2866 Views, 0 Helpful, 8 Replies

catalyst switch port configure - allow only machines which use dhcp

julxu
Level 1

Hi

Is it possible to configure Cat3750 or 2960 ports so that they only allow machines on the network which use DHCP, not a static IP? If so, how do I configure it?

Any comments will be appreciated.

Thanks in advance

julxu


8 Replies

ebarticel
Level 4

Have a read thru this

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html

Also you can use port-security on the switch port, to allow only 1 or a certain number of mac-addresses to associate with that port.

Hope it helps

Eugen

Leo Laohoo
Hall of Fame

Not possible, as far as I'm aware, without the use of NAP/NAC.

Hi,

I believe that a good solution is DAI (ARP inspection) + DHCP snooping.

Dan

I saw that you are asking also about configuration:

Let's suppose that your hosts are on VLAN 99.

Enable DHCP snooping on VLAN 99:

ip dhcp snooping
ip dhcp snooping vlan 99

You should permit DHCP offers from the server; this configuration should be made on the port towards the DHCP server:

interface gi0/0
 ip dhcp snooping trust

You should not enable ARP inspection before you have the DHCP snooping table populated, because DAI will drop the packets.

You can check the DHCP snooping table using: show ip dhcp snooping bindings

Enable ARP inspection on VLAN 99:

ip arp inspection vlan 99

Also you will need to trust (not use ARP inspection) on the trunk ports:

interface gi2/3
 ip arp inspection trust

HTH

Dan

Dan,

Actually, the DHCP Snooping + IP Source Guard would do the trick here. The DAI is a nice feature but it does not really prevent a station from having a static IP address and accessing the network. Using the IPSG, on the other hand, will prevent a station from communicating if it is not assigned an IP address via DHCP.

The IPSG is configured fairly easily: after configuring the DHCP Snooping as you suggested, the IPSG is configured on a per-interface basis using the ip verify source command.

Best regards,

Peter

Hi Peter,

As far as I know, DAI permits frames on non-trusted ports based on the DHCP snooping database.

So if you have DAI + DHCP snooping enabled on a VLAN, and a host in that VLAN has its IP configured statically, DAI will drop every frame from that host. In order to make this host function properly with a static IP, an ARP inspection filter should be configured.

As for a host that gets its IP via DHCP, in the same VLAN as the host above, the DHCP snooping database has its MAC/IP in the database (the DHCP server has already sent its offer), so DAI will permit its frames thru the port.

You are saying that this is not the case?

Kind regards,

Dan

Hi

Great thanks for all the help. I have tried Dan's method by:

on router configuration

   ip dhcp snooping
   ip dhcp snooping vlan 99
   interface GigabitEthernet1/1
     description to test switch
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
     ip dhcp snooping trust

on test switch

   ip dhcp snooping
   ip dhcp snooping vlan 99
   ip arp inspection vlan 96
   interface GigabitEthernet1/1
      description to route
      switchport trunk encapsulation dot1q
      switchport mode trunk
      ip dhcp snooping trust
   interface GigabitEthernet0/1
      description test vista
      switchport access vlan 99
      switchport mode access
      switchport voice vlan 199

I can get DHCP traffic, both to/from the server, but I can not do anything; all other traffic is blocked. Error on test switch:

%SW_DAI_4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on G1/1, vlan99 ......

The message has two ARPs; the other one is a static IP. If I take ip arp inspection vlan99 off, I can get traffic.

Please advise

Many Regards

Julxu

Hi,

You have enabled DHCP snooping for VLAN 99 and DAI for 96. DAI should also be for 99. Typo?

  ip dhcp snooping vlan 99
  ip arp inspection vlan 96

For those ports that have hosts with a static IP assigned you should configure one of these two:

   1) ip arp inspection trust - it will disable DAI on that port.

   2) Use static bindings for DAI:

       (global) arp access-list VLAN99
                 permit ip host x.x.x.x mac host h.h.h
       (global) ip arp inspection filter VLAN99 vlan 99

This is also your case. Gi1/1 is connected to another switch. You must configure ip arp inspection on this port.

Dan
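Putting the thread's pieces together (Dan's DHCP snooping + DAI with a static ARP ACL for a non-DHCP host and a trusted uplink, and Peter's IP Source Guard via ip verify source) into one constructed switch configuration. This is an added example, not config posted in the thread; VLAN 99, the interface names, and the printer's 192.0.2.50 / 0011.2233.4455 are placeholders.

```cisco
! Constructed example: Catalyst access switch, hosts in VLAN 99,
! DHCP server reached through the trunk uplink Gi1/1.
ip dhcp snooping
ip dhcp snooping vlan 99
! Option 82 insertion on untrusted ports can make a relay/server drop
! the request; leave it off unless the DHCP server expects it.
no ip dhcp snooping information option
!
! DAI on the SAME VLAN as snooping (DAI validates ARP against the
! snooping binding table). Enable only after the table has populated.
ip arp inspection vlan 99
!
! Host that does not use DHCP: give DAI a static IP/MAC permit ...
arp access-list STATIC-VLAN99
 permit ip host 192.0.2.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-VLAN99 vlan 99
! ... and give IPSG a static source binding for the same host/port.
ip source binding 0011.2233.4455 vlan 99 192.0.2.50 interface GigabitEthernet0/2
!
! Uplink towards DHCP server / other switch: trusted for both features,
! otherwise DAI drops the ARPs arriving from beyond that switch.
interface GigabitEthernet1/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User port (untrusted): IPSG drops IP traffic whose source IP has no
! snooping binding, so a self-assigned static address gets no service.
interface GigabitEthernet0/1
 description user PC (DHCP)
 switchport access vlan 99
 switchport mode access
 ip verify source
!
! Static host port: IPSG still on, admitted via the static binding above.
interface GigabitEthernet0/2
 description printer (static IP)
 switchport access vlan 99
 switchport mode access
 ip verify source
!
! Verification: show ip dhcp snooping binding / show ip verify source /
! show ip arp inspection statistics vlan 99
```

Bring DAI and IPSG up after clients have renewed their leases, and watch the DAI statistics for the VLAN: a steady drop count on an uplink is the sign that the trunk was left untrusted, which is the symptom julxu hit on Gi1/1.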
