
HP 5500 Ei 5500 Si Switch Series Configuration Guide


Page 2041

Configuring URPF (available only on the HP 5500 EI) 
The term router in this feature refers to both routers and Layer 3 switches. 
URPF overview 
What is URPF 
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, 
such as denial of service (DoS) and distributed denial of service (DDoS) attacks. 
Attackers launch attacks by creating a series of packets with forged source addresses. For applications 
using IP-address-based authentication, this type of...

Page 2042

How URPF works 
URPF does not check multicast packets. 
URPF works in the following steps, as shown in Figure 137. 
Figure 137  URPF work flow 
 
1. URPF checks the source address validity:  

Page 2043

   ○ Discards packets with a broadcast source address. 
   ○ Discards packets with an all-zero source address but a non-broadcast destination address. (A 
     packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a 
     DHCP or BOOTP packet, and is not discarded.) 
   ○ For other packets, proceed to step 2. 
2. URPF checks whether the source address matches a FIB entry: 
   ○ If yes, proceed to step 3. 
   ○ If not, proceed to step 6. 
3. URPF checks whether the check mode is loose: 
   ○ If...
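
Steps 1 and 2 of the work flow above, as an added example (not code from the HP guide). It assumes that only 255.255.255.255 counts as a broadcast address, and the FIB contents and interface names are constructed. The outcomes of steps 3 and 6 are outside this excerpt, so the FIB check only reports which step comes next.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ALL_ZERO = ipaddress.IPv4Address("0.0.0.0")

# Constructed FIB for illustration: prefix -> outgoing interface (hypothetical names).
SAMPLE_FIB = {
    "10.1.0.0/16": "Vlan-interface10",
    "10.1.2.0/24": "Vlan-interface20",
    "192.0.2.0/24": "Vlan-interface30",
}

def fib_lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def check_source_validity(src, dst):
    """Step 1: returns 'not-checked', 'discard' or 'pass'."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst.is_multicast:
        return "not-checked"   # URPF does not check multicast packets
    if src == LIMITED_BROADCAST:
        return "discard"       # broadcast source address
    if src == ALL_ZERO:
        # 0.0.0.0 -> 255.255.255.255 might be DHCP or BOOTP and is not discarded
        return "pass" if dst == LIMITED_BROADCAST else "discard"
    return "pass"              # other packets go on to step 2

def check_fib(fib, src):
    """Step 2: returns (next step in the flow, matched FIB entry or None)."""
    match = fib_lookup(fib, ipaddress.IPv4Address(src))
    return (3, match) if match else (6, None)

if __name__ == "__main__":
    # Constructed packets: (source, destination)
    for src, dst in [("10.1.2.5", "192.0.2.1"), ("203.0.113.9", "10.1.2.5"),
                     ("255.255.255.255", "10.1.2.5"), ("0.0.0.0", "10.1.2.5")]:
        verdict = check_source_validity(src, dst)
        nxt = check_fib(SAMPLE_FIB, src)[0] if verdict == "pass" else None
        print(src, "->", dst, verdict, "next step:", nxt)
```
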

Page 2044

Network application 
Figure 138 Network diagram 
 
 
Configure strict URPF between each ISP and its connected users, and loose URPF between ISPs. 
Configuring URPF 
To configure URPF globally:  
Step                              Command                       Remarks 
1. Enter system view.             system-view                   N/A 
2. Enable URPF check globally.    ip urpf { loose | strict }    Disabled by default. 
 
 NOTE: 
•  The routing table size decreases by half when URPF is enabled on the HP 5500 EI switches.  
•   To prevent loss of routes and packets, URPF cannot...

Page 2045

Figure 139 Network diagram 
 
 
Configuration procedure 
1. Configure Switch A: 
# Enable strict URPF check. 
<SwitchA> system-view 
[SwitchA] ip urpf strict 
2. Configure Switch B: 
# Enable strict URPF check. 
<SwitchB> system-view 
[SwitchB] ip urpf strict 
  

Page 2046

Configuring SAVI 
SAVI overview 
Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between 
addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source 
Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol 
packets, ND protocol packets, and IPv6 data packets.  
SAVI can be used in the following address assignment scenarios:  
•   DHCPv6-only: The hosts connected to the SAVI-e...

Page 2047

 NOTE: 
If a port on the SAVI-enabled device is down for three minutes or more, the device deletes the DHCPv6 
snooping entries and ND snooping entries corresponding to the port. 
 
SAVI configuration in DHCPv6-only address assignment scenario 
Network requirements 
Figure 140  Network diagram 
 
 
As shown in Figure 140, Switch A is the DHCPv6 server. Switch B connects to the DHCPv6 server through 
interface GigabitEthernet 1/0/1, and...

Page 2048

Packet check principles 
Switch B checks DHCPv6 protocol packets from DHCPv6 clients against link-local address ND snooping 
entries; checks ND protocol packets against link-local address ND snooping entries, DHCPv6 snooping 
entries, and static binding entries; and checks the IPv6 data packets from the clients against dynamic 
binding entries (including link-local address ND snooping entries and DHCPv6 snooping entries) 
applied on the interfaces connected to the clients and against static...

Page 2049

SAVI configuration in SLAAC-only address assignment scenario 
Network requirements 
Figure 141 Network diagram 
 
 
As shown in Figure 141, Switch A serves as the gateway. Switch B connects Host A and Host B. The hosts 
can obtain IPv6 addresses only through SLAAC. Configure SAVI on Switch B to bind the addresses 
assigned through SLAAC and permit only packets from the bound addresses.  
Configuration considerations  
Configure Switch B as follows: 
•   Enable...

Page 2050

Packet check principles 
Switch B checks ND protocol packets against ND snooping entries and static binding entries; and checks 
the IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries) 
applied on the interfaces connected to the hosts and against static binding entries. The items to be 
examined include MAC address, IPv6 address, VLAN information, and ingress port. 
Configuration procedure 
# Enable SAVI. 
<SwitchB> system-view 
[SwitchB] ipv6 savi strict 
#...