
HP A 5120 Manual


Page 281

 
Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses
With this feature enabled, the switch compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses to prevent spoofing.
After you enable this feature for a VLAN: 
1. Upon receiving an ARP packet...

Page 282

 
To do… | Use the command… | Remarks
Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional. The port is an untrusted port by default.
 
NOTE:
• When configuring this feature, you need to configure ARP detection based on at least static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries. Otherwise, all ARP packets received from an ARP untrusted port will be discarded, except the ARP packets with an OUI MAC address...

Page 283

 
Configuring ARP restricted forwarding
ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports and have passed ARP detection in the following cases:
• If the packets are ARP requests, they are forwarded through the trusted ports.
• If the packets are ARP responses, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted ports.
Before performing the...

Page 284

 
Figure 84 Network diagram for ARP detection configuration 
 
 
Configuration procedure 
1. Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (details not shown)
2. Configure Switch A as a DHCP server.
# Configure DHCP address pool 0. 
<SwitchA> system-view
[SwitchA] dhcp enable 
[SwitchA] dhcp server ip-pool 0 
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 
3. Configure Host A as DHCP client, and Host B as user respectively. (details not...

Page 285

 
[SwitchB-GigabitEthernet1/0/3] quit 
# Enable the checking of the MAC addresses and IP addresses of ARP packets. 
[SwitchB] arp detection validate dst-mac ip src-mac 
After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, their MAC and IP addresses are checked, and then the packets are checked against the static IP source guard binding entries and finally DHCP snooping entries.
ARP...

Page 286

 
[SwitchB] interface gigabitethernet 1/0/1 
[SwitchB-Gigabitethernet 1/0/1] dot1x 
[SwitchB-Gigabitethernet 1/0/1] quit 
[SwitchB] interface gigabitethernet 1/0/2 
[SwitchB-Gigabitethernet 1/0/2] dot1x 
[SwitchB-Gigabitethernet 1/0/2] quit 
# Add local access user test. 
[SwitchB] local-user test 
[SwitchB-luser-test] service-type lan-access 
[SwitchB-luser-test] password simple test 
[SwitchB-luser-test] quit 
# Enable ARP detection for VLAN 10. 
[SwitchB] vlan 10 
[SwitchB-vlan10] arp detection...

Page 287

 
Figure 86 Network diagram for ARP restricted forwarding configuration 
 
 
Configuration procedure 
1. Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 86. (details not shown)
2. Configure the DHCP server on Switch A. 
# Configure DHCP address pool 0. 
<SwitchA> system-view
[SwitchA] dhcp enable 
[SwitchA] dhcp server ip-pool 0 
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 
3. Configure the DHCP client on Hosts A and B....

Page 288

 
[SwitchB-GigabitEthernet1/0/2] quit 
# Enable the checking of the MAC addresses and IP addresses of ARP packets. 
[SwitchB] arp detection validate dst-mac ip src-mac 
# Configure port isolation. 
[SwitchB] interface GigabitEthernet 1/0/1 
[SwitchB-GigabitEthernet1/0/1] port-isolate enable 
[SwitchB-GigabitEthernet1/0/1] quit 
[SwitchB] interface GigabitEthernet 1/0/2 
[SwitchB-GigabitEthernet1/0/2] port-isolate enable 
[SwitchB-GigabitEthernet1/0/2] quit 
After the preceding configurations are...

Page 289

 
To do… | Use the command… | Remarks
Enable ARP automatic scanning | arp scan [ start-ip-address to end-ip-address ] | Required
Return to system view | quit | —
Enable fixed ARP | arp fixup | Required
 
NOTE:
• IP addresses already existing in ARP entries are not scanned.
• ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
• The static ARP entries changed from dynamic ARP entries...

Page 290

 
NOTE:
• You can enable ARP gateway protection for up to eight gateways on a port.
• Commands arp filter source and arp filter binding cannot both be configured on a port.
• If ARP gateway protection works with ARP detection, ARP gateway protection applies first.
ARP gateway protection configuration example
Network requirements
As shown in Figure 87, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is...