Configuring user validity check
After you enable this feature, the device checks user validity as follows:
Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against user validity check rules. If a matching rule is found, the ARP packet is processed according to the rule.
If no matching rule is found, the device compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. (For a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must be an OUI MAC address and the voice VLAN must be enabled.)
If no match is found, the ARP packet is considered invalid and is discarded.
Static IP source guard binding entries are created by using the user-bind command. For more information, see "Configuring IP source guard."
Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.
802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. The 802.1X client must be enabled to upload its IP address to the device. For more information, see "Configuring 802.1X."
For more information about voice VLAN and OUI MAC addresses, see Layer 2—LAN Switching Configuration Guide.
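The matching order described above, written out as a small model so the precedence is explicit: rules first, then static IP source guard bindings (where an entry with the right IP but the wrong MAC discards the packet, and an entry with no VLAN can never match), then DHCP snooping and 802.1X entries, then OUI MAC addresses, which count only while the voice VLAN is enabled. This is an added example, not device code or a vendor implementation; the Rule, Binding and Device classes, the check_arp function, and every address, VLAN, port name and OUI value in it are constructed for illustration. Rule masks are left out, so a rule here matches either an exact address or any.

```python
"""Model of the ARP user validity check order (constructed example, not device code).
MAC addresses use the H-H-H notation, e.g. "0001-0002-0003". All entries, addresses,
port names and OUI values below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field


def _norm(mac: str) -> str:
    return mac.lower()


def _oui(mac: str) -> str:
    # First 24 bits of the MAC address (the OUI) as six hex digits.
    return _norm(mac).replace("-", "").replace(":", "")[:6]


@dataclass
class Rule:                   # user validity check rule (masks omitted in this model)
    action: str               # "permit" or "deny"
    ip: str | None = None     # None = "ip any"
    mac: str | None = None    # None = "mac any"
    vlan: int | None = None   # None = rule applies in every VLAN

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or _norm(self.mac) == _norm(mac))
                and (self.vlan is None or self.vlan == vlan))


@dataclass
class Binding:                # static IP source guard binding entry
    ip: str
    mac: str
    vlan: int | None = None   # an entry without a VLAN never matches an ARP packet


@dataclass
class Device:
    rules: list = field(default_factory=list)
    bindings: list = field(default_factory=list)
    dhcp_snooping: set = field(default_factory=set)   # {(ip, mac)}
    dot1x: set = field(default_factory=set)           # {(ip, mac)} 802.1X security entries
    ouis: set = field(default_factory=set)            # {"000fe2", ...}
    voice_vlan_enabled: bool = False
    trusted_ports: set = field(default_factory=set)   # ports with "arp detection trust"


def check_arp(dev: Device, port: str, vlan: int, sender_ip: str, sender_mac: str):
    """Return (verdict, reason) for an ARP packet received on `port` in `vlan`."""
    if port in dev.trusted_ports:
        return "forward", "trusted port: not checked"
    # 1. User validity check rules; the first matching rule decides.
    for i, rule in enumerate(dev.rules):
        if rule.matches(sender_ip, sender_mac, vlan):
            verdict = "forward" if rule.action == "permit" else "discard"
            return verdict, f"rule {i}: {rule.action}"
    # 2. Static bindings: only entries that carry the packet's VLAN can match.
    for b in dev.bindings:
        if b.vlan != vlan or b.ip != sender_ip:
            continue
        if _norm(b.mac) == _norm(sender_mac):
            return "forward", "static binding match"
        return "discard", "static binding: IP matches but MAC does not"
    # 3. DHCP snooping and 802.1X security entries.
    key = (sender_ip, _norm(sender_mac))
    if key in {(ip, _norm(m)) for ip, m in dev.dhcp_snooping}:
        return "forward", "DHCP snooping entry"
    if key in {(ip, _norm(m)) for ip, m in dev.dot1x}:
        return "forward", "802.1X security entry"
    # 4. OUI MAC addresses are honoured only while the voice VLAN is enabled.
    if dev.voice_vlan_enabled and _oui(sender_mac) in dev.ouis:
        return "forward", "OUI MAC address (voice VLAN enabled)"
    return "discard", "no matching rule or entry"


def demo_device() -> Device:
    """A constructed device state exercising every branch of check_arp."""
    return Device(
        rules=[Rule("deny", ip="10.1.1.9"),
               Rule("permit", ip="10.1.1.10", mac="00aa-00bb-00cc", vlan=10)],
        bindings=[Binding("10.1.1.2", "0001-0002-0003", vlan=10),
                  Binding("10.1.1.3", "0001-0002-0004")],   # no VLAN: cannot match
        dhcp_snooping={("10.1.1.4", "0004-0005-0006")},
        dot1x={("10.1.1.5", "0005-0006-0007")},
        ouis={"000fe2"},                                     # constructed OUI value
        voice_vlan_enabled=True,
        trusted_ports={"GE1/0/24"},
    )


if __name__ == "__main__":
    dev = demo_device()
    for pkt in [("GE1/0/1", 10, "10.1.1.9", "1111-2222-3333"),
                ("GE1/0/1", 10, "10.1.1.2", "dead-beef-0001"),
                ("GE1/0/1", 10, "10.1.1.3", "0001-0002-0004"),
                ("GE1/0/1", 10, "10.1.1.50", "000f-e2aa-bbcc")]:
        print(pkt, "->", check_arp(dev, *pkt))
```

The second binding in demo_device shows the effect of the VLAN requirement: a packet that matches its IP and MAC exactly still falls through to the later checks and is discarded, because the entry has no VLAN. Clearing every list in the device except the OUI set reproduces the other edge case: with nothing else configured, only packets whose sender MAC carries a known OUI pass, and only while the voice VLAN is enabled.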
To configure user validity check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure a user validity check rule. | arp detection id-number { deny \| permit } ip { any \| ip-address [ ip-address-mask ] } mac { any \| mac-address [ mac-address-mask ] } [ vlan vlan-id ] | Optional. Not configured by default. |
3. Enter VLAN view. | vlan vlan-id | N/A |
4. Enable ARP detection. | arp detection enable | Disabled by default. |
5. Return to system view. | quit | N/A |
6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
7. Configure the port as a trusted port that is excluded from ARP detection. | arp detection trust | Optional. A port is an untrusted port by default. |
At least a user validity check rule, a static IP source guard binding entry, a DHCP snooping entry, or an 802.1X security entry must be available to perform user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except for the ARP packets whose sender MAC address is an OUI MAC address when voice VLAN is enabled.
You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can match the IP source guard binding entry.