HP 3600 v2 Series Security Configuration Guide

# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[SwitchB] interface ethernet 1/0/1
[SwitchB-Ethernet1/0/1] port-isolate enable
[SwitchB-Ethernet1/0/1] quit
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port-isolate enable
[SwitchB-Ethernet1/0/2] quit
After the preceding configurations are complete, when ARP packets arrive at interfaces Ethernet 1/0/1
and Ethernet 1/0/2, their MAC and IP addresses are checked, and then the packets are checked
against the static IP source guard binding entries and finally DHCP snooping entries. However, ARP
broadcast requests sent from Host A can pass the check on Switch B. Port isolation fails.
# Configure ARP restricted forwarding.
[SwitchB] vlan 10
[SwitchB-vlan10] arp restricted-forwarding enable
[SwitchB-vlan10] quit
Then, Switch B forwards ARP broadcast requests from Host A to Switch A through the trusted port Ethernet
1/0/3, and thus Host B cannot receive such packets. Port isolation works normally.
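The check order and the effect of ARP restricted forwarding described above, as an added Python model (not part of the HP guide and not switch code). The host addresses, binding entries, host-to-port assignment and the per-keyword validity rules are assumptions made for illustration, and only broadcast ARP requests are modelled.

```python
# Added illustration: simplified model of the ARP detection order described above.
# All addresses, bindings and host-to-port assignments are constructed.
from dataclasses import dataclass

BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
TRUSTED = {"Eth1/0/3"}                               # uplink to Switch A
VLAN10 = ["Eth1/0/1", "Eth1/0/2", "Eth1/0/3"]        # Host A, Host B, uplink (assumed)
STATIC_BINDINGS = {("10.1.1.6", "00:01:02:03:04:06")}  # IP source guard entry
DHCP_SNOOPING = {("10.1.1.5", "00:01:02:03:04:05")}    # Host A's lease

@dataclass
class Arp:
    op: str            # "request" or "reply"
    eth_src: str
    eth_dst: str
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def bad_ip(ip):
    """All-zero, all-one and multicast addresses are treated as invalid."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239

def validate(p):
    """Return the name of the failed validity check, or None if all pass."""
    if p.sender_mac != p.eth_src:
        return "src-mac"
    if p.op == "reply" and (p.target_mac in (ZERO, BCAST) or p.target_mac != p.eth_dst):
        return "dst-mac"
    if bad_ip(p.sender_ip) or (p.op == "reply" and bad_ip(p.target_ip)):
        return "ip"
    return None

def forward_broadcast_request(p, in_port, restricted):
    """Ports a broadcast ARP request leaves on; [] means it was dropped."""
    if in_port not in TRUSTED:                       # trusted ports skip detection
        if validate(p):
            return []
        key = (p.sender_ip, p.sender_mac)
        # Static IP source guard bindings first, then DHCP snooping entries.
        if key not in STATIC_BINDINGS and key not in DHCP_SNOOPING:
            return []
    others = [port for port in VLAN10 if port != in_port]
    if restricted and in_port not in TRUSTED:
        return [port for port in others if port in TRUSTED]
    return others  # flooded in the VLAN: the case where the page says isolation fails

HOST_A_REQ = Arp("request", "00:01:02:03:04:05", BCAST,
                 "00:01:02:03:04:05", "10.1.1.5", ZERO, "10.1.1.1")
```

With restricted set to False, Host A's valid request also leaves on Ethernet 1/0/2; with it set to True, the request leaves only on the trusted port Ethernet 1/0/3.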
Configuring ARP automatic scanning and fixed ARP
Introduction
ARP automatic scanning is usually used together with the fixed ARP feature.
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the
interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP
entries.
Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP
entries from being modified by attackers.
NOTE:
HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a
cybercafe.
Configuration procedure
Follow these steps to configure ARP automatic scanning and fixed ARP:
To do…                        | Use the command…                                | Remarks
Enter system view             | system-view                                     | —
Enter interface view          | interface interface-type interface-number       | —
Enable ARP automatic scanning | arp scan [ start-ip-address to end-ip-address ] | Required
