
HP 5500 Ei 5500 Si Switch Series Configuration Guide


Page 2021

Configuring source MAC address based ARP attack detection

With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the specified threshold. The device adds the MAC address to the attack detection table.
Before the attack detection entry is aged out, the device uses either of the following detection modes to respond to the detected attack:
• Monitor mode...

Page 2022

Task: Display attacking MAC addresses detected by source MAC address based ARP attack detection.
Command: display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
Configuration example 
Network requirements 
As shown in Figure 128, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the...

Page 2023

[Device] arp anti-attack source-mac filter 
# Set the threshold to 30. 
[Device] arp anti-attack source-mac threshold 30 
# Set the age timer for detection entries to 60 seconds. 
[Device] arp anti-attack source-mac aging-time 60 
# Configure 0012-3f86-e94c as a protected MAC address. 
[Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c 
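The following added example (not HP code, constructed here) models the detection logic the guide describes with the parameters of this configuration example: a per-source-MAC count over a five-second window, a threshold of 30, a 60-second aging time for detection table entries, a protected MAC that is never checked, and filter versus monitor mode. Timestamps, MAC addresses and the treatment of the packet that crosses the threshold as attack traffic are assumptions of the model.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5  # the guide's fixed five-second detection window


class SourceMacArpDetector:
    """Model of source MAC address based ARP attack detection (constructed, not HP firmware)."""

    def __init__(self, threshold=30, aging_time=60, mode="filter", protected=()):
        self.threshold = threshold            # arp anti-attack source-mac threshold
        self.aging_time = aging_time          # arp anti-attack source-mac aging-time
        self.mode = mode                      # "filter" drops, "monitor" only logs
        self.protected = {m.lower() for m in protected}  # exclude-mac entries
        self.windows = defaultdict(deque)     # mac -> timestamps of recent ARP packets
        self.table = {}                       # attack detection table: mac -> expiry time
        self.log = []                         # (time, mac) for each new detection

    def _expire(self, now):
        for mac in [m for m, t in self.table.items() if t <= now]:
            del self.table[mac]

    def handle_arp(self, mac, now):
        """Return True if the ARP packet is accepted, False if it is filtered."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.protected:             # protected MACs are never checked
            return True
        if mac in self.table:                 # already detected: filter or just pass through
            return self.mode != "filter"
        window = self.windows[mac]
        window.append(now)
        while window[0] <= now - WINDOW_SECONDS:   # keep only the last five seconds
            window.popleft()
        if len(window) > self.threshold:
            # Assumption: the packet that crosses the threshold is treated as attack traffic.
            self.table[mac] = now + self.aging_time
            self.log.append((now, mac))
            window.clear()
            return self.mode != "filter"
        return True

    def attacking_macs(self, now):
        """MACs still in the table, as 'display arp anti-attack source-mac' would list them."""
        self._expire(now)
        return sorted(self.table)


if __name__ == "__main__":
    det = SourceMacArpDetector(threshold=30, aging_time=60, mode="filter",
                               protected=["0012-3f86-e94c"])
    accepted = [det.handle_arp("00aa-bbcc-dd01", 0) for _ in range(31)]  # constructed burst
    print(accepted.count(False), det.attacking_macs(0))                 # 1 ['00aa-bbcc-dd01']
```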
Configuring ARP packet source MAC address consistency check
Introduction 
The ARP packet source MAC address consistency check feature enables a...

Page 2024

Step 2. Enable the ARP active acknowledgement function.
Command: arp anti-attack active-ack enable
Remarks: Disabled by default
Configuring ARP detection 
Introduction 
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding functions. If both ARP packet validity check and user validity check are enabled,...

Page 2025

• At least the configured rules, static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries must be available for user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
• You must specify a VLAN for an IP source guard binding entry; otherwise, no ARP packets can match the IP source guard binding entry.
Configuration...

Page 2026

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter VLAN view.
Command: vlan vlan-id
Remarks: N/A

Step 3. Enable ARP detection for the VLAN.
Command: arp detection enable
Remarks: Disabled by default.

Step 4. Return to system view.
Command: quit
Remarks: N/A

Step 5. Enable ARP packet validity check and specify the objects to be checked.
Command: arp detection validate { dst-mac | ip | src-mac } *
Remarks: Disabled by default.

Step 6. Enter Layer 2 Ethernet port/Layer 2 aggregate interface view.
Command: interface interface-type interface-number...

Page 2027

User validity check configuration example 
Network requirements 
As shown in Figure 129, configure Switch B to perform user validity check based on 802.1X security entries for connected hosts.
Figure 129 Network diagram
Configuration procedure 
1. Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
2. Configure Switch A as a DHCP server:
# Configure DHCP address pool 0.
system-view
[SwitchA] dhcp enable...

Page 2028

[SwitchB-luser-test] password simple test 
[SwitchB-luser-test] quit 
# Enable ARP detection for VLAN 10. 
[SwitchB] vlan 10 
[SwitchB-vlan10] arp detection enable 
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/3 
[SwitchB-GigabitEthernet1/0/3] arp detection trust 
[SwitchB-GigabitEthernet1/0/3] quit 
After the preceding configurations are complete, when ARP...

Page 2029

[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 
3. Configure Host A as DHCP client, and Host B as user. (Details not shown.)
4. Configure Switch B:
# Enable DHCP snooping.
system-view
[SwitchB] dhcp-snooping 
[SwitchB] interface gigabitethernet 1/0/3 
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust 
[SwitchB-GigabitEthernet1/0/3] quit 
# Enable ARP detection for VLAN 10. 
[SwitchB] vlan 10 
[SwitchB-vlan10] arp detection enable 
# Configure the upstream port as a trusted port...

Page 2030

Figure 131 Network diagram

Configuration procedure
1. Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 127. (Details not shown.)
2. Configure the DHCP server on Switch A. 
# Configure DHCP address pool 0. 
system-view
[SwitchA] dhcp enable 
[SwitchA] dhcp server ip-pool 0 
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 
3. Configure the DHCP client on Hosts A and B. (Details not shown.) 
4. Configure Switch B....