Ip source guard, The dhcp relay agent – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Configuring the source IP address of a DHCP-client packet on the DHCP relay agent

Enables the DHCP server to know the source subnet or network of a DHCP-client packet.

By default, a DHCP relay agent forwards a DHCP-client packet to the DHCP server with the source IP
address set to the IP address of the outgoing interface. You can configure ACLs on a DHCP server to
provide or block DHCP services to particular subnets or networks. Running the ip bootp-use-intf-ip
command configures a DHCP relay agent to set the source IP address of a DHCP-client packet to the
IP address of the interface on which the packet was received. This reveals the source subnet or network
of a DHCP-client packet to the DHCP server and enables the DHCP server to process or discard the
DHCP traffic according to the configured ACLs.

Run the ip bootp-use-intf-ip command in the global configuration mode of the DHCP relay agent.

Brocade (config)# ip bootp-use-intf-ip

The following example shows a DHCP relay agent set to configure the source IP
address of a DHCP-client packet with the IP address of the interface on which
the DHCP-client packet is received.

Brocade (config)# ip bootp-use-intf-ip

IP source guard

You can use IP Source Guard together with Dynamic ARP Inspection on untrusted ports. Refer to
DHCP snooping on page 336 and Dynamic ARP inspection on page 331.

The Brocade implementation of the IP Source Guard feature supports configuration on a port, on
specific VLAN memberships on a port (Layer 2 devices only), and on specific ports on a virtual interface
(VE) (Layer 3 devices only).

When IP Source Guard is first enabled, only DHCP packets are allowed and all other IP traffic is
blocked. The system learns valid IP addresses from DHCP Snooping; once a valid IP address is
learned, IP Source Guard permits traffic from that source IP address. Only traffic with valid source IP
addresses is permitted.

When a new IP source entry binding on the port is created or deleted, the ACL will be recalculated and
reapplied in hardware to reflect the change in IP source binding. By default, if IP Source Guard is
enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port.
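As an added illustration (not Brocade code), the following Python model mirrors the behaviour just described: a port with IP Source Guard enabled starts with an ACL that passes only DHCP and denies all other IP traffic, and the ACL is recalculated each time a DHCP snooping binding is learned or removed. The packet and port representations are assumptions made for the model.

```python
# Added example, not Brocade code: a model of the IP Source Guard
# filtering described above. The Packet/port representation is an
# assumption made for illustration only.
from dataclasses import dataclass, field

DHCP_PORTS = {67, 68}  # UDP ports used by DHCP/BOOTP; always permitted so an unaddressed client can get a lease

@dataclass
class Packet:
    src_ip: str
    proto: str = "tcp"   # "udp" or "tcp"
    dst_port: int = 0

@dataclass
class IpSourceGuardPort:
    """A port with IP Source Guard enabled. `bindings` mirrors the DHCP
    snooping entries learned on the port; `acl` is rebuilt on every change."""
    name: str
    bindings: set = field(default_factory=set)
    acl: list = field(default_factory=list)

    def __post_init__(self):
        self._recalculate_acl()

    def _recalculate_acl(self):
        # Permit DHCP unconditionally, then each learned source IP, then
        # deny everything else. With no bindings this is "permit DHCP; deny any".
        self.acl = [("permit", "dhcp")]
        self.acl += [("permit", ip) for ip in sorted(self.bindings)]
        self.acl.append(("deny", "any"))

    def learn_binding(self, ip):
        """DHCP snooping created a binding on this port: reapply the ACL."""
        self.bindings.add(ip)
        self._recalculate_acl()

    def remove_binding(self, ip):
        """Binding aged out or lease released: reapply the ACL."""
        self.bindings.discard(ip)
        self._recalculate_acl()

    def permits(self, pkt):
        """Evaluate a packet against the current ACL; first match wins."""
        for action, match in self.acl:
            if match == "dhcp":
                if pkt.proto == "udp" and pkt.dst_port in DHCP_PORTS:
                    return action == "permit"
            elif match == "any" or match == pkt.src_ip:
                return action == "permit"
        return False
```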

Configuration notes and feature limitations for IP source guard

• To run IP Source Guard, you must first enable support for ACL filtering based on VLAN membership

or VE port membership. To do so, enter the following commands at the Global CONFIG Level of the
CLI.

device(config)#enable ACL-per-port-per-vlan

device(config)#write memory

device(config)#exit

device#reload


FastIron Ethernet Switch Security Configuration Guide, page 349, 53-1003088-03
