3Com 2928 User Guide - Page 353
Creating a Static Binding Entry, Description, Trusted Ports, <<
UPC - 662705557113
View all 3Com 2928 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 353 highlights
Item Description Trusted Ports Select trusted ports. To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted Ports list box and click the > button. User Validation Check Select user validity check modes, including: z Using DHCP Snooping to validate users z Using Dot1x to validate users z Using Static-Binding entries to guard against spoofing gateway attack: You can configure static IP-to-MAC bindings if you select this mode. For the detailed configuration, refer to Creating a Static Binding Entry. If all the detection types are specified, the system uses static IP-to-MAC bindings first, then DHCP snooping entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection based on static IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be checked against DHCP snooping entries. If a match is found, the packet is considered to be valid and will not be checked against 802.1X security entries; otherwise, the packet is checked against 802.1X security entries. If a match is found, the packet is considered to be valid; otherwise, the packet is discarded. If none of the above is selected, all ARP packets are considered to be invalid. ARP Packet Validation z Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping is enabled. z Before enabling ARP detection based on 802.1X security entries, make sure that 802.1X is enabled and the 802.1X clients are configured to upload IP addresses. Select ARP packet validity check modes, including: z If the source MAC address of an ARP packet is not identical to that in the Ethernet header, the ARP packet is discarded z If the destination MAC address of an ARP reply is all-zero, all-one, or inconsistent with that in the Ethernet header, the ARP packet is discarded z If the source IP address of an ARP request, or the source IP address or destination IP address of an ARP reply is all-zero, all-one or an multicast IP address, the ARP packet is discarded If none of the above is selected, the system does not check the validity of ARP packets. Creating a Static Binding Entry If you select Using Static-Binding entries to anti fake gateway attack, you can configure static IP-to-MAC binding entries. To create a static binding entry, type an IP address and MAC address in the Static Bindings field, and then click Add, as shown in Figure 2-2. 2-5