R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

431

432

433

434

435

436

437

438

439

440

If both ARP packet validity check and user validity check are enabled, the former one applies first, and

then the latter applies.

ARP detection does not check ARP packets received from ARP trusted ports.

Configuring user validity check

After you enable this feature, the device checks user validity as follows:

1. Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and

MAC addresses of the ARP packet against user validity check rules. If a matching rule is found, the

ARP packet is processed according to the rule.

2. If no matching rule is found, the device compares the sender IP and MAC addresses of the ARP

packet against the static IP source guard binding entries. If a match is found, the ARP packet is

considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC

address is found, the ARP packet is considered invalid and is discarded. If no entry with a

matching IP address is found, the device compares the ARP packet's sender IP and MAC

addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.

3. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. (For

a packet to pass user validity check based on OUI MAC addresses, the sender MAC address must

be an OUI MAC address and the voice VLAN must be enabled.)

4. If no match is found, the ARP packet is considered invalid and is discarded.

Static IP source guard binding entries are created by using the user-bind command. For more information,

see "Configuring IP source guard."

Dynamic DHCP snooping entries are automatically generated by DHCP snooping. For more information,

see Layer 3—IP Services Configuration Guide.

802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and

uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X

security entry. The 802.1X client must be enabled to upload its IP address to the device. For more

information, see "Configuring 802.1X."

For more information about voice VLAN and QUI MAC addresses, see Layer 2—LAN Switching

Configuration Guide.

To configure user validity check:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Configure a user validity check

rule.

arp detection id-number { deny | permit } ip

{ any | ip-address [ ip-address-mask ] } mac

{ any | mac-address [ mac-address-mask ] }

[ vlan vlan-id ]

Optional.

Not configured by

default.

3. Enter VLAN view.

vlan vlan-id N/A

4. Enable ARP detection.

arp detection enable Disabled by default.

5. Return to system view.

quit N/A

6. Enter Layer 2 Ethernet interface

view or Layer aggregate

interface view.

interface interface-type interface-number N/A