Dynamic Ip Lockdown; Protection Against Ip Source Address Spoofing; Prerequisite: Dhcp Snooping - HP 2530 Manual Supplement

Example 1 1 The debug arp-protect command
HP Switch(config)# debug arp-protect
1. ARP request is valid
"DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port 1, vlan 1"
2. ARP request detected with an invalid binding
"DARPP: Deny ARP request 000000-000003,10.0.0.1 port 1, vlan 1"
3. ARP response with a valid binding
"DARPP: Allow ARP reply 000000-000002,10.0.0.2 port 2, vlan 1"
4. ARP response detected with an invalid binding
"DARPP: Deny ARP reply 000000-000003,10.0.0.2 port 2, vlan 1"

Dynamic IP Lockdown

Fix or Feature update?
Feature update: Dynamic IP
Lockdown
The Dynamic IP Lockdown feature prevents IP source address spoofing on a per-port and per-VLAN
basis. With dynamic IP lockdown enabled, IP packets in VLAN traffic received on a port are
forwarded only if they contain a known source IP address and MAC address binding for the port.
The IP-to-MAC address binding can either be statically configured or learned by the DHCP Snooping
feature.

Protection against IP source address spoofing

Many network attacks occur when an attacker injects packets with forged IP source addresses into
the network. Also, some network services use the IP source address as a component in their
authentication schemes. For example, the BSD "r" protocols (rlogin, rcp, rsh) rely on the IP source
address for packet authentication. SNMPv1 and SNMPv2c also often use authorized IP address
lists to limit management access. An attacker that can send traffic that appears to originate from
an authorized IP source address may gain access to network services for which he is not authorized.
Dynamic IP lockdown provides protection against IP source address spoofing with IP-level port
security. IP packets received on a port enabled for dynamic IP lockdown are forwarded only if
they contain a known IP source address and MAC address binding for the port.
Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through
statically configured IP source bindings to create internal, per-port lists. The internal lists are
dynamically created from known IP-to- MAC address bindings to filter VLAN traffic on both the
source IP address and source MAC address.

Prerequisite: DHCP snooping

For Dynamic IP lockdown, you must enable DHCP snooping as a prerequisite for its operation on
ports and VLAN traffic:
Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already
stored in the lease database created by DHCP snooping or added through a static configuration
of an IP-to-MAC binding.
Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with
an existing DHCP-assigned address must either request a new leased IP address or renew
their existing DHCP-assigned address. Otherwise, a client's leased IP address is not contained
20 Updates for the HP Switch Software Access Security Guide
Software Release
Available for software release
YA.15.13 and later.
Affected Chapter/Section
'Dynamic IP Lockdown' is a new section in
Chapter 10 — Port Security of the HP Switch
Software Access Security Guide