R211x-HP Flexfabric 11900 Security Configuration Guide

Configuring ARP attack protection
ARP attacks and viruses threaten LAN security. This chapter describes the features used to detect and prevent ARP attacks.
Although ARP is easy to implement, it provides no security mechanism (an ARP sender is never authenticated) and is therefore vulnerable to network attacks. An attacker can exploit ARP in the following ways:
• Spoofing: acts as a trusted user or gateway and sends ARP packets so that the receiving devices learn incorrect ARP entries (for example, a gateway entry that points to the attacker's MAC address).
• Unresolvable IP flooding: sends a large number of IP packets whose destination IP addresses ARP cannot resolve to MAC addresses (called unresolvable IP packets), so that the receiving device is kept busy resolving IP addresses until its CPU is overloaded.
• ARP flooding: sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White Paper.
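The following is an added example, not code from the HP FlexFabric guide or from the switch itself. It builds a few constructed ARP frames (hypothetical addresses, not a capture) and runs three of the checks that the features in this chapter perform in hardware: the source MAC consistency check (Ethernet source MAC versus ARP sender MAC), a gateway-protection check (a packet claiming the gateway IP with the wrong MAC), and a per-source-MAC rate check of the kind used by source MAC-based ARP attack detection and ARP packet rate limiting. The threshold, the gateway address and the function names are assumptions for the example.

```python
# Added example (not HP FlexFabric code): constructed ARP frames and three
# host-side checks that mirror the switch features described in this chapter.
import struct
from collections import Counter

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet II + ARP (IPv4 over Ethernet) frame."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]), "eth_dst": mac_str(frame[0:6]), "op": op,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


def check_arp_stream(frames, gateway_ip, gateway_mac, rate_threshold):
    """Run three checks over one batch of frames; return a list of (kind, detail).

    mac-mismatch : Ethernet source MAC differs from the ARP sender MAC.
    gateway-spoof: sender claims the gateway IP with a MAC other than gateway_mac.
    arp-flood    : one source MAC sent more than rate_threshold ARP packets.
    """
    alerts, per_source = [], Counter()
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is None:
            continue  # not ARP: these checks do not apply
        per_source[pkt["eth_src"]] += 1
        if pkt["eth_src"] != pkt["sha"]:
            alerts.append(("mac-mismatch",
                           f"frame from {pkt['eth_src']} carries ARP sender MAC {pkt['sha']}"))
        if pkt["spa"] == gateway_ip and pkt["sha"] != gateway_mac:
            alerts.append(("gateway-spoof",
                           f"{pkt['sha']} claims gateway {gateway_ip} (expected {gateway_mac})"))
    for mac, count in sorted(per_source.items()):
        if count > rate_threshold:
            alerts.append(("arp-flood", f"{mac} sent {count} ARP packets (limit {rate_threshold})"))
    return alerts


# Constructed sample traffic: hypothetical addresses, not a real capture.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:aa:bb:cc:dd:01"
HOST_IP, HOST_MAC = "10.0.0.10", "00:11:22:33:44:55"


def sample_frames():
    frames = [
        # Normal exchange: the host asks for the gateway and the gateway answers.
        build_arp_frame(HOST_MAC, BROADCAST, ARP_REQUEST,
                        HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp_frame(GATEWAY_MAC, HOST_MAC, ARP_REPLY,
                        GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
        # Gateway spoofing: an attacker announces the gateway IP with its own MAC.
        build_arp_frame("00:de:ad:be:ef:01", HOST_MAC, ARP_REPLY,
                        "00:de:ad:be:ef:01", GATEWAY_IP, HOST_MAC, HOST_IP),
        # User spoofing with inconsistent MACs: the Ethernet source is the attacker
        # while the ARP sender hardware address claims to be the host.
        build_arp_frame("00:de:ad:be:ef:02", BROADCAST, ARP_REQUEST,
                        HOST_MAC, HOST_IP, "00:00:00:00:00:00", "10.0.0.20"),
    ]
    # ARP flood: one source sweeps 25 target addresses in a single batch.
    for i in range(25):
        frames.append(build_arp_frame("00:de:ad:be:ef:03", BROADCAST, ARP_REQUEST,
                                      "00:de:ad:be:ef:03", "10.0.0.200",
                                      "00:00:00:00:00:00", f"10.0.0.{100 + i}"))
    return frames


def demo(rate_threshold=20):
    return check_arp_stream(sample_frames(), GATEWAY_IP, GATEWAY_MAC, rate_threshold)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:14} {detail}")
```

On the constructed batch the three attacks each raise one alert while the normal request/reply pair raises none. Note that the rate check counts packets per batch with no time window; the switch features key on packets per second, so a real implementation would bucket by arrival time.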
NOTE:
The ARP attack protection feature is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
ARP attack protection configuration task list
Tasks at a glance
Flood prevention:
• Configuring unresolvable IP attack protection (configured on gateways)
  ○ Configuring ARP source suppression
  ○ Enabling ARP blackhole routing
• Configuring ARP packet rate limit (configured on access devices)
• Configuring source MAC-based ARP attack detection (configured on gateways)
User and gateway spoofing prevention:
• Configuring ARP packet source MAC consistency check (configured on gateways)
• Configuring ARP active acknowledgement (configured on gateways)
• Configuring authorized ARP (configured on gateways)
• Configuring ARP detection (configured on access devices)
• Configuring ARP automatic scanning and fixed ARP (configured on gateways)
• Configuring ARP gateway protection (configured on access devices)
• Configuring ARP filtering (configured on access devices)