Configuring Arp Attack Defense; Overview; User Validity Check; Arp Packet Validity Check - HP 830 Series Configuration Manual

PoE+ Unified Wired-WLAN Switch Switching Engine Web-Based Configuration
Configuring ARP attack defense

Overview

ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks.
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to
prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions: user validity check and ARP packet validity check.

User validity check

This feature does not check ARP packets received from an ARP trusted port. It checks an ARP packet
received from an ARP untrusted port as follows:
1. It compares the sender IP and MAC addresses of the ARP packet against the static IP Source Guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the device matches the packet against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
2. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. If the sender MAC address of the received ARP packet is an OUI MAC address, the packet is considered valid.
3. If no match is found, the ARP packet is considered invalid and is discarded.

ARP packet validity check

This feature does not check ARP packets received from an ARP trusted port. It checks ARP packets received from ARP untrusted ports based on the following objects:
src-mac—Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip—Checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.
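The two checks above are easier to reason about as code. The following is an added reference model written for this page, not code from the HP manual or the switch firmware: it parses a raw Ethernet/ARP frame, applies the packet validity check for the src-mac, dst-mac and ip objects, then applies the user validity check against static IP Source Guard entries, DHCP snooping/802.1X entries and an OUI prefix list, in the order the manual describes. All MAC addresses, IP addresses, binding tables and the OUI prefix are constructed demo values.

```python
# Added example, not taken from the HP manual: a reference model of the ARP
# detection logic (packet validity check, then user validity check).
# All addresses, binding tables and the OUI prefix below are constructed.
import struct
from ipaddress import IPv4Address

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp_frame(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (hlen=6, plen=4)."""
    eth = eth_dst + eth_src + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (eth + arp + sender_mac + IPv4Address(sender_ip).packed
            + target_mac + IPv4Address(target_ip).packed)


def parse_arp_frame(frame):
    """Split a frame into the Ethernet and ARP fields the checks need."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not a complete Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
            "sender_mac": frame[22:28], "sender_ip": IPv4Address(frame[28:32]),
            "target_mac": frame[32:38], "target_ip": IPv4Address(frame[38:42])}


def _invalid_ip(ip):
    # all-zero, all-one or multicast addresses are invalid under the "ip" object
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def packet_validity_check(pkt, objects=("src-mac", "dst-mac", "ip")):
    """Return None if the packet passes, otherwise the name of the failing object."""
    if "src-mac" in objects and pkt["sender_mac"] != pkt["eth_src"]:
        return "src-mac"
    if "dst-mac" in objects and pkt["op"] == ARP_REPLY:
        tmac = pkt["target_mac"]
        if tmac in (ZERO_MAC, BCAST_MAC) or tmac != pkt["eth_dst"]:
            return "dst-mac"
    if "ip" in objects:
        # sender IP is checked for requests and replies; target IP only for replies
        if _invalid_ip(pkt["sender_ip"]):
            return "ip"
        if pkt["op"] == ARP_REPLY and _invalid_ip(pkt["target_ip"]):
            return "ip"
    return None


def user_validity_check(pkt, static_bindings, dynamic_bindings, oui_prefixes):
    """static_bindings: {IP: MAC} (static IP Source Guard); dynamic_bindings:
    {(IP, MAC)} (DHCP snooping / 802.1X); oui_prefixes: 3-byte MAC prefixes."""
    ip, smac = pkt["sender_ip"], pkt["sender_mac"]
    if ip in static_bindings:
        return static_bindings[ip] == smac   # matching IP, wrong MAC -> discard
    if (ip, smac) in dynamic_bindings:
        return True
    return smac[:3] in oui_prefixes


def arp_detect(frame, trusted_port, tables, objects=("src-mac", "dst-mac", "ip")):
    """Apply the checks in the manual's order: packet validity first, then user validity."""
    if trusted_port:
        return "forward"
    pkt = parse_arp_frame(frame)
    failed = packet_validity_check(pkt, objects)
    if failed is not None:
        return f"discard (packet validity: {failed})"
    if not user_validity_check(pkt, *tables):
        return "discard (user validity)"
    return "forward"


# --- constructed demo data ---
HOST_MAC, HOST_IP = mac("00:11:22:33:44:55"), "10.0.0.10"
GW_MAC, GW_IP = mac("00:11:22:33:44:01"), "10.0.0.1"
OTHER_MAC = mac("00:11:22:33:44:99")                # not bound to 10.0.0.10
DHCP_MAC, DHCP_IP = mac("02:33:44:55:66:77"), "10.0.0.20"
TABLES = ({IPv4Address(HOST_IP): HOST_MAC},          # static IP Source Guard
          {(IPv4Address(DHCP_IP), DHCP_MAC)},        # DHCP snooping / 802.1X
          {mac("02:aa:bb:00:00:00")[:3]})            # constructed OUI prefix


def run_demo():
    req = lambda esrc, smac, sip: build_arp_frame(BCAST_MAC, esrc, ARP_REQUEST, smac, sip, ZERO_MAC, GW_IP)
    frames = {
        "valid request": req(HOST_MAC, HOST_MAC, HOST_IP),
        "dhcp client": req(DHCP_MAC, DHCP_MAC, DHCP_IP),
        "oui mac": req(mac("02:aa:bb:01:02:03"), mac("02:aa:bb:01:02:03"), "10.0.0.30"),
        "ip bound to other mac": req(OTHER_MAC, OTHER_MAC, HOST_IP),
        "sender/ethernet mac differ": req(HOST_MAC, OTHER_MAC, HOST_IP),
        "multicast sender ip": req(HOST_MAC, HOST_MAC, "224.0.0.1"),
        "reply with zero target mac": build_arp_frame(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, ZERO_MAC, HOST_IP),
    }
    verdicts = {name: arp_detect(f, False, TABLES) for name, f in frames.items()}
    verdicts["trusted port"] = arp_detect(frames["ip bound to other mac"], True, TABLES)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} -> {verdict}")
```

Two points the model makes visible: a matching static entry decides the outcome on its own (an IP bound to one MAC is never rescued by a DHCP snooping or OUI match), and the OUI path accepts any sender MAC with a listed prefix regardless of sender IP, so the OUI list should be kept short. Note also that the ip object discards a sender IP of all zeros, which is what hosts use for ARP probes during address conflict detection, so verify that endpoints on untrusted ports do not depend on those probes before enabling it.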

Configuring ARP detection

If you have configured both checks, the ARP packet validity check is performed first, and the user validity check is applied only to packets that pass it.
1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page.
234
