The following example configures anti-spoofing features on a switch at the edge of the network, with two ports (ge.2.2 and ge.2.4) connected to a DHCP server and the remaining ports (ge.2.10-40) connected to users. DHCP snooping is enabled on the server-facing ports and they are set to trusted mode, so the binding table is populated from the DHCP exchanges that the trusted ports see.
The user ports are configured for both ARP inspection and IP source guard, but in inspection-only mode: packets are checked against the binding table, but these ports never add entries to it, because all entries come from DHCP snooping on the trusted server ports. DHCP snooping MAC verification is also enabled on the untrusted user ports, so a client DHCP packet whose chaddr field does not match the frame's source MAC is rejected. In addition, policy profile 1 drops UDP traffic with source port 67 on the user ports, which prevents a rogue DHCP server on a user port from answering clients.
As part of the configuration:
This example assumes that quarantine policy profile 3 has previously been configured. Refer to the “Authentication Configuration” chapter in this book for more information about using quarantine profiles and the quarantine agent.
System(su)->set antispoof class 1 name DHCP
System(su)->set antispoof class 1 timeout 7200
System(su)->set antispoof class 1 threshold-index 1 threshold-value 1 action syslog trap
System(su)->set antispoof class 2 name "IPSG and DAI"
System(su)->set antispoof class 2 timeout 3600
System(su)->set antispoof class 2 threshold-index 1 threshold-value 1 action syslog
System(su)->set antispoof class 2 threshold-index 2 threshold-value 2 action trap
System(su)->set antispoof class 2 threshold-index 3 threshold-value 3 quarantine-profile 3 action quarantine
System(su)->set policy profile 1 name DHCP
System(su)->set policy rule 1 udpsourceportIP 67 mask 16 drop
System(su)->set policy port ge.2.10-40 1
System(su)->set antispoof dhcp-snooping enable ge.2.2,4
System(su)->set antispoof dhcp-snooping port-mode trusted ge.2.2,4
System(su)->set antispoof arp-inspection inspection-only ge.2.10-40
System(su)->set antispoof ip-inspection inspection-only ge.2.10-40
System(su)->set antispoof dhcp-snooping enable ge.2.10-40
System(su)->set antispoof dhcp-snooping mac-verification enable ge.2.10-40
System(su)->set antispoof port-class 1 ge.2.2,4
System(su)->set antispoof port-class 2 ge.2.10-40
System(su)->set antispoof enable
System(su)->set antispoof notifications interval 30
System(su)->set antispoof duplicateIP enable
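The following Python model is an added example, not Enterasys code and not part of the original page; it shows what the configuration above makes the switch do with traffic. It models a binding table populated only from DHCP exchanges whose server reply arrives on a trusted port, MAC verification of client DHCP packets on untrusted ports, ARP inspection and IP source guard in inspection-only mode (check against the table, never learn from it), and the class 2 threshold ladder (1: syslog, 2: trap, 3: quarantine). The threshold semantics are a simplifying assumption: a per-port violation counter, with the action fired when the counter reaches a configured value. The assumption that a violating packet is dropped, the port names, MAC addresses and IP addresses are all constructed for the example.

```python
"""Toy model of DHCP snooping + MAC verification + ARP/IP inspection-only.
Added example with assumed, simplified semantics; not vendor code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    port: str   # the client's own (untrusted) port, not the server port


class AntiSpoof:
    def __init__(self, trusted_ports, thresholds):
        self.trusted = set(trusted_ports)
        self.thresholds = dict(thresholds)              # violation count -> action (assumed)
        self.bindings: Dict[str, Binding] = {}          # client MAC -> binding
        self.pending: Dict[str, str] = {}               # client MAC -> port of its request
        self.violations: Dict[str, int] = {}            # port -> violation count
        self.actions: List[Tuple[str, str, str]] = []   # (port, reason, action)

    def _violation(self, port, reason):
        """Count a violation on the port and fire the threshold action, if any."""
        n = self.violations.get(port, 0) + 1
        self.violations[port] = n
        self.actions.append((port, reason, self.thresholds.get(n, "none")))
        return "drop"   # assumption: a violating packet is dropped

    def dhcp_client(self, port, src_mac, chaddr):
        """DISCOVER/REQUEST. MAC verification: chaddr must equal the frame's source MAC."""
        if port in self.trusted:
            return "forward"
        if src_mac.lower() != chaddr.lower():
            return self._violation(port, "dhcp-mac-verification")
        self.pending[chaddr.lower()] = port   # remember which port asked for a lease
        return "forward"

    def dhcp_server(self, port, chaddr, yiaddr):
        """OFFER/ACK. Only replies arriving on a trusted port may create bindings."""
        if port not in self.trusted:
            return self._violation(port, "rogue-dhcp-server")
        client_port = self.pending.pop(chaddr.lower(), None)
        if client_port is None:
            return "forward"   # reply with no matching request: nothing to bind
        self.bindings[chaddr.lower()] = Binding(chaddr.lower(), yiaddr, client_port)
        return "forward"

    def _matches(self, port, mac, ip):
        b = self.bindings.get(mac.lower())
        return b is not None and b.ip == ip and b.port == port

    def arp(self, port, sender_mac, sender_ip):
        """ARP inspection (inspection-only): never learns, only checks sender MAC/IP/port."""
        if port in self.trusted or self._matches(port, sender_mac, sender_ip):
            return "forward"
        return self._violation(port, "arp-inspection")

    def ip(self, port, src_mac, src_ip):
        """IP source guard (inspection-only): source MAC/IP must match a binding on this port."""
        if port in self.trusted or self._matches(port, src_mac, src_ip):
            return "forward"
        return self._violation(port, "ip-source-guard")


CLASS2_THRESHOLDS = {1: "syslog", 2: "trap", 3: "quarantine"}   # from the class 2 lines above


def run_demo():
    """Constructed traffic: a legitimate host on ge.2.10, a spoofer on ge.2.11,
    and a rogue DHCP server on ge.2.12. Returns the model and the per-packet verdicts."""
    sw = AntiSpoof(trusted_ports={"ge.2.2", "ge.2.4"}, thresholds=CLASS2_THRESHOLDS)
    victim, spoofer = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    verdicts = [
        sw.dhcp_client("ge.2.10", victim, victim),           # forward: chaddr == src MAC
        sw.dhcp_server("ge.2.2", victim, "10.0.0.10"),       # forward: trusted port, binding created
        sw.arp("ge.2.10", victim, "10.0.0.10"),              # forward: matches binding
        sw.ip("ge.2.10", victim, "10.0.0.10"),               # forward: matches binding
        sw.dhcp_client("ge.2.11", spoofer, victim),          # drop: chaddr != src MAC (1 -> syslog)
        sw.arp("ge.2.11", spoofer, "10.0.0.10"),             # drop: claims victim's IP (2 -> trap)
        sw.ip("ge.2.11", spoofer, "10.0.0.1"),               # drop: unbound source (3 -> quarantine)
        sw.dhcp_server("ge.2.12", victim, "10.0.0.99"),      # drop: server reply on untrusted port
    ]
    return sw, verdicts


if __name__ == "__main__":
    model, results = run_demo()
    for r, a in zip(results[4:], model.actions):
        print(r, a)
```

Note that the spoofer's forged DHCP request is rejected before it can create a pending entry, so it can never obtain a binding for the victim's MAC; the rogue server on ge.2.12 is stopped by the trusted-port check here and, on the real switch, additionally by the policy rule that drops UDP source port 67 on user ports.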