HP VPN Firewall Appliances Attack Protection Configuration Guide
Step 2. Enable the ARP active acknowledgement function.
    Command: arp anti-attack active-ack enable
    Remarks: Disabled by default.
Configuring periodic sending of gratuitous ARP packets
Periodic sending of gratuitous ARP packets can be configured only in the Web interface.
Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their
corresponding ARP entries or MAC entries in time. This feature can be used to prevent gateway spoofing,
prevent ARP entries from aging out, and prevent the virtual IP address of a VRRP group from being used
by a host.
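As an added illustration, not part of this guide or HP's software, the following Python parses gratuitous ARP frames as the guide describes them (sender IP equal to target IP; sender MAC either the gateway interface MAC or the VRRP virtual MAC) and, from a host's or monitoring point's side, flags a gratuitous ARP that claims a protected gateway IP from a MAC other than the recorded one. All addresses and MACs are constructed sample values.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen oper sha spa tha tpa

@dataclass
class Arp:
    oper: int
    sha: bytes
    spa: bytes
    tha: bytes
    tpa: bytes

    @property
    def is_gratuitous(self) -> bool:
        """A gratuitous ARP announces the sender's own binding: sender IP == target IP."""
        return self.spa == self.tpa

def parse_arp(frame: bytes):
    """Return the ARP payload of an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 14 + ARP_HDR.size or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(oper, sha, spa, tha, tpa)

def build_gratuitous_arp(mac: bytes, ip: bytes, oper: int = 2) -> bytes:
    """Frame a gateway emits for its own IP: broadcast destination, sender IP == target IP."""
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETH_P_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac, ip, b"\xff" * 6, ip)

def check_gateway_binding(frame: bytes, protected: dict):
    """Alert when a gratuitous ARP claims a protected IP with a MAC other than the recorded
    one. protected maps packed IPv4 address -> expected sender MAC (the gateway interface
    MAC, or the VRRP virtual MAC when the virtual IP is bound to it)."""
    arp = parse_arp(frame)
    if arp is None or not arp.is_gratuitous or protected.get(arp.spa, arp.sha) == arp.sha:
        return None
    return (f"gratuitous ARP for {IPv4Address(arp.spa)} from {arp.sha.hex(':')}; "
            f"expected {protected[arp.spa].hex(':')}")

# Constructed sample values (not from the guide): the gateway's real binding, and a frame
# claiming the same IP from another MAC, as a host sees during gateway spoofing.
GW_IP, GW_MAC = IPv4Address("192.0.2.1").packed, bytes.fromhex("020000000001")
PROTECTED = {GW_IP: GW_MAC}
LEGIT = build_gratuitous_arp(GW_MAC, GW_IP)
SPOOF = build_gratuitous_arp(bytes.fromhex("02000000beef"), GW_IP)
```

The periodic announcements the guide describes are the LEGIT case: a host that records the gateway binding once can treat a later mismatching announcement as an alert rather than silently overwriting its ARP entry.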
• Prevent ARP spoofing.
An attacker can use the gateway address to send gratuitous ARP packets to the hosts on a network
so that the traffic destined for the gateway from the hosts is sent to the attacker instead. As a result,
the hosts cannot access the external network.
To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP
packets containing its primary IP address and manually configured secondary IP addresses at a
specific interval, so hosts can learn correct gateway address information.
• Prevent aging of the gateway ARP entry.
If network traffic is heavy or if a host's CPU usage is high, received ARP packets might be
discarded or might not be processed in time. Eventually, the dynamic ARP entries on the receiving
host age out, and the traffic between the host and the corresponding devices is interrupted until the
host re-creates the ARP entries.
To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically.
The gratuitous ARP packets contain the gateway's primary IP address or one of its manually
configured secondary IP addresses, so the receiving hosts can update ARP entries in time.
• Prevent the virtual IP address of a VRRP group from being used by a host.
The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the
local network, so that the hosts can update local ARP entries and avoid using the virtual IP address
of the VRRP group.
If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender
MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. If the
virtual IP address of the VRRP group is associated with the real MAC address of an interface, the
sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the
master router in the VRRP group.
• Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.
In VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP
groups, interfaces configured with VLAN termination need to be disabled from transmitting
broadcast/multicast packets and a VRRP control VLAN needs to be configured so that VRRP
advertisements can be transmitted within the control VLAN only. In such cases, you can enable
periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary
IP address or a manually configured secondary IP address of the sending interface on the
subinterfaces. In this way, when a VRRP failover occurs, devices in the VLANs having ambiguous