IP DHCP Snooping Switch Settings

Posted by fanie on Sunday, January 20, 2013

IP DHCP snooping


DHCP snooping stops rogue DHCP servers: the switch only accepts DHCP server messages from "trusted" ports and drops them on untrusted ports.

ip dhcp snooping trust -> on the interface facing the DHCP server
ip dhcp snooping vlan 100 -> inspect DHCP messages in VLAN 100
ip dhcp snooping binding abcd.abcd.abcd vlan 100 1.1.1.2 interface <interface> expiry <seconds> -> static binding (full syntax in the verification section below)
ip dhcp snooping information option -> insert option 82 (on Cisco switches insertion is enabled by default as soon as DHCP snooping is activated)

The router drops DHCP messages that carry option 82. To get around this, do one of the following:
switch
no ip dhcp snooping information option (stop inserting option 82)
router
ip dhcp relay information trust-all (accept option 82 from the switch)

ip dhcp snooping database flash:data.txt (save the IP/MAC binding table to flash so it survives a reload)

Verification


switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is operational on following VLANs:
100
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/8              yes         unlimited

switch#sh ip dhcp snooping binding vlan 100
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0A:BC:1F:41:31   10.10.10.3         56371       dhcp-snooping   100    FastEthernet0/8
Total number of bindings: 1

Add a static DHCP snooping binding (EXEC command):
switch#ip dhcp snooping binding abcd.abcd.abcd vlan 100 10.10.10.2 interface f0/5 expiry 5000
Cat2#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0A:BC:1F:41:31   10.10.10.3         56371       dhcp-snooping   100    FastEthernet0/8
ab:cd:ab:cd:ab:cd   10.10.10.2          4995       dhcp-snooping   100    FastEthernet0/5
Total number of bindings: 2

IP source guard
ip verify source -> drop packets with a spoofed source IP (the source IP must match the DHCP snooping binding for that port)
ip verify source port-security -> check both the source IP and the source MAC address (needs option 82)
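Putting the snooping, option 82, database and source guard pieces above together, here is a complete switch and router configuration as an added example; it is not from the original post. VLAN 100 and FastEthernet0/8 as the trusted uplink come from the post; the access-port range, the rate limit value, the router interface and the addresses 10.10.10.1 and 192.168.1.10 are assumptions chosen for illustration.

```cisco
! ---- Switch (Cisco IOS) ----
! Constructed example; interface numbers and addresses are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 100
! Keep the binding table on flash so it survives a reload
ip dhcp snooping database flash:data.txt
! Option 82 insertion is left at its default (enabled); the router is told
! to accept it below. Alternative: "no ip dhcp snooping information option".
!
! Let a port that was error-disabled by the DHCP rate limit recover on its own
errdisable recovery cause dhcp-rate-limit
!
interface FastEthernet0/8
 description Uplink towards router / DHCP server (trusted)
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 7
 description User access ports (untrusted)
 switchport mode access
 switchport access vlan 100
 ! Cap DHCP messages per second from a client port (value is an assumption)
 ip dhcp snooping limit rate 10
 ! IP source guard: source IP must match the snooping binding on this port
 ip verify source
!
! ---- Router (Cisco IOS) ----
! Accept DHCP messages that arrive carrying option 82 from the switch
ip dhcp relay information trust-all
!
interface FastEthernet0/0
 description Link to the switch (address assumed)
 ip address 10.10.10.1 255.255.255.0
 ! Relay client requests to the DHCP server (address assumed)
 ip helper-address 192.168.1.10
```

Check the result with the same commands the post uses: `show ip dhcp snooping` should list VLAN 100 as operational and FastEthernet0/8 as trusted, `show ip dhcp snooping binding` shows the learned leases, and `show ip verify source` shows which access ports are filtering. To also check the source MAC, replace `ip verify source` with `ip verify source port-security` and enable `switchport port-security` on the same ports.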


DAI (dynamic arp inspection)
