H3C Low-End Ethernet Switches Configuration ExamplesARP Attack Prevention Chapter 2 Configuration Examples2-6[Gateway] interface vlan 10[Gateway-Vlan-interface10] ip address 192.168.0.1 24[Gateway-Vlan-interface10] quit# Configure the IP address of VLAN-interface 20 as 192.168.1.1/24.[Gateway] interface vlan 20[Gateway-Vlan-interface20] ip address 192.168.1.1 24[Gateway-Vlan-interface20] quitVI. Configure the DHCP serverBecause the configurations on the DHCP server vary with device models, theconfigurations are omitted. For details, refer to the related DHCP server configurationmanual.2.1.5 Configuration Guidelinesz Before configuring ARP attack detection, you need to enable DHCP snooping onthe switch and configure DHCP snooping trusted ports; otherwise, no ARP packetcan pass ARP attack detection.z Currently, after DHCP snooping is enabled on an H3C low-end Ethernet switch, allthe ports on the switch are DHCP snooping untrusted ports by default. You needto specify the ports connected to the valid DHCP servers as trusted to ensure thatDHCP clients can obtain valid IP addresses. The trusted ports and the portsconnected to DHCP clients must be in the same VLAN.z A DHCP snooping table only records IP-to-MAC bindings of clients that haveobtained IP addresses through DHCP. If a client with fixed IP address wants toaccess the network, you need to configure an IP static binding on the switch, thatis, the binding of the IP and MAC addresses of the client, and the port connectedto the client on the switch.z Currently, when you configure an IP static binding entry on a port of an H3C seriesEthernet switch, the VLAN ID of the entry is the default VLAN ID of the port.Therefore, if an ARP packet has a VLAN tag different from the default VLAN ID ofthe receiving port, it does not match the IP static binding entry and thus fails topass ARP attack detection.z An IP static binding entry configured on an H3C series Ethernet switch has ahigher priority than a DHCP snooping entry: If the IP address in an IP static bindingentry is the same as that in a DHCP snooping entry, the IP static binding entryoverwrites the DHCP snooping entry; if the IP static binding entry is configuredbefore DHCP snooping is enabled, no DHCP client cannot obtain the IP addressspecified in the IP static binding entry through the switch.