User validity check configuration example

Network requirements

As shown in Figure 118,

Figure 118: Network diagram

Configuration procedure

  • Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)

  • Configure DHCP address pool 0 for the DHCP server on Switch A.

  • <SwitchA> system-view
    [SwitchA] dhcp enable
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    
  • Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection. (Details not shown.)

  • Configure Switch B:

  • # Enable the 802.1X function.

    <SwitchB> system-view
    [SwitchB] dot1x
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] dot1x
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] dot1x
    [SwitchB-GigabitEthernet1/0/2] quit
    

    # Add a local user test.

    [SwitchB] local-user test
    [SwitchB-luser-test] service-type lan-access
    [SwitchB-luser-test] password simple test
    [SwitchB-luser-test] quit
    

    # Enable ARP detection for VLAN 10 to check user validity based on 802.1X entries.

    [SwitchB] vlan 10
    [SwitchB-vlan10] arp detection enable
    

    # Configure the upstream port as an ARP-trusted port (a port is an untrusted port by default).

    [SwitchB-vlan10] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] arp detection trust
    [SwitchB-GigabitEthernet1/0/3] quit
    

    After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are checked against 802.1X entries.