3com 2928 User Guide
2-3
After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an ARP
packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP
packet against the static IP-to-MAC bindings.
packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP
packet against the static IP-to-MAC bindings.
z
If an entry with a matching IP address but a different MAC address is found, the ARP packet is
considered invalid and discarded.
considered invalid and discarded.
z
If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid
and can pass the detection.
and can pass the detection.
z
If no match is found, the ARP packet is considered valid and can pass the detection.
If all the detection types are specified, the system uses static IP-to-MAC binding entries first, then
DHCP snooping entries, and then 802.1X security entries. To prevent gateway spoofing, ARP detection
based on IP-to-MAC binding entries is required. After passing this type of ARP detection, users that can
pass ARP detection based on DHCP snooping entries or 802.1X security entries are considered to be
valid. The last two detection types are used to prevent user spoofing. You can select detection types
according to the networking environment.
DHCP snooping entries, and then 802.1X security entries. To prevent gateway spoofing, ARP detection
based on IP-to-MAC binding entries is required. After passing this type of ARP detection, users that can
pass ARP detection based on DHCP snooping entries or 802.1X security entries are considered to be
valid. The last two detection types are used to prevent user spoofing. You can select detection types
according to the networking environment.
z
If all access clients acquire IP addresses through DHCP, it is recommended that you enable DHCP
snooping and ARP detection based on DHCP snooping entries on your access device.
snooping and ARP detection based on DHCP snooping entries on your access device.
z
If access clients are 802.1X clients and large in number, and most of them use static IP addresses,
it is recommended that you enable 802.1X authentication, upload of client IP addresses, and ARP
detection based on 802.1X security entries on your access device. After that, the access device
uses mappings between IP addresses, MAC addresses, VLAN IDs, and ports of 802.1X
authentication clients for ARP detection.
it is recommended that you enable 802.1X authentication, upload of client IP addresses, and ARP
detection based on 802.1X security entries on your access device. After that, the access device
uses mappings between IP addresses, MAC addresses, VLAN IDs, and ports of 802.1X
authentication clients for ARP detection.
If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP snooping
entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection based on static
IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be checked against DHCP
snooping entries. If a match is found, the packet is considered to be valid and will not be checked
against 802.1X security entries; otherwise, the packet is checked against 802.1X security entries. If a
match is found, the packet is considered to be valid; otherwise, the packet is discarded.
2) ARP detection based on specified objects
You can also specify objects in ARP packets to be detected. The objects involve:
entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection based on static
IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be checked against DHCP
snooping entries. If a match is found, the packet is considered to be valid and will not be checked
against 802.1X security entries; otherwise, the packet is checked against 802.1X security entries. If a
match is found, the packet is considered to be valid; otherwise, the packet is discarded.
2) ARP detection based on specified objects
You can also specify objects in ARP packets to be detected. The objects involve:
z
src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source
MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the
packet is discarded.
MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the
packet is discarded.
z
dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero,
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
z
ip: Checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or
multicast IP addresses are considered invalid and the corresponding packets are discarded. With
this object specified, the source and destination IP addresses of ARP replies, and the source IP
address of ARP requests are checked.
multicast IP addresses are considered invalid and the corresponding packets are discarded. With
this object specified, the source and destination IP addresses of ARP replies, and the source IP
address of ARP requests are checked.