Operation Manual

Configuring Network Security Configuration Examples
Configuration Guide
8 Configuration Examples
8.1 Example for DHCP Snooping and ARP Detection
8.1.1 Network Requirements
As shown below, User 1 and User 2 get IP addresses from the DHCP server, and User 3 has
a static IP address. All of them are in the default VLAN 1. Untrusted DHCP packets need
to be filtered so that the DHCP clients (User 1 and User 2) get their IP addresses only
from the legitimate DHCP server. Additionally, the network needs to be protected against
ARP attacks.
Figure 8-1 Network Topology
[Diagram: Switch A with ports Te1/0/1, Te1/0/2, Te1/0/3 and Te1/0/4; DHCP Server;
User 1 (MAC 74-D3-45-32-B6-8D); User 2 (MAC 76-D9-33-56-78-A3);
User 3 (MAC 88-A9-D4-54-FD-C3, IP 192.168.0.33/24)]
8.1.2 Configuration Scheme
To meet these requirements, you can configure DHCP Snooping to filter the untrusted
DHCP messages from an unauthorized DHCP server, and configure ARP Detection and ARP
Defend to protect the network against ARP attacks. The overview of the configuration
is as follows:
1) Configure DHCP Snooping on Switch A. Set port 1/0/4 as the trusted port and other
ports as untrusted ports.
2) Configure IP-MAC Binding on Switch A. The binding entries for User 1 and User 2 are
automatically recorded via DHCP Snooping, and you need to manually bind the entry for
User 3.
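
The scheme above, modelled as an added example (not part of the original manual and not the switch's own implementation): a simplified Python model of how a trusted port, the snooped and manual bindings, and ARP Detection interact. Assumptions: the user ports (User 1 on Te1/0/1, User 2 on Te1/0/2, User 3 on Te1/0/3), the leased address 192.168.0.31, the address 10.0.0.50, the class and function names, and matching ARP on IP, MAC and port.

```python
"""Simplified model of DHCP Snooping + IP-MAC Binding + ARP Detection on Switch A."""
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these

class SwitchModel:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> port where its REQUEST arrived
        self.bindings = {}   # IP -> (MAC, port, source)

    def dhcp(self, port, msg, client_mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message seen on `port`."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"                      # server reply on an untrusted port
            if msg == "ACK" and client_mac in self.pending:
                client_port = self.pending.pop(client_mac)
                self.bindings[ip] = (client_mac, client_port, "snooping")
            return "forward"
        if msg == "REQUEST":
            self.pending[client_mac] = port        # remember the client's port
        return "forward"

    def bind_static(self, ip, mac, port):
        """Manual IP-MAC binding, as needed for a statically addressed host."""
        self.bindings[ip] = (mac, port, "manual")

    def arp(self, port, sender_mac, sender_ip):
        """ARP Detection: permit only if IP, MAC and port match a binding."""
        entry = self.bindings.get(sender_ip)
        return "permit" if entry and entry[:2] == (sender_mac, port) else "drop"

def run_scenario():
    sw = SwitchModel(trusted_ports={"Te1/0/4"})            # DHCP server port
    u1, u2, u3 = "74-D3-45-32-B6-8D", "76-D9-33-56-78-A3", "88-A9-D4-54-FD-C3"
    sw.bind_static("192.168.0.33", u3, "Te1/0/3")          # User 3, manual entry
    r = {}
    sw.dhcp("Te1/0/1", "REQUEST", u1)
    # Constructed event: a server reply arrives on an untrusted user port.
    r["rogue_ack"] = sw.dhcp("Te1/0/2", "ACK", u1, "10.0.0.50")
    r["legit_ack"] = sw.dhcp("Te1/0/4", "ACK", u1, "192.168.0.31")
    r["arp_user1"] = sw.arp("Te1/0/1", u1, "192.168.0.31")
    r["arp_user3"] = sw.arp("Te1/0/3", u3, "192.168.0.33")
    # Constructed event: ARP from User 2's port claiming User 3's address.
    r["arp_spoof"] = sw.arp("Te1/0/2", u2, "192.168.0.33")
    r["bindings"] = sw.bindings
    return r

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The model shows why User 3 needs the manual entry: without it, ARP Detection has no binding for 192.168.0.33 and would drop User 3's own ARP packets along with spoofed ones.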