Configuring Anti-Spoofing Features describes the tasks and commands used to configure anti-spoofing features on the switch. Managing Anti-Spoofing Features describes the tasks and commands used to manage anti-spoofing features. Displaying Anti-Spoofing Information describes the commands used to display anti-spoofing information.
Refer to the Anti-Spoofing Commands chapter in the S-, K-, and 7100 Series CLI Reference Guide for details about using these commands.
Step | Task | Command(s) |
---|---|---|
1 | Create a port class and optionally, configure a name and timeout value. Up to 3 classes can be configured. | set antispoof class class-index {name name \| timeout timeout} |
2 | Configure thresholds and actions for the class. Up to 6 threshold indexes can be specified per class. | set antispoof class class-index threshold-index thresh-index [threshold-value thresh-value] [quarantine-profile quar-profile] [action {[syslog] [trap] [quarantine]}] |
3 | Enable DHCP snooping on the desired port or ports. | set antispoof dhcp-snooping enable port-string |
4 | Configure the ports on which trusted DHCP server traffic will be accepted. DHCP ACK packets received on these ports will be used to populate the MAC-to-IP address binding table. All other ports will default to untrusted mode. DHCP packets received on untrusted ports will increment the untrusted server counter. | set antispoof dhcp-snooping port-mode trusted port-string |
5 | Optionally, enable DHCP snooping MAC verification on the desired untrusted port or ports. | set antispoof dhcp-snooping mac-verification enable port-string |
6 | Optionally, enable dynamic ARP inspection or specify ARP packet inspection only, on the desired port or ports. | set antispoof arp-inspection enable port-string<br>set antispoof arp-inspection inspection-only port-string |
7 | Optionally, enable IP source guard or specify IP packet inspection only, on the desired port or ports. | set antispoof ip-inspection enable port-string<br>set antispoof ip-inspection inspection-only port-string |
8 | Optionally, configure bypass ports. DHCP server packets received on these ports will be ignored. | set antispoof dhcp-snooping port-mode bypass port-string |
9 | Assign port classes to ports. | set antispoof port-class class-index port-string |
10 | Globally enable anti-spoofing features on the switch. | set antispoof enable |
11 | Optionally, change the notifications interval. The default value is 60 seconds. Note that sending notifications is enabled by default. | set antispoof notifications interval interval |
12 | Optionally, enable duplicate IP address detection. | set antispoof duplicateIP enable |
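
The following is an added example, not part of the guide: a small Python audit of a saved list of `set antispoof` commands against the procedure above. It flags a class that was never assigned to a port (step 9), DHCP snooping with no trusted port (step 4, so no DHCP ACK packets feed the binding table), a missing global enable (step 10), and the 3-class and 6-threshold limits. The port strings, threshold values and the function name `audit` are constructed for illustration.

```python
# Limits stated in the configuration table.
MAX_CLASSES = 3
MAX_THRESHOLDS = 6

# Constructed sample: port strings and numeric values are illustrative only.
# It omits the trusted port (4), class assignment (9) and global enable (10).
SAMPLE_CONFIG = """\
set antispoof class 1 name access
set antispoof class 1 threshold-index 1 threshold-value 5 action syslog
set antispoof class 1 threshold-index 2 threshold-value 10 action syslog trap
set antispoof dhcp-snooping enable ge.1.1-24
set antispoof arp-inspection enable ge.1.1-24
set antispoof ip-inspection inspection-only ge.1.1-24
"""

def audit(config):
    """Return findings for a block of 'set antispoof' command lines."""
    thresholds, assigned = {}, set()   # class-index -> threshold indexes
    snooping = trusted = enabled = False
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["set", "antispoof"]:
            continue
        args = tok[2:]
        if args == ["enable"]:
            enabled = True
        elif args[:1] == ["class"] and len(args) > 1:
            seen = thresholds.setdefault(args[1], set())
            if "threshold-index" in args[2:-1]:
                seen.add(args[args.index("threshold-index") + 1])
        elif args[:2] == ["dhcp-snooping", "enable"]:
            snooping = True
        elif args[:3] == ["dhcp-snooping", "port-mode", "trusted"]:
            trusted = True
        elif args[:1] == ["port-class"] and len(args) > 1:
            assigned.add(args[1])
    findings = []
    if len(thresholds) > MAX_CLASSES:
        findings.append("more than 3 port classes configured")
    for cls, idx in sorted(thresholds.items()):
        if len(idx) > MAX_THRESHOLDS:
            findings.append(f"class {cls}: more than 6 threshold indexes")
        if cls not in assigned:
            findings.append(f"class {cls}: not assigned to any port (step 9)")
    if snooping and not trusted:
        findings.append("DHCP snooping enabled but no trusted port (step 4)")
    if not enabled:
        findings.append("anti-spoofing not globally enabled (step 10)")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns three findings; appending the step 4, step 9 and step 10 commands to the sample clears them.
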
The following table lists the commands used to disable or reset anti-spoofing features and to manage the binding table entries.
Task | Command(s) |
---|---|
Disable anti-spoofing globally or reset all anti-spoofing configuration to default values. | set antispoof disable<br>clear antispoof<br>clear antispoof all |
Disable sending anti-spoofing notifications. | set antispoof notifications disable |
Reset the notification interval to the default of 60 seconds. | clear antispoof notifications interval |
Disable duplicate IP address detection. | set antispoof duplicateIP disable<br>clear antispoof duplicateIP |
Delete an anti-spoofing port class or clear specific configuration values to their defaults. | clear antispoof class class-index [name] [timeout] [threshold-index thresh-index] |
Disable DHCP snooping on the specified port or ports. | clear antispoof dhcp-snooping port-string |
Disable DHCP snooping MAC verification on the specified port or ports. | clear antispoof dhcp-snooping mac-verification port-string |
Reset the DHCP snooping port mode to untrusted for the specified port or ports. | clear antispoof dhcp-snooping port-mode port-string |
Disable dynamic ARP inspection on the specified port or ports. | set antispoof arp-inspection disable port-string<br>clear antispoof arp-inspection port-string |
Disable IP source guard on the specified port or ports. | set antispoof ip-inspection disable port-string<br>clear antispoof ip-inspection port-string |
Remove an anti-spoofing port class assignment from the specified port or ports. | clear antispoof port-class port-string |
Delete an anti-spoofing user source MAC address to source IP address binding from the binding table. | clear antispoof binding {port port-string \| mac mac-addr \| ip ip-addr} |
Reset the anti-spoofing threshold counters to 0 by port, MAC address, or IP address. | clear antispoof counters {port port-string \| mac mac-addr \| ip ip-addr} |
The following table lists the commands used to display anti-spoofing information.
Task | Command |
---|---|
Display global anti-spoofing values | show antispoof |
Display anti-spoofing class information | show antispoof class [class-index] |
Display anti-spoofing port configuration | show antispoof port [port-string] [-interesting] |
Display anti-spoofing source MAC address to source IP address bindings | show antispoof binding [port port-string] [mac mac-addr] [ip ip-addr] [all] [-verbose] |
Display anti-spoofing statistics | show antispoof counters [port port-string] [mac mac-addr] [ip ip-addr] [all] [-verbose] |