Configuration Examples

Configuring Anti-Spoofing Features describes the tasks and commands used to configure anti-spoofing features on the switch. Managing Anti-Spoofing Features describes the tasks and commands used to manage anti-spoofing features. Displaying Anti-Spoofing Information describes the commands used to display anti-spoofing information.

Refer to the Anti-Spoofing Commands chapter in the S-, K-, and 7100 Series CLI Reference Guide for details about using these commands.

Configuring Anti-Spoofing Features

Step 1. Create a port class and, optionally, configure a name and timeout value. Up to 3 classes can be configured.
    Command: set antispoof class class-index {name name | timeout timeout}

Step 2. Configure thresholds and actions for the class. Up to 6 threshold indexes can be specified per class.
    Command: set antispoof class class-index threshold-index thresh-index [threshold-value thresh-value] [quarantine-profile quar-profile] [action {[syslog] [trap] [quarantine]}]

Step 3. Enable DHCP snooping on the desired port or ports.
    Command: set antispoof dhcp-snooping enable port-string

Step 4. Configure the ports on which trusted DHCP server traffic will be accepted. DHCP ACK packets received on these ports will be used to populate the MAC-to-IP address binding table. All other ports will default to untrusted mode. DHCP packets received on untrusted ports will increment the untrusted server counter.
    Command: set antispoof dhcp-snooping port-mode trusted port-string

Step 5. Optionally, enable DHCP snooping MAC verification on the desired untrusted port or ports.
    Command: set antispoof dhcp-snooping mac-verification enable port-string

Step 6. Optionally, enable dynamic ARP inspection or specify ARP packet inspection only, on the desired port or ports.
    Commands: set antispoof arp-inspection enable port-string
              set antispoof arp-inspection inspection-only port-string

Step 7. Optionally, enable IP source guard or specify IP packet inspection only, on the desired port or ports.
    Commands: set antispoof ip-inspection enable port-string
              set antispoof ip-inspection inspection-only port-string

Step 8. Optionally, configure bypass ports. DHCP server packets received on these ports will be ignored.
    Command: set antispoof dhcp-snooping port-mode bypass port-string

Step 9. Assign port classes to ports.
    Command: set antispoof port-class class-index port-string

Step 10. Globally enable anti-spoofing features on the switch.
    Command: set antispoof enable

Step 11. Optionally, change the notifications interval. The default value is 60 seconds. Note that sending notifications is enabled by default.
    Command: set antispoof notifications interval interval

Step 12. Optionally, enable duplicate IP address detection.
    Command: set antispoof duplicateIP enable
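
The following Python check is an added example, not part of the guide or of the switch software. It audits a block of set antispoof commands against the limits and step dependencies stated in the procedure above (3 classes, 6 threshold indexes per class, a trusted DHCP port when snooping is enabled, global enable). The finding codes, the sample port strings and the sample values are assumptions made for illustration, and treating a class without thresholds or an unassigned class index as a finding is this example's reading of steps 1, 2 and 9.

```python
MAX_CLASSES = 3      # "Up to 3 classes can be configured"
MAX_THRESHOLDS = 6   # "Up to 6 threshold indexes can be specified per class"

def audit_antispoof(config_text):
    """Audit 'set antispoof' lines; return a sorted list of finding codes."""
    classes, assigned = {}, set()   # class-index -> threshold indexes; classes used
    snooping, trusted, enabled = [], [], False
    for raw in config_text.splitlines():
        args = raw.split()
        if args[:2] != ["set", "antispoof"] or len(args) < 3:
            continue
        args = args[2:]
        if args == ["enable"]:
            enabled = True
        elif args[0] == "class" and len(args) > 1:
            thresholds = classes.setdefault(args[1], set())
            if "threshold-index" in args[:-1]:
                thresholds.add(args[args.index("threshold-index") + 1])
        elif args[:2] == ["dhcp-snooping", "enable"]:
            snooping += args[2:]
        elif args[:3] == ["dhcp-snooping", "port-mode", "trusted"]:
            trusted += args[3:]
        elif args[0] == "port-class" and len(args) > 2:
            assigned.add(args[1])
    checks = {
        "not-globally-enabled": not enabled,                      # step 10
        "too-many-classes": len(classes) > MAX_CLASSES,
        "too-many-thresholds": any(len(t) > MAX_THRESHOLDS for t in classes.values()),
        "class-without-threshold": any(not t for t in classes.values()),  # step 2
        "snooping-without-trusted-port": bool(snooping) and not trusted,  # step 4
        "port-class-undefined": bool(assigned - set(classes)),    # step 9 vs. 1
    }
    return sorted(code for code, hit in checks.items() if hit)

# Constructed sample configs; port strings and values are illustrative only.
GOOD = """
set antispoof class 1 name users
set antispoof class 1 threshold-index 1 threshold-value 5 action syslog trap
set antispoof dhcp-snooping enable ge.1.1-24
set antispoof dhcp-snooping port-mode trusted ge.1.48
set antispoof arp-inspection enable ge.1.1-24
set antispoof port-class 1 ge.1.1-24
set antispoof enable
"""
BAD = """
set antispoof class 1 name users
set antispoof dhcp-snooping enable ge.1.1-24
set antispoof port-class 2 ge.1.1-24
"""
```

Port strings are compared as opaque tokens, so the check does not expand port ranges or detect overlap between them.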

The following table lists the commands used to disable or reset anti-spoofing features and to manage the binding table entries.

Managing Anti-Spoofing Features

Task: Disable anti-spoofing globally or reset all anti-spoofing configuration to default values.
    Commands: set antispoof disable
              clear antispoof
              clear antispoof all

Task: Disable sending anti-spoofing notifications.
    Command: set antispoof notifications disable

Task: Reset the notification interval to the default of 60 seconds.
    Command: clear antispoof notifications interval

Task: Disable duplicate IP address detection.
    Commands: set antispoof duplicateIP disable
              clear antispoof duplicateIP

Task: Delete an anti-spoofing port class or clear specific configuration values to their defaults.
    Command: clear antispoof class class-index [name] [timeout] [threshold-index thresh-index]

Task: Disable DHCP snooping on the specified port or ports.
    Command: clear antispoof dhcp-snooping port-string

Task: Disable DHCP snooping MAC verification on the specified port or ports.
    Command: clear antispoof dhcp-snooping mac-verification port-string

Task: Reset the DHCP snooping port mode to untrusted for the specified port or ports.
    Command: clear antispoof dhcp-snooping port-mode port-string

Task: Disable dynamic ARP inspection on the specified port or ports.
    Commands: set antispoof arp-inspection disable port-string
              clear antispoof arp-inspection port-string

Task: Disable IP source guard on the specified port or ports.
    Commands: set antispoof ip-inspection disable port-string
              clear antispoof ip-inspection port-string

Task: Remove an anti-spoofing port class assignment from the specified port or ports.
    Command: clear antispoof port-class port-string

Task: Delete an anti-spoofing user source MAC address to source IP address binding from the binding table.
    Command: clear antispoof binding {port port-string | mac mac-addr | ip ip-addr}

Task: Reset the anti-spoofing threshold counters to 0 by port, MAC address, or IP address.
    Command: clear antispoof counters {port port-string | mac mac-addr | ip ip-addr}

The following table lists the commands used to display anti-spoofing information.

Displaying Anti-Spoofing Information

Task: Display global anti-spoofing values.
    Command: show antispoof

Task: Display anti-spoofing class information.
    Command: show antispoof class [class-index]

Task: Display anti-spoofing port configuration.
    Command: show antispoof port [port-string] [-interesting]

Task: Display anti-spoofing source MAC address to source IP address bindings.
    Command: show antispoof binding [port port-string] [mac mac-addr] [ip ip-addr] [all] [-verbose]

Task: Display anti-spoofing statistics.
    Command: show antispoof counters [port port-string] [mac mac-addr] [ip ip-addr] [all] [-verbose]