3Com Switch 8800 Family Configuration Guide
Configuring IP Address
configure static ARP entries that have only IP addresses. The switch will
automatically fill the MAC address in the ARP mapping entries so that only users
configured with static ARP entries can have access to the network.
IP address protection configuration
The tasks of IP address protection configuration include:
■ Configuring auto-fill ARP address
■ Enabling IP address protection
CAUTION:
■ The MAC address auto filling function is enabled only when the IP address
protection function is enabled on the interface.
■ After the initial auto-fill of the ARP address, the user-configured static ARP
entry becomes a normal static ARP entry and cannot be filled again.
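The behaviour described above, modelled in Python as an added example (not 3Com code and not part of the original guide): a static ARP entry configured with only an IP address is filled once while protection is enabled, then behaves as a normal static entry. The class and method names, the outcome strings, the sample addresses, and the handling of an unfilled entry while protection is disabled are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VlanInterface:
    """Simplified, hypothetical model of one VLAN interface's ARP handling."""
    ip_protect: bool = False  # the guide: disabled by default
    # Static entries keyed by IP; None = configured with IP only, MAC not filled.
    static_arp: Dict[str, Optional[str]] = field(default_factory=dict)
    dynamic_arp: Dict[str, str] = field(default_factory=dict)

    def arp_static(self, ip: str) -> None:
        """Models 'arp static ip-address': an entry that has no MAC yet."""
        self.static_arp.setdefault(ip, None)

    def learn(self, ip: str, mac: str) -> str:
        """Handle one observed (IP, MAC) pair and return the outcome."""
        if ip in self.static_arp:
            bound = self.static_arp[ip]
            if bound is None:
                if not self.ip_protect:
                    return "pending"  # assumed outcome: no fill without protection
                self.static_arp[ip] = mac  # one-time auto-fill
                return "filled"
            # Once filled it is a normal static entry and is never refilled.
            return "permit" if bound == mac else "deny"
        if self.ip_protect:
            return "deny"  # no static entry for this IP: no access
        self.dynamic_arp[ip] = mac  # assumption: ordinary dynamic learning
        return "permit"


def demo() -> List[str]:
    vlan = VlanInterface()
    vlan.arp_static("192.0.2.10")  # constructed address
    vlan.ip_protect = True
    observations = [  # constructed sample traffic
        ("192.0.2.10", "00e0-fc00-0001"),  # first sighting: MAC is filled
        ("192.0.2.10", "00e0-fc00-0001"),  # same host again
        ("192.0.2.10", "00e0-fc00-0bad"),  # other MAC claiming the same IP
        ("192.0.2.99", "00e0-fc00-0002"),  # IP without a static entry
    ]
    return [vlan.learn(ip, mac) for ip, mac in observations]


if __name__ == "__main__":
    print(demo())
```

In this model the binding is taken from the first observation for the address, so it is worth verifying the recorded MAC after the first fill.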
Configuring Whether the Switch Sends Unreachable Packets
When the switch receives an IP packet whose TTL is 1, it sends an unreachable
packet to the sending end. However, if an attacker continuously sends IP packets
whose TTLs are less than or equal to 1 to the switch, the switch keeps sending
unreachable packets to the attacker. Generating each of these replies consumes
CPU, so in this case the switch CPU is under attack.
To avoid this, the switch can be configured so that, when it receives an IP
packet whose TTL is less than or equal to 1, it sends the ICMP packet "time
exceeded" to the network management system instead of sending an unreachable
packet to the sending end, thus avoiding the attack on the CPU.
Table 55 Configure IP address protection
Operation | Command | Description
Enter system view | system-view | -
Configure auto-fill ARP address | arp static ip-address | Optional
Enter VLAN interface view | interface Vlan-interface vlan-id | -
Enable IP address protection | ip-protect enable | By default, the IP address protection function is disabled on VLAN interface
View the IP address protection status of the current VLAN interface | display this | You can carry out the display this command in any view
Table 56 Configure whether the switch sends unreachable packets
Operation | Command | Description
Enter system view | system-view | -
Configure that the switch sends the ICMP message "time exceeded" to the network management system when the switch receives an IP packet whose TTL is less than or equal to 1 | ip icmp-time-exceed enable | By default, the switch sends the ICMP message "time exceeded" to the network management system