IP Dhcp snooping and IP Source Guard

Good day to all

How to enable dhcp snooping and ip source guard, so that the user of the VLAN 60 (PC1) was not able to use other static addresses except 192.168.20.2 from DHCP, while not affecting the other VLAN? The scheme does not change and there is no other equipment.

Accepted solution (from Advisor):

Something a bit like:

ip dhcp snooping vlan 60
ip dhcp snooping

interface Gigabit a/b/c
  description DHCP Server
  ip dhcp snooping trust

interface Gigabit a/b/d
  description Interface facing client
  ip verify source vlan dhcp-snooping
  



If you look at the scheme, the DHCP server and the hosts are on different switches. The access switches are 2960s with c2960-lanbasek9-mz.122-52.SE.bin, and the 3750G is the DHCP relay. If possible, give at least one example in this scheme with detailed instructions.

1) What settings should be on Switch1?
2) On 3750G ?
3) On Switch0?

Here is the guide for 2960's with LAN BASE.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swdhcp82.html#wp1328394

You only need to configure the 2960 switch that has the clients on it (switch1) that you want to restrict.  Mark the trunk as trusted.

You can almost use the config I gave above, but change the client DHCP port to be:

interface Gigabit a/b/d
  description Interface facing client
  ip verify source

Thank you very much, it worked.

But I still have one problem.

It is necessary to bind the IP address to one of the ports, which in the future could be used statically for all hosts. Only one IP.


Personally, because I have had a lot of grief with static hosts, I normally just remove the "ip verify source" command.

However if you are keen, this is the syntax to add a static host:

ip source binding mac-address vlan vlan-id ip-address interface interface-id
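As an added example (not the poster's configuration and not from the linked Cisco guide), here is a complete configuration for the scheme discussed in this thread: Switch1 (2960 LAN Base) holds the VLAN 60 clients and is trunked to the 3750G, which relays DHCP to the server behind Switch0. It combines the snooping and source-guard setup from the accepted solution with the static binding syntax from the reply above. The interface numbers, the gateway 192.168.20.1, the DHCP server address 10.0.0.10 and the MAC 0011.2233.4455 are assumed placeholders.

```cisco
! Added example, not from the thread. Interface numbers, 192.168.20.1,
! 10.0.0.10 and the MAC 0011.2233.4455 are placeholders.

!===== Switch1 (2960, access switch with the VLAN 60 clients) =====
ip dhcp snooping
ip dhcp snooping vlan 60
! Persist the binding table across reloads; otherwise IP Source Guard blocks
! every client after a reboot until it renews its lease.
ip dhcp snooping database flash:dhcp-snooping.db

interface GigabitEthernet0/1
 description Trunk to 3750G (DHCP offers arrive from here)
 switchport mode trunk
 ip dhcp snooping trust

interface FastEthernet0/1
 description PC1 - VLAN 60 client
 switchport mode access
 switchport access vlan 60
 ! Untrusted by default: DHCP offers from a rogue server on this port are dropped.
 ip dhcp snooping limit rate 10
 ! IP Source Guard: only a source IP present in the snooping binding table
 ! (or a static binding) is forwarded; a self-assigned static IP is filtered.
 ip verify source

interface FastEthernet0/2
 description Client in another VLAN - unaffected (VLAN not listed for snooping)
 switchport mode access
 switchport access vlan 10

! Optional: pin 192.168.20.2 to a host on Fa0/1 without DHCP.
! The MAC is mandatory in this command, so this binds host + port, not port alone.
ip source binding 0011.2233.4455 vlan 60 192.168.20.2 interface FastEthernet0/1

!===== 3750G (layer 3 switch relaying DHCP for VLAN 60) =====
interface Vlan60
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.10
! Once snooping is on, the 2960 inserts option 82 by default. Without this the
! relay drops those requests because they arrive with giaddr 0.0.0.0.
ip dhcp relay information trust-all

!===== Switch0 (where the DHCP server connects) =====
! Nothing is needed here for this scenario; only Switch1 enforces anything.

! Verification on Switch1:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip verify source
! show ip source binding
```

After a client obtains its lease, `show ip verify source` should list FastEthernet0/1 as active with 192.168.20.2 as the permitted source; a host on that port that changes to any other static address stops passing traffic, while ports in other VLANs are untouched because snooping is enabled only for VLAN 60.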

In my case it is necessary to somehow tie the IP to the switch port, not to the host MAC address, because the hosts on that port are changed 4-5 times a day. And these hosts should be able to use only one IP.

What to do?


In that case you need to stick to using "ip verify source", and use a DHCP server that can process option 82 - and configure the DHCP server to always give out the same IP address to the port regardless of the MAC address.

This link talks about enabling DHCP option 82 on the 2960.  Search for "Enabling DHCP Snooping and Option 82".

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swdhcp82.html#wp1070843

But you need to get a DHCP server that can process option 82 first.


If it is possible, can you give an example on any scheme, or on my scheme with specific commands?

I will be very grateful.


The free Linux ISC DHCP server can process option 82 requests, but it is a bit beyond the scope of a Cisco forum to go into the complete Linux configuration.


By option 82, do you mean ip helper-address?


No.  "ip helper-address" tells a layer 3 interface to forward DHCP requests to a DHCP server on a remote subnet.

Option 82 is used on a (usually) layer 2 port to insert an extra DHCP option that says what port the DHCP request came in on.  Then a DHCP server knows which switch and which port the request came from, and can allocate an IP address based on that, rather than purely on the client's MAC address like normal.


Give me an example , please, on any scheme.


Basic gist of inserting DHCP option 82:

ip dhcp snooping
ip dhcp snooping vlan 60
ip dhcp snooping information option
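As an added example (not from the thread and not the MikroTik configuration the poster asked about), this is the server side of the option 82 approach mentioned in the ISC DHCP reply above, in ISC dhcpd's dhcpd.conf format: whatever host is plugged into Fa0/1 of Switch1 receives 192.168.20.2, keyed on the circuit-id the switch inserts rather than on the client MAC. The addresses, lease times, port numbering and the server's own subnet are assumed. The circuit-id bytes follow Cisco's default encoding (type 0, length 4, VLAN, module, port); confirm the exact value from a packet capture on the server before relying on the literal.

```conf
# Added example, not from the thread. Addresses, lease times, port numbers
# and the server subnet are assumed placeholders.
authoritative;

# Cisco's default circuit-id sub-option: 00 (type) 04 (length) VLAN (2 bytes)
# module (1 byte) port (1 byte). VLAN 60 = 0x003c, module 0, port 1 = Fa0/1.
class "vlan60-fa0-1" {
    match if option agent.circuit-id = 00:04:00:3c:00:01;
}

subnet 192.168.20.0 netmask 255.255.255.0 {
    option routers 192.168.20.1;
    option subnet-mask 255.255.255.0;

    # Any host on Fa0/1 gets 192.168.20.2, regardless of its MAC.
    # Keep the lease short: dhcpd will not give the address to a new MAC while
    # the previous host's lease on it is still active.
    pool {
        allow members of "vlan60-fa0-1";
        range 192.168.20.2 192.168.20.2;
        default-lease-time 300;
        max-lease-time 300;
    }

    # Everything else on VLAN 60 is served from the normal range.
    pool {
        deny members of "vlan60-fa0-1";
        range 192.168.20.100 192.168.20.200;
        default-lease-time 86400;
        max-lease-time 86400;
    }
}

# dhcpd requires a subnet declaration for the network its own interface is on
# (assumed 10.0.0.0/24 behind Switch0), even when no addresses are served there.
subnet 10.0.0.0 netmask 255.255.255.0 {
}
```

Because the request reaches the server through the 3750G relay, option 82 survives only if the relay accepts it (the relay must trust option 82 from untrusted-giaddr requests), and the pool for 192.168.20.0/24 is selected from the relay's giaddr. On Switch1 the resulting lease shows up in `show ip dhcp snooping binding`, which is what `ip verify source` on the other ports keeps using; turning on `ip dhcp snooping information option` is global and does not change the source-guard behaviour of those ports.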

In my scheme, on which switch should this option be enabled? On the one where the clients sit?
Give an example on my scheme: on which switch, and which settings must be set. As the DHCP server I have a MikroTik. What settings should be on the DHCP server? And further, I have enabled ip verify source on all ports of Switch1. If I enable option 82, will it affect the other ports where I have ip verify source?