Riverstone Networks WICT1-12 User Manual
7-22 Riverstone Networks RS Switch Router User Guide Release 8.0
Anti-Spoofing
CMTS Configuration Guide
Static and Dynamic Anti-IP Spoofing
IP-spoofing can be implemented statically or dynamically. The following sections give examples of each type of
anti-spoofing.
anti-spoofing.
Static Anti-IP Spoofing
Static configuration requires manually assigning an individual MAC address to an individual IP address.
Here is an example:
Dynamic Configuration of Anti-IP Spoofing
In dynamic configuration, a snoop function snoops DHCP packets to find IP address/MAC address information. If
anti-IP spoofing is enabled, the information is used to prevent spoofing. To prevent spoofing, the IP address/MAC
address pairs are stored in a data base and are used to check for spoofed IP addresses.
anti-IP spoofing is enabled, the information is used to prevent spoofing. To prevent spoofing, the IP address/MAC
address pairs are stored in a data base and are used to check for spoofed IP addresses.
Note
Dynamic configuration is enabled using the
anti-ip-spoofing
command in
conjunction with the
dhcp-ipaddr-snoop
command.
Here is an example.
Implementing DHCP-strict forces all CPEs to use DHCP. This implementation provides strict provisioning over IP
address usage. Here is the command to implement
DHCP-strict:
address usage. Here is the command to implement
DHCP-strict:
! Configure static anti-IP spoofing
cmts set headend cm.5.1 anti-ip-spoofing enable
cmts set cpe cm.5.1 macaddr 00BOCC:D6B4A ip 50.2.1.91
cmts set cpe cm.5.1 macaddr 00AOCC:D5B3A ip 50.2.1.92
! Configure dynamic anti-IP spoofing
cmts set headend cm.5.1 anti-ip-spoofing enable
cmts set headend cm.5.1 dhcp-ipaddr-snoop enable
! Enable dhcp strict
cmts set headend cm.5.1 dhcp-strict