ECS3510-26P_Management Guide R02
Table Of Contents
- About This Guide
- Contents
- Figures
- Tables
- Getting Started
- Web Configuration
- Using the Web Interface
- Basic Management Tasks
- Displaying System Information
- Displaying Hardware/Software Versions
- Configuring Support for Jumbo Frames
- Displaying Bridge Extension Capabilities
- Managing System Files
- Setting the System Clock
- Configuring the Console Port
- Configuring Telnet Settings
- Displaying CPU Utilization
- Displaying Memory Utilization
- Resetting the System
- Interface Configuration
- VLAN Configuration
- Address Table Settings
- Spanning Tree Algorithm
- Congestion Control
- Class of Service
- Quality of Service
- VoIP Traffic Configuration
- Security Measures
- AAA Authorization and Accounting
- Configuring User Accounts
- Web Authentication
- Network Access (MAC Address Authentication)
- Configuring HTTPS
- Configuring the Secure Shell
- Access Control Lists
- ARP Inspection
- Filtering IP Addresses for Management Access
- Configuring Port Security
- Configuring 802.1X Port Authentication
- IP Source Guard
- DHCP Snooping
- DoS Protection
- Basic Administration Protocols
- IP Configuration
- IP Services
- Multicast Filtering
- Command Line Interface
- Using the Command Line Interface
- General Commands
- System Management Commands
- SNMP Commands
- Remote Monitoring Commands
- Authentication Commands
- User Accounts
- Authentication Sequence
- RADIUS Client
- TACACS+ Client
- AAA
- Web Server
- Telnet Server
- Secure Shell
- 802.1X Port Authentication
- dot1x default
- dot1x eapol-pass-through
- dot1x system-auth-control
- dot1x intrusion-action
- dot1x max-req
- dot1x operation-mode
- dot1x port-control
- dot1x re-authentication
- dot1x timeout quiet-period
- dot1x timeout re-authperiod
- dot1x timeout supp-timeout
- dot1x timeout tx-period
- dot1x re-authenticate
- dot1x identity profile
- dot1x max-start
- dot1x pae supplicant
- dot1x timeout auth-period
- dot1x timeout held-period
- dot1x timeout start-period
- show dot1x
- Management IP Filter
- General Security Measures
- Port Security
- Network Access (MAC Address Authentication)
- network-access aging
- network-access mac-filter
- mac-authentication reauth-time
- network-access dynamic-qos
- network-access dynamic-vlan
- network-access guest-vlan
- network-access link-detection
- network-access link-detection link-down
- network-access link-detection link-up
- network-access link-detection link-up-down
- network-access max-mac-count
- network-access mode mac-authentication
- network-access port-mac-filter
- mac-authentication intrusion-action
- mac-authentication max-mac-count
- clear network-access
- show network-access
- show network-access mac-address-table
- show network- access mac-filter
- Web Authentication
- DHCP Snooping
- IP Source Guard
- ARP Inspection
- ip arp inspection
- ip arp inspection filter
- ip arp inspection log-buffer logs
- ip arp inspection validate
- ip arp inspection vlan
- ip arp inspection limit
- ip arp inspection trust
- show ip arp inspection configuration
- show ip arp inspection interface
- show ip arp inspection log
- show ip arp inspection statistics
- show ip arp inspection vlan
- Denial of Service Protection
- Access Control Lists
- Interface Commands
- Link Aggregation Commands
- Port Mirroring Commands
- Rate Limit Commands
- Automatic Traffic Control Commands
- Threshold Commands
- SNMP Trap Commands
- snmp-server enable port-traps atc broadcast-alarm- clear
- snmp-server enable port-traps atc broadcast-alarm-fire
- snmp-server enable port-traps atc broadcast-control- apply
- snmp-server enable port-traps atc broadcast-control- release
- snmp-server enable port-traps atc multicast-alarm- clear
- snmp-server enable port-traps atc multicast-alarm-fire
- snmp-server enable port-traps atc multicast-control- apply
- snmp-server enable port-traps atc multicast-control- release
- ATC Display Commands
- Address Table Commands
- Spanning Tree Commands
- spanning-tree
- spanning-tree cisco-prestandard
- spanning-tree forward-time
- spanning-tree hello-time
- spanning-tree max-age
- spanning-tree mode
- spanning-tree pathcost method
- spanning-tree priority
- spanning-tree mst configuration
- spanning-tree transmission-limit
- max-hops
- mst priority
- mst vlan
- name
- revision
- spanning-tree bpdu-filter
- spanning-tree bpdu-guard
- spanning-tree cost
- spanning-tree edge- port
- spanning-tree link-type
- spanning-tree loopback-detection
- spanning-tree loopback-detection action
- spanning-tree loopback-detection release-mode
- spanning-tree loopback-detection trap
- spanning-tree mst cost
- spanning-tree mst port-priority
- spanning-tree port-priority
- spanning-tree root-guard
- spanning-tree spanning-disabled
- spanning-tree loopback-detection release
- spanning-tree protocol-migration
- show spanning-tree
- show spanning-tree mst configuration
- VLAN Commands
- Class of Service Commands
- Quality of Service Commands
- Multicast Filtering Commands
- IGMP Snooping
- ip igmp snooping
- ip igmp snooping proxy-reporting
- ip igmp snooping querier
- ip igmp snooping router-alert-option- check
- ip igmp snooping router-port-expire- time
- ip igmp snooping tcn-flood
- ip igmp snooping tcn-query-solicit
- ip igmp snooping unregistered-data- flood
- ip igmp snooping unsolicited-report- interval
- ip igmp snooping version
- ip igmp snooping version-exclusive
- ip igmp snooping vlan general-query- suppression
- ip igmp snooping vlan immediate- leave
- ip igmp snooping vlan last-memb- query-count
- ip igmp snooping vlan last-memb- query-intvl
- ip igmp snooping vlan mrd
- ip igmp snooping vlan proxy-address
- ip igmp snooping vlan query-interval
- ip igmp snooping vlan query-resp- intvl
- ip igmp snooping vlan static
- show ip igmp snooping
- show ip igmp snooping mrouter
- show ip igmp snooping group
- Static Multicast Routing
- IGMP Filtering and Throttling
- Multicast VLAN Registration
- IGMP Snooping
- LLDP Commands
- lldp
- lldp holdtime-multiplier
- lldp med-fast-start- count
- lldp notification-interval
- lldp refresh-interval
- lldp reinit-delay
- lldp tx-delay
- lldp admin-status
- lldp basic-tlv management-ip- address
- lldp basic-tlv port-description
- lldp basic-tlv system-capabilities
- lldp basic-tlv system-description
- lldp basic-tlv system-name
- lldp dot1-tlv proto-ident
- lldp dot1-tlv proto-vid
- lldp dot1-tlv pvid
- lldp dot1-tlv vlan-name
- lldp dot3-tlv link-agg
- lldp dot3-tlv max-frame
- lldp med-location civic-addr
- lldp med-notification
- lldp med-tlv ext-poe
- lldp med-tlv inventory
- lldp med-tlv location
- lldp med-tlv med-cap
- lldp med-tlv network-policy
- lldp notification
- show lldp config
- show lldp info local-device
- show lldp info remote-device
- show lldp info statistics
- Domain Name Service Commands
- DHCP Commands
- IP Interface Commands
- Appendices
- Glossary
- Command List
- Index
C
HAPTER
24
| General Security Measures
DHCP Snooping
– 686 –
ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore
the default setting.
SYNTAX
[no] ip dhcp snooping
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Network traffic may be disrupted when malicious DHCP messages are
received from an outside source. DHCP snooping is used to filter DHCP
messages received on an unsecure interface from outside the network
or fire wall. When DHCP snooping is enabled globally by this command,
and enabled on a VLAN interface by the ip dhcp snooping vlan
command, DHCP messages received on an untrusted interface (as
specified by the no ip dhcp snooping trust command) from a device not
listed in the DHCP snooping table will be dropped.
◆ When enabled, DHCP messages entering an untrusted interface are
filtered based upon dynamic entries learned via DHCP snooping.
◆ Table entries are only learned for trusted interfaces. Each entry
includes a MAC address, IP address, lease time, VLAN identifier, and
port identifier.
◆ When DHCP snooping is enabled, the rate limit for the number of DHCP
messages that can be processed by the switch is 100 packets per
second. Any DHCP packets in excess of this limit are dropped.
◆ Filtering rules are implemented as follows:
■
If global DHCP snooping is disabled, all DHCP packets are
forwarded.
■
If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, all DHCP packets are forwarded
for a trusted port. If the received packet is a DHCP ACK message, a
dynamic DHCP snooping entry is also added to the binding table.
■
If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, but the port is not trusted, it is
processed as follows:
■
If the DHCP packet is a reply packet from a DHCP server
(including OFFER, ACK or NAK messages), the packet is
dropped.