Configuring DHCP Snooping

CHAPTER 19

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration examples.

This chapter consists of the following major sections:

  Overview of DHCP Snooping, page 19-1
  Configuring DHCP Snooping on the Switch, page 19-2
  Displaying DHCP Snooping Information, page 19-4

For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/index.htm

Overview of DHCP Snooping

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

In order to enable DHCP snooping on a VLAN, you must enable DHCP snooping on the switch. You can configure DHCP snooping for switches and VLANs. When you enable DHCP snooping on a switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN. When you enable DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge within a VLAN domain.

For DHCP server configuration information, refer to Configuring DHCP in the Cisco IOS IP and IP Routing Configuration Guide at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cddhcp.htm

Configuring DHCP Snooping on the Switch

When you configure DHCP snooping on your switch, you are enabling the switch to differentiate untrusted interfaces from trusted interfaces. You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN. You can enable DHCP snooping independently from other DHCP features.

Once you have enabled DHCP snooping, all the DHCP relay information option configuration commands are disabled; this includes the following commands:

  ip dhcp relay information check
  ip dhcp relay information policy
  ip dhcp relay information option
  ip dhcp relay information trusted
  ip dhcp relay information trust-all

These sections describe how to configure DHCP snooping:

  Default Configuration for DHCP Snooping
  Enabling DHCP Snooping
  Enabling DHCP Snooping on Private VLAN, page 19-4

Default Configuration for DHCP Snooping

DHCP snooping is disabled by default. Table 19-1 shows all the default configuration values for each DHCP snooping option.

Table 19-1  Default Configuration Values for DHCP Snooping

  Option                              Default Value/State
  ----------------------------------  --------------------------------------------------------
  DHCP snooping                       Disabled
  DHCP snooping information option    Enabled
  DHCP snooping limit rate            Infinite (functions as if rate limiting were disabled)
  DHCP snooping trust                 Untrusted
  DHCP snooping vlan                  Disabled

If you want to change the default configuration values, see the Enabling DHCP Snooping section.

Enabling DHCP Snooping

To enable DHCP snooping, perform this task:

  Step 1  Switch(config)# ip dhcp snooping
          Enables DHCP snooping globally. You can use the no keyword to disable DHCP snooping.

  Step 2  Switch(config)# ip dhcp snooping vlan number [number]
          Enables DHCP snooping on your VLANs.

  Step 3  Switch(config)# ip dhcp snooping information option
          Enables DHCP Option 82 data insertion.

  Step 4  Switch(config-if)# ip dhcp snooping trust
          Configures the interface as trusted or untrusted. You can use the no keyword to configure the interface as untrusted.

  Step 5  Switch(config-if)# ip dhcp snooping limit rate rate
          Configures the number of DHCP packets per second (pps) that an interface can receive. You may not want to configure untrusted rate limiting to more than 100 pps. Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value.

  Step 6  Switch(config)# end
          Exits configuration mode.

  Step 7  Switch# show ip dhcp snooping
          Verifies the configuration.

You can configure DHCP snooping for a single VLAN or a range of VLANs. To configure a single VLAN, enter a single VLAN number. To configure a range of VLANs, enter a beginning and an ending VLAN number.

This example shows how to enable DHCP snooping on VLANs 10 through 100 (the interface selected for the trust and rate-limit commands is FastEthernet2/1, the trusted port shown in the output):

  Switch# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch(config)# ip dhcp snooping
  Switch(config)# ip dhcp snooping vlan 10 100
  Switch(config)# ip dhcp snooping information option
  Switch(config)# interface FastEthernet2/1
  Switch(config-if)# ip dhcp snooping trust
  Switch(config-if)# ip dhcp snooping limit rate 100
  Switch(config-if)# end
  Switch# show ip dhcp snooping
  DHCP Snooping is configured on the following VLANs:
  10 30-40 100 200-220
  Insertion of option 82 information is enabled.
  Interface          Trusted    Rate limit (pps)
  ---------          -------    ----------------
  FastEthernet2/1    yes        10
  FastEthernet2/2    yes        none
  FastEthernet3/1    no         20
  Switch#

Enabling DHCP Snooping on Private VLAN

DHCP snooping can be enabled on private VLANs, which provide isolation between Layer 2 ports within the same VLAN. If DHCP snooping is enabled (or disabled), the configuration is propagated to both the primary VLAN and its associated secondary VLANs; you cannot enable (or disable) DHCP snooping on a primary VLAN without reflecting this configuration change on the secondary VLANs.

Configuring DHCP snooping on a secondary VLAN is still allowed, but it will not take effect if the associated primary VLAN is already configured. If this is the case, the effective DHCP snooping mode on the secondary VLAN is derived from the corresponding primary VLAN. Manually configuring DHCP snooping on a secondary VLAN will cause the switch to issue the error message:

  DHCP Snooping configuration may not take effect on secondary vlan XXX

The command show ip dhcp snooping will display all VLANs with DHCP snooping enabled, including both primary VLANs and their corresponding secondary VLANs.

Displaying DHCP Snooping Information

You can display a DHCP snooping binding table and configuration information for all interfaces on a switch.

Displaying a Binding Table

The DHCP snooping binding table for each switch contains binding entries that correspond to untrusted ports. It does not contain information about hosts interconnected with a trusted port, because each interconnected switch will have its own DHCP snooping binding table.

This example shows how to display the DHCP snooping binding information for a switch.

  Switch# show ip dhcp snooping binding
  MacAddress          IP Address     Lease (seconds)   Type      VLAN    Interface
  -----------         -----------    ----------------  -----     -----   ------------
  0000.0100.0201      10.0.0.1       1600              dynamic   100     FastEthernet2/1
  Switch#

Table 19-2 describes the fields in the show ip dhcp snooping binding command output.

Table 19-2  show ip dhcp snooping binding Command Output

  Field             Description
  ----------------  --------------------------------------------------------------------
  Mac Address       Client hardware MAC address
  IP Address        Client IP address assigned from the DHCP server
  Lease (seconds)   IP address lease time
  Type              Binding type; statically configured from CLI or dynamically learned
  VLAN              VLAN number of the client interface
  Interface         Interface that connects to the DHCP client host

Displaying the DHCP Snooping Configuration

This example shows how to display the DHCP snooping configuration for a switch.

  Switch# show ip dhcp snooping
  Switch DHCP snooping is enabled.
  DHCP Snooping is configured on the following VLANs:
  10 30-40 100 200-220
  Insertion of option 82 information is enabled.
  Interface          Trusted    Rate limit (pps)
  ---------          -------    ----------------
  FastEthernet2/1    yes        10
  FastEthernet3/1    yes        none
  GigabitEthernet1/1 no         20
  Switch#
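As an added example (not part of this chapter and not Cisco code), the following Python audits the interface table of a saved show ip dhcp snooping capture against the guidance in the Enabling DHCP Snooping steps: untrusted ports should be rate limited at no more than 100 pps, and trusted ports, which aggregate all DHCP traffic in the switch, need a limit higher than any untrusted port. The sample output is constructed from the display above with two extra ports added, and "none" is read as no rate limit, matching the Infinite default in Table 19-1.

```python
import re

# Constructed sample modelled on the "show ip dhcp snooping" output shown in this chapter
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled.
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 information is enabled.
Interface          Trusted    Rate limit (pps)
---------          -------    ----------------
FastEthernet2/1    yes        10
FastEthernet3/1    yes        none
GigabitEthernet1/1 no         20
GigabitEthernet1/2 no         none
GigabitEthernet1/3 no         500
"""

UNTRUSTED_MAX_PPS = 100  # ceiling the chapter suggests for untrusted ports
ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|none)$")  # tolerant of column spacing

def parse_interfaces(text):
    """Map interface name -> (trusted, rate_limit); rate_limit is None for 'none'."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, dashes and VLAN lines do not match the row pattern
            name, trusted, limit = m.groups()
            ports[name] = (trusted == "yes", None if limit == "none" else int(limit))
    return ports

def audit(ports):
    """Return (interface, reason) pairs for settings the chapter advises against."""
    findings = []
    untrusted_limits = [l for t, l in ports.values() if not t and l is not None]
    highest_untrusted = max(untrusted_limits, default=0)
    for name, (trusted, limit) in sorted(ports.items()):
        if not trusted:
            if limit is None:  # default is infinite, i.e. no rate limiting at all
                findings.append((name, "untrusted port has no rate limit"))
            elif limit > UNTRUSTED_MAX_PPS:
                findings.append((name, f"untrusted limit {limit} pps exceeds {UNTRUSTED_MAX_PPS} pps"))
        elif limit is not None and limit <= highest_untrusted:
            # trusted ports carry the aggregate DHCP traffic, so their limit must be higher
            findings.append((name, f"trusted limit {limit} pps is not above the untrusted limits"))
    return findings

if __name__ == "__main__":
    for port, reason in audit(parse_interfaces(SAMPLE_OUTPUT)):
        print(f"{port}: {reason}")
```

Run against a real capture, replace SAMPLE_OUTPUT with the saved command output; on the sample it flags the trusted port limited to 10 pps and the two untrusted ports with no limit or a limit above 100 pps.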
