Nortel Networks 5530, 5520, 5510 manual IP Security Features, Dhcp Snooping, Dynamic ARP Inspection

Page 31

Filters and QoS Configuration for ERS 5500

 

 

Technical Configuration Guide

v2.0

NN48500-559

8. IP Security Features

This section covers the security features DHCP Snooping, ARP Inspection, and IP Source Guard. DHCP Snooping and ARP Inspection were added in the 5.0 software release, while IP Source Guard was added in the 5.1 software release. If you are using a software release prior to 5.0, please see the next section.

8.1 DHCP Snooping

DHCP snooping is a security feature that builds a binding table by monitoring DHCP messages on untrusted ports. Core or uplink ports are considered trusted and should be configured as such. Each DHCP snooping binding table entry consists of the leased IP address, MAC address, lease time, port number, and VLAN ID. DHCP snooping is configured on a per-VLAN basis; by default, all ports are untrusted, so you must explicitly configure the uplink ports as trusted.

Overall, DHCP snooping operates as follows:

Allows only DHCP requests from untrusted ports.

DHCP replies and all other DHCP messages from untrusted ports are dropped.

Checks traffic entering untrusted ports against the DHCP snooping binding table by comparing the source MAC address with the IP address leased to it. If there is no match, the packet is dropped.

8.1.1 DHCP Snooping Configuration

To enable DHCP snooping, enter the following command assuming we wish to enable DHCP snooping on VLANs 100 and 200 and the uplink port is 1/24.

5500(config)#ip dhcp-snooping vlan 100

5500(config)#ip dhcp-snooping vlan 200

5500(config)#ip dhcp-snooping enable

5500(config)#interface fastEthernet 1/24

5500(config-if)#ip dhcp-snooping trusted

5500(config-if)#exit

8.2 Dynamic ARP Inspection

Dynamic ARP Inspection verifies ARP packets to prevent man-in-the-middle (MITM) attacks. Without dynamic ARP inspection, a malicious user can attack hosts in a local subnet by poisoning the ARP cache of hosts on that subnet and thereby intercepting traffic intended for other hosts. This normally takes place on a VLAN with multiple hosts connected. Dynamic ARP inspection is used together with DHCP snooping: it uses the binding table to validate the host MAC address to IP address binding on untrusted ports. ARP packets received on untrusted ports are only forwarded if their source MAC and IP addresses match an entry in the binding table. DHCP snooping must be enabled prior to enabling dynamic ARP inspection.
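The following is an added example, not part of the Nortel guide and not ERS code: a small Python model of the binding table from section 8.1 and the forwarding decisions the guide describes for DHCP snooping (8.1) and Dynamic ARP Inspection (8.2). It uses the guide's VLANs 100/200 and trusted uplink 1/24; the host port, MAC and IP values are constructed sample data, and the requirement that the ingress port also match the binding is an assumption drawn from the table carrying a port number.

```python
from collections import namedtuple
# One row of the DHCP snooping binding table (the fields the guide lists)
Binding = namedtuple("Binding", "ip mac lease_secs port vlan")

class SnoopingSwitch:
    def __init__(self, snooped_vlans, trusted_ports):
        self.snooped_vlans = set(snooped_vlans)
        self.trusted_ports = set(trusted_ports)
        self.bindings = {}   # (vlan, mac) -> Binding
        self.pending = {}    # client mac -> untrusted port it requested on

    def dhcp(self, port, vlan, msg, client_mac, ip=None, lease=0):
        """Decide 'forward'/'drop' for a DHCP message and learn bindings."""
        if vlan not in self.snooped_vlans:
            return "forward"                      # snooping is per VLAN
        if port in self.trusted_ports:
            if msg == "ACK" and client_mac in self.pending:
                # Server reply via the uplink completes the lease: record it
                self.bindings[(vlan, client_mac)] = Binding(
                    ip, client_mac, lease, self.pending.pop(client_mac), vlan)
            return "forward"
        if msg in ("DISCOVER", "REQUEST"):        # only client requests allowed
            self.pending[client_mac] = port
            return "forward"
        return "drop"        # OFFER/ACK/NAK etc. from untrusted ports are dropped

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """Untrusted-port traffic must match a binding's MAC, IP and port."""
        if vlan not in self.snooped_vlans or port in self.trusted_ports:
            return "forward"
        b = self.bindings.get((vlan, src_mac))
        ok = b is not None and b.ip == src_ip and b.port == port
        return "forward" if ok else "drop"

    # Dynamic ARP Inspection applies the same check to the ARP sender MAC/IP
    arp = ip_packet

def demo():
    """Constructed scenario: VLANs 100/200 snooped, uplink 1/24 trusted."""
    sw = SnoopingSwitch({100, 200}, {"1/24"})
    client = "00:11:22:33:44:55"           # constructed sample host on port 1/3
    sw.dhcp("1/3", 100, "DISCOVER", client)
    sw.dhcp("1/24", 100, "ACK", client, ip="10.0.100.50", lease=86400)
    return {
        "rogue_offer": sw.dhcp("1/5", 100, "OFFER", client, ip="10.0.100.9"),
        "valid_arp": sw.arp("1/3", 100, client, "10.0.100.50"),
        "spoofed_arp": sw.arp("1/3", 100, client, "10.0.100.1"),
        "uplink_arp": sw.arp("1/24", 100, "aa:bb:cc:dd:ee:ff", "10.0.100.1"),
        "unbound_host": sw.ip_packet("1/5", 100, "66:77:88:99:aa:bb", "10.0.100.77"),
    }
```

Running demo() shows the rogue OFFER, the spoofed ARP reply and the unbound host all dropped, while the legitimately leased host and anything on the trusted uplink are forwarded.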

8.2.1 Dynamic ARP Inspection Configuration

Assuming DHCP snooping is already enabled for VLANs 100 and 200 and port 1/19 is the uplink port, enter the following commands:


Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.

 

External Distribution

30
