HP 5120 SI Series Security Configuration Manual page 10

Displaying and maintaining source MAC address based ARP attack detection ·········································· 307
Configuring ARP packet source MAC address consistency check ········································································· 307
Introduction ·························································································································································· 307
Configuration procedure ···································································································································· 307
Configuring ARP active acknowledgement ··············································································································· 307
Introduction ·························································································································································· 307
Configuration procedure ···································································································································· 307
Configuring ARP detection ·········································································································································· 308
Introduction ·························································································································································· 308
Enabling ARP detection based on static IP source guard binding Entries/DHCP snooping entries/802.1X
security entries/OUI MAC addresses ··············································································································· 308
Configuring ARP detection based on specified objects ·················································································· 309
Configuring ARP restricted forwarding ············································································································· 310
Displaying and maintaining ARP detection ······································································································ 310
ARP detection configuration example I ············································································································· 311
ARP detection configuration example II ············································································································ 312
ARP restricted forwarding configuration example ··························································································· 313
Configuring ARP gateway protection ························································································································ 315
Introduction ·························································································································································· 315
Configuration procedure ···································································································································· 315
ARP gateway protection configuration example ······························································································ 316
Configuring ARP filtering ············································································································································· 317
Introduction ·························································································································································· 317
Configuration procedure ···································································································································· 317
ARP filtering configuration example ·················································································································· 317
ND attack defense configuration ··························································································································· 319
Introduction to ND attack defense ······························································································································ 319
Enabling source MAC consistency check for ND packets ······················································································· 320
Configuring the ND detection function ······················································································································ 320
Introduction to ND detection ······························································································································ 320
Configuring ND detection ·································································································································· 321
Displaying and maintaining ND detection ······································································································· 322
ND detection configuration example ························································································································· 322
SAVI configuration ·················································································································································· 325
SAVI overview ······························································································································································ 325
Global SAVI configuration ·········································································································································· 325
SAVI configuration in DHCPv6-only address assignment scenario ········································································ 326
SAVI configuration in SLAAC-only address assignment scenario ··········································································· 328
SAVI configuration in DHCPv6+SLAAC address assignment scenario ·································································· 330
System-guard configuration ···································································································································· 333
Configuring system-guard ··········································································································································· 333
Displaying system-guard ·············································································································································· 334
System-guard configuration example ························································································································· 334
Network requirements ········································································································································· 334
Configuration procedure ···································································································································· 334
Configuring FIPS······················································································································································ 335
Overview ······································································································································································· 335
FIPS self-tests ································································································································································· 335
Power-up self-test ················································································································································· 335
Conditional self-tests ············································································································································ 335
Triggering a self-test ············································································································································ 335
Configuration procedure ············································································································································· 336
viii