Configuring user validity check

User validity check compares the sender IP and sender MAC in the received ARP packet with the matching criteria in the following order:

  1. User validity check rules.

    • If a match is found, the device processes the ARP packet according to the rule.

    • If no match is found, or no user validity check rule is configured, the device proceeds to step 2.

  2. Static IP source guard bindings, DHCP snooping entries, and 802.1X security entries.

    • If a match is found, the device forwards the ARP packet.

    • If no match is found, the device discards the ARP packet.

Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."

DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.

802.1X security entries record the IP-to-MAC mappings for 802.1X clients. After a client passes 802.1X authentication and uploads its IP address to an ARP attack detection enabled device, the device automatically generates an 802.1X security entry. The 802.1X client must be enabled to upload its IP address to the device. For more information, see "Configuring 802.1X."
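The two-stage decision order described above, modelled as an added Python example that is not part of the original guide: rules are consulted first, and only when none matches does the device fall back to the binding tables. It assumes rules are evaluated in ascending rule-id order, that an IP mask is a subnet mask and a MAC mask a hex mask, and that a rule carrying a VLAN applies only to packets from that VLAN; the rules and bindings are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    ip: Optional[str] = None    # None means "any"
    ip_mask: str = "255.255.255.255"   # assumed subnet-mask form
    mac: Optional[str] = None   # None means "any"
    mac_mask: str = "ffff-ffff-ffff"   # assumed hex-mask form
    vlan: Optional[int] = None  # None: rule applies to every VLAN

def mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)

def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def rule_matches(rule: Rule, sender_ip: str, sender_mac: str, vlan: int) -> bool:
    # A rule matches only if every criterion it specifies matches the sender.
    if rule.vlan is not None and rule.vlan != vlan:
        return False
    if rule.ip is not None:
        mask = ip_int(rule.ip_mask)
        if ip_int(sender_ip) & mask != ip_int(rule.ip) & mask:
            return False
    if rule.mac is not None:
        mask = mac_int(rule.mac_mask)
        if mac_int(sender_mac) & mask != mac_int(rule.mac) & mask:
            return False
    return True

def user_validity_check(sender_ip, sender_mac, vlan, rules, bindings):
    """Return "forward" or "discard" for an ARP packet on an untrusted port; bindings
    is a set of (ip, mac, vlan) ints standing in for all three binding tables."""
    # Step 1: user validity check rules (assumed ascending rule-id order).
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, sender_ip, sender_mac, vlan):
            return "forward" if rule.action == "permit" else "discard"
    # Step 2: no rule matched (or none configured): consult the binding tables.
    if (ip_int(sender_ip), mac_int(sender_mac), vlan) in bindings:
        return "forward"
    return "discard"

# Constructed sample: rule 1 permits the gateway IP only with the gateway MAC,
# rule 2 denies any other MAC claiming that IP; one host has a snooping binding.
RULES = [Rule(2, "deny", ip="10.1.1.1"), Rule(1, "permit", ip="10.1.1.1", mac="0001-0203-0405")]
BINDINGS = {(ip_int("10.1.1.50"), mac_int("0a0b-0c0d-0e0f"), 10)}
```

With these rules a host that claims the gateway IP with any other MAC is dropped at step 1, while a host with no matching rule is forwarded only if one of the binding tables knows its IP-to-MAC pair.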

Configuration guidelines

When you configure user validity check, follow these guidelines:

Configuration procedure

To configure user validity check (Step, Command, Remarks):

  1. Enter system view.
     Command: system-view
     Remarks: N/A

  2. (Optional.) Configure a user validity check rule.
     Command: arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]
     Remarks: By default, no user validity check rule is configured.

  3. Enter VLAN view.
     Command: vlan vlan-id
     Remarks: N/A

  4. Enable ARP attack detection.
     Command: arp detection enable
     Remarks: By default, ARP attack detection is disabled.

  5. Return to system view.
     Command: quit
     Remarks: N/A

  6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
     Command: interface interface-type interface-number
     Remarks: N/A

  7. (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection.
     Command: arp detection trust
     Remarks: By default, an interface is untrusted.