R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

Blacklist configuration example ··························································································································· 15

Traffic statistics configuration example ··············································································································· 17

TCP proxy configuration example ······················································································································· 18

Configuring TCP attack protection ···························································································································· 21

Overview ········································································································································································· 21

Enabling the SYN Cookie feature ································································································································ 21

Enabling protection against Naptha attacks ··············································································································· 22

Displaying and maintaining TCP attack protection ···································································································· 22

Configuring IP source guard ····································································································································· 23

Static IP source guard entries ······························································································································· 23

Dynamic IP source guard entries ························································································································· 24

Configuring IPv4 source guard ····································································································································· 24

Enabling IPv4 source guard on a port ················································································································ 24

Configuring a static IPv4 source guard entry ····································································································· 25

Setting the maximum number of IPv4 source guard entries ·············································································· 26

Displaying and maintaining IP source guard ·············································································································· 26

Static IPv4 source guard entry configuration example ······························································································ 27

Dynamic IPv4 source guard by DHCP snooping configuration example ································································ 29

Dynamic IPv4 source guard by DHCP relay configuration example ········································································ 30

Troubleshooting IP source guard ·································································································································· 31

Configuring ARP attack protection ···························································································································· 32

ARP attack protection configuration task list ··············································································································· 32

Configuring unresolvable IP attack protection ············································································································ 33

Configuring ARP source suppression ·················································································································· 33

Enabling ARP blackhole routing ·························································································································· 33

Displaying and maintaining ARP source suppression ······················································································· 34

Configuration example ········································································································································· 34

Configuring ARP packet rate limit ································································································································ 35

Configuring ARP packet source MAC consistency check ·························································································· 35

Configuring ARP active acknowledgement ················································································································· 36

Configuring authorized ARP ········································································································································· 36

Configuration example (on a DHCP server) ······································································································· 37

Authorized ARP configuration example (on a DHCP relay agent) ·································································· 38

Configuring ARP detection ············································································································································ 39

Configuring user validity check ··························································································································· 40

Configuring ARP packet validity check ··············································································································· 41

Configuring ARP restricted forwarding ··············································································································· 41

Displaying and maintaining ARP detection ········································································································ 42

User validity check configuration example ········································································································· 42

User validity check and ARP packet validity check configuration example ···················································· 44

ARP restricted forwarding configuration example ····························································································· 45

Configuring ARP automatic scanning and fixed ARP ································································································· 47

Configuration guidelines ······································································································································ 47

Configuration procedure ······································································································································ 48

Configuring ARP gateway protection ·························································································································· 48

ARP gateway protection configuration example ································································································ 49

Configuring ARP filtering ··············································································································································· 49

ARP filtering configuration example ···················································································································· 50

Configuring ND attack defense ································································································································ 52