Enterasys SecureStack C2 C2G170-24

Enterasys SecureStack C2 C2G170-24

698 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

Dynamic ARP Inspection Overview

17-18 DHCP Snooping and Dynamic ARP Inspection

Basic Configuration

Thefollowingbasicconfigurationdoesnotchange thedefaultratelimitingparameters.

Example Configuration

ThefollowingexampleconfiguresDHCPsnoopinganddynamicARPinspectioninarouting

environmentusingRIP.Theexampleconfigurestwointerfacesontheswitch,configuringRIPon

bothinterfaces,assigningeachtoadifferentVLAN,andthenenablingDHCPsnoopingand

dynamicARPinspection onthem:

•Interfacege.1.1,whichisconnected

toaremoteDHCPserver,onVLAN192

•Interfacege.1.2,whichisconnectedtoDHCPclients,onVLAN10

Inaddition,thedefaultVLAN,VLAN1,isalsoenabledforDHCPsnoopinganddynamicARP

inspection.

SincetheDHCPserverisremote,theswitchhasbeenconfiguredasaDHCPrelayagent

(withthe

iphelper‐addresscommand),toforwardclientrequeststotheDHCPserver.Therefore,MAC

addressverificationisdisabled(withthesetdhcpsnoopingverifymac‐addressdisable

command)inordertoallowDHCPRELEASEpacketstobeprocessedbytheDHCPsnooping

functionalityandclientbindingsremovedfromthebindings

database

Router Configuration

router

enable

configure

interface vlan 10

no shutdown

ip address 10.2.0.1 255.255.0.0

ip helper-address 192.168.0.200

ip rip send version 2

ip rip receive version 2

ip rip enable

Procedure 17-2 Basic Dynamic ARP Inspection Configuration

Step Task Command(s)

1. Configure DHCP snooping. Refer to Procedure 17-1 on page 17-3.

2. Enable ARP inspection on the VLANs where

clients are connected, and optionally, enable

logging of invalid ARP packets.

set arpinspection vlan vlan-range

[logging]

3. Determine which ports are not security threats

and configure them as DAI trusted ports.

set arpinspection trust port

port-string enable

4. If desired, configure optional validation

parameters.

set arpinspection validate

{[src-mac] [dst-mac] [ip]}

5. If desired, configure static mappings for DAI by

creating ARP ACLs:

• Create the ARP ACL

• Apply the ACL to a VLAN

set arpinspection filter name permit

ip host sender-ipaddr mac host

sender-macaddr

set arpinspection filter name vlan

vlan-range [static]

Table of Contents

Other manuals for Enterasys SecureStack C2 C2G170-24

Hardware Installation Guide74 pages

Related product manuals

Preview: SecureStack C2 C2G124-24

SecureStack C2 C2G124-24

Preview: Enterasys SecureStack C2

Enterasys SecureStack C2

Preview: SecureStack A2 A2H124-24

SecureStack A2 A2H124-24

Preview: SecureStack B3 B3G124-48

SecureStack B3 B3G124-48

SecureStack A2 A2H254-16

Preview: SecureStack B3 B3G124-24P

SecureStack B3 B3G124-24P

Preview: SecureStack B2 B2G124-48P

SecureStack B2 B2G124-48P

Enterasys SSA-G1018-0652

Preview: Enterasys C3G124-24

Enterasys C3G124-24

Preview: Enterasys B5G124-24

Enterasys B5G124-24

Preview: Enterasys 08H20G4-24

Enterasys 08H20G4-24

Preview: Enterasys Matrix-V V2H124-24

Enterasys Matrix-V V2H124-24