04-22-2014 03:47 AM - edited 03-07-2019 07:10 PM
Hello,
I have enabled dhcp snooping on a WS-C2960-24TC-L running c2960-lanbasek9-mz.122-50.SE5.bin.
A device with static IP is connected to this switch, so I created a manual entry in the dhcp snooping database with the command:
ip source binding 0080.A361.D027 vlan 1 192.168.140.101 interface Fa0/12
The dhcp snooping database shows no entry for this device!!!! (unfortunately I have only one device connected to this switch)
#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
My configuration is as follows:
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping trust (on interface connected to the router and interfaces to downlink switches)
Any ideas why the dhcp snooping database is empty? Devices running DHCP do indeed populate the database!
Thank you in advance,
Katerina
04-22-2014 04:50 AM
Hi,
The reason there is no entry in the dhcp snooping binding database after you have used the ip source binding command is because the ip source guard does not configure a static dhcp snooping entry in the snooping binding database. IP source guard is a slightly different technology that uses the dhcp snooping binding database - along with static bindings - to prevent a malicious host from impersonating another host.
So there are 2 slightly different technologies here:
dhcp snooping =
- track the physical locations of ip addresses
- ensure only 'authorized' dhcp servers can issue ip addressing
- ensure that only the issued ip addressing can send traffic on a given port.
IP source guard ensures that only traffic from a specific ip address can be received on a particular port, and the ip address / port mapping information comes from 2 sources:
- dhcp snooping binding database
- static ip binding on a particular port.
To verify what ip addressing is 'permitted' to send traffic on a given port, use the command :
show ip verify source interface [interface]
Very best wishes
Mike
04-22-2014 05:03 AM
Maybe there is something I am not understanding...
I want to populate the dhcp snooping database of the switch, so I can enable DAI in the future. Unfortunately I have devices with static IP addresses.
My understanding was that if I enable DAI and all access ports are untrusted, then traffic will pass only for DHCP enabled hosts, which are in the database. Traffic of static IPs will be dropped, unless the port is trusted or the binding is manually entered in the database (that is what I am trying to do). Is this correct?
I do not want to enable IPSG yet.
To sum it up, I want to enable DAI on a mixed environment with DHCP enabled and static hosts. How do I populate the DHCP snooping database with static bindings?
Thank you in advance,
Katerina
04-22-2014 05:20 AM
Hi Katerina,
So you want to enable DAI in an environment where some hosts obtain IP via DHCP, and some via static addressing.
The way round this is to configure an ARP ACL - which is Cisco's way of configuring a static binding, i.e.
arp access-list [name]
permit ip host [sender ip] mac host [sender mac]
then apply this to the vlan using the command
ip arp inspection filter [ARP ACL] vlan [vlan]
there is a link here explaining fully:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swdynarp.html#wp1039773
Very best wishes
Mike
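The ARP ACL approach above, written out as an added configuration example (not Mike's own config) using the static host from this thread; the ACL name STATIC-HOSTS and the uplink interface Fa0/1 are assumptions:

```cisco
! Added example: DAI on a VLAN mixing DHCP clients and one static host.
! Assumed names: ARP ACL "STATIC-HOSTS", uplink FastEthernet0/1.
! MAC/IP are the static host values posted in this thread.
!
! 1. Express the static host as an ARP ACL entry (sender IP / sender MAC)
arp access-list STATIC-HOSTS
 permit ip host 192.168.140.101 mac host 0080.a361.d027
!
! 2. Bind the ACL to VLAN 1. The trailing "static" keyword is deliberately
!    omitted: without it, ARP packets that match no ACL entry fall through
!    to the DHCP snooping binding table, so DHCP clients are still validated.
!    With "static", the ACL's implicit deny is enforced and the binding
!    table is never consulted, which would block every DHCP client.
ip arp inspection filter STATIC-HOSTS vlan 1
!
! 3. Enable DAI on the VLAN (DHCP snooping is already on in the original config)
ip arp inspection vlan 1
!
! 4. Trust only the port towards the router/DHCP server; access ports
!    such as Fa0/12 stay untrusted so their ARP traffic is inspected
interface FastEthernet0/1
 ip arp inspection trust
!
! Verification from exec mode:
!   show ip arp inspection vlan 1             - DAI state and ACL bound to the VLAN
!   show ip arp inspection statistics vlan 1  - ACL Permits vs DHCP Permits counters
```

Because the ARP ACL lives in the running/startup configuration rather than in the snooping binding database, a "clear ip dhcp snooping binding" or a reload does not remove it.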
04-23-2014 12:29 AM
Thank you so much for your reply and the link.
Another thing that I want to try and see if it works is this:
I manually added the static entry in the database (in enable mode, not configuration mode):
ip dhcp snooping binding 0080.a361.d027 vlan 1 192.168.140.101 interface fa0/12 expiry 4294967295
#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:80:A3:61:D0:27 192.168.140.101 infinite dhcp-snooping 1 FastEthernet0/12
Total number of bindings: 1
I also enabled a dhcp database agent on the switch.
I now want to reload the switch to see what happens.
Thanks!
Katerina
05-07-2014 03:47 AM
Hi all!
I wanted to comment that the correct answer is that proposed by Mike, that utilizes the ARP ACL.
The other approach I tested with the manual entry in the database doesn't achieve the desired results and this is why.
If you manually enter a static binding and also have the database agent enabled, an entry is created in the database and is redirected to where the agent is pointing (tftp server or locally on switch). What happens if someone clears the dhcp snooping binding database? Then the entry is also deleted from where the database is stored. So in a few minutes, if DAI is enabled, connectivity to the static IP is lost!!!!! Same thing happens if switch is reloaded and it tries to load the bindings from the stored database. Since the static entry isn't present anymore, there is no connectivity to the device with the static IP!
So, as Mike said, ARP ACL is the only solution.
Hope this helps someone who wants an understanding of why static bindings won't work!
Thanks!
05-01-2020 10:17 PM
Hi Katerina
I know it's an old post and maybe things have changed since then, but I've gone through some testing and found out that with the ip source binding command the entry is written in the switch config and not in the dhcp snooping database. Note that I also enabled the snooping agent and the ip source binding entries still do not write to the snooping database. Furthermore, I also performed the clearing of all dhcp snooping bindings and the only thing cleared was the dhcp-snooping entries and not the one with the ip source binding command.
Therefore, when the switch reloads the static host allowed with ip source binding command will be allowed to send data since the entry is stored in the startup config. I believe you can either use ARP ACLs or IP Source bind to solve for static address assignment.