Configuring Anti-Spoofing Features describes the tasks and commands used to configure anti-spoofing features on the switch. Managing Anti-Spoofing Features describes the tasks and commands used to manage anti-spoofing features. Displaying Anti-Spoofing Information describes the commands used to display anti-spoofing information.
Refer to the Anti-Spoofing Commands chapter in the S-, K-, and 7100 Series CLI Reference Guide for details about using these commands.
Configuring Anti-Spoofing Features
| Step | Task | Command(s) |
|---|---|---|
| 1 | Create a port class and optionally, configure a name and timeout value. Up to 3 classes can be configured. | set antispoof class class-index {name name \| timeout timeout} |
| 2 | Configure thresholds and actions for the class. Up to 6 threshold indexes can be specified per class. | set antispoof class class-index threshold-index thresh-index [threshold-value thresh-value] [quarantine-profile quar-profile] [action {[syslog] [trap] [quarantine]}] |
| 3 | Enable DHCP snooping on the desired port or ports. | set antispoof dhcp-snooping enable port-string |
| 4 | Configure the ports on which trusted DHCP server traffic will be accepted. DHCP ACK packets received on these ports will be used to populate the MAC-to-IP address binding table. All other ports will default to untrusted mode. DHCP packets received on untrusted ports will increment the untrusted server counter. | set antispoof dhcp-snooping port-mode trusted port-string |
| 5 | Optionally, enable DHCP snooping MAC verification on the desired untrusted port or ports. | set antispoof dhcp-snooping mac-verification enable port-string |
| 6 | Optionally, enable dynamic ARP inspection or specify ARP packet inspection only, on the desired port or ports. | set antispoof arp-inspection enable port-string<br>set antispoof arp-inspection inspection-only port-string |
| 7 | Optionally, enable IP source guard or specify IP packet inspection only, on the desired port or ports. | set antispoof ip-inspection enable port-string<br>set antispoof ip-inspection inspection-only port-string |
| 8 | Optionally, configure bypass ports. DHCP server packets received on these ports will be ignored. | set antispoof dhcp-snooping port-mode bypass port-string |
| 9 | Assign port classes to ports. | set antispoof port-class class-index port-string |
| 10 | Globally enable anti-spoofing features on the switch. | set antispoof enable |
| 11 | Optionally, change the notifications interval. The default value is 60 seconds. Note that sending notifications is enabled by default. | set antispoof notifications interval interval |
| 12 | Optionally, enable duplicate IP address detection. | set antispoof duplicateIP enable |
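
The following Python model is an added illustration, not vendor code or switch output, of how the port modes in steps 4 and 8, ARP inspection in step 6 and a class threshold in step 2 interact. It assumes that thresholds count violations per port, that enabled ARP inspection drops a packet whose sender MAC and IP do not match a binding on that port, and that inspection-only counts the violation but forwards the packet. All port names, addresses and the threshold value are constructed.

```python
from dataclasses import dataclass

@dataclass
class Port:
    dhcp_mode: str = "untrusted"     # page: ports default to untrusted
    arp_mode: str = "off"            # "off" | "enable" | "inspection-only"
    threshold: int = 2               # constructed threshold-value
    actions: tuple = ("syslog",)     # subset of syslog / trap / quarantine
    violations: int = 0

class AntiSpoofModel:
    def __init__(self, ports):
        self.ports = ports
        self.bindings = {}           # client MAC -> (IP, client port)
        self.untrusted_server = 0    # DHCP server packets seen on untrusted ports
        self.fired = []              # (port, actions) recorded when a threshold is hit

    def dhcp_server_packet(self, in_port, msg_type, mac, ip, client_port):
        mode = self.ports[in_port].dhcp_mode
        if mode == "bypass":         # step 8: server packets are ignored
            return "ignored"
        if mode == "untrusted":      # step 4: only the counter is incremented
            self.untrusted_server += 1
            return "counted"
        if msg_type == "ACK":        # only ACKs on trusted ports create bindings
            self.bindings[mac] = (ip, client_port)
        return "accepted"

    def arp_packet(self, in_port, sender_mac, sender_ip):
        port = self.ports[in_port]
        if port.arp_mode == "off" or self.bindings.get(sender_mac) == (sender_ip, in_port):
            return "forward"
        port.violations += 1
        if port.violations == port.threshold:
            self.fired.append((in_port, port.actions))
        # Assumption: inspection-only counts the violation but still forwards.
        return "forward" if port.arp_mode == "inspection-only" else "drop"

def demo():
    mac = "00:00:5e:00:53:01"        # constructed documentation-range values
    sw = AntiSpoofModel({"ge.1.1": Port(arp_mode="enable"),
                         "ge.1.47": Port(dhcp_mode="bypass"),
                         "ge.1.48": Port(dhcp_mode="trusted")})
    dhcp = [sw.dhcp_server_packet(p, "ACK", mac, ip, "ge.1.1") for p, ip in
            (("ge.1.1", "192.0.2.66"), ("ge.1.47", "192.0.2.67"), ("ge.1.48", "192.0.2.10"))]
    arp = [sw.arp_packet("ge.1.1", mac, ip) for ip in ("192.0.2.10", "192.0.2.1", "192.0.2.1")]
    return sw, dhcp, arp
```

In this model, forgetting to mark the uplink as trusted leaves the binding table empty, so every ARP packet on a port with inspection enabled counts as a violation.
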
The following table lists the commands used to disable or reset anti-spoofing features and to manage the binding table entries.
Managing Anti-Spoofing Features
| Task | Command(s) |
|---|---|
| Disable anti-spoofing globally or reset all anti-spoofing configuration to default values. | set antispoof disable<br>clear antispoof<br>clear antispoof all |
| Disable sending anti-spoofing notifications. | set antispoof notifications disable |
| Reset the notification interval to the default of 60 seconds. | clear antispoof notifications interval |
| Disable duplicate IP address detection. | set antispoof duplicateIP disable<br>clear antispoof duplicateIP |
| Delete an anti-spoofing port class or clear specific configuration values to their defaults. | clear antispoof class class-index [name] [timeout] [threshold-index thresh-index] |
| Disable DHCP snooping on the specified port or ports. | clear antispoof dhcp-snooping port-string |
| Disable DHCP snooping MAC verification on the specified port or ports. | clear antispoof dhcp-snooping mac-verification port-string |
| Reset the DHCP snooping port mode to untrusted for the specified port or ports. | clear antispoof dhcp-snooping port-mode port-string |
| Disable dynamic ARP inspection on the specified port or ports. | set antispoof arp-inspection disable port-string<br>clear antispoof arp-inspection port-string |
| Disable IP source guard on the specified port or ports. | set antispoof ip-inspection disable port-string<br>clear antispoof ip-inspection port-string |
| Remove an anti-spoofing port class assignment from the specified port or ports. | clear antispoof port-class port-string |
| Delete an anti-spoofing user source MAC address to source IP address binding from the binding table. | clear antispoof binding {port port-string \| mac mac-addr \| ip ip-addr} |
| Reset the anti-spoofing threshold counters to 0 by port, MAC address, or IP address. | clear antispoof counters {port port-string \| mac mac-addr \| ip ip-addr} |
The following table lists the commands used to display anti-spoofing information.
Displaying Anti-Spoofing Information
| Task | Command |
|---|---|
| Display global anti-spoofing values | show antispoof |
| Display anti-spoofing class information | show antispoof class [class-index] |
| Display anti-spoofing port configuration | show antispoof port [port-string] [-interesting] |
| Display anti-spoofing source MAC address to source IP address bindings | show antispoof binding [port port-string] [mac mac-addr] [ip ip-addr] [all] [-verbose] |
| Display anti-spoofing statistics | show antispoof counters [port port-string] [mac mac-addr] [ip ip-addr] [all] [-verbose] |