HP 5500 Ei 5500 Si Switch Series Configuration Guide
    Configuring source MAC address based ARP attack detection
    With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the specified threshold. The device adds the MAC address to the attack detection table.
    Before the attack detection entry is aged out, the device uses either of the following detection modes to respond to the detected attack:
    •   Monitor mode—Generates a log message.
    •   Filter mode—Generates a log message and filters out subsequent ARP packets from the attacking MAC address.
    You can also configure protected MAC addresses to exclude a gateway or server from detection. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
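The detection behaviour described above, modelled as an added Python example (not the switch's own code): a per-MAC five-second window, the threshold and aging timer set by the commands in this section, monitor versus filter mode, and exclude-mac protected addresses. The packet list and the MAC addresses other than the server MAC from the configuration example are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5        # the device counts ARP packets per source MAC over five seconds
DEFAULT_THRESHOLD = 50    # default of "arp anti-attack source-mac threshold"
DEFAULT_AGING_TIME = 300  # default of "arp anti-attack source-mac aging-time", in seconds


class SourceMacArpDetector:
    """Model of source MAC address based ARP attack detection.
    mode is "monitor" (log only) or "filter" (log and drop further ARP packets
    from the attacking MAC until its detection entry ages out).
    """

    def __init__(self, mode="monitor", threshold=DEFAULT_THRESHOLD,
                 aging_time=DEFAULT_AGING_TIME, protected_macs=()):
        if mode not in ("monitor", "filter"):
            raise ValueError("mode must be monitor or filter")
        self.mode = mode
        self.threshold = threshold
        self.aging_time = aging_time
        self.protected = {m.lower() for m in protected_macs}  # exclude-mac entries
        self.recent = defaultdict(deque)  # mac -> timestamps within the last five seconds
        self.entries = {}                 # attack detection table: mac -> expiry time
        self.log = []                     # log messages the device would generate

    def process(self, now, src_mac):
        """Handle one ARP packet delivered to the CPU; return "forward" or "drop"."""
        mac = src_mac.lower()
        if mac in self.protected:         # protected MACs are never checked
            return "forward"
        if mac in self.entries and now >= self.entries[mac]:
            del self.entries[mac]         # entry aged out: process this MAC normally again
            self.recent[mac].clear()
        if mac in self.entries:           # still in the attack detection table
            return "drop" if self.mode == "filter" else "forward"
        window = self.recent[mac]
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()              # slide the five-second window
        if len(window) > self.threshold:  # more packets than the threshold: attack
            self.entries[mac] = now + self.aging_time
            self.log.append("t=%s ARP attack from %s: %d packets in %ds"
                            % (now, mac, len(window), WINDOW_SECONDS))
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def simulate(mode, threshold, aging_time, protected_macs, packets):
    """packets: list of (timestamp, source MAC). Returns (dropped count, log lines)."""
    det = SourceMacArpDetector(mode, threshold, aging_time, protected_macs)
    dropped = sum(det.process(t, mac) == "drop" for t, mac in packets)
    return dropped, det.log


# Constructed traffic: one MAC floods 40 ARP packets within a second, the server MAC
# from the configuration example does the same, a normal host sends 10 packets, and
# the flooding MAC returns after its detection entry has aged out.
SAMPLE_PACKETS = ([(1, "00aa-0000-0001")] * 40 + [(1, "0012-3f86-e94c")] * 40
                  + [(2, "00aa-0000-0002")] * 10 + [(100, "00aa-0000-0001")])
```

With the example's settings (filter mode, threshold 30, aging time 60, server MAC protected) the flooding MAC is logged once and its packets after the 30th are dropped, while the protected server is never checked.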
    Configuration procedure
    To configure source MAC address based ARP attack detection:

    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enable source MAC address based ARP attack detection and specify the detection mode.
        Command: arp anti-attack source-mac { filter | monitor }
        Remarks: Disabled by default.
    Step 3. Configure the threshold.
        Command: arp anti-attack source-mac threshold threshold-value
        Remarks: Optional. 50 by default.
    Step 4. Configure the age timer for ARP attack detection entries.
        Command: arp anti-attack source-mac aging-time time
        Remarks: Optional. 300 seconds by default.
    Step 5. Configure protected MAC addresses.
        Command: arp anti-attack source-mac exclude-mac mac-address&
        Remarks: Optional. Not configured by default.

    NOTE:
    After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can be processed normally.

    Displaying and maintaining source MAC address based ARP attack detection
    Task: Display attacking MAC addresses detected by source MAC address based ARP attack detection.
        Command: display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view.

    Configuration example
    Network requirements
    As shown in Figure 128, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway may crash and cannot process requests from the clients. To solve this problem, configure source MAC address based ARP attack detection on the gateway.
    Figure 128 Network diagram (labels: IP network, Gateway Device, Host A, Host B, Host C, Host D, Server 0012-3f86-e94c, ARP attack protection)

    Configuration considerations
    An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:
    1. Enable source MAC address based ARP attack detection and specify the filter mode.
    2. Set the threshold.
    3. Set the age timer for detection entries.
    4. Configure the MAC address of the server as a protected MAC address so that it can send ARP packets.
    Configuration procedure 
    # Enable source MAC address based ARP attack detection and specify the filter mode.  
    <Device> system-view
    [Device] arp anti-attack source-mac filter 
    # Set the threshold to 30. 
    [Device] arp anti-attack source-mac threshold 30 
    # Set the age timer for detection entries to 60 seconds. 
    [Device] arp anti-attack source-mac aging-time 60 
    # Configure 0012-3f86-e94c as a protected MAC address. 
    [Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c 
    Configuring ARP packet source MAC address consistency check
    Introduction 
    The ARP packet source MAC address consistency check feature enables a gateway device to filter out 
    ARP packets that have a different source MAC address in the Ethernet header from the sender MAC 
    address in the message, so that the gateway device can learn correct ARP entries. 
    Configuration procedure
    To enable ARP packet source MAC address consistency check:

    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enable ARP packet source MAC address consistency check.
        Command: arp anti-attack valid-check enable
        Remarks: Disabled by default.
     
    Configuring ARP active acknowledgement 
    Introduction 
    The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.
    ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating any incorrect ARP entry. For more information about its working mechanism, see ARP Attack Protection Technology White Paper.
    Configuration procedure
    To configure ARP active acknowledgement:

    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enable the ARP active acknowledgement function.
        Command: arp anti-attack active-ack enable
        Remarks: Disabled by default.
     
    Configuring ARP detection 
    Introduction 
    ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user 
    spoofing and gateway spoofing attacks. 
    ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding 
    functions. If both ARP packet validity check and user validity check are enabled, the former one applies 
    first, and then the latter applies. 
    ARP detection does not check ARP packets received from ARP trusted ports. 
    Configuring user validity check 
    This feature enables a device to check user validity as follows:
    1. Upon receiving an ARP packet from an ARP untrusted interface, the device checks the packet against the configured rules. If a match is found, the ARP packet is processed according to the matching rule; if no match is found, the device checks the packet against static IP Source Guard binding entries.
    2. The device compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
    3. If a match is found from those entries, the ARP packet is considered valid and is forwarded. (For a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must be an OUI MAC address and the voice VLAN must be enabled.)
    4. If no match is found, the ARP packet is considered invalid and is discarded.
    For more information about voice VLANs and OUI MAC addresses, see Layer 2—LAN Switching Configuration Guide.
    Configuration guidelines
    Follow these guidelines when you configure user validity check:
    •   Static IP source guard binding entries are created by using the ip source binding command. For more information, see Configuring IP source guard.
    •   Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.
    •   802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device. For more information, see Configuring 802.1X.
    •   At least the configured rules, static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries must be available for user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
    •   You must specify a VLAN for an IP source guard binding entry; otherwise, no ARP packets can match the IP source guard binding entry.
    Configuration procedure
    To configure user validity check:

    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Set rules for user validity check.
        Command: arp detection id-number { permit | deny } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ]
        Remarks: Optional. By default, no rule is configured.
    Step 3. Enter VLAN view.
        Command: vlan vlan-id
        Remarks: N/A
    Step 4. Enable ARP detection for the VLAN.
        Command: arp detection enable
        Remarks: ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is disabled by default.
    Step 5. Return to system view.
        Command: quit
        Remarks: N/A
    Step 6. Enter Layer 2 Ethernet interface/Layer 2 aggregate interface view.
        Command: interface interface-type interface-number
        Remarks: N/A
    Step 7. Configure the port as a trusted port on which ARP detection does not apply.
        Command: arp detection trust
        Remarks: Optional. The port is an untrusted port by default.

    Configuring ARP packet validity check
    Perform this task to enable validity check for ARP packets received on untrusted ports and specify the following objects to be checked.
    •   src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.
    •   dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
    •   ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
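An added Python model (not the switch's implementation) of the ARP detection order this chapter describes: the packet validity check objects src-mac, dst-mac and ip (the src-mac object makes the same comparison as the ARP packet source MAC address consistency check) are applied first, then the user validity check against configured rules, static IP source guard bindings, and DHCP snooping or 802.1X entries. It assumes exact-match rules (address masks and the OUI/voice VLAN case are left out), and every packet, binding and entry used with it is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ArpPacket:
    """Constructed view of an ARP packet: Ethernet header fields plus message body."""
    eth_src: str
    eth_dst: str
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    vlan: int


def bad_mac(mac):
    return mac in ("0000-0000-0000", "ffff-ffff-ffff")   # all-zero or all-one


def bad_ip(ip):
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


def packet_validity_check(p, objects):
    """'arp detection validate { dst-mac | ip | src-mac } *' applied to one packet."""
    if "src-mac" in objects and p.sender_mac != p.eth_src:
        return False                      # sender MAC must equal the Ethernet source MAC
    if "dst-mac" in objects and p.op == "reply":
        if bad_mac(p.target_mac) or p.target_mac != p.eth_dst:
            return False                  # reply target MAC must match the Ethernet destination
    if "ip" in objects:
        checked = [p.sender_ip, p.target_ip] if p.op == "reply" else [p.sender_ip]
        if any(bad_ip(ip) for ip in checked):
            return False                  # all-zero, all-one and multicast addresses are invalid
    return True


def user_validity_check(p, rules, static_bindings, dynamic_entries):
    """rules: [(action, ip|None, mac|None, vlan|None)] in 'arp detection' id order;
    static_bindings: {(ip, vlan): mac}; dynamic_entries: {(ip, mac)} from DHCP snooping/802.1X."""
    for action, ip, mac, vlan in rules:                       # 1. configured rules
        if ((ip is None or ip == p.sender_ip) and (mac is None or mac == p.sender_mac)
                and (vlan is None or vlan == p.vlan)):
            return action == "permit"
    bound_mac = static_bindings.get((p.sender_ip, p.vlan))     # 2. static IP source guard bindings
    if bound_mac is not None:
        return bound_mac == p.sender_mac                       # IP matches but MAC differs: invalid
    return (p.sender_ip, p.sender_mac) in dynamic_entries      # 3./4. dynamic entries, else discard


def arp_detection(p, trusted_port, objects, rules, static_bindings, dynamic_entries):
    """Return "forward" or "drop" for a packet received on a port of an ARP detection VLAN."""
    if trusted_port:
        return "forward"                  # ARP detection does not check trusted ports
    if not packet_validity_check(p, objects):
        return "drop"                     # packet validity check applies before user validity check
    ok = user_validity_check(p, rules, static_bindings, dynamic_entries)
    return "forward" if ok else "drop"
```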
    To configure ARP packet validity check:

    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enter VLAN view.
        Command: vlan vlan-id
        Remarks: N/A
    Step 3. Enable ARP detection for the VLAN.
        Command: arp detection enable
        Remarks: Disabled by default.
    Step 4. Return to system view.
        Command: quit
        Remarks: N/A
    Step 5. Enable ARP packet validity check and specify the objects to be checked.
        Command: arp detection validate { dst-mac | ip | src-mac } *
        Remarks: Disabled by default.
    Step 6. Enter Layer 2 Ethernet port/Layer 2 aggregate interface view.
        Command: interface interface-type interface-number
        Remarks: N/A
    Step 7. Configure the port as a trusted port on which ARP detection does not apply.
        Command: arp detection trust
        Remarks: Optional. The port is an untrusted port by default.
     
    Configuring ARP restricted forwarding
    ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports and have passed ARP detection in the following cases:
    •   If the packets are ARP requests, they are forwarded through the trusted ports.
    •   If the packets are ARP responses, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted ports.
    Before performing the following configuration, make sure you have configured the arp detection enable command.
    To enable ARP restricted forwarding:

    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enter VLAN view.
        Command: vlan vlan-id
        Remarks: N/A
    Step 3. Enable ARP restricted forwarding.
        Command: arp restricted-forwarding enable
        Remarks: Disabled by default.
     
    Displaying and maintaining ARP detection  
    Task: Display the VLANs enabled with ARP detection.
        Command: display arp detection [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view.
    Task: Display the ARP detection statistics.
        Command: display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view.
    Task: Clear the ARP detection statistics.
        Command: reset arp detection statistics [ interface interface-type interface-number ]
        Remarks: Available in user view.
    User validity check configuration example 
    Network requirements 
    As shown in Figure 129, configure Switch B to perform user validity check based on 802.1X security entries for connected hosts.
    Figure 129  Network diagram 
     
     
    Configuration procedure 
    1. Add all the ports on Switch B into VLAN 10, and configure the IP address of  VLAN-interface 10 on 
    Switch A. (Details not shown.) 
    2.  Configure Switch A as a DHCP server: 
    # Configure DHCP address pool 0. 
    <SwitchA> system-view
    [SwitchA] dhcp enable 
    [SwitchA] dhcp server ip-pool 0 
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 
    3. Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP 
    detection. (Details not shown.) 
    4. Configure Switch B: 
    # Enable the 802.1X function. 
    <SwitchB> system-view
    [SwitchB] dot1x 
    [SwitchB] interface gigabitethernet 1/0/1 
    [SwitchB-GigabitEthernet1/0/1] dot1x 
    [SwitchB-GigabitEthernet1/0/1] quit 
    [SwitchB] interface gigabitethernet 1/0/2 
    [SwitchB-GigabitEthernet1/0/2] dot1x 
    [SwitchB-GigabitEthernet1/0/2] quit 
    # Add local access user  test. 
    [SwitchB] local-user test 
    [SwitchB-luser-test] service-type lan-access  
    [SwitchB-luser-test] password simple test 
    [SwitchB-luser-test] quit 
    # Enable ARP detection for VLAN 10. 
    [SwitchB] vlan 10 
    [SwitchB-vlan10] arp detection enable 
    # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
    [SwitchB-vlan10] interface gigabitethernet 1/0/3 
    [SwitchB-GigabitEthernet1/0/3] arp detection trust 
    [SwitchB-GigabitEthernet1/0/3] quit 
    After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, they are checked against 802.1X security entries.
    User validity check and ARP packet validity check configuration example
    Network requirements 
    Configure Switch B to perform ARP packet validity check and user validity check based on static IP source 
    guard binding entries and DHCP snooping entries for connected hosts. 
    Figure 130  Network diagram 
     
     
    Configuration procedure 
    1. Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
    2.  Configure Switch A as a DHCP server: 
    # Configure DHCP address pool 0. 
    <SwitchA> system-view
    [SwitchA] dhcp enable 
    [SwitchA] dhcp server ip-pool 0  
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 
    3. Configure Host A as a DHCP client, and Host B as a user. (Details not shown.)
    4. Configure Switch B: 
    # Enable DHCP snooping. 
    <SwitchB> system-view
    [SwitchB] dhcp-snooping 
    [SwitchB] interface gigabitethernet 1/0/3 
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust 
    [SwitchB-GigabitEthernet1/0/3] quit 
    # Enable ARP detection for VLAN 10. 
    [SwitchB] vlan 10 
    [SwitchB-vlan10] arp detection enable 
    # Configure the upstream port as a trusted port  (a port is an untrusted port by default). 
    [SwitchB-vlan10] interface gigabitethernet 1/0/3 
    [SwitchB-GigabitEthernet1/0/3] arp detection trust 
    [SwitchB-GigabitEthernet1/0/3] quit 
    # Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2. 
    [SwitchB] interface gigabitethernet 1/0/2 
    [SwitchB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
    [SwitchB-GigabitEthernet1/0/2] quit 
    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
    [SwitchB] arp detection validate dst-mac ip src-mac 
    After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries.
    ARP restricted forwarding configuration example 
    Network requirements 
    As shown in Figure 131, configure ARP restricted forwarding on Switch B where ARP detection is 
    configured so that port isolation configured on Switch B can take effect for broadcast ARP requests.   
    Figure 131  Network diagram 
     
     
    Configuration procedure 
    1. Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 127. (Details not shown.)
    2. Configure the DHCP server on Switch A. 
    # Configure DHCP address pool 0. 
    <SwitchA> system-view
    [SwitchA] dhcp enable 
    [SwitchA] dhcp server ip-pool 0 
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 
    3. Configure the DHCP client on Hosts A and B. (Details not shown.) 
    4. Configure Switch B. 
    # Enable DHCP snooping, and configure GigabitEthernet 1/0/3 as a DHCP-trusted port.  
    <SwitchB> system-view
    [SwitchB] dhcp-snooping 
    [SwitchB] interface gigabitethernet 1/0/3 
    [SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust 
    [SwitchB-GigabitEthernet1/0/3] quit 
    # Enable ARP detection. 
    [SwitchB] vlan 10 
    [SwitchB-vlan10] arp detection enable 
    # Configure GigabitEthernet 1/0/3 as an ARP-trusted port.
    [SwitchB-vlan10] interface gigabitethernet 1/0/3 
    [SwitchB-GigabitEthernet1/0/3] arp detection trust 
    [SwitchB-GigabitEthernet1/0/3] quit 
    # Configure a static IP source guard entry on interface GigabitEthernet 1/0/2. 
    [SwitchB] interface gigabitethernet 1/0/2 
    [SwitchB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
    [SwitchB-GigabitEthernet1/0/2] quit  