No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - IP Service

S1720, S2700, S5700, and S6720 V200R012(C00 and C20)

This document describes the configurations of IP Service, including IP address, ARP, DHCP, DHCP policy VLAN, DNS, mDNS gateway, mDNS relay, UDP Helper, IP performance optimization, IPv6, DHCPv6, IPv6 DNS, IPv6 over IPv4 tunnel, and IPv4 over IPv6 tunnel.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Egress ARP Inspection

Example for Configuring Egress ARP Inspection

Networking Requirements

In Figure 2-32, Switch_2 connects to Switch_1 (DHCP server) through GE0/0/3, and connects to Host_1 and Host_2 through GE0/0/1 and GE0/0/2 respectively.

Figure 2-32  Networking diagram for configuring EAI

Host_1 and Host_2 obtain IP addresses using DHCP. GE0/0/3 on Switch_1 belongs to the same VLAN (VLAN 2) as GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_2.

The administrator from the customer requires that:

  • Layer 2 isolation and Layer 3 interworking should be implemented between Host_1 and Host_2 in VLAN 2.
  • Switch_2 should not broadcast ARP Request packets in the VLAN to reduce the intra-VLAN network load.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure port isolation on GE0/0/1 and GE0/0/2 of Switch_2, and enable intra-VLAN proxy ARP on Switch_1 to implement isolation at Layer 2 and interworking at Layer 3 between Host_1 and Host_2.

  2. Configure DHCP snooping and enable EAI on Switch_2. Switch_2 then can match the destination IP address of an ARP Request packet with the DHCP snooping dynamic binding table to determine the packet's outbound interface, preventing the intra-VLAN packet broadcast.

  3. Enable Switch_2 to forward ARP packets after port isolation is configured, so that Host_1 and Host_2 are isolated at Layer 2 and can communicate at Layer 3 when EAI is configured.

Procedure

  1. On Switch_1, create a VLAN, add interfaces to the VLAN, and configure the DHCP server function.

    # Create VLAN 2 and add GE0/0/3 to VLAN 2.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch_1
    [Switch_1] vlan batch 2
    [Switch_1] interface gigabitethernet 0/0/3
    [Switch_1-GigabitEthernet0/0/3] port link-type trunk
    [Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 2
    [Switch_1-GigabitEthernet0/0/3] quit
    

    # Create VLANIF 2, configure an IP address for VLANIF 2, and enable the DHCP server function on VLANIF 2.

    [Switch_1] dhcp enable
    [Switch_1] interface vlanif 2
    [Switch_1-Vlanif2] ip address 10.10.10.1 24
    [Switch_1-Vlanif2] dhcp select interface
    

  2. On Switch_2, create a VLAN and add interfaces to the VLAN.

    # Create VLAN 2, and add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 2.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch_2
    [Switch_2] vlan batch 2
    [Switch_2] interface gigabitethernet 0/0/1
    [Switch_2-GigabitEthernet0/0/1] port link-type access
    [Switch_2-GigabitEthernet0/0/1] port default vlan 2
    [Switch_2-GigabitEthernet0/0/1] quit
    [Switch_2] interface gigabitethernet 0/0/2
    [Switch_2-GigabitEthernet0/0/2] port link-type access
    [Switch_2-GigabitEthernet0/0/2] port default vlan 2
    [Switch_2-GigabitEthernet0/0/2] quit
    [Switch_2] interface gigabitethernet 0/0/3
    [Switch_2-GigabitEthernet0/0/3] port link-type trunk
    [Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 2
    [Switch_2-GigabitEthernet0/0/3] quit
    

  3. Configure DHCP snooping on Switch_2.

    # Enable DHCP snooping globally and in VLAN 2.

    [Switch_2] dhcp enable 
    [Switch_2] dhcp snooping enable 
    [Switch_2] vlan 2
    [Switch_2-vlan2] dhcp snooping enable 
    [Switch_2-vlan2] quit

    # Configure GE0/0/3 as a trusted interface.

    [Switch_2] interface gigabitethernet 0/0/3
    [Switch_2-GigabitEthernet0/0/3] dhcp snooping trusted
    [Switch_2-GigabitEthernet0/0/3] quit
    

    After the configurations, Host_1 and Host_2 functioning as DHCP clients can go online and ping each other, and Switch_2 generates the DHCP snooping dynamic binding table.

  4. Configure port isolation on Switch_2.

    # Configure isolation at Layer 2 and interworking at Layer 3, and configure port isolation between GE0/0/1 and GE0/0/2.

    [Switch_2] port-isolate mode l2
    [Switch_2] interface gigabitethernet 0/0/1
    [Switch_2-GigabitEthernet0/0/1] port-isolate enable
    [Switch_2-GigabitEthernet0/0/1] quit
    [Switch_2] interface gigabitethernet 0/0/2
    [Switch_2-GigabitEthernet0/0/2] port-isolate enable
    [Switch_2-GigabitEthernet0/0/2] quit

    After the configurations, Host_1 and Host_2 cannot ping each other, indicating that they have been isolated at Layer 2.

  5. Enable intra-VLAN proxy ARP on Switch_1.

    # Enable intra-VLAN proxy ARP on VLANIF 2.

    [Switch_1-Vlanif2] arp-proxy inner-sub-vlan-proxy enable
    [Switch_1-Vlanif2] quit
    

    After the configurations, Host_1 and Host_2 can ping each other, indicating that they can communicate at Layer 3.

  6. Enable EAI on Switch_2.

    # Enable EAI in VLAN 2.

    [Switch_2] vlan 2
    [Switch_2-vlan2] dhcp snooping arp security enable
    

    After EAI is enabled and the ARP entry mapping Host_2 on Host_1 has been aged, Host_1 sends an ARP Request packet before it pings Host_2.

    As EAI is enabled, Switch_2 matches the destination IP address of the ARP Request packet with the DHCP snooping dynamic binding table to determine the packet's outbound interface. Switch_2 forwards the ARP Request packet to GE0/0/1. As a result, intra-VLAN proxy ARP triggered when the ARP packet reaches Switch_1 through GE0/0/3 cannot take effect. The outbound interface GE0/0/1 determined through EAI has been isolated from the packet's inbound interface GE0/0/2. Therefore, Switch_2 discards the ARP Request packet and Host_1 fails to learn the ARP entry.

    At this time, Host_1 and Host_2 cannot ping each other.

  7. Enable Switch_2 to forward ARP packets when port isolation is configured.

    # Enable Switch_2 to forward ARP packets in VLAN 2 when port isolation is configured.

    [Switch_2-vlan2] dhcp snooping arp security isolate-forwarding-trust
    [Switch_2-vlan2] quit
    

    After the configuration, Switch_2 directly forwards the ARP Request packet from Host_1 to the trusted interface GE0/0/3. As intra-VLAN proxy ARP is configured on Switch_1, Host_1 and Host_2 can ping each other, indicating that Switch_2 has been enabled to forward ARP packets when port isolation is configured.

  8. Verify the configuration.

    Host_1 and Host_2 can ping each other.

Configuration Files

  • Switch_1 configuration file

    #
    sysname Switch_1
    #
    vlan batch 2 
    #
    dhcp enable 
    #
    interface Vlanif2
     ip address 10.10.10.1 255.255.255.0
     arp-proxy inner-sub-vlan-proxy enable
     dhcp select interface 
    #
    interface GigabitEthernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 2
    #
    return
    
  • Switch_2 configuration file

    #
    sysname Switch_2
    #
    vlan batch 2
    #                                                                               
    dhcp enable                                                                     
    #                                                                               
    dhcp snooping enable                                                            
    #
    vlan 2                                                                          
     dhcp snooping enable                                                           
     dhcp snooping arp security enable                                              
     dhcp snooping arp security isolate-forwarding-trust    
    #   
    interface GigabitEthernet0/0/1
     port link-type access
     port default vlan 2
     port-isolate enable group 1 
    #   
    interface GigabitEthernet0/0/2
     port link-type access
     port default vlan 2
     port-isolate enable group 1
    #
    interface GigabitEthernet0/0/3
     port link-type trunk                                                           
     port trunk allow-pass vlan 2                                                   
     dhcp snooping trusted       
    #   
    return
    
Translation
Download
Updated: 2018-12-24

Document ID: EDOC1100038342

Views: 84149

Downloads: 281

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next