HP 5500 Ei 5500 Si Switch Series Configuration Guide

Configuring URPF (available only on the HP 5500 EI)
    The term router in this feature refers to both routers and Layer 3 switches. 
    URPF overview 
    What is URPF 
    Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, 
    such as denial of service (DoS) and distributed denial of service (DDoS) attacks. 
    Attackers launch attacks by creating a series of packets with forged source addresses. For applications 
    using IP-address-based authentication, this type of attack allows unauthorized users to access the system 
    in the name of authorized users, or to even access the system as the administrator. Even if the attackers 
    cannot receive any response packets, the attacks are still disruptive to the attacked target. 
Figure 136 Attack based on source address spoofing
    As shown in Figure 136, Router A sends the server (Router B) requests with a forged source IP address 
    2.2.2.1 at a high rate, and Router B sends packets to IP address 2.2.2.1 (Router C) in response to the 
    requests. Consequently, both Router B and Router C are attacked. 
URPF can prevent this source address spoofing attack by checking the source addresses of packets and filtering out invalid packets.
    URPF check modes 
    URPF provides two check modes: strict and loose.  
    Strict URPF 
    To pass strict URPF check, the source address and receiving interface of a packet must match the 
    destination address and output interface of a forwarding information base (FIB) entry. 
    In some scenarios such as asymmetrical routing, strict URPF may discard valid packets. 
Strict URPF is often deployed between an internet service provider (ISP) and the connected users.
    Loose URPF 
To pass loose URPF check, the source address of a packet must match the destination address of a FIB entry. Loose URPF avoids discarding valid packets, but may let attack packets through.
Loose URPF is often deployed between ISPs, especially where routing is asymmetrical.
    How URPF works 
    URPF does not check multicast packets. 
URPF works in the following steps, as shown in Figure 137.
Figure 137 URPF work flow
1. URPF checks the source address validity:
   • Discards packets with a broadcast source address.
   • Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet, and is not discarded.)
   • For other packets, proceed to step 2.
2. URPF checks whether the source address matches a FIB entry:
   • If yes, proceed to step 3.
   • If not, proceed to step 6.
3. URPF checks whether the check mode is loose:
   • If yes, proceed to step 8.
   • If not, URPF checks whether the matching route is a direct route: if yes, proceed to step 5; if not, proceed to step 4.
4. URPF checks whether the receiving interface matches the output interface of the matching FIB entry:
   • If yes, proceed to step 8.
   • If not, proceed to step 9.
5. URPF checks whether the source IP address matches an ARP entry:
   • If yes, proceed to step 8.
   • If not, proceed to step 9.
6. URPF checks whether the FIB table has a default route:
   • If yes, proceed to step 7.
   • If not, proceed to step 9.
7. URPF checks whether the check mode is loose:
   • If yes, proceed to step 8.
   • If not, URPF checks whether the output interface of the default route matches the receiving interface of the packet: if yes, proceed to step 8; if not, proceed to step 9.
8. The packet passes the check and is forwarded.
9. The packet is discarded.
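The nine-step work flow above, written out as a small Python model so the strict and loose decisions can be traced packet by packet. This is an added editorial example, not HP code or a Comware feature: the FIB entries, ARP entries, interface names and packets are constructed sample data, and forwarding a 0.0.0.0 to 255.255.255.255 packet at step 1 without a FIB lookup is our reading of the note in that step.

```python
"""Model of the nine-step URPF work flow described above.
Added editorial example, not HP code: the FIB, ARP entries, interface names
and packets are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional, Tuple

BROADCAST = IPv4Address("255.255.255.255")
UNSPECIFIED = IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class FibEntry:
    """One forwarding information base (FIB) entry."""
    prefix: IPv4Network
    out_iface: str
    direct: bool = False  # True for a directly connected route


class Urpf:
    def __init__(self, fib: Iterable[FibEntry], arp: Iterable[str], mode: str):
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be 'strict' or 'loose'")
        self.mode = mode
        entries = list(fib)
        # The default route (0.0.0.0/0) is consulted separately in steps 6-7.
        self.default = next((e for e in entries if e.prefix.prefixlen == 0), None)
        self.routes = [e for e in entries if e.prefix.prefixlen != 0]
        self.arp = {ip_address(a) for a in arp}  # addresses that have an ARP entry

    def lookup(self, addr: IPv4Address) -> Optional[FibEntry]:
        """Longest-prefix match of addr against the non-default routes (step 2)."""
        best = None
        for e in self.routes:
            if addr in e.prefix and (best is None or e.prefix.prefixlen > best.prefix.prefixlen):
                best = e
        return best

    def check(self, src: str, dst: str, in_iface: str) -> Tuple[bool, str]:
        """Return (forward, reason) for a packet received on in_iface."""
        s, d = ip_address(src), ip_address(dst)
        # Step 1: source address validity.
        if s == BROADCAST:
            return False, "step 1: broadcast source address"
        if s == UNSPECIFIED:
            if d != BROADCAST:
                return False, "step 1: all-zero source with non-broadcast destination"
            # Assumption: a 0.0.0.0 -> 255.255.255.255 packet (possible DHCP/BOOTP)
            # is forwarded without a FIB lookup, since the text says it is not discarded.
            return True, "step 1: possible DHCP/BOOTP packet, not discarded"
        route = self.lookup(s)  # Step 2
        if route is None:
            if self.default is None:  # Step 6
                return False, "step 6: no matching route and no default route"
            if self.mode == "loose":  # Step 7
                return True, "step 7: default route present, loose mode"
            if self.default.out_iface == in_iface:
                return True, "step 7: default route exits via the receiving interface"
            return False, "step 7: default route does not exit via the receiving interface"
        if self.mode == "loose":  # Step 3
            return True, "step 3: source matches a FIB entry, loose mode"
        if route.direct:  # Step 5
            if s in self.arp:
                return True, "step 5: direct route and ARP entry present"
            return False, "step 5: direct route but no ARP entry for the source"
        if route.out_iface == in_iface:  # Step 4
            return True, "step 4: receiving interface matches the FIB output interface"
        return False, "step 4: receiving interface differs from the FIB output interface"


# Constructed sample data (not taken from the manual).
SAMPLE_FIB = [
    FibEntry(ip_network("10.1.1.0/24"), "GE1/0/1", direct=True),  # connected LAN
    FibEntry(ip_network("192.168.0.0/16"), "GE1/0/2"),            # learned via a peer
    FibEntry(ip_network("0.0.0.0/0"), "GE1/0/3"),                 # default route
]
SAMPLE_ARP = ["10.1.1.5"]
STRICT = Urpf(SAMPLE_FIB, SAMPLE_ARP, "strict")
LOOSE = Urpf(SAMPLE_FIB, SAMPLE_ARP, "loose")
NO_DEFAULT = Urpf(SAMPLE_FIB[:2], SAMPLE_ARP, "strict")  # same FIB without 0.0.0.0/0

SAMPLE_PACKETS = [  # (source, destination, receiving interface)
    ("192.168.1.1", "10.1.1.5", "GE1/0/2"),     # legitimate, symmetric path
    ("192.168.1.1", "10.1.1.5", "GE1/0/1"),     # spoofed (or asymmetric) source
    ("10.1.1.5", "192.168.1.1", "GE1/0/1"),     # connected host with an ARP entry
    ("10.1.1.99", "192.168.1.1", "GE1/0/1"),    # connected prefix, no ARP entry
    ("172.16.0.1", "10.1.1.5", "GE1/0/3"),      # only the default route matches
    ("172.16.0.1", "10.1.1.5", "GE1/0/1"),      # default route, wrong interface
    ("0.0.0.0", "255.255.255.255", "GE1/0/1"),  # DHCP discover style
]


def demo() -> list:
    """Run the sample packets through strict and loose URPF."""
    return [(p, STRICT.check(*p), LOOSE.check(*p)) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, strict, loose in demo():
        print(f"{pkt}: strict={strict[0]} ({strict[1]}); loose={loose[0]} ({loose[1]})")
```

The second sample packet is the case the section warns about: a source reachable only via GE1/0/2 arriving on GE1/0/1 is dropped by strict mode at step 4 but accepted by loose mode at step 3, which is why the text recommends loose mode wherever routing between ISPs is asymmetrical.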
    Network application 
Figure 138 Network diagram
    Configure strict URPF between each ISP and its connected users, and loose URPF between ISPs. 
    Configuring URPF 
To configure URPF globally:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable URPF check globally.
   Command: ip urpf { loose | strict }
   Remarks: Disabled by default.

NOTE:
• The routing table size decreases by half when URPF is enabled on the HP 5500 EI switches.
• To prevent loss of routes and packets, URPF cannot be enabled if the number of route entries the switch maintains exceeds half the routing table size.
    URPF configuration example 
    Network requirements 
As shown in Figure 139, a client (Switch A) directly connects to the ISP switch (Switch B). Enable URPF check on Switch A and Switch B to prevent source address spoofing attacks.
Figure 139 Network diagram
    Configuration procedure 
1. Configure Switch A:
# Enable strict URPF check.
<SwitchA> system-view
[SwitchA] ip urpf strict
2. Configure Switch B:
# Enable strict URPF check.
<SwitchB> system-view
[SwitchB] ip urpf strict
    Configuring SAVI 
    SAVI overview 
    Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between 
    addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source 
    Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol 
    packets, ND protocol packets, and IPv6 data packets.  
    SAVI can be used in the following address assignment scenarios:  
•   DHCPv6-only: The hosts connected to the SAVI-enabled device obtain addresses only through DHCPv6.
    •   SLAAC-only: The hosts connected to the SAVI-enabled device obtain addresses only through 
    Stateless Address Autoconfiguration (SLAAC).  
    •   DHCPv6+SLAAC: The hosts connected to the SAVI-enabled device obtain addresses through 
    DHCPv6 and SLAAC.  
    The following section describes SAVI configurations in these address assignment scenarios.  
Configuring global SAVI

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable the SAVI function.
   Command: ipv6 savi strict
   Remarks: Disabled by default.
Step 3. Set the time to wait for a duplicate address detection (DAD) NA.
   Command: ipv6 savi dad-delay value
   Remarks: Optional. One second by default. If no DAD NA is received within the specified time when the corresponding ND snooping entry is in detect state, the ND snooping entry changes to bound state.
Step 4. Set the time to wait for a DAD NS from a DHCPv6 client.
   Command: ipv6 savi dad-preparedelay value
   Remarks: Optional. One second by default. This command is used with the DHCPv6 snooping function. After DHCPv6 snooping detects that a client obtains an IPv6 address, it monitors whether the client detects IP address conflict. If DHCPv6 snooping does not receive any DAD NS from the client before the set time expires, SAVI sends a DAD NS on behalf of the client.

NOTE:
If a port on the SAVI-enabled device is down for three minutes or more, the device deletes the DHCPv6 snooping entries and ND snooping entries corresponding to the port.

SAVI configuration in DHCPv6-only address assignment scenario
    Network requirements 
Figure 140 Network diagram
As shown in Figure 140, Switch A is the DHCPv6 server. Switch B connects to the DHCPv6 server through interface GigabitEthernet 1/0/1, and connects to two DHCPv6 clients through interfaces GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. The three interfaces of Switch B belong to VLAN 2. The clients can obtain IP addresses only through DHCPv6. Configure SAVI on Switch B to automatically bind the IP addresses assigned through DHCPv6 and permit only packets from bound addresses and link-local addresses.
    Configuration considerations 
    Configure Switch B as follows: 
•   Enable SAVI.
•   Enable DHCPv6 snooping. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
•   Enable link-local address ND snooping. For more information about ND snooping, see Layer 3—IP Services Configuration Guide.
•   Enable ND detection in VLAN 2 to check the ND packets arriving on the ports. For more information about ND detection, see Configuring ND attack defense.
•   Configure a static IPv6 source guard binding entry on each interface connected to a client. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see Configuring IP source guard.
•   Configure dynamic IPv6 source guard binding on the interfaces connected to the clients. For more information about dynamic IPv6 source guard binding, see Configuring IP source guard.
    Packet check principles 
Switch B checks DHCPv6 protocol packets from DHCPv6 clients against link-local address ND snooping entries; checks ND protocol packets against link-local address ND snooping entries, DHCPv6 snooping entries, and static binding entries; and checks the IPv6 data packets from the clients against dynamic binding entries (including link-local address ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the clients and against static binding entries. The items to be examined include MAC address, IPv6 address, VLAN information, and ingress port.
    Configuration procedure 
# Enable SAVI.
<SwitchB> system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Globally enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp snooping enable
# Assign interfaces GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 2.
[SwitchB] vlan 2
[SwitchB-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3
# Enable DHCPv6 snooping in VLAN 2.
[SwitchB-vlan2] ipv6 dhcp snooping vlan enable
[SwitchB-vlan2] quit
# Configure interface GigabitEthernet 1/0/1 as a DHCPv6 snooping trusted port.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 dhcp snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Enable link-local address ND snooping and ND detection.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] vlan 2
[SwitchB-vlan2] ipv6 nd snooping enable
[SwitchB-vlan2] ipv6 nd detection enable
[SwitchB-vlan2] quit
# Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/3] quit
SAVI configuration in SLAAC-only address assignment scenario
    Network requirements 
Figure 141 Network diagram
As shown in Figure 141, Switch A serves as the gateway. Switch B connects Host A and Host B. The hosts can obtain IPv6 addresses only through SLAAC. Configure SAVI on Switch B to bind the addresses assigned through SLAAC and permit only packets from the bound addresses.
    Configuration considerations  
    Configure Switch B as follows: 
•   Enable SAVI.
•   Enable global unicast address ND snooping and link-local address ND snooping. For more information about ND snooping, see Layer 3—IP Services Configuration Guide.
•   Enable ND detection in VLAN 10 to check the ND packets arriving on the ports. For more information about ND detection, see Configuring ND attack defense.
•   Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see Configuring IP source guard.
•   Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more information about dynamic IPv6 source guard binding, see Configuring IP source guard.
•   Enable DHCPv6 snooping and leave the interface connected to the gateway in its default status (untrusted port) so that the hosts cannot obtain IP addresses through DHCPv6. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide.
[Figure 141 labels: Switch A (gateway, Vlan-int10 10::1, connected to the Internet); Switch B (VLAN 10; GE1/0/3 uplink to Switch A; GE1/0/1 and GE1/0/2 to Host A and Host B); hosts 10::5 (MAC 0001-0203-0405) and 10::6 (MAC 0001-0203-0607)]
    Packet check principles 
Switch B checks ND protocol packets against ND snooping entries and static binding entries; and checks the IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries) applied on the interfaces connected to the hosts and against static binding entries. The items to be examined include MAC address, IPv6 address, VLAN information, and ingress port.
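The packet check principles for both scenarios, the DHCPv6-only one in the previous section and the SLAAC-only one above, expressed as a small Python model: each packet kind is matched against only the binding sources the text names for that scenario, and a match requires all four examined items (IPv6 address, MAC address, VLAN, ingress port) to agree. This is an added editorial example, not HP code: the binding table, addresses, MACs, VLAN and port names are constructed sample data, and because the page does not describe how DHCPv6 protocol packets are checked in the SLAAC-only scenario, the model returns no verdict for that combination rather than inventing one.

```python
"""Model of the SAVI packet check principles for the DHCPv6-only and
SLAAC-only scenarios. Added editorial example, not HP code: bindings,
addresses, MACs, VLAN and port names are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address
from typing import Iterable, Optional, Tuple


class Kind(Enum):
    DHCPV6 = "DHCPv6 protocol packet"
    ND = "ND protocol packet"
    DATA = "IPv6 data packet"


@dataclass(frozen=True)
class Binding:
    """One address-to-port binding holding the four items SAVI examines."""
    ipv6: str
    mac: str
    vlan: int
    port: str
    source: str  # feature that created it, one of BINDING_SOURCES


BINDING_SOURCES = {"nd-linklocal", "nd-global", "dhcpv6", "static"}

# Binding sources each packet kind is checked against, per scenario, as the
# "Packet check principles" text describes them.
POLICY = {
    "dhcpv6-only": {
        Kind.DHCPV6: {"nd-linklocal"},
        Kind.ND: {"nd-linklocal", "dhcpv6", "static"},
        Kind.DATA: {"nd-linklocal", "dhcpv6", "static"},
    },
    "slaac-only": {
        # The page describes no DHCPv6-packet check here, so none is modelled.
        Kind.ND: {"nd-linklocal", "nd-global", "static"},
        Kind.DATA: {"nd-linklocal", "nd-global", "static"},
    },
}


def _key(ipv6: str, mac: str, vlan: int, port: str) -> Tuple[str, str, int, str]:
    """Canonical (IPv6, MAC, VLAN, port) tuple so 2001:0db8::10 equals 2001:db8::10."""
    return str(ip_address(ipv6)), mac.lower(), vlan, port


class Savi:
    def __init__(self, scenario: str, bindings: Iterable[Binding]):
        self.rules = POLICY[scenario]
        self.table = []  # list of (source, canonical key)
        for b in bindings:
            if b.source not in BINDING_SOURCES:
                raise ValueError(f"unknown binding source {b.source!r}")
            self.table.append((b.source, _key(b.ipv6, b.mac, b.vlan, b.port)))

    def check(self, kind: Kind, src_ipv6: str, src_mac: str, vlan: int,
              port: str) -> Tuple[Optional[bool], str]:
        """Return (permitted, reason); permitted is None if the scenario defines no rule."""
        allowed = self.rules.get(kind)
        if allowed is None:
            return None, f"no check defined for {kind.value} in this scenario"
        key = _key(src_ipv6, src_mac, vlan, port)
        for source, bound in self.table:
            if source in allowed and bound == key:
                return True, f"matches {source} binding"
        return False, "no %s binding matches (IPv6, MAC, VLAN, ingress port)" % "/".join(sorted(allowed))


# Constructed sample bindings on the access switch (not taken from the manual).
SAMPLE_BINDINGS = [
    Binding("fe80::1", "0001-0203-0405", 2, "GE1/0/2", "nd-linklocal"),
    Binding("2001:db8::10", "0001-0203-0405", 2, "GE1/0/2", "dhcpv6"),
    Binding("fe80::2", "0001-0203-0607", 2, "GE1/0/3", "nd-linklocal"),
    Binding("2001:db8::20", "0001-0203-0607", 2, "GE1/0/3", "static"),
]
DHCPV6_ONLY = Savi("dhcpv6-only", SAMPLE_BINDINGS)
SLAAC_ONLY = Savi("slaac-only", SAMPLE_BINDINGS)


def demo() -> list:
    """Constructed packets: a bound host, a port move, and a neighbour-address spoof."""
    cases = [
        (Kind.DATA, "2001:db8::10", "0001-0203-0405", 2, "GE1/0/2"),    # bound host
        (Kind.DATA, "2001:db8::10", "0001-0203-0405", 2, "GE1/0/3"),    # same host, other port
        (Kind.DATA, "2001:db8::10", "0001-0203-0607", 2, "GE1/0/3"),    # neighbour's address, own MAC
        (Kind.DHCPV6, "fe80::1", "0001-0203-0405", 2, "GE1/0/2"),       # DHCPv6 from bound link-local
        (Kind.DHCPV6, "2001:db8::10", "0001-0203-0405", 2, "GE1/0/2"),  # DHCPv6 from global address
    ]
    return [(c, DHCPV6_ONLY.check(*c), SLAAC_ONLY.check(*c)) for c in cases]


if __name__ == "__main__":
    for case, d, s in demo():
        print(f"{case[0].value} {case[1]} {case[2]} vlan {case[3]} {case[4]}: "
              f"dhcpv6-only={d}, slaac-only={s}")
```

Two of the sample cases show why all four items are examined together: the same address and MAC arriving on a different port, or a neighbour's address combined with the sender's own MAC, both fail even though each individual field exists somewhere in the binding table. The last case shows the DHCPv6-only rule that DHCPv6 protocol packets are validated only against link-local ND snooping entries, so a client sourcing them from its global address is rejected.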
    Configuration procedure 
# Enable SAVI.
<SwitchB> system-view
[SwitchB] ipv6 savi strict
# Enable IPv6.
[SwitchB] ipv6
# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3
[SwitchB-vlan10] quit
# Enable global unicast address ND snooping and link-local address ND snooping.
[SwitchB] ipv6 nd snooping enable link-local
[SwitchB] ipv6 nd snooping enable global
[SwitchB] vlan 10
[SwitchB-vlan10] ipv6 nd snooping enable
# Enable ND detection.
[SwitchB-vlan10] ipv6 nd detection enable
[SwitchB-vlan10] quit
# Enable DHCPv6 snooping.
[SwitchB] ipv6 dhcp snooping enable
# Configure uplink port GigabitEthernet 1/0/3 as an ND trusted port.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 nd detection trust
[SwitchB-GigabitEthernet1/0/3] quit
# Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address
[SwitchB-GigabitEthernet1/0/2] quit