
HPE FlexFabric 5940 SERIES

Configuration procedure
1. Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of VLAN-interface 10 on Device A. (Details not shown.)
2. Configure the DHCP server on Device A, and configure DHCP address pool 0.
<DeviceA> system-view
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 0
[DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A (DHCP client) and Host B. (Details not shown.)
4. Configure Device B:
# Enable DHCP snooping, and configure Ten-GigabitEthernet 1/0/3 as a DHCP trusted interface.
<DeviceB> system-view
[DeviceB] dhcp snooping enable
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] dhcp snooping trust
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Enable ARP attack detection for user validity check.
[DeviceB] vlan 10
[DeviceB-vlan10] arp detection enable
# Configure Ten-GigabitEthernet 1/0/3 as an ARP trusted interface.
[DeviceB-vlan10] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] arp detection trust
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Configure a static IP source guard entry on interface Ten-GigabitEthernet 1/0/2.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[DeviceB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[DeviceB] port-isolate group 1
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port-isolate enable group 1
[DeviceB-Ten-GigabitEthernet1/0/1] quit
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port-isolate enable group 1
[DeviceB-Ten-GigabitEthernet1/0/2] quit
After the configurations are completed, Device B first checks the validity of ARP packets
received on Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2. If the ARP packets are
confirmed valid, Device B performs user validity check by using the static IP source guard
bindings and finally DHCP snooping entries. However, ARP broadcast requests sent from Host
A can pass the check on Device B and reach Host B. Port isolation fails.
# Enable ARP restricted forwarding.
[DeviceB] vlan 10
[DeviceB-vlan10] arp restricted-forwarding enable
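
The check order and forwarding behaviour described above, modelled in Python as an added example (not HPE code and not part of the original manual). Host A's IP address and MAC address are constructed, only the src-mac part of the validity check is modelled, and the model assumes that restricted forwarding sends validated ARP requests from untrusted interfaces out of the trusted interface only.

```python
# Simplified model of Device B's ARP handling in VLAN 10 (added example).
# Host A's lease is constructed; Host B's binding is the one configured on the page.
TRUSTED = {"Ten-GigabitEthernet1/0/3"}
VLAN10_PORTS = ["Ten-GigabitEthernet1/0/1", "Ten-GigabitEthernet1/0/2",
                "Ten-GigabitEthernet1/0/3"]
STATIC_BINDINGS = {("10.1.1.6", "0001-0203-0607", 10)}  # static IP source guard entry
DHCP_SNOOPING = {("10.1.1.2", "0001-0203-0405", 10)}    # constructed entry for Host A


def src_mac_valid(pkt):
    # src-mac check: sender MAC in the ARP body must equal the Ethernet source MAC.
    return pkt["sender_mac"] == pkt["eth_src"]


def user_valid(pkt):
    # User validity check: static IP source guard bindings, then DHCP snooping entries.
    # Matching on (sender IP, sender MAC, VLAN) is a simplification of the real lookup.
    key = (pkt["sender_ip"], pkt["sender_mac"], pkt["vlan"])
    return key in STATIC_BINDINGS or key in DHCP_SNOOPING


def egress_ports(pkt, in_port, restricted_forwarding):
    """Return the ports an ARP broadcast request leaves on; [] means dropped."""
    others = [p for p in VLAN10_PORTS if p != in_port]
    if in_port in TRUSTED:
        return others                 # ARP trusted interface: checks are skipped
    if not src_mac_valid(pkt) or not user_valid(pkt):
        return []                     # failed validity or user validity check
    if restricted_forwarding:
        return [p for p in others if p in TRUSTED]
    return others                     # flooded in the VLAN, isolated ports included


def arp_request(sender_ip, sender_mac, eth_src=None):
    return {"sender_ip": sender_ip, "sender_mac": sender_mac,
            "eth_src": eth_src or sender_mac, "vlan": 10}


if __name__ == "__main__":
    host_a = arp_request("10.1.1.2", "0001-0203-0405")
    no_binding = arp_request("10.1.1.6", "0001-0203-0405")  # IP/MAC pair with no entry
    for rf in (False, True):
        print("restricted-forwarding", rf, "->",
              egress_ports(host_a, "Ten-GigabitEthernet1/0/1", rf))
    print("no matching entry ->",
          egress_ports(no_binding, "Ten-GigabitEthernet1/0/1", True))
```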
