HP 6120G/XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 36
BPDU Filtering and BPDU Protection, STP Root Guard
View all HP 6120G/XG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 36 highlights
Security Overview Network Security Features Feature Default Setting ConnectionRate Filtering based on Virus-Throttling Technology none Spanning Tree none Protection DHCP Snooping, none Dynamic ARP Protection, and Dynamic IP Lockdown Security Guidelines More Information and Configuration Details This feature helps protect the network from attack and Chapter 3, "Virus Throttling is recommended for use on the network edge. It is (Connection-Rate Filtering)" primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts. These features prevent your switch from malicious Advanced Traffic attacks or configuration errors: Management Guide, refer to • BPDU Filtering and BPDU Protection: Protects the the chapter "Multiple network from denial-of-service attacks that use Instance Spanning-Tree spoofing BPDUs by dropping incoming BPDU frames Operation" and/or blocking traffic through a port. • STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes. These features provide the following additional protections for your network: • DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests. Chapter 11, "Configuring Advanced Threat Protection" • Dynamic ARP Protection: Protects your network from ARP cache poisoning. • Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis • Instrumentation Monitor. Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch. 1-8