HP A 5120 Manual
The port checks the sender IP and MAC addresses in a received ARP packet against the configured ARP filtering entries. If a match is found, the packet is handled normally. If not, the packet is discarded.

Configuration procedure

Follow these steps to configure ARP filtering:

To do…                                   Use the command…                            Remarks
Enter system view                        system-view                                 —
Enter Layer 2 Ethernet port view or      interface interface-type interface-number   —
Layer 2 aggregate interface view
Configure an ARP filtering entry         arp filter binding ip-address mac-address   Required. Not configured by default.

NOTE:
• You can configure up to eight ARP filtering entries on a port.
• The arp filter source and arp filter binding commands cannot both be configured on a port.
• If ARP filtering works together with ARP detection, ARP filtering applies first.

ARP filtering configuration example

Network requirements

As shown in Figure 88, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233, respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively. Configure ARP filtering on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch B to permit specific ARP packets only.

Figure 88 Network diagram for ARP filtering configuration
[Figure: Host A on GE1/0/1 and Host B on GE1/0/2 of Switch B; Switch B connects to Switch A through GE1/0/3.]

Configuration procedure

# Configure ARP filtering on Switch B.
system-view
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234

After the configuration is complete, GigabitEthernet 1/0/1 permits incoming ARP packets whose sender IP and MAC addresses are 10.1.1.2 and 000f-e349-1233 and discards all other ARP packets. GigabitEthernet 1/0/2 permits incoming ARP packets whose sender IP and MAC addresses are 10.1.1.3 and 000f-e349-1234 and discards all other ARP packets.
ND attack defense configuration

Introduction to ND attack defense

The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.

The ND protocol implements its functions by using the following types of ICMPv6 messages:
• Neighbor Solicitation (NS)
• Neighbor Advertisement (NA)
• Router Solicitation (RS)
• Router Advertisement (RA)
• Redirect (RR)

An attacker can attack a network by sending forged ICMPv6 messages, as shown in Figure 89:
• Sends forged NS/NA/RS packets with the IPv6 address of a victim host. The gateway and other hosts update the ND entry for the victim host with incorrect address information. As a result, all packets intended for the victim host are sent to the attacking host rather than the victim host.
• Sends forged RA packets with the IPv6 address of a victim gateway. As a result, all hosts attached to the victim gateway maintain incorrect IPv6 configuration parameters and ND entries.

Figure 89 ND attack diagram
[Figure: Host A (IP_A/MAC_A), Host B (IP_B/MAC_B) and Host C (IP_C/MAC_C) attached to a switch; Host C sends forged ND packets toward the other hosts.]

All forged ND packets have two common features:
• The Ethernet frame header and the source link layer address option of the ND packet contain different source MAC addresses.
• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.

To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.

NOTE:
For more information about the functions of the ND protocol, see the Layer 3—IP Services Configuration Guide.

Enabling source MAC consistency check for ND packets

Use source MAC consistency check on a gateway to filter out ND packets that carry different source MAC addresses in the Ethernet frame header and the source link layer address option.

Follow these steps to enable source MAC consistency check for ND packets:

To do…                                               Use the command…           Remarks
Enter system view                                    system-view                —
Enable source MAC consistency check for ND packets   ipv6 nd mac-check enable   Required. Disabled by default.

Configuring the ND detection function

Introduction to ND detection

Use the ND detection function on access devices to verify the source of ND packets. If an ND packet comes from a spoofing host or gateway, it is discarded.

The ND detection function operates on a per-VLAN basis. In an ND detection-enabled VLAN, a port is either ND-trusted or ND-untrusted:
• An ND-trusted port does not check ND packets for address spoofing.
• An ND-untrusted port checks all ND packets except RA and RR messages in the VLAN for source spoofing. RA and RR messages are considered illegal and are discarded directly.

The ND detection function checks an ND packet by looking up the IPv6 static bindings table of the IP source guard function, the ND snooping table, and the DHCPv6 snooping table in the following steps:
1. Looks up the IPv6 static bindings table of IP source guard, based on the source IPv6 address and the source MAC address in the Ethernet frame header of the ND packet.
   • If an exact match is found, the ND packet is forwarded.
   • If an entry matches the source IPv6 address but not the source MAC address, the ND packet is discarded.
   • If no entry matches the source IPv6 address, the ND detection function continues to look up the DHCPv6 snooping table and the ND snooping table.
2. If an exact match is found in either the DHCPv6 snooping table or the ND snooping table, the ND packet is forwarded. If no match is found in either table, the packet is discarded. If neither the DHCPv6 snooping table nor the ND snooping table is available, the ND packet is discarded.
NOTE:
• To create IPv6 static bindings with IP source guard, use the user-bind ipv6 command. For more information, see the chapter “IP source guard configuration.”
• The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, see the Layer 3—IP Services Configuration Guide.
• The ND snooping table is created automatically by the ND snooping module. For more information, see the Layer 3—IP Services Configuration Guide.

Configuring ND detection

Follow these steps to configure ND detection:

To do…                                      Use the command…                            Remarks
Enter system view                           system-view                                 —
Enter VLAN view                             vlan vlan-id                                —
Enable ND detection                         ipv6 nd detection enable                    Required. Disabled by default.
Return to system view                       quit                                        —
Enter Layer 2 Ethernet interface view or    interface interface-type interface-number   —
Layer 2 aggregate interface view
Configure the port as an ND-trusted port    ipv6 nd detection trust                     Optional. A port does not trust sources of ND packets by default.

NOTE:
• ND detection performs the source check by using the binding tables of IP source guard, DHCPv6 snooping, and ND snooping. To prevent an ND-untrusted port from discarding legal ND packets in an ND detection-enabled VLAN, ensure that at least one of the three functions is available.
• When creating an IPv6 static binding with IP source guard for ND detection in a VLAN, specify the VLAN ID for the binding. If not, no ND packets in the VLAN can match the binding.
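As an added example (not HP's code or the switch's implementation), the following Python models the ND detection decision steps described above, the ND-trusted/untrusted port rule, and the gateway-side source MAC consistency check, so the discard cases (IPv6 match with MAC mismatch, RA/RR on an untrusted port, no snooping table available) can be exercised on constructed packets. The packet and table structures, and the treatment of a static binding created without a VLAN ID as non-matching, are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ND packet model: only the fields the detection logic reads.
@dataclass
class NDPacket:
    msg_type: str                  # "NS", "NA", "RS", "RA" or "RR"
    src_ipv6: str                  # source IPv6 address
    eth_src_mac: str               # source MAC in the Ethernet frame header
    sll_mac: Optional[str] = None  # source link-layer address option, if present
    vlan: int = 0                  # VLAN the packet was received in

@dataclass
class Tables:
    """Binding tables; None means that function is not available on the device."""
    static_bindings: Optional[dict] = None  # ipv6 -> (mac, vlan or None), via user-bind ipv6
    dhcpv6_snooping: Optional[dict] = None  # ipv6 -> mac
    nd_snooping: Optional[dict] = None      # ipv6 -> mac

def mac_consistency_ok(pkt):
    """Gateway check (ipv6 nd mac-check enable): frame source MAC must equal the SLL option MAC."""
    return pkt.sll_mac is None or pkt.sll_mac.lower() == pkt.eth_src_mac.lower()

def nd_detection(pkt, tables, port_trusted):
    """Return ("forward" | "discard", reason) for a packet on a port in an ND detection VLAN."""
    if port_trusted:  # ND-trusted ports are not checked for address spoofing
        return "forward", "trusted port"
    if pkt.msg_type in ("RA", "RR"):  # untrusted ports discard RA and RR outright
        return "discard", "RA/RR received on ND-untrusted port"
    # Step 1: IP source guard static bindings, looked up by source IPv6 address.
    entry = (tables.static_bindings or {}).get(pkt.src_ipv6)
    # Assumption: a binding created without a VLAN ID cannot match packets in the VLAN.
    if entry is not None and entry[1] == pkt.vlan:
        if entry[0].lower() == pkt.eth_src_mac.lower():
            return "forward", "static binding match"
        return "discard", "static binding matches IPv6 but not MAC"
    # Step 2: DHCPv6 snooping and ND snooping tables (a match in either one is enough).
    snooping = [t for t in (tables.dhcpv6_snooping, tables.nd_snooping) if t is not None]
    if not snooping:
        return "discard", "no DHCPv6 snooping or ND snooping table available"
    for table in snooping:
        if table.get(pkt.src_ipv6, "").lower() == pkt.eth_src_mac.lower():
            return "forward", "snooping table match"
    return "discard", "no snooping entry matches source IPv6/MAC"

if __name__ == "__main__":
    # Constructed ND snooping table for the Figure 90 hosts behind Switch B.
    tbl = Tables(nd_snooping={"10::5": "0001-0203-0405", "10::6": "0001-0203-0607"})
    for mac in ("0001-0203-0405", "0001-0203-0609"):  # genuine Host A, then a spoofer
        print(mac, nd_detection(NDPacket("NA", "10::5", mac, mac, vlan=10), tbl, False))
```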
Displaying and maintaining ND detection

To do…                                                   Use the command…                                                                                                        Remarks
Display the ND detection configuration                   display ipv6 nd detection [ | { begin | exclude | include } regular-expression ]                                         Available in any view
Display statistics of packets discarded by the           display ipv6 nd detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include }    Available in any view
ND detection source check                                regular-expression ]
Clear ND detection statistics                            reset ipv6 nd detection statistics [ interface interface-type interface-number ]                                          Available in user view
ND detection configuration example

Network requirements

As shown in Figure 90, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607. Enable ND detection on Switch B to filter out forged ND packets.

Figure 90 Network diagram for ND detection configuration
[Figure: Host A (10::5, 0001-0203-0405) on GE1/0/1 and Host B (10::6, 0001-0203-0607) on GE1/0/2 of Switch B, which runs ND snooping in VLAN 10; Switch B GE1/0/3 connects to GE1/0/3 of the gateway Switch A, whose Vlan-interface 10 has address 10::1; Switch A connects to the Internet.]

Configuration procedure

1. Configuring Switch A

# Enable IPv6 forwarding.
system-view
[SwitchA] ipv6
# Create VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] quit
# Assign port GigabitEthernet 1/0/3 to VLAN 10.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 10
[SwitchA-GigabitEthernet1/0/3] quit
# Assign an IPv6 address to VLAN-interface 10.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ipv6 address 10::1/64
[SwitchA-Vlan-interface10] quit

2. Configuring Switch B

# Enable IPv6 forwarding.
system-view
[SwitchB] ipv6
# Create VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] quit
# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk permit vlan 10
[SwitchB-GigabitEthernet1/0/3] quit
# Enable ND snooping in VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] ipv6 nd snooping enable
# Enable ND detection in VLAN 10.
[SwitchB-vlan10] ipv6 nd detection enable
[SwitchB-vlan10] quit
# Configure the uplink port GigabitEthernet 1/0/3 as an ND-trusted port, and leave the downlink ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as ND-untrusted ports (the default).
[SwitchB] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] ipv6 nd detection trust

The configuration enables Switch B to check all incoming ND packets on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 against the ND snooping table.
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website:
http://www.hp.com/support

Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

Subscription service

HP recommends that you register your product at the Subscribers Choice for Business website:
http://www.hp.com/go/wwalerts

After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.

Related information

Documents

To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP A-Series Acronyms.

Websites
• HP.com: http://www.hp.com
• HP Networking: http://www.hp.com/go/networking
• HP manuals: http://www.hp.com/support/manuals
• HP download drivers and software: http://www.hp.com/support/downloads
• HP software depot: http://www.software.hp.com
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *   Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&                   The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
#                   A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention   Description
Boldface     Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>            Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention   Description
WARNING      An alert that calls attention to important information that, if not understood or followed, can result in personal injury.
CAUTION      An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT    An alert that calls attention to essential information.
NOTE         An alert that contains additional or supplementary information.
TIP          An alert that provides helpful information.
Network topology icons

• [icon] Represents a generic network device, such as a router, switch, or firewall.
• [icon] Represents a routing-capable device, such as a router or Layer 3 switch.
• [icon] Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.