HPE FlexNetwork 10500 Series Security Configuration Manual page 13

Configuring an attack defense policy ············································································································· 476
Creating an attack defense policy ·········································································································· 476
Configuring a single-packet attack defense policy ················································································· 477
Configuring a scanning attack defense policy ························································································ 479
Configuring a flood attack defense policy ······························································································ 479
Configuring attack detection exemption ································································································· 484
Applying an attack defense policy to an interface ·················································································· 484
Applying an attack defense policy to the device ···················································································· 485
Enabling log non-aggregation for single-packet attack events······························································· 485
Configuring TCP fragment attack prevention ································································································· 485
Configuring the IP blacklist feature ················································································································ 486
Configuring the user blacklist feature ············································································································· 486
Configuring login attack prevention ················································································································ 487
Enabling the login delay ································································································································· 487
Displaying and maintaining attack detection and prevention ········································································· 488
Attack detection and prevention configuration examples ··············································································· 490
Interface-based attack detection and prevention configuration example ··············································· 490
IP blacklist configuration example ·········································································································· 493
User blacklist configuration example ······································································································ 494
Configuring TCP attack prevention ···························································· 496
Overview ························································································································································ 496
Configuring Naptha attack prevention ············································································································ 496
Configuring IP source guard ······································································ 497
Overview ························································································································································ 497
Static IPSG bindings ······························································································································ 497
Dynamic IPSG bindings ························································································································· 498
Configuration restrictions and guidelines ······································································································· 498
IPSG configuration task list ···························································································································· 499
Configuring the IPv4SG feature ····················································································································· 499
Enabling IPv4SG on an interface ··········································································································· 499
Configuring a static IPv4SG binding ······································································································ 500
Excluding IPv4 packets from IPSG filtering ···························································································· 500
Configuring the IPv6SG feature ····················································································································· 501
Enabling IPv6SG on an interface ··········································································································· 501
Configuring a static IPv6SG binding ······································································································ 501
Displaying and maintaining IPSG··················································································································· 502
IPSG configuration examples ························································································································ 503
Static IPv4SG configuration example ····································································································· 503
Dynamic IPv4SG using DHCP snooping configuration example ··························································· 504
Dynamic IPv4SG using DHCP relay agent configuration example ························································ 505
Static IPv6SG configuration example ····································································································· 506
Dynamic IPv6SG using DHCPv6 snooping configuration example ······················································· 507
Dynamic IPv6SG using DHCPv6 relay agent configuration example ···················································· 508
Configuring ARP attack protection ····························································· 510
ARP attack protection configuration task list ·································································································· 510
Configuring unresolvable IP attack protection ······························································································· 510
Configuring ARP source suppression ···································································································· 511
Configuring ARP blackhole routing ········································································································ 511
Displaying and maintaining unresolvable IP attack protection ······························································· 511
Configuration example ··························································································································· 511
Configuring ARP packet rate limit ·················································································································· 512
Configuration guidelines ························································································································· 512
Configuration procedure ························································································································· 513
Configuring source MAC-based ARP attack detection ·················································································· 514
Configuration procedure ························································································································· 514
Displaying and maintaining source MAC-based ARP attack detection ·················································· 514
Configuration example ··························································································································· 515
Configuring ARP packet source MAC consistency check ·············································································· 516
Configuring ARP active acknowledgement ···································································································· 516
xi