HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 2031 (guide page 366)
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port-isolate enable
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port-isolate enable
[SwitchB-GigabitEthernet1/0/2] quit
After the preceding configurations are complete, ARP packets received on...
Page 2032 (guide page 367)
• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static ARP entries.
• To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command (the HP 5500 SI switch series does not support the vpn-instance-name argument in this command). To delete all such static ARP...
Page 2033 (guide page 368)
Step 3. Enable ARP gateway protection for a specified gateway.
  Command: arp filter source ip-address
  Remarks: Disabled by default
Configuration example
Network requirements
As shown in Figure 132, Host B launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B instead. Configure Switch B to block such attacks.
Figure 132 Network diagram
Configuration procedure
# Configure ARP gateway protection on Switch B....
Page 2034 (guide page 369)
Configuration guidelines
Follow these guidelines when you configure ARP filtering:
• You can configure up to eight ARP filtering entries on a port.
• The commands arp filter source and arp filter binding cannot both be configured on the same port.
• If ARP filtering works together with ARP detection and ARP snooping, ARP filtering applies first.
Configuration procedure
To configure ARP filtering:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Layer 2 Ethernet...
Page 2035 (guide page 370)
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets whose sender IP and MAC addresses are 10.1.1.2 and 000f-e349-1233 and discard all other ARP packets. GigabitEthernet 1/0/2 will permit...
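The following Python program is an added example and not code from the HP guide. It models, on constructed ARP frames, the three per-port ARP policies configured on Switch B across guide pages 366 to 370: the arp detection validate dst-mac ip src-mac checks, ARP gateway protection (arp filter source) and ARP filtering (arp filter binding), including the eight-entries-per-port limit, the rule that the two filter commands are mutually exclusive on a port, and the order in which filtering and detection apply. The field-level semantics of the "ip" validity check (which IP addresses are inspected in requests versus replies) are an assumption of this example, as marked in the code; the ArpPort class and its method names are illustrative and are not a Comware API.

```python
"""
Added example, not code from the HP manual: a minimal ARP parser plus the
per-port ARP policies the preceding pages configure on Switch B:
  arp detection validate dst-mac ip src-mac   (validity checks)
  arp filter source <gateway-ip>              (ARP gateway protection)
  arp filter binding <ip> <mac>               (ARP filtering)
All frames are constructed for this example.
"""
import struct
from ipaddress import IPv4Address

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAX_FILTER_ENTRIES = 8  # manual: at most eight ARP filtering entries per port


def parse_mac(mac: str) -> bytes:
    """Accept Comware 'hhhh-hhhh-hhhh' or colon notation."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return raw


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II + ARP (RFC 826) frame, used to construct sample traffic."""
    return struct.pack("!6s6sH", parse_mac(eth_dst), parse_mac(eth_src), ETH_ARP) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, parse_mac(sha),
        IPv4Address(spa).packed, parse_mac(tha), IPv4Address(tpa).packed)


def parse_arp(frame: bytes) -> dict:
    """Split an Ethernet/ARP frame into header MACs and the ARP body fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op, "sha": sha,
            "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}


def validate(pkt: dict, checks=("dst-mac", "ip", "src-mac")) -> list:
    """ARP detection validity checks; returns why the packet is invalid (empty list = valid)."""
    bad = []
    if "src-mac" in checks and pkt["sha"] != pkt["eth_src"]:
        bad.append("sender MAC differs from Ethernet source MAC")
    if "dst-mac" in checks and pkt["op"] == ARP_REPLY:
        if pkt["tha"] in (b"\x00" * 6, b"\xff" * 6) or pkt["tha"] != pkt["eth_dst"]:
            bad.append("reply target MAC is all-zero/all-one or differs from Ethernet destination MAC")
    if "ip" in checks:
        # Assumption of this example: the target IP of requests and both IPs of replies are
        # checked (a request from an address-less host legitimately carries sender IP 0.0.0.0).
        fields = ("tpa",) if pkt["op"] == ARP_REQUEST else ("spa", "tpa")
        for f in fields:
            ip = pkt[f]
            if ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast:
                bad.append(f"{f} is all-zero, all-one or multicast")
    return bad


class ArpPort:
    """Per-port policy; arp filter source and arp filter binding are mutually exclusive on a port."""

    def __init__(self, name: str):
        self.name, self.gateways, self.bindings = name, set(), {}

    def arp_filter_source(self, gateway_ip: str) -> None:
        if self.bindings:
            raise ValueError("arp filter source cannot be configured with arp filter binding")
        self.gateways.add(IPv4Address(gateway_ip))

    def arp_filter_binding(self, ip: str, mac: str) -> None:
        if self.gateways:
            raise ValueError("arp filter binding cannot be configured with arp filter source")
        key = IPv4Address(ip)
        if key not in self.bindings and len(self.bindings) >= MAX_FILTER_ENTRIES:
            raise ValueError("at most eight ARP filtering entries per port")
        self.bindings[key] = parse_mac(mac)

    def decide(self, frame: bytes) -> tuple:
        """ARP filtering runs before the ARP detection checks, as the manual specifies."""
        try:
            pkt = parse_arp(frame)
        except ValueError as e:
            return "discard", str(e)
        if pkt["spa"] in self.gateways:  # gateway protection: no host on this port may claim the gateway IP
            return "discard", f"sender IP {pkt['spa']} is a protected gateway"
        if self.bindings and self.bindings.get(pkt["spa"]) != pkt["sha"]:  # ARP filtering
            return "discard", f"sender {pkt['spa']} is not bound to that MAC on {self.name}"
        bad = validate(pkt)  # arp detection validate dst-mac ip src-mac
        return ("discard", "; ".join(bad)) if bad else ("permit", "ok")


if __name__ == "__main__":
    ge1 = ArpPort("GigabitEthernet1/0/1")
    ge1.arp_filter_binding("10.1.1.2", "000f-e349-1233")
    print(ge1.decide(build_arp("ffff-ffff-ffff", "000f-e349-1233", ARP_REQUEST,
                               "000f-e349-1233", "10.1.1.2", "0000-0000-0000", "10.1.1.1")))
```

Running the module replays the page's own scenario: the binding on GigabitEthernet 1/0/1 permits Host A's request, while a request on the same port that claims 10.1.1.3 (or a frame whose Ethernet source MAC disagrees with the ARP sender MAC) is discarded with the reason the check produced.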
Page 2036 (guide page 371)
Configuring ND attack defense
Overview
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. For more information about the five functions of the ND protocol, see...
Page 2037 (guide page 372)
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.
Enabling source MAC consistency check for ND packets
Use source MAC consistency check on a gateway to filter out ND packets whose source MAC address in the Ethernet frame header differs from the address carried in the source link-layer address option. Follow these guidelines when you...
Page 2038 (guide page 373)
Configuration guidelines
Follow these guidelines when you configure ND detection:
• To create IPv6 static bindings with IP source guard, use the ipv6 source binding command. For more information, see Configuring IP source guard.
• The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, see Layer 3—IP Services Configuration Guide.
• The ND snooping table is created automatically by the ND snooping module. For more information, see...
Page 2039 (guide page 374)
ND detection configuration example
Network requirements
As shown in Figure 135, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607. Enable ND detection on Switch B to filter out forged ND packets.
Figure 135 Network diagram
Configuration procedure
1. Configuring Switch A:
# Enable IPv6 forwarding.
system-view
[SwitchA] ipv6
#...
Page 2040 (guide page 375)
[SwitchA-Vlan-interface10] ipv6 address 10::1/64
[SwitchA-Vlan-interface10] quit
2. Configuring Switch B:
# Enable IPv6 forwarding.
system-view
[SwitchB] ipv6
# Create VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] quit
# Add ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port access vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2...
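The following Python program is an added example and not code from the HP guide. It serves two passages: the source MAC consistency check described on guide page 372 (Ethernet source MAC compared with the source link-layer address option of the ND message) and the ND detection example on guide pages 373 to 375 (ND messages from Host A and Host B on Switch B checked against a binding table of the kind IP source guard, DHCPv6 snooping or ND snooping would supply). The ND packet layout follows RFC 4861. The per-message rules used for ND detection (router advertisements and redirects accepted only from ND-trusted ports, duplicate address detection probes with source :: passed, everything else matched against an IPv6-to-(MAC, port) binding) are an assumption of this example, as are the function names; the hosts, addresses and MACs are those of Figure 135.

```python
"""
Added example, not code from the HP manual: parse Ethernet/IPv6 ND messages and
apply (a) the source MAC consistency check and (b) an ND detection check against
a binding table (IPv6 address -> (MAC, port)) of the kind IP source guard, DHCPv6
snooping or ND snooping would populate. Frames are constructed for this example
and ICMPv6 checksums are left zero; neither check depends on them.
"""
import struct
from ipaddress import IPv6Address

ETH_IPV6, IPPROTO_ICMPV6, OPT_SOURCE_LLADDR = 0x86DD, 58, 1
RS, RA, NS, NA, REDIRECT = 133, 134, 135, 136, 137
# Bytes between the 4-byte ICMPv6 header and the first option, per RFC 4861.
ND_FIXED_LEN = {RS: 4, RA: 12, NS: 20, NA: 20, REDIRECT: 36}


def parse_mac(mac: str) -> bytes:
    """Accept Comware 'hhhh-hhhh-hhhh' or colon notation."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return raw


def fmt_mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[:4]}-{h[4:8]}-{h[8:]}"


def parse_nd(frame: bytes):
    """Return the ND fields of an Ethernet/IPv6/ICMPv6 frame, None if it is not an ND message,
    or raise ValueError for malformed options (RFC 4861 requires such packets to be dropped)."""
    if len(frame) < 58:
        return None
    eth_src, ethertype = struct.unpack("!6sH", frame[6:14])
    payload_len, next_hdr = struct.unpack("!HB", frame[18:21])
    if ethertype != ETH_IPV6 or next_hdr != IPPROTO_ICMPV6:  # extension headers not handled here
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 4 or icmp[0] not in ND_FIXED_LEN:
        return None
    msg_type, off, options = icmp[0], 4 + ND_FIXED_LEN[icmp[0]], []
    if len(icmp) < off:
        raise ValueError("ND message shorter than its fixed part")
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0:
            raise ValueError("truncated or zero-length ND option")
        size = icmp[off + 1] * 8
        if off + size > len(icmp):
            raise ValueError("ND option runs past the end of the packet")
        options.append((icmp[off], icmp[off + 2:off + size]))
        off += size
    return {"eth_src": eth_src, "src_ip": IPv6Address(frame[22:38]), "type": msg_type, "options": options}


def source_mac_consistency(nd: dict) -> tuple:
    """Drop ND packets whose source link-layer address option disagrees with the Ethernet source MAC."""
    for otype, data in nd["options"]:
        if otype == OPT_SOURCE_LLADDR:
            if data[:6] != nd["eth_src"]:
                return False, f"SLLA {fmt_mac(data[:6])} != frame source {fmt_mac(nd['eth_src'])}"
            return True, "SLLA matches frame source MAC"
    return True, "no source link-layer address option to check"


def nd_detection(nd: dict, port: str, trusted: bool, bindings: dict) -> tuple:
    """Binding check on an ND-untrusted port. The per-message rules are an assumption of this
    example: RA/Redirect only from trusted ports, DAD probes (source ::) passed, everything
    else must match a (MAC, port) binding for its source IPv6 address."""
    if trusted:
        return True, "ND-trusted port"
    if nd["type"] in (RA, REDIRECT):
        return False, "router message received on an ND-untrusted port"
    if nd["src_ip"] == IPv6Address("::"):
        return True, "unspecified source (duplicate address detection)"
    if bindings.get(nd["src_ip"]) != (nd["eth_src"], port):
        return False, f"no binding for {nd['src_ip']} / {fmt_mac(nd['eth_src'])} on {port}"
    return True, "matches binding"


def inspect(frame: bytes, port: str, trusted: bool, bindings: dict) -> tuple:
    """Consistency check first, then ND detection; returns (verdict, reason)."""
    try:
        nd = parse_nd(frame)
    except ValueError as e:
        return "discard", str(e)
    if nd is None:
        return "ignore", "not an ND message"
    for ok, why in (source_mac_consistency(nd), nd_detection(nd, port, trusted, bindings)):
        if not ok:
            return "discard", why
    return "permit", "passed source MAC consistency and ND detection"


def slla(mac: str) -> bytes:
    """Source link-layer address option (type 1, length 1 = 8 bytes) for Ethernet."""
    return bytes([OPT_SOURCE_LLADDR, 1]) + parse_mac(mac)


def build_ns(eth_src: str, src_ip: str, target_ip: str, options: bytes = b"") -> bytes:
    """Constructed Neighbor Solicitation to the solicited-node multicast group of target_ip."""
    tgt = IPv6Address(target_ip).packed
    dst_ip = IPv6Address("ff02::1:ff00:0").packed[:13] + tgt[13:]
    icmp = struct.pack("!BBHI16s", NS, 0, 0, 0, tgt) + options
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255,
                      IPv6Address(src_ip).packed, dst_ip)
    return struct.pack("!6s6sH", b"\x33\x33" + dst_ip[12:], parse_mac(eth_src), ETH_IPV6) + ip6 + icmp
```

With bindings for 10::5 on GigabitEthernet 1/0/1 (0001-0203-0405) and 10::6 on GigabitEthernet 1/0/2 (0001-0203-0607), Host A's solicitation for the gateway passes both checks. A solicitation sent from Host B's port whose Ethernet source is Host B's MAC but whose source link-layer address option carries Host A's MAC fails the consistency check; one that is internally consistent but claims source address 10::5 from Host B's port passes the consistency check and is then dropped by ND detection because no binding ties 10::5 to that MAC and port. A zero-length option is rejected by the parser before either check runs.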