Nortel Networks 5530 Manual Do Utilizador
Filters and QoS Configuration for ERS 5500
Technical Configuration Guide
Technical Configuration Guide
v2.0
NN48500-559
___________________________________________________________________________________________________________________________
Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution
30
8. IP Security Features
This section covers the security features DHCP Snooping, ARP-Inspection, and IP Source Guard.
DHCP Snooping and ARP-Inspection where added in the 5.0 software release while IP Source
Guard was added in the 5.1 software release. If you are using a software release prior to 5.0,
please see the next section.
DHCP Snooping and ARP-Inspection where added in the 5.0 software release while IP Source
Guard was added in the 5.1 software release. If you are using a software release prior to 5.0,
please see the next section.
8.1 DHCP Snooping
DHCP snooping is a security feature that builds a binding table on untrusted ports by monitoring
DHCP messages. On core or uplink ports, the port(s) is considered trusted and should be
configured as such. The DHCP snooping binding table consists of the leased IP address, MAC
address, lease time, port number, and VLAN ID. DHCP snooping is configured at a per VLAN
basis where, by default, all ports are set to untrusted. You must configure the uplink ports as
trusted.
DHCP messages. On core or uplink ports, the port(s) is considered trusted and should be
configured as such. The DHCP snooping binding table consists of the leased IP address, MAC
address, lease time, port number, and VLAN ID. DHCP snooping is configured at a per VLAN
basis where, by default, all ports are set to untrusted. You must configure the uplink ports as
trusted.
Overall, DHCP snooping operates as follows:
•
Allows only DHCP requests form untrusted ports.
•
DHCP replies and all other DHCP messages from untrusted ports are dropped
•
Verifies the DHCP snooping binding table on untrusted ports to verify the traffic entering
a port by comparing the source MAC address against the DHCP lease IP address. If
there is no match, the packet is dropped
a port by comparing the source MAC address against the DHCP lease IP address. If
there is no match, the packet is dropped
8.1.1 DHCP Snooping Configuration
To enable DHCP snooping, enter the following command assuming we wish to enable DHCP
snooping on VLANs 100 and 200 and the uplink port is 1/24.
snooping on VLANs 100 and 200 and the uplink port is 1/24.
•
5500(config)#
ip dhcp-snooping vlan 100
•
5500(config)#
ip dhcp-snooping vlan 200
•
5500(config)#
ip dhcp-snooping enable
•
5500(config)#
interface fastEthernet 1/24
•
5500(config-if)#
ip dhcp-snooping trusted
•
5500(config-if)#
exit
8.2 Dynamic
ARP
Inspection
Dynamic ARP Inspection verifies the ARP packets to prevent man-in-the-middle (MITM) types of
attacks. Without dynamic ARP inspection, a malicious user can attack hosts in a local subnet by
poisoning the ARP cache of hosts connected to this subnet by intercepting traffic intended for
other hosts on the subnet. This normally takes place on VLAN with multiple hosts connected.
Dynamic ARP inspection is used together with DHCP snooping by using the binding table to
validate the host MAC address to IP address binding on untrusted ports. ARP packets on
untrusted ports are only forward if they match the source MAC to IP address in the binding table.
DHCP snooping must be enable prior to enabling dynamic ARP inspection.
attacks. Without dynamic ARP inspection, a malicious user can attack hosts in a local subnet by
poisoning the ARP cache of hosts connected to this subnet by intercepting traffic intended for
other hosts on the subnet. This normally takes place on VLAN with multiple hosts connected.
Dynamic ARP inspection is used together with DHCP snooping by using the binding table to
validate the host MAC address to IP address binding on untrusted ports. ARP packets on
untrusted ports are only forward if they match the source MAC to IP address in the binding table.
DHCP snooping must be enable prior to enabling dynamic ARP inspection.
8.2.1 Dynamic ARP Inspection Configuration
Assuming DHCP snooping is already enable for VLANs 100 and 200 and port 1/19 is the uplink
port, enter the following commands:
port, enter the following commands: