Thursday, April 30, 2015

Dynamic ARP Protection in HP ProCurve Switches

Dynamic ARP protection is designed for defense against ARP spoofing (ARP cache poisoning) attacks, in which an attacker sends forged, typically gratuitous, ARP replies to plant false IP-to-MAC bindings in the ARP caches of hosts and routers on the segment. Here's how it works:

- On ports not configured as "trusted" (by default all ports are "untrusted"), all ARP requests and responses are intercepted.
- The IP-to-MAC bindings in intercepted ARP messages are verified against the DHCP snooping binding database (including user-configured static bindings).
- If a binding is valid, the switch will use it to update its local ARP cache and forward the packet. Otherwise the packet containing that binding will be dropped.

Because bindings are validated against the DHCP snooping database, DHCP snooping has to be enabled for ARP protection to work: globally, on the VLANs on which ARP protection runs, and with the port facing the DHCP server marked as a DHCP snooping trusted port so that the switch can actually learn leases. If DHCP snooping is not enabled there are no bindings to validate against, and even legitimate ARP traffic on untrusted ports will be dropped. The same applies to hosts with statically assigned addresses: they never obtain a DHCP lease, so their IP-to-MAC pairs must be entered as static bindings (see the end of this post) or their ARP packets will be dropped.

Here's how to configure dynamic ARP protection:

HP-5406zl(config)# dhcp-snooping
HP-5406zl(config)# arp-protect
HP-5406zl(config)# arp-protect trust B1 (configuring port B1 as trusted)
HP-5406zl(config)# arp-protect vlan 1-2 (configuring ARP protect for VLANs 1 and 2)
HP-5406zl(config)# arp-protect validate dest-mac

The last command is optional and adds consistency checks between the Ethernet header and the ARP body; more than one option can be enabled. "dest-mac" drops any ARP reply in which the destination MAC address in the Ethernet header does not match the target MAC address in the ARP body. "src-mac" drops any ARP request or reply in which the source MAC address in the Ethernet header does not match the sender MAC address in the ARP body. "ip" drops any ARP request or reply carrying an invalid IP address: 0.0.0.0, 255.255.255.255, any IP multicast address, or any class E address.
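To make the order of the checks concrete, here is an added example (not code from the original post or from HP firmware) that models what the switch does with an ARP frame arriving on an untrusted port: the optional src-mac/dest-mac/ip consistency checks first, then the lookup of the sender's IP-to-MAC claim in the binding database. The binding table, the port and VLAN layout, the MAC addresses and the frames are all constructed for illustration; the "bindings" dictionary stands in for the DHCP snooping binding database (leases plus static entries).

```python
"""Model of the checks dynamic ARP protection applies on an untrusted port.

Added example, not code from the original post or from HP firmware. The
binding table, port/VLAN layout and frames below are constructed for
illustration; 'bindings' stands in for the DHCP snooping binding database
(DHCP leases plus static entries).
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Construct an untagged Ethernet II frame carrying an ARP packet."""
    return (struct.pack("!6s6sH", _mac(eth_dst), _mac(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                          _mac(sha), _ip(spa), _mac(tha), _ip(tpa)))


def parse_arp(frame):
    """Split an Ethernet/ARP frame into Ethernet header fields and ARP body fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "op": op,
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}


def ip_is_invalid(ip):
    """Addresses the 'ip' validation option rejects: 0.0.0.0, broadcast, multicast, class E."""
    first = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first <= 239 or first >= 240


def validate_arp(frame, vlan, port, bindings, trusted_ports=(), validate=()):
    """Decide what the switch does with an ARP frame; returns ("forward"|"drop", reason).

    bindings: {(vlan, ip): mac}; validate: any of "src-mac", "dest-mac", "ip".
    """
    if port in trusted_ports:
        return "forward", "trusted port, not inspected"
    arp = parse_arp(frame)
    # Optional header/body consistency checks (arp-protect validate ...)
    if "src-mac" in validate and arp["eth_src"] != arp["sender_mac"]:
        return "drop", "src-mac: Ethernet source MAC != ARP sender MAC"
    if "dest-mac" in validate and arp["op"] == ARP_REPLY and arp["eth_dst"] != arp["target_mac"]:
        return "drop", "dest-mac: Ethernet destination MAC != ARP target MAC"
    if "ip" in validate:
        if ip_is_invalid(arp["sender_ip"]):
            return "drop", "ip: invalid sender IP"
        if arp["op"] == ARP_REPLY and ip_is_invalid(arp["target_ip"]):
            return "drop", "ip: invalid target IP"
    # Core check: the sender's IP-to-MAC claim must match the binding database
    bound_mac = bindings.get((vlan, arp["sender_ip"]))
    if bound_mac is None:
        return "drop", f"no binding for {arp['sender_ip']} on VLAN {vlan}"
    if bound_mac != arp["sender_mac"]:
        return "drop", f"sender MAC {arp['sender_mac']} != bound MAC {bound_mac}"
    return "forward", "binding valid"


# Constructed binding database and frames
GW_MAC, HOST_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "aa:aa:aa:aa:aa:10", "bb:bb:bb:bb:bb:bb"
BCAST = "ff:ff:ff:ff:ff:ff"
BINDINGS = {(1, "10.0.1.1"): GW_MAC,      # gateway, entered as a static binding
            (1, "10.0.1.10"): HOST_MAC}   # learned from a DHCP lease
# Legitimate reply from the host to the gateway
LEGIT = build_arp(GW_MAC, HOST_MAC, ARP_REPLY, HOST_MAC, "10.0.1.10", GW_MAC, "10.0.1.1")
# Gratuitous reply from an untrusted port claiming the gateway's IP
SPOOF = build_arp(BCAST, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, "10.0.1.1", BCAST, "10.0.1.1")
# Valid binding, but Ethernet destination (broadcast) differs from the ARP target MAC
BAD_DST = build_arp(BCAST, HOST_MAC, ARP_REPLY, HOST_MAC, "10.0.1.10", GW_MAC, "10.0.1.1")

if __name__ == "__main__":
    for name, frame, port, opts in [("legit", LEGIT, "A1", ()), ("spoof", SPOOF, "A2", ()),
                                    ("spoof via trusted port", SPOOF, "B1", ()),
                                    ("bad dst", BAD_DST, "A1", ("dest-mac",))]:
        print(name, validate_arp(frame, 1, port, BINDINGS, trusted_ports=("B1",), validate=opts))
```

Two things the model makes visible: the spoofed gateway reply is caught by the binding lookup even without any validate option, and a frame from a trusted port is never inspected, which is why the trusted list must contain only uplinks and the DHCP server port and never user-facing ports.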

To verify and monitor/troubleshoot dynamic ARP protection, the following commands are available:

show arp-protect
show arp-protect statistics 1-2 (statistics for VLANs 1 and 2)
debug arp-protect

For example, the output of "show arp-protect" reports whether ARP protection is enabled, the VLANs it is enabled on, the validation options in effect and the trusted ports (the screenshot of sample output from the original post is not reproduced here).
Lastly, to add static IP-to-MAC bindings to the DHCP snooping binding database, for hosts that do not use DHCP such as servers, printers and the default gateway, use the command ip source-binding in the global configuration context, specifying the VLAN, the IP address, the MAC address and the port.

Tuesday, April 28, 2015

Creating and Using Route Maps in ProCurve Switches

Creating route maps:

A route map consists of “match” statements to select the routes for the intended policy. Optionally, “set” statements can be included to modify route properties. Optional prefix lists can also be configured to select routes for the "match" statements.

Prefix lists can be configured as in the following example:

ip prefix-list TestList seq 5 permit 10.1.1.1/24 ge 24 le 24

As seen above, prefix lists can only select routes by IP prefix. The "match" statements can select routes based on various criteria, not just IP addresses. First create a route map, then configure "match" statements and optional "set" statements using the syntax in the following examples:

route-map TestMap permit seq 5

match interface vlan 200: match the specified VLAN
match ip address prefix-list TestList: match the specified IP prefix
match ip next-hop 10.1.1.1: match the next hop with the specified IP address or prefix 
match ip route-source prefix-list TestList: match the advertising router with the specified IP address or prefix 
match metric 120 
match route-type external [type-1|type-2]
match source-protocol [connected|static|rip|ospf|ospfv3|bgp]
match tag 200 (Note: the tag value is typically set by a set command on a different router) 

set ip next-hop 10.10.10.1
set metric 60 
set metric-type external [type-1|type-2] 
set tag 100

In addition, you can match some BGP-specific parameters such as as-path, community, local-preference, and set as-path, community, local-preference, origin, and weight.

Using route maps:

There are two ways to use route maps in the ProCurve as described below.

In Route Redistribution:

Below is an example in route redistribution using prefix lists and a route map. Here only routes from networks 10.1.11.0/24 and 10.1.13.0/24 can be redistributed from RIP into OSPF:

ip prefix-list Odds seq 5 permit 10.1.11.0/24 ge 24 le 24
ip prefix-list Odds seq 10 permit 10.1.13.0/24 ge 24 le 24
route-map PermitOdds permit seq 10
  match ip address prefix-list Odds
  exit

router ospf
  area backbone
  redistribute connected
  redistribute rip route-map PermitOdds
  exit

In BGP Route Advertisement:

In another example, a route map is used to filter BGP routes. In this case only routes matching prefix 1.1.0.0/16 advertised by neighbor 20.20.20.20 are accepted:

ip prefix-list One seq 5 permit 1.1.0.0/16 ge 16 le 16
route-map PermitOne permit seq 10
  match ip address prefix-list One
  exit
router bgp 100
  neighbor 20.20.20.20 route-map PermitOne in
  exit


Another place to use a route map in BGP is with the network command in the router BGP context. Here the route map is applied to the route that the network statement originates: a deny suppresses the advertisement, and any set statements modify the attributes of the route before it is advertised:

network 1.0.0.0/8 route-map PermitOne

Note: Unlike Cisco routers, route maps in the ProCurve as of K/KA/KB.15.16 cannot be used for policy-based routing (PBR) configuration.
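The redistribution and BGP examples above both rely on the same two mechanisms: prefix-list entries whose ge/le values bound the prefix length of a matching route, and route-map sequences evaluated in order with an implicit deny at the end. The following added example (not code from the original post or from HP firmware) models both and runs the post's "Odds"/"PermitOdds" policy over a constructed RIP table; the RIP routes, the extra tag set action and the "deny first" map in the test are illustrative, and only the ip address prefix-list, source-protocol, metric and tag match criteria are modelled.

```python
"""Model of prefix-list and route-map evaluation as used for route filtering.

Added example, not code from the original post or from HP firmware: it shows
how ge/le on a prefix-list entry and the ordered permit/deny sequences of a
route map (with the implicit deny at the end) decide which routes pass. The
RIP table and the policy below are constructed; only the 'ip address
prefix-list', 'source-protocol', 'metric' and 'tag' criteria are modelled.
"""
import ipaddress


class PrefixList:
    """Ordered permit/deny entries; first match wins, implicit deny if none match."""

    def __init__(self):
        self.entries = []  # (seq, action, network, min_len, max_len)

    def add(self, seq, action, prefix, ge=None, le=None):
        net = ipaddress.ip_network(prefix, strict=False)
        # ge/le bound the prefix length of matching routes; with neither given,
        # only routes of exactly this length match, so 'ge 24 le 24' on a /24
        # entry is equivalent to giving no ge/le at all
        min_len = net.prefixlen if ge is None else ge
        if le is not None:
            max_len = le
        elif ge is not None:
            max_len = net.max_prefixlen
        else:
            max_len = net.prefixlen
        self.entries.append((seq, action, net, min_len, max_len))
        self.entries.sort(key=lambda e: e[0])

    def match(self, route_prefix):
        route = ipaddress.ip_network(route_prefix, strict=False)
        for _seq, action, net, min_len, max_len in self.entries:
            # the route must lie under the entry's network and have an allowed length
            if route.network_address in net and min_len <= route.prefixlen <= max_len:
                return action == "permit"
        return False  # implicit deny


class RouteMap:
    """Ordered sequences of (action, match criteria, set actions)."""

    def __init__(self):
        self.sequences = []

    def add(self, seq, action, match=None, set_=None):
        self.sequences.append((seq, action, match or {}, set_ or {}))
        self.sequences.sort(key=lambda s: s[0])

    @staticmethod
    def _matches(kind, value, route):
        if kind == "ip address prefix-list":
            return value.match(route["prefix"])
        if kind in ("source-protocol", "metric", "tag"):
            return route.get(kind) == value
        raise ValueError(f"match criterion not modelled: {kind}")

    def apply(self, route):
        """Return (accepted, route) where route carries any 'set' modifications."""
        for _seq, action, match, sets in self.sequences:
            if all(self._matches(k, v, route) for k, v in match.items()):
                if action == "deny":
                    return False, route
                return True, {**route, **sets}
        return False, route  # no sequence matched: implicit deny


def redistribute(routes, route_map):
    """Routes a 'redistribute <protocol> route-map <name>' would pass on."""
    accepted = []
    for route in routes:
        ok, modified = route_map.apply(route)
        if ok:
            accepted.append(modified)
    return accepted


# The post's "Odds" prefix list and "PermitOdds" route map, plus an illustrative set tag
ODDS = PrefixList()
ODDS.add(5, "permit", "10.1.11.0/24", ge=24, le=24)
ODDS.add(10, "permit", "10.1.13.0/24", ge=24, le=24)
PERMIT_ODDS = RouteMap()
PERMIT_ODDS.add(10, "permit", match={"ip address prefix-list": ODDS}, set_={"tag": 100})

RIP_ROUTES = [  # constructed RIP table offered for redistribution into OSPF
    {"prefix": "10.1.11.0/24", "source-protocol": "rip", "metric": 2},
    {"prefix": "10.1.12.0/24", "source-protocol": "rip", "metric": 2},
    {"prefix": "10.1.13.0/24", "source-protocol": "rip", "metric": 3},
    {"prefix": "10.1.13.0/25", "source-protocol": "rip", "metric": 3},  # /25: outside le 24
]

if __name__ == "__main__":
    for r in redistribute(RIP_ROUTES, PERMIT_ODDS):
        print("redistributed", r)
```

Note the behaviour of the ge/le bounds: the "One" list with "ge 16 le 16" accepts 1.1.0.0/16 but not a more specific 1.1.1.0/24, so a neighbor cannot slip in a longer prefix under a permitted aggregate; loosening it to "le 24" would admit the /24 and still reject a /25.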

Friday, April 24, 2015

ProCurve Switches - Illegitimate 802.1x Clients Get past RADIUS via Backup Authentication Method

The symptom is that illegitimate 802.1x clients gain access to the VLANs they are not supposed to be in even though RADIUS authentication is configured.

This is a configuration error that might easily have escaped attention: the backup authentication method is configured as "authorized", which means allowing access without any authentication, as seen in the following command:

# aaa authentication port-access eap-radius authorized

If for some reason RADIUS service becomes unavailable, the backup authentication method will kick in, and in this case will allow access with no authentication.

To fix this problem, instead of specifying the backup authentication method as "authorized", use "none" (which means no backup method is used, so the port fails closed while RADIUS is down) as follows. Because "none" fails closed, make sure at least two RADIUS servers are configured, and check the mac-based and web-based authentication lines for the same "authorized" keyword.

# aaa authentication port-access eap-radius none
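Since the error is easy to overlook in a long running-config, the following added example (not code from the original post) scans configuration text for "aaa authentication" lines whose backup method is "authorized" and reports the corrected command; it also flags a "none" backup when only a single radius-server host is configured, since that combination locks all ports during a RADIUS outage. The configuration snippet is constructed for illustration and the regular expression assumes the "aaa authentication <type> <primary> [backup]" line layout shown above.

```python
"""Audit a ProCurve running-config for a fail-open backup authentication method.

Added example, not code from the original post: it scans configuration text for
'aaa authentication ...' lines whose backup method is 'authorized' and reports
the corrected command. The configuration below is constructed for illustration.
"""
import re

# aaa authentication <port-access|mac-based|web-based> <primary method> [backup method]
AUTH_LINE = re.compile(
    r"^\s*aaa authentication (port-access|mac-based|web-based)\s+(\S+)(?:\s+(\S+))?\s*$")


def audit_config(config_text):
    """Return a list of findings, each with line number, severity, type, issue and fix."""
    lines = config_text.splitlines()
    radius_hosts = sum(1 for l in lines if l.strip().startswith("radius-server host"))
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = AUTH_LINE.match(line)
        if not m:
            continue
        auth_type, primary, backup = m.groups()
        if backup == "authorized":
            findings.append({
                "line": lineno, "severity": "high", "type": auth_type,
                "issue": "backup method 'authorized' admits clients without "
                         "authentication whenever RADIUS is unreachable",
                "fix": f"aaa authentication {auth_type} {primary} none"})
        elif backup == "none" and radius_hosts < 2:
            # 'none' fails closed: with a single RADIUS server an outage locks everyone out
            findings.append({
                "line": lineno, "severity": "medium", "type": auth_type,
                "issue": f"backup method 'none' with only {radius_hosts} radius-server host "
                         "configured; a RADIUS outage blocks all authentication",
                "fix": "add a second radius-server host"})
    return findings


SAMPLE_CONFIG = """\
hostname "HP-5406zl"
radius-server host 10.0.0.5 key "constructed-secret"
aaa authentication port-access eap-radius authorized
aaa authentication mac-based chap-radius authorized
aaa port-access authenticator A1-A24
aaa port-access authenticator active
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']} [{f['severity']}] {f['type']}: {f['issue']} -> {f['fix']}")
```

Run it against the text of "show running-config" saved from each switch; the high findings are the fail-open ports described in this post, the medium ones are the places where fixing them without adding RADIUS redundancy trades an open door for an outage.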