Access Security Guide K/KA/KB.15.15

Figure 293 Trusted Ports for Dynamic ARP Protection
Take into account the following configuration guidelines when you use dynamic ARP protection in
your network:
You should configure ports connected to other switches in the network as trusted ports. In this
way, all network switches can exchange ARP packets and update their ARP caches with valid
information.
Switches that do not support dynamic ARP protection should be separated by a router in their
own Layer 2 domain. ARP is not routed, so an attacker's ARP packets cannot leave that domain;
otherwise an unprotected switch could accept poisoned ARP replies and relay them into the
protected switches over a trusted port, where they would not be checked.
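The following is an added configuration walk-through, not taken from the HP guide, showing the trusted-port rule above on a ProCurve CLI. It assumes a constructed topology: uplinks A1-A2 connect to other switches that also run dynamic ARP protection, edge ports B1-B24 connect to end hosts, and the user VLAN is 10. It also assumes DHCP snooping is already the source of the IP-to-MAC bindings that dynamic ARP protection checks against (the guide covers that in its own section).

```text
Switch# configure
Switch(config)# dhcp-snooping
Switch(config)# dhcp-snooping vlan 10
Switch(config)# dhcp-snooping trust A1-A2
Switch(config)# arp-protect
Switch(config)# arp-protect vlan 10
Switch(config)# arp-protect trust A1-A2
Switch(config)# show arp-protect
Switch(config)# show arp-protect statistics 10
```

Only the inter-switch links A1-A2 are trusted; every host port stays untrusted, so ARP replies from B1-B24 are validated against the binding table and dropped if they do not match. Check `show arp-protect` after the change: if an uplink to a protected switch is missing from the trusted list, legitimate ARP from the rest of the network will be dropped on that link, which is the usual cause of a "connectivity disappeared after enabling arp-protect" report.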
Intruder protection
An "intruder" is a device whose MAC address is not one of the addresses authorized on the port,
or that exceeds the port's address limit. A port that detects an intruder blocks the intruding
device from transmitting to the network through that port.
Eavesdrop protection
Using either the port-security command or the switch WebAgent to enable port security on a given
port automatically enables eavesdrop prevention on that port.
General operation for port security
On a per-port basis, you can configure security measures to block unauthorized devices, and to
send notice of security violations. Once port security is configured, you can then monitor the network
for security violations through one or more of the following:
Alert flags that are captured by network management tools such as HP PCM+
Alert Log entries in the WebAgent
Event Log entries in the console interface
Intrusion Log entries in the menu interface, CLI, or WebAgent
For any port, you can configure the following:
Action
Used when a port detects an intruder. Specifies whether to send an SNMP trap to a network
management station and whether to disable the port.
Address Limit
Sets the number of authorized MAC addresses allowed on the port.
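As an added example (not part of the HP guide), the following session ties the Action and Address Limit settings together on a ProCurve CLI. It assumes a constructed case: edge port B5 serving an IP phone and the PC behind it, with made-up MAC addresses 0016b9-aabb01 and 0016b9-aabb02 (ProCurve writes MACs as two groups of six hex digits).

```text
Switch# configure
Switch(config)# port-security B5 learn-mode static address-limit 2 action send-disable
Switch(config)# port-security B5 mac-address 0016b9-aabb01 0016b9-aabb02
Switch(config)# show port-security B5
Switch(config)# show port-security intrusion-log
Switch(config)# port-security B5 clear-intrusion-flag
Switch(config)# interface B5 enable
```

`address-limit 2` with two static addresses means any third MAC seen on B5 is an intruder. `action send-disable` sends the SNMP trap and disables the port; `send-alarm` only traps and logs; `none` blocks the intruder's frames without notifying anyone. A port disabled by `send-disable` stays down until an administrator clears the intrusion flag and re-enables it, as the last two lines do, so pick `send-alarm` for ports where a locked-out user is worse than a short window of blocked-but-logged traffic. Because port security is now enabled on B5, eavesdrop prevention is on as well: unknown-destination unicast is no longer flooded out of that port.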