Dhcp Snooping Configuration Example; Ip Source Guard - Dell PowerConnect B-RX Configuration Manual

Bigiron rx series supporting multi-service ironware v02.7.03

DHCP snooping configuration example

The following example configures VLAN 2 and VLAN 20, and changes the CLI to the global
configuration level to enable DHCP snooping on the two VLANs. The commands are as follows.
FastIron SuperX Switch(config)#vlan 2
FastIron SuperX Switch(config-vlan-2)#untagged ethe 1/3 to 1/4
FastIron SuperX Switch(config-vlan-2)#router-interface ve 2
FastIron SuperX Switch(config-vlan-2)#exit
FastIron SuperX Switch(config)# ip dhcp snooping vlan 2
FastIron SuperX Switch(config)#vlan 20
FastIron SuperX Switch(config-vlan-20)#untagged ethe 1/1 to 1/2
FastIron SuperX Switch(config-vlan-20)#router-interface ve 20
FastIron SuperX Switch(config-vlan-20)#exit
FastIron SuperX Switch(config)#ip dhcp snooping vlan 20
On VLAN 2, client ports 1/3 and 1/4 are untrusted. By default, all client ports are untrusted. Hence,
only DHCP client request packets received on ports 1/3 and 1/4 are forwarded.
On VLAN 20, ports 1/1 and 1/2 are connected to a DHCP server. DHCP server ports are set to
trusted.
FastIron SuperX Switch(config)#interface ethernet 1/1
FastIron SuperX Switch(config-if-e1000-1/1)#dhcp snooping trust
FastIron SuperX Switch(config-if-e1000-1/1)#exit
FastIron SuperX Switch(config)#interface ethernet 1/2
FastIron SuperX Switch(config-if-e1000-1/2)#dhcp snooping trust
FastIron SuperX Switch(config-if-e1000-1/2)#exit
Hence, DHCP server reply packets received on ports 1/1 and 1/2 are forwarded, and client IP/MAC
binding information is collected.
The example also sets the DHCP server address for the local relay agent.
FastIron SuperX Switch(config)# interface ve 2
FastIron SuperX Switch(config-vif-2)#ip address 20.20.20.1/24
FastIron SuperX Switch(config-vif-2)#ip helper-address 30.30.30.4
FastIron SuperX Switch(config-vif-2)#interface ve 20
FastIron SuperX Switch(config-vif-20)#ip address 30.30.30.1/24
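The trust state that results from commands like these can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the manual or the vendor's tooling: it parses only the command forms shown on this page, its function names are hypothetical, and the VLAN 30 lines in the sample are constructed to show a VLAN left without snooping.

```python
import re

# Constructed sample: the example's commands plus a hypothetical unsnooped VLAN 30.
SAMPLE = """vlan 2
untagged ethe 1/3 to 1/4
exit
ip dhcp snooping vlan 2
vlan 20
untagged ethe 1/1 to 1/2
exit
ip dhcp snooping vlan 20
vlan 30
untagged ethe 2/1 to 2/2
interface ethernet 1/1
dhcp snooping trust
interface ethernet 1/2
dhcp snooping trust
"""

def expand_ports(spec):
    """'untagged ethe 1/3 to 1/4' -> ['1/3', '1/4']; ranges must stay in one slot."""
    found = re.findall(r"ethe (\d+)/(\d+)(?: to \1/(\d+))?", spec)
    return [f"{s}/{n}" for s, a, b in found for n in range(int(a), int(b or a) + 1)]

def audit(config):
    """Map each VLAN to its snooping state and trusted/untrusted member ports."""
    members, snooping, trusted = {}, set(), set()
    vlan = iface = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[-1].strip()  # tolerate pasted CLI prompts
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, iface = int(m[1]), None
        elif m := re.fullmatch(r"ip dhcp snooping vlan (\d+)", line):
            snooping.add(int(m[1]))
        elif line.startswith("interface ") or line == "exit":
            m = re.fullmatch(r"interface ethernet (\d+/\d+)", line)
            vlan, iface = None, (m[1] if m else None)
        elif line.startswith("untagged ") and vlan is not None:
            members.setdefault(vlan, []).extend(expand_ports(line))
        elif line == "dhcp snooping trust" and iface:
            trusted.add(iface)
    return {v: {"snooping": v in snooping,
                "trusted": [p for p in ports if p in trusted],
                "untrusted": [p for p in ports if p not in trusted]}
            for v, ports in members.items()}

def unprotected_vlans(report):
    """VLANs with member ports defined but DHCP snooping not enabled."""
    return [v for v, r in report.items() if not r["snooping"]]
```

For the sample, `audit(SAMPLE)` reports VLAN 2 with no trusted ports, which matches the example because its DHCP server is reached through the relay on VLAN 20, and `unprotected_vlans` returns VLAN 30.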
IP source guard
You can use IP Source Guard together with Dynamic ARP Inspection on untrusted ports. Refer to
"DHCP snooping" on page 988 and "Dynamic ARP inspection" on page 983.
IP source guard is used on client ports to prevent IP source address spoofing. Generally, IP source
guard is used together with DHCP snooping and Dynamic ARP Inspection on untrusted ports.
When IP source guard is first enabled, the client port allows only DHCP packets, and blocks all
other IP traffic. When the system learns a valid IP address on the port, the client port then allows IP
traffic. Client ports permit only the traffic with valid source IP addresses.
The system learns of a valid IP address from ARP. (For information on how the ARP table is
populated, refer to "ARP entries" on page 984.) When it learns a valid IP address, the system loads
a per-port IP ACL entry permitting the learned source IP address on the port.
When a new IP source entry binding on the port is created or deleted, the per-port IP ACL will be
recalculated and reapplied in hardware to reflect the change in IP source binding.
BigIron RX Series Configuration Guide
53-1001986-01
