01-24-2016 08:08 PM - edited 03-05-2019 03:11 AM
Good day to all
How do I enable DHCP snooping and IP source guard so that the user in VLAN 60 (PC1) cannot use any static address other than the 192.168.20.2 it gets from DHCP, without affecting the other VLANs? The scheme does not change and there is no other equipment.
01-24-2016 10:03 PM
Something a bit like:
! global: enable snooping for VLAN 60 only, then turn the feature on
ip dhcp snooping vlan 60
ip dhcp snooping
! port towards the DHCP server (or the uplink/trunk carrying it): trusted
interface Gigabit a/b/c
 description DHCP Server
 ip dhcp snooping trust
! client port: stays untrusted (default) and gets IP Source Guard on the snooping bindings
! (syntax varies by platform; the 2960 accepts plain "ip verify source")
interface Gigabit a/b/d
 description Interface facing client
 ip verify source vlan dhcp-snooping
01-24-2016 10:59 PM
If you look at the scheme, the DHCP server and the hosts are on different switches. The access switches are 2960s running c2960-lanbasek9-mz.122-52.SE.bin, and a 3750G acts as the DHCP relay. If possible, give at least one example for this scheme with detailed instructions.
1) What settings should be on Switch1?
2) On 3750G ?
3) On Switch0?
01-24-2016 11:14 PM
Here is the guide for 2960's with LAN BASE.
You only need to configure the 2960 switch that has the clients you want to restrict on it (Switch1). Mark the trunk as trusted.
You can almost use the config I gave above, but change the client DHCP port to be:
! client port on the 2960: untrusted, IP Source Guard filters on the snooping binding table
interface Gigabit a/b/d
 description Interface facing client
 ip verify source
01-25-2016 12:12 AM
Thank you very much, it worked.
But I still have one problem.
It is necessary for one of the ports to be bound to an IP address, which in the future could be used statically by all hosts. Only one IP.
01-25-2016 12:16 AM
Personally, because I have had a lot of grief with static hosts, I normally just remove the "ip verify source" command.
However, if you are keen, this is the syntax to add a static host:
ip source binding mac-address vlan vlan-id ip-address interface interface-id
01-25-2016 12:56 AM
In my case it is necessary to somehow tie the IP to the switch port, not to the host MAC address, because the hosts on that port are changed 4-5 times a day, and these hosts should only be able to use one IP.
What should I do?
01-25-2016 01:03 AM
In that case you need to stick with "ip verify source", and use a DHCP server that can process option 82, configured to always give out the same IP address to the port regardless of the MAC address.
This link talks about enabling DHCP option 82 on the 2960. Search for "Enabling DHCP Snooping and Option 82".
But you need to get a DHCP server that can process option 82 first.
01-25-2016 02:12 AM
If possible, can you give an example on any scheme? Or on my scheme, with specific commands.
I will be very grateful.
01-25-2016 10:44 AM
The free Linux ISC DHCP server can process option 82 requests, but it is a bit beyond the scope of a Cisco forum to go into the complete Linux configuration.
01-25-2016 07:06 PM
By option 82, do you mean ip helper-address?
01-25-2016 07:10 PM
No. "ip helper-address" tells a layer 3 interface to forward DHCP requests to a DHCP server on a remote subnet.
Option 82 is used on a (usually) layer 2 port to insert an extra DHCP option that says which port the DHCP request came in on. The DHCP server then knows which switch and which port the request came from, and can allocate an IP address based on that, rather than purely on the client's MAC address as it normally does.
01-25-2016 07:47 PM
Give me an example , please, on any scheme.
01-25-2016 08:00 PM
Basic gist of inserting DHCP option 82:
! on the access switch that owns the client ports
ip dhcp snooping
ip dhcp snooping vlan 60
! snooping inserts the relay-agent information option (circuit-id = VLAN/port, remote-id = switch MAC)
ip dhcp snooping information option
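To make concrete what the two posts above describe (the switch stamping option 82 onto the request, and a DHCP server using it to hand the same IP to a port regardless of client MAC), here is an added example of mine; it is not code from this thread, from Cisco, or from MikroTik. It builds a DHCPDISCOVER carrying option 82 in the Cisco default sub-option layout (circuit-id = VLAN, module, port; remote-id = switch base MAC), parses it back, and resolves the ingress port against a reservation table. The switch MAC, the module/port numbers and the reservation table are constructed sample values.

```python
"""Option 82 (DHCP relay agent information) round trip: build, parse, resolve."""
import ipaddress
import struct

# Constructed sample values, not from the thread's scheme.
SWITCH_MAC = bytes.fromhex("001a2b3c4d5e")   # hypothetical Switch1 base MAC
CLIENT_VLAN = 60
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Hypothetical per-port reservations keyed by (remote-id, circuit-id):
# the port, not the client MAC, decides which address is offered.
PORT_BINDINGS = {
    ("00:1a:2b:3c:4d:5e", (60, 0, 5)): "192.168.20.2",
}


def build_option82(vlan, module, port, switch_mac):
    """Encode option 82 as a Catalyst inserts it by default:
    sub-option 1 (circuit-id): type 0, len 4, VLAN(2) module(1) port(1)
    sub-option 2 (remote-id):  type 0, len 6, switch base MAC (6)."""
    circuit_id = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote_id = struct.pack("!BB6s", 0, 6, switch_mac)
    body = (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)
    return bytes([82, len(body)]) + body


def build_discover(client_mac, giaddr="0.0.0.0", option82=b""):
    """Minimal DHCPDISCOVER: 236-byte BOOTP header, magic cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,             # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
                         ipaddress.IPv4Address(giaddr).packed,
                         client_mac.ljust(16, b"\0"), b"", b"")
    options = bytes([53, 1, 1]) + option82 + b"\xff"   # msg type DISCOVER, opt82, end
    return header + MAGIC_COOKIE + options


def parse_options(packet):
    """Return {tag: value} from the options field, or None if no magic cookie."""
    if packet[236:240] != MAGIC_COOKIE:
        return None
    opts, i = {}, 240
    while i < len(packet):
        tag = packet[i]
        if tag == 0:            # pad
            i += 1
            continue
        if tag == 255:          # end
            break
        length = packet[i + 1]
        opts[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_option82(value):
    """Decode Cisco-format circuit-id and remote-id sub-options."""
    info, i = {}, 0
    while i + 2 <= len(value):
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option 82 sub-option")
        if sub == 1 and data[:2] == b"\x00\x04" and len(data) == 6:
            info["circuit_id"] = struct.unpack("!HBB", data[2:])   # (vlan, module, port)
        elif sub == 2 and data[:2] == b"\x00\x06" and len(data) == 8:
            info["remote_id"] = data[2:].hex(":")
        i += 2 + length
    return info


def assign_address(packet, bindings=PORT_BINDINGS):
    """IP reserved for the ingress port named in option 82, or None when the
    request carries no option 82 or names a port with no reservation."""
    opts = parse_options(packet)
    if not opts or 82 not in opts:
        return None
    info = parse_option82(opts[82])
    if "remote_id" not in info or "circuit_id" not in info:
        return None
    return bindings.get((info["remote_id"], info["circuit_id"]))


if __name__ == "__main__":
    opt82 = build_option82(CLIENT_VLAN, 0, 5, SWITCH_MAC)   # hypothetical port Gi0/5
    for mac in (b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"):
        print(mac.hex(":"), "->", assign_address(build_discover(mac, option82=opt82)))
    print("no option 82 ->", assign_address(build_discover(b"\xde\xad\xbe\xef\x00\x01")))
```

Two different client MACs on the same port resolve to the same 192.168.20.2, and a request without option 82 (or from a port with no reservation) gets nothing, which is what the questioner asked for. Two practical caveats for the scheme in the thread: first, the snooping binding that "ip verify source" enforces is built from the address the server actually offers, so the port is then limited to exactly this reserved IP; second, a Cisco relay such as the 3750G drops requests that arrive with option 82 and giaddr 0.0.0.0 unless it is told to trust them ("ip dhcp relay information trust-all" globally, or "ip dhcp relay information trusted" on the client-facing SVI). How MikroTik's DHCP server matches on option 82 is not covered here.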
01-25-2016 08:38 PM
In my scheme, on which switch should this option be enabled? The one where the clients sit?
Give an example on my scheme: which switch, and which settings it needs. My DHCP server is a MikroTik. What settings should be on the DHCP server? Also, I have enabled ip verify source on all ports of Switch1. If I enable option 82, will it affect the other ports where I have ip verify source?