Hi everyone,
there is a problem with the dot1x feature and the ARP detection feature on HPE Comware switches (5140/5130).
The ports where user laptops live are just access ports in VLAN 10. The ARP detection feature was enabled for this VLAN:
vlan 10
name mil-employees
arp detection enable
#
Everything worked fine before I enabled dot1x.
After I enabled dot1x on the user ports, the ARP detection feature started to block ARP packets. Here is an example of typical port settings:
interface GigabitEthernet2/0/13
description employees-dot1x
stp edged-port
poe enable
dot1x
undo dot1x handshake
dot1x mandatory-domain jetbrains.com
dot1x port-method portbased
dot1x re-authenticate
dot1x guest-vlan 16
dot1x auth-fail vlan 16
dot1x critical vlan 16
dot1x re-authenticate server-unreachable keep-online
#
What happens:
1. At the beginning the switch port is assigned the guest VLAN (VLAN ID 16).
2. The user's laptop gets an IP address in the guest VLAN.
3. The user's laptop performs dot1x authentication successfully.
4. The switch port is assigned the authorization VLAN (VLAN ID 10).
5. The user's laptop gets an IP address from the authorization VLAN.
6. ARP detection blocks ARP requests from the laptop.
%Apr 8 16:23:38:455 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1802 packet(s) dropped.
%Apr 8 16:22:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1790 packet(s) dropped.
%Apr 8 16:21:38:453 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1762 packet(s) dropped.
%Apr 8 16:20:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1725 packet(s) dropped.
I'm confused and don't understand what is wrong with the settings.
Is it a bug or normal behavior? Can I use ARP detection and dot1x at the same time?
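An added example, not part of the original post: a small Python parser for the ARP_INSPECTION lines quoted above. It groups the reports by interface/IP/MAC/VLAN and flags hosts that keep being reported over time, which is the first thing to check when triaging whether one laptop is continuously blocked or a burst fired once. The four log lines are the ones from the post; the fifth input line (a second port), the MAC-to-colon helper and the `sustained` thresholds are my own constructions, not anything from the switch.

```python
"""Parse and aggregate Comware ARP_INSPECTION syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input. The first four lines are the ones quoted in the
# post (newest first, as pasted); the fifth is a made-up line for a second
# port so that the aggregation has more than one key.
SAMPLE_LOG = """\
%Apr 8 16:23:38:455 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1802 packet(s) dropped.
%Apr 8 16:22:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1790 packet(s) dropped.
%Apr 8 16:21:38:453 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1762 packet(s) dropped.
%Apr 8 16:20:38:454 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/13: IP 172.25.67.38, MAC c4cb-e10f-6132, VLAN 10. 1725 packet(s) dropped.
%Apr 8 16:23:40:101 2024 core.mil ARP/5/ARP_INSPECTION: -Slot=2; Detected an ARP attack on interface GigabitEthernet2/0/14: IP 172.25.67.41, MAC 0011-2233-4455, VLAN 10. 3 packet(s) dropped.
"""

# Field layout as it appears in the post: "%Mon D HH:MM:SS:mmm YYYY host
# MODULE/severity/MNEMONIC: -Slot=N; <text>". Note the millisecond field is
# separated from the time by a colon and the year comes after the time.
LINE_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) (?P<year>\d{4}) "
    r"(?P<host>\S+) ARP/(?P<sev>\d)/ARP_INSPECTION: -Slot=(?P<slot>\d+); "
    r"Detected an ARP attack on interface (?P<iface>\S+): "
    r"IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"MAC (?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}), "
    r"VLAN (?P<vlan>\d+)\. (?P<dropped>\d+) packet\(s\) dropped\.$"
)


def comware_mac_to_colon(mac: str) -> str:
    """Turn Comware's 'c4cb-e10f-6132' into 'c4:cb:e1:0f:61:32' so it can be
    matched against DHCP leases or an endpoint inventory (helper is mine)."""
    hexdigits = mac.replace("-", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_line(line: str):
    """Return a dict of fields for an ARP_INSPECTION line, or None for any
    other line (other modules, banner text, blank lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S"
    ).replace(microsecond=int(m["ms"]) * 1000)
    return {
        "ts": ts,
        "host": m["host"],
        "slot": int(m["slot"]),
        "iface": m["iface"],
        "ip": m["ip"],
        "mac": comware_mac_to_colon(m["mac"]),
        "vlan": int(m["vlan"]),
        "dropped": int(m["dropped"]),
    }


def aggregate(lines):
    """Group reports by (interface, IP, MAC, VLAN).

    The per-report "N packet(s) dropped" figure is kept as a list rather than
    summed, because the post does not say whether it is per interval or
    cumulative; max_dropped is meaningful either way."""
    groups = defaultdict(lambda: {"reports": 0, "drops": [], "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups[(rec["iface"], rec["ip"], rec["mac"], rec["vlan"])]
        g["reports"] += 1
        g["drops"].append(rec["dropped"])
        g["first"] = rec["ts"] if g["first"] is None else min(g["first"], rec["ts"])
        g["last"] = rec["ts"] if g["last"] is None else max(g["last"], rec["ts"])
    for g in groups.values():
        g["max_dropped"] = max(g["drops"])
        g["span_seconds"] = (g["last"] - g["first"]).total_seconds()
    return dict(groups)


def sustained(groups, min_reports=3, min_span_seconds=120):
    """Keys reported repeatedly over a window: a host blocked continuously
    rather than a single burst. Thresholds are arbitrary defaults."""
    return sorted(
        k for k, g in groups.items()
        if g["reports"] >= min_reports and g["span_seconds"] >= min_span_seconds
    )


if __name__ == "__main__":
    groups = aggregate(SAMPLE_LOG.splitlines())
    for key in sustained(groups):
        g = groups[key]
        print(f"{key[0]} ip={key[1]} mac={key[2]} vlan={key[3]}: "
              f"{g['reports']} reports over {g['span_seconds']:.0f}s, "
              f"max {g['max_dropped']} dropped")
```

Run against a full `display logbuffer` dump or a syslog export: only ARP_INSPECTION lines are kept, and the laptop from the post shows up as four reports spanning three minutes on GigabitEthernet2/0/13, while the constructed one-off on the neighbouring port does not.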