Good day to all
How do I enable DHCP snooping and IP source guard so that the user in VLAN 60 (PC1) is not able to use any static address other than 192.168.20.2 from DHCP, while not affecting the other VLAN? The scheme does not change and there is no other equipment.
If you look at the scheme, the DHCP server and the hosts are on different switches. The access switches are 2960s with c2960-lanbasek9-mz.122-52.SE.bin, and a 3750G acts as a DHCP relay. If possible, give at least one example in this scheme with detailed instructions.
1) What settings should be on Switch1?
2) On 3750G ?
3) On Switch0?
Here is the guide for 2960's with LAN BASE.
You only need to configure the 2960 switch that has the clients on it (switch1) that you want to restrict. Mark the trunk as trusted.
You can almost use the config I gave above, but change the client DHCP port to be:
interface Gigabit a/b/d
 description Interface facing client
 ip verify source
Thank you very much, it worked.
But I still have one problem.
I need to bind an IP address to one of the ports, which in the future could be used as a static address by all hosts. Only one IP.
Personally, because I have had a lot of grief with static hosts, I normally just remove the "ip verify source" command.
However if you are keen, this is the syntax to add a static host:
ip source binding mac-address vlan vlan-id ip-address interface interface-id
In my case it is necessary to somehow tie the IP to the switch port, not to the host MAC address, because the hosts on that port are changed 4-5 times a day, and these hosts should be able to use only one IP.
What to do?
In that case you need to stick to using "ip verify source", and use a DHCP server that can process option 82 - and configure the DHCP server to always give out the same IP address to the port regardless of the MAC address.
This link talks about enabling DHCP option 82 on the 2960. Search for "Enabling DHCP Snooping and Option 82".
But you need to get a DHCP server that can process option 82 first.
The free Linux ISC DHCP server can process option 82 requests, but it is a bit beyond the scope of a Cisco forum to go into the complete Linux configuration.
No. "ip helper-address" tells a layer 3 interface to forward DHCP requests to a DHCP server on a remote subnet.
Option 82 is used on a (usually) layer 2 port to insert an extra DHCP option that says what port the DHCP request came in on. Then a DHCP server knows which switch and which port the request came from, and can allocate an IP address based on that, rather than purely on the client's MAC address like normal.
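An added example, not part of the original thread: a sketch of the server-side logic described above, where the lease is keyed on the switch and port carried in Option 82 rather than on the client MAC. The sub-option layout (circuit-id as VLAN/module/port, remote-id as the switch MAC), the switch MAC, the reservation table and all function names are assumptions made for illustration; 192.168.20.2 and VLAN 60 are taken from the question.

```python
import struct

OPT_RELAY_INFO, OPT_END, OPT_PAD = 82, 255, 0   # Option 82 is defined in RFC 3046
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

def tlvs(raw, dhcp=False):
    """Walk code/length/value triples into {code: value}; reject truncated input."""
    out, i = {}, 0
    while i < len(raw):
        if dhcp and raw[i] == OPT_END:
            break
        if dhcp and raw[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option")
        out[raw[i]] = raw[i + 2:i + 2 + raw[i + 1]]
        i += 2 + raw[i + 1]
    return out

def relay_port(opt82):
    """Return (switch_mac, vlan, module, port) from the Option 82 value."""
    subs = tlvs(opt82)
    cid, rid = subs.get(SUB_CIRCUIT_ID, b""), subs.get(SUB_REMOTE_ID, b"")
    # Assumed layout: circuit-id = 00 04 VLAN(2) module(1) port(1),
    #                 remote-id  = 00 06 switch MAC(6).
    if len(cid) != 6 or cid[:2] != b"\x00\x04" or len(rid) != 8 or rid[:2] != b"\x00\x06":
        raise ValueError("unexpected Option 82 layout")
    vlan, module, port = struct.unpack("!HBB", cid[2:])
    return rid[2:].hex(":"), vlan, module, port

# Constructed reservation table: one address per switch port, not per client MAC.
PORT_LEASES = {("00:1a:2b:3c:4d:00", 60, 0, 5): "192.168.20.2"}

def address_for(options):
    """Pick the address for a request from its port, or None if no port is known."""
    opts = tlvs(options, dhcp=True)
    if OPT_RELAY_INFO not in opts:
        return None          # no Option 82: nothing to key a per-port lease on
    return PORT_LEASES.get(relay_port(opts[OPT_RELAY_INFO]))

def sample_discover(client_mac, port=5, with_opt82=True):
    """Constructed options field: message type, client-id, optional Option 82."""
    opts = bytes([53, 1, 1, 61, 7, 1]) + client_mac
    if with_opt82:
        opts += bytes([82, 18, 1, 6, 0, 4, 0, 60, 0, port,
                       2, 8, 0, 6, 0x00, 0x1A, 0x2B, 0x3C, 0x4D, 0x00])
    return opts + bytes([OPT_END])
```

Two different client MACs behind the same port resolve to the same address, which is what lets "ip verify source" stay enabled on a port whose host changes several times a day.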
In my scheme, on which switch should this option be enabled? On the one where the clients sit?
Give an example for my scheme: which settings must be on which switch. My DHCP server is a MikroTik. What settings should be on the DHCP server? Furthermore, I have enabled ip verify source on all ports of Switch1. If I enable option 82, will it not affect the other ports where I have ip verify source?