HP 5500 Ei 5500 Si Switch Series Configuration Guide
Total entries found: 1
MAC Address        IP Address        VLAN  Interface  Type
0001-0203-0406     192.168.0.1       100   Vlan100    DHCP-RLY

Static IPv6 source guard configuration example

Network requirements

As shown in Figure 123, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a static IPv6 source guard entry for GigabitEthernet 1/0/1 of the device to allow only packets from the host to pass.

Figure 123 Network diagram

Configuration procedure

# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address

# Configure GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
[Device-GigabitEthernet1/0/1] ipv6 source binding ipv6-address 2001::1 mac-address 0001-0202-0202
[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# On Device, display the information about static IPv6 source guard entries. The output shows that the binding entry is configured successfully.
[Device] display ipv6 source binding static
Total entries found: 1
MAC Address        IP Address        VLAN  Interface  Type
0001-0202-0202     2001::1           N/A   GE1/0/1    Static-IPv6

Dynamic IPv6 source guard using DHCPv6 snooping configuration example

Network requirements

As shown in Figure 124, the host (DHCPv6 client) and the DHCPv6 server are connected to the device through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. Enable DHCPv6 and DHCPv6 snooping on the device, so that the host can obtain an IP address through the DHCPv6 server and the IPv6 address and the MAC address of the host can be recorded in a DHCPv6 snooping entry.
Enable the IPv6 source guard function on the device's port GigabitEthernet 1/0/1 to filter packets based on DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through the DHCP server to pass.

Figure 124 Network diagram

Configuration procedure

1. Configure DHCPv6 snooping:

# Enable DHCPv6 snooping globally.
system-view
[Device] ipv6 dhcp snooping enable

# Enable DHCPv6 snooping in VLAN 2.
[Device] vlan 2
[Device-vlan2] ipv6 dhcp snooping vlan enable
[Device-vlan2] quit

# Configure the port connecting to the DHCP server as a trusted port.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit

2. Configure the IPv6 source guard function:

# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the dynamic IPv6 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
MAC Address        IP Address        VLAN  Interface  Type
040a-0000-0001     2001::1           2     GE1/0/1    DHCPv6-SNP

# Display all DHCPv6 snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 dhcp snooping user-binding dynamic
IP Address                     MAC Address     Lease       VLAN  Interface
============================== ==============  ==========  ====  ====================
2001::1                        040a-0000-0001  286         2     GigabitEthernet1/0/1
--- 1 DHCPv6 snooping item(s) found ---

The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the DHCPv6 snooping entry.
Dynamic IPv6 source guard using ND snooping configuration example

Network requirements

As shown in Figure 125, the client is connected to the device through port GigabitEthernet 1/0/1. Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. Enable the IPv6 source guard function on port GigabitEthernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.

Figure 125 Network diagram

Configuration procedure

1. Configure ND snooping:

# In VLAN 2, enable ND snooping.
system-view
[Device] vlan 2
[Device-vlan2] ipv6 nd snooping enable
[Device-vlan2] quit

2. Configure the IPv6 source guard function:

# Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the IPv6 source guard entries generated on port GigabitEthernet 1/0/1.
[Device] display ipv6 source binding
Total entries found: 1
MAC Address        IP Address        VLAN  Interface  Type
040a-0000-0001     2001::1           2     GE1/0/1    ND-SNP

# Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1/0/1.
[Device] display ipv6 nd snooping
IPv6 Address        MAC Address       VID   Interface   Aging  Status
2001::1             040a-0000-0001    2     GE1/0/1     25     Bound
---- Total entries: 1 ----

The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the ND snooping entry.
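Both the DHCPv6 snooping and the ND snooping examples end with the same check: compare the dynamic IPv6 source guard entries with the snooping table that generated them. The script below automates that comparison for saved output of the three display commands. It is an added example, not code from the HP configuration guide or the switch; the sample outputs are constructed to mirror the column layout shown in the guide, and the extra rows (2001::2, 2001::3, 2001::9) are invented so that the audit has something to report. The same source guard parser also reads the IPv4 "display ip source binding" output, which uses the same columns.

```python
"""Cross-check dynamic IPv6 source guard entries against the DHCPv6 snooping and
ND snooping tables that generate them.

Added example, not code from the HP configuration guide. The sample outputs are
constructed; only the column layout follows the guide's display output.
"""
import re
from dataclasses import dataclass

# Comware MAC format: hhhh-hhhh-hhhh
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: str
    iface: str


def short_iface(name: str) -> str:
    """Source guard output abbreviates GigabitEthernet1/0/1 to GE1/0/1; the DHCPv6
    snooping output does not, so normalise before comparing."""
    return re.sub(r"^GigabitEthernet", "GE", name)


def parse_rows(text, ncols, ip_col, mac_col, vlan_col, iface_col, keep=lambda f: True):
    """Keep whitespace-separated rows with exactly ncols fields whose MAC column looks
    like a MAC address; headers, '====' separators and totals lines are skipped."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == ncols and MAC_RE.match(fields[mac_col]) and keep(fields):
            found.add(Binding(fields[ip_col].lower(), fields[mac_col].lower(),
                              fields[vlan_col], short_iface(fields[iface_col])))
    return found


def parse_source_guard(text):
    # columns: MAC Address, IP Address, VLAN, Interface, Type
    # static entries have no snooping counterpart, so only dynamic (…-SNP) rows are kept
    return parse_rows(text, 5, ip_col=1, mac_col=0, vlan_col=2, iface_col=3,
                      keep=lambda f: f[4].endswith("-SNP"))


def parse_dhcpv6_snooping(text):
    # columns: IP Address, MAC Address, Lease, VLAN, Interface
    return parse_rows(text, 5, ip_col=0, mac_col=1, vlan_col=3, iface_col=4)


def parse_nd_snooping(text):
    # columns: IPv6 Address, MAC Address, VID, Interface, Aging, Status
    return parse_rows(text, 6, ip_col=0, mac_col=1, vlan_col=2, iface_col=3)


def audit(source_guard, snooping):
    """Return (missing, stale): snooping bindings with no source guard entry (that host's
    traffic is being filtered) and source guard entries with no backing snooping entry."""
    return (sorted(snooping - source_guard, key=lambda b: b.ip),
            sorted(source_guard - snooping, key=lambda b: b.ip))


# Constructed sample output (layout as in the guide; rows 2001::2/::3/::9 are invented).
SOURCE_GUARD = """Total entries found: 3
MAC Address        IP Address        VLAN  Interface  Type
040a-0000-0001     2001::1           2     GE1/0/1    DHCPv6-SNP
040a-0000-0002     2001::2           2     GE1/0/1    ND-SNP
040a-0000-0009     2001::9           2     GE1/0/1    DHCPv6-SNP
"""
DHCPV6_SNOOPING = """IP Address                     MAC Address     Lease       VLAN  Interface
============================== ==============  ==========  ====  ====================
2001::1                        040a-0000-0001  286         2     GigabitEthernet1/0/1
2001::3                        040a-0000-0003  300         2     GigabitEthernet1/0/1
--- 2 DHCPv6 snooping item(s) found ---
"""
ND_SNOOPING = """IPv6 Address        MAC Address       VID   Interface   Aging  Status
2001::2             040a-0000-0002    2     GE1/0/1     25     Bound
---- Total entries: 1 ----
"""


def run_audit():
    guard = parse_source_guard(SOURCE_GUARD)
    snooping = parse_dhcpv6_snooping(DHCPV6_SNOOPING) | parse_nd_snooping(ND_SNOOPING)
    return audit(guard, snooping)


if __name__ == "__main__":
    missing, stale = run_audit()
    for b in missing:
        print(f"no source guard entry for {b.ip} ({b.mac}) on {b.iface}: host is filtered")
    for b in stale:
        print(f"source guard entry {b.ip} ({b.mac}) has no snooping entry: stale")
```

On the two single-entry outputs in the guide the audit reports nothing; with the constructed rows it flags 2001::3 (present in DHCPv6 snooping but with no source guard entry, so that client's packets are dropped) and 2001::9 (a source guard entry nothing backs).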
Global static IP source guard configuration example

Network requirements

As shown in Figure 126, Device A is a distribution layer device. Device B is an access device. Host A in VLAN 10 and Host B in VLAN 20 communicate with each other through Device A.
• Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A and Host B.
• Configure Device B to forward packets of Host A and Host B normally.

Figure 126 Network diagram

Configuration procedure

# Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10.
system-view
[DeviceB] vlan 10
[DeviceB-vlan10] port gigabitethernet 1/0/2
[DeviceB-vlan10] quit

# Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] port gigabitethernet 1/0/3
[DeviceB-vlan20] quit

# Configure the link type of GigabitEthernet 1/0/1 as trunk, and permit packets of VLAN 10 and VLAN 20 to pass the port.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 10 20
[DeviceB-GigabitEthernet1/0/1] quit

# Configure IPv4 source guard on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 to filter packets based on both the source IP address and MAC address.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/3] quit

# Configure global static IP binding entries to prevent attack packets that exploit the IP address or MAC address of Host A and Host B from being forwarded.
[DeviceB] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0406
[DeviceB] ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0407

Verifying the configuration

# Display static IPv4 binding entries on Device B.
[DeviceB] display ip source binding static
Total entries found: 2
MAC Address        IP Address        VLAN  Interface  Type
0001-0203-0406     192.168.0.2       N/A   N/A        Static
0001-0203-0407     192.168.1.2       N/A   N/A        Static

After the configurations, Host A and Host B can ping each other successfully.

Troubleshooting IP source guard

Symptom
Failed to configure static or dynamic IP source guard on a port.

Analysis
IP source guard is not supported on a port in an aggregation group.

Solution
Remove the port from the aggregation group.
Configuring ARP attack protection

Only the HP 5500 EI switches support Layer 3 Ethernet port configuration. The term interface in the ARP attack protection features refers to Layer 3 interfaces, including VLAN interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route mode by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).

Overview

Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
• Sends a large number of destination unreachable IP packets to have the receiving device busy with resolving destination IP addresses until its CPU is overloaded.
• Sends a large number of ARP packets to overload the CPU of the receiving device.

For more information about ARP attack features and types, see ARP Attack Protection Technology White Paper.

ARP attacks and viruses are threatening LAN security. This chapter introduces multiple features to detect and prevent such attacks.

ARP attack protection configuration task list

Flood prevention
• Configuring ARP defense against IP packet attacks:
  Configuring ARP source suppression. Remarks: Optional. Configure this function on gateways (recommended).
  Enabling ARP black hole routing. Remarks: Optional. Configure this function on gateways (recommended).
• Configuring ARP packet rate limit. Remarks: Optional. Configure this function on access devices (recommended).
• Configuring source MAC address based ARP attack detection. Remarks: Optional. Configure this function on gateways (recommended).

User and gateway spoofing prevention
• Configuring ARP packet source MAC address consistency check. Remarks: Optional. Configure this function on gateways (recommended).
• Configuring ARP active acknowledgement. Remarks: Optional. Configure this function on gateways (recommended).
• Configuring ARP detection. Remarks: Optional. Configure this function on access devices (recommended).
• Configuring ARP automatic scanning and fixed ARP. Remarks: Optional. Configure this function on gateways (recommended).
• Configuring ARP gateway protection. Remarks: Optional. Configure this function on access devices (recommended).
• Configuring ARP filtering. Remarks: Optional. Configure this function on access devices (recommended).

Configuring ARP defense against IP packet attacks

If the device receives a large number of IP packets from a host addressed to unreachable destinations:
• The device sends a large number of ARP requests to the destination subnets, and thus the load of the destination subnets increases.
• The device keeps trying to resolve destination IP addresses, which increases the load on the CPU.

To protect the device from IP packet attacks, you can enable the ARP source suppression function or the ARP black hole routing function.

If the packets have the same source address, you can enable the ARP source suppression function. With the function enabled, you can set a threshold for the number of ARP requests that a sending host can trigger in five seconds with packets with unresolvable destination IP addresses. When the number of ARP requests exceeds that threshold, the device suppresses the host from triggering any ARP requests in the following five seconds.

If the packets have various source addresses, you can enable the ARP black hole routing function. After receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this function enabled immediately creates a black hole route and simply drops all packets matching the route during the aging time of the black hole route.
Configuring ARP source suppression

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable ARP source suppression.
   Command: arp source-suppression enable
   Remarks: Disabled by default.
3. Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds.
   Command: arp source-suppression limit limit-value
   Remarks: Optional. 10 by default.

Enabling ARP black hole routing

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable ARP black hole routing.
   Command: arp resolving-route enable
   Remarks: Optional. Enabled by default.

Displaying and maintaining ARP defense against IP packet attacks

Display the ARP source suppression configuration information.
   Command: display arp source-suppression [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

Configuration example

Network requirements

As shown in Figure 127, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. The two areas connect to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered as the consequence of an IP flood attack. To prevent such attacks, configure ARP source suppression and ARP black hole routing.
Figure 127 Network diagram (labels: IP network, Gateway Device, R&D VLAN 10, Office VLAN 20, Host A, Host B, Host C, Host D)

Configuration considerations

If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps:
1. Enable ARP source suppression.
2. Set the threshold for ARP packets from the same source address to 100. If the number of ARP requests sourced from the same IP address in five seconds exceeds 100, the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the following five seconds.

If the attacking packets have different source addresses, enable the ARP black hole routing function on the device.

Configuration procedure

1. Configure ARP source suppression:

# Enable ARP source suppression on the device and set the threshold for ARP packets from the same source address to 100.
system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100

2. Configure ARP black hole routing:

# Enable ARP black hole routing on the device.
system-view
[Device] arp resolving-route enable
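To make the two defenses concrete, the simulation below models the behaviour the guide describes: a per-source threshold on ARP requests triggered within five seconds, followed by five seconds of suppression for that source, and a black hole route that drops every packet to an unresolvable destination until the route ages out. It is an added example, not code from the HP configuration guide or the switch. Two modelling assumptions are labelled in the code: the five-second count is treated as a fixed window that restarts after five seconds, and the black hole aging time is a parameter because the guide does not state its value. The traffic and host addresses are constructed.

```python
"""Simulate ARP source suppression and ARP black hole routing as described in the
guide. Added example, not code from the HP configuration guide or the switch.
Assumptions: fixed five-second windows for the per-source count; black hole
aging time supplied by the caller (the guide gives no value)."""

WINDOW_SECONDS = 5.0


class ArpSourceSuppression:
    """Per-source limit on ARP requests triggered by unresolvable destinations."""

    def __init__(self, limit=10):          # 10 is the default limit-value in the guide
        self.limit = limit
        self._state = {}                   # src_ip -> (window_start, count, suppressed_until)

    def unresolvable_packet(self, t, src_ip):
        """Called for each IP packet whose destination cannot be resolved by ARP.
        Returns True if it may trigger an ARP request, False if it is suppressed."""
        start, count, until = self._state.get(src_ip, (t, 0, -1.0))
        if t < until:                      # inside the five-second suppression period
            return False
        if t - start >= WINDOW_SECONDS:    # assumption: fixed window that restarts
            start, count = t, 0
        count += 1
        if count > self.limit:
            # threshold exceeded: no ARP requests for this source in the next five seconds
            self._state[src_ip] = (t, 0, t + WINDOW_SECONDS)
            return False
        self._state[src_ip] = (start, count, until)
        return True


class ArpBlackHole:
    """Black hole route per unresolvable destination, dropping matches until it ages out."""

    def __init__(self, aging_seconds):
        self.aging = aging_seconds         # assumption: aging time is not given in the guide
        self._routes = {}                  # dst_ip -> expiry time

    def unresolvable_packet(self, t, dst_ip):
        """'resolve' when an ARP request is sent and a black hole route installed,
        'drop' when the packet matches an unexpired black hole route."""
        expiry = self._routes.get(dst_ip)
        if expiry is not None and t < expiry:
            return "drop"
        self._routes[dst_ip] = t + self.aging
        return "resolve"


def simulate_source_suppression(limit=100):
    """Constructed traffic: an office-area host floods 150 packets to unresolvable
    destinations within one second while an R&D host sends five in the same second."""
    guard = ArpSourceSuppression(limit)
    flood = [guard.unresolvable_packet(i / 150, "192.168.20.3") for i in range(150)]
    normal = [guard.unresolvable_packet(i / 5, "192.168.10.2") for i in range(5)]
    after = guard.unresolvable_packet(8.0, "192.168.20.3")   # suppression has expired
    return {
        "flood_triggered": sum(flood),                        # ARP requests actually sent
        "flood_suppressed": len(flood) - sum(flood),
        "normal_triggered": sum(normal),                      # other sources are unaffected
        "flood_allowed_after_cooldown": after,
    }


def simulate_black_hole(aging_seconds=25):
    """Constructed traffic: packets toward one unresolvable destination at t = 0, 1, 10, 30 s."""
    bh = ArpBlackHole(aging_seconds)
    return [bh.unresolvable_packet(t, "192.168.20.77") for t in (0.0, 1.0, 10.0, 30.0)]


if __name__ == "__main__":
    print(simulate_source_suppression(100))
    print(simulate_black_hole(25))
```

With the limit of 100 used in the example, the flooding host gets 100 ARP requests sent on its behalf and the remaining 50 packets are suppressed, while the R&D host is unaffected because the count is kept per source; the black hole route lets only the first packet to a destination trigger resolution until the route ages out.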
Configuring ARP packet rate limit

Introduction

The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU on a switch. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected to the CPU for checking. As a result, the device fails to deliver other functions properly or even crashes. To solve this problem, you can configure ARP packet rate limit.

Enable this feature after the ARP detection or ARP snooping feature is configured, or use this feature to prevent ARP flood attacks.

Configuration procedure

When the ARP packet rate exceeds the rate limit set on an interface, the device with ARP packet rate limit enabled sends trap and log messages to report the event. To avoid too many trap and log messages, you can set the interval for sending such messages. Within each interval, the device outputs the peak ARP packet rate in the trap and log messages.

Note that trap and log messages are generated only after the trap function of ARP packet rate limit is enabled.

Trap and log messages are sent to the information center of the device. You can set the parameters of the information center to determine the output rules of trap and log messages. The output rules specify whether the messages are allowed to be output and where they are bound for. For the parameter configuration of the information center, see Network Management and Monitoring Configuration Guide.

If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent when the ARP packet rate of a member port exceeds the preset threshold rate.

To configure ARP packet rate limit:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable ARP packet rate limit trap.
   Command: snmp-agent trap enable arp rate-limit
   Remarks: Optional. Enabled by default.
   For more information, see the snmp-agent trap enable arp command in Network Management and Monitoring Command Reference.
3. Set the interval for sending trap and log messages when the ARP packet rate exceeds the specified threshold rate.
   Command: arp rate-limit information interval seconds
   Remarks: Optional. 60 seconds by default.
4. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Configure ARP packet rate limit.
   Command: arp rate-limit { disable | rate pps drop }
   Remarks: By default, ARP packet rate limit is disabled.
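The following model shows how the rate limit and the information interval interact: ARP packets above the configured pps in a given second are dropped, and instead of one message per excess second the device reports once per interval, carrying the peak rate seen in that interval. It is an added example, not code from the HP configuration guide or the switch; the per-second packet counts are constructed, the report is a plain (interval_start, peak_pps) tuple rather than the switch's real trap or log format, and treating the per-port evaluation on an aggregate interface as independent per member port follows the sentence above about member ports.

```python
"""Model of ARP packet rate limit with an information interval.
Added example, not code from the HP configuration guide or the switch."""


def apply_rate_limit(per_second_counts, pps_limit, interval_seconds=60):
    """per_second_counts[i] is the number of ARP packets that arrived on the interface
    during second i. Returns forwarded/dropped totals and one (interval_start, peak_pps)
    record per information interval in which the limit was exceeded."""
    forwarded = dropped = 0
    records = []
    interval_start, peak, exceeded = 0, 0, False
    for second, count in enumerate(per_second_counts):
        if second - interval_start >= interval_seconds:
            # end of an information interval: report once, with that interval's peak rate
            if exceeded:
                records.append((interval_start, peak))
            interval_start, peak, exceeded = second, 0, False
        forwarded += min(count, pps_limit)            # up to pps_limit reach the CPU
        dropped += max(0, count - pps_limit)          # the 'drop' keyword discards the rest
        if count > pps_limit:
            exceeded = True
        peak = max(peak, count)
    if exceeded:                                      # flush the last, partial interval
        records.append((interval_start, peak))
    return {"forwarded": forwarded, "dropped": dropped, "records": records}


def aggregate_interface(member_counts, pps_limit, interval_seconds=60):
    """On a Layer 2 aggregate interface the guide says messages are sent when a member
    port's rate exceeds the threshold, so each member port is evaluated on its own."""
    return {port: apply_rate_limit(counts, pps_limit, interval_seconds)
            for port, counts in member_counts.items()}


def constructed_traffic():
    """130 seconds of ARP traffic: 20 pps background with two bursts (constructed)."""
    counts = [20] * 130
    counts[10], counts[11], counts[12] = 150, 300, 250   # burst in the first interval
    counts[70] = 120                                     # smaller burst in the second
    return counts


def demo(pps_limit=100):
    return apply_rate_limit(constructed_traffic(), pps_limit, interval_seconds=60)


if __name__ == "__main__":
    result = demo(100)
    print(f"forwarded={result['forwarded']} dropped={result['dropped']}")
    for start, peak in result["records"]:
        print(f"interval starting at {start}s: ARP rate exceeded limit, peak {peak} pps")
```

With a limit of 100 pps and the default 60-second interval, the three-second burst at seconds 10 to 12 produces a single record with peak 300 pps, the burst at second 70 a second record with peak 120 pps, and the last ten seconds, which stay under the limit, produce none.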