Configuring User Validity Check - HPE FlexNetwork 7500 Series Security Configuration Manual


ARP attack detection provides the following features:
User validity check.
ARP packet validity check.
ARP restricted forwarding.
ARP attack detection logging.
If both ARP packet validity check and user validity check are enabled, the device performs ARP packet validity check first and then user validity check.

Configuring user validity check

User validity check compares the sender IP address and sender MAC address in a received ARP packet with the following matching criteria, in this order:
1. User validity check rules. If a match is found, the device processes the ARP packet according to the rule (a permit rule forwards the packet, a deny rule discards it). If no match is found, or no user validity check rule is configured, the device proceeds to step 2.
2. Static IP source guard bindings, DHCP snooping entries, and 802.1X security entries. If a match is found, the device forwards the ARP packet. If no match is found, the device discards the ARP packet.
Static IP source guard bindings are created by using the ip source binding command. For more
information, see "Configuring IP source guard."
DHCP snooping entries are automatically generated by DHCP snooping. For more information, see
Layer 3—IP Services Configuration Guide.
802.1X security entries record the IP-to-MAC mappings for 802.1X clients. After a client passes
802.1X authentication and uploads its IP address to an ARP attack detection enabled device, the
device automatically generates an 802.1X security entry. The 802.1X client must be enabled to
upload its IP address to the device. For more information, see "Configuring 802.1X."
Configuration guidelines
When you configure user validity check, follow these guidelines:
Make sure at least one of the following items is configured for user validity check:
User validity check rules.
Static IP source guard bindings.
DHCP snooping.
802.1X.
If none of these items is configured, every incoming ARP packet on an ARP untrusted interface is discarded, because nothing can match.
For an IP source guard binding to be used by user validity check, specify an IP address, a MAC address, and a VLAN in which ARP attack detection is enabled. A binding that lacks any of the three never matches an ARP packet.
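The following is an added example, not code from HPE or the manual: a small Python model of the lookup order described above (rules first, then static IP source guard bindings, DHCP snooping entries and 802.1X entries, discard on no match) together with the two guidelines, so the effect of each configuration choice can be checked on constructed packets. Class and function names are hypothetical; the manual does not state how multiple matching rules are ordered, so the model assumes ascending rule ID, and it treats every step 2 entry as needing IP, MAC and VLAN to match, which the manual states only for IP source guard bindings.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Added illustration of the user validity check decision order; not HPE code.
# All names below are hypothetical and the sample rules/entries are constructed.


def mac_to_int(mac: str) -> int:
    """Accept Comware 'hhhh-hhhh-hhhh' or 'hh:hh:hh:hh:hh:hh' notation."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int            # VLAN the packet arrived in on an untrusted interface


@dataclass(frozen=True)
class Rule:
    """Models 'arp detection rule rule-id { deny | permit } ip ... mac ...'."""
    rule_id: int
    action: str                       # "permit" or "deny"
    ip: str = "any"                   # dotted address, or "any"
    ip_mask: str = "255.255.255.255"  # subnet mask applied to ip
    mac: str = "any"                  # Comware MAC, or "any"
    mac_mask: str = "ffff-ffff-ffff"  # bit mask applied to mac

    def matches(self, pkt: ArpPacket) -> bool:
        if self.ip != "any":
            net = IPv4Network(f"{self.ip}/{self.ip_mask}", strict=False)
            if IPv4Address(pkt.sender_ip) not in net:
                return False
        if self.mac != "any":
            mask = mac_to_int(self.mac_mask)
            if mac_to_int(pkt.sender_mac) & mask != mac_to_int(self.mac) & mask:
                return False
        return True


@dataclass(frozen=True)
class Entry:
    """A static IP source guard binding, DHCP snooping entry or 802.1X entry."""
    source: str                       # e.g. "ip source guard", "dhcp snooping"
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, pkt: ArpPacket) -> bool:
        # Guideline: a binding without IP, MAC and VLAN never matches ARP.
        if self.ip is None or self.mac is None or self.vlan is None:
            return False
        return (IPv4Address(self.ip) == IPv4Address(pkt.sender_ip)
                and mac_to_int(self.mac) == mac_to_int(pkt.sender_mac)
                and self.vlan == pkt.vlan)


def user_validity_check(pkt: ArpPacket, rules: List[Rule],
                        entries: List[Entry]) -> Tuple[bool, str]:
    """Return (forward?, reason) for an ARP packet from an untrusted interface."""
    # Step 1: user validity check rules (ascending rule ID is an assumption).
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action == "permit", f"rule {rule.rule_id} {rule.action}"
    # Step 2: IP source guard bindings, DHCP snooping and 802.1X entries.
    for entry in entries:
        if entry.matches(pkt):
            return True, f"{entry.source} entry"
    # Nothing matched: the packet is discarded. With no rules and no entries
    # configured at all, this branch discards every ARP packet.
    return False, "no match"


# Constructed sample configuration.
RULES = [
    Rule(0, "deny", ip="10.1.1.100"),                       # one blocked host
    Rule(1, "permit", ip="10.1.1.0", ip_mask="255.255.255.0"),
]
ENTRIES = [
    Entry("ip source guard", "10.1.2.10", "0001-0002-0003", 20),
    Entry("ip source guard", "10.1.2.11", "0001-0002-0004"),  # no VLAN: unusable
]

if __name__ == "__main__":
    for pkt in (ArpPacket("10.1.1.100", "0001-0002-0003", 10),
                ArpPacket("10.1.1.50", "0001-0002-0003", 10),
                ArpPacket("10.1.2.10", "0001-0002-0003", 20),
                ArpPacket("10.1.2.10", "0001-0002-0003", 30),
                ArpPacket("10.1.2.11", "0001-0002-0004", 20)):
        print(pkt, user_validity_check(pkt, RULES, ENTRIES))
```

The fourth and fifth sample packets show the VLAN guideline in action: the same IP and MAC are discarded when they arrive in a VLAN other than the one in the binding, and a binding created without a VLAN matches nothing at all.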
Configuration procedure
To configure user validity check:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. (Optional.) Configure a user validity check rule.
  Command: arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] |
  Remarks: By default, no user validity check rule is configured.
