User validity check configuration example
Network requirements
As shown in Figure 118:
Configure the DHCP server on Switch A.
Configure 802.1X on Switch B.
Enable ARP detection in VLAN 10 to check user validity based on 802.1X entries.
Configure Host A and Host B as 802.1X users.
Figure 118: Network diagram
Configuration procedure
Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
Configure DHCP address pool 0 for the DHCP server on Switch A.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection. (Details not shown.)
Configure Switch B:
# Enable the 802.1X function.
<SwitchB> system-view
[SwitchB] dot1x
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dot1x
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] dot1x
[SwitchB-GigabitEthernet1/0/2] quit
# Add a local user test.
[SwitchB] local-user test
[SwitchB-luser-test] service-type lan-access
[SwitchB-luser-test] password simple test
[SwitchB-luser-test] quit
# Enable ARP detection for VLAN 10 to check user validity based on 802.1X entries.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as an ARP-trusted port (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] arp detection trust
[SwitchB-GigabitEthernet1/0/3] quit
After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are checked against 802.1X entries.
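The following Python model is an added example, not vendor code. It illustrates the decision Switch B makes for each ARP packet under this configuration. The host IP and MAC addresses are constructed, and matching the sender IP and MAC against the 802.1X entry of the receiving port, as well as dropping malformed packets, are simplifying assumptions of the model.

```python
import ipaddress
import struct

# Constructed lab values modelled on the example topology (VLAN 10, 10.1.1.0/24).
ARP_DETECTION_VLANS = {10}                    # "arp detection enable" in VLAN 10
TRUSTED_PORTS = {"GigabitEthernet1/0/3"}      # "arp detection trust" on the uplink
# Assumed 802.1X entries: (vlan, port) -> (client IP, client MAC). Addresses are made up.
DOT1X_ENTRIES = {
    (10, "GigabitEthernet1/0/1"): ("10.1.1.6", "00:01:02:03:04:05"),  # Host A
    (10, "GigabitEthernet1/0/2"): ("10.1.1.7", "00:01:02:03:04:06"),  # Host B
}

def build_arp(sender_mac, sender_ip, target_ip, op=1):
    """Build a 28-byte Ethernet/IPv4 ARP payload (op 1 = request, 2 = reply)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac,
                       ipaddress.IPv4Address(sender_ip).packed, b"\x00" * 6,
                       ipaddress.IPv4Address(target_ip).packed)

def parse_sender(arp):
    """Return (sender IP, sender MAC) from an ARP payload, or None if malformed."""
    if len(arp) < 28:
        return None
    htype, ptype, hlen, plen, _op, sha, spa = struct.unpack("!HHBBH6s4s", arp[:18])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return str(ipaddress.IPv4Address(spa)), ":".join(f"{b:02x}" for b in sha)

def user_validity_check(vlan, port, arp):
    """Return 'forward' or 'drop' for an ARP packet received on (vlan, port)."""
    if vlan not in ARP_DETECTION_VLANS or port in TRUSTED_PORTS:
        return "forward"                      # trusted port or VLAN without detection
    sender = parse_sender(arp)
    if sender is None:
        return "drop"                         # model choice: malformed ARP is invalid
    return "forward" if DOT1X_ENTRIES.get((vlan, port)) == sender else "drop"

if __name__ == "__main__":
    spoof = build_arp("00:01:02:03:04:06", "10.1.1.1", "10.1.1.6", op=2)
    print(user_validity_check(10, "GigabitEthernet1/0/2", spoof))
```
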