Difference between revisions of "Netband Project - DHCP Snooping"
From Teknologisk videncenter
								
												
				| (14 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | =DHCP Snooping=  | |
This page is part of the [[Netband_Project|Netband Project]]  | This page is part of the [[Netband_Project|Netband Project]]  | ||
*DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.  | *DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.  | ||
| − | *The DHCP snooping bindings are also used by the security features Dynamic   | + | *The DHCP snooping bindings are also used by the security features [[Netband Project - Dynamic Arp Inspection | Dynamic Arp Inspection]] and [[Netband Project - IP Source Guard | IP Source Guard]].  | 
==Configuration==  | ==Configuration==  | ||
| − | <pre>  | + | <pre>ip dhcp snooping vlan 3,5  | 
| − | ip dhcp snooping vlan 3,5  | ||
ip dhcp snooping information option allow-untrusted  | ip dhcp snooping information option allow-untrusted  | ||
ip dhcp snooping  | ip dhcp snooping  | ||
| + | !  | ||
| + | interface FastEthernet0/1  | ||
| + |  description HQdc1  | ||
| + |  ip dhcp snooping trust  | ||
| + | !  | ||
| + | </pre>  | ||
| + | |||
| + | ==Verification==  | ||
| + | <pre>  | ||
| + | HQSW1#sh ip dhcp snooping binding  | ||
| + | MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface  | ||
| + | ------------------  ---------------  ----------  -------------  ----  --------------------  | ||
| + | 00:1B:2A:79:5F:53   10.1.2.52        208         dhcp-snooping  5     FastEthernet0/13  | ||
| + | 00:03:47:C9:9F:AC   10.1.1.10        218         dhcp-snooping  3     FastEthernet0/2  | ||
| + | 00:21:5A:F7:F1:01   10.1.2.50        51          dhcp-snooping  5     FastEthernet0/11  | ||
| + | Total number of bindings: 3  | ||
| + | </pre>  | ||
| + | |||
| + | <pre>  | ||
| + | HQSW1#sh ip dhcp snooping  | ||
| + | Switch DHCP snooping is enabled  | ||
| + | DHCP snooping is configured on following VLANs:  | ||
| + | 3,5  | ||
| + | Insertion of option 82 is enabled  | ||
| + |    circuit-id format: vlan-mod-port  | ||
| + |     remote-id format: MAC  | ||
| + | Option 82 on untrusted port is allowed  | ||
| + | Verification of hwaddr field is enabled  | ||
| + | Interface                    Trusted     Rate limit (pps)  | ||
| + | ------------------------     -------     ----------------  | ||
| + | FastEthernet0/1              yes         unlimited  | ||
</pre>  | </pre>  | ||
| + | |||
| + | ==External Links==  | ||
| + | [http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swdhcp82.html#wp1078853 C3560 Configuration guide]  | ||
| + | [[Category:network]][[Category:CCNP]][[category:students]]  | ||
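Review bot: the added configuration marks FastEthernet0/1 as trusted but sets no rate limit on the untrusted access ports, and the new Verification output lists only the trusted port, with "unlimited". Consider adding `ip dhcp snooping limit rate <pps>` to the untrusted interfaces that appear in the binding table (FastEthernet0/2, 0/11 and 0/13) and showing the resulting rows in the `sh ip dhcp snooping` output. The page also gives no reason for `ip dhcp snooping information option allow-untrusted`, which the output reports as "Option 82 on untrusted port is allowed"; a sentence saying why this switch needs it would help readers decide whether to copy that line.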
Latest revision as of 06:34, 13 May 2009
DHCP Snooping
This page is part of the Netband Project
- DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
- The DHCP snooping bindings are also used by the security features Dynamic Arp Inspection and IP Source Guard.
 
Configuration
ip dhcp snooping vlan 3,5
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
interface FastEthernet0/1
 description HQdc1
 ip dhcp snooping trust
!
Verification
HQSW1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1B:2A:79:5F:53   10.1.2.52        208         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        218         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        51          dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 3

HQSW1#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
3,5
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
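
The binding table shown under Verification is the data that Dynamic Arp Inspection and IP Source Guard consult. As an added example (not part of the original page, and a simplified model rather than the switch's own logic), the following Python code parses the `sh ip dhcp snooping binding` output and checks an observed (VLAN, port, MAC, IP) tuple against it; the function names `parse_bindings` and `check` are hypothetical.

```python
import re

# Sample input: the "sh ip dhcp snooping binding" output from this page, embedded inline.
SAMPLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1B:2A:79:5F:53   10.1.2.52        208         dhcp-snooping  5     FastEthernet0/13
00:03:47:C9:9F:AC   10.1.1.10        218         dhcp-snooping  3     FastEthernet0/2
00:21:5A:F7:F1:01   10.1.2.50        51          dhcp-snooping  5     FastEthernet0/11
Total number of bindings: 3
"""

# One data row: MAC, IPv4, lease seconds, type, VLAN, interface.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<lease>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<port>\S+)$"
)

def parse_bindings(text):
    """Return {(vlan, port): [(mac, ip), ...]}; fail if the footer count disagrees."""
    table, count, total = {}, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW.match(line)
        if m:
            key = (int(m["vlan"]), m["port"])
            table.setdefault(key, []).append((m["mac"].lower(), m["ip"]))
            count += 1
        elif line.startswith("Total number of bindings:"):
            total = int(line.split(":")[1])
    if total is not None and total != count:
        raise ValueError(f"parsed {count} rows but footer says {total}")
    return table

def check(table, vlan, port, mac, ip):
    """Simplified binding lookup for one sender tuple seen on an untrusted port."""
    for b_mac, b_ip in table.get((vlan, port), []):
        if b_ip == ip:
            return "permit" if b_mac == mac.lower() else "deny (MAC mismatch)"
    return "deny (no binding)"

if __name__ == "__main__":
    t = parse_bindings(SAMPLE)
    print(check(t, 5, "FastEthernet0/13", "00:1B:2A:79:5F:53", "10.1.2.52"))
    print(check(t, 5, "FastEthernet0/13", "00:1B:2A:79:5F:53", "10.1.1.10"))
```

The second call uses an address that is bound on a different port and VLAN, so the lookup finds no binding for that port.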