- Switches can use IEEE 802.1X to perform user authentication.
- User authentication requires the user to supply a username & password, verified by a RADIUS server, before the switch will enable the switch port for normal user traffic.
- IEEE 802.1X defines some of the details of LAN user authentication, but it also uses the Extensible Authentication Protocol (EAP).
- EAP is an Internet standard (RFC 3748) and serves as the underlying protocol used for authentication.
- EAP also supports one-time passwords (OTPs).
Sunday, June 17, 2012
802.1X Authentication Using EAP
IP Source Guard
- It adds one more check to the DHCP snooping logic.
- When enabled along with DHCP snooping, IP Source Guard checks the source IP address of received packets against the DHCP snooping binding database.
- Optionally, it checks both the source IP and source MAC address against that same database.
- If the entries do not match, the frame is filtered.
- ip verify source
  - Checks the source IP address only.
- ip verify source port-security
  - Checks both the source IP and MAC address.
- ip source binding mac-address vlan vlan-id ip-address interface interface-id
  - Global command to create static entries that will be used in addition to the DHCP snooping binding database.
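The filtering decision described above, as a simplified Python model. This is an added example, not switch code or anything from the original post; the `Binding` class, the `permits` function and all addresses and interface names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    # Lease expiry in seconds; None models a static "ip source binding" entry.
    expires_at: Optional[float] = None

def norm_mac(mac: str) -> str:
    """Compare MACs regardless of notation (0011.2233.4455 vs 00:11:22:33:44:55)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def permits(frame: dict, bindings, check_mac: bool = False, now: float = 0.0) -> bool:
    """Return True if a frame received on an untrusted port passes the check.

    check_mac=False models "ip verify source" (source IP only);
    check_mac=True models "ip verify source port-security" (source IP and MAC).
    """
    for b in bindings:
        if b.expires_at is not None and b.expires_at <= now:
            continue  # dynamic entry whose lease has expired
        if (b.interface, b.vlan, b.ip) != (frame["interface"], frame["vlan"], frame["src_ip"]):
            continue  # the source IP is not bound to this port and VLAN
        if check_mac and norm_mac(b.mac) != norm_mac(frame["src_mac"]):
            continue  # IP matches but the MAC does not
        return True
    return False  # no matching entry: the frame is filtered

def frame(interface: str, src_ip: str, src_mac: str, vlan: int = 10) -> dict:
    return {"interface": interface, "vlan": vlan, "src_ip": src_ip, "src_mac": src_mac}

# Constructed binding table: two DHCP-learned entries and one static entry.
BINDINGS = [
    Binding("0011.2233.4455", "192.0.2.10", 10, "Gi0/1", expires_at=3600.0),
    Binding("0011.2233.6677", "192.0.2.11", 10, "Gi0/2", expires_at=600.0),
    Binding("0011.2233.8899", "192.0.2.20", 10, "Gi0/3"),
]

if __name__ == "__main__":
    spoofed_mac = frame("Gi0/1", "192.0.2.10", "de:ad:be:ef:00:01")
    print("IP-only check:", permits(spoofed_mac, BINDINGS, now=100))
    print("IP+MAC check: ", permits(spoofed_mac, BINDINGS, check_mac=True, now=100))
```

The model shows why the IP-only mode still accepts a frame with a forged source MAC as long as the source IP is bound to that port, while the `port-security` variant filters it.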
DHCP Snooping Commands
| Command | Purpose |
|---|---|
| ip dhcp snooping vlan vlan-range | Global command to enable DHCP snooping for one or more VLANs |
| [no] ip dhcp snooping trust | Interface command to enable or disable a trust level on an interface; |
| ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds | Global command to add static entries to the DHCP snooping binding database |
| ip dhcp snooping verify mac-address | Global command to add static entries to the DHCP snooping binding database |
| ip dhcp snooping limit rate rate | Sets the maximum number of DHCP messages per second to mitigate DoS attacks. |