HP ProCurve Series 3400cl Release Notes page 137

Protection Against IP Source Address Spoofing
Many network attacks occur when an attacker injects packets with forged IP source addresses into
the network. Also, some network services use the IP source address as a component in their
authentication schemes. For example, the BSD "r" protocols (rlogin, rcp, rsh) rely on the IP source
address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address
lists to limit management access. An attacker that is able to send traffic that appears to originate
from an authorized IP source address may gain access to network services for which he is not
authorized.
Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level
port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if
they contain a known IP source address and MAC address binding for the port.
Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through
statically configured IP source bindings to create internal, per-port lists. The internal lists are
dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the source
IP address and source MAC address.
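The filtering rule described above (forward an IP packet on a lockdown-enabled port only if its source IP and source MAC pair matches a binding learned from DHCP snooping or configured statically) can be modelled in a few lines. The following simulation is an added example written for this page, not HP code and not the switch's actual implementation; the class and function names, the 10.0.0.0/24 addresses and the MAC addresses are constructed, and the per-port cap of 32 bindings is the 3400cl/2800 figure from the host-limit table below.

```python
"""Simulation of Dynamic IP Lockdown per-port source filtering (constructed example)."""
from dataclasses import dataclass, field

# Per-port host limit for the 3400cl/2800 platform, taken from the release notes table.
MAX_BINDINGS_PER_PORT = 32


@dataclass(frozen=True)
class Binding:
    """One known IP-to-MAC source binding for a port."""
    ip: str
    mac: str


@dataclass
class LockdownPort:
    """A switch port with (optionally) Dynamic IP Lockdown enabled.

    Bindings come from two sources, exactly as the release notes describe:
    the DHCP snooping lease database and statically configured IP source bindings.
    """
    name: str
    lockdown_enabled: bool = True
    bindings: set = field(default_factory=set)

    def learn_from_dhcp_snooping(self, ip, mac):
        """Install a binding taken from the DHCP snooping lease database."""
        return self._install(Binding(ip, mac.lower()))

    def add_static_binding(self, ip, mac):
        """Install a statically configured IP source binding."""
        return self._install(Binding(ip, mac.lower()))

    def _install(self, binding):
        # The per-port limit is the first thing to check: once it is reached, a new
        # host on this port will have its traffic dropped even though its lease is valid.
        if binding in self.bindings:
            return True
        if len(self.bindings) >= MAX_BINDINGS_PER_PORT:
            return False
        self.bindings.add(binding)
        return True

    def forward(self, src_ip, src_mac):
        """Return True if an IP packet with this source pair is forwarded.

        Both fields must match the same binding: a correct IP with a different MAC,
        or a known MAC with a forged IP, is treated as spoofing and dropped.
        """
        if not self.lockdown_enabled:
            return True
        return Binding(src_ip, src_mac.lower()) in self.bindings


def run_sample():
    """Constructed traffic sample; returns the forwarding decision for each case."""
    port = LockdownPort("A1")
    port.learn_from_dhcp_snooping("10.0.0.5", "00:11:22:33:44:55")   # DHCP client
    port.add_static_binding("10.0.0.9", "aa:bb:cc:dd:ee:ff")         # static host
    open_port = LockdownPort("A2", lockdown_enabled=False)            # lockdown off

    return {
        "legit_dhcp_host":      port.forward("10.0.0.5", "00:11:22:33:44:55"),
        "legit_static_host":    port.forward("10.0.0.9", "AA:BB:CC:DD:EE:FF"),
        "spoofed_ip_known_mac": port.forward("10.0.0.1", "00:11:22:33:44:55"),
        "correct_ip_other_mac": port.forward("10.0.0.5", "66:77:88:99:aa:bb"),
        "unknown_host":         port.forward("10.0.0.77", "de:ad:be:ef:00:01"),
        "non_lockdown_port":    open_port.forward("10.0.0.1", "66:77:88:99:aa:bb"),
    }


def fill_port_to_limit():
    """Show the per-port host limit: the 33rd distinct binding is refused."""
    port = LockdownPort("B1")
    accepted = [port.add_static_binding(f"10.1.0.{i + 1}", f"00:00:00:00:00:{i:02x}")
                for i in range(MAX_BINDINGS_PER_PORT)]
    overflow = port.add_static_binding("10.1.0.200", "00:00:00:00:00:ff")
    return all(accepted), overflow, len(port.bindings)


if __name__ == "__main__":
    for case, decision in run_sample().items():
        print(f"{case:24s} -> {'forward' if decision else 'drop'}")
    print("limit test (all accepted, overflow accepted, installed):", fill_port_to_limit())
```

The two "drop" cases with a partially correct source pair are the point of the feature: matching on either field alone would let a host reuse a neighbour's address, so the lookup is on the pair. The limit test shows the failure mode the table warns about on the 3400cl: the cap is per port, so a port with many hosts (an unmanaged downstream switch, for instance) silently loses connectivity for the hosts beyond the cap.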
Differences Between Switch Platforms
There are some differences in the feature set and operation of Dynamic IP Lockdown, depending on
the switch on which it is implemented. These are listed below.
- There is no restriction on GVRP on 3500/5400 switches. On 2600/2800/3400cl switches,
  Dynamic IP Lockdown is not supported if GVRP is enabled on the switch.
- Dynamic IP Lockdown has the host limits shown in the table below. There is a DHCP
  snooping limit of 8,000 entries.
- A source is considered "trusted" for all VLANs if it is seen on any VLAN without DHCP
  snooping enabled.
- On the ProCurve switch series 5400 and 3500, dynamic IP lockdown is supported on a port
  configured for statically configured port-based ACLs.

Switch        Number of Hosts                             Comments
3500/5400     64 bindings per port                        This limit is shared with DHCP snooping because
              Up to 4096 bindings per switch              they both use the snooping database.
3400cl/2800   32 bindings per port                        This is not guaranteed as the hardware
              Up to 32 VLANs with DHCP snooping enabled   resources are shared with QoS.
2600          8 bindings per port                         This is not guaranteed as the hardware
              Up to 8 VLANs with DHCP snooping enabled    resources are shared with QoS.

Release M.10.43 Enhancements
Enhancements 127