Filters and QoS Configuration for ERS 5500

Technical Configuration Guide

v2.0

NN48500-559

8. IP Security Features

This section covers the security features DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard. DHCP Snooping and Dynamic ARP Inspection were added in the 5.0 software release, while IP Source Guard was added in the 5.1 software release. If you are using a software release prior to 5.0, please see the next section.

8.1 DHCP Snooping

DHCP snooping is a security feature that builds a binding table for untrusted ports by monitoring DHCP messages. Core or uplink ports are considered trusted and should be configured as such. The DHCP snooping binding table consists of the leased IP address, MAC address, lease time, port number, and VLAN ID. DHCP snooping is configured on a per-VLAN basis and, by default, all ports are untrusted. You must configure the uplink ports as trusted.

Overall, DHCP snooping operates as follows:

• Only DHCP requests are allowed from untrusted ports.

• DHCP replies and all other DHCP messages arriving on untrusted ports are dropped.

• Traffic entering an untrusted port is checked against the DHCP snooping binding table by comparing the packet's source MAC address with the MAC address recorded for the leased IP address. If there is no match, the packet is dropped.

8.1.1 DHCP Snooping Configuration

To enable DHCP snooping, enter the following commands, assuming we wish to enable DHCP snooping on VLANs 100 and 200 and the uplink port is 1/24.

5500(config)#ip dhcp-snooping vlan 100
5500(config)#ip dhcp-snooping vlan 200
5500(config)#ip dhcp-snooping enable
5500(config)#interface fastEthernet 1/24
5500(config-if)#ip dhcp-snooping trusted
5500(config-if)#exit

8.2 Dynamic ARP Inspection

Dynamic ARP Inspection verifies ARP packets to prevent man-in-the-middle (MITM) types of attacks. Without dynamic ARP inspection, a malicious user can attack hosts on a local subnet by poisoning the ARP caches of the hosts connected to that subnet, and thereby intercept traffic intended for other hosts on the subnet. This normally takes place on VLANs with multiple hosts connected. Dynamic ARP inspection is used together with DHCP snooping: the binding table is used to validate the host MAC address to IP address binding on untrusted ports. ARP packets on untrusted ports are only forwarded if their source MAC and IP addresses match an entry in the binding table. DHCP snooping must be enabled prior to enabling dynamic ARP inspection.
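The following is an added example, not code from the Nortel guide or the ERS 5500 software: a small Python model of the behaviour described in sections 8.1 and 8.2, showing how a switch learns the DHCP snooping binding table only from server replies seen on trusted ports, drops DHCP replies arriving on untrusted ports, and then uses the table for Dynamic ARP Inspection. Port names, MAC/IP addresses and the packet dictionaries are constructed for illustration and do not mirror the switch's internal data structures.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int
    lease: int

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink/core ports, e.g. {"1/24"}
        self.pending = {}                   # (vlan, mac) -> access port awaiting a lease
        self.bindings = {}                  # (vlan, mac) -> Binding

    def handle_dhcp(self, pkt):
        """Return 'forward' or 'drop'; pkt keys: port, vlan, kind ('request'|'ack'), mac, ip, lease."""
        key = (pkt["vlan"], pkt["mac"])
        if pkt["port"] not in self.trusted:
            if pkt["kind"] != "request":
                return "drop"                # server reply on an access port: rogue server
            self.pending[key] = pkt["port"]  # remember which access port the client is on
            return "forward"
        if pkt["kind"] == "ack" and key in self.pending:
            # Lease granted via a trusted port: bind it to the client's access port
            self.bindings[key] = Binding(pkt["mac"], pkt["ip"], self.pending.pop(key),
                                         pkt["vlan"], pkt["lease"])
        return "forward"

    def handle_arp(self, pkt):
        """DAI: on untrusted ports the ARP sender MAC/IP must match a snooped binding."""
        if pkt["port"] in self.trusted:
            return "forward"
        b = self.bindings.get((pkt["vlan"], pkt["sender_mac"]))
        ok = b is not None and b.ip == pkt["sender_ip"] and b.port == pkt["port"]
        return "forward" if ok else "drop"

def demo():
    """One client leases an address, then sends a valid and a spoofed ARP (constructed data)."""
    sw = SnoopingSwitch(trusted_ports={"1/24"})
    mac = "00:11:22:33:44:55"
    r = {}
    r["request"] = sw.handle_dhcp({"port": "1/3", "vlan": 100, "kind": "request", "mac": mac})
    r["rogue_ack"] = sw.handle_dhcp({"port": "1/7", "vlan": 100, "kind": "ack", "mac": mac, "ip": "10.1.100.9", "lease": 3600})
    r["ack"] = sw.handle_dhcp({"port": "1/24", "vlan": 100, "kind": "ack", "mac": mac, "ip": "10.1.100.50", "lease": 3600})
    r["arp_ok"] = sw.handle_arp({"port": "1/3", "vlan": 100, "sender_mac": mac, "sender_ip": "10.1.100.50"})
    r["arp_spoof"] = sw.handle_arp({"port": "1/3", "vlan": 100, "sender_mac": mac, "sender_ip": "10.1.100.1"})
    return r, sw.bindings
```

Running demo() shows the rogue server reply on access port 1/7 being dropped, the real lease via trusted port 1/24 being bound to the client's port 1/3, and the ARP with a spoofed sender IP being discarded while the genuine one is forwarded.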

8.2.1 Dynamic ARP Inspection Configuration

Assuming DHCP snooping is already enabled for VLANs 100 and 200 and port 1/19 is the uplink port, enter the following commands:

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.

External Distribution
