Filters and QoS Configuration for ERS 5500
Technical Configuration Guide v2.0
8. IP Security Features
This section covers the security features DHCP Snooping,
8.1 DHCP Snooping
DHCP snooping is a security feature that builds a binding table on untrusted ports by monitoring DHCP messages. Core or uplink ports are considered trusted and should be configured as such. The DHCP snooping binding table consists of the leased IP address, MAC address, lease time, port number, and VLAN ID. DHCP snooping is configured on a per-VLAN basis where, by default, all ports are set to untrusted. You must configure the uplink ports as trusted.
Overall, DHCP snooping operates as follows:
• Allows only DHCP requests from untrusted ports.
• DHCP replies and all other DHCP messages from untrusted ports are dropped.
• Checks traffic entering untrusted ports against the DHCP snooping binding table by comparing the source MAC address with the DHCP-leased IP address. If there is no match, the packet is dropped.
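The three rules above, worked through as a small constructed model added here for illustration; this is not Nortel code or the ERS 5500's actual implementation, and the port names, MAC addresses, lease values and VLAN numbers are assumptions. It builds a binding from a client REQUEST on an untrusted port followed by a server ACK on the trusted uplink, then filters a rogue OFFER and a spoofed source address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding table entry (fields as listed in 8.1)."""
    ip: str
    mac: str
    lease: int
    port: str
    vlan: int

class DhcpSnooping:
    """Constructed model of the DHCP snooping rules in 8.1; not the ERS 5500 firmware."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink/core ports, e.g. "1/24"
        self.pending = {}                   # (vlan, mac) -> untrusted client port awaiting a lease
        self.bindings = {}                  # (vlan, mac) -> Binding

    def dhcp(self, port, vlan, msg, mac, ip=None, lease=0):
        """Filter one DHCP message; returns 'forward' or 'drop'."""
        if port in self.trusted:
            # Server-side messages are allowed; a lease ACK completes the binding for the client port.
            if msg == "ACK" and (vlan, mac) in self.pending:
                self.bindings[(vlan, mac)] = Binding(ip, mac, lease, self.pending.pop((vlan, mac)), vlan)
            return "forward"
        if msg in ("DISCOVER", "REQUEST"):  # only client requests may enter on untrusted ports
            self.pending[(vlan, mac)] = port
            return "forward"
        return "drop"                       # OFFER/ACK/NAK from an untrusted port (rogue server)

    def data(self, port, vlan, src_mac, src_ip):
        """Check a non-DHCP IP packet against the binding table; returns 'forward' or 'drop'."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, src_mac))
        return "forward" if b and b.ip == src_ip and b.port == port else "drop"

def demo():
    """Walk through a lease on VLAN 100 with uplink 1/24, then check rogue and spoofed traffic."""
    sw = DhcpSnooping(["1/24"])
    sw.dhcp("1/3", 100, "REQUEST", "00:11:22:33:44:55")
    sw.dhcp("1/24", 100, "ACK", "00:11:22:33:44:55", ip="10.1.100.50", lease=86400)
    return {
        "rogue_offer": sw.dhcp("1/5", 100, "OFFER", "00:11:22:33:44:55", ip="10.1.100.99"),
        "leased_host": sw.data("1/3", 100, "00:11:22:33:44:55", "10.1.100.50"),
        "spoofed_ip": sw.data("1/3", 100, "00:11:22:33:44:55", "10.1.100.99"),
        "unknown_host": sw.data("1/7", 100, "aa:bb:cc:dd:ee:ff", "10.1.100.77"),
    }
```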
8.1.1 DHCP Snooping Configuration
To enable DHCP snooping, enter the following commands, assuming we wish to enable DHCP snooping on VLANs 100 and 200 and the uplink port is 1/24.
• 5500(config)#ip
• 5500(config)#ip
• 5500(config)#ip
• 5500(config)#interface fastEthernet 1/24
8.2 Dynamic ARP Inspection
Dynamic ARP Inspection verifies the ARP packets to prevent
8.2.1 Dynamic ARP Inspection Configuration
Assuming DHCP snooping is already enabled for VLANs 100 and 200 and port 1/19 is the uplink port, enter the following commands:
Nortel Confidential Information. Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution, page 30