R3303-HP 6600/HSR6600 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR6602-XG TAA-compliant Router

Configuring IP source guard ·································································································································· 502

Overview ······································································································································································· 502

Static IP source guard entries ····························································································································· 502

Dynamic IP source guard entries ······················································································································· 503

Configuring IPv4 source guard ··································································································································· 503

Enabling IPv4 source guard on a port ·············································································································· 503

Configuring a static IPv4 source guard entry ··································································································· 504

Setting the maximum number of IPv4 source guard entries ············································································ 505

Displaying and maintaining IP source guard ············································································································ 505

Static IPv4 source guard entry configuration example ···························································································· 506

Dynamic IPv4 source guard by DHCP snooping configuration example ······························································ 508

Dynamic IPv4 source guard by DHCP relay configuration example ······································································ 509

Troubleshooting IP source guard ································································································································ 510

Configuring ARP attack protection ························································································································· 511

ARP attack protection configuration task list ············································································································· 511

Configuring unresolvable IP attack protection ·········································································································· 512

Configuring ARP source suppression ················································································································ 512

Enabling ARP blackhole routing ························································································································ 512

Displaying and maintaining ARP source suppression ····················································································· 513

Configuration example ······································································································································· 513

Configuring ARP packet rate limit ······························································································································ 514

Configuring ARP packet source MAC consistency check ························································································ 514

Configuring ARP active acknowledgement ··············································································································· 514

Configuring authorized ARP ······································································································································· 515

Configuration example (on a DHCP server) ····································································································· 515

Authorized ARP configuration example (on a DHCP relay agent) ································································ 517

Configuring ARP detection ·········································································································································· 518

Configuring user validity check ························································································································· 519

Configuring ARP packet validity check ············································································································· 520

Configuring ARP restricted forwarding ············································································································· 520

Displaying and maintaining ARP detection ······································································································ 521

User validity check configuration example ······································································································· 521

User validity check and ARP packet validity check configuration example ·················································· 522

ARP restricted forwarding configuration example ··························································································· 524

Configuring ARP automatic scanning and fixed ARP ······························································································· 526

Configuration guidelines ···································································································································· 526

Configuration procedure ···································································································································· 526

Configuring ARP gateway protection ························································································································ 527

ARP gateway protection configuration example ······························································································ 527

Configuring ARP filtering ············································································································································· 528

ARP filtering configuration example ·················································································································· 529

Configuring ND attack defense ····························································································································· 530

Enabling source MAC consistency check for ND packets ······················································································· 531

Configuring URPF ···················································································································································· 532

URPF check modes ·············································································································································· 532

URPF features ······················································································································································· 532

URPF work flow ···················································································································································· 533

Network application ··········································································································································· 535

Configuring URPF on an interface ······························································································································ 535

URPF configuration example ······································································································································· 536