User validity check configuration example

Network requirements

As shown in Figure 107, configure Switch B to perform user validity check based on 802.1X security entries for connected hosts.

Figure 107: Network diagram

Configuration procedure

  • Add all ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)

  • Configure Switch A as a DHCP server:

    # Configure DHCP address pool 0.

    <SwitchA> system-view
    [SwitchA] dhcp enable
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    
  • Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection. (Details not shown.)

  • Configure Switch B:

    # Enable the 802.1X function.

    <SwitchB> system-view
    [SwitchB] dot1x
    [SwitchB] interface ethernet 1/0/1
    [SwitchB-Ethernet1/0/1] dot1x
    [SwitchB-Ethernet1/0/1] quit
    [SwitchB] interface ethernet 1/0/2
    [SwitchB-Ethernet1/0/2] dot1x
    [SwitchB-Ethernet1/0/2] quit
    

    # Add local access user test.

    [SwitchB] local-user test
    [SwitchB-luser-test] service-type lan-access
    [SwitchB-luser-test] password simple test
    [SwitchB-luser-test] quit
    

    # Enable ARP detection for VLAN 10.

    [SwitchB] vlan 10
    [SwitchB-vlan10] arp detection enable
    

    # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).

    [SwitchB-vlan10] interface ethernet 1/0/3
    [SwitchB-Ethernet1/0/3] arp detection trust
    [SwitchB-Ethernet1/0/3] quit
    

    After the preceding configurations are complete, when ARP packets arrive at interfaces Ethernet 1/0/1 and Ethernet 1/0/2, they are checked against 802.1X security entries.
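The following Python model is an added example, not part of the original configuration guide or the switch software. It shows the forwarding decision Switch B makes for ARP packets once this configuration is in place. The host IP and MAC addresses are constructed sample values, and matching an entry on sender IP, sender MAC, VLAN and receiving port is an assumption of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityEntry:
    """Binding recorded once an 802.1X client authenticates and uploads its IP."""
    ip: str
    mac: str
    port: str
    vlan: int

@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    in_port: str
    vlan: int

DETECTION_VLANS = {10}               # "arp detection enable" under vlan 10
TRUSTED_PORTS = {"Ethernet1/0/3"}    # "arp detection trust" on the upstream port

# Constructed bindings for Host A and Host B (addresses are sample values).
ENTRIES = [
    SecurityEntry("10.1.1.5", "0001-0203-0405", "Ethernet1/0/1", 10),
    SecurityEntry("10.1.1.6", "0001-0203-0607", "Ethernet1/0/2", 10),
]

def norm_mac(mac: str) -> str:
    """Compare MACs regardless of separator style or case."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def validity_check(pkt: ArpPacket, entries=ENTRIES) -> tuple[str, str]:
    """Return (action, reason) for one ARP packet received by Switch B."""
    if pkt.vlan not in DETECTION_VLANS:
        return "forward", "ARP detection not enabled in this VLAN"
    if pkt.in_port in TRUSTED_PORTS:
        return "forward", "trusted port, packet is not checked"
    for e in entries:
        # Assumption: an entry matches on sender IP, sender MAC, VLAN and port.
        if (e.ip == pkt.sender_ip and norm_mac(e.mac) == norm_mac(pkt.sender_mac)
                and e.vlan == pkt.vlan and e.port == pkt.in_port):
            return "forward", "matches an 802.1X security entry"
    return "drop", "no matching 802.1X security entry"

if __name__ == "__main__":
    samples = [  # constructed ARP packets
        ArpPacket("10.1.1.5", "00:01:02:03:04:05", "Ethernet1/0/1", 10),  # Host A
        ArpPacket("10.1.1.1", "0001-0203-0607", "Ethernet1/0/2", 10),     # unbound IP
        ArpPacket("10.1.1.5", "0001-0203-0405", "Ethernet1/0/2", 10),     # wrong port
        ArpPacket("10.1.1.1", "0001-0203-0a0b", "Ethernet1/0/3", 10),     # upstream
    ]
    for p in samples:
        print(p.in_port, p.sender_ip, *validity_check(p))
```

The last sample is forwarded without any check because it arrives on the trusted port, which is why only the upstream port toward Switch A is marked `arp detection trust`.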