
HP 5500 Ei 5500 Si Switch Series Configuration Guide


Page 2011

Total entries found: 1 
 MAC Address       IP Address     VLAN   Interface              Type 
 0001-0203-0406    192.168.0.1    100    Vlan100                DHCP-RLY
 
Static IPv6 source guard configuration example 
Network requirements 
As shown in Figure 123, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a 
static IPv6 source guard entry for GigabitEthernet 1/0/1 of the device to allow only packets from the 
host to pass. 
Figure 123  Network diagram...

Page 2012

Enable the IPv6 source guard function on the device's port GigabitEthernet 1/0/1 to filter packets based on 
DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through the 
DHCP server to pass. 
Figure 124  Network diagram 
 
 
Configuration procedure 
1. Configure DHCPv6 snooping: 
# Enable DHCPv6 snooping globally. 
<Device> system-view 
[Device] ipv6 dhcp snooping enable 
# Enable DHCPv6 snooping in VLAN 2. 
[Device] vlan 2 
[Device-vlan2] ipv6 dhcp snooping vlan enable...

Page 2013

Dynamic IPv6 source guard using ND snooping configuration example 
Network requirements 
As shown in Figure 125, the client is connected to the device through port GigabitEthernet 1/0/1. 
Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. 
Enable the IPv6 source guard function on port GigabitEthernet 1/0/1 to filter packets based on the ND 
snooping entries, allowing only packets with a legally obtained IPv6 address to pass. 
Figure 125  Network...

Page 2014

Global static IP source guard configuration example 
Network requirements 
As shown in Figure 126, Device A is a distribution layer device. Device B is an access device. Host A in 
VLAN 10 and Host B in VLAN 20 communicate with each other through Device A. 
•   Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A 
and Host B. 
•   Configure Device B to forward packets of Host A and Host B normally. 
Figure 126  Network diagram 
 
 
Configuration...

Page 2015

[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address 
[DeviceB-GigabitEthernet1/0/2] quit 
[DeviceB] interface gigabitethernet 1/0/3 
[DeviceB-GigabitEthernet1/0/3] ip verify source ip-address mac-address 
[DeviceB-GigabitEthernet1/0/3] quit 
# Configure global static IP binding entries to prevent attack packets that exploit the IP address or MAC 
address of Host A and Host B from being forwarded. 
[DeviceB] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0406...

Page 2016

Configuring ARP attack protection 
Only the HP 5500 EI switches support Layer 3 Ethernet port configuration. 
The term interface in the ARP attack protection features refers to Layer 3 interfaces, including VLAN 
interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route 
mode by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). 
Overview 
Although ARP is easy to implement, it provides no security mechanism...

Page 2017

Task                                               Remarks 
Configuring ARP active acknowledgement             Optional. 
                                                   Configure this function on gateways (recommended). 
Configuring ARP detection                          Optional. 
                                                   Configure this function on access devices (recommended). 
Configuring ARP automatic scanning and fixed ARP   Optional. 
                                                   Configure this function on gateways (recommended). 
Configuring ARP gateway protection                 Optional. 
                                                   Configure this function on access devices (recommended). 
Configuring ARP filtering                          Optional. 
                                                   Configure this function on...

Page 2018

Configuring ARP source suppression 
Step                                              Command                                    Remarks 
1. Enter system view.                             system-view                                N/A 
2. Enable ARP source suppression.                 arp source-suppression enable              Disabled by default. 
3. Set the maximum number of packets with the     arp source-suppression limit limit-value   Optional. 
   same source IP address but unresolvable                                                   10 by default. 
   destination IP addresses that the device can 
   receive in five consecutive seconds. 
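
The counting rule in the table above, modeled in Python as an added example (not code from the HP guide or from the switch software). The class and function names, the sliding-window reading of "five consecutive seconds", and the constructed sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5   # "five consecutive seconds" from the table
DEFAULT_LIMIT = 10   # default of "arp source-suppression limit"


class ArpSourceSuppression:
    """Hypothetical model: per-source count of packets whose destination
    IP address cannot be resolved, kept over a sliding window (assumed)."""

    def __init__(self, limit=DEFAULT_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # source IP -> timestamps in window

    def allow_arp_request(self, src_ip, now):
        """Return True while this source may still trigger ARP requests."""
        stamps = self._seen[src_ip]
        # Forget packets that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        stamps.append(now)
        return len(stamps) <= self.limit


def suppressed_sources(events, limit=DEFAULT_LIMIT):
    """events: (timestamp, src_ip) pairs for packets to unresolvable
    destinations. Returns the sources that crossed the limit."""
    model = ArpSourceSuppression(limit=limit)
    blocked = set()
    for ts, src in sorted(events):
        if not model.allow_arp_request(src, ts):
            blocked.add(src)
    return sorted(blocked)


# Constructed sample traffic (documentation addresses, not from the guide):
# one source sweeping unresolvable addresses, one ordinary host.
SAMPLE = [(i * 0.1, "192.0.2.10") for i in range(30)]   # 30 packets in 3 s
SAMPLE += [(i * 2.0, "192.0.2.20") for i in range(8)]   # 1 packet every 2 s

if __name__ == "__main__":
    print(suppressed_sources(SAMPLE))             # default limit of 10
    print(suppressed_sources(SAMPLE, limit=100))  # raised limit
```
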
 
Enabling ARP black hole routing  
Step Command Remarks 
1. Enter...

Page 2019

Figure 127  Network diagram 
 
 
Configuration considerations 
If the attacking packets have the same source address, you can enable the ARP source suppression 
function with the following steps: 
1. Enable ARP source suppression. 
2. Set the threshold for ARP packets from the same source address to 100. If the number of ARP 
requests sourced from the same IP address in five seconds exceeds 100, the device suppresses the 
IP packets sourced from this IP address from triggering any ARP requests...

Page 2020

Configuring ARP packet rate limit 
Introduction 
The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU 
on a switch. For example, if an attacker sends a large number of ARP packets to an ARP detection 
enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected 
to the CPU for checking. As a result, the device fails to deliver other functions properly or even crashes. 
To solve this problem, you can...