Cisco WS-X6416-GE-MT - Interface Module - Expansion User Manual Page 32

White Paper
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 32 of 51
DHCP. In contrast, trusted ports allow all DHCP traffic to traverse the port, including requests and
offers for IP addresses.
For ports attached to hosts, or ports connected to unknown devices, the port should
be set to DHCP untrusted. In this case, should a server attach itself to an untrusted port, it
cannot issue an IP address to requesting hosts.
DHCP Snooping also maintains a DHCP Snooping Table that contains the MAC address,
IP address, and lease time of the client, and the VLAN of the untrusted host on the port. This
table is used by other features, including Dynamic ARP Inspection, to help ensure that users
attaching to ports are not attempting to attack the network. It does this by validating the IP
address and MAC address binding of all hosts. The example below enables DHCP Snooping
on VLAN 20; all ports on that VLAN are untrusted by default:
Cisco Catalyst OS:
    Console>(enable)set security acl ip snoopname permit dhcp-snooping
    Console>(enable)set security acl ip snoopname permit ip any any
    Console>(enable)commit security acl snoopname
    Console>(enable)set security acl map snoopname 20
Cisco IOS Software:
    Router(config)# ip dhcp snooping
    Router(config)# ip dhcp snooping vlan 20
Dynamic ARP Inspection (DAI) validates ARP packets in a network. It allows a network
administrator to intercept, log, and discard ARP packets with invalid MAC-address-to-IP-address
bindings (that is, bindings not present in the DHCP Snooping binding table). It prevents certain
man-in-the-middle (MIM) attacks from occurring.
The example below enables DAI on all ARP traffic from port 4/2 (because 4/2 is set to untrusted)
on VLAN 20:
Cisco Catalyst OS:
    Console>(enable)set security acl arp-inspection dynamic enable 20
    Console>(enable)set port arp-inspection 4/2 trust disable
Cisco IOS Software:
    Router(config)# ip arp inspection vlan 20
    Router(config)# interface FastEthernet 4/2
    Router(config-if)# no ip arp inspection trust
IP Source Guard prevents IP spoofing by allowing only the IP addresses that are recorded in the
DHCP Snooping binding table for a particular port. Initially, all traffic on the port is blocked except
for DHCP packets, which are captured by DHCP Snooping. When the client receives a DHCP IP
address, a port-based ACL (PACL) is installed on the port which permits traffic from that IP address,
or from a static IP address configured by the user. Any packet with a source IP address other than
those in the PACL permit list is filtered out. This removes the possibility of users attempting to spoof
their neighbor's IP address.
Configuring IP Source Guard requires that the port security-acl be placed in port-based mode
and that DHCP Snooping be enabled. The example below enables IP Source Guard on
port 4/2 and applies the security-acl "dhcpsnoop", which enables DHCP Snooping, to
VLAN 10:
Cisco Catalyst OS:
    Console>(enable)set port security-acl 4/2 port-based
    Console>(enable)set port dhcp-snooping 4/2 source-guard enable
    Console>(enable)set security-acl ip dhcpsnoop permit dhcp-snooping
    Console>(enable)set security-acl ip dhcpsnoop permit any any
    Console>(enable)commit security-acl dhcpsnoop
    Console>(enable)set security acl map dhcpsnoop 10
Cisco IOS Software:
    Console>(config)ip dhcp snooping
    Console>(config)ip dhcp snooping vlan 10
    Console>(config)int gi 4/2
    Console>(config-if)no ip dhcp snooping trust
    Console>(config-if)ip verify source vlan dhcp-snooping
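As an added illustration (not from this white paper), the following Python model shows how the binding table that DHCP Snooping builds is consulted by both DAI and IP Source Guard as described above; the bindings, port numbers, static address and trusted uplink are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP Snooping binding-table entry (MAC, IP, VLAN, port, lease)."""
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int  # remaining lease in seconds (constructed value)


# Constructed binding table: what DHCP Snooping learned from DHCP offers
# answered to clients on untrusted ports in VLAN 20.
BINDINGS = (
    Binding("00:11:22:33:44:55", "10.20.0.10", 20, "4/2", 3600),
    Binding("00:11:22:33:44:66", "10.20.0.11", 20, "4/3", 3600),
)
TRUSTED_PORTS = {"4/1"}                   # uplink toward the DHCP server
STATIC_SOURCES = {"4/4": {"10.20.0.50"}}  # user-configured static IP per port


def dai_check(port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
    """DAI decision for an ARP packet seen on port/vlan: 'permit' or 'drop'."""
    if port in TRUSTED_PORTS:
        return "permit"  # ARP on trusted ports is not inspected
    for b in BINDINGS:
        if b.vlan == vlan and b.mac == sender_mac and b.ip == sender_ip:
            return "permit"
    return "drop"  # sender MAC/IP pair is not a known binding: log and discard


def source_guard_check(port: str, src_ip: str, is_dhcp: bool = False) -> bool:
    """IP Source Guard decision for an IP packet arriving on an untrusted port."""
    if is_dhcp:
        return True  # DHCP is always let through so snooping can learn bindings
    allowed = {b.ip for b in BINDINGS if b.port == port}
    allowed |= STATIC_SOURCES.get(port, set())
    return src_ip in allowed  # this is the port's PACL permit list


if __name__ == "__main__":
    # Host on 4/3 sending ARP with its neighbour's address is dropped by DAI.
    print(dai_check("4/3", 20, "00:11:22:33:44:66", "10.20.0.10"))  # drop
    # The same spoof at the IP layer is dropped by IP Source Guard.
    print(source_guard_check("4/3", "10.20.0.10"))  # False
```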