static dhcp snooping entry

Hello,

I have enabled dhcp snooping on a WS-C2960-24TC-L running c2960-lanbasek9-mz.122-50.SE5.bin.

A device with static IP is connected to this switch, so I created a manual entry in the dhcp snooping database with the command:

ip source binding 0080.A361.D027 vlan 1 192.168.140.101 interface Fa0/12

The DHCP snooping database shows no entry for this device! (Unfortunately I have only one device connected to this switch.)

#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

 

My configuration is as follows:

ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping

ip dhcp snooping trust  (on interface connected to the router and interfaces to downlink switches)

 

Any ideas why the dhcp snooping database is empty? Devices running DHCP do indeed populate the database!

 

Thank you in advance,

Katerina

 

7 Replies

edwin.matos
Level 1

Katerina, has any new DHCP request happened since the setup? You could expire a DHCP entry and force the client to request its IP again. It might be that no new request has happened because the lease hasn't expired yet on the DHCP server. The setup looks fine to me.

Hi,

 

The reason there is no entry in the DHCP snooping binding database after you have used ip source binding is that IP source guard does not configure a static DHCP snooping entry in the snooping binding database. IP source guard is a slightly different technology that uses the DHCP snooping binding database, along with static bindings, to prevent a malicious host from impersonating another host.

 

So there are 2 slightly different technologies here:

dhcp snooping =

- track the physical locations of ip addresses

- ensure only 'authorized' dhcp servers can issue ip addressing

- ensure that only the issued ip addressing can send traffic on a given port.

 

IP source guard ensures that only traffic from a specific ip address can be received on a particular port, and the ip address / port mapping information comes from 2 sources:

 

- dhcp snooping binding database

- static ip binding on a particular port.

 

To verify what ip addressing is 'permitted' to send traffic on a given port, use the command :

show ip verify source interface [interface]

 

Very best wishes

 

Mike
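As an added example, not part of the thread, this is what the IP source guard side of Mike's explanation looks like as a complete configuration for the host Katerina posted (MAC 0080.a361.d027, 192.168.140.101, VLAN 1, Fa0/12). The interface description is assumed; everything else is the thread's own values. The static entry lands in the IP source binding table, which is a different table from the DHCP snooping binding table that `show ip dhcp snooping binding` prints.

```cisco
! Added example (not from the thread): IP Source Guard with one static
! binding for a host that does not use DHCP. Interface description is
! assumed; MAC, IP, VLAN and port are the ones posted in the question.
!
! DHCP snooping must be enabled for IPSG; DHCP clients are learned here.
ip dhcp snooping
ip dhcp snooping vlan 1
!
! Static binding for the non-DHCP host. This writes to the IP source
! binding table (show ip source binding) and to the running config, NOT
! to the DHCP snooping binding table, which is why the question's
! "show ip dhcp snooping binding" still reported 0 bindings.
ip source binding 0080.a361.d027 vlan 1 192.168.140.101 interface FastEthernet0/12
!
interface FastEthernet0/12
 description static host
 switchport mode access
 switchport access vlan 1
 ! Filter inbound traffic on source IP only. "ip verify source
 ! port-security" would additionally check the source MAC but requires
 ! port security to be enabled on the interface.
 ip verify source
!
! Verification:
! show ip source binding                              (Type "static" for this entry)
! show ip verify source interface FastEthernet0/12   (permitted IP on the port)
```

The point of the example is the distinction between the two tables: `clear ip dhcp snooping binding` does not touch the static entry, and because the `ip source binding` line is part of the configuration it survives a reload as long as the config is saved.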

 

Maybe there is something I am not understanding...

 

I want to populate the dhcp snooping database of the switch, so I can enable DAI in the future. Unfortunately I have devices with static IP addresses.

My understanding was that if I enable DAI and all access ports are untrusted, then traffic will pass only for DHCP enabled hosts, which are in the database. Traffic of static IPs will be dropped, unless the port is trusted or the binding is manually entered in the database (that is what I am trying to do). Is this correct?

I do not want to enable IPSG yet.

To sum it up, I want to enable DAI on a mixed environment with DHCP enabled and static hosts. How do I populate the DHCP snooping database with static bindings?

Thank you in advance,

Katerina

Hi Katerina,

 

So you want to enable DAI in an environment where some hosts obtain an IP via DHCP and some use static addressing.

The way round this is to configure an ARP ACL, which is Cisco's way of configuring a static binding, i.e.

 

arp access-list [name]

permit ip host [sender ip] mac host [sender mac]

 

then apply this to the vlan using the command

ip arp inspection filter [ARP ACL] vlan [vlan]

 

there is a link here explaining fully:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swdynarp.html#wp1039773

 

Very best wishes

 

Mike
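The procedure Mike outlines, carried through as an added example (not from the thread) into a complete DAI configuration for a mixed DHCP/static VLAN. The static host values are the ones posted in the thread; the uplink interface name (Gi0/1), the ACL name and the interface descriptions are assumptions.

```cisco
! Added example (not from the thread): DAI on VLAN 1 with DHCP hosts and
! one static host. Static host values are from the thread; the uplink
! interface Gi0/1, ACL name and descriptions are assumed.
!
ip dhcp snooping
ip dhcp snooping vlan 1
no ip dhcp snooping information option
!
! One permit line per static host: sender IP AND sender MAC in the ARP
! body must both match. Add a line for every other static device.
arp access-list STATIC-HOSTS
 permit ip host 192.168.140.101 mac host 0080.a361.d027
!
! Enable DAI for the VLAN and attach the ACL. Without the trailing
! "static" keyword, an ARP packet that matches no permit line is not
! dropped outright but is then checked against the DHCP snooping
! bindings; that fallback is what lets DHCP and static hosts coexist.
! Adding "static" makes the implicit deny final and would cut off the
! DHCP clients.
ip arp inspection vlan 1
ip arp inspection filter STATIC-HOSTS vlan 1
!
! Optional extra checks: Ethernet source MAC vs ARP sender MAC, Ethernet
! destination MAC vs ARP target MAC (replies), and reject bogus IPs such
! as 0.0.0.0, 255.255.255.255 and multicast in the ARP body.
ip arp inspection validate src-mac dst-mac ip
!
! Uplinks toward the router and downstream switches are trusted for both
! features; DAI does not inspect ARP that arrives on a trusted port.
interface GigabitEthernet0/1
 description uplink to router
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted. DAI rate-limits ARP on untrusted ports
! (15 pps is the default) and err-disables the port when exceeded;
! recovery avoids a manual shut / no shut after a burst.
interface FastEthernet0/12
 description static host
 switchport mode access
 switchport access vlan 1
 ip arp inspection limit rate 15
!
errdisable recovery cause arp-inspection
!
! Verification:
! show ip arp inspection vlan 1            (VLAN 1 Enabled, ACL STATIC-HOSTS attached)
! show ip arp inspection interfaces        (trust state and rate limit per port)
! show ip arp inspection statistics vlan 1 (forwarded vs dropped, ACL vs DHCP permits)
! show arp access-list
```

Because the binding lives in an ARP ACL in the configuration rather than in the DHCP snooping database, neither `clear ip dhcp snooping binding` nor a reload removes it, which is exactly the failure mode Katerina later describes for entries added with `ip dhcp snooping binding`.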

 

Thank you so much for your reply and the link.

Another thing that I want to try and see if it works is this:

I manually added the static entry in the database (in enable mode, not configuration mode):

ip dhcp snooping binding 0080.a361.d027 vlan 1 192.168.140.101 interface fa0/12 expiry 4294967295

#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:80:A3:61:D0:27   192.168.140.101  infinite    dhcp-snooping   1     FastEthernet0/12
Total number of bindings: 1

I also enabled a dhcp database agent on the switch.

I now want to reload the switch to see what happens.

Thanks!

Katerina

Hi all!

 

I wanted to comment that the correct answer is the one proposed by Mike, which utilizes the ARP ACL.

The other approach I tested, with the manual entry in the database, doesn't achieve the desired results, and this is why.

If you manually enter a static binding and also have the database agent enabled, an entry is created in the database and is redirected to where the agent is pointing (TFTP server or locally on the switch). What happens if someone clears the DHCP snooping binding database? Then the entry is also deleted from where the database is stored. So in a few minutes, if DAI is enabled, connectivity to the static IP is lost! The same thing happens if the switch is reloaded and it tries to load the bindings from the stored database. Since the static entry isn't present anymore, there is no connectivity to the device with the static IP!

 

So, as Mike said, the ARP ACL is the only solution.

Hope this helps someone who wants to understand why static bindings won't work!

 

Thanks!

Hi Katerina

 

I know it's an old post and maybe things have changed since then, but I've gone through some testing and found out that with the ip source binding command the entry is written in the switch config and not in the DHCP snooping database. Note that I also enabled the snooping agent and the ip source binding entries still do not get written to the snooping database. Furthermore, I also performed the clearing of all DHCP snooping bindings, and the only things cleared were the dhcp-snooping entries, not the one created with the ip source binding command.

Therefore, when the switch reloads, the static host allowed with the ip source binding command will be allowed to send data, since the entry is stored in the startup config. I believe you can either use ARP ACLs or ip source binding to solve for static address assignment.
