Configuring Advanced Threat Protection
Dynamic ARP Protection
■ Verifies IP-to-MAC address bindings on untrusted ports with the informa-
tion stored in the lease database maintained by DHCP snooping and user-
configured static bindings (in non-DHCP environments):
• If a binding is valid, the switch updates its local ARP cache and
forwards the packet.
• If a binding is invalid, the switch drops the packet, preventing other
network devices from receiving the invalid IP-to-MAC information.
DHCP snooping intercepts and examines DHCP packets received on
switch ports before forwarding the packets. DHCP packets are checked
against a database of DHCP binding information. Each binding consists
of a client MAC address, port number, VLAN identifier, leased IP address,
and lease time. The DHCP binding database is used to validate packets by
other security features on the switch. For more information, refer to
“DHCP Snooping” in the Access Security Guide.
If you have already enabled DHCP snooping on a switch, you may also
want to add static IP-to-MAC address bindings to the DHCP snooping
database so that ARP packets from devices that have been assigned static
IP addresses are also verified.
■ Supports additional checks to verify source MAC address, destination
MAC address, and IP address.
ARP packets that contain invalid IP addresses or MAC addresses in their
body that do not match the addresses in the Ethernet header are dropped.
When dynamic ARP protection is enabled, only ARP request and reply packets
with valid IP-to-MAC address bindings in their packet header are relayed and
used to update the ARP cache.
Dynamic ARP protection is implemented in the following ways on a switch:
■ You can configure dynamic ARP protection only from the CLI; you cannot
configure this feature from the web or menu interfaces.
■ Line rate—Dynamic ARP protection copies ARP packets to the switch
CPU, evaluates the packets, and then re-forwards them through the switch
software. During this process, if ARP packets are received at too high a
line rate, some ARP packets may be dropped and will need to be retrans-
mitted.
■ The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure
dynamic ARP protection and to report ARP packet-forwarding status and
counters.
10-16
To Next Page
Loading...
Need help?
General
