Brocade Communications Systems 6650 Switch User Manual


 
Brocade ICX 6650 Security Configuration Guide 283
53-1002601-01
DHCP snooping
Enabling trust on a port
The default trust setting for a port is untrusted. For ports that are connected to host ports, leave
their trust settings as untrusted.
To enable trust on a port, enter commands such as the following.
Brocade(config)# interface ethernet 1/1/4
Brocade(config-if-e10000-1/1/4)# arp inspection trust
The commands change the CLI to the interface configuration level of port 1/1/4 and set the trust
setting of port 1/1/4 to trusted.
Syntax: [no] arp inspection trust
Displaying ARP inspection status and ports
To display the ARP inspection status for a VLAN and its trusted and untrusted ports, enter the
following command.
Syntax: show ip arp inspection [vlan vlan_id]
The vlan_id variable specifies the ID of a configured VLAN.
Brocade# show ip arp inspection vlan 2
IP ARP inspection VLAN 2: Disabled
Trusted Ports : ethe 1/1/4
Untrusted Ports : ethe 1/1/1 to 1/1/3 ethe 1/2/1 to 1/2/4 ethe 1/3/1 to 1/3/4
                  ethe 1/2/7 to 1/2/9
Displaying the ARP table
To display the ARP table, enter the show arp command.
The command displays all ARP entries in the system.
Syntax: show arp
Brocade# show arp
Total number of ARP entries: 2, maximum capacity: 6000
No  IP Address   MAC Address     Type     Age  Port   Status
1   10.43.1.1    0000.00a0.4000  Dynamic  0    mgmt1  Valid
2   10.43.1.78   0000.0160.6ab1  Dynamic  2    mgmt1  Valid
DHCP snooping
Dynamic Host Configuration Protocol (DHCP) snooping enables the Brocade device to filter
untrusted DHCP packets in a subnet. DHCP snooping can ward off man-in-the-middle (MiM) attacks,
such as a malicious user posing as a DHCP server and sending false DHCP server reply packets with
the intention of misdirecting other users. DHCP snooping can also stop unauthorized DHCP servers
and prevent errors due to user misconfiguration of DHCP servers.
DHCP snooping is often used together with Dynamic ARP Inspection and IP Source Guard.
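The guide states that host-facing ports should stay untrusted and shows the show ip arp inspection output that reports trust per port. The following Python script is an added example, not part of the guide or of Brocade software: it parses that output (including the "ethe 1/1/1 to 1/1/3" port ranges and the wrapped continuation line) and reports, as audit findings, inspection left disabled on the VLAN and any trusted port that is not in an operator-supplied list of expected uplinks. The sample output is constructed from the format shown above; the expected_trusted set and the assumption that a range never crosses a unit/slot boundary are the example's own.

```python
"""Audit Brocade ICX 'show ip arp inspection' output for trust-setting drift (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample in the format the guide shows; not captured from a real device.
SAMPLE_ARP_INSPECTION = """\
IP ARP inspection VLAN 2: Disabled
Trusted Ports : ethe 1/1/4
Untrusted Ports : ethe 1/1/1 to 1/1/3 ethe 1/2/1 to 1/2/4 ethe 1/3/1 to 1/3/4
                  ethe 1/2/7 to 1/2/9
"""

# Matches "ethe U/S/P" optionally followed by "to U/S/P".
PORT_RE = re.compile(r"ethe\s+(\d+)/(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+)/(\d+))?")
STATUS_RE = re.compile(r"IP ARP inspection VLAN (\d+):\s*(\w+)")
LIST_RE = re.compile(r"(Trusted|Untrusted) Ports\s*:\s*(.*)")


def expand_ports(text: str) -> List[str]:
    """Expand 'ethe 1/1/1 to 1/1/3 ethe 1/2/7' into ['1/1/1', '1/1/2', '1/1/3', '1/2/7'].

    Assumption of this example: a range only varies the last (port) number within one unit/slot.
    """
    ports: List[str] = []
    for m in PORT_RE.finditer(text):
        unit, slot, first = int(m.group(1)), int(m.group(2)), int(m.group(3))
        if m.group(4):
            if (int(m.group(4)), int(m.group(5))) != (unit, slot):
                raise ValueError(f"range crosses unit/slot boundary: {m.group(0)}")
            last = int(m.group(6))
        else:
            last = first
        ports.extend(f"{unit}/{slot}/{p}" for p in range(first, last + 1))
    return ports


def parse_arp_inspection(output: str) -> Dict[str, object]:
    """Parse the status line and the trusted/untrusted port lists.

    A line with no 'Trusted/Untrusted Ports :' label is treated as a wrapped
    continuation of the previous list, as in the guide's sample output.
    """
    result: Dict[str, object] = {"vlan": None, "enabled": None, "trusted": [], "untrusted": []}
    current = None  # which list a continuation line belongs to
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            result["vlan"] = int(m.group(1))
            result["enabled"] = m.group(2).lower() == "enabled"
            continue
        m = LIST_RE.match(line)
        if m:
            current = m.group(1).lower()
            result[current].extend(expand_ports(m.group(2)))
        elif current is not None:
            result[current].extend(expand_ports(line))
    return result


def audit_trust(parsed: Dict[str, object], expected_trusted: Set[str]) -> List[str]:
    """Return findings: inspection disabled, unexpected trusted ports, missing uplinks.

    Only ports facing DHCP servers/uplinks should be trusted; every other
    trusted port is a gap in ARP inspection coverage.
    """
    findings: List[str] = []
    if not parsed["enabled"]:
        findings.append(f"VLAN {parsed['vlan']}: ARP inspection is disabled")
    trusted = set(parsed["trusted"])
    for port in sorted(trusted - expected_trusted):
        findings.append(f"port {port} is trusted but is not an expected uplink")
    for port in sorted(expected_trusted - trusted):
        findings.append(f"expected uplink {port} is not trusted")
    return findings


if __name__ == "__main__":
    parsed = parse_arp_inspection(SAMPLE_ARP_INSPECTION)
    # Hypothetical expected uplink set for this VLAN.
    for finding in audit_trust(parsed, {"1/1/4"}):
        print(finding)
```

Run it against the output of show ip arp inspection vlan N copied from the device; with the sample above and 1/1/4 as the only expected uplink it reports just that inspection is disabled on VLAN 2, and changing the expected set to another port produces a finding for 1/1/4 being trusted unexpectedly.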