HPE FlexNetwork 5510 HI Series Security Configuration Guide

HPE FlexNetwork 5510 HI Series
551 pages
Configuring ND attack detection
About ND attack detection
ND attack detection checks incoming ND messages for user validity to prevent spoofing attacks. It is
typically configured on access devices.
ND attack detection defines the following types of interfaces:
• ND trusted interface—The device directly forwards ND messages or data packets received by
ND trusted interfaces. It does not perform a user validity check.
• ND untrusted interface—The device discards RA and redirect messages received by ND
untrusted interfaces. For other types of ND messages received by the ND untrusted interfaces,
the device checks the user validity.
ND attack detection compares the source IPv6 address and the source MAC address in an incoming
ND message against security entries from other modules.
• If a match is found, the device considers the user legal in the receiving VLAN and forwards
the packet.
• If no match is found, the device considers the user illegal and discards the ND message.
ND attack detection uses the following security entries for the user validity check:
• Static IPv6 source guard binding entries, which are created by using the ipv6 source binding
command. For information about IPv6 source guard, see "Configuring IP source guard."
• ND snooping entries. For information about ND snooping, see Layer 3–IP Services
Configuration Guide.
• DHCPv6 snooping entries. For information about DHCPv6 snooping, see Layer 3–IP Services
Configuration Guide.
Configuration guidelines
When you configure ND attack detection, follow these restrictions and guidelines:
• Make sure one or more of the following features are configured to prevent ND untrusted
interfaces from dropping all received ND messages:
  ◦ IPv6 source guard static bindings.
  ◦ DHCPv6 snooping.
  ◦ ND snooping.
• To make the IPv6 source guard static bindings effective for ND attack detection, you must
perform the following operations:
  ◦ Specify the vlan vlan-id option in the ipv6 source binding command.
  ◦ Enable ND attack detection for the same VLAN.
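The decision rules and guidelines above, modeled in Python as an added example (not HPE code and not output from the switch). The Binding and NDMessage structures, the nd_detect function and all addresses are constructed for illustration; treating a static binding without the vlan option as never matching, and forwarding unchecked when detection is not enabled in the VLAN, are assumptions drawn from the guidelines.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional
@dataclass(frozen=True)
class Binding:            # one security entry (hypothetical structure)
    ipv6: str
    mac: str
    vlan: Optional[int]   # None = static binding created without "vlan vlan-id"

@dataclass(frozen=True)
class NDMessage:
    kind: str             # "RS", "RA", "NS", "NA" or "REDIRECT"
    src_ipv6: str
    src_mac: str
    vlan: int             # receiving VLAN

def _mac(m):  # compare MACs regardless of separator style or case
    return m.translate(str.maketrans("", "", "-:.")).lower()

def nd_detect(msg, trusted, bindings, enabled_vlans):
    """Return 'forward' or 'discard' for one ND message."""
    if trusted or msg.vlan not in enabled_vlans:
        return "forward"      # no user validity check
    if msg.kind in ("RA", "REDIRECT"):
        return "discard"      # dropped on every untrusted interface
    for b in bindings:
        if (b.vlan, IPv6Address(b.ipv6), _mac(b.mac)) == (
                msg.vlan, IPv6Address(msg.src_ipv6), _mac(msg.src_mac)):
            return "forward"  # legal user in the receiving VLAN
    return "discard"          # illegal user

# Constructed sample data (documentation prefix 2001:db8::/32).
HOST = NDMessage("NS", "2001:db8::10", "0001-0203-0405", 10)
SPOOF = NDMessage("NA", "2001:db8::10", "0001-0203-0607", 10)  # right IP, wrong MAC
ROGUE_RA = NDMessage("RA", "fe80::1", "0001-0203-0405", 10)
WITH_VLAN = [Binding("2001:DB8::10", "00:01:02:03:04:05", 10)]
NO_VLAN = [Binding("2001:db8::10", "0001-0203-0405", None)]

def demo():
    return {
        "host, binding with vlan": nd_detect(HOST, False, WITH_VLAN, {10}),
        "spoofed MAC": nd_detect(SPOOF, False, WITH_VLAN, {10}),
        "RA on untrusted": nd_detect(ROGUE_RA, False, WITH_VLAN, {10}),
        "RA on trusted": nd_detect(ROGUE_RA, True, [], {10}),
        "host, binding without vlan": nd_detect(HOST, False, NO_VLAN, {10}),
        "host, no entries at all": nd_detect(HOST, False, [], {10}),
    }

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in demo().items()), sep="\n")
```

The last two cases show the failure mode the guidelines warn about: with no usable security entry, a legitimate host on an untrusted interface has its ND messages discarded.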
Configuration procedure
To configure ND attack detection:
Step                            | Command                  | Remarks
1. Enter system view.           | system-view              | N/A
2. Enter VLAN view.             | vlan vlan-id             | N/A
3. Enable ND attack detection.  | ipv6 nd detection enable | By default, ND attack detection is
