Code Example

The following example configures anti-spoofing features on a switch at the edge of the network, with two ports connected to a DHCP server and the rest of the ports connected to users. DHCP snooping is configured on the ports connected to the DHCP server so the binding table will be populated by DHCP snooping.

Two sets of user ports are configured for ARP inspection or IP source guard inspection, but are enabled for inspection only, since the binding table entries are added by DHCP snooping on the DHCP server trusted ports. Also, DHCP snooping MAC verification is enabled on the untrusted user ports.

As part of the configuration:

This example assumes that quarantine policy profile 3 has previously been configured. Refer to the “Authentication Configuration” chapter in this book for more information about using quarantine profiles and the quarantine agent.

System(su)->set antispoof class 1 name DHCP
System(su)->set antispoof class 1 timeout 7200
System(su)->set antispoof class 1 threshold-index 1 threshold-value 1 action syslog trap
System(su)->set antispoof class 2 name "IPSG and DAI"
System(su)->set antispoof class 2 timeout 3600
System(su)->set antispoof class 2 threshold-index 1 threshold-value 1 action syslog
System(su)->set antispoof class 2 threshold-index 2 threshold-value 2 action trap
System(su)->set antispoof class 2 threshold-index 3 threshold-value 3 quarantine-profile 3 action quarantine
System(su)->set policy profile 1 name DHCP
System(su)->set policy rule 1 udpsourceportIP 67 mask 16 drop
System(su)->set policy port ge.2.10-40 1
System(su)->set antispoof dhcp-snooping enable ge.2.2,4
System(su)->set antispoof dhcp-snooping port-mode trusted ge.2.2,4
System(su)->set antispoof arp-inspection inspection-only ge.2.10-40
System(su)->set antispoof ip-inspection inspection-only ge.2.10-40
System(su)->set antispoof dhcp-snooping enable ge.2.10-40
System(su)->set antispoof dhcp-snooping mac-verification enable ge.2.10-40
System(su)->set antispoof port-class 1 ge.2.2,4
System(su)->set antispoof port-class 2 ge.2.10-40
System(su)->set antispoof enable
System(su)->set antispoof notifications interval 30
System(su)->set antispoof duplicateIP enable
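The binding-table and class-threshold behaviour this configuration sets up, as an added illustrative model in Python (not the switch firmware or any vendor code). It assumes that a class's threshold-value is the per-port violation count at which that threshold's action fires, and the ports, MACs and IPs in the demo are constructed values:

```python
from dataclasses import dataclass, field


@dataclass
class AntispoofClass:
    name: str
    thresholds: dict  # threshold-value -> action (assumed: count reaching value fires action)


@dataclass
class AntispoofSwitch:
    classes: dict           # class index -> AntispoofClass
    port_class: dict        # port -> class index
    trusted: set            # DHCP-snooping trusted (server-facing) ports
    bindings: dict = field(default_factory=dict)    # (client port, mac) -> ip
    violations: dict = field(default_factory=dict)  # port -> violation count

    def learn_binding(self, server_port, client_port, mac, ip):
        """DHCP snooping adds a binding only from server replies seen on trusted ports."""
        if server_port not in self.trusted:
            return False  # a rogue DHCP server on a user port cannot seed the table
        self.bindings[(client_port, mac)] = ip
        return True

    def inspect(self, port, mac, ip):
        """ARP / IP source inspection: the source must match the snooped binding for
        that port. Returns None when valid, else the highest action reached."""
        if self.bindings.get((port, mac)) == ip:
            return None
        count = self.violations.get(port, 0) + 1
        self.violations[port] = count
        cls = self.classes[self.port_class[port]]
        reached = [v for v in cls.thresholds if v <= count]
        return cls.thresholds[max(reached)] if reached else "count-only"


def build_switch():
    """Mirror the classes, port-class mapping and trusted ports configured above."""
    classes = {
        1: AntispoofClass("DHCP", {1: "syslog trap"}),
        2: AntispoofClass("IPSG and DAI", {1: "syslog", 2: "trap", 3: "quarantine profile 3"}),
    }
    port_class = {"ge.2.2": 1, "ge.2.4": 1, **{f"ge.2.{n}": 2 for n in range(10, 41)}}
    return AntispoofSwitch(classes, port_class, trusted={"ge.2.2", "ge.2.4"})


def demo():
    sw = build_switch()  # constructed sample: valid client on ge.2.12, spoofer on ge.2.13
    sw.learn_binding("ge.2.2", "ge.2.12", "00:11:22:33:44:12", "10.1.2.12")
    rogue = sw.learn_binding("ge.2.15", "ge.2.13", "00:11:22:33:44:13", "10.1.2.13")
    good = sw.inspect("ge.2.12", "00:11:22:33:44:12", "10.1.2.12")
    spoof = [sw.inspect("ge.2.13", "00:11:22:33:44:13", "10.1.2.12") for _ in range(3)]
    return rogue, good, spoof
```

Running `demo()` shows the rogue server on an untrusted port failing to add a binding, the legitimate client passing, and the spoofing port escalating through syslog, trap and quarantine on successive violations.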