11-23-2011 06:58 AM - edited 03-07-2019 03:33 AM
Hi all,
I am working in an environment where I should set up DHCP snooping for a VLAN and MAC-based binding.
Note:
1. Any static IP assignment shouldn't give access to the internal network/internet.
2. A MAC address not bound in the DHCP server shouldn't get access to the internal network/internet.
Below is what I have done; please refer to it and suggest where I am mistaken.
The L3 switch is the DHCP server.
The L3 switch is connected to an L2 switch, where 40 hosts connect to use the 10.10.14.0/24 series.
L3 switch config:
ip dhcp pool branchoffice1
network 10.10.14.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.6 8.8.4.4
interface FastEthernet0/45
switchport access vlan 99
switchport mode access
ip verify source port-security
!
ip dhcp excluded-address 10.10.14.1 10.10.14.39
ip dhcp excluded-address 10.10.14.72 10.10.14.255
ip dhcp pool ertyuyui
host 10.10.14.63 255.255.255.0
client-identifier 0110.78d2.7560.0f
client-name ertyuyui
L2 switch config, for example:
I have done this on all ports.
interface FastEthernet0/45
switchport access vlan 99
switchport mode access
ip verify source port-security
!
Thanks for the support, guys.
Please help me out with the above problem.
Thanks & regards,
Srikanth
11-23-2011 07:06 AM
Hi,
I have given my PC the IP 10.10.14.6, which I have excluded in the DHCP excluded addresses, but I could still access the network/internet.
Thanks, please give a quick suggestion.
Srikanth
11-23-2011 07:17 AM
Hi,
The IP Source Guard feature can function only if you configure DHCP snooping and/or manual binding, which you didn't configure.
Regards.
Alain.
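The prerequisite described in the reply above can be checked against a saved configuration. The following Python audit is an added example, not part of any post in this thread and not Cisco tooling: it lists ports that carry `ip verify source` but have neither DHCP snooping on their access VLAN nor a manual `ip source binding`. The function names are hypothetical, the sample configs are constructed from the stanzas posted in the thread, and an access VLAN of 1 is assumed when none is configured.

```python
import re

# Constructed sample: the access-port stanza from the thread, nothing else configured.
PORT_ONLY = """interface FastEthernet0/45
 switchport access vlan 99
 switchport mode access
 ip verify source port-security
!
"""
# Constructed samples: the same port plus global snooping, or plus a manual binding
# (MAC/IP pair derived from the DHCP host pool shown in the thread).
WITH_SNOOPING = "ip dhcp snooping\nip dhcp snooping vlan 99, 101\n" + PORT_ONLY
WITH_STATIC = PORT_ONLY + "ip source binding 1078.d275.600f vlan 99 10.10.14.63 interface Fa0/45\n"


def short(name):
    """Normalise 'FastEthernet0/45' and 'Fa0/45' to the same key, 'fa0/45'."""
    return re.sub(r"^([a-z]{2})[a-z]*\s*", r"\1", name.strip().lower())


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '99, 101' or '10-12' into a set of ints."""
    vlans = set()
    for part in re.findall(r"\d+(?:-\d+)?", spec):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def ipsg_without_bindings(config):
    """List ports where 'ip verify source' is set but no binding source covers them."""
    snooping, snooped, static, ports, cur = False, set(), set(), {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line.startswith("interface "):
            cur = short(line.split(None, 1)[1])
            ports[cur] = {"vlan": 1, "ipsg": False}  # assumption: access VLAN 1 if unset
        elif line == "ip dhcp snooping":
            snooping = True  # global enable; per-VLAN lines alone are not enough
        elif m := re.match(r"ip dhcp snooping vlan (.+)", line):
            snooped |= expand_vlans(m.group(1))
        elif m := re.match(r"ip source binding \S+ vlan \d+ \S+ interface (\S+)", line):
            static.add(short(m.group(1)))
        elif cur and (m := re.match(r"switchport access vlan (\d+)", line)):
            ports[cur]["vlan"] = int(m.group(1))
        elif cur and line.startswith("ip verify source"):
            ports[cur]["ipsg"] = True
    return [name for name, p in ports.items() if p["ipsg"]
            and not (snooping and p["vlan"] in snooped) and name not in static]
```

Run against the three samples, only `PORT_ONLY` is reported, which corresponds to the configuration in the first post.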
11-23-2011 10:19 PM
Hi cadet,
I missed adding those. I have configured them at the global level:
IP DHCP SNOOPING
IP dhcp snooping vlan 99, 101
But the issue was resolved, as I have added one more command at the global level, which is stopping the end user (given static IP 10.10.14.6) from using a static IP, but I could ping the gateway IP 10.10.14.1, in the sense that he can ping all IPs of 10.10.14.0/24. How do I restrict that?
The command I have added is below, where it is preventing the end user from setting a static IP:
IP DHCP SNOOPING
IP dhcp snooping vlan 99, 101
ip dhcp snooping information option allow untrusted
Thanks & Regards
Srikanth
11-24-2011 01:04 AM
Hi,
DHCP snooping won't prevent a host from having a static IP, as far as I understand it.
Regards.
Alain
11-24-2011 01:36 AM
Hi,
You need "IP Source Guard" and "DHCP Snooping" to prevent static IP addresses from hosts.
HTH,
Toshi
11-24-2011 02:33 AM
Hi all,
As I posted above, I have enabled IP Source Guard per interface on all the ports in the switch.
The issue is resolved, and even if we use a static IP, I couldn't connect to the internet.
I have another case with this.
On switch 2 I have enabled source guard on all interfaces, like the example below:
interface FastEthernet0/45
switchport access vlan 99
switchport mode access
ip verify source port-security
****I have provided the information in the attached file. Can you please refer to that and tell me where I am going wrong?
******Branch and main office are trunked and all VLANs are allowed. The L3 switch has the route to the firewall for 10.10.14.0/24
and I have given a static route to the firewall gateway IP.
******Branch office clients were all assigned static IPs. In the same way, I want to give static IPs of the 10.10.10.0/24 range in the main office. This is mainly because 10.10.10.0/24 is whitelisted, where I have a VPN to another client office, and there are many more reasons where he needs an IP of 10.10.10.0/24.
Thanks & regards,
Srikanth