IP Helper-address logs

Christian Jorge
Level 1

Good morning

A 6509 switch of one of our customers has the "ip helper-address" configuration. Actually, the real DHCP service is located on a Windows Server.

This feature works fine, but we are facing some issues related to the security policies required by this customer regarding logging.

Is there any way to make the "ip helper-address" feature generate logging messages?

More generally, is there any way for the switch to generate logging messages related to this DHCP operation in the customer environment?

I only found something related to the "debug" command. I need these as logging messages to be sent to a syslog server.

Regards

Christian

4 Replies

Rajeev Sharma
Cisco Employee

Hey Christian,

You may configure the "debug dhcp server packets" command, but it will produce a lot of chatter, so make sure that console logging is disabled. Once it is configured, all the messages will appear as normal syslog messages in the log, so you may send them to the logging server.

HTH.

Regards,
RS.

Ok, thank you for your answer.

But is there any way to receive logs without using "debug" commands running in the device session?

We need automatic logging messages.

Regards

Unless you enable debugs, you won't be able to capture any logs, since "ip helper" doesn't generate any logs.

The best you could do is disable "debug" logging for the console and buffer and enable debug only for syslog. This way, all the ip helper related logs would be redirected to the syslog server.

Keep in mind, whenever the switch needs to send logs to the syslog server, the CPU needs to generate the packets, which will result in high CPU utilization. So enable as few debugs as possible so that you won't choke the switch CPU.

 

Here are the steps to collect the debug outputs.

1.    Run a syslog server in the network.
2.    Disable debug level for buffer, session and console logging. (Check the current status using "show log".)

Default behavior:

switch#sho log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

<<snip>>
    Console logging: level debugging, 43 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 43 messages logged, xml disabled,
                    filtering disabled
    <<snip>>

To be changed to:

Change the level to "Informational" for console, monitor and buffer logging, and keep debug level only for syslog:

6500-1(config)#logging buffered informational
6500-1(config)#logging console informational
6500-1(config)#logging monitor informational
6500-1(config)#logging trap debug    <-- enable debug level only for syslog

3.    Enable syslog logging in the switch.

6500-1#configure terminal
6500-1(config)#service timestamps debug datetime localtime show-timezone
6500-1(config)#service timestamps log datetime localtime show-timezone
6500-1(config)#logging host <IP address or host name of syslog server>


Enabling the required debugs for DHCP:

6500-1#debug ip dhcp server ?
  class       Class-based address allocation
  events      Report address assignments, lease expirations, etc.
  linkage     Show database linkage
  packet      Decode message receptions and transmissions
  redundancy  DHCP server redundancy events
  snmp        DHCP server snmp events

How about enabling events alone?

Hey Christian,

There is another method we may use: an ACL with the log option. We may create an ACL matching the DHCP port numbers, we need to create it for both incoming and outgoing traffic, and we can apply it to the SVI where the helper address is configured.

Example:

6500-1(config)#ip access-list extended DHCP
! client -> server (DISCOVER/REQUEST, including unicast renewals)
6500-1(config-ext-nacl)#permit udp any eq 68 any eq 67 log
! server/relay -> client (OFFER/ACK)
6500-1(config-ext-nacl)#permit udp any eq 67 any eq 68 log
! required: without this the implicit deny at the end of the ACL drops all other VLAN traffic
6500-1(config-ext-nacl)#permit ip any any
6500-1(config-ext-nacl)#exit
6500-1(config)#interface vlan xxx
6500-1(config-if)#ip access-group DHCP in
6500-1(config-if)#ip access-group DHCP out
6500-1(config-if)#exit
! note: entries with "log" are handled in software on the 6500, so keep the logged entries narrow

HTH.

Regards,

RS.
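The ACL-with-log method above turns every DHCP packet crossing the SVI into a %SEC-6-IPACCESSLOGP syslog message on the customer's syslog server. The following is an added example, not code from the thread or from Cisco: a small Python parser that consumes those lines, sums the packet counts IOS reports (the first matching packet is logged immediately, later matches only as periodic summaries with a count), and flags replies sourced from port 67 by any address that is not on an allow-list, which is the signature of a rogue DHCP server on a relayed VLAN. The sample lines, the host name 6500-1, the SVI address 10.1.10.1, the server address 10.0.0.10 and the rogue 10.1.10.99 are all constructed for the example; the syslog receiver prefix and timestamp layout are assumed and vary per deployment, so the parser searches for the message body only.

```python
import re
from collections import Counter

# Message body produced by the "log" keyword on an extended ACL. Everything in
# front of "%SEC-6-IPACCESSLOGP" (syslog daemon prefix, optional IOS sequence
# number, IOS timestamp) differs between deployments, so we search for the body.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) udp "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample (not real logs). Assumed layout: syslog daemon prefix,
# then the IOS timestamp from "service timestamps log datetime localtime
# show-timezone", then the IPACCESSLOGP body. IOS logs the first matching
# packet at once and later matches only as summaries, hence the counts.
SAMPLE_LOG = """\
Mar  3 09:12:01 6500-1 : Mar  3 09:12:00 UTC: %SEC-6-IPACCESSLOGP: list DHCP permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
Mar  3 09:12:01 6500-1 : Mar  3 09:12:00 UTC: %SEC-6-IPACCESSLOGP: list DHCP permitted udp 10.1.10.1(67) -> 10.1.10.25(68), 1 packet
Mar  3 09:12:03 6500-1 : Mar  3 09:12:02 UTC: %SEC-6-IPACCESSLOGP: list DHCP permitted udp 10.1.10.25(68) -> 10.0.0.10(67), 1 packet
Mar  3 09:12:03 6500-1 : Mar  3 09:12:02 UTC: %SEC-6-IPACCESSLOGP: list DHCP permitted udp 10.1.10.99(67) -> 255.255.255.255(68), 3 packets
Mar  3 09:17:03 6500-1 : Mar  3 09:17:02 UTC: %SEC-6-IPACCESSLOGP: list DHCP permitted udp 0.0.0.0(68) -> 255.255.255.255(67), 12 packets
Mar  3 09:17:05 6500-1 : Mar  3 09:17:04 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
"""

# Hypothetical allow-list of addresses that may legitimately send from port 67
# on the client VLAN: the SVI carrying "ip helper-address" (replies forwarded by
# the relay are assumed to be sourced from it) and the Windows DHCP server
# itself (unicast renewals are answered directly by the server).
EXPECTED_REPLY_SOURCES = {"10.1.10.1", "10.0.0.10"}


def parse_acl_log(line):
    """Parse one syslog line; return a dict, or None if it is not an ACL log."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize_dhcp(lines, expected_reply_sources):
    """Aggregate ACL log lines into per-client request counts, per-source reply
    counts, and a list of replies from sources not on the allow-list."""
    requests = Counter()   # client source IP -> packets sent to port 67
    replies = Counter()    # server-side source IP -> packets sent to port 68
    rogue = []             # (src, dst, count) for replies from unexpected sources
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        if rec["sport"] == 68 and rec["dport"] == 67:
            requests[rec["src"]] += rec["count"]
        elif rec["sport"] == 67 and rec["dport"] == 68:
            replies[rec["src"]] += rec["count"]
            if rec["src"] not in expected_reply_sources:
                rogue.append((rec["src"], rec["dst"], rec["count"]))
    return {"requests": requests, "replies": replies, "rogue": rogue}


def report(log_text=SAMPLE_LOG, expected=EXPECTED_REPLY_SOURCES):
    """Print a human-readable summary and return the aggregated data."""
    summary = summarize_dhcp(log_text.splitlines(), expected)
    for src, n in sorted(summary["requests"].items()):
        print(f"client {src:<16} {n:>4} packets to port 67")
    for src, n in sorted(summary["replies"].items()):
        print(f"server {src:<16} {n:>4} packets to port 68")
    for src, dst, n in summary["rogue"]:
        print(f"ALERT unexpected DHCP server {src} answering {dst} ({n} packets)")
    return summary


if __name__ == "__main__":
    report()
```

Requests from 0.0.0.0 are DISCOVER/REQUEST broadcasts from clients that have no address yet, so they cannot be attributed to a host from the IP alone; if that attribution matters, use the log-input keyword instead of log on the ACE, which adds the ingress interface and source MAC to the message, and extend the regex accordingly.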