Combine ARP Check with DHCP Snooping

Network Requirements

• PC1 and PC2 are connected to IP Network via Device; PC1 uses the static IP address and PC2 gets the IP address via DHCP.
• Device configures the DHCP Snooping and ARP Check function, realizing that PC2 can access IP Network normally and PC1 cannot access IP Network.

Network Topology

Figure 1-2 Networking of combining ARP Check with DHCP Snooping

Configuration Steps

Step 1: Configure the link type of the VLAN and port on Device.

#Create VLAN2.

#Configure the link type of the port gigabitethernet0/1, gigabitethernet0/2, and gigabitethernet0/3 as Access, all permitting the services of VLAN2 to pass.

Step 2: Configure the DHCP Snooping function on Device.

#Enable the DHCP Snooping function and configure the port gigabitethernet0/2 as trust port.

Step 3: Configure the ARP Check function on Device.

#Enable the ARP Check function on the port gigabitethernet0/1.

Step 4: Check the result.

#After PC2 gets the IP address successfully, view the DHCP Snooping dynamic entry on Device.

Device#show dhcp-snooping database  
        dhcp-snooping database: 
        database entries count:1 
        database entries delete time :300 
         	 
macAddr         ipAddr          transtion-id  vlan  interface leaseTime(s)  status      
0013.0100.0001	192.168.1.100   2             2     gi0/1     107990        active     
------

#View the ARP Check binding entry of the port gigabitethernet0/1.

Device#show arp-check interface gigabitethernet0/1 
--------------------ARP Check Table---------------
FLAG Codes: 
--------------------------------------------------
Interface-Name Status  MAC-Address    IP-Address     Rate PolicySource  SetHardware 
gi0/1          enable  0013.0100.0001 192.168.1.100  15   DHCPSP        active
total number: 1

#PC2 can access IP Network normally, but PC1 cannot.