HP A 5120 Manual

    [Switch-Vlan100] quit 
    [Switch] interface vlan-interface 100 
    [Switch-Vlan-interface100] ip check source ip-address mac-address 
    [Switch-Vlan-interface100] quit 
    2. Configure DHCP relay 
    # Enable DHCP relay. 
    [Switch] dhcp enable 
    # Configure the IP address of the DHCP server. 
    [Switch] dhcp relay server-group 1 ip 10.1.1.1 
    # Configure VLAN-interface 100 to work in DHCP relay mode. 
    [Switch] interface vlan-interface 100 
    [Switch-Vlan-interface100] dhcp select relay 
    # Correlate VLAN-interface 100 with DHCP server group 1.
    [Switch-Vlan-interface100] dhcp relay server-select 1 
    [Switch-Vlan-interface100] quit 
    Verification 
    # Display the generated dynamic IPv4 source guard binding entries. 
    [Switch] display ip check source 
    Total entries found: 1 
     MAC Address       IP Address     VLAN   Interface              Type 
     0001-0203-0406    192.168.0.1    100    Vlan100                DHCP-RLY 
    Static IPv6 source guard binding entry configuration example 
    Network requirements 
    As shown in Figure 81, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a static IPv6 source guard binding entry for GigabitEthernet 1/0/1 of the device to allow only packets from the host to pass.
    Figure 81 Network diagram for configuring static IPv6 source guard binding entries
    (The diagram shows the host, IP 2001::1, MAC 0001-0202-0202, connected to port GE1/0/1 of the device, which connects to the Internet.)

    Configuration procedure
    # Configure port GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
    <Device> system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] user-bind ipv6 ip-address 2001::1 mac-address 0001-0202-0202
    [Device-GigabitEthernet1/0/1] quit
    Verification 
    # On the device, display the information about static IPv6 source guard binding entries. The output shows 
    that the binding entry is configured successfully. 
    [Device] display user-bind ipv6 
    Total entries found: 1 
     MAC Address        IP Address        VLAN   Interface              Type 
     0001-0202-0202     2001::1           N/A    GE1/0/1                Static_IPv6 
    Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example
    Network requirements
    As shown in Figure 82, the device connects to the host (DHCPv6 client) and the DHCPv6 server through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively.
    Enable DHCPv6 and DHCPv6 snooping on the device, so that the host can obtain an IPv6 address through the DHCPv6 server and the IPv6 address and the MAC address of the host can be recorded in a DHCPv6 snooping entry.
    Enable the dynamic IPv6 source guard binding function on port GigabitEthernet 1/0/1 of the device to filter packets based on DHCPv6 snooping entries, allowing only packets from a client that obtains an IPv6 address through the DHCPv6 server to pass.
    Figure 82 Network diagram for configuring dynamic IPv6 source guard binding by DHCPv6 snooping
    (The diagram shows the host on GE1/0/1 and the DHCPv6 server on GE1/0/2 of the device, which runs DHCPv6 snooping, in VLAN 2.)

    Configuration procedure
    1. Configure DHCPv6 snooping
    # Enable DHCPv6 snooping globally.
    <Device> system-view
    [Device] ipv6 dhcp snooping enable
    # Enable DHCPv6 snooping in VLAN 2.
    [Device] vlan 2
    [Device-vlan2] ipv6 dhcp snooping vlan enable
    [Device-vlan2] quit
    # Configure the port connecting to the DHCPv6 server as a trusted port.
    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
    [Device-GigabitEthernet1/0/2] quit
    2. Configure the dynamic IPv6 source guard binding function
    # Configure dynamic IPv6 source guard binding of packet source IP address and MAC address on GigabitEthernet 1/0/1 to filter packets based on the dynamically generated DHCPv6 snooping entries.
    [Device] interface gigabitethernet 1/0/1 
    [Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address 
    [Device-GigabitEthernet1/0/1] quit 
    Verification 
    # Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1. 
    [Device] display ip check source ipv6 
    Total entries found: 1 
     MAC Address          IP Address        VLAN   Interface       Type 
     040a-0000-0001       2001::1           2      GE1/0/1         DHCPv6-SNP 
    # Display all DHCPv6 snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1/0/1.
    [Device] display ipv6 dhcp snooping user-binding dynamic 
    IP Address                     MAC Address    Lease      VLAN Interface 
    ============================== ============== ========== ==== ================== 
    2001::1                        040a-0000-0001 286        2    GigabitEthernet1/0/1 
    ---   1 DHCPv6 snooping item(s) found   --- 
    The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the DHCPv6 snooping entry.
    Dynamic IPv6 source guard binding by ND snooping configuration example
    Network requirements
    The client is connected to the device through port GigabitEthernet 1/0/1.
    Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages.
    Enable the dynamic IPv6 source guard binding function on port GigabitEthernet 1/0/1 to filter packets based on ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.
    Figure 83 Network diagram for configuring dynamic IPv6 source guard binding by ND snooping
    (The diagram shows the client on GE1/0/1 of the device, which runs ND snooping in VLAN 2, and the IP network on GE1/0/2.)

    Configuration procedure
    1. Configure ND snooping
    # In VLAN 2, enable ND snooping.
    <Device> system-view
    [Device] vlan 2
    [Device-vlan2] ipv6 nd snooping enable
    [Device-vlan2] quit
    2. Configure the dynamic IPv6 source guard binding function
    # Configure dynamic IPv6 source guard binding of packet source IP address and MAC address on GigabitEthernet 1/0/1 to filter packets based on the dynamically generated ND snooping entries.
    [Device] interface gigabitethernet 1/0/1 
    [Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address 
    [Device-GigabitEthernet1/0/1] quit 
    Verification
    # Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1. 
    [Device] display ip check source ipv6 
    Total entries found: 1 
     MAC Address          IP Address        VLAN   Interface       Type 
     040a-0000-0001       2001::1           2      GE1/0/1         ND-SNP 
    # Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 1/0/1.
    [Device] display ipv6 nd snooping 
    IPv6 Address                   MAC Address     VID  Interface       Aging Status 
    2001::1                        040a-0000-0001  2     GE1/0/1        25     Bound 
    ---- Total entries: 1 ---- 
    The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 based on the ND snooping entry.
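The verification steps in this example and in the DHCPv6 snooping example above compare the source guard table with the snooping table by eye. The following Python script is an added example, not part of the HP manual: it parses the three display outputs in the column layouts shown on this page and reports every source guard entry that has no matching snooping entry (or a different VLAN or interface), plus every snooping entry without a source guard entry. The sample outputs are constructed for the example; the parsing rules and the assumption that GigabitEthernet1/0/1 and GE1/0/1 name the same port are mine, taken from the output shown above.

```python
"""Cross-check dynamic IPv6 source guard entries against the snooping entries
they were generated from (the check the verification steps above do by eye).

Added example, not part of the HP manual. Assumptions: the parsers target the
column layouts of the display output shown on this page, and the interface
name forms GigabitEthernet1/0/1 and GE1/0/1 refer to the same port."""
import re

# Constructed sample output, modelled on the displays shown above.
SOURCE_GUARD_OUTPUT = """\
Total entries found: 2
 MAC Address          IP Address        VLAN   Interface       Type
 040a-0000-0001       2001::1           2      GE1/0/1         DHCPv6-SNP
 040a-0000-0002       2001::2           2      GE1/0/1         ND-SNP
"""

DHCPV6_SNOOPING_OUTPUT = """\
IP Address                     MAC Address    Lease      VLAN Interface
============================== ============== ========== ==== ==================
2001::1                        040a-0000-0001 286        2    GigabitEthernet1/0/1
---   1 DHCPv6 snooping item(s) found   ---
"""

ND_SNOOPING_OUTPUT = """\
IPv6 Address                   MAC Address     VID  Interface       Aging Status
2001::2                        040a-0000-0002  2     GE1/0/1        25     Bound
2001::3                        040a-0000-0003  2     GE1/0/2        25     Bound
---- Total entries: 2 ----
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


def normalize_interface(name):
    """Map the long interface name to the short form used by 'display ip check source'."""
    return name.replace("GigabitEthernet", "GE")


def parse_source_guard(text):
    """'display ip check source ipv6' -> {(ip, mac): (vlan, interface, type)}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()           # MAC IP VLAN Interface Type
        if len(fields) == 5 and MAC_RE.match(fields[0]):
            mac, ip, vlan, iface, kind = fields
            entries[(ip.lower(), mac)] = (vlan, normalize_interface(iface), kind)
    return entries


def parse_dhcpv6_snooping(text):
    """'display ipv6 dhcp snooping user-binding dynamic' -> {(ip, mac): (vlan, interface)}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()           # IP MAC Lease VLAN Interface
        if len(fields) == 5 and MAC_RE.match(fields[1]):
            ip, mac, _lease, vlan, iface = fields
            entries[(ip.lower(), mac)] = (vlan, normalize_interface(iface))
    return entries


def parse_nd_snooping(text):
    """'display ipv6 nd snooping' -> {(ip, mac): (vlan, interface)}, Bound entries only."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()           # IP MAC VID Interface Aging Status
        if len(fields) == 6 and MAC_RE.match(fields[1]) and fields[5] == "Bound":
            ip, mac, vlan, iface, _aging, _status = fields
            entries[(ip.lower(), mac)] = (vlan, normalize_interface(iface))
    return entries


def check_consistency(guard, snooping_by_type):
    """Return a list of findings (empty means the tables agree).

    snooping_by_type maps the Type column value (e.g. 'DHCPv6-SNP') to the
    parsed snooping table that type of guard entry is generated from."""
    findings = []
    for (ip, mac), (vlan, iface, kind) in guard.items():
        source = snooping_by_type.get(kind)
        if source is None:
            findings.append(f"{ip}/{mac}: no snooping table supplied for type {kind}")
        elif (ip, mac) not in source:
            findings.append(f"{ip}/{mac}: guard entry has no matching {kind} entry")
        elif source[(ip, mac)] != (vlan, iface):
            findings.append(f"{ip}/{mac}: VLAN or interface differs from the {kind} entry")
    # A snooping entry without a guard entry is not necessarily an error (the
    # guard function may not be enabled on that port), but it is worth a look.
    for kind, source in snooping_by_type.items():
        for ip, mac in source:
            if (ip, mac) not in guard:
                findings.append(f"{ip}/{mac}: {kind} entry has no guard entry")
    return findings


if __name__ == "__main__":
    guard = parse_source_guard(SOURCE_GUARD_OUTPUT)
    tables = {"DHCPv6-SNP": parse_dhcpv6_snooping(DHCPV6_SNOOPING_OUTPUT),
              "ND-SNP": parse_nd_snooping(ND_SNOOPING_OUTPUT)}
    for finding in check_consistency(guard, tables) or ["tables are consistent"]:
        print(finding)
```

On the constructed data the only finding is the ND snooping entry for 2001::3 on GE1/0/2, where the guard function is not enabled; the two entries on GE1/0/1 match their snooping entries exactly. Feed the script the real display output captured from the switch to run the same check.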
    Troubleshooting IP source guard 
    Neither static binding entries nor the dynamic binding function can be configured
    Symptom
    Failed to configure static binding entries or dynamic binding on a port.
    Analysis
    IP source guard is not supported on a port in an aggregation group.
    Solution
    Remove the port from the aggregation group.
    ARP attack protection configuration 
    ARP attack protection overview 
    Although ARP is easy to implement, it provides no security mechanism and is prone to network attacks. An attacker may send the following:
    • ARP packets by acting as a trusted user or gateway, so that the receiving devices obtain incorrect ARP entries. As a result, network attacks occur.
    • A large number of IP packets with unreachable destinations. As a result, the receiving device continuously resolves destination IP addresses and its CPU is overloaded.
    • A large number of ARP packets to create a great impact on the CPU.
    For more information about ARP attack features and types, see ARP Attack Protection Technology White Paper.
    ARP attacks and viruses threaten LAN security. The switch can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
    ARP attack protection configuration task list
    Complete the following tasks to configure ARP attack protection:
    Flood prevention
    • Configuring ARP defense against IP packet attacks
      • Configuring ARP source suppression: Optional. Configure this function on gateways (recommended).
      • Enabling ARP black hole routing: Optional. Configure this function on gateways (recommended).
    • Configuring ARP packet rate limit: Optional. Configure this function on access devices (recommended).
    • Configuring source MAC address based ARP attack detection: Optional. Configure this function on gateways (recommended).
    User and gateway spoofing prevention
    • Configuring ARP packet source MAC address consistency check: Optional. Configure this function on gateways (recommended).
    • Configuring ARP active acknowledgement: Optional. Configure this function on gateways (recommended).
    • Configuring ARP detection: Optional. Configure this function on access devices (recommended).
    • Configuring ARP automatic scanning and fixed ARP: Optional. Configure this function on gateways (recommended).
    • Configuring ARP gateway protection: Optional. Configure this function on access devices (recommended).
    • Configuring ARP filtering: Optional. Configure this function on access devices (recommended).
     
    Configuring ARP defense against IP packet attacks 
    Introduction 
    If the switch receives a large number of IP packets from a host addressed to unreachable destinations:
    • The switch sends a large number of ARP requests to the destination subnets, and thus the load of the destination subnets increases.
    • The switch keeps trying to resolve destination IP addresses, which increases the load on the CPU.
    To protect the switch from IP packet attacks, you can enable the ARP source suppression function or the ARP black hole routing function.
    If the packets have the same source address, you can enable the ARP source suppression function. With the function enabled, whenever the number of ARP requests triggered by the packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the switch suppresses the packets of the sending host from triggering any ARP requests within the following five seconds.
    If the packets have various source addresses, you can enable the ARP black hole routing function. After receiving an IP packet whose destination IP address cannot be resolved by ARP, the switch with this function enabled immediately creates a black hole route and simply drops all packets matching the route during the aging time of the black hole route.
    Configuring ARP source suppression 
    Follow these steps to configure ARP source suppression:
    1. Enter system view.
       Command: system-view
    2. Enable ARP source suppression.
       Command: arp source-suppression enable
       Remarks: Required. Disabled by default.
    3. Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the switch can receive in five consecutive seconds.
       Command: arp source-suppression limit limit-value
       Remarks: Optional. 10 by default.
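To make the source suppression rule concrete, the following Python model is an added example and not HP code: it counts, per source IP, the packets with unresolvable destinations that would trigger an ARP request, and once more than the limit (10 by default) arrive within five seconds it suppresses that source for the following five seconds, while other sources are unaffected. The page does not say whether the five-second window is fixed or sliding, whether the packet that exceeds the limit is itself suppressed, or exactly when the suppression period begins; the model assumes a fixed window starting with the first counted packet, suppresses the exceeding packet, and starts suppression when the window ends.

```python
"""Model of the ARP source suppression rule described above (added example,
not HP code). It counts, per source IP, the packets with unresolvable
destination IP addresses that would trigger an ARP request; once the count
within five seconds exceeds the limit (10 by default), the source triggers
no ARP requests for the following five seconds.

Assumptions not stated on the page: the five-second window is fixed and starts
with the first counted packet from a source, the packet that pushes the count
over the limit is itself suppressed, and suppression starts when the window
ends."""

WINDOW_SECONDS = 5      # counting period from the page
SUPPRESS_SECONDS = 5    # suppression period from the page


class ArpSourceSuppression:
    def __init__(self, limit=10, enabled=True):
        self.limit = limit             # arp source-suppression limit limit-value
        self.enabled = enabled         # arp source-suppression enable
        self._windows = {}             # src_ip -> (window_start, count)
        self._suppressed_until = {}    # src_ip -> time when suppression ends
        self.suppressed_packets = 0    # packets that triggered no ARP request

    def may_trigger_arp(self, src_ip, now):
        """Call once per IP packet whose destination cannot be resolved.
        Returns True if the switch may send an ARP request for it."""
        if not self.enabled:
            return True
        until = self._suppressed_until.get(src_ip)
        if until is not None:
            if now < until:
                self.suppressed_packets += 1
                return False
            del self._suppressed_until[src_ip]     # suppression period is over
        start, count = self._windows.get(src_ip, (now, 0))
        if now - start >= WINDOW_SECONDS:          # window expired: start a new one
            start, count = now, 0
        count += 1
        if count > self.limit:
            # Threshold exceeded: no ARP requests for this host until five
            # seconds after the current window ends.
            self._suppressed_until[src_ip] = start + WINDOW_SECONDS + SUPPRESS_SECONDS
            self._windows.pop(src_ip, None)
            self.suppressed_packets += 1
            return False
        self._windows[src_ip] = (start, count)
        return True

    def suppressed_sources(self, now):
        """Source IPs currently being suppressed."""
        return sorted(ip for ip, until in self._suppressed_until.items() if now < until)


def replay(suppression, packets):
    """Feed (time, src_ip) tuples through the model; return the decisions."""
    return [suppression.may_trigger_arp(src_ip, t) for t, src_ip in packets]


if __name__ == "__main__":
    model = ArpSourceSuppression(limit=10)
    # Constructed burst: one host sends 12 packets to unresolvable destinations
    # within 1.2 s, another host sends one packet.
    burst = [(0.1 * i, "10.1.1.5") for i in range(12)] + [(1.0, "10.1.1.6")]
    print(replay(model, burst))
    print("suppressed:", model.suppressed_sources(1.2))
```

The model makes the trade-off visible: a host that legitimately scans many unreachable addresses loses ARP resolution for five seconds at a time, which is why the feature is recommended for gateways and why the limit is tunable.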
     
    Enabling ARP black hole routing 
    Follow these steps to configure ARP black hole routing:
    1. Enter system view.
       Command: system-view
    2. Enable ARP black hole routing.
       Command: arp resolving-route enable
       Remarks: Optional. Enabled by default.
     
    Displaying and maintaining ARP defense against IP packet attacks
    Display the ARP source suppression configuration information:
       Command: display arp source-suppression [ | { begin | exclude | include } regular-expression ]
       Remarks: Available in any view.
     
    Configuring ARP packet rate limit 
    Introduction 
    This feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled switch, the CPU of the switch may become overloaded because all of the ARP packets are redirected to the CPU for checking. As a result, the switch fails to deliver other functions properly or even crashes. To prevent this, configure ARP packet rate limit.
    Enable this feature after the ARP detection is configured or use this feature to prevent ARP flood attacks. 
    Configuring ARP packet rate limit 
    When the ARP packet rate exceeds the rate limit set on an interface, the switch with ARP packet rate limit enabled sends trap and log messages to report the event. To avoid too many trap and log messages, you can set the interval for sending such messages. Within each interval, the switch outputs the peak ARP packet rate in the trap and log messages.
    Trap and log messages are generated only after the trap function of ARP packet rate limit is enabled.
    Trap and log messages are sent to the information center of the switch. You can set the parameters of the information center to determine the output rules of trap and log messages. The output rules specify whether the messages are allowed to be output and where they are bound for. For the parameter configuration of the information center, see the Network Management and Monitoring Configuration Guide.
    Follow these steps to configure ARP packet rate limit:
    1. Enter system view.
       Command: system-view
    2. Enable the ARP packet rate limit trap.
       Command: snmp-agent trap enable arp rate-limit
       Remarks: Optional. Enabled by default.
    3. Set the interval for sending trap and log messages when the ARP packet rate exceeds the specified threshold rate.
       Command: arp rate-limit information interval seconds
       Remarks: Optional. 60 seconds by default.
    4. Enter Layer 2 Ethernet port view or Layer 2 aggregate interface view.
       Command: interface interface-type interface-number
    5. Configure ARP packet rate limit.
       Command: arp rate-limit { disable | rate pps drop }
       Remarks: Required. Disabled by default.

    NOTE:
    • If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent when the ARP packet rate of a member port exceeds the preset threshold rate.
    • For more information about the snmp-agent trap enable arp rate-limit command, see the Network Management and Monitoring Command Reference.
    Configuring source MAC address based ARP attack detection
    Introduction
    This feature allows the switch to check the source MAC address of ARP packets delivered to the CPU. If the number of ARP packets from a MAC address exceeds a specified threshold within five seconds, the switch considers this an attack and adds the MAC address to the attack detection table. Before the attack detection entry is aged out, the switch generates a log message upon receiving an ARP packet sourced from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode), or only generates a log message upon receiving an ARP packet sourced from that MAC address (in monitor mode).
    A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from being discarded, you can specify the MAC address of the gateway or server as a protected MAC address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
    Configuration procedure 
    Follow these steps to configure source MAC address based ARP attack detection:
    1. Enter system view.
       Command: system-view
    2. Enable source MAC address based ARP attack detection and specify the detection mode.
       Command: arp anti-attack source-mac { filter | monitor }
       Remarks: Required. Disabled by default.
    3. Configure the threshold.
       Command: arp anti-attack source-mac threshold threshold-value
       Remarks: Optional. 50 by default.
    4. Configure the age timer for ARP attack detection entries.
       Command: arp anti-attack source-mac aging-time time
       Remarks: Optional. 300 seconds by default.
    5. Configure protected MAC addresses.
       Command: arp anti-attack source-mac exclude-mac mac-address&
       Remarks: Optional. No protected MAC address is configured by default.

    NOTE:
    After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can be processed normally.
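The following Python model is an added example, not HP code, showing how the threshold, aging time, detection mode and protected MAC addresses described above fit together: ARP packets delivered to the CPU are counted per source MAC, a MAC that exceeds the threshold within five seconds enters the attack detection table for the aging time, every packet from it is then logged and (in filter mode) dropped, and a protected MAC is never counted. As with the source suppression model, the page does not state whether the five-second window is fixed or sliding, nor whether the packet that exceeds the threshold is itself dropped; the model assumes a fixed window and drops that packet.

```python
"""Model of source MAC address based ARP attack detection as described above
(added example, not HP code). ARP packets delivered to the CPU are counted per
source MAC; when more than the threshold (50 by default) arrive within five
seconds, the MAC enters the attack detection table for the aging time (300 s
by default). While the entry exists, every ARP packet from that MAC produces
a log message and, in filter mode, is dropped. Protected MACs (exclude-mac)
are never counted.

Assumptions not stated on the page: the five-second window is fixed and starts
with the first counted packet, and the packet that exceeds the threshold is
itself logged and (in filter mode) dropped."""

WINDOW_SECONDS = 5


class SourceMacArpDetection:
    def __init__(self, mode="filter", threshold=50, aging_time=300, exclude_macs=()):
        if mode not in ("filter", "monitor"):   # arp anti-attack source-mac { filter | monitor }
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.mode = mode
        self.threshold = threshold              # arp anti-attack source-mac threshold
        self.aging_time = aging_time            # arp anti-attack source-mac aging-time
        self.exclude_macs = {m.lower() for m in exclude_macs}   # exclude-mac
        self._counts = {}       # mac -> (window_start, count)
        self._entries = {}      # attack detection table: mac -> expiry time
        self.log = []           # log messages the switch would generate

    def _age_out(self, now):
        for mac in [m for m, expiry in self._entries.items() if expiry <= now]:
            del self._entries[mac]      # expired entry: MAC is processed normally again

    def handle_arp(self, src_mac, now):
        """Process one ARP packet delivered to the CPU at time 'now' (seconds).
        Returns True if the packet is processed normally, False if filtered."""
        mac = src_mac.lower()
        self._age_out(now)
        if mac in self.exclude_macs:
            return True                 # protected MAC: excluded from detection
        if mac in self._entries:
            self.log.append(f"{now:.2f}s ARP packet from attacker MAC {mac}")
            return self.mode == "monitor"
        start, count = self._counts.get(mac, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, count = now, 0       # new five-second window
        count += 1
        self._counts[mac] = (start, count)
        if count > self.threshold:
            self._entries[mac] = now + self.aging_time
            del self._counts[mac]
            self.log.append(f"{now:.2f}s ARP packet from attacker MAC {mac}")
            return self.mode == "monitor"
        return True

    def attackers(self, now):
        """MACs currently in the attack detection table
        (what 'display arp anti-attack source-mac' would list)."""
        self._age_out(now)
        return sorted(self._entries)


if __name__ == "__main__":
    det = SourceMacArpDetection(mode="filter", exclude_macs=["0001-0203-0406"])
    # Constructed burst: 60 ARP packets from one MAC within 0.6 s.
    decisions = [det.handle_arp("000f-e200-0001", 0.01 * i) for i in range(60)]
    print("passed:", decisions.count(True), "filtered:", decisions.count(False))
    print("attack table:", det.attackers(1.0))
    print(det.log[0])
```

Running the model in monitor mode first, as the table allows, shows which MACs would be filtered before any traffic is dropped; that is the usual way to validate the threshold against a gateway or server that sends many ARP packets before deciding whether to protect it with exclude-mac.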
    Displaying and maintaining source MAC address based ARP attack detection
    Display attacking MAC addresses detected by source MAC address based ARP attack detection:
       Command: display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
       Remarks: Available in any view.
     
    Configuring ARP packet source MAC address consistency check
    Introduction
    This feature enables a gateway device to filter out ARP packets whose source MAC address in the Ethernet header differs from the sender MAC address in the message body, so that the gateway device can learn correct ARP entries.
    Configuration procedure 
    Follow these steps to enable ARP packet source MAC address consistency check:
    1. Enter system view.
       Command: system-view
    2. Enable ARP packet source MAC address consistency check.
       Command: arp anti-attack valid-check enable
       Remarks: Required. Disabled by default.
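The check itself is a comparison of two fields in the frame. The following Python code is an added example, not HP code: it parses an Ethernet II frame carrying an IPv4 ARP packet, extracts the Ethernet source MAC and the sender hardware address from the ARP body, and accepts the frame only when they agree, which is the filtering the valid-check feature is described as doing. The frames are constructed for the example; the exact packet fields the switch inspects beyond these two are not stated on the page.

```python
"""ARP packet source MAC address consistency check (added example, not HP
code): parse an Ethernet II frame carrying IPv4 ARP and accept it only if the
Ethernet source MAC equals the sender hardware address in the ARP body, which
is the comparison the valid-check feature above is described as making.
The frames are constructed here for the example."""
import struct

ETHERTYPE_ARP = 0x0806


def mac_to_str(raw):
    """Render 6 bytes in the switch's xxxx-xxxx-xxxx notation."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_arp_frame(frame):
    """Return (eth_src_mac, arp_sender_mac, sender_ip, opcode), or None when the
    frame is not an Ethernet II frame carrying an Ethernet/IPv4 ARP packet."""
    if len(frame) < 14 + 28:
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha = frame[22:28]                  # sender hardware address
    spa = frame[28:32]                  # sender protocol address
    return mac_to_str(eth_src), mac_to_str(sha), ".".join(str(b) for b in spa), oper


def valid_check(frame):
    """Decision of the consistency check: True = accept, False = drop."""
    parsed = parse_arp_frame(frame)
    if parsed is None:
        return True                     # not an ARP packet: the check does not apply
    eth_src, sha, _ip, _oper = parsed
    return eth_src == sha


def build_arp(eth_src, sha, sender_ip, target_ip, oper=1):
    """Build a constructed Ethernet II + ARP frame (broadcast destination)."""
    eth = b"\xff" * 6 + bytes.fromhex(eth_src.replace("-", "")) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += bytes.fromhex(sha.replace("-", "")) + bytes(int(x) for x in sender_ip.split("."))
    arp += b"\x00" * 6 + bytes(int(x) for x in target_ip.split("."))
    return eth + arp


# Consistent frame: Ethernet source and ARP sender hardware address agree.
GOOD_FRAME = build_arp("0001-0203-0406", "0001-0203-0406", "192.168.0.1", "192.168.0.254")
# Inconsistent frame: the ARP body names a sender hardware address that differs
# from the Ethernet source MAC, which the gateway should not learn from.
BAD_FRAME = build_arp("000f-e200-0001", "0001-0203-0406", "192.168.0.254", "192.168.0.1")

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(name, parse_arp_frame(frame), "accept" if valid_check(frame) else "drop")
```

Note what the check does and does not cover: it rejects frames whose two MAC fields disagree, but a frame whose Ethernet source and ARP sender fields are both set to someone else's MAC passes it, which is why the manual pairs this feature with ARP detection and active acknowledgement rather than relying on it alone.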
     
    Configuring ARP active acknowledgement 
    Introduction 
    The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.
    ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating any incorrect ARP entry. For more information about its working mechanism, see ARP Attack Protection Technology White Paper.
    Configuration procedure 
    Follow these steps to configure ARP active acknowledgement:
    1. Enter system view.
       Command: system-view
    2. Enable the ARP active acknowledgement function.
       Command: arp anti-attack active-ack enable
       Remarks: Required. Disabled by default.
     
    Configuring ARP detection
    Introduction
    The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded and prevent user spoofing and gateway spoofing.
    ARP detection includes ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses, ARP detection based on specified objects, and ARP restricted forwarding.

    NOTE:
    If both the ARP detection based on specified objects and the ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are enabled, the former applies first, and then the latter applies.