
Quick suggestion on DHCP snooping

srikanth ath
Level 4

Hi all,

I am working in an environment where I should set up DHCP snooping for VLAN and MAC-based binding.

Note:

1. Any static IP assignment shouldn't give access to the internal network/internet.

2. A MAC address not bound in the DHCP server shouldn't have access to the internal network/internet.

Below is what I have done; please refer to it and suggest where I am mistaken.

L3 switch is the DHCP server.

The L3 switch is connected to an L2 switch, to which 40 hosts connect using the 10.10.14.0/24 series.

L3 switch config:

ip dhcp pool branchoffice1

   network 10.10.14.0 255.255.255.0

   default-router 10.10.10.1

   dns-server 10.10.10.6 8.8.4.4

interface FastEthernet0/45

switchport access vlan 99

switchport mode access

ip verify source port-security

i

ip dhcp excluded-address 10.10.14.1 10.10.14.39

ip dhcp excluded-address 10.10.14.72 10.10.14.255

ip dhcp pool ertyuyui

   host 10.10.14.63 255.255.255.0

   client-identifier 0110.78d2.7560.0f

   client-name ertyuyui

L2 switch config for example:

I have done this on all ports:

interface FastEthernet0/45
switchport access vlan 99
switchport mode access
ip verify source port-security

!

Thanks for the support, guys.

Please help me out with the above problem.

Thanks & regards,

srikanth


srikanth ath
Level 4

Hi,

I have given my PC the IP 10.10.14.6, which I have excluded with the DHCP excluded addresses, but I could still access the network/internet.

Thanks, please give a quick suggestion.

srikanth

Hi,

The IP Source Guard feature can function only if you configure DHCP snooping and/or manual binding, which you didn't configure.

Regards.

Alain.

Don't forget to rate helpful posts.
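The dependency described in the reply above can be checked offline against a saved configuration. The following is an added example, not code from any poster in this thread: the names `audit` and `expand_vlans` are hypothetical, the sample config is constructed, and it assumes interface names in `ip source binding` lines are spelled exactly as in the `interface` line.

```python
import re

# Constructed sample modelled on the thread's access-port config; not a real device dump.
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 99, 101
interface FastEthernet0/45
 switchport access vlan 99
 ip verify source port-security
interface FastEthernet0/46
 switchport access vlan 14
 ip verify source port-security
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '99, 101-103' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """List (port, reason) where 'ip verify source' has no binding source behind it."""
    snooping, snoop_vlans, static_ports, ports, cur = False, set(), set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if line.lower() == "ip dhcp snooping":
            snooping = True
        elif m := re.match(r"ip dhcp snooping vlan (.+)", line, re.I):
            snoop_vlans |= expand_vlans(m.group(1))
        elif m := re.match(r"ip source binding \S+ vlan \d+ \S+ interface (\S+)", line, re.I):
            static_ports.add(m.group(1))  # a manual binding also counts as a source
        elif m := re.match(r"interface (\S+)", line, re.I):
            cur = ports.setdefault(m.group(1), {"vlan": 1, "ipsg": False})
        elif cur and (m := re.match(r"switchport access vlan (\d+)", line, re.I)):
            cur["vlan"] = int(m.group(1))
        elif cur and line.lower().startswith("ip verify source"):
            cur["ipsg"] = True
    findings = []
    for name, port in ports.items():
        if port["ipsg"] and name not in static_ports:
            if not snooping:
                findings.append((name, "'ip dhcp snooping' is not enabled globally"))
            elif port["vlan"] not in snoop_vlans:
                findings.append((name, f"VLAN {port['vlan']} is not in 'ip dhcp snooping vlan'"))
    return findings

print(audit(SAMPLE))
```

The check covers only the presence of a binding source for each guarded access port; it does not inspect trunk ports or the contents of the snooping binding table on a live switch.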

Hi cadet,

I missed adding those. I have configured them at the global level.

IP DHCP SNOOPING

IP dhcp snooping vlan 99, 101

But the issue was resolved, as I have added one more command at the global level, which stops the end user (given static IP 10.10.14.6) from using a static IP, but I could ping the gateway IP 10.10.14.1. That is, he can ping all IPs of 10.10.14.0/24. How do I restrict that?

The command I have added is below; it is preventing the end user from issuing a static IP.

IP DHCP SNOOPING

IP dhcp snooping vlan 99, 101

ip dhcp snooping information option allow untrusted

Thanks & Regards

Srikanth

Hi,

DHCP snooping won't prevent a host from having a static IP, as far as I understand it.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

You need "IP Source Guard" and "DHCP Snooping" to prevent static IP addresses from hosts.

HTH,

Toshi

Hi all,

Above I have posted where I have enabled IP Source Guard per interface on all the ports in the switch.

The issue is resolved, and even if we use a static IP, I couldn't connect to the internet.

I have another case with this.

On switch 2 I have enabled source guard on all interfaces, as in the example below:

interface FastEthernet0/45

switchport access vlan 99

switchport mode access

ip verify source port-security

****I have provided the information in the attached file. Can you please refer to that and tell me where I'm going wrong?

******Branch and main office are trunked and all VLANs are allowed. The L3 switch has the route to the firewall for 10.10.14.0/24

and I have given a static route to the firewall gateway IP.

******Branch office clients were all assigned static IPs. In the same way I want to give static IPs of the 10.10.10.0/24 range in the main office. This is mainly because 10.10.10.0/24 is whitelisted, where we have a VPN to another client office, and there are many more reasons why he needs an IP of 10.10.10.0/24.

Thanks & regards

srikanth
