
HP A 5120 Manual


Page 271

 
[Switch-Vlan100] quit 
[Switch] interface vlan-interface 100 
[Switch-Vlan-interface100] ip check source ip-address mac-address 
[Switch-Vlan-interface100] quit 
2. Configure DHCP relay 
# Enable DHCP relay. 
[Switch] dhcp enable 
# Configure the IP address of the DHCP server. 
[Switch] dhcp relay server-group 1 ip 10.1.1.1 
# Configure VLAN-interface 100 to work in DHCP relay mode. 
[Switch] interface vlan-interface 100 
[Switch-Vlan-interface100] dhcp select relay 
# Correlate VLAN-interface...

Page 272

 
Verification 
# On the device, display the information about static IPv6 source guard binding entries. The output shows 
that the binding entry is configured successfully. 
[Device] display user-bind ipv6 
Total entries found: 1 
 MAC Address        IP Address        VLAN   Interface              Type 
 0001-0202-0202     2001::1           N/A    GE1/0/1                Static_IPv6 
Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example
Network requirements
As shown in...

Page 273

 
[Device] interface gigabitethernet 1/0/1 
[Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address 
[Device-GigabitEthernet1/0/1] quit 
Verification 
# Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1. 
[Device] display ip check source ipv6 
Total entries found: 1 
 MAC Address          IP Address        VLAN   Interface       Type 
 040a-0000-0001       2001::1           2      GE1/0/1         DHCPv6-SNP 
# Display all DHCPv6...

Page 274

 
# Configure dynamic IPv6 source guard binding of packet source IP address and MAC address on
GigabitEthernet 1/0/1 to filter packets based on the dynamically generated ND snooping entries.
[Device] interface gigabitethernet 1/0/1 
[Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address 
[Device-GigabitEthernet1/0/1] quit 
Verification
# Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1. 
[Device] display ip check source...

Page 275

 
ARP attack protection configuration 
ARP attack protection overview 
Although ARP is easy to implement, it provides no security mechanism and is prone to network attacks.
An attacker may send the following:
• ARP packets by acting as a trusted user or gateway so that the receiving devices obtain incorrect
  ARP entries. As a result, network attacks occur.
• A large number of IP packets with unreachable destinations. As a result, the receiving device...

Page 276

 
Task                                               Remarks
Configuring ARP detection                          Optional
                                                   Configure this function on access devices (recommended).
Configuring ARP automatic scanning and fixed ARP   Optional
                                                   Configure this function on gateways (recommended).
Configuring ARP gateway protection                 Optional
                                                   Configure this function on access devices (recommended).
Configuring ARP filtering                          Optional
                                                   Configure this function on access devices (recommended).
 
Configuring ARP defense against IP packet attacks 
Introduction 
If the...

Page 277

 
To do…                                       Use the command…               Remarks
Set the maximum number of packets with the   arp source-suppression limit   Optional
same source IP address but unresolvable      limit-value                    10 by default.
destination IP addresses that the switch
can receive in five consecutive seconds
 
Enabling ARP black hole routing 
Follow these steps to configure ARP black hole routing: 
To do…                          Use the command…             Remarks
Enter system view               system-view                  —
Enable ARP black hole routing   arp resolving-route enable   Optional
                                                             Enabled...

Page 278

 
configuration of the information center, see the Network Management and Monitoring Configuration
Guide.
Follow these steps to configure ARP packet rate limit: 
To do…                              Use the command…             Remarks
Enter system view                   system-view                  —
Enable ARP packet rate limit trap   snmp-agent trap enable arp   Optional
                                    rate-limit                   Enabled by default.
Set the interval for sending trap   arp rate-limit information
and log messages when ARP packet    interval seconds...
rate exceeds the specified
threshold rate

Page 279

 
To do…                             Use the command…                        Remarks
Enter system view                  system-view                             —
Enable source MAC address based    arp anti-attack source-mac              Required
ARP attack detection and specify   { filter | monitor }                    Disabled by default.
the detection mode
Configure the threshold            arp anti-attack source-mac threshold    Optional
                                   threshold-value                         50 by default.
Configure the age timer for ARP    arp anti-attack source-mac aging-time   Optional
attack detection entries           time                                    300 seconds by default.
Configure protected MAC...

Page 280

 
To do…                         Use the command…                     Remarks
Enable ARP packet source MAC   arp anti-attack valid-check enable   Required
address consistency check                                           Disabled by default.
 
Configuring ARP active acknowledgement 
Introduction 
The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry. For more information about...