4000 Router Series Security Configuration Guide

285

3. Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP

detection. (Details not shown.)

4. Configure Switch B:

# Enable the 802.1X function.

<SwitchB> system-view

[SwitchB] dot1x

[SwitchB] interface ethernet 1/1

[SwitchB-Ethernet1/1] dot1x

[SwitchB-Ethernet1/1] quit

[SwitchB] interface ethernet 1/2

[SwitchB-Ethernet1/2] dot1x

[SwitchB-Ethernet1/2] quit

# Add a local user test.

[SwitchB] local-user test

[SwitchB-luser-test] service-type lan-access

[SwitchB-luser-test] password simple test

[SwitchB-luser-test] quit

# Enable ARP detection for VLAN 10 to check user validity based on 802.1X entries.

[SwitchB] vlan 10

[SwitchB-vlan10] arp detection enable

# Configure the upstream interface as an ARP-trusted interface (an interface is an untrusted

interface by default).

[SwitchB-vlan10] interface ethernet 1/3

[SwitchB-Ethernet1/3] arp detection trust

[SwitchB-Ethernet1/3] quit

After the configurations are completed, ARP packets received on interfaces Ethernet 1/1 and

Ethernet 1/2 are checked against 802.1X entries.

User validity check and ARP packet validity check

configuration example

Network requirements

As shown in Figure 82, configure Switch B to perform ARP packet validity check and user validity check

based on static IP source guard binding entries and DHCP snooping entries for connected hosts.