Source Address Validation; Enabling Ip Source Address Validation - Dell Force10 Z9000 Configuration Manual
Hide thumbs
Also See for Force10 Z9000:
- Reference manual (1483 pages) ,
- Configuration manual (984 pages) ,
- Manual (56 pages)
Table of Contents
Advertisement
•
Specify an interface as trusted so that ARPs are not validated against the binding table.
INTERFACE mode
arp inspection-trust
Dell Networking OS Behavior: Introduced in Dell Networking OS version 8.2.1.0, DAI was available for Layer 3 only. However, Dell
Networking OS version 8.2.1.1 extends DAI to Layer 2.
Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).
Table 13. Three Types of Source Address Validation
Source Address Validation
IP Source Address Validation
DHCP MAC Source Address Validation
IP+MAC Source Address Validation
Enabling IP Source Address Validation
IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP
binding table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP
spoofing, an attacker can assume a legitimate client's identity and receive traffic addressed to it. Then the attacker can spoof the
client's IP address to interact with other clients.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the
requesting client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the system
verifies that the source IP address is one that is associated with the incoming port and optionally that the client belongs to the
permissible VLAN. If an attacker is impostering as a legitimate client, the source address appears on the wrong ingress port and the
system drops the packet. If the IP address is fake, the address is not on the list of permissible addresses for the port and the packet
is dropped. Similarly, if the IP address does not belong to the permissible VLAN, the packet is dropped.
To enable IP source address validation, use the following command.
NOTE: If you enable IP source guard using the ip dhcp source-address-validation command and if there are
more entries in the current DHCP snooping binding table than the available CAM space, SAV may not be applied to all
entries. To ensure that SAV is applied correctly to all entries, enable the ip dhcp source-address-validation
command before adding entries to the binding table.
•
Enable IP source address validation.
INTERFACE mode
ip dhcp source-address-validation
•
Enable IP source address validation with VLAN option.
INTERFACE mode
ip dhcp source-address-validation vlan vlan-id
NOTE:
Before enabling SAV With VLAN option, allocate at least one FP block to the ipmacacl CAM region.
236
Dynamic Host Configuration Protocol (DHCP)
Description
Prevents IP spoofing by forwarding only IP packets that have
been validated against the DHCP binding table.
Verifies a DHCP packet's source hardware address matches the
client hardware address field (CHADDR) in the payload.
Verifies that the IP source address and MAC source address are
a legitimate pair.
Advertisement
Table of Contents
Troubleshooting
