3com 2928 User Guide

Item / Description

Trusted Ports
    Select trusted ports.
    To add ports to the Trusted Ports list box, select one or multiple ports from the
    Untrusted Ports list box and click the << button.
    To remove ports from the Trusted Ports list box, select one or multiple ports from
    the list box and click the >> button.

User Validation Check
    Select user validity check modes, including:
    • Using DHCP Snooping to validate users
    • Using Dot1x to validate users
    • Using Static-Binding entries to guard against spoofing gateway attack: You can
      configure static IP-to-MAC bindings if you select this mode. For the detailed
      configuration, refer to
    If all the detection types are specified, the system uses static IP-to-MAC bindings
    first, then DHCP snooping entries, and then 802.1X security entries. If an ARP
    packet fails to pass ARP detection based on static IP-to-MAC bindings, it is
    discarded. If the packet passes this detection, it will be checked against DHCP
    snooping entries. If a match is found, the packet is considered to be valid and will
    not be checked against 802.1X security entries; otherwise, the packet is checked
    against 802.1X security entries. If a match is found, the packet is considered to be
    valid; otherwise, the packet is discarded.
    If none of the above is selected, all ARP packets are considered to be invalid.

    • Before enabling ARP detection based on DHCP snooping entries, make sure
      that DHCP snooping is enabled.
    • Before enabling ARP detection based on 802.1X security entries, make sure
      that 802.1X is enabled and the 802.1X clients are configured to upload IP
      addresses.

ARP Packet Validation
    Select ARP packet validity check modes, including:
    • If the source MAC address of an ARP packet is not identical to that in the
      Ethernet header, the ARP packet is discarded
    • If the destination MAC address of an ARP reply is all-zero, all-one, or
      inconsistent with that in the Ethernet header, the ARP packet is discarded
    • If the source IP address of an ARP request, or the source IP address or
      destination IP address of an ARP reply is all-zero, all-one or a multicast IP
      address, the ARP packet is discarded
    If none of the above is selected, the system does not check the validity of ARP
    packets.
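
The three ARP Packet Validation checks from the table, applied to raw untagged Ethernet frames. This is an added example, not part of the 3Com guide or the switch firmware; the mode names, helper functions and sample frames are constructed for illustration.

```python
import ipaddress
import struct

ZERO_MAC, ONES_MAC = bytes(6), b"\xff" * 6

def bad_ip(raw: bytes) -> bool:
    """True for an all-zero, all-one or multicast IPv4 address."""
    addr = ipaddress.IPv4Address(raw)
    return int(addr) in (0, 0xFFFFFFFF) or addr.is_multicast

def check_arp_frame(frame: bytes, modes=("src-mac", "dst-mac", "ip")) -> list:
    """Return the selected checks (hypothetical mode names) that the frame fails.
    An empty list means no check discards it; no modes selected means no checks."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an untagged IPv4-over-Ethernet ARP frame")
    is_reply = op == 2
    failed = []
    # Sender MAC in the ARP body must equal the Ethernet source MAC.
    if "src-mac" in modes and sha != eth_src:
        failed.append("src-mac")
    # Replies only: target MAC must be a real address matching the Ethernet destination.
    if "dst-mac" in modes and is_reply and (tha in (ZERO_MAC, ONES_MAC) or tha != eth_dst):
        failed.append("dst-mac")
    # Sender IP is always checked; target IP only for replies.
    if "ip" in modes and (bad_ip(spa) or (is_reply and bad_ip(tpa))):
        failed.append("ip")
    return failed

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble a constructed sample frame from MAC strings and dotted IPs."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed samples (locally administered MACs, documentation IPs).
A, B = "02:00:00:00:00:01", "02:00:00:00:00:02"
GOOD_REQUEST = build_frame("ff:ff:ff:ff:ff:ff", B, 1, B, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")
GOOD_REPLY = build_frame(A, B, 2, B, "192.0.2.1", A, "192.0.2.10")
BAD_REPLY = build_frame(A, B, 2, "02:00:00:00:00:99", "224.0.0.5", "00:00:00:00:00:00", "192.0.2.10")

if __name__ == "__main__":
    for name in ("GOOD_REQUEST", "GOOD_REPLY", "BAD_REPLY"):
        print(name, check_arp_frame(globals()[name]) or "pass")
```

The all-zero target MAC in GOOD_REQUEST is normal for an ARP request and passes, because the destination MAC check applies to replies only.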
 
Creating a Static Binding Entry 
If you select Using Static-Binding entries to anti fake gateway attack, you can configure static 
IP-to-MAC binding entries. 
To create a static binding entry, type an IP address and MAC address in the Static Bindings field, and 
then click Add, as shown in