Thanks for your reply:

I already tried doing that, because I read that suggestion in a post somewhere in this Cisco Support Forum.

I changed the syntax of that command adding that 01. It did not give me an error (something that I find confusing, since a MAC address is 12 hex digits, and that syntax changes the MAC to 14 digits in a format 01aa.bbbb.cccc.dd which is weird...)

The output of the show ip dhcp bindings stayed the same (the static DHCP assignment worked), but the main problem persists:

if I release the static DHCP provided IP address, and I configure the network settings of another user with that IP address (statically), that IP address gets assigned to the other user.

The main question that I have is still there:

- How can I configure a solution for the wired users like the one I want? One that:

   * Assigns a static IP addresses to the user PCs based on their MAC addresses.

   * So those users will always get that assign IP address, even if they try to "renew" their IP addresses in their PCs (or like when they turn off their PCs at the end of the day and return the next day).

   * And they will not be able to change it to a different one statically, that means, the DHCP configuration supersedes the static attempt.

- Could it be that this solution is beyond the scope of DHCP configuration? What should I configure to obtain this?

Thanks a lot for your answer.

As I see in that configuration, you:

- Create a general DHCP pool with excluded addresses,

- Then you define things like domain, lease time, default addresses

- Interestingly, you also list a default boot file for the DHCP client with the bootfile command.

- You also define two DHCP Static pools (for two users). The addresses that you assign to them are part of the excluded addresses defined in the general pool. The definition of these pools include client names and domain.

As I see, that configuration is not so different from mine (it only includes more options), so I daresay it would give the same results as the one that I already tried.

Could you please explain to me the following things:

- How does the configuration you propose solve the issue I want to solve? That is to assign static IP addresses to the users based on their MAC addresses, so that each user will get a unique IP address (via DHCP) and will not be able to change it to a different one statically.

- Does any of the options you configure in your example help to solve the issue?

- Also I am not familiar with the bootfile pxelinux.0 command Could you please explain what is it for? Is that a file that includes the DHCP mapping? I read somewhere it can be done that way, but that file needs to be in a TFTP server. Where is located that file in your configuration example?

- Is the solution that I look related to DHCP configuration, or does it go beyond this topic? Any other way to configure this?

Thanks in advance for your time.

Hi David

I must admit I didn't read your entire post. That was why i did not answer all your questions.

I think the feature you need is IP Source Guard. The user can only transmit packets with the source IP it recieves from the DHCP server, and then you create the static bindings and control the clients.

You need to configure DHCP Snooping for IPSG to work.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/37sg/configuration/guides/config/dhcp.html

Hello Rasmus. Thanks for your answer

As I have checked in the link you provided, the solution that I want may be given by IP source guard. It restricts IP traffic by filtering the traffic based on a DHCP snooping binding, right?

It seems that to configure that IP source guard I have to configure DHCP Snooping, that filters untrusted DHCP messages based on a table, right?

Please remember the topology I have. It's attached in this post.

As I have checked on some links, to configure that DHCP snooping, I have to do it this way:

SWACPB02(config)# ip dhcp snooping
SWACPB02(config)# ip dhcp snooping vlan 120
SWACPB02(config)# interface GigabitEthernet 0/5
SWACPB02(config-if)# ip dhcp snooping trust
SWACPB02(config-if)# end
SWACPB02# show ip dhcp snooping

It should give this kind of output:

SWACPB02#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
120
Insertion of option 82 is enabled
Interface                       Trusted      Rate limit (pps)
————————        ——-          —————-
GigabitEthernet 0/5      yes             unlimited

Then I have to define a dhcp snooping database (in an external file like one located in a TFTP server). I don't find much information about what it is for or how to configure it.

Once I have those things, I can configure the IP Source Guard. To configure that IP source guard I have to to this:

SWACPB02(config)#int gi0/5
SWACPB02(config)#ip source binding 3c97.0e90.50f5 vlan 120 10.10.120.62 int gi0/5
SWACPB02(config-if)#ip verify source
SWACPB02(config-if)#switchport port-security

To verify that, I can use

SWACPB02# show ip source binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

3c:97:0e:90:50:f5   10.10.120.62         infinite    static         120    GigabitEthernet0/5

SWACPB02# show ip verify source

Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan

---------  -----------  -----------  ---------------  -----------------  ----

Gi0/5      ip mac       active       10.10.120.62     3c:97:0e:90:50:f5   120

I have several questions regarding these topics and configurations:

- In my topology are the configurations (HDCP Snooping and IPsg) done in the access switches or in the core switch? The info you mentioned is about a 4500/6500 switch.

- The IPsg configuration has to be done in access ports (those connected to the final users), right? Will they give any error if they are applied in interswitch link ports?

- Do I have to define a dhcp snooping database prior to configure that IP Source Guard? What is that for? How do I configure it?

- With that IP source guard configuration do assure that users get a unique IP address (via DHCP) based on the MAC so they will not be able to change it to a different one statically?

Thanks a lot for further clarifications about this solution.

Hi

- In my topology are the configurations (HDCP Snooping and IPsg) done in the access switches or in the core switch? The info you mentioned is about a 4500/6500 switch.

You only need to activate the features on the End Device facing ports. So only the access layer. Trust all other ports(the upllinks to the 3750). The configuration for the 2960 i pretty much the same: - In my topology are the configurations (HDCP Snooping and IPsg) done in the access switches or in the core switch? The info you mentioned is about a 4500/6500 switch.

The IPsg configuration has to be done in access ports (those connected to the final users), right? Will they give any error if they are applied in interswitch link ports?

You will experience packet loss if you enable it on uplink ports, because the DHCP snooping wont have a binding table for traffic on that port.

Do I have to define a dhcp snooping database prior to configure that IP Source Guard? What is that for? How do I configure it?

The DHCP snooping database is dynamicaly buildt when the clients asks for an DHCP address. This is the DB IPSG uses later on.

With that IP source guard configuration do assure that users get a unique IP address (via DHCP) based on the MAC so they will not be able to change it to a different one statically?

If they change theire address then it is not in the DHCP snooping DB and IPSG bloks the traffic from that address.

Then I have to define a dhcp snooping database (in an external file like one located in a TFTP server). I don't find much information about what it is for or how to configure it.

Forget the stuff about the external DB, it is only used if you want the DB to be persistent accross switch reboots, but if the switch reboots the clients ask for a new address and the table is rebuilt in RAM.

It seems that to configure that IP source guard I have to configure DHCP Snooping, that filters untrusted DHCP messages based on a table, right?

Correct.

BTW i dont think you have to make any static IPSG static bindings, if all your client get DHCP addresses.

Hope this answers all your questions.

SWACPB02(config)# ip dhcp snooping
SWACPB02(config)# ip dhcp snooping vlan 120
SWACPB02(config)# interface GigabitEthernet 0/5

SWACPB02(config-if)# description Uplink port to the Core
SWACPB02(config-if)# ip dhcp snooping trust

SWACPB02(config)# interface GigabitEthernet 0/20

SWACPB02(config-if)# description Access port

SWACPB02(config-if)#ip verify source port-security
SWACPB02(config-if)#switchport port-security 

Take a look at dynamic ARP inspection as well, then you have the full access layer protection packet:)

Thanks a lot for the follow up you are doing to this topic.

From the answer you gave me I understand this sequence of configuration:

1) I have to configure DHCP Snooping in the access switches.

   * And the ip dhcp snooping trust command in the uplinks to the core switch.

2) I can let the DHCP snooping database to be dynamically built (although I am quite sure I should build it statically to assure the correct MAC to IP bindings)

3) Then I configure IPsg in the access switches.

   * The IPsg should not be applied in the uplink ports to the core.

I have some more questions regarding this topic:

- If I build the DHCP snooping database statically I should have more control over the MAC to IP addressing, right?

- What are the disadvantages of building a statically  DHCP snooping database? I guess it should be the best way to get more security in most cases.

- Either way, I have discovered that the IPsg configuration also includes a mac to IP binding:

SWACPB02(config)#int gi0/5
SWACPB02(config)#ip source binding 3c97.0e90.50f5 vlan 120 10.10.120.62 int gi0/5
SWACPB02(config-if)#ip verify source

Is that configuration consistent with the previous configuration of the DHCP Snooping (specially with the database previously discussed)?. Should I (do I have to) configure both mappings with the same information? What could happen if these two tables (the DHCP snooping table and the IPsg binding table) have different information?

(It would believe it points as an advantage of the static DHCP snooping table... )

- I also checked that ARP dynamic inspection you mentioned. It seems that it's useful just to prevent MitM attacks because of an ARP spoofing attack, right?

Do you believe it's useful to apply this in my scenario? What advantages could I have if I do so?

Thanks in advance for your help.

As far as I understand your setup, all the static bindings is done by a static DHCP entry. Then you dont need static IPSG, because the DHCP Snooping table is complete. If you want to avoid the clients from using an address outside the static DHCP bindings you have made then you need the static IPSG conifguration.

So all in all i dont think you need the static DHCP snooping DB og IPSG, it will only give you more work, and a less dynamic network.

If you want DAI or not is completely up to you. It will give you resistance to MiTM attacks, and you have all the features enabled for it to work.

All the questions you asked i haven't answered is because you are right.

I am not quite sure if you over complicate the setup, or if it is complicated, so remember to test the features in a lab before you apply it to production.

My guideline would be:

1. Configure all static addresses using static DHCP bindings.
2. enable DHCP snooping on all access switches+VLANs
3. trust uplink ports
4. enable IPSG with MAC validation on all access ports.
5. Enable DAI for the fun of it/extra security.:-)

When you enable this all the clients need to pull a new IP address from the DHCP or they will lose connectivity.

Hello Rasmus:

Thanks for your patience and support.

These days I extensively tried making the configurations we have been discussing, but I have been partially successful.

I was successful in configuring the the IPsg with a static IP configuration for the users, but I could not make it work with a DHCP IP addressing.

Please take a look at the attached diagram that explains the scenario I used as a test.

The steps done were:

1) Definition of a DHCP Pool in the Core Switch

SWCOPB01(config)#ip dhcp pool Network80
SWCOPB01(dhcp-config)#network 10.10.80.0 255.255.255.0
SWCOPB01(dhcp-config)#dns-server 192.168.5.13 8.8.8.8
SWCOPB01(dhcp-config)#default-router 10.10.80.1
SWCOPB01(dhcp-config)#domain-name abc.com.ec
SWCOPB01(dhcp-config)#exit
SWCOPB01(config)#ip dhcp excluded-address 10.10.80.30 10.10.80.40

It is correctly defined as seen:

SWCOPB01#show runn | sec ip dhcp pool Network80
ip dhcp pool Network80
network 10.10.80.0 255.255.255.0
default-router 10.10.80.1 
domain-name abc.com.ec
dns-server 192.168.5.13 8.8.8.8

2) Configure DHCP Snooping in the access switch and trust the uplink port

SWACPB01(config)# ip dhcp snooping
SWACPB01(config)# ip dhcp snooping vlan 80
SWACPB01(config)# interface GigabitEthernet 0/1
SWACPB01(config-if)# ip dhcp snooping trust
SWACPB01(config-if)# end

3) Configure IPsg

SWACPB01(config)#ip source binding d43d.7ee9.063c vlan 80 10.10.80.35 int fa0/46

SWACPB01(config)#ip source binding 3c97.0e90.50f5 vlan 80 10.10.80.36 int fa0/48

SWACPB01(config)#int fa0/46
SWACPB01(config-if)#ip verify source
SWACPB01(config-if)#switchport port-security
SWACPB01(config-if)#exit
SWACPB01(config)#int fa0/48
SWACPB01(config-if)#ip verify source
SWACPB01(config-if)#switchport port-security
SWACPB01(config-if)#exit

It seems to work:

SWACPB01(config)#do show ip source bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
3C:97:0E:90:50:F5 10.10.80.36 infinite static 80 FastEthernet0/48
D4:3D:7E:E9:06:3C 10.10.80.35 infinite static 80 FastEthernet0/46
Total number of bindings: 2

SWACPB01(config)#

4) I assign static IP addresses to User1 and User2 PCs (with the same 10.10.80.35 and 10.10.80.36 addresses as stated in the commands)

This solution seems to work, because if I change the IP addresses of either user to any other one, the user loses connectivity.

But the solution done above does not use DHCP scheme as I originally wanted.

So I tried to combine it with the DHCP by doing this:

5) Make a DHCP static mapping to those users:

SWCOPB01(config)#ip dhcp pool ManualDHCPUser1
SWCOPB01(dhcp-config)#host 10.10.80.35 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier d43d.7ee9.063c

SWCOPB01(dhcp-config)#exit
SWCOPB01(config)#ip dhcp pool ManualDHCPUser2
SWCOPB01(dhcp-config)#host 10.10.80.36 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 3c97.0e90.50f5

Those pools work:

SWCOPB01#show ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.10.80.35        d43d.7ee9.063c          Infinite                Manual

10.10.80.36        3c97.0e90.50f5          Infinite                Manual

6) But if I configure DHCP addresses to User1 and User2 PCs (Network and sharing center - Network Connection - Local Area connection  for Windows users) the DHCP won't assign them the previously defined binding in the DHCP server switch.

They will be assigned the IP addresses 10.10.80.2 and 10.10.80.3 via DHCP, and they are not able to reach internet. I did not try assigning them another IP address via static configuration.

So, with that said I have some more questions:

- Are the DHCP Pools correctly defined? Do I have to exclude the IP addresses (from the main DHCP Pool) that will later be used as hosts in the two DHCP Pools for hosts? I get confusing information about this topic from different sources (some pages say that I should exclude those addresses, and some others say I don't have to).

- How can I change the configuration that worked (IPsg for static IP addresses) to include DHCP static assignments?. The goal is that the users will be given "DHCP addresses" (but defined by me), so if they want to change them (to other static IP addresses) they will lose connectivity.

How do I have to configure that static dhcp bindings joined to the IPsg configuration?

- Does that configuration include those two definitions of bindings (the one done in the IPsg and the same one done in the DHCP static mapping)? I suspect the problem is around here...

- By the way, how does the DHCP snooping activation in the switch affect traffic from/to other vlans defined there (but not included in the dhcp snooping configuration)?. I suffered problems in other vlans (like wireless vlans), and I suspect it's because of that snooping activation.

By the way, should I also "trust" the uplink port to an access point attached to the access switch? What about ports connected to servers?

Thanks in advance for your cooperation and patience. I think we are close to the solution. (I am not forgetting that I have to mark your posts as "correct solution" once we are finished)

Have a nice day. Bye

Hi

Just to clarify. I understand why you have some of the problems you have.

First of all. The IPSG will work on the information it get from DHCP Snooping/you static bindings. And since your DHCP is not working you have to configure static IP addresses and IPSG.

This is caused by the problem: Static DHCP not working

So first of all get that to work. Then work on the rest afterwards.

Setting Manual Bindings

There are two ways to set up manual bindings; one is for the Windows host, and the other is for non-Windows hosts. There are two different commands used to configure; one is for Microsoft DHCP clients, and the other is for non-Microsoft DHCP clients:DHCP client-identifier (manual binding - Microsoft DHCP clients) and DHCP hardware-address (manual binding - non-Microsoft DHCP clients). The reason for two different commands is that a PC that runs with Windows modifies its MACs, and a 01 is added at the beginning of the address. These are the sample configurations:

This is what i found on Ciscos page about DHCP servers on a Catalyst Switch.

Use the show ip dhcp server bindings commands to make sure the servers get the right address. it will show you the client-identifier you need to configure in your reservation.

By the way, should I also "trust" the uplink port to an access point attached to the access switch? What about ports connected to servers?

You should configure dhcp trust on all connections towards the DHCP server. So NOT in the downlinks to the APs.

By the way, how does the DHCP snooping activation in the switch affect traffic from/to other vlans defined there (but not included in the dhcp snooping configuration)?. I suffered problems in other vlans (like wireless vlans), and I suspect it's because of that snooping activation.

DHCP snooping will only block DHCP offers and DHCP ack packets on all links in the VLAN unless its trusted.

So the summary must be:

1. Disable all the features, DHCP Snooping, IPSG, port-security
2. Configure static DHCP bindings.
1. Make sure they work and the client get the addresses.
2. show ip dhcp server bindings
3. Configure DHCP snooping
1. Use the show ip dhcp-snooping bindings

Hope this helps, and i know i didn't answer some of you questions, but lets start somewhere and work your way to the top:)

Hello Rasmus:

Thanks again for your answer.

What you say it's very reasonable: To work in parts, one topic at a time using the test topology that I attach again (a little better drawn) in this post.

1) So let's start with the static DHCP bindings. To do that I will configure this:

SWCOPB01(config)#ip dhcp pool Network80
SWCOPB01(dhcp-config)#network 10.10.80.0 255.255.255.0
SWCOPB01(dhcp-config)#dns-server 192.168.5.13 8.8.8.8
SWCOPB01(dhcp-config)#default-router 10.10.80.1
SWCOPB01(dhcp-config)#domain-name abc.com.ec
SWCOPB01(dhcp-config)#exit

I will not exclude those 80.35 and 80.36 ip addresses that I will attempt to use later, right? Also it will somehow create "three dhcp pools: one parent and two children" (the main one with 10.10.80.0/24 and two hosts with 10.10.80.35 and 10.10.80.36). It is correct, right?

2) To create the DHCP static mapping to the users:

SWCOPB01(config)#ip dhcp pool ManualDHCPUser1
SWCOPB01(dhcp-config)#host 10.10.80.35 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 01d4.3d7e.e906.3c

SWCOPB01(dhcp-config)#exit
SWCOPB01(config)#ip dhcp pool ManualDHCPUser2
SWCOPB01(dhcp-config)#host 10.10.80.36 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 013c.970e.9050.f5

3) I will verify the configurations with the show ip dhcp bindings command. It should come out like this:

SWCOPB01#show ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.10.80.35        01d4.3d7e.e906.3c          Infinite                Manual

10.10.80.36        013c.970e.9050.f5          Infinite                Manual

4) I will configure on the user PCs a DHCP ip configuration (in Network and Sharing Center - Network Connection - Local Area Connection since they are Windows users), and check that they receive the .80.35 and .80.36 ip addresses (in cmd - ipconfig)

5) After all that is done we can continue with other topics like DHCP snooping and IPsg with port security

Please take this into consideration:

- When I last created all the configuration (as I said in my previous post), the show ip dhcp bindings command showed me correct static bindings as I expected (.80.35 and .80.36), but the actual users still got different IP addresses via DHCP (.80.2 and .80.3 that are part of the DHCP pool that I defined).

I still don't know why it got wrong...

I will keep you posted about the results of this configuration.

See you. Bye.

Hello, David

Greetings,

Actually the last configuration you have published is right, while you have a missed command! 

First you config the main pool:

SWCOPB01(config)#ip dhcp pool Network80
SWCOPB01(dhcp-config)#network 10.10.80.0 255.255.255.0
SWCOPB01(dhcp-config)#dns-server 192.168.5.13 8.8.8.8
SWCOPB01(dhcp-config)#default-router 10.10.80.1
SWCOPB01(dhcp-config)#domain-name abc.com.ec
SWCOPB01(dhcp-config)#exit

Second you config the sub pools:

SWCOPB01(config)#ip dhcp pool ManualDHCPUser1
SWCOPB01(dhcp-config)#host 10.10.80.35 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 01d4.3d7e.e906.3c

SWCOPB01(dhcp-config)#exit
SWCOPB01(config)#ip dhcp pool ManualDHCPUser2
SWCOPB01(dhcp-config)#host 10.10.80.36 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 013c.970e.9050.f5

until now, you will find the static bindings in the dhcp binding table, but anyway the clients will get other IP addresses than the static bindings that you have configured through the sub dhcp pools, simple because you didn't relate the sub dhcp pool to the main pool, do achieve that you should add the following command to each sub dhcp pool configuration:

SWCOPB01(config)#ip dhcp pool ManualDHCPUser1
SWCOPB01(dhcp-config)#host 10.10.80.35 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 01d4.3d7e.e906.3c
SWCOPB01(dhcp-config)#default-router 10.10.80.1
SWCOPB01(dhcp-config)#exit

SWCOPB01(config)#ip dhcp pool ManualDHCPUser2
SWCOPB01(dhcp-config)#host 10.10.80.36 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 013c.970e.9050.f5
SWCOPB01(dhcp-config)#default-router 10.10.80.1
SWCOPB01(dhcp-config)#exit

Wishing to test it and let me know the result!

Andrew Khalil