HP A 5120 Manual

Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses

With this feature enabled, the switch compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses to prevent spoofing.

After you enable this feature for a VLAN:

1. Upon receiving an ARP packet from an ARP untrusted port, the switch compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the switch compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
2. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. ARP detection based on OUI MAC addresses means that if the sender MAC address of the received ARP packet is an OUI MAC address and voice VLAN is enabled, the packet is considered valid.
3. If no match is found, the ARP packet is considered invalid and is discarded.
4. Upon receiving an ARP packet from an ARP trusted port, the switch does not check the ARP packet.
NOTE:
• Static IP source guard binding entries are created by using the user-bind command. For more information, see the chapter "IP source guard configuration."
• Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see the Layer 3—IP Services Configuration Guide.
• 802.1X security entries are generated by the 802.1X function. For more information, see the chapter "802.1X configuration."
• For more information about voice VLANs and OUI MAC addresses, see the Layer 2—LAN Switching Configuration Guide.
Follow these steps to enable ARP detection for a VLAN and specify a trusted port:

To do…                                    Use the command…                             Remarks
Enter system view                         system-view                                  —
Enter VLAN view                           vlan vlan-id                                 —
Enable ARP detection for the VLAN         arp detection enable                         Required. ARP detection based on static IP source
                                                                                       guard binding entries/DHCP snooping entries/802.1X
                                                                                       security entries/OUI MAC addresses is not enabled
                                                                                       by default.
Return to system view                     quit                                         —
Enter Layer 2 Ethernet port view/         interface interface-type interface-number    —
Layer 2 aggregate interface view
Configure the port as a trusted port      arp detection trust                          Optional. The port is an untrusted port by default.
on which ARP detection does not apply
     
NOTE:
• When configuring this feature, you need to configure ARP detection based on at least static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries. Otherwise, all ARP packets received from an ARP untrusted port will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
• When configuring an IP source guard binding entry, you need to specify the VLAN; otherwise, no ARP packet will pass the ARP detection based on static IP source guard binding entries.
Configuring ARP detection based on specified objects

With this feature configured, the switch permits the ARP packets received from an ARP trusted port to pass directly, and checks the ARP packets received from an ARP untrusted port. You can specify the objects in the ARP packets to be checked. The objects are:
• src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.
• dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
• ip: Checks the sender and target IP addresses in an ARP packet. Any all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the sender and target IP addresses of ARP replies, and the source IP address of ARP requests, are checked.
Follow these steps to configure ARP detection based on specified objects:

To do…                                    Use the command…                                      Remarks
Enter system view                         system-view                                           —
Enter VLAN view                           vlan vlan-id                                          —
Enable ARP detection for the VLAN         arp detection enable                                  Required. Disabled by default.
Return to system view                     quit                                                  —
Specify objects for ARP detection         arp detection validate { dst-mac | ip | src-mac } *   Required. Not specified by default.
Enter Layer 2 Ethernet port view/         interface interface-type interface-number             —
Layer 2 aggregate interface view
Configure the port as a trusted port      arp detection trust                                   Optional. The port is an untrusted port by default.
on which ARP detection does not apply
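A model of the two decision procedures described above (the object checks selected with arp detection validate, then the entry lookup in the order static bindings, DHCP snooping, 802.1X, OUI), added here as an example; it is not HP code. The entry formats, the 6-hex-digit OUI prefix format, the trusted-port set and Host A's lease (10.1.1.5, 0001-0203-0405) are assumptions; Host B's binding is taken from configuration example I that follows.

```python
from dataclasses import dataclass, field

ZERO_MAC = "0000-0000-0000"
BCAST_MAC = "ffff-ffff-ffff"   # the all-one MAC, in the switch's hhhh-hhhh-hhhh notation

@dataclass
class ArpPacket:
    opcode: int        # 1 = request, 2 = reply
    eth_src: str       # source MAC in the Ethernet header
    eth_dst: str       # destination MAC in the Ethernet header
    sender_mac: str    # ARP sender hardware address
    sender_ip: str
    target_mac: str    # ARP target hardware address
    target_ip: str

@dataclass
class VlanDetection:
    static_bindings: dict = field(default_factory=dict)  # ip -> mac, created with user-bind
    dhcp_snooping: set = field(default_factory=set)      # {(ip, mac)} learned by DHCP snooping
    dot1x: set = field(default_factory=set)              # {(ip, mac)} 802.1X security entries
    oui_prefixes: set = field(default_factory=set)       # voice OUIs as 6 hex digits (assumed format)
    voice_vlan: bool = False
    validate: set = field(default_factory=set)           # subset of {"src-mac", "dst-mac", "ip"}
    trusted_ports: set = field(default_factory=set)      # ports configured with 'arp detection trust'

def _invalid_ip(ip: str) -> bool:
    # all-zero, all-one, or multicast (224.0.0.0/4) addresses are invalid
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239

def validate_objects(p: ArpPacket, v: VlanDetection) -> bool:
    """Checks selected with 'arp detection validate { dst-mac | ip | src-mac } *'."""
    if "src-mac" in v.validate and p.sender_mac != p.eth_src:
        return False
    if "dst-mac" in v.validate and p.opcode == 2:          # target MAC of replies only
        if p.target_mac in (ZERO_MAC, BCAST_MAC) or p.target_mac != p.eth_dst:
            return False
    if "ip" in v.validate:                                 # sender IP of requests, both IPs of replies
        ips = [p.sender_ip] if p.opcode == 1 else [p.sender_ip, p.target_ip]
        if any(_invalid_ip(ip) for ip in ips):
            return False
    return True

def entry_check(p: ArpPacket, v: VlanDetection) -> bool:
    """Static bindings first: a bound IP seen with another MAC is discarded outright."""
    bound_mac = v.static_bindings.get(p.sender_ip)
    if bound_mac is not None:
        return bound_mac == p.sender_mac
    pair = (p.sender_ip, p.sender_mac)                     # no static entry: try the other sources
    if pair in v.dhcp_snooping or pair in v.dot1x:
        return True
    oui = p.sender_mac.replace("-", "")[:6]
    return v.voice_vlan and oui in v.oui_prefixes

def arp_detect(p: ArpPacket, in_port: str, v: VlanDetection) -> bool:
    """True if the switch forwards the packet, False if it discards it."""
    if in_port in v.trusted_ports:                         # trusted ports are not checked
        return True
    return validate_objects(p, v) and entry_check(p, v)

def example_vlan10() -> VlanDetection:
    # constructed data modelled on configuration example I; Host A's lease is invented
    return VlanDetection(static_bindings={"10.1.1.6": "0001-0203-0607"},   # Host B on GE1/0/3
                         dhcp_snooping={("10.1.1.5", "0001-0203-0405")},
                         validate={"src-mac", "dst-mac", "ip"}, trusted_ports={"GE1/0/1"})
```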
      
    						
    							 
Configuring ARP restricted forwarding

ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports and have passed ARP detection, as follows:
• If the packets are ARP requests, they are forwarded through the trusted ports.
• If the packets are ARP responses, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted ports.

Before performing the following configuration, make sure you have configured the arp detection enable command.

Follow these steps to enable ARP restricted forwarding:

To do…                                    Use the command…                             Remarks
Enter system view                         system-view                                  —
Enter VLAN view                           vlan vlan-id                                 —
Enable ARP restricted forwarding          arp restricted-forwarding enable             Required. Disabled by default.
     
Displaying and maintaining ARP detection

To do…                                    Use the command…                                                   Remarks
Display the VLANs enabled with            display arp detection [ | { begin | exclude | include }            Available in any view
ARP detection                             regular-expression ]
Display the ARP detection statistics      display arp detection statistics [ interface interface-type        Available in any view
                                          interface-number ] [ | { begin | exclude | include }
                                          regular-expression ]
Clear the ARP detection statistics        reset arp detection statistics [ interface interface-type          Available in user view
                                          interface-number ]
     
ARP detection configuration example I

Network requirements

As shown in Figure 84, configure Switch A as a DHCP server and enable DHCP snooping on Switch B. Configure Host A as a DHCP client. Configure Host B, whose IP address is 10.1.1.6 and MAC address is 0001-0203-0607. Enable ARP detection for VLAN 10 to allow only packets from valid clients or hosts to pass.
Figure 84 Network diagram for ARP detection configuration
(Diagram labels: Switch A, DHCP server, Vlan-int10 10.1.1.1/24; Switch B, VLAN10, DHCP snooping, GE1/0/1, GE1/0/2, GE1/0/3; Host A, Host B, DHCP clients)
Configuration procedure

1. Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (details not shown)
2. Configure Switch A as a DHCP server.
# Configure DHCP address pool 0.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A as a DHCP client and Host B as a user. (details not shown)
4. Configure Switch B.
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp detection trust
[SwitchB-GigabitEthernet1/0/1] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet1/0/3.
[SwitchB] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchB-GigabitEthernet1/0/3] quit
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, their MAC and IP addresses are checked, and then the packets are checked against the static IP source guard binding entries and finally the DHCP snooping entries.
ARP detection configuration example II

Network requirements

As shown in Figure 85, configure Switch A as a DHCP server and Switch B to support 802.1X. Enable ARP detection for VLAN 10 to allow only packets from valid clients to pass. Configure Host A and Host B as local 802.1X access users.
Figure 85 Network diagram for ARP detection configuration
(Diagram labels: Switch A, DHCP server, Vlan-int10 10.1.1.1/24; Switch B, VLAN10, GE1/0/1, GE1/0/2, GE1/0/3; Host A, Host B)
Configuration procedure

1. Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (details not shown)
2. Configure Switch A as a DHCP server.
# Configure DHCP address pool 0.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A and Host B as 802.1X clients (the configuration procedure is omitted) and configure them to upload IP addresses for ARP detection.
4. Configure Switch B.
# Enable the 802.1X function.
<SwitchB> system-view
[SwitchB] dot1x
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dot1x
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] dot1x
[SwitchB-GigabitEthernet1/0/2] quit
# Add local access user test.
[SwitchB] local-user test
[SwitchB-luser-test] service-type lan-access
[SwitchB-luser-test] password simple test
[SwitchB-luser-test] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] arp detection trust
[SwitchB-GigabitEthernet1/0/3] quit
After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, they are checked against the 802.1X security entries.
ARP restricted forwarding configuration example

Network requirements

As shown in Figure 86, Switch A acts as a DHCP server and Host A acts as a DHCP client. Host B's IP address is 10.1.1.6, and its MAC address is 0001-0203-0607. Port isolation configured on Switch B isolates the two hosts from each other at Layer 2; both hosts can still communicate with the gateway, Switch A. GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 belong to VLAN 10. Switch B is enabled with DHCP snooping and has ARP detection enabled in VLAN 10.

Configure Switch B so that port isolation still applies to ARP broadcast requests.
Figure 86 Network diagram for ARP restricted forwarding configuration
(Diagram labels: Switch A, Gateway, DHCP server, Vlan-int10 10.1.1.1/24, GE1/0/3; Switch B, VLAN 10, DHCP snooping, GE1/0/1, GE1/0/2, GE1/0/3; Host A, DHCP client; Host B, 10.1.1.6, 0001-0203-0607)
Configuration procedure

1. Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 86. (details not shown)
2. Configure the DHCP server on Switch A.
# Configure DHCP address pool 0.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure the DHCP client on Hosts A and B. (details not shown)
4. Configure Switch B.
# Enable DHCP snooping, and configure GigabitEthernet 1/0/3 as a DHCP-trusted port.
<SwitchB> system-view
[SwitchB] dhcp-snooping
[SwitchB] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/3] quit
# Enable ARP detection.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure GigabitEthernet 1/0/3 as an ARP-trusted port.
[SwitchB-vlan10] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] arp detection trust
[SwitchB-GigabitEthernet1/0/3] quit
# Configure a static IP source guard entry on interface GigabitEthernet 1/0/2.
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchB-GigabitEthernet1/0/2] quit
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port-isolate enable
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port-isolate enable
[SwitchB-GigabitEthernet1/0/2] quit
After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, their MAC and IP addresses are checked, and then the packets are checked against the static IP source guard binding entries and finally the DHCP snooping entries. However, ARP broadcast requests sent from Host A pass the check on Switch B and still reach Host B, so port isolation fails.
# Configure ARP restricted forwarding.
[SwitchB] vlan 10
[SwitchB-vlan10] arp restricted-forwarding enable
[SwitchB-vlan10] quit
Switch B now forwards ARP broadcast requests from Host A to Switch A only through the trusted port GigabitEthernet 1/0/3, so Host B cannot receive such packets. Port isolation works normally.
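The forwarding rule this example depends on, as an added model that is not HP code: Switch B's ports follow Figure 86, while Host A's and Switch A's MAC addresses and the MAC table are constructed values. Without restricted forwarding the model forwards a packet that passed detection without the port-isolation check, which is the failure the text describes; with it, requests leave only through the trusted port and replies follow the MAC table or fall back to the trusted port.

```python
from dataclasses import dataclass

BCAST_MAC = "ffff-ffff-ffff"

@dataclass(frozen=True)
class ArpFrame:
    opcode: int      # 1 = request, 2 = reply
    eth_dst: str     # destination MAC in the Ethernet header

class SwitchB:
    """Switch B of Figure 86; the MAC table and the Host A / Switch A MACs are constructed."""
    def __init__(self, restricted_forwarding: bool):
        self.ports = {"GE1/0/1", "GE1/0/2", "GE1/0/3"}
        self.trusted = {"GE1/0/3"}                      # arp detection trust
        self.isolated = {"GE1/0/1", "GE1/0/2"}          # port-isolate enable
        self.mac_table = {"0001-0203-0607": "GE1/0/2",  # Host B (address from the example)
                          "0001-0203-0405": "GE1/0/1",  # Host A (constructed)
                          "000f-e2aa-bbcc": "GE1/0/3"}  # Switch A, the gateway (constructed)
        self.restricted = restricted_forwarding         # arp restricted-forwarding enable

    def _l2_forward(self, frame: ArpFrame, in_port: str, isolate: bool) -> set:
        """MAC-table lookup, flooding on a miss; port isolation honoured only when asked."""
        dst = self.mac_table.get(frame.eth_dst)
        out = {dst} if dst else self.ports - {in_port}
        if isolate and in_port in self.isolated:
            out -= self.isolated                        # isolated ports never reach each other
        return out

    def forward(self, frame: ArpFrame, in_port: str) -> set:
        """Egress ports for an ARP packet; packets from untrusted ports have passed detection."""
        if in_port in self.trusted:
            return self._l2_forward(frame, in_port, isolate=True)   # not intercepted by detection
        if not self.restricted:
            # Modelled as the text describes: the checked packet is forwarded without the
            # port-isolation check, so a Host A broadcast also reaches Host B on GE1/0/2.
            return self._l2_forward(frame, in_port, isolate=False)
        if frame.opcode == 1:
            return set(self.trusted)                    # requests go out trusted ports only
        dst = self.mac_table.get(frame.eth_dst)         # replies follow the MAC table ...
        return {dst} if dst else set(self.trusted)      # ... or go to trusted ports on a miss

def host_b_receives_host_a_broadcast(restricted: bool) -> bool:
    """Does Host B on GE1/0/2 see Host A's ARP broadcast request arriving on GE1/0/1?"""
    return "GE1/0/2" in SwitchB(restricted).forward(ArpFrame(1, BCAST_MAC), "GE1/0/1")
```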
Configuring ARP automatic scanning and fixed ARP

Introduction

ARP automatic scanning is usually used together with the fixed ARP feature.

With ARP automatic scanning enabled on an interface, the switch automatically scans neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP entries.

Fixed ARP allows the switch to change the existing dynamic ARP entries (including those generated through ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers.

NOTE:
HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafé.
Configuration procedure

Follow these steps to configure ARP automatic scanning and fixed ARP:

To do…                                    Use the command…                                    Remarks
Enter system view                         system-view                                         —
Enter interface view                      interface interface-type interface-number           —
Enable ARP automatic scanning             arp scan [ start-ip-address to end-ip-address ]     Required
Return to system view                     quit                                                —
Enable fixed ARP                          arp fixup                                           Required
     
NOTE:
• IP addresses already existing in ARP entries are not scanned.
• ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
• The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries.
• Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.
• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the switch supports. As a result, the switch may fail to change all dynamic ARP entries into static ARP entries.
• To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address command. To delete all such static ARP entries, use the reset arp all or reset arp static command.
Configuring ARP gateway protection

Introduction

The ARP gateway protection feature, if configured on ports not connected with the gateway, can block gateway spoofing attacks.

When such a port receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet normally.

Configuration procedure

Follow these steps to configure ARP gateway protection:

To do…                                    Use the command…                             Remarks
Enter system view                         system-view                                  —
Enter Layer 2 Ethernet port view/         interface interface-type interface-number    —
Layer 2 aggregate interface view
Enable ARP gateway protection for a       arp filter source ip-address                 Required. Disabled by default.
specified gateway
NOTE:
• You can enable ARP gateway protection for up to eight gateways on a port.
• Commands arp filter source and arp filter binding cannot be both configured on a port.
• If ARP gateway protection works with ARP detection, ARP gateway protection applies first.
ARP gateway protection configuration example

Network requirements

As shown in Figure 87, Host B launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.

Configure Switch B to block such attacks.
Figure 87 Network diagram for ARP gateway protection configuration
(Diagram labels: Switch A, Gateway, 10.1.1.1/24; Switch B, GE1/0/1, GE1/0/2, GE1/0/3; Host A, Host B)
Configuration procedure

# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter source 10.1.1.1
After the configuration is complete, Switch B discards the ARP packets whose source IP address is that of the gateway.
Configuring ARP filtering

Introduction

To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port.
    						