Beginner

IP DHCP Snooping and IP Source Guard

Good day to all

How do I enable DHCP snooping and IP Source Guard so that the user on VLAN 60 (PC1) cannot use any static address other than the 192.168.20.2 it gets from DHCP, while not affecting the other VLAN? The scheme does not change and there is no other equipment.


Accepted Solutions
Advisor

Something a bit like:

ip dhcp snooping vlan 60
ip dhcp snooping

interface Gigabit a/b/c
  description DHCP Server
  ip dhcp snooping trust

interface Gigabit a/b/d
  description Interface facing client
  ip verify source vlan dhcp-snooping
  


Replies

Beginner

If you look at the scheme, the DHCP server and the hosts are on different switches. The access switches are 2960s running c2960-lanbasek9-mz.122-52.SE.bin, and a 3750G acts as the DHCP relay. If possible, give at least one example for this scheme with detailed instructions.

1) What settings should be on Switch1?
2) On 3750G ?
3) On Switch0?
Advisor

Here is the guide for 2960's with LAN BASE.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swdhcp82.html#wp1328394

You only need to configure the 2960 switch that has the clients on it (switch1) that you want to restrict. Mark the trunk as trusted.

You can almost use the config I gave above, but change the client DHCP port to be:

interface Gigabit a/b/d
  description Interface facing client
  ip verify source
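For readers who want the complete picture for Switch1 in the scheme above, here is a fuller version of that configuration. This is an added example, not the advisor's or the original poster's config: the interface names (GigabitEthernet0/1 as the trunk toward the 3750G relay, FastEthernet0/1-24 as the VLAN 60 client ports), the rate limit and the database filename are assumptions to adapt to the real switch. Two caveats a practitioner should keep in mind: IP Source Guard only permits traffic that matches a snooping binding, so `ip verify source` belongs only on ports in a snooped VLAN (a port in an unsnooped VLAN would have no bindings and would lose all IP traffic); and without a snooping database the binding table is lost on reload, leaving clients blocked until they renew their lease.

```cisco
! Added example for Switch1 (Catalyst 2960, LAN Base). Names below are assumed:
!   VLAN 60            = client VLAN (PC1 lives here)
!   GigabitEthernet0/1 = trunk uplink toward the 3750G (DHCP relay)
!   FastEthernet0/1-24 = client access ports in VLAN 60
!
! --- DHCP snooping, restricted to VLAN 60 so the other VLAN is untouched ---
ip dhcp snooping vlan 60
! Keep learned bindings across a reload (filename is a placeholder)
ip dhcp snooping database flash:/dhcp-snoop.db
ip dhcp snooping
! Note: Catalyst switches insert DHCP option 82 by default once snooping is on;
! see the option 82 discussion later in this thread if leases stop after enabling it.
!
! --- Uplink: the only port allowed to send DHCPOFFER/DHCPACK into VLAN 60 ---
interface GigabitEthernet0/1
 description Trunk to 3750G (DHCP relay)
 switchport mode trunk
 ip dhcp snooping trust
!
! --- Client ports: untrusted (default), DISCOVER rate-limited, IP Source Guard on ---
! ip verify source drops any IP packet whose source address is not the one the
! snooping table recorded for this port, which is exactly the "no other static
! address than the DHCP one" requirement from the question.
interface range FastEthernet0/1 - 24
 description Client access port, VLAN 60
 switchport mode access
 switchport access vlan 60
 ip dhcp snooping limit rate 10
 ip verify source
!
! --- Nothing is needed on the 3750G or Switch0 for this part ---
!
! Verification:
!   show ip dhcp snooping          (VLAN 60 enabled, Gi0/1 listed as trusted)
!   show ip dhcp snooping binding  (PC1's MAC / 192.168.20.2 / Fa0/x after it gets a lease)
!   show ip verify source          (Fa0/x shows "active" with the bound IP)
```

After PC1 obtains its lease, `show ip dhcp snooping binding` should list 192.168.20.2 on its port; if PC1 then configures any other static address, its traffic is dropped on ingress and `show ip verify source` still shows only the DHCP-learned address.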
Beginner

Thank you very much, it worked.

But I still have one problem.

It is necessary to bind an IP address to one of the ports, which in the future could be used statically by all hosts on it. Only one IP.

Advisor

Personally, because I have had a lot of grief with static hosts, I normally just remove the "ip verify source" command.

However if you are keen, this is the syntax to add a static host:

ip source binding mac-address vlan vlan-id ip-address interface interface-id
Beginner

In my case it is necessary to somehow tie the IP to the switch port, not to the host MAC address, because the hosts on that port are changed 4-5 times a day. And these hosts should be able to use only one IP.

What to do?

Advisor

In that case you need to stick to using "ip verify source", and use a DHCP server that can process option 82 - and configure the DHCP server to always give out the same IP address to the port regardless of the MAC address.

This link talks about enabling DHCP option 82 on the 2960. Search for "Enabling DHCP Snooping and Option 82".

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swdhcp82.html#wp1070843

But you need to get a DHCP server that can process option 82 first.

Beginner

If possible, can you show an example on any scheme? Or on my scheme with specific commands.

I will be very grateful.

Advisor

The free Linux ISC DHCP server can process option 82 requests, but it is a bit beyond the scope of a Cisco forum to go into the complete Linux configuration.

Beginner

By option 82, is ip helper-address meant?

Advisor

No. "ip helper-address" tells a layer 3 interface to forward DHCP requests to a DHCP server on a remote subnet.

Option 82 is used on a (usually) layer 2 port to insert an extra DHCP option that says what port the DHCP request came in on. Then a DHCP server knows which switch and which port the request came from, and can allocate an IP address based on that, rather than purely on the client's MAC address like normal.

Beginner

Give me an example, please, on any scheme.

Advisor

Basic gist of inserting DHCP option 82:

ip dhcp snooping
ip dhcp snooping vlan 60
ip dhcp snooping information option
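To make the two approaches discussed in this thread concrete (a static source binding versus option 82), here is an added example that is not the advisor's or the poster's configuration. It assumes the same names as before (Switch1 = the 2960 with clients in VLAN 60, FastEthernet0/5 = the port that must always receive 192.168.20.2, GigabitEthernet0/1 = trunk to the 3750G) plus an SVI on the 3750G and a placeholder MikroTik address for the relay. The two points a practitioner wants to know before enabling this: `ip dhcp snooping information option` is a global command, so it tags requests from every port in every snooped VLAN, not just the pinned one; and the 2960 leaves giaddr at 0.0.0.0 when it inserts option 82, which a Cisco relay drops by default until it is told to trust such packets.

```cisco
! Added example: pinning one IP address (192.168.20.2) to one port (Fa0/5).
! Assumed names: Switch1 = 2960 with VLAN 60 clients, Gi0/1 = trunk to 3750G,
! Vlan60 on the 3750G = relay interface, 192.168.1.10 = placeholder DHCP server.
!
! ===== Alternative A (on Switch1): static binding =====
! Ties the IP to ONE MAC address, so it does not survive a host swap on the port.
! 0011.2233.4455 is a placeholder MAC.
ip source binding 0011.2233.4455 vlan 60 192.168.20.2 interface FastEthernet0/5
!
! ===== Alternative B: option 82, port-based, client MAC irrelevant =====
! --- Switch1 (2960): tag every relayed request with circuit-id (VLAN/module/port)
!     and remote-id (switch MAC). This is global and affects all snooped ports.
ip dhcp snooping
ip dhcp snooping vlan 60
ip dhcp snooping information option
!
! --- 3750G (the relay): accept option 82 packets that arrive with giaddr 0.0.0.0
!     (the 2960 sets no giaddr), which the relay otherwise drops by default.
ip dhcp relay information trust-all
!
interface Vlan60
 ip address 192.168.20.1 255.255.255.0   ! assumed gateway for VLAN 60, placeholder
 ip helper-address 192.168.1.10          ! assumed DHCP server address, placeholder
!
! --- DHCP server (a MikroTik in this thread; its configuration is out of scope here):
!     match the circuit-id sub-option that names Switch1's Fa0/5 and always answer
!     with 192.168.20.2, regardless of which client MAC sent the request.
!
! Verification:
!   Switch1: show ip dhcp snooping      ("Insertion of option 82 is enabled")
!            show ip source binding     (static entry for Fa0/5, alternative A)
!   3750G:   show ip dhcp relay information trusted-sources
```

Alternative A is the right fit only when the host on the port is fixed; for the 4-5 host swaps a day described above, only alternative B keeps the address bound to the port rather than to a MAC, and IP Source Guard on Fa0/5 then enforces that the host uses the address the server handed out.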
Beginner

In my scheme, on which switch do I enable this option? On the one where the clients sit?
Give an example on my scheme: on which switch, and which settings must be there. As the DHCP server I have a MikroTik. What settings should be on the DHCP server? Also, I have enabled ip verify source on all ports of Switch1. If I enable option 82, will it affect the other ports where I have ip verify source?