
Comware dot1x and arp detection features.


    Posted 24 days ago

    Hi everyone,

    There is a problem with the dot1x feature and the ARP detection one on the HPE Comware switches (5140/5130).

    Ports where user laptops live are just access ports in VLAN 10. For this VLAN the ARP detection feature was enabled:

    vlan 10
     name mil-employees
     arp detection enable
    #

    Everything had worked fine before I enabled dot1x.

    After I enabled dot1x on the user ports, the ARP detection feature started to block ARP packets. Here is an example of typical port settings:

    interface GigabitEthernet2/0/13
     description employees-dot1x
     stp edged-port
     poe enable
     dot1x
     undo dot1x handshake
     dot1x mandatory-domain jetbrains.com
     dot1x port-method portbased
     dot1x re-authenticate
     dot1x guest-vlan 16
     dot1x auth-fail vlan 16
     dot1x critical vlan 16
     dot1x re-authenticate server-unreachable keep-online
    #

    What happens:

    1. At the beginning the switch port is assigned the guest VLAN (VLAN ID 16).
    2. The user's laptop gets an IP address in the guest VLAN.
    3. The user's laptop performs dot1x authentication successfully.
    4. The switch port is assigned an authorization VLAN (VLAN ID 10).
    5. The user's laptop gets an IP address from the authorization VLAN.
    6. ARP detection blocks ARP requests from the laptop.

    %Apr  8 16:23:38:455 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1802 packet(s) dropped.
    %Apr  8 16:22:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1790 packet(s) dropped.
    %Apr  8 16:21:38:453 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1762 packet(s) dropped.
    %Apr  8 16:20:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1725 packet(s) dropped.

    I'm confused and don't understand what is wrong with the settings.

    Is it a bug or normal behavior? Can I use ARP detection and dot1x at the same time?
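As an added example (not code from the post or from HPE), here is a small Python parser for the ARP/5/ARP_INSPECTION lines quoted above: it groups the reports per interface, VLAN, IP and MAC, and differences consecutive counters so you can see whether a host is still being dropped and how fast. It assumes the "packet(s) dropped" value is a running counter, which the sample suggests but the post does not state.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout copied from the ARP/5/ARP_INSPECTION lines quoted in the post.
LOG_RE = re.compile(
    r"^%(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d):\d+ (?P<year>\d{4}) \S+ "
    r"ARP/5/ARP_INSPECTION: -Slot=\d+; Detected an ARP attack on interface "
    r"(?P<iface>\S+): IP (?P<ip>[\d.]+), MAC (?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4}), "
    r"VLAN (?P<vlan>\d+)\. (?P<dropped>\d+) packet\(s\) dropped\.$"
)

# Constructed sample: the four lines from the post, newest first as the switch prints them.
SAMPLE_LOG = """\
%Apr  8 16:23:38:455 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1802 packet(s) dropped.
%Apr  8 16:22:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1790 packet(s) dropped.
%Apr  8 16:21:38:453 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1762 packet(s) dropped.
%Apr  8 16:20:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1725 packet(s) dropped.
"""

def parse_line(line):
    """Return the fields of one ARP_INSPECTION message, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["when"] = datetime.strptime(f"{f['ts']} {f['year']}", "%b %d %H:%M:%S %Y")
    f["vlan"], f["dropped"] = int(f["vlan"]), int(f["dropped"])
    return f

def summarize(lines):
    """Per (interface, VLAN, IP, MAC): first/last report, latest counter and the growth
    between consecutive reports (assumes 'packet(s) dropped' is a running counter)."""
    by_host = defaultdict(list)
    for f in filter(None, map(parse_line, lines)):
        by_host[(f["iface"], f["vlan"], f["ip"], f["mac"])].append((f["when"], f["dropped"]))
    report = {}
    for key, samples in by_host.items():
        samples.sort()  # oldest report first
        counts = [dropped for _, dropped in samples]
        report[key] = {
            "first_seen": samples[0][0], "last_seen": samples[-1][0],
            "total_dropped": counts[-1],
            "per_interval": [b - a for a, b in zip(counts, counts[1:])],
        }
    return report

if __name__ == "__main__":
    for key, r in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, r["total_dropped"], r["per_interval"])
```

Feed it the output of the switch's logbuffer (or your syslog collector) instead of SAMPLE_LOG; a shrinking per_interval series for one host after a VLAN change is the pattern to look for when comparing the timing against dot1x re-authentication events.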