Difference between revisions of "Netband Project - DHCP Snooping"

From Teknologisk videncenter
(Configuration)
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<accesscontrol>NetBand</accesscontrol>
+
=DHCP Snooping=
 
This page is part of the [[Netband_Project|Netband Project]]
 
This page is part of the [[Netband_Project|Netband Project]]
  
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
+
*DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
 
+
*The DHCP snooping bindings are also used by the security features [[Netband Project - Dynamic Arp Inspection | Dynamic Arp Inspection]] and [[Netband Project - IP Source Guard | IP Source Guard]].
  
 
==Configuration==
 
==Configuration==
<pre>
+
<pre>ip dhcp snooping vlan 3,5
ip dhcp snooping vlan 3,5
 
 
ip dhcp snooping information option allow-untrusted
 
ip dhcp snooping information option allow-untrusted
 
ip dhcp snooping
 
ip dhcp snooping
 +
!
 +
interface FastEthernet0/1
 +
description HQdc1
 +
ip dhcp snooping trust
 +
!
 
</pre>
 
</pre>
 +
 +
==Verification==
 +
<pre>
 +
HQSW1#sh ip dhcp snooping binding
 +
MacAddress          IpAddress        Lease(sec)  Type          VLAN  Interface
 +
------------------  ---------------  ----------  -------------  ----  --------------------
 +
00:1B:2A:79:5F:53  10.1.2.52        208        dhcp-snooping  5    FastEthernet0/13
 +
00:03:47:C9:9F:AC  10.1.1.10        218        dhcp-snooping  3    FastEthernet0/2
 +
00:21:5A:F7:F1:01  10.1.2.50        51          dhcp-snooping  5    FastEthernet0/11
 +
Total number of bindings: 3
 +
</pre>
 +
 +
<pre>
 +
HQSW1#sh ip dhcp snooping
 +
Switch DHCP snooping is enabled
 +
DHCP snooping is configured on following VLANs:
 +
3,5
 +
Insertion of option 82 is enabled
 +
  circuit-id format: vlan-mod-port
 +
    remote-id format: MAC
 +
Option 82 on untrusted port is allowed
 +
Verification of hwaddr field is enabled
 +
Interface                    Trusted    Rate limit (pps)
 +
------------------------    -------    ----------------
 +
FastEthernet0/1              yes        unlimited
 +
</pre>
 +
 +
==External Links==
 +
[http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdhcp82.html#wp1078853 C3560 Configuration guide]
 +
[[Category:network]][[Category:CCNP]][[category:students]]
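Review bot: the added interface stanza in the Configuration block marks FastEthernet0/1 ("description HQdc1") with "ip dhcp snooping trust", but the page never says why this port is the trusted one or that every port without that line stays untrusted. One sentence under the Configuration heading stating both would make the block self-explanatory. The added Verification output also shows "Option 82 on untrusted port is allowed" and a rate limit of "unlimited" with only the trusted port listed, and neither is commented on. Either explain why "ip dhcp snooping information option allow-untrusted" is needed in this topology, or note that no "ip dhcp snooping limit rate" is set on the access ports, so readers do not copy the block assuming it is a complete hardening baseline.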

Latest revision as of 06:34, 13 May 2009

DHCP Snooping

This page is part of the Netband Project

  • DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
  • The DHCP snooping bindings are also used by the security features Dynamic ARP Inspection and IP Source Guard.

Configuration

ip dhcp snooping vlan 3,5
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
interface FastEthernet0/1
 description HQdc1
 ip dhcp snooping trust
!

Verification

HQSW1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1B:2A:79:5F:53   10.1.2.52        208         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        218         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        51          dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 3

HQSW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
3,5
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
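
The binding table above is what Dynamic ARP Inspection and IP Source Guard consult. The following is an added example, not part of the original page or of Cisco's implementation: it parses the "sh ip dhcp snooping binding" output shown above and applies a simplified model of that lookup. The function names and the observed senders used with it are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Output copied from the Verification section of this page.
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1B:2A:79:5F:53   10.1.2.52        208         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        218         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        51          dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 3
"""

class Binding(NamedTuple):
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str

# MAC, IPv4, lease, type (ignored), VLAN, interface
ROW = re.compile(r"^((?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(\d+(?:\.\d+){3})\s+(\d+)"
                 r"\s+\S+\s+(\d+)\s+(\S+)\s*$", re.I)

def parse_bindings(text):
    """Return bindings keyed by (vlan, ip) and cross-check the switch's total."""
    table, total = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            b = Binding(m[1].upper(), m[2], int(m[3]), int(m[4]), m[5])
            table[(b.vlan, b.ip)] = b
        elif line.startswith("Total number of bindings:"):
            total = int(line.split(":")[1])
    if total is not None and total != len(table):
        raise ValueError(f"parsed {len(table)} rows, switch reports {total}")
    return table

def check(table, vlan, ip, mac, interface):
    """Simplified DAI / IP Source Guard style decision for one observed sender."""
    b = table.get((vlan, ip))
    if b is None:
        return "deny: no binding for this IP in the VLAN"
    if b.mac != mac.upper():
        return "deny: IP is bound to a different MAC"
    if b.interface != interface:
        return "deny: binding was learned on another port"
    return "permit"
```

A statically addressed host has no row in this table, so under this model it is denied on an untrusted port unless a static binding or ARP ACL is configured for it.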

External Links

C3560 Configuration guide