User Manual UMN:CLI
SURPASS hiD 6615 S223/S323 R1.5
A50010-Y3-C150-2-7619 261
The DHCP snooping database agent should be a TFTP server.
8.8.7.7 Displaying DHCP Snooping Configuration

To display the DHCP snooping table, use the following commands.

Command                          Mode             Description
show ip dhcp snooping            Enable / Global  Shows the DHCP snooping configuration.
show ip dhcp snooping binding    Enable / Global  Shows the DHCP snooping binding entries.
8.8.8 IP Source Guard

IP source guard is closely related to DHCP snooping. This function is used on DHCP snooping untrusted Layer 2 ports. Except for DHCP packets, which the DHCP snooping process allows through, all IP traffic coming into such a port is blocked. Once an authorized IP address from the DHCP server is assigned to a DHCP client, or a static IP source binding is configured, IP source guard restricts the client's IP traffic to the source IP addresses recorded in the binding; any IP traffic with a source IP address other than the one in the IP source binding is filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
IP source guard supports Layer 2 ports only, both access and trunk. For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:

• Source IP Address Filter
  IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that matches an IP source binding entry is permitted. The IP source address filter changes whenever an IP source binding entry is created or deleted on the port; it is then recalculated and reapplied in hardware to reflect the binding change. By default, if the IP filter is enabled without any IP source binding on the port, a default policy that denies all IP traffic is applied to the port. Similarly, when the IP filter is disabled, any IP source filter policy is removed from the interface.

• Source IP and MAC Address Filter
  IP traffic is filtered based on its source IP address as well as its source MAC address; only IP traffic whose source IP and MAC addresses both match an IP source binding entry is permitted. When IP source guard is enabled in IP and MAC filtering mode, DHCP snooping option 82 must be enabled to ensure that the DHCP protocol works properly. Without option 82 data, the switch cannot locate the client host port to which the DHCP server reply should be forwarded. Instead, the DHCP server reply is dropped, and the client cannot obtain an IP address.
8.8.8.1 Enabling IP Source Guard

After configuring DHCP snooping, configure IP source guard using the provided command. When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
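The following Python model illustrates the filtering rules described in the two filter levels above and in this section: DHCP packets bypass the filter, an enabled port with no binding denies all IP traffic, the IP-only mode ignores the MAC address, the IP-and-MAC mode requires both to match, and disabling the filter removes the policy. It is an added example written for this page, not Siemens code or the switch's implementation; the port names, addresses and packets are constructed sample values.

```python
"""Toy model of the IP source guard filter semantics described in section 8.8.8.
Added illustration, not the switch's own code. All values below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One entry of the union of DHCP snooping bindings and static IP source bindings."""
    port: str
    ip: str
    mac: str


@dataclass
class Packet:
    port: str            # ingress (untrusted) Layer 2 port
    src_ip: str
    src_mac: str
    is_dhcp: bool = False  # DHCP packets are handled by DHCP snooping, not this filter


@dataclass
class IpSourceGuard:
    # port -> filter mode: absent (no policy), "ip" or "ip-mac"
    port_mode: dict = field(default_factory=dict)
    bindings: set = field(default_factory=set)

    def enable(self, port: str, mode: str = "ip") -> None:
        if mode not in ("ip", "ip-mac"):
            raise ValueError("mode must be 'ip' or 'ip-mac'")
        self.port_mode[port] = mode

    def disable(self, port: str) -> None:
        # Disabling the filter removes any IP source filter policy from the port.
        self.port_mode.pop(port, None)

    def add_binding(self, port: str, ip: str, mac: str) -> None:
        # In the real switch the hardware filter is recalculated here; in this
        # model the binding set is consulted directly on every packet.
        self.bindings.add(Binding(port, ip, mac))

    def remove_binding(self, port: str, ip: str, mac: str) -> None:
        self.bindings.discard(Binding(port, ip, mac))

    def permit(self, pkt: Packet) -> bool:
        mode = self.port_mode.get(pkt.port)
        if mode is None:
            return True          # filter not enabled on this port: no policy applied
        if pkt.is_dhcp:
            return True          # left to the DHCP snooping process
        for b in self.bindings:
            if b.port != pkt.port or b.ip != pkt.src_ip:
                continue
            if mode == "ip" or b.mac == pkt.src_mac:
                return True
        # No matching binding on this port. This also covers the default-deny
        # case of a filter enabled before any binding exists.
        return False


def demo() -> dict:
    """Walk through the cases from the text; returns each verdict for inspection."""
    g = IpSourceGuard()
    g.enable("1/1")                                   # IP-only filter, no bindings yet
    client = Packet("1/1", "10.0.0.5", "00:11:22:33:44:55")
    spoofed_ip = Packet("1/1", "10.0.0.9", "00:11:22:33:44:55")
    spoofed_mac = Packet("1/1", "10.0.0.5", "de:ad:be:ef:00:01")
    dhcp = Packet("1/1", "0.0.0.0", "00:11:22:33:44:55", is_dhcp=True)

    out = {"default_deny": g.permit(client)}        # enabled, no binding -> False
    g.add_binding("1/1", "10.0.0.5", "00:11:22:33:44:55")  # e.g. learned by DHCP snooping
    out["ip_match"] = g.permit(client)              # True
    out["ip_spoof"] = g.permit(spoofed_ip)          # False
    out["ip_mode_ignores_mac"] = g.permit(spoofed_mac)  # True in IP-only mode
    g.enable("1/1", "ip-mac")
    out["ipmac_spoofed_mac"] = g.permit(spoofed_mac)    # False in IP+MAC mode
    out["dhcp_bypass"] = g.permit(dhcp)             # True: DHCP is not filtered here
    g.disable("1/1")
    out["disabled"] = g.permit(spoofed_ip)          # True: policy removed
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'permit' if verdict else 'deny'}")
```

The `demo()` walkthrough reproduces the order of operations an operator would see: the port denies everything until the first binding appears, a spoofed source IP is dropped once a binding exists, and switching to IP-and-MAC mode additionally catches a host that keeps its assigned IP but changes its MAC address.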