and MAC addresses against the static IP source guard binding entries and the DHCP snooping entries. If a match is found in those entries, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
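The following added example (not H3C code) models the user validity check described above: it parses the sender MAC and IP out of a constructed ARP payload, bypasses the check for ARP trusted ports, and forwards the packet only if the sender pair matches a binding entry. The binding table reuses the client 10.10.1.2 / 0012-3f86-e94c from the verification output; the trusted port XGE1/0/1 and all other values are assumptions.

```python
"""Model of the ARP detection user validity check (added example, not H3C code).

The binding table, trusted port and ARP payloads are constructed inline; only
the client 10.10.1.2 / 0012-3f86-e94c comes from the page, the rest is assumed.
"""
import struct
from typing import Iterable, Set, Tuple

# Constructed binding table: the union of static IP source guard bindings and
# DHCP snooping entries, keyed on (sender IP, sender MAC) as the text describes.
BINDINGS: Set[Tuple[str, str]] = {("10.10.1.2", "0012-3f86-e94c")}
# Assumed ARP trusted port (uplink towards the gateway); never checked.
TRUSTED_PORTS: Set[str] = {"XGE1/0/1"}

def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed 28-byte Ethernet/IPv4 ARP request payload (opcode 1)."""
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, oper
    return header + sender_mac + spa + b"\x00" * 6 + tpa  # target MAC still unknown

def parse_arp(payload: bytes) -> Tuple[str, str]:
    """Return (sender MAC in H3C xxxx-xxxx-xxxx form, sender IP) from an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen = struct.unpack("!HHBB", payload[:6])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    sha, spa = payload[8:14], payload[14:18]
    mac = "%02x%02x-%02x%02x-%02x%02x" % tuple(sha)
    return mac, ".".join(str(b) for b in spa)

def check_user_validity(payload: bytes, ingress_port: str,
                        bindings: Iterable[Tuple[str, str]] = BINDINGS,
                        trusted_ports: Iterable[str] = TRUSTED_PORTS) -> str:
    """Return 'forward' or 'discard' for an ARP packet received on ingress_port."""
    if ingress_port in trusted_ports:
        return "forward"          # ARP detection does not inspect trusted ports
    mac, ip = parse_arp(payload)
    if (ip, mac) in set(bindings):
        return "forward"          # sender IP/MAC pair matches a binding entry
    return "discard"              # no binding matches: the packet is invalid

if __name__ == "__main__":
    good = build_arp_request(bytes.fromhex("00123f86e94c"), "10.10.1.2", "10.10.1.1")
    bad = build_arp_request(bytes.fromhex("0a0b0c0d0e0f"), "10.10.1.2", "10.10.1.1")
    print(check_user_validity(good, "XGE1/0/2"), check_user_validity(bad, "XGE1/0/2"))
```

The second payload carries the bound IP with a different MAC, which is exactly the mismatch the check discards on an untrusted port and lets through unchecked on the trusted one.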
