Configuring user validity check
This feature enables a device to check user validity as follows:
Upon receiving an ARP packet from an ARP untrusted interface, the device checks the packet against the configured rules. If a match is found, the ARP packet is processed according to the matching rule. If no match is found, the device checks the packet against static IP Source Guard binding entries
The device compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
If a match is found from those entries, the ARP packet is considered valid and is forwarded. (For a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must be an OUI MAC address and the voice VLAN must be enabled.)
If no match is found, the ARP packet is considered invalid and is discarded.
For more information about voice VLANs and OUI MAC addresses, see Layer 2—LAN Switching Configuration Guide.
Configuration guideliens
Follow these guidelines when you configure user validity check:
Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard."
Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.
802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device. For more information, see "Configuring 802.1X."
At least the configured rules, static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries must be available for user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can match the IP source guard binding entry.
Configuration procedure
To configure user validity check:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Set rules for user validity check. | arp detection id-number { permit | deny } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ] | Optional. By default, no rule is configured. |
3. Enter VLAN view. | vlan vlan-id | N/A |
4. Enable ARP detection for the VLAN. | arp detection enable | ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is disabled by default. |
5. Return to system view. | quit | N/A |
6. Enter Layer 2 Ethernet interface/Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
7. Configure the port as a trusted port on which ARP detection does not apply. | arp detection trust | Optional. The port is an untrusted port by default. |