Item

Description

 

Select trusted ports.

 

To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted

Trusted Ports

Ports list box and click the << button.

 

To remove ports from the Trusted Ports list box, select one or multiple ports from the list box

 

and click the >> button.

 

 

 

Select user validity check modes, including:

 

Using DHCP Snooping to validate users

 

Using Dot1x to validate users

 

Using Static-Binding entries to guard against spoofing gateway attack: You can

 

configure static IP-to-MAC bindings if you select this mode. For the detailed

 

configuration, see “Creating a static binding entry”.

 

If all the detection types are specified, the system uses static IP-to-MAC bindings first, then

 

DHCP snooping entries, and then 802.1X security entries. If an ARP packet fails to pass

User Validation

ARP detection based on static IP-to-MAC bindings, it is discarded. If the packet passes this

detection, it will be checked against DHCP snooping entries. If a match is found, the packet

Check

is considered to be valid and will not be checked against 802.1X security entries;

 

 

otherwise, the packet is checked against 802.1X security entries. If a match is found, the

 

packet is considered to be valid; otherwise, the packet is discarded.

 

If none of the above is selected, all ARP packets are considered to be invalid.

 

IMPORTANT:

 

Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP

 

snooping is enabled.

 

Before enabling ARP detection based on 802.1X security entries, make sure that

 

802.1X is enabled and the 802.1X clients are configured to upload IP addresses.

 

 

 

Select ARP packet validity check modes, including:

 

If the source MAC address of an ARP packet is not identical to that in the Ethernet

 

header, the ARP packet is discarded

ARP Packet

If the destination MAC address of an ARP reply is all-zero, all-one, or inconsistent with

that in the Ethernet header, the ARP packet is discarded

Validation

If the source IP address of an ARP request, or the source IP address or destination IP

 

 

address of an ARP reply is all-zero, all-one or an multicast IP address, the ARP packet is

 

discarded

 

If none of the above is selected, the system does not check the validity of ARP packets.

 

 

Creating a static binding entry

If you select Using Static-Binding entries to guard against spoofing gateway attack, you can configure static IP-to-MAC binding entries.

To create a static binding entry, type an IP address and MAC address in the Static Bindings field, and then click Add, as shown in a.

NOTE:

If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded. If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid and can pass the detection.

319