Configuring DHCP Features

Similar documents
Configuring DHCP Features and IP Source Guard

Configuring DHCP. Information About DHCP. DHCP Server. DHCP Relay Agent. DHCP Snooping

Configuring DHCP Snooping

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Configuring DHCP Features and IP Source Guard

Configuring DHCP Features and IP Source Guard

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Configuring DHCP Features

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Configuring DHCP. About DHCP Snooping, page 2 About the DHCPv6 Relay Agent, page 8

Configuration Examples for DHCP, on page 37 Configuration Examples for DHCP Client, on page 38 Additional References for DHCP, on page 38

Configuring DHCP. Finding Feature Information

Configuring Dynamic ARP Inspection

Finding Feature Information, page 2 Information About DHCP Snooping, page 2 Information About the DHCPv6 Relay Agent, page 8

22 Cisco IOS Commands for the Catalyst 4500 Series Switches interface

Configuring Voice VLAN

Configuring DHCP Snooping

Configuring Dynamic ARP Inspection

DHCP Relay Server ID Override and Link Selection Option 82 Suboptions

Smart Install Concepts

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch

Understanding and Configuring Dynamic ARP Inspection

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

Configuring ARP attack protection 1

Configuring IGMP Snooping and MVR

Configuring Port-Based Traffic Control

Table of Contents 1 ARP Configuration Guide 1-1

Configuring EtherChannels and Link-State Tracking

Configuring MLD Snooping

DHCP H3C Low-End Ethernet Switches Configuration Examples. Table of Contents

Configuring VLANs. Understanding VLANs CHAPTER

Configuring Multicast VLAN Registration

Configuring the Cisco IOS XE DHCP Server

Switches running the LAN Base feature set support only static routing on SVIs.

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Configuring Interface Characteristics

Configuring SPAN. Understanding SPAN CHAPTER. This chapter describes how to configure Switched Port Analyzer (SPAN) and on the Catalyst 2960 switch.

Configuring ARP attack protection 1

Configuring the Cisco IOS DHCP Relay Agent

IP Addressing: DHCP Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 920 Series)

Configuring VLANs. Understanding VLANs CHAPTER

IP Addressing: DHCP Configuration Guide

VLANs over IP Unnumbered SubInterfaces

Configuring SPAN and RSPAN

Configuring Private Hosts

Configuring SPAN and RSPAN

Operation Manual DHCP H3C S5500-SI Series Ethernet Switches. Table of Contents. Table of Contents

Configuring Port-Based Traffic Control

Configuring Port-Based Traffic Control

DHCP Configuration. Page 1 of 14

Configuring IP Unnumbered Interface

Configuring SPAN and RSPAN

Configuring VTP. Understanding VTP CHAPTER

White Paper. Ruijie DHCP Snooping. White Paper

DHCP H3C Low-End Ethernet Switches Configuration Examples. Table of Contents

Configuring EtherChannels

Configuring the PPPoE Intermediate Agent

Configuring Private VLANs

Implementing the Dynamic Host Configuration Protocol

Configuring MLD Snooping

DHCP Commands. default-router, page 13

Configuring the PPPoE Intermediate Agent

Implementing the Dynamic Host Configuration Protocol

Configuring VLAN Trunks

DHCP Client. Finding Feature Information. Restrictions for the DHCP Client

Configuring Storm Control

Configuring Port-Based Traffic Control

Configuring Private VLANs

Configuring DHCP for WLANs

Configuring IPv6 First-Hop Security

Configuring SPAN and RSPAN

DHCP Server RADIUS Proxy

Configuring the DHCP Relay

Configuring Interface Characteristics

Configuring the PPPoE Intermediate Agent

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

2] Chapter 2 Cisco IOS Commands traceroute mac

Configuring Cisco IOS CNS Agents

DHCP Configuration Examples H3C S7500 Series Ethernet Switches Release Table of Contents

Configuring the Cisco IOS DHCP Server

IPv6 Access Services: DHCPv6 Relay Agent

Configuring IGMP Snooping and Filtering

Configuring Private VLANs

Configuring EtherChannels and Layer 2 Trunk Failover

Constraining IP Multicast in a Switched Ethernet Network

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VTP. Understanding VTP CHAPTER

Configuring EtherChannels and Layer 2 Trunk Failover

Configuring VLANs. Understanding VLANs CHAPTER

Configuring IGMP Snooping and Filtering

Configuring IP Unnumbered on IEEE 802.1Q VLANs

Configuring EtherChannels and Link-State Tracking

Configuring Interface Characteristics

Configuring SPAN and RSPAN

Using AutoQoS. Understanding AutoQoS CHAPTER

ARP attack protection commands

Configuring System MTU

Command Manual MAC Address Table Management H3C S5500-EI Series Ethernet Switches. Table of Contents

Transcription:

CHAPTER 19 This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping and the option-82 data insertion features on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and refer to the IP Addressing and Services section in the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: Understanding DHCP Features, page 19-1, page 19-3 Displaying DHCP Information, page 19-5 Understanding DHCP Features DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server, which significantly reduces the overhead of administration of IP addresses. DHCP also helps conserve the limited IP address space because IP addresses no longer need to be permanently assigned to hosts; only those hosts that are connected to the network consume IP addresses. DHCP Snooping DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall that can cause traffic attacks within your network. The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network. 19-1

Understanding DHCP Features Chapter 19 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch. Option-82 Data Insertion In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified. Figure 19-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server. Figure 19-1 DHCP Relay Agent in a Metropolitan Ethernet Network DHCP server Catalyst switch (DHCP relay agent) Access layer Host A (DHCP client) Subscribers Host B (DHCP client) VLAN 10 98813 When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs: The host (DHCP client) generates a DHCP request and broadcasts it on the network. When the switch receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server. The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply. The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request. 19-2

Chapter 19 DHCP Snooping and Switch Stacks DHCP snooping is managed on the stack master. When a new switch joins the stack, the switch receives DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping bindings associated with the switch age out. When a stack merge occurs, all DHCP snooping bindings in the stack master are lost if it is no longer the stack master. With a stack partition, the existing stack master is unchanged, and the bindings belonging to the partitioned switches age out. The new master of the partitioned stack begins processing the new incoming DHCP packets. For more information about switch stacks, see Chapter 5, Managing Switch Stacks. These sections describe how to configure DHCP snooping and option 82 on your switch: Default DHCP Configuration, page 19-3 DHCP Snooping Configuration Guidelines, page 19-3 Enabling DHCP Snooping and Option 82, page 19-4 Default DHCP Configuration Table 19-1 shows the default DHCP configuration. Table 19-1 Default DHCP Configuration Feature DHCP snooping enabled globally DHCP snooping information option DHCP snooping limit rate DHCP snooping trust DHCP snooping VLAN Default Setting Disabled Enabled None configured Untrusted Disabled DHCP Snooping Configuration Guidelines These are the configuration guidelines for DHCP snooping. You must globally enable DHCP snooping on the switch. DHCP snooping is not active until DHCP snooping is enabled on a VLAN. When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied. ip dhcp relay information check global configuration command ip dhcp relay information policy global configuration command ip dhcp relay information trust-all global configuration command ip dhcp relay information trusted interface configuration command 19-3

Chapter 19 Before configuring the DHCP information option on your switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude or configure DHCP options for devices. If your switch is the DHCP server, see the Configuring the DHCP Server section on page 4-5 section for more information. If your DHCP server is a Cisco device, refer to the IP Addressing and Services section in the Configuring DHCP chapter of the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Otherwise, refer to the documentation that shipped with the server. Enabling DHCP Snooping and Option 82 Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip dhcp snooping Enable DHCP snooping globally. Step 3 ip dhcp snooping vlan vlan-id [vlan-id] Enable DHCP snooping on a VLAN or range of VLANs. You can specify a single VLAN identified by VLAN ID number or start and end VLAN IDs to specify a range of VLANs. The range is 1 to 4094. Step 4 ip dhcp snooping information option Enable the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. The default is enabled. Step 5 interface interface-id Enter interface configuration mode, and specify the interface to be configured. Step 6 ip dhcp snooping trust (Optional) Configure the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive messages from an untrusted client. The default is untrusted. Step 7 ip dhcp snooping limit rate rate (Optional) Configure the number of DHCP packets per second than an interface can receive. The range is 1 to 4294967294. The default is no rate limit configured. Note We recommend an untrusted rate limit of not more than 100 packets per second. Normally, the rate limit applies to untrusted interfaces. If you configure rate limiting for trusted interfaces, you will need to adjust the rate limit to a higher value because trusted interfaces might aggregate DHCP traffic in the switch. Step 8 end Return to privileged EXEC mode. Step 9 show running-config Verify your entries. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-id global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. 19-4

Chapter 19 Displaying DHCP Information This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port: Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 Switch(config)# ip dhcp snooping information option Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# ip dhcp snooping limit rate 100 Displaying DHCP Information You can display a DHCP snooping binding table and configuration information for all interfaces on a switch. Displaying a Binding Table The DHCP snooping binding table for each switch has binding entries that correspond to untrusted ports. The table does not have information about hosts interconnected with a trusted port because each interconnected switch has its own DHCP snooping binding table. This example shows how to display the DHCP snooping binding entries for a switch. Switch# show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ---------- ------- ---- -------------------- 00:30:94:C2:EF:35 41.0.0.51 286 dynamic 41 gigabitethernet2/0/1 00:D0:B7:1B:35:DE 41.0.0.52 237 dynamic 41 gigabitethernet2/0/1 00:00:00:00:00:01 40.0.0.46 286 dynamic 40 gigabitethernet1/0/2 00:00:00:00:00:03 42.0.0.33 286 dynamic 42 gigabitethernet3/0/2 00:00:00:00:00:02 41.0.0.53 286 dynamic 41 gigabitethernet2/0/2 Table 19-2 describes the fields in the show ip dhcp snooping binding command output. Table 19-2 show ip dhcp snooping binding Command Output Field MAC Address IP Address Lease (seconds) Type VLAN Interface Description Client hardware MAC address Client IP address assigned from the DHCP server IP address lease time Binding type; dynamic binding learned by DHCP snooping or statically configured binding VLAN number of the client interface Interface that connects to the DHCP client host 19-5

Displaying DHCP Information Chapter 19 Displaying the DHCP Snooping Configuration This example shows how to display the DHCP snooping configuration for a switch. Switch# show ip dhcp snooping Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs: 40-42 Insertion of option 82 is enabled Interface Trusted Rate limit (pps) ------------------------ ------- ---------------- gigabitethernet1/0/1 yes unlimited gigabitethernet2/0/2 no 5000 gigabitethernet2/0/3 yes unlimited gigabitethernet2/0/4 yes unlimited 19-6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback