
New Member

catalyst switch port configure - allow only machines which use dhcp

Hi

Is it possible to configure Cat3750 or 2960 ports so that they only allow machines on the network which use DHCP, not a static IP? If so, how do I configure it?

Any comments will be appreciated.

thanks in advance

julxu

2 ACCEPTED SOLUTIONS

8 REPLIES
Bronze

Re: catalyst switch port configure - allow only machines which u

Have a read through this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html

Also you can use port-security on the switch port, to allow only 1 or a certain number of mac-addresses to associate with that port.

Hope it helps

Eugen

Hall of Fame Super Gold

catalyst switch port configure - allow only machines which use d

Not possible, as far as I'm aware, without the use of NAP/NAC.

catalyst switch port configure - allow only machines which use d

Hi ,

I believe that a good solution is DAI (ARP inspection) + DHCP snooping.

Dan

catalyst switch port configure - allow only machines which use d

I saw that you are also asking about configuration:

Let's suppose that your hosts are on VLAN 99.

Enable DHCP snooping on VLAN 99:

ip dhcp snooping

ip dhcp snooping vlan 99

You should permit DHCP offers from the server; this configuration should be made on the port towards the DHCP server:

interface gi0/0

ip dhcp snooping trust

You should not enable ARP inspection before the DHCP snooping table is populated, because DAI will drop the packets.

You can check the DHCP snooping table using: show ip dhcp snooping binding

Enable ARP inspection on VLAN 99:

ip arp inspection vlan 99

Also, you will need to trust (not use ARP inspection) on the trunk ports:

interface gi2/3

ip arp inspection trust

HTH

Dan

Cisco Employee

catalyst switch port configure - allow only machines which use d

Dan,

Actually, the DHCP Snooping + IP Source Guard would do the trick here. The DAI is a nice feature but it does not really prevent a station from having a static IP address and accessing the network. Using the IPSG, on the other hand, will prevent a station from communicating if it is not assigned an IP address via DHCP.

The IPSG is configured fairly easily: after configuring the DHCP Snooping as you suggested, the IPSG is configured on a per-interface basis using the ip verify source command.

Best regards,

Peter

catalyst switch port configure - allow only machines which use d

Hi Peter,

As far as I know, DAI permits frames on non-trusted ports based on the DHCP snooping database.

So if you have DAI + DHCP snooping enabled on a VLAN, and a host in that VLAN has its IP configured statically, DAI will drop every frame from that host. In order to make this host function properly with a static IP, an ARP inspection filter should be configured.

As for a host that gets its IP via DHCP, in the same VLAN as the host above, with the DHCP snooping database having its MAC/IP in the database (the DHCP server has already sent its offer), DAI will permit its frames through the port.

You are saying that this is not the case?

Kind regards,

Dan

New Member

catalyst switch port configure - allow only machines which use d

Hi

Great thanks for all the help. I have tried Dan's method by:

On the router configuration:

   ip dhcp snooping

   ip dhcp snooping vlan 99

   interface GigabitEthernet1/1

     description to test switch

     switchport

     switchport trunk encapsulation dot1q

     switchport mode trunk

     ip dhcp snooping trust

On the test switch:

   ip dhcp snooping

   ip dhcp snooping vlan 99

   ip arp inspection vlan 96

   interface GigabitEthernet1/1

      description to route

      switchport trunk encapsulation dot1q

      switchport mode trunk

      ip dhcp snooping trust

   interface GigabitEthernet0/1

      description test vista

       switchport access vlan 99

       switchport mode access

       switchport voice vlan 199

  

I can get DHCP traffic, both to/from the server, but I cannot do anything else; all other traffic is banned. Error on the test switch:

%SW_DAI_4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on G1/1, vlan99 ......

The message shows two ARPs; the other one is a static IP. If I take ip arp inspection vlan 99 off, I can get traffic.

Please advise.

Many Regards

Julxu

catalyst switch port configure - allow only machines which use d

Hi,

You have enabled DHCP snooping for VLAN 99 and DAI for 96. DAI should also be for 99. Typo?

  ip dhcp snooping vlan 99

  ip arp inspection vlan 96

For those ports that have hosts with a static IP assigned, you should configure one of these two:

   1) ip arp inspection trust - it will disable DAI on that port.

   2) Use static bindings for DAI:

      (global) arp access-list VLAN99

                permit ip host x.x.x.x mac host h.h.h

      (global) ip arp inspection filter VLAN99 vlan 99

This is also your case. Gi1/1 is connected to another switch. You must configure ip arp inspection on this port.

Dan
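As an added example that is not from any poster in this thread, the configuration below ties together what Dan (DHCP snooping + DAI, ARP ACL for a static host) and Peter (IP Source Guard via ip verify source) describe above into one access-switch config. It assumes hosts in VLAN 99, an uplink Gi1/1 towards the router and DHCP server, a DHCP client on Gi0/1 and one static-IP host on Gi0/2; the MAC and IP values are placeholders.

```cisco
! Added example (not from the thread): Catalyst 2960/3750 access switch.
! Assumed: hosts in VLAN 99, uplink Gi1/1 to router/DHCP server,
! DHCP client on Gi0/1, static-IP host on Gi0/2. Addresses are placeholders.
!
! 1) DHCP snooping builds the binding table (MAC, IP, VLAN, interface).
ip dhcp snooping
ip dhcp snooping vlan 99
!
! 2) Trust the uplink: DHCP offers and ARP from upstream are not inspected,
!    and the DAI rate limit does not apply to a trusted port.
interface GigabitEthernet1/1
 description uplink to router / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 3) Static host exception: a static binding so IPSG accepts it, plus the
!    ARP ACL approach from the thread so DAI accepts its ARP packets.
!    Do NOT add the "static" keyword to the filter, or DHCP bindings would
!    no longer be consulted for VLAN 99 and DHCP clients would be dropped.
ip source binding 0000.0000.0001 vlan 99 192.0.2.50 interface GigabitEthernet0/2
arp access-list STATIC-HOSTS-VLAN99
 permit ip host 192.0.2.50 mac host 0000.0000.0001
!
! 4) Enable DAI only after the binding table has been populated.
ip arp inspection vlan 99
ip arp inspection filter STATIC-HOSTS-VLAN99 vlan 99
!
! 5) IP Source Guard: IP traffic on the port is dropped unless its source
!    IP matches a DHCP or static binding. A host with a self-assigned
!    static IP and no binding gets DHCP through, and nothing else.
interface GigabitEthernet0/1
 description DHCP client
 switchport mode access
 switchport access vlan 99
 ip verify source
!
interface GigabitEthernet0/2
 description static-IP host (covered by the binding above)
 switchport mode access
 switchport access vlan 99
 ip verify source
!
! Verification:
!   show ip dhcp snooping binding
!   show ip source binding
!   show ip arp inspection vlan 99
!   show ip verify source
```

Watch the log for %SW_DAI and %IP_SOURCE_GUARD drops after enabling DAI and IPSG; a burst of denies on an uplink usually means that port still needs the trust statements from step 2.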
