HP VPN Firewall Appliances Attack Protection Configuration Guide
Configuring ARP detection
The following matrix shows the feature and hardware compatibility:
Hardware                        Compatibility
F1000-A-EI/F1000-S-EI           Yes
F1000-E                         No
F5000                           No
F5000-S/F5000-C                 No
VPN firewall modules            No
20-Gbps VPN firewall modules    No
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding
functions.
Configuring user validity check
Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and
MAC addresses against the user validity check rule. If a match is found, the ARP packet is considered
valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
If both ARP packet validity check and user validity check are enabled, ARP packet validity check applies
first, and then user validity check applies.
Configure a user validity check rule before you enable user validity check. Otherwise, ARP packets
received from ARP untrusted ports are discarded.
To configure user validity check:
Step                                   Command                                                Remarks
1. Enter system view.                  system-view                                            N/A
2. Configure a user validity           arp detection id-number { deny | permit }              Optional.
   check rule.                         ip { any | ip-address [ ip-address-mask ] }            By default, no rule is configured.
                                       mac { any | mac-address [ mac-address-mask ] }
                                       [ vlan vlan-id ]
3. Enter VLAN view.                    vlan vlan-id                                           N/A
4. Enable ARP detection.               arp detection enable                                   By default, ARP detection is disabled.
5. Return to system view.              quit                                                   N/A
6. Enter Layer 2 Ethernet interface    interface interface-type interface-number              N/A
   view or Layer 2 aggregate
   interface view.
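The following session walks through steps 1 to 6 above on one device. It is an added example, not a configuration taken from the guide: the VLAN number (10), the client binding (192.168.10.20 on MAC 0001-0002-0003), the gateway address (192.168.10.1), the device name and the interface GigabitEthernet 0/1 are all constructed, and the assumption that rules are matched in ascending order of id-number is noted in the comments. Lines beginning with # are explanatory comments, not commands. The rules are configured before ARP detection is enabled in the VLAN, as the note above requires, so that legitimate ARP packets on untrusted ports are not discarded during the change; the interface-level settings belong to the steps that follow this table.

```text
# Step 1: enter system view.
<Firewall> system-view

# Step 2: configure the user validity check rules first.
# Constructed addresses; rule IDs assumed to be evaluated in ascending order.
# Permit the known client binding for VLAN 10.
[Firewall] arp detection 1 permit ip 192.168.10.20 mac 0001-0002-0003 vlan 10
# Explicitly deny any ARP packet that claims the gateway address from an
# untrusted port (gateway spoofing). Unmatched packets are discarded anyway;
# the deny rule documents the intent and keeps it in place if a broader
# permit rule is added later.
[Firewall] arp detection 2 deny ip 192.168.10.1 mac any vlan 10

# Steps 3 and 4: enable ARP detection in the VLAN.
[Firewall] vlan 10
[Firewall-vlan10] arp detection enable

# Step 5: return to system view.
[Firewall-vlan10] quit

# Step 6: enter the view of the client-facing Layer 2 interface.
# The interface-level ARP detection commands are in the steps after the table.
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1]
```

With this configuration, an ARP packet arriving on an untrusted port in VLAN 10 is forwarded only if its sender IP and MAC match rule 1; a packet with sender IP 192.168.10.1 from any MAC matches rule 2 and is discarded, and any other sender pair matches nothing and is discarded as well.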