Configuring Arp Detection; Configuring User Validity Check - HP 10500 Series Configuration Manual
Security configuration guide
Hide thumbs
Also See for 10500 Series:
- Security configuration manual (596 pages) ,
- Configuration manual (512 pages) ,
- Specifications (42 pages)
Table of Contents
Advertisement
To configure ARP active acknowledgement:
Step
1.
Enter system view.
2.
Enable the ARP active
acknowledgement function.
Configuring ARP detection
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
User validity check
•
ARP packet validity check
•
ARP restricted forwarding
•
If both ARP packet validity check and user validity check are enabled, the former one applies first, and
then the latter applies.
ARP detection does not check ARP packets received from ARP trusted ports.
Configuring user validity check
After you enable this feature, the device checks user validity as follows:
1.
Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and
MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is
found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address
but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded.
If no entry with a matching IP address is found, the device compares the ARP packet's sender IP
and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC
addresses.
2.
If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. (For
a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must
be an OUI MAC address and the voice VLAN must be enabled.)
3.
If no match is found, the ARP packet is considered invalid and is discarded.
Static IP source guard binding entries are created by using user-bind. For more information, see
"Configuring IP source
Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information,
see Layer 3—IP Services Configuration Guide.
802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and
uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X
security entry. The 802.1X client must be enabled to upload its IP address to the device. For more
information, see
For more information about voice VLAN and QUI MAC addresses, see Layer 2—LAN Switching
Configuration Guide.
Command
system-view
arp anti-attack active-ack enable
guard."
"Configuring
802.1X."
257
Remarks
N/A
Disabled by default.
Advertisement
Table of Contents
Troubleshooting
