R0106-HP MSR Router Series Security Configuration Guide(V7)
ix
Configuring session logging ······································································································································· 380
Displaying and maintaining session management ··································································································· 381
Configuring connection limits ································································································································· 383
Overview ······································································································································································· 383
Connection limit configuration task list ······················································································································ 383
Creating a connection limit policy ····························································································································· 383
Configuring the connection limit policy ····················································································································· 384
Applying the connection limit policy ·························································································································· 384
Displaying and maintaining connection limits ·········································································································· 385
Connection limit configuration example ···················································································································· 386
Troubleshooting ACLs in the connection limit rules with overlapping segments ··················································· 388
Configuring object groups······································································································································ 389
Overview ······································································································································································· 389
Configuring an IPv4 address object group ··············································································································· 389
Configuring an IPv6 address object group ··············································································································· 389
Configuring a port object group ································································································································ 390
Configuring a service object group ··························································································································· 390
Displaying and maintaining object groups ··············································································································· 390
Configuring IP source guard ·································································································································· 392
Overview ······································································································································································· 392
Static IP source guard binding entries ··············································································································· 392
Dynamic IP source guard binding entries ········································································································· 393
Feature and hardware compatibility ·························································································································· 393
IP source guard configuration task list ······················································································································· 393
Configuring the IPv4 source guard function ·············································································································· 394
Enabling IPv4 source guard on an interface ···································································································· 394
Configuring a static IPv4 source guard binding entry on an interface ························································· 394
Configuring the IPv6 source guard function ·············································································································· 395
Enabling IPv6 source guard on an interface ···································································································· 395
Configuring a static IPv6 source guard binding entry on an interface ························································· 396
Displaying and maintaining IP source guard ············································································································ 396
IP source guard configuration examples ··················································································································· 397
Static IPv4 source guard configuration example ····························································································· 397
Dynamic IPv4 source guard using DHCP snooping configuration example ················································· 398
Static IPv6 source guard configuration example ····························································································· 399
Dynamic IPv6 source guard using DHCPv6 snooping configuration example ············································· 400
Configuring ARP attack protection ························································································································· 402
ARP attack protection configuration task list ············································································································· 402
Configuring unresolvable IP attack protection ·········································································································· 402
Configuring ARP source suppression ················································································································ 403
Enabling ARP blackhole routing ························································································································ 403
Displaying and maintaining unresolvable IP attack protection ······································································ 403
Configuration example ······································································································································· 403
Configuring source MAC-based ARP attack detection ···························································································· 404
Configuration procedure ···································································································································· 405
Displaying and maintaining source MAC-based ARP attack detection ························································· 405
Configuration example ······································································································································· 405
Configuring ARP packet source MAC consistency check ························································································ 407
Configuring ARP active acknowledgement ··············································································································· 407
Configuring authorized ARP ······································································································································· 407
Configuration procedure ···································································································································· 407
Configuration example (on a DHCP server) ····································································································· 408