Access Security Guide K/KA/KB.15.15

If you have already enabled DHCP snooping on a switch, you may also want to add static IP-to-MAC
address bindings to the DHCP snooping database so that ARP packets from devices that have been
assigned static IP addresses are also verified.
Dynamic ARP protection also supports additional checks to verify the source MAC address, destination
MAC address, and IP address.
ARP packets that contain invalid IP addresses or MAC addresses in their body that do not
match the addresses in the Ethernet header are dropped.
When dynamic ARP protection is enabled, only ARP request and reply packets with valid IP-to-MAC
address bindings in their packet header are relayed and used to update the ARP cache.
Dynamic ARP protection is implemented in the following ways on a switch:
You can configure dynamic ARP protection only from the CLI; you cannot configure this feature
from the WebAgent or menu interfaces.
Line rate—Dynamic ARP protection copies ARP packets to the switch CPU, evaluates the
packets, and then re-forwards them through the switch software. During this process, if ARP
packets are received at too high a line rate, some ARP packets may be dropped and will
need to be retransmitted.
The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection
and to report ARP packet-forwarding status and counters.
Dynamic IP Lockdown
The Dynamic IP Lockdown feature is used to prevent IP source address spoofing on a per-port and
per-VLAN basis. When dynamic IP lockdown is enabled, IP packets in VLAN traffic received on a
port are forwarded only if they contain a known source IP address and MAC address binding for
the port. The IP-to-MAC address binding can either be statically configured or learned by the DHCP
Snooping feature.
Protection against IP source address spoofing
Many network attacks occur when an attacker injects packets with forged IP source addresses into
the network. Also, some network services use the IP source address as a component in their
authentication schemes. For example, the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source
address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address
lists to limit management access. An attacker that is able to send traffic that appears to originate
from an authorized IP source address may gain access to network services for which he is not
authorized. Dynamic IP lockdown provides protection against IP source address spoofing by means
of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only
forwarded if they contain a known IP source address and MAC address binding for the port.
Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through
statically configured IP source bindings to create internal, per-port lists. The internal lists are
dynamically created from known IP-to-MAC address bindings to filter VLAN traffic on both the
source IP address and source MAC address.
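The following is an added model of the two filters described above (dynamic ARP protection and dynamic IP lockdown), written for this page and not taken from the switch software; the port names, VLAN, IP and MAC values are constructed. It shows the per-port binding lookup, the header-versus-body ARP check, and why a client whose lease is not yet in the binding table is dropped on a locked-down port until it renews.

```python
from dataclasses import dataclass, field

# Constructed model of the switch's binding data, not HP switch code.
# bindings maps (port, vlan) -> {client_ip: client_mac}, filled from the
# DHCP snooping lease database and from static IP source bindings.
@dataclass
class SwitchState:
    bindings: dict = field(default_factory=dict)
    lockdown_ports: set = field(default_factory=set)     # dynamic IP lockdown enabled
    arp_protect_vlans: set = field(default_factory=set)  # dynamic ARP protection enabled
    arp_validate: bool = False  # additional check: ARP body MAC vs Ethernet header

    def add_binding(self, port, vlan, ip, mac):
        """Record a lease learned by DHCP snooping or a static binding."""
        self.bindings.setdefault((port, vlan), {})[ip] = mac

    def has_binding(self, port, vlan, ip, mac):
        return self.bindings.get((port, vlan), {}).get(ip) == mac

def ip_packet_forwarded(sw, port, vlan, src_ip, src_mac):
    """Dynamic IP lockdown: on a locked-down port, forward only if the
    (src_ip, src_mac) pair is a known binding for that port and VLAN."""
    if port not in sw.lockdown_ports:
        return True
    return sw.has_binding(port, vlan, src_ip, src_mac)

def arp_packet_forwarded(sw, port, vlan, eth_src_mac, sender_mac, sender_ip):
    """Dynamic ARP protection: relay an ARP request/reply only if the sender
    IP/MAC in the ARP body is a known binding; with validation on, also drop
    packets whose body sender MAC disagrees with the Ethernet source MAC."""
    if vlan not in sw.arp_protect_vlans:
        return True
    if sw.arp_validate and sender_mac != eth_src_mac:
        return False
    return sw.has_binding(port, vlan, sender_ip, sender_mac)

def demo():
    """Lockdown is on before the client's lease is known; then the client renews."""
    sw = SwitchState(lockdown_ports={"A1"}, arp_protect_vlans={10}, arp_validate=True)
    ip, mac, port, vlan = "10.0.10.25", "00:11:22:33:44:55", "A1", 10  # constructed
    before = ip_packet_forwarded(sw, port, vlan, ip, mac)  # no binding yet -> dropped
    sw.add_binding(port, vlan, ip, mac)  # client renews; DHCP snooping records the lease
    after = ip_packet_forwarded(sw, port, vlan, ip, mac)
    spoof = ip_packet_forwarded(sw, port, vlan, "10.0.10.1", mac)  # forged source IP
    arp_ok = arp_packet_forwarded(sw, port, vlan, mac, mac, ip)
    arp_bad = arp_packet_forwarded(sw, port, vlan, mac, "de:ad:be:ef:00:01", ip)
    return {"before": before, "after": after, "spoof": spoof,
            "arp_ok": arp_ok, "arp_bad": arp_bad}
```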
Prerequisite: DHCP snooping
Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation
on ports and VLAN traffic:
Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already
stored in the lease database created by DHCP snooping or added through a static configuration
of an IP-to-MAC binding. Therefore, if you enable DHCP snooping after dynamic IP lockdown
is enabled, clients with an existing DHCP-assigned address must either request a new leased
IP address or renew their existing DHCP-assigned address. Otherwise, a client’s leased IP
390 Port Security