EOS – Antispoof

14th January 2016 by Martin Flammia

Filed under Extreme Networks EOS

Last modified 18th January 2016

ANTI-SPOOF will not work without a Multiauth binding entry, so this will need to be configured along with auto-tracking!

Anti-spoofing is configured by defining one or more classes; a single class can be added to all ports, or different classes can be applied to different ports. For a default threshold of 450 IP address changes per 30 seconds, giving an average of 15 pps (packets per second), with a trap notification and syslog sent thereafter, you can use the following configuration.

Uplink ports can be configured as trusted; access ports will be left with the default “untrusted” setting.

To configure the trusted ports use the following commands:

To configure the untrusted ports use the following commands:

MAC Verification
With DHCP snooping and MAC verification, packets transiting untrusted ports are checked against entries in the binding table.

Dynamic ARP Inspection (DAI)
DAI can be used to populate the binding table; ARP responses will be checked for the correct sender MAC address against the source IP address.

ARP Inspection / C-Series

IP Source Guard
IP Source Guard can be used to populate the binding table and will check the MAC and IP address pairs that are not picked up by DAI.
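
The binding-table check described under DAI and IP Source Guard, together with the 450-changes-per-30-seconds threshold from the introduction, can be modelled in a few lines of Python. This is an added example, not EOS code or the author's configuration; the port names, the bindings, the counting of a "change" as a source IP differing from the previous packet on the port, and the bypass for trusted ports are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: IP -> MAC bindings and one trusted uplink port.
BINDINGS = {"10.0.0.10": "00:11:22:33:44:55", "10.0.0.11": "00:11:22:33:44:66"}
TRUSTED_PORTS = {"uplink1"}          # hypothetical port name
THRESHOLD, WINDOW = 450, 30.0        # changes, seconds (figures from the text)


def check_arp(port, sender_mac, sender_ip):
    """Model of the DAI decision for one ARP reply: 'forward' or a drop reason."""
    if port in TRUSTED_PORTS:        # assumption: trusted ports are not inspected
        return "forward"
    bound_mac = BINDINGS.get(sender_ip)
    if bound_mac is None:
        return "drop: no binding"
    if bound_mac.lower() != sender_mac.lower():
        return "drop: mac mismatch"
    return "forward"


class ChangeRateMonitor:
    """Sliding-window count of source-IP changes seen on one untrusted port."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.changes = deque()       # timestamps of observed IP changes
        self.last_ip = None

    def observe(self, ts, src_ip):
        """Record one packet; True once changes in the window exceed the threshold
        (the point at which a trap and syslog message would be raised)."""
        if self.last_ip is not None and src_ip != self.last_ip:
            self.changes.append(ts)
        self.last_ip = src_ip
        while self.changes and ts - self.changes[0] > self.window:
            self.changes.popleft()
        return len(self.changes) > self.threshold


def first_alert(interval, count=1000):
    """Feed constructed packets alternating between two source IPs, `interval`
    seconds apart; return the index of the first alert, or None."""
    mon = ChangeRateMonitor()
    for i in range(count):
        if mon.observe(i * interval, "10.0.0.%d" % (10 + i % 2)):
            return i
    return None


if __name__ == "__main__":
    print(check_arp("access1", "de:ad:be:ef:00:01", "10.0.0.10"))
    print(first_alert(0.02), first_alert(0.1))
```

At 50 changes per second the model alerts on the 452nd packet, while 10 changes per second never fills the 30-second window past the threshold.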

Duplicate IP
Log duplicate IP entries

 
