
Configuring user validity check – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


ARP detection provides the following functions: user validity check, ARP packet validity check, and ARP restricted forwarding.

NOTE:

If both ARP packet validity check and user validity check are enabled, the former one applies first, and
then the latter applies.

ARP detection does not check ARP packets received from ARP trusted ports.

Configuring user validity check

After you enable this feature, the device checks user validity as follows:

1. Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.

2. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. (For a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must be an OUI MAC address and the voice VLAN must be enabled.)

3. If no match is found, the ARP packet is considered invalid and is discarded.
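The decision order in steps 1 to 3, modelled in Python as an added example (not H3C code). The table layouts, the function and field names, and the simplification of an OUI MAC address to a three-byte prefix are assumptions, and all addresses are constructed sample values.

```python
from dataclasses import dataclass, field

def norm(mac: str) -> str:
    """Canonicalise a MAC (aa:bb.., aa-bb.., aabb-ccdd-eeff) to 12 hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

@dataclass
class Tables:
    static: dict = field(default_factory=dict)       # static IP source guard: IP -> MAC
    dhcp_snooping: set = field(default_factory=set)  # (IP, MAC) pairs
    dot1x: set = field(default_factory=set)          # (IP, MAC) pairs
    oui: set = field(default_factory=set)            # assumption: OUI as 3-byte prefix
    voice_vlan: bool = False

def user_validity_check(t: Tables, ip: str, mac: str, trusted: bool = False):
    """Return (action, reason) for the sender IP/MAC of one ARP packet."""
    if trusted:                      # ARP trusted ports are not checked
        return "forward", "trusted port"
    mac = norm(mac)
    bound = t.static.get(ip)
    if bound is not None:            # step 1: a static entry for this IP is decisive
        if norm(bound) == mac:
            return "forward", "static binding"
        return "discard", "static binding MAC mismatch"
    for name, table in (("dhcp snooping", t.dhcp_snooping), ("802.1X", t.dot1x)):
        if any(ip == e_ip and mac == norm(e_mac) for e_ip, e_mac in table):
            return "forward", name   # step 2: IP and MAC both match an entry
    if t.voice_vlan and any(mac.startswith(norm(p)) for p in t.oui):
        return "forward", "OUI MAC (voice VLAN)"
    return "discard", "no matching entry"  # step 3

# Constructed sample tables (documentation-range IPs, made-up MACs).
TABLES = Tables(
    static={"192.0.2.10": "00:11:22:33:44:55"},
    dhcp_snooping={("192.0.2.20", "0011-2233-6677")},
    dot1x={("192.0.2.30", "00:11:22:33:88:99")},
    oui={"00:e0:bb"},
    voice_vlan=True,
)

if __name__ == "__main__":
    # A host with a valid DHCP snooping MAC claiming the statically bound IP:
    # the static entry is checked first, so the packet is discarded.
    print(user_validity_check(TABLES, "192.0.2.10", "00:11:22:33:66:77"))
    print(user_validity_check(TABLES, "192.0.2.20", "00:11:22:33:66:77"))
```
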

NOTE:

Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3 Configuration Guide.

802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. The 802.1X client must be enabled to upload its IP address to the device. For more information, see "802.1X configuration."

To configure user validity check for a VLAN and specify a trusted port:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VLAN view. | vlan vlan-id | N/A |
| 3. Enable ARP detection. | arp detection enable | ARP detection based on static IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is disabled by default. |
| 4. Return to system view. | quit | N/A |
| 5. Enter Layer 2 Ethernet interface view or WLAN-ESS interface view. | interface interface-type interface-number | N/A |