Filters and QoS Configuration for ERS 5500
Technical Configuration Guide v2.0 NN48500-559
Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution
8. IP Security Features
This section covers the security features DHCP Snooping, ARP Inspection, and IP Source Guard.
DHCP Snooping and ARP Inspection were added in the 5.0 software release, while IP Source
Guard was added in the 5.1 software release. If you are using a software release prior to 5.0,
please see the next section.

8.1 DHCP Snooping

DHCP snooping is a security feature that builds a binding table for untrusted ports by monitoring
DHCP messages. Core or uplink ports are considered trusted and should be configured as such.
The DHCP snooping binding table consists of the leased IP address, MAC address, lease time,
port number, and VLAN ID. DHCP snooping is configured on a per-VLAN basis where, by default,
all ports are set to untrusted. You must configure the uplink ports as trusted.
Overall, DHCP snooping operates as follows:
- Allows only DHCP requests from untrusted ports.
- DHCP replies and all other DHCP messages from untrusted ports are dropped.
- Verifies traffic entering untrusted ports against the DHCP snooping binding table by comparing
the source MAC address against the DHCP-leased IP address. If there is no match, the packet is
dropped.

8.1.1 DHCP Snooping Configuration

To enable DHCP snooping, enter the following commands, assuming we wish to enable DHCP
snooping on VLANs 100 and 200 and the uplink port is 1/24:
5500(config)#ip dhcp-snooping vlan 100
5500(config)#ip dhcp-snooping vlan 200
5500(config)#ip dhcp-snooping enable
5500(config)#interface fastEthernet 1/24
5500(config-if)#ip dhcp-snooping trusted
5500(config-if)#exit

8.2 Dynamic ARP Inspection

Dynamic ARP Inspection verifies ARP packets to prevent man-in-the-middle (MITM) types of
attacks. Without Dynamic ARP Inspection, a malicious user can attack hosts in a local subnet by
poisoning the ARP cache of hosts connected to that subnet and intercepting traffic intended for
other hosts on the subnet. This normally takes place on a VLAN with multiple hosts connected.
Dynamic ARP Inspection is used together with DHCP snooping, using the binding table to
validate the host MAC address to IP address binding on untrusted ports. ARP packets on
untrusted ports are only forwarded if their sender MAC and IP addresses match an entry in the
binding table. DHCP snooping must be enabled prior to enabling Dynamic ARP Inspection.
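The following Python model is an added example, not part of the Nortel guide and not the switch's actual implementation. It simulates the behaviour described in sections 8.1 and 8.2: DHCP requests pass only from untrusted ports, replies are accepted only from trusted ports and populate the binding table (IP, MAC, lease, port, VLAN), IP traffic on untrusted ports is checked against the table, and Dynamic ARP Inspection drops ARP packets on untrusted ports whose sender MAC/IP pair has no matching binding. Port names, VLAN numbers, MAC and IP addresses below are constructed for illustration, and the way a binding is tied to the client's ingress port (remembering the port of the last request for that MAC) is an assumption of this model.

```python
# Added example (not from the Nortel guide): a minimal model of the DHCP
# snooping binding table and Dynamic ARP Inspection checks on untrusted ports.
# All ports, VLANs, MACs and IPs are constructed sample values.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table."""
    ip: str
    mac: str
    lease_time: int  # seconds
    port: str
    vlan: int


@dataclass
class SnoopingSwitch:
    snooping_vlans: set          # VLANs where DHCP snooping is enabled
    trusted_ports: set           # uplink/core ports configured as trusted
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> Binding
    pending: dict = field(default_factory=dict)   # client MAC -> ingress port (assumption)

    def dhcp_message(self, port, vlan, kind, client_mac, ip=None, lease=0):
        """kind is 'request' (client DISCOVER/REQUEST) or 'reply' (server OFFER/ACK).
        Returns 'forward' or 'drop'."""
        if vlan not in self.snooping_vlans:
            return "forward"                      # snooping not enabled on this VLAN
        if port in self.trusted_ports:
            if kind == "reply" and ip and client_mac in self.pending:
                # Learn the lease from the server reply on the trusted port and
                # bind it to the client's ingress port recorded from its request.
                client_port = self.pending.pop(client_mac)
                self.bindings[(vlan, ip)] = Binding(ip, client_mac, lease, client_port, vlan)
            return "forward"
        # Untrusted port: only client requests are allowed; replies are dropped.
        if kind == "request":
            self.pending[client_mac] = port
            return "forward"
        return "drop"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP traffic entering an untrusted port must match a binding."""
        if port in self.trusted_ports or vlan not in self.snooping_vlans:
            return "forward"
        b = self.bindings.get((vlan, src_ip))
        return "forward" if b and b.mac == src_mac and b.port == port else "drop"

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: sender MAC/IP on an untrusted port must match a binding."""
        if port in self.trusted_ports or vlan not in self.snooping_vlans:
            return "forward"
        b = self.bindings.get((vlan, sender_ip))
        return "forward" if b and b.mac == sender_mac else "drop"


def run_demo():
    """Walk through the checks with constructed traffic; returns the verdicts."""
    sw = SnoopingSwitch(snooping_vlans={100, 200}, trusted_ports={"1/24"})
    client_mac, rogue_mac = "00:11:22:33:44:01", "00:11:22:33:44:99"
    results = {}
    # Legitimate client on untrusted port 1/3 obtains a lease via the uplink.
    results["client_request"] = sw.dhcp_message("1/3", 100, "request", client_mac)
    results["server_reply"] = sw.dhcp_message("1/24", 100, "reply", client_mac,
                                              ip="10.1.100.50", lease=86400)
    # A DHCP reply arriving on an untrusted access port is dropped.
    results["rogue_reply"] = sw.dhcp_message("1/7", 100, "reply", rogue_mac, ip="10.1.100.60")
    # IP traffic: the leased host passes, a host reusing that IP elsewhere does not.
    results["ip_legit"] = sw.ip_packet("1/3", 100, client_mac, "10.1.100.50")
    results["ip_spoofed"] = sw.ip_packet("1/7", 100, rogue_mac, "10.1.100.50")
    # ARP inspection: matching binding passes; unknown sender pair is dropped;
    # ARP from the trusted uplink (e.g. the gateway) is not inspected.
    results["arp_legit"] = sw.arp_packet("1/3", 100, client_mac, "10.1.100.50")
    results["arp_spoofed"] = sw.arp_packet("1/7", 100, rogue_mac, "10.1.100.1")
    results["arp_uplink"] = sw.arp_packet("1/24", 100, "00:11:22:33:44:fe", "10.1.100.1")
    # A VLAN without snooping enabled is left alone.
    results["other_vlan"] = sw.arp_packet("1/7", 300, rogue_mac, "10.1.100.1")
    results["binding_count"] = len(sw.bindings)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

The model reflects the guide's ordering requirement: `arp_packet` has nothing to validate against until `dhcp_message` has populated the table from a reply seen on a trusted port, which is why DHCP snooping must be enabled before Dynamic ARP Inspection.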

8.2.1 Dynamic ARP Inspection Configuration

Assuming DHCP snooping is already enabled for VLANs 100 and 200 and port 1/19 is the uplink
port, enter the following commands: