HP A 5120 Manual
Page 291
The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries. If a match is found, the packet is handled normally. If not, the packet is discarded.
Configuration procedure
Follow these steps to configure ARP filtering:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Layer 2 Ethernet port view/Layer 2 aggregate interface view | interface interface-type interface-number | —
Configure an ARP filtering...
Page 292
system-view
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349-1233, and discard other ARP packets. GigabitEthernet 1/0/2...
Page 293
ND attack defense configuration
Introduction to ND attack defense
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. The ND...
Page 294
The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.
NOTE: For more information about the functions of the ND protocol, see the Layer 3—IP Services Configuration Guide.
Enabling source MAC consistency check for ND packets
Use source MAC consistency check on a gateway to filter out ND packets...
Page 295
NOTE:
To create IPv6 static bindings with IP source guard, use the user-bind ipv6 command. For more information, see the chapter “IP source guard configuration.”
The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, see the Layer 3—IP Services Configuration Guide.
The ND snooping table is created automatically by the ND snooping module. For more information, see the Layer 3—IP Services Configuration Guide.
Configuring ND detection...
Page 296
ND detection configuration example
Network requirements
As shown in Figure 90, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607. Enable ND detection on Switch B to filter out forged ND packets.
Figure 90 Network diagram for ND detection configuration
Configuration procedure
1. Configuring Switch A...
Page 297
[SwitchA-Vlan-interface10] quit
2. Configuring Switch B
# Enable IPv6 forwarding.
system-view
[SwitchB] ipv6
# Create VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] quit
# Assign ports GigabitEthernet 1/0/1 to GigabitEthernet 1/0/3 to VLAN 10.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface GigabitEthernet 1/0/2...
Page 298
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.com/support
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions
Subscription service
HP recommends that you register your product at the Subscribers Choice for...
Page 299
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one....
Page 300
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.