HP VPN Firewall Appliances Attack Protection Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

Ste

Command

Remarks

7. Configure the interface as

a trusted interface

excluded from ARP

detection.

arp detection trust

Optional.

By default, an interface is untrusted.

Configuring ARP packet validity check

Enable validity check for ARP packets received on untrusted ports and specify the following objects to be

checked:

• src-mac—Checks whether the sender MAC address in the message body is identical to the source

MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the

packet is discarded.

• dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero,

all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is

considered invalid and discarded.

• ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP

requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding

packets are discarded.

To configure ARP packet validity check:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter VLAN view.

vlan vlan-id N/A

3. Enable ARP detection.

arp detection enable By default, ARP detection is disabled.

4. Return to system view.

quit N/A

5. Enable ARP packet validity check and

specify the objects to be checked.

arp detection validate

{ dst-mac | ip |

src-mac } *

The default depends on the device

model.

6. Enter Layer 2 Ethernet interface view or

Layer 2 aggregate interface view.

interface interface-type

interface-number

N/A

7. Configure the interface as a trusted

interface excluded from ARP detection.

arp detection trust

Optional.

By default, an interface is untrusted.

Configuring ARP restricted forwarding

ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted

interfaces and have passed user validity check as follows:

• If the packets are ARP requests, they are forwarded through the trusted interface.

• If the packets are ARP replies, they are forwarded according to their destination MAC address. If no

match is found in the MAC address table, they are forwarded through the trusted interface.

Before configuring this feature, configure user validity check.

To enable ARP restricted forwarding: