Configuration procedure
1. Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in . (Omitted)
2. Configure the DHCP server on Router A.
# Configure DHCP address pool 0.
<RouterA> system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure the DHCP client on Hosts A and B. (Omitted)
4. Configure Router B.
# Enable DHCP snooping, and configure GigabitEthernet1/0/3 as a DHCP-trusted port.
<RouterB> system-view
[RouterB] dhcp-snooping
[RouterB] interface gigabitethernet1/0/3
[RouterB-GigabitEthernet1/0/3] dhcp-snooping trust
[RouterB-GigabitEthernet1/0/3] quit
# Enable ARP detection.
[RouterB] vlan 10
[RouterB-vlan10] arp detection enable
# Configure GigabitEthernet1/0/3 as an ARP-trusted port.
[RouterB-vlan10] interface gigabitethernet1/0/3
[RouterB-GigabitEthernet1/0/3] arp detection trust
[RouterB-GigabitEthernet1/0/3] quit
# Configure a static IP source guard entry on interface GigabitEthernet1/0/2.
[RouterB] interface gigabitethernet1/0/2
[RouterB-GigabitEthernet1/0/2] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[RouterB-GigabitEthernet1/0/2] quit
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[RouterB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[RouterB] interface gigabitethernet1/0/1
[RouterB-GigabitEthernet1/0/1] port-isolate enable
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] interface gigabitethernet1/0/2
[RouterB-GigabitEthernet1/0/2] port-isolate enable
[RouterB-GigabitEthernet1/0/2] quit
After the preceding configurations are complete, ARP packets arriving at interfaces
GigabitEthernet1/0/1 and GigabitEthernet1/0/2 first have their MAC and IP addresses checked, are then
checked against the static IP source guard binding entries and, finally, against the DHCP snooping
entries. However, ARP broadcast requests sent from Host A can pass the check on Router B. Port
isolation fails.
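The check order described above, as an added Python model (not part of the original guide and not device code). It assumes Host A sits on GigabitEthernet1/0/1 with a constructed DHCP snooping entry (10.1.1.2, 0001-0203-0405); the names check_arp, bad_ip and arp are hypothetical, and bindings are simplified to an IP-to-MAC lookup.

```python
import ipaddress

TRUSTED_PORTS = {"GigabitEthernet1/0/3"}           # arp detection trust
STATIC_BINDINGS = {"10.1.1.6": "0001-0203-0607"}   # user-bind entry from the page
DHCP_SNOOPING = {"10.1.1.2": "0001-0203-0405"}     # constructed lease for Host A
ZERO, ONES = "0000-0000-0000", "ffff-ffff-ffff"

def bad_ip(ip):
    """'ip' keyword: all-zero, all-one and multicast addresses are invalid."""
    addr = ipaddress.IPv4Address(ip)
    return addr.is_multicast or int(addr) in (0, 0xFFFFFFFF)

def check_arp(port, pkt):
    """Return (verdict, deciding stage) for one ARP packet received on port."""
    if port in TRUSTED_PORTS:
        return "forward", "trusted port"
    # Stage 1: arp detection validate dst-mac ip src-mac
    if pkt["sender_mac"] != pkt["eth_src"]:
        return "drop", "src-mac"
    if pkt["op"] == "reply":
        if pkt["target_mac"] in (ZERO, ONES) or pkt["target_mac"] != pkt["eth_dst"]:
            return "drop", "dst-mac"
        if bad_ip(pkt["target_ip"]):
            return "drop", "ip"
    if bad_ip(pkt["sender_ip"]):
        return "drop", "ip"
    # Stages 2 and 3: static IP source guard bindings first, then DHCP snooping.
    for stage, table in (("static binding", STATIC_BINDINGS),
                         ("DHCP snooping", DHCP_SNOOPING)):
        bound_mac = table.get(pkt["sender_ip"])
        if bound_mac is not None:
            verdict = "forward" if bound_mac == pkt["sender_mac"] else "drop"
            return verdict, stage
    return "drop", "no matching entry"

def arp(op, eth_src, eth_dst, sender_ip, target_ip, sender_mac=None, target_mac=ZERO):
    """Build a constructed ARP packet; sender_mac defaults to the frame source."""
    return {"op": op, "eth_src": eth_src, "eth_dst": eth_dst,
            "sender_mac": sender_mac or eth_src, "sender_ip": sender_ip,
            "target_mac": target_mac, "target_ip": target_ip}

HOST_A, HOST_B = "0001-0203-0405", "0001-0203-0607"
# Constructed samples: a normal broadcast request, a claim on Host B's IP, a forged body.
BROADCAST_REQ = arp("request", HOST_A, ONES, "10.1.1.2", "10.1.1.6")
WRONG_BINDING = arp("request", HOST_A, ONES, "10.1.1.6", "10.1.1.2")
MAC_MISMATCH = arp("request", HOST_A, ONES, "10.1.1.2", "10.1.1.6", sender_mac=HOST_B)

if __name__ == "__main__":
    for pkt in (BROADCAST_REQ, WRONG_BINDING, MAC_MISMATCH):
        print(pkt["sender_ip"], pkt["sender_mac"], check_arp("GigabitEthernet1/0/1", pkt))
```

BROADCAST_REQ is the case the paragraph ends on: a well-formed broadcast request from Host A matches its snooping entry and is forwarded, so ARP detection alone does not keep it away from the other isolated port.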