Dynamic Arp Protection; Introduction - HP 2530 Manual Supplement


Unauthorized server <ip-address> detected on port <port-number>. An unauthorized DHCP server is attempting to send packets, recognized when a server packet is dropped because it was received from a server not configured as an authorized server.

Write database to remote file failed errno (error-num). An error occurred while writing the temporary file and sending it using tftp to the remote server.

Dynamic ARP protection

Fix or Feature update? Feature update: Dynamic ARP Protection

Introduction

On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded. For more information about the ARP cache, see "ARP Cache Table" in the HP Switch Software Multicast and Routing Guide.
ARP requests are normally broadcast and received by all devices in a broadcast domain. Most
ARP devices update their IP-to-MAC address entries each time they receive an ARP packet even if
they did not request the information. This behavior makes an ARP cache vulnerable to attacks.
Because ARP allows a node to update its cache entries on other systems by broadcasting or
unicasting a gratuitous ARP reply, an attacker can send his own IP-to-MAC address binding in the
reply that causes all traffic destined for a VLAN node to be sent to the attacker's MAC address.
Thus the attacker can intercept traffic for other hosts in a classic "man-in-the-middle" attack. The
attacker gains access to any traffic sent to the poisoned address and can capture passwords,
e-mail, and VoIP calls or even modify traffic before resending it.
The ARP cache of known IP addresses and associated MAC addresses can also be poisoned
through unsolicited ARP responses. For example, an attacker can associate the IP address of the
network gateway with the MAC address of a network node, preventing all outgoing traffic from
leaving the network because the node does not have access to outside networks. Thus, the node
is overwhelmed by outgoing traffic intended for another network.
Dynamic ARP protection protects your network against ARP poisoning attacks as follows:
- Lets you differentiate between trusted and untrusted ports.
- Intercepts all ARP requests and responses on untrusted ports before forwarding them.
- Verifies IP-to-MAC address bindings on untrusted ports with the information stored in the lease database maintained by DHCP snooping and user configured static bindings (in non-DHCP environments):
  - If a binding is valid, the switch updates its local ARP cache and forwards the packet.
  - If a binding is invalid, the switch drops the packet, preventing other network devices from receiving the invalid IP-to-MAC information.
DHCP snooping intercepts and examines DHCP packets received on switch ports before forwarding
the packets. DHCP packets are checked against a database of DHCP binding information. Each
binding consists of a client MAC address, port number, VLAN identifier, leased IP address, and
lease time. The DHCP binding database is used to validate packets by other security features on
the switch. For more information, see "DHCP Snooping" in the HP Switch Software Access Security
Guide.
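The trusted/untrusted decision and the binding check described above, as an added example that is not HP's code and does not reflect the switch's internal implementation: a small model that validates the sender fields of an ARP packet against a constructed binding database (the Binding, ArpPacket, Switch and demo names are assumptions; the sample MACs, ports and addresses are constructed).

```python
# Added example, not HP's code: a model of the per-packet decision that
# dynamic ARP protection makes. Class and function names are assumptions.
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Binding:  # client MAC, port, VLAN, leased IP (lease time omitted here)
    mac: str
    port: str
    vlan: int
    ip: str

@dataclass
class ArpPacket:
    port: str        # ingress port
    vlan: int
    sender_mac: str  # source physical address field
    sender_ip: str   # source protocol address field

@dataclass
class Switch:
    trusted_ports: set
    bindings: set    # DHCP snooping lease database plus static bindings
    arp_cache: dict = field(default_factory=dict)

    def process_arp(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop'; the ARP cache is updated only on forward."""
        key = (pkt.vlan, pkt.sender_ip)
        if pkt.port in self.trusted_ports:
            self.arp_cache[key] = pkt.sender_mac  # trusted ports are not inspected
            return "forward"
        # Untrusted port: the advertised binding must match a known binding on
        # this port and VLAN (matching on all four fields is an assumption).
        if Binding(pkt.sender_mac, pkt.port, pkt.vlan, pkt.sender_ip) in self.bindings:
            self.arp_cache[key] = pkt.sender_mac
            return "forward"
        return "drop"

def demo() -> tuple:
    """Constructed scenario: gateway on trusted port 1, hosts on 5 and 6, attacker on 7."""
    sw = Switch(trusted_ports={"1"}, bindings={
        Binding("00:11:22:33:44:55", "5", 10, "192.0.2.20"),  # learned by DHCP snooping
        Binding("00:11:22:33:44:66", "6", 10, "192.0.2.30"),  # user-configured static
    })
    results = [
        sw.process_arp(ArpPacket("1", 10, "00:aa:bb:cc:dd:01", "192.0.2.1")),   # gateway
        sw.process_arp(ArpPacket("5", 10, "00:11:22:33:44:55", "192.0.2.20")),  # valid lease
        sw.process_arp(ArpPacket("6", 10, "00:11:22:33:44:66", "192.0.2.30")),  # static host
        sw.process_arp(ArpPacket("7", 10, "00:de:ad:be:ef:07", "192.0.2.1")),   # spoofed gateway
        sw.process_arp(ArpPacket("5", 10, "00:11:22:33:44:55", "192.0.2.30")),  # wrong IP
    ]
    return results, sw.arp_cache
```

The spoofed-gateway reply from port 7 and the client claiming an IP it was not leased are dropped before they reach the ARP cache, while the gateway on the trusted port is never inspected.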
Software Release: Available for software release YA.15.13 and later.
Affected Chapter: 'Dynamic ARP protection' is a new section in Chapter 10 — Port Security of the HP Switch Software Access Security Guide.
Dynamic ARP protection
15
