HP VPN Firewall Appliances Attack Protection Configuration Guide

Figure 46 Network diagram
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the
source MAC address. To prevent such attacks, configure the gateway as follows:
1. Enable source MAC-based ARP attack detection and specify the handling method.
2. Set the threshold.
3. Set the lifetime for ARP attack entries.
4. Exclude the MAC address of the server from this detection.
Configuration procedure
# Enable source MAC-based ARP attack detection and specify the handling method.
<Firewall> system-view
[Firewall] arp source-mac filter
# Set the threshold to 30.
[Firewall] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Firewall] arp source-mac aging-time 60
# Exclude 0012-3f86-e94c from this detection.
[Firewall] arp source-mac exclude-mac 0012-3f86-e94c
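The following sketch is an added example, not HP's implementation or part of the original guide. It models how the four settings above interact (filter handling, threshold 30, 60-second entry lifetime, excluded server MAC) when replayed against constructed traffic. The 5-second counting interval, the choice to drop the packet that crosses the threshold, and the MAC addresses other than 0012-3f86-e94c are assumptions.

```python
from dataclasses import dataclass, field

WINDOW = 5.0  # counting interval in seconds: an assumption, not stated on the page

@dataclass
class SourceMacDetector:
    threshold: int = 30                  # arp source-mac threshold 30
    aging_time: float = 60.0             # arp source-mac aging-time 60
    excluded: frozenset = frozenset({"0012-3f86-e94c"})  # arp source-mac exclude-mac
    counts: dict = field(default_factory=dict)   # mac -> (window start, count)
    entries: dict = field(default_factory=dict)  # mac -> attack entry expiry time

    def receive(self, now: float, src_mac: str) -> str:
        """Return 'forward' or 'drop' for one ARP packet seen at time now."""
        mac = src_mac.lower()
        if mac in self.excluded:
            return "forward"             # excluded MACs are never counted
        if mac in self.entries:
            if now < self.entries[mac]:
                return "drop"            # attack entry still alive: filter
            del self.entries[mac]        # lifetime expired: start over
        start, n = self.counts.get(mac, (now, 0))
        if now - start >= WINDOW:
            start, n = now, 0            # new counting interval
        n += 1
        if n > self.threshold:           # threshold exceeded: create an entry
            self.counts.pop(mac, None)
            self.entries[mac] = now + self.aging_time
            return "drop"                # modelling choice: drop from here on
        self.counts[mac] = (start, n)
        return "forward"

def demo():
    """Replay constructed traffic and return the verdicts per source MAC."""
    det = SourceMacDetector()
    # Constructed senders: a flooding MAC, the excluded server, a quiet host.
    flood, server, host = "00e0-fc00-0001", "0012-3f86-e94c", "00e0-fc00-0002"
    out = {flood: [], server: [], host: []}
    for i in range(40):                  # 40 packets in 2 s from each sender
        t = i * 0.05
        out[flood].append(det.receive(t, flood))
        out[server].append(det.receive(t, server))
    out[host].append(det.receive(1.0, host))      # low-rate host, one packet
    out[flood].append(det.receive(30.0, flood))   # inside the 60 s lifetime
    out[flood].append(det.receive(70.0, flood))   # after the entry aged out
    return out

if __name__ == "__main__":
    for mac, v in demo().items():
        print(mac, v.count("forward"), "forwarded,", v.count("drop"), "dropped")
```

The replay shows why step 4 matters: the server sends at the same rate as the flooding MAC but is never counted, so without the exclusion a busy server would be filtered for the full entry lifetime.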
Configuring ARP packet source MAC consistency check
ARP packet source MAC consistency check can be configured only at the CLI.
[Figure 46 labels: IP network; Gateway; Firewall; ARP attack protection; Host A, Host B, Host C, Host D; Server 0012-3f86-e94c]