2-5Item DescriptionTrusted PortsSelect trusted ports.To add ports to the Trusted Ports list box, select one or multiple ports from theUntrusted Ports list box and click the << button.To remove ports from the Trusted Ports list box, select one or multiple ports fromthe list box and click the >> button.User ValidationCheckSelect user validity check modes, including:z Using DHCP Snooping to validate usersz Using Dot1x to validate usersz Using Static-Binding entries to guard against spoofing gateway attack: You canconfigure static IP-to-MAC bindings if you select this mode. For the detailedconfiguration, refer to Creating a Static Binding Entry.If all the detection types are specified, the system uses static IP-to-MAC bindingsfirst, then DHCP snooping entries, and then 802.1X security entries. If an ARPpacket fails to pass ARP detection based on static IP-to-MAC bindings, it isdiscarded. If the packet passes this detection, it will be checked against DHCPsnooping entries. If a match is found, the packet is considered to be valid and willnot be checked against 802.1X security entries; otherwise, the packet is checkedagainst 802.1X security entries. If a match is found, the packet is considered to bevalid; otherwise, the packet is discarded.If none of the above is selected, all ARP packets are considered to be invalid.z Before enabling ARP detection based on DHCP snooping entries, make surethat DHCP snooping is enabled.z Before enabling ARP detection based on 802.1X security entries, make surethat 802.1X is enabled and the 802.1X clients are configured to upload IPaddresses.ARP PacketValidationSelect ARP packet validity check modes, including:z If the source MAC address of an ARP packet is not identical to that in theEthernet header, the ARP packet is discardedz If the destination MAC address of an ARP reply is all-zero, all-one, orinconsistent with that in the Ethernet header, the ARP packet is discardedz If the source IP address of an ARP request, or the source IP address ordestination IP address of an ARP reply is all-zero, all-one or an multicast IPaddress, the ARP packet is discardedIf none of the above is selected, the system does not check the validity of ARPpackets.Creating a Static Binding EntryIf you select Using Static-Binding entries to anti fake gateway attack, you can configure staticIP-to-MAC binding entries.To create a static binding entry, type an IP address and MAC address in the Static Bindings field, andthen click Add, as shown in Figure 2-2.