Riverstone Networks WICT1-12 User Manual

7-22 Riverstone Networks RS Switch Router User Guide Release 8.0

Anti-Spoofing

CMTS Configuration Guide

Static and Dynamic Anti-IP Spoofing

IP-spoofing can be implemented statically or dynamically. The following sections give examples of each type of
anti-spoofing.

Static Anti-IP Spoofing

Static configuration requires manually assigning an individual MAC address to an individual IP address.

Here is an example:

Dynamic Configuration of Anti-IP Spoofing

In dynamic configuration, a snoop function snoops DHCP packets to find IP address/MAC address information. If
anti-IP spoofing is enabled, the information is used to prevent spoofing. To prevent spoofing, the IP address/MAC
address pairs are stored in a data base and are used to check for spoofed IP addresses.

Note

Dynamic configuration is enabled using the

anti-ip-spoofing

command in

conjunction with the

dhcp-ipaddr-snoop

command.

Here is an example.

Implementing DHCP-strict forces all CPEs to use DHCP. This implementation provides strict provisioning over IP
address usage. Here is the command to implement
DHCP-strict:

! Configure static anti-IP spoofing

cmts set headend cm.5.1 anti-ip-spoofing enable

cmts set cpe cm.5.1 macaddr 00BOCC:D6B4A ip 50.2.1.91

cmts set cpe cm.5.1 macaddr 00AOCC:D5B3A ip 50.2.1.92

! Configure dynamic anti-IP spoofing

cmts set headend cm.5.1 anti-ip-spoofing enable

cmts set headend cm.5.1 dhcp-ipaddr-snoop enable

! Enable dhcp strict

cmts set headend cm.5.1 dhcp-strict