HP 5500 Ei 5500 Si Switch Series Configuration Guide

    Total entries found: 1 
     MAC Address       IP Address     VLAN   Interface              Type 
     0001-0203-0406    192.168.0.1    100    Vlan100                DHCP-RLY 
    Static IPv6 source guard configuration example 
    Network requirements 
    As shown in Figure 123, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a 
    static IPv6 source guard entry for GigabitEthernet 1/0/1 of the device to allow only packets from the 
    host to pass. 
    Figure 123  Network diagram 
    Configuration procedure 
    # Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the 
    source IP address and MAC address. 
    <Device> system-view 
    [Device] interface gigabitethernet 1/0/1 
    [Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address 
    # Configure GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of 
    0001-0202-0202 and the source IPv6 address of 2001::1 to pass. 
    [Device-GigabitEthernet1/0/1] ipv6 source binding ipv6-address 2001::1 mac-address 0001-0202-0202 
    [Device-GigabitEthernet1/0/1] quit 
    Verifying the configuration 
    # On Device, display the information about static IPv6 source guard entries. The output shows that the 
    binding entry is configured successfully. 
    [Device] display ipv6 source binding static 
    Total entries found: 1 
     MAC Address        IP Address        VLAN   Interface               Type 
     0001-0202-0202     2001::1           N/A    GE1/0/1                 Static-IPv6 
    Dynamic IPv6 source guard using DHCPv6 snooping configuration example 
    Network requirements 
    As shown in Figure 124, the host (DHCPv6 client) and the DHCPv6 server are connected to the device 
    through ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. 
    Enable DHCPv6 and DHCPv6 snooping on the device, so that the host can obtain an IPv6 address through 
    the DHCPv6 server and the IPv6 address and the MAC address of the host can be recorded in a 
    DHCPv6 snooping entry. 
    Enable the IPv6 source guard function on the device's port GigabitEthernet 1/0/1 to filter packets based on 
    DHCPv6 snooping entries, allowing only packets from a client that obtains an IPv6 address through the 
    DHCPv6 server to pass. 
    Figure 124  Network diagram 
    Configuration procedure 
    1. Configure DHCPv6 snooping: 
    # Enable DHCPv6 snooping globally. 
    <Device> system-view 
    [Device] ipv6 dhcp snooping enable 
    # Enable DHCPv6 snooping in VLAN 2. 
    [Device] vlan 2 
    [Device-vlan2] ipv6 dhcp snooping vlan enable 
    [Device-vlan2] quit 
    # Configure the port connecting to the DHCPv6 server as a trusted port. 
    [Device] interface gigabitethernet 1/0/2 
    [Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust 
    [Device-GigabitEthernet1/0/2] quit 
    2. Configure the IPv6 source guard function: 
    # Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on 
    both the source IP address and MAC address. 
    [Device] interface gigabitethernet 1/0/1 
    [Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address 
    [Device-GigabitEthernet1/0/1] quit 
    Verifying the configuration 
    # Display the dynamic IPv6 source guard entries generated on port GigabitEthernet 1/0/1. 
    [Device] display ipv6 source binding 
    Total entries found: 1 
     MAC Address          IP Address        VLAN   Interface       Type 
     040a-0000-0001       2001::1           2      GE1/0/1         DHCPv6-SNP 
    # Display all DHCPv6 snooping entries to see whether they are consistent with the dynamic IP source 
    guard entries generated on GigabitEthernet 1/0/1. 
    [Device] display ipv6 dhcp snooping user-binding dynamic 
    IP Address                     MAC Address    Lease      VLAN Interface 
    ============================== ============== ========== ==== ==================== 
    2001::1                        040a-0000-0001 286        2    GigabitEthernet1/0/1 
    ---   1 DHCPv6 snooping item(s) found   --- 
    The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 
    1/0/1 based on the DHCPv6 snooping entry. 
    Dynamic IPv6 source guard using ND snooping configuration example 
    Network requirements 
    As shown in Figure 125, the client is connected to the device through port GigabitEthernet 1/0/1. 
    Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. 
    Enable the IPv6 source guard function on port GigabitEthernet 1/0/1 to filter packets based on the ND 
    snooping entries, allowing only packets with a legally obtained IPv6 address to pass. 
    Figure 125  Network diagram 
    Configuration procedure 
    1. Configure ND snooping: 
    # In VLAN 2, enable ND snooping. 
    <Device> system-view 
    [Device] vlan 2 
    [Device-vlan2] ipv6 nd snooping enable 
    [Device-vlan2] quit 
    2. Configure the IPv6 source guard function: 
    # Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on 
    both the source IP address and MAC address. 
    [Device] interface gigabitethernet 1/0/1 
    [Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address 
    [Device-GigabitEthernet1/0/1] quit 
    Verifying the configuration 
    # Display the IPv6 source guard entries generated on port GigabitEthernet 1/0/1. 
    [Device] display ipv6 source binding 
    Total entries found: 1 
     MAC Address          IP Address        VLAN   Interface       Type 
     040a-0000-0001       2001::1           2      GE1/0/1         ND-SNP 
    # Display the IPv6 ND snooping entries to see whether they are consistent with the dynamic IP source 
    guard entries generated on GigabitEthernet 1/0/1. 
    [Device] display ipv6 nd snooping 
    IPv6 Address                   MAC Address     VID  Interface      Aging Status 
    2001::1                        040a-0000-0001  2    GE1/0/1        25    Bound 
    ---- Total entries: 1 ---- 
    The output shows that a dynamic IPv6 source guard entry has been generated on port GigabitEthernet 1/0/1 
    based on the ND snooping entry. 
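The two verification steps above (DHCPv6 snooping and ND snooping) compare the source guard table with the snooping table by eye. The following script is an added example, not an HP tool: it parses the display outputs quoted on this page (copied here as constructed sample input), normalises the interface spelling (GE1/0/1 versus GigabitEthernet1/0/1) and the IPv6 address text, and reports entries present in only one of the two tables, which is what a stale binding or a snooped client without a binding looks like. The parsers assume the column layout of the outputs shown above.

```python
"""Cross-check dynamic IPv6 source guard entries against DHCPv6 snooping and
ND snooping tables.  Added example, not HP tooling; parsers assume the column
layout of the 'display' outputs quoted on this page."""
import ipaddress
import re

MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")

# Constructed inputs: the outputs shown in the DHCPv6 and ND snooping examples.
SOURCE_BINDING_DHCPV6 = """\
Total entries found: 1
 MAC Address          IP Address        VLAN   Interface       Type
 040a-0000-0001       2001::1           2      GE1/0/1         DHCPv6-SNP
"""
DHCPV6_SNOOPING = """\
IP Address                     MAC Address    Lease      VLAN Interface
============================== ============== ========== ==== ====================
2001::1                        040a-0000-0001 286        2    GigabitEthernet1/0/1
---   1 DHCPv6 snooping item(s) found   ---
"""
SOURCE_BINDING_ND = """\
Total entries found: 1
 MAC Address          IP Address        VLAN   Interface       Type
 040a-0000-0001       2001::1           2      GE1/0/1         ND-SNP
"""
ND_SNOOPING = """\
IPv6 Address                   MAC Address     VID  Interface      Aging Status
2001::1                        040a-0000-0001  2    GE1/0/1        25    Bound
---- Total entries: 1 ----
"""


def norm_iface(name: str) -> str:
    """The tables abbreviate GigabitEthernet1/0/1 as GE1/0/1; compare one form."""
    return re.sub(r"^GE(?=\d)", "GigabitEthernet", name)


def norm_ip(addr: str) -> str:
    """Canonical text, so 2001:0:0:0:0:0:0:1 and 2001::1 compare equal."""
    return str(ipaddress.ip_address(addr))


def parse_source_binding(text: str):
    """Rows of 'display ipv6 source binding': MAC, IP, VLAN, Interface, Type."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and MAC_RE.fullmatch(f[0]):
            rows.append({"ip": norm_ip(f[1]), "mac": f[0], "vlan": f[2],
                         "iface": norm_iface(f[3]), "type": f[4]})
    return rows


def parse_dhcpv6_snooping(text: str):
    """Rows of 'display ipv6 dhcp snooping user-binding dynamic':
    IP, MAC, Lease, VLAN, Interface."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and MAC_RE.fullmatch(f[1]):
            rows.append({"ip": norm_ip(f[0]), "mac": f[1], "vlan": f[3],
                         "iface": norm_iface(f[4])})
    return rows


def parse_nd_snooping(text: str):
    """Rows of 'display ipv6 nd snooping': IPv6, MAC, VID, Interface, Aging, Status."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and MAC_RE.fullmatch(f[1]):
            rows.append({"ip": norm_ip(f[0]), "mac": f[1], "vlan": f[2],
                         "iface": norm_iface(f[3]), "status": f[5]})
    return rows


def compare(guard_rows, snoop_rows, entry_type: str):
    """Match source guard entries of one type against a snooping table on
    (IPv6 address, MAC, VLAN, interface)."""
    def key(r):
        return (r["ip"], r["mac"], r["vlan"], r["iface"])
    guard = {key(r) for r in guard_rows if r["type"] == entry_type}
    snoop = {key(r) for r in snoop_rows}
    return {"matched": sorted(guard & snoop),
            "guard_only": sorted(guard - snoop),      # binding with no snooping entry behind it
            "snooping_only": sorted(snoop - guard)}   # snooped client that got no binding


def audit_dhcpv6():
    return compare(parse_source_binding(SOURCE_BINDING_DHCPV6),
                   parse_dhcpv6_snooping(DHCPV6_SNOOPING), "DHCPv6-SNP")


def audit_nd():
    return compare(parse_source_binding(SOURCE_BINDING_ND),
                   parse_nd_snooping(ND_SNOOPING), "ND-SNP")
```

On the outputs quoted above both audits report one matched entry and nothing in either "only" list; a non-empty guard_only list is the case worth investigating, because a binding that no snooping entry backs keeps admitting traffic after the client that earned it is gone.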
    Global static IP source guard configuration example 
    Network requirements 
    As shown in Figure 126 , Device A is a distribution layer device. Device B is an access device. Host A in 
    VLAN 10 and Host B in VLAN 20 communicate with each other through Device A. 
    •   Configure Device B to discard attack packets that exploit the IP address or MAC address of Host A 
    and Host B. 
    •   Configure Device B to forward packets of Host A and Host B normally. 
    Figure 126  Network diagram 
    Configuration procedure 
    # Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10. 
    <DeviceB> system-view 
    [DeviceB] vlan 10 
    [DeviceB-vlan10] port gigabitethernet 1/0/2 
    [DeviceB-vlan10] quit 
    # Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20. 
    [DeviceB] vlan 20 
    [DeviceB-vlan20] port gigabitethernet 1/0/3 
    [DeviceB-vlan20] quit 
    # Configure the link type of GigabitEthernet 1/0/1 as trunk, and permit packets of VLAN 10 and VLAN 
    20 to pass the port. 
    [DeviceB] interface gigabitethernet 1/0/1 
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk 
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 10 20 
    [DeviceB-GigabitEthernet1/0/1] quit 
    # Configure IPv4 source guard on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 to filter packets 
    based on both the source IP address and MAC address. 
    [DeviceB] interface gigabitethernet 1/0/2 
    [DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address 
    [DeviceB-GigabitEthernet1/0/2] quit 
    [DeviceB] interface gigabitethernet 1/0/3 
    [DeviceB-GigabitEthernet1/0/3] ip verify source ip-address mac-address 
    [DeviceB-GigabitEthernet1/0/3] quit 
    # Configure global static IP binding entries to prevent attack packets that exploit the IP address or MAC 
    address of Host A and Host B from being forwarded. 
    [DeviceB] ip source binding ip-address 192.168.0.2 mac-address 0001-0203-0406 
    [DeviceB] ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0407 
    Verifying the configuration 
    # Display static IPv4 binding entries on Device B. 
    [DeviceB] display ip source binding static 
    Total entries found: 2 
     MAC Address       IP Address       VLAN   Interface            Type 
     0001-0203-0406    192.168.0.2      N/A    N/A                  Static 
     0001-0203-0407    192.168.1.2      N/A    N/A                  Static 
    After the configurations, Host A and Host B can ping each other successfully. 
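The static IPv6 example earlier and the global static IPv4 example above show two kinds of binding: one configured under an interface, one configured globally. The following model is an added example, not HP code; it encodes the forwarding decision the examples describe so the difference can be exercised. The semantics it assumes are taken from the examples' wording: a per-port binding applies only to its port, a global binding (Interface N/A) applies to every port on which verify source is enabled, and verification on ip-address mac-address passes a packet only when both its source IP and its source MAC match one applicable binding.

```python
"""IP source guard forwarding decision.  Added illustration, not HP code.
Assumptions (from the examples' wording, not HP's data-path documentation):
per-port bindings apply to their port only, global bindings apply to every
port with 'verify source' enabled, and both source IP and source MAC must
match one applicable binding."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Accept 0001-0203-0406, 00:01:02:03:04:06 or 0001.0203.0406 and return
    the H-H-H form the switch displays."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def norm_ip(ip: str) -> str:
    """Canonical text form, so 2001:0:0:0:0:0:0:1 and 2001::1 compare equal."""
    return str(ipaddress.ip_address(ip))


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: Optional[str]  # None models a global entry (Interface N/A)


class SourceGuard:
    def __init__(self) -> None:
        self.verify_ports = set()   # ports with 'verify source ip-address mac-address'
        self.bindings = []

    def verify_source(self, port: str) -> None:
        self.verify_ports.add(port)

    def source_binding(self, ip: str, mac: str, interface: Optional[str] = None) -> None:
        self.bindings.append(Binding(norm_ip(ip), norm_mac(mac), interface))

    def permits(self, port: str, src_ip: str, src_mac: str) -> bool:
        """True if a packet with this source arriving on 'port' is forwarded."""
        if port not in self.verify_ports:
            return True  # port is not checked; forwarded as usual
        ip, mac = norm_ip(src_ip), norm_mac(src_mac)
        return any(b.ip == ip and b.mac == mac and b.interface in (None, port)
                   for b in self.bindings)


def device_from_ipv6_example() -> SourceGuard:
    """The static IPv6 example: one per-port binding on GE1/0/1."""
    sg = SourceGuard()
    sg.verify_source("GE1/0/1")
    sg.source_binding("2001::1", "0001-0202-0202", interface="GE1/0/1")
    return sg


def device_b_from_ipv4_example() -> SourceGuard:
    """The global static IPv4 example: Device B checks GE1/0/2 and GE1/0/3
    against two global bindings (Host A and Host B)."""
    sg = SourceGuard()
    sg.verify_source("GE1/0/2")
    sg.verify_source("GE1/0/3")
    sg.source_binding("192.168.0.2", "0001-0203-0406")   # Host A, global
    sg.source_binding("192.168.1.2", "0001-0203-0407")   # Host B, global
    return sg


if __name__ == "__main__":
    b = device_b_from_ipv4_example()
    print("Host A on GE1/0/2:", b.permits("GE1/0/2", "192.168.0.2", "0001-0203-0406"))
    print("Host A's IP with another MAC:", b.permits("GE1/0/2", "192.168.0.2", "0001-0203-0408"))
```

Under these assumptions a global entry checks the IP/MAC pair but not the port it arrives on, so Host A's exact pair is also accepted on GE1/0/3; a per-port entry, as in the IPv6 example, pins the pair to one port. That is the trade-off between the two entry types the examples illustrate.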
    Troubleshooting IP source guard 
    Symptom 
    Failed to configure static or dynamic IP source guard on a port.  
    Analysis 
    IP source guard is not supported on a port in an aggregation group.  
    Solution 
    Remove the port from the aggregation group. 
    Configuring ARP attack protection 
    Only the HP 5500 EI switches support Layer 3 Ethernet port configuration.  
    The term interface in the ARP attack protection features refers to Layer 3 interfaces, including VLAN 
    interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route 
    mode by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). 
    Overview 
    Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network 
    attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: 
    •  Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP 
    entries.  
    •   Sends a large number of destination unreachable IP packets to have the receiving device busy with 
    resolving destination IP addresses until its CPU is overloaded. 
    •   Sends a large number of ARP packets to overload the CPU of the receiving device. 
    For more information about ARP attack features and types, see ARP Attack Protection Technology White 
    Paper. 
    ARP attacks and viruses are threatening LAN security. This chapter introduces multiple features to detect 
    and prevent such attacks. 
    ARP attack protection configuration task list 
    Task                                                           Remarks 
    Flood prevention 
      Configuring ARP defense against IP packet attacks 
        Configuring ARP source suppression                         Optional. Configure this function on gateways (recommended). 
        Enabling ARP black hole routing                            Optional. Configure this function on gateways (recommended). 
      Configuring ARP packet rate limit                            Optional. Configure this function on access devices (recommended). 
      Configuring source MAC address based ARP attack detection    Optional. Configure this function on gateways (recommended). 
    User and gateway spoofing prevention 
      Configuring ARP packet source MAC address consistency check  Optional. Configure this function on gateways (recommended). 
      Configuring ARP active acknowledgement                       Optional. Configure this function on gateways (recommended). 
      Configuring ARP detection                                    Optional. Configure this function on access devices (recommended). 
      Configuring ARP automatic scanning and fixed ARP             Optional. Configure this function on gateways (recommended). 
      Configuring ARP gateway protection                           Optional. Configure this function on access devices (recommended). 
      Configuring ARP filtering                                    Optional. Configure this function on access devices (recommended). 
    Configuring ARP defense against IP packet attacks 
    If the device receives a large number of IP packets from a host addressed to unreachable destinations, 
    •   The device sends a large number of ARP requests to the destination subnets, and thus the load of the 
    destination subnets increases. 
    •   The device keeps trying to resolve destination IP addresses, which increases the load on the CPU. 
    To protect the device from IP packet attacks, you can enable the ARP source suppression function or ARP 
    black hole routing function. 
    If the packets have the same source address, you can enable the ARP source suppression function. With 
    the function enabled, you can set a threshold for the number of ARP requests that a sending host can 
    trigger in five seconds with packets whose destination IP addresses cannot be resolved. When the number of ARP 
    requests exceeds that threshold, the device suppresses the host from triggering any ARP requests in the 
    following five seconds. 
    If the packets have various source addresses, you can enable the ARP black hole routing function. After 
    receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this 
    function enabled immediately creates a black hole route and simply drops all packets matching the route 
    during the aging time of the black hole route. 
    Configuring ARP source suppression 
    Step                                              Command                                    Remarks 
    1. Enter system view.                             system-view                                N/A 
    2. Enable ARP source suppression.                 arp source-suppression enable              Disabled by default. 
    3. Set the maximum number of packets with the     arp source-suppression limit limit-value   Optional. 
       same source IP address but unresolvable                                                   10 by default. 
       destination IP addresses that the device can 
       receive in five consecutive seconds. 
     
    Enabling ARP black hole routing 
    Step                                              Command                                    Remarks 
    1. Enter system view.                             system-view                                N/A 
    2. Enable ARP black hole routing.                 arp resolving-route enable                 Optional. 
                                                                                                 Enabled by default. 
     
    Displaying and maintaining ARP defense against IP packet attacks 
    Task                                              Command                                                                                  Remarks 
    Display the ARP source suppression                display arp source-suppression [ | { begin | exclude | include } regular-expression ]    Available in any view 
    configuration information. 
    Configuration example 
    Network requirements 
    As shown in Figure 127, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 
    20. The two areas connect to the gateway (Device) through an access switch. 
    A large number of ARP requests are detected in the office area and are considered as the consequence 
    of an IP flood attack. To prevent such attacks, configure ARP source suppression and ARP black hole 
    routing. 
    Figure 127  Network diagram 
    Configuration considerations 
    If the attacking packets have the same source address, you can enable the ARP source suppression 
    function with the following steps:  
    1. Enable ARP source suppression. 
    2. Set the threshold for ARP packets from the same source address to 100. If the number of ARP 
    requests sourced from the same IP address in five seconds exceeds 100, the device suppresses the 
    IP packets sourced from this IP address from triggering any ARP requests within the following five 
    seconds. 
    If the attacking packets have different source addresses, enable the ARP black hole routing function on 
    the device. 
    Configuration procedure 
    1.  Configure ARP source suppression: 
    # Enable ARP source suppression on the device and set the threshold for ARP packets from the 
    same source address to 100. 
    <Device> system-view 
    [Device] arp source-suppression enable 
    [Device] arp source-suppression limit 100 
    2.  Configure ARP black hole routing: 
    # Enable ARP black hole routing on the device. 
    <Device> system-view 
    [Device] arp resolving-route enable 
    [Figure 127 diagram labels: IP network; Gateway (Device); R&D area, VLAN 10; Office area, VLAN 20; Host A, Host B, Host C, Host D.] 
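The overview of ARP defense against IP packet attacks and the configuration example above describe two mechanisms in words: a per-source counter over a five-second window followed by five seconds of suppression, and a black hole route that drops further packets to an unresolvable destination until it ages out. The simulation below is an added example, not HP code, and models the behaviour the text describes rather than the switch's implementation. Points the page leaves open are treated as assumptions and marked as such in the code: the packet that pushes a source over the limit is itself suppressed, a packet dropped by a black hole route does not count toward its source's window, and the black hole aging time is a parameter because the page gives no value for it. office_flood replays the example's threshold of 100 against one flooding host.

```python
"""ARP source suppression and ARP black hole routing, simulated.  Added
example, not HP code; models the behaviour described in the text."""
from collections import Counter

WINDOW = 5.0  # seconds: both the counting window and the suppression period


class ArpDefense:
    def __init__(self, suppression_limit=10, blackhole_aging=30.0,
                 suppression=True, blackhole=True):
        self.limit = suppression_limit        # arp source-suppression limit (10 by default)
        self.aging = blackhole_aging          # ASSUMED value; the page gives none
        self.suppression, self.blackhole = suppression, blackhole
        self.windows = {}            # src -> (window_start, packets counted)
        self.suppressed_until = {}   # src -> time suppression ends
        self.blackholes = {}         # dst -> time the black hole route ages out

    def handle(self, now, src, dst, resolvable):
        """Return what the device does with one IP packet:
        'forward', 'blackholed', 'suppressed' or 'arp-request'."""
        if resolvable:
            return "forward"
        if self.blackhole and self.blackholes.get(dst, 0.0) > now:
            return "blackholed"          # dropped by the route; no ARP request,
                                         # and (assumption) not counted for the source
        if self.suppression:
            if self.suppressed_until.get(src, 0.0) > now:
                return "suppressed"
            start, count = self.windows.get(src, (now, 0))
            if now - start >= WINDOW:    # window expired, start counting again
                start, count = now, 0
            count += 1
            self.windows[src] = (start, count)
            if count > self.limit:       # assumption: this packet is suppressed too
                self.suppressed_until[src] = now + WINDOW
                del self.windows[src]
                return "suppressed"
        if self.blackhole:
            self.blackholes[dst] = now + self.aging   # route created on the first miss
        return "arp-request"


def office_flood(limit=100, packets=120):
    """One host sends 'packets' IP packets to distinct unreachable destinations
    within a fraction of a second; returns a count of each outcome.  Black
    hole routing is off so that every miss reaches the suppression counter."""
    dev = ArpDefense(suppression_limit=limit, blackhole=False)
    actions = Counter(dev.handle(i * 0.001, "10.20.0.7", f"10.99.{i // 256}.{i % 256}", False)
                      for i in range(packets))
    return dict(actions)


if __name__ == "__main__":
    print(office_flood())   # first 100 misses trigger ARP, the rest are suppressed
```

With black hole routing on as well, repeated packets to one unresolvable destination are absorbed by the route rather than the counter, which is why the page recommends it for floods with varying source addresses: suppression keys on the source, the black hole route keys on the destination.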
    Configuring ARP packet rate limit 
    Introduction 
    The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU 
    on a switch. For example, if an attacker sends a large number of ARP packets to an ARP detection 
    enabled device, the CPU of the device will be overloaded because all of the ARP packets are redirected 
    to the CPU for checking. As a result, the device fails to deliver other functions properly or even crashes. 
    To solve this problem, you can configure ARP packet rate limit. 
    Enable this feature after the ARP detection or ARP snooping feature is configured, or use this feature to 
    prevent ARP flood attacks. 
    Configuration procedure 
    When the ARP packet rate exceeds the rate limit set on an interface, the device with ARP packet rate limit 
    enabled sends trap and log messages to report the event. To avoid too many trap and log messages, you 
    can set the interval for sending such messages. Within each interval, the device will output the peak ARP 
    packet rate in the trap and log messages. 
    Note that trap and log messages are generated only after the trap function of ARP packet rate limit is 
    enabled. Trap and log messages will be sent to the information center of the device. You can set the 
    parameters of the information center to determine the output rules of trap and log messages. The output 
    rules specify whether the messages are allowed to be output and where they are bound for. For the 
    parameter configuration of the information center, see Network Management and Monitoring 
    Configuration Guide. 
    If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent 
    when the ARP packet rate of a member port exceeds the preset threshold rate. 
    To configure ARP packet rate limit: 
    Step                                              Command                                         Remarks 
    1. Enter system view.                             system-view                                     N/A 
    2. Enable ARP packet rate limit trap.             snmp-agent trap enable arp rate-limit           Optional. 
                                                                                                      Enabled by default. 
                                                                                                      For more information, see the snmp-agent trap enable arp 
                                                                                                      command in Network Management and Monitoring Command Reference. 
    3. Set the interval for sending trap and log      arp rate-limit information interval seconds     Optional. 
       messages when the ARP packet rate exceeds                                                      60 seconds by default. 
       the specified threshold rate. 
    4. Enter Layer 2 Ethernet interface/Layer 2       interface interface-type interface-number       N/A 
       aggregate interface view. 
    5. Configure ARP packet rate limit.               arp rate-limit { disable | rate pps drop }      By default, ARP packet rate limit is disabled. 
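The configuration procedure above sets a per-interface ARP rate with a drop action, a trap switch, and an interval that throttles the trap and log messages to one peak-rate report per interval. The simulation below is an added example, not HP code: it counts ARP packets per interface and per wall-clock second, drops packets beyond the configured rate instead of delivering them to the CPU, and at each interval boundary emits at most one message per interface with the peak rate observed, only while the trap function is enabled. Assumptions marked in the code: the reported peak is the offered rate including dropped packets, and the message text is constructed here rather than taken from the switch's log format.

```python
"""ARP packet rate limit with its trap/log interval, simulated.  Added
example, not HP code; message text is constructed, not the switch's format."""


class ArpRateLimiter:
    def __init__(self, info_interval=60, trap_enabled=True):
        self.interval = info_interval     # arp rate-limit information interval (60 s by default)
        self.trap_enabled = trap_enabled  # snmp-agent trap enable arp rate-limit
        self.limits = {}                  # iface -> pps from 'arp rate-limit rate <pps> drop'
        self.current = {}                 # iface -> (second, packets seen in that second)
        self.peaks = {}                   # iface -> peak pps since the last report
        self.last_report = 0.0
        self.messages = []                # what reached the information center

    def configure(self, iface, pps):
        """Equivalent of 'arp rate-limit rate <pps> drop' under the interface."""
        self.limits[iface] = pps

    def receive_arp(self, now, iface):
        """Return 'to-cpu' or 'drop' for one ARP packet arriving on iface."""
        sec = int(now)
        last_sec, n = self.current.get(iface, (sec, 0))
        n = n + 1 if last_sec == sec else 1          # restart the count each second
        self.current[iface] = (sec, n)
        limit = self.limits.get(iface)
        if limit is None or n <= limit:
            return "to-cpu"
        # Threshold exceeded: remember the offered rate (assumption: dropped
        # packets count toward the reported peak) and drop the packet.
        self.peaks[iface] = max(self.peaks.get(iface, 0), n)
        return "drop"

    def tick(self, now):
        """Called periodically; at an interval boundary, emit the pending reports
        (one per interface that exceeded its limit) and reset the peaks."""
        if now - self.last_report < self.interval:
            return []
        self.last_report = now
        reports = [f"ARP rate limit exceeded on {iface}: limit {self.limits[iface]} pps, "
                   f"peak {peak} pps in the last {self.interval} s"
                   for iface, peak in sorted(self.peaks.items())]
        self.peaks.clear()
        if not self.trap_enabled:        # no trap function, no trap or log message
            return []
        self.messages.extend(reports)
        return reports


if __name__ == "__main__":
    r = ArpRateLimiter()
    r.configure("GE1/0/1", 10)
    outcomes = [r.receive_arp(i * 0.01, "GE1/0/1") for i in range(15)]
    print(outcomes.count("to-cpu"), "delivered,", outcomes.count("drop"), "dropped")
    print(r.tick(60.0))
```

The per-second counter is what bounds CPU load regardless of how the messages are throttled; the interval only controls how often the information center hears about it, which is why the page describes the peak rate rather than every exceedance.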
      
    						