HP VPN Firewall Appliances Attack Protection Configuration Guide
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<Firewall> system-view
[Firewall] arp source-suppression enable
[Firewall] arp source-suppression limit 100
# Enable ARP blackhole routing.
<Firewall> system-view
[Firewall] arp resolving-route enable
Configuring source MAC-based ARP attack detection
Source MAC-based ARP attack detection can be configured only at the CLI.
The following matrix shows the feature and hardware compatibility:

Hardware                         Compatibility
F1000-A-EI/F1000-S-EI            Yes
F1000-E                          No
F5000                            No
F5000-S/F5000-C                  No
VPN firewall modules             No
20-Gbps VPN firewall modules     No
This feature counts the ARP packets received from the same source MAC address within a 5-second window and compares the count against a configured threshold. If the threshold is exceeded, the device adds the MAC address to an ARP attack entry.
Until that entry ages out, the device handles the attack by using one of the following methods:
• Monitor—Generates log messages only; ARP packets from the MAC address are still processed.
• Filter—Generates log messages and drops subsequent ARP packets sourced from that MAC address.
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry are processed normally again; a source that keeps flooding will simply trigger a new entry.
You can exclude the MAC addresses of some gateways and servers from detection. The device does not inspect ARP packets from those MAC addresses at all, even if they are attacking, so an attacker that spoofs an excluded MAC address is not detected either. Keep the exclusion list short and limited to devices whose legitimate ARP rate is known to exceed the threshold.
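The following simulation, added here as an illustration and not HP or Comware code, implements the detection logic described above so the window, threshold, monitor/filter handling, entry aging and MAC exclusion can be traced on sample traffic. The 5-second window and the two handling methods are from the page; the threshold value, the aging time, the MAC addresses and the traffic timeline are constructed assumptions for this demonstration only.

```python
"""Source MAC-based ARP attack detection, simulated.

Added example, not vendor code. Assumptions (not stated on the page):
threshold=30, aging_seconds=300, and the constructed sample traffic below.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0  # detection window stated on the page


class SourceMacArpDetector:
    def __init__(self, threshold=30, mode="monitor", aging_seconds=300.0, exclude=()):
        if mode not in ("monitor", "filter"):
            raise ValueError("mode must be 'monitor' or 'filter'")
        self.threshold = threshold          # assumption: the page gives no default
        self.mode = mode
        self.aging = aging_seconds          # assumption: the page gives no aging value
        self.exclude = {m.lower() for m in exclude}
        self._window = defaultdict(deque)   # src MAC -> packet timestamps in last 5 s
        self.entries = {}                   # src MAC -> ARP attack entry expiry time
        self.logs = []

    def _expire(self, mac, now):
        expiry = self.entries.get(mac)
        if expiry is not None and now >= expiry:
            del self.entries[mac]
            self.logs.append(f"{now:.1f}s ARP attack entry aged out for {mac}")

    def process(self, now, src_mac):
        """Handle one ARP packet; return 'forward' or 'drop'."""
        mac = src_mac.lower()
        if mac in self.exclude:             # excluded MACs are never inspected
            return "forward"
        self._expire(mac, now)
        if mac in self.entries:             # existing entry: act per handling method
            return "drop" if self.mode == "filter" else "forward"
        q = self._window[mac]
        q.append(now)
        while now - q[0] > WINDOW_SECONDS:  # keep only packets inside the 5 s window
            q.popleft()
        if len(q) > self.threshold:         # threshold exceeded: create entry and log
            self.entries[mac] = now + self.aging
            self.logs.append(
                f"{now:.1f}s ARP attack from {mac}: {len(q)} packets in "
                f"{WINDOW_SECONDS:g}s, action={self.mode}")
            q.clear()
        return "forward"                    # the triggering packet itself is forwarded


def constructed_traffic():
    """Constructed sample (not captured data): one flooder, one normal host,
    one excluded gateway, and the flooder returning after the entry aged out."""
    pkts = [(0.05 * i, "00:11:22:33:44:55") for i in range(40)]   # 40 pkts in 2 s
    pkts += [(0.5, "aa:bb:cc:00:00:01"), (3.0, "aa:bb:cc:00:00:01")]  # normal host
    pkts += [(0.05 * i, "00:00:5e:00:01:01") for i in range(40)]  # gateway, excluded
    pkts.append((400.0, "00:11:22:33:44:55"))  # flooder again, entry already expired
    pkts.sort(key=lambda p: p[0])
    return pkts


def run(mode, threshold=30, aging_seconds=300.0):
    """Feed the constructed traffic through the detector; return (drops per MAC, logs)."""
    det = SourceMacArpDetector(threshold, mode, aging_seconds,
                               exclude=["00:00:5e:00:01:01"])
    dropped = defaultdict(int)
    for ts, mac in constructed_traffic():
        if det.process(ts, mac) == "drop":
            dropped[mac] += 1
    return dict(dropped), det.logs


if __name__ == "__main__":
    for mode in ("monitor", "filter"):
        drops, logs = run(mode)
        print(mode, "dropped:", drops)
        for line in logs:
            print("  ", line)
```

With threshold 30, the 31st packet from the flooder creates the entry and is still forwarded; in filter mode the remaining 9 packets of the burst are dropped, in monitor mode nothing is dropped and only the log line differs. The excluded gateway sends the same burst and is never logged, which is exactly the blind spot the exclusion list creates.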
To configure source MAC-based ARP attack detection:

Step                                                  Command                                           Remarks
1. Enter system view.                                 system-view                                       N/A
2. Enable source MAC-based ARP attack detection       arp anti-attack source-mac { filter | monitor }   Disabled by default.
   and specify the handling method.