Ip dhcp snooping
DHCP Snooping to stop rogue DHCP servers. Only allow dhcp messages from "trusted" ports
ip dhcp snooping trust -> to the dhcp server
ip dchp snooping vlan 100 -> inspect dhcp messages in vlan 100
ip dhcp snooping binding abcd.abcd.abcd vlan 100 1.1.1.2 vlan 100 (static binding)
ip dhcp snooping information option -> insertion 82 (in cisco drop insertion 82 when activating dhcp snooping-> default)
router drop insertion 82 message, to overcome this matter :
switch
no ip dhcp snooping information option
router
ip dhcp relay information trust-all (accept insertion 82 from switch)
ip dhcp snooping databse flash:data.txt (save ip dhcp mapping)
Verification
switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is operational on following VLANs:
100
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/8 yes unlimited
switch#sh ip dhcp snooping binding vlan 100
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:0A:BC:1F:41:31 10.10.10.3 56371 dhcp-snooping 100 FastEthernet0/8
Total number of bindings: 1
Do static dhcp snooping binding
switch#ip dhcp snooping binding abcd.abcd.abcd vlan 100 10.10.10.2 interface f0/5 expiry 5000
Cat2#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:0A:BC:1F:41:31 10.10.10.3 56371 dhcp-snooping 100 FastEthernet0/8
ab:cd:ab:cd:ab:cd 10.10.10.2 4995 dhcp-snooping 100 FastEthernet0/5
Total number of bindings: 2
Ip source guard
ip verify source -> inspect spoofed ip
ip verify source port-security -> inspect spoofed ip and mac address (need insertion 82)
DAI (dynamic arp inspection)