Configuring User Validity Check - HP 6600 Security Configuration Manual
Hide thumbs
Also See for 6600:
- Command reference manual (286 pages) ,
- Configuration manual (236 pages) ,
- Installation and getting started manual (103 pages)
Table of Contents
Advertisement
If both ARP packet validity check and user validity check are enabled, the former one applies first, and
then the latter applies.
ARP detection does not check ARP packets received from ARP trusted ports.
Configuring user validity check
After you enable this feature, the device checks user validity as follows:
1.
Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and
MAC addresses of the ARP packet against user validity check rules. If a matching rule is found, the
ARP packet is processed according to the rule.
2.
If no matching rule is found, the device compares the sender IP and MAC addresses of the ARP
packet against the static IP source guard binding entries. If a match is found, the ARP packet is
considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC
address is found, the ARP packet is considered invalid and is discarded. If no entry with a
matching IP address is found, the device compares the ARP packet's sender IP and MAC
addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
3.
If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. (For
a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must
be an OUI MAC address and the voice VLAN must be enabled.)
4.
If no match is found, the ARP packet is considered invalid and is discarded.
Static IP source guard binding entries are created by using the user-bind command. For more information,
see "Configuring IP source guard."
Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information,
see Layer 3—IP Services Configuration Guide.
802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and
uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X
security entry. The 802.1X client must be enabled to upload its IP address to the device. For more
information, see "Configuring 802.1X."
For more information about voice VLAN and QUI MAC addresses, see Layer 2—LAN Switching
Configuration Guide.
To configure user validity check:
Step
1.
Enter system view.
2.
Configure a user validity check
rule.
3.
Enter VLAN view.
4.
Enable ARP detection.
5.
Return to system view.
6.
Enter Layer 2 Ethernet interface
view or Layer aggregate
interface view.
Command
system-view
arp detection id-number { deny | permit } ip
{ any | ip-address [ ip-address-mask ] } mac
{ any | mac-address [ mac-address-mask ] }
[ vlan vlan-id ]
vlan vlan-id
arp detection enable
quit
interface interface-type interface-number
516
Remarks
N/A
Optional.
Not configured by
default.
N/A
Disabled by default.
N/A
N/A
Advertisement
Table of Contents
Troubleshooting
