Configuring user validity check

About user validity check

User validity check does not check ARP packets received on ARP trusted interfaces. For each ARP packet received on an ARP untrusted interface, the feature compares the sender IP address and sender MAC address in the packet with the following matching criteria, in this order:

  1. User validity check rules.

    • If a match is found, the device processes the ARP packet according to the rule.

    • If no match is found, or no user validity check rule is configured, the device proceeds to step 2.

  2. Static IP source guard bindings, 802.1X security entries, and DHCP snooping entries.

    • If a match is found, the device forwards the ARP packet.

    • If no match is found, the device discards the ARP packet.

Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."

DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.

802.1X security entries record the IP-to-MAC mappings of 802.1X clients. After a client passes 802.1X authentication and uploads its IP address to an ARP attack detection-enabled device, the device automatically generates an 802.1X security entry for that client. Uploading of the IP address must be enabled on the 802.1X client; otherwise, the device cannot generate the entry. For more information, see "Configuring 802.1X."

Restrictions and guidelines

When you configure user validity check, make sure at least one of the following items is configured, because the sender IP and MAC of every ARP packet received on an ARP untrusted interface is checked against them:

  • User validity check rules.

  • Static IP source guard bindings.

  • 802.1X security entries.

  • DHCP snooping entries.

If none of these items is configured, no ARP packet can match anything, and all incoming ARP packets on ARP untrusted interfaces are discarded. This cuts off every host behind the untrusted interfaces of the VLAN, so configure the rules or bindings before you enable ARP attack detection in the VLAN.

When you create a static IP source guard binding for user validity check, specify an IP address, a MAC address, and a VLAN in which ARP attack detection is enabled. A binding that omits any of these three items cannot match any ARP packet.

Procedure

  1. Enter system view.

    system-view

  2. (Optional.) Configure a user validity check rule.

    arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]

    By default, no user validity check rules are configured.

  3. Enter VLAN view.

    vlan vlan-id

  4. Enable ARP attack detection.

    arp detection enable

    By default, ARP attack detection is disabled.

  5. (Optional.) Configure an interface that does not require ARP user validity check as a trusted interface.

    1. Return to system view.

      quit

    2. Enter interface view.

      interface interface-type interface-number

      Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.

    3. Configure the interface as a trusted interface excluded from ARP attack detection.

      arp detection trust

      By default, an interface is untrusted.
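The following Python model ties the procedure above to the matching order described under "About user validity check". It is an added example, not Comware code or output: it reads a constructed configuration written in the CLI syntax of steps 2 to 5 (plus an ip source binding line in the keyword form assumed here) into an in-memory structure, then decides the fate of sample ARP packets in the documented order: trusted interface, then user validity check rules, then bindings, then discard. Assumptions beyond the page, each also marked in the code: the optional IP and MAC masks are match masks (1 bits are compared, an omitted mask means an exact match), rules are evaluated in ascending rule-id order with the first match winning, a rule without vlan applies in every VLAN, and the interface names and addresses are made up.

```python
"""Model of the user validity check order described on this page.  Added
example, not Comware code: it parses the CLI lines from the procedure into an
in-memory configuration and applies trusted -> rules -> bindings -> discard."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

def mac_to_int(mac: str) -> int:        # Comware H-H-H form, e.g. 0001-0203-0405
    return int(mac.replace("-", "").replace(":", ""), 16)

def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    ip: Optional[int]      # None means "any"
    ip_mask: int
    mac: Optional[int]     # None means "any"
    mac_mask: int
    vlan: Optional[int]    # None: applies in every VLAN (assumption)

    def matches(self, sip: int, smac: int, vlan: int) -> bool:
        # Assumption: masks are match masks, i.e. 1 bits are compared.
        return ((self.vlan is None or self.vlan == vlan)
                and (self.ip is None or (sip & self.ip_mask) == (self.ip & self.ip_mask))
                and (self.mac is None or (smac & self.mac_mask) == (self.mac & self.mac_mask)))

@dataclass
class Config:
    rules: List[Rule] = field(default_factory=list)
    bindings: Set[Tuple[int, int, int]] = field(default_factory=set)  # (ip, mac, vlan)
    detection_vlans: Set[int] = field(default_factory=set)
    trusted: Set[str] = field(default_factory=set)

def parse_rule(tok: List[str]) -> Rule:
    """tok is a split 'arp detection rule ...' line; an omitted mask means exact match."""
    rule_id, action, pos = int(tok[3]), tok[4], 5
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    parsed = {}
    for key, width, conv in (("ip", 32, ip_to_int), ("mac", 48, mac_to_int)):
        pos += 1                                   # skip the "ip" / "mac" keyword
        if tok[pos] == "any":
            parsed[key], pos = (None, 0), pos + 1
            continue
        value, mask, pos = conv(tok[pos]), (1 << width) - 1, pos + 1
        if pos < len(tok) and tok[pos] not in ("mac", "vlan"):
            mask, pos = conv(tok[pos]), pos + 1    # explicit mask given
        parsed[key] = (value, mask)
    vlan = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "vlan" else None
    return Rule(rule_id, action, *parsed["ip"], *parsed["mac"], vlan)

def parse_config(text: str) -> Config:
    cfg, ctx = Config(), None          # ctx: VLAN ID or interface name currently in view
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        tok = line.split()
        if tok[:3] == ["arp", "detection", "rule"]:
            cfg.rules.append(parse_rule(tok))
        elif tok[:3] == ["ip", "source", "binding"]:       # assumed keyword/value form
            kv = dict(zip(tok[3::2], tok[4::2]))
            cfg.bindings.add((ip_to_int(kv["ip-address"]), mac_to_int(kv["mac-address"]), int(kv["vlan"])))
        elif tok[0] == "vlan":
            ctx = int(tok[1])
        elif tok[0] == "interface":
            ctx = tok[1]
        elif tok == ["arp", "detection", "enable"]:
            cfg.detection_vlans.add(ctx)
        elif tok == ["arp", "detection", "trust"]:
            cfg.trusted.add(ctx)
        elif tok == ["quit"]:
            ctx = None
    return cfg

def check_arp(cfg: Config, interface: str, vlan: int, sender_ip: str, sender_mac: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one ARP packet, following the documented order."""
    if vlan not in cfg.detection_vlans:
        return "forward", "ARP attack detection not enabled in this VLAN"
    if interface in cfg.trusted:
        return "forward", "trusted interface, not checked"
    sip, smac = ip_to_int(sender_ip), mac_to_int(sender_mac)
    # Step 1: rules (assumption: evaluated in ascending rule-id order, first match wins).
    for rule in sorted(cfg.rules, key=lambda r: r.rule_id):
        if rule.matches(sip, smac, vlan):
            return ("forward" if rule.action == "permit" else "discard"), f"rule {rule.rule_id} {rule.action}"
    # Step 2: static IP source guard, 802.1X and DHCP snooping entries, all (ip, mac, vlan) triples.
    if (sip, smac, vlan) in cfg.bindings:
        return "forward", "matched a binding"
    return "discard", "no rule or binding matched"

# Constructed configuration that follows the procedure above; names and addresses are made up.
SAMPLE_CONFIG = """
arp detection rule 1 deny ip any mac 0001-0203-0405
arp detection rule 2 permit ip 10.1.1.0 255.255.255.0 mac any vlan 10
ip source binding ip-address 10.1.2.20 mac-address 000f-e200-0001 vlan 10
vlan 10
 arp detection enable
quit
interface GigabitEthernet1/0/24
 arp detection trust
"""
CFG = parse_config(SAMPLE_CONFIG)
```

With this configuration, `check_arp(CFG, "GigabitEthernet1/0/1", 10, "10.1.1.5", "0001-0203-0405")` is discarded by rule 1 even though rule 2 would permit the subnet, which is why deny rules for known-bad MACs need lower rule IDs than broad permits; a host at 10.1.2.20 matches no rule and is forwarded only because of its static binding; and a configuration with ARP attack detection enabled but no rules or bindings at all discards every ARP packet on untrusted interfaces, which is the failure mode the restrictions above warn about.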