- Posts: 227
- Thank you received: 0
Cisco DHCP Server - Problem & Answer
14 years 8 months ago #33816
by S0lo
You only need static DHCP binding to let static IP addresses (for your servers) work. And this should answer your second question
Here is how to do it. First you have to Enable DHCP snooping and enable it on your VLAN(s):
[code:1]ip dhcp snooping
ip dhcp snooping vlan 1
[/code:1]
By default, all interfaces are Untrusted. So no need to touch that unless you want some trusted interfaces. Next step is to configure which interface(s) you want to use IP Source Guard on. Say Fa0/2:
[code:1]interface FastEthernet0/2
ip verify source[/code:1]
Now make sure that the host(s) connected to Fa0/2 renew their leased IP. You can do this by ipconfig /renew on a Windows console. You should notice now that when you set a static IP (that has not been leased) on a PC, the PC will not be able to connect to any thing.
You can show the DHCP snooping bindings using the sh ip dhcp snooping binding command.
Now, for your servers or hosts that you need manually configured static IPs, you need to manually add a binding for each one. Like this:
[code:1]ip source binding AAAA.BBBB.CCCC vlan 1 192.168.0.6 interface Fa0/2 [/code:1]
Replace AAAA.BBBB.CCCC with the MAC address of the server/host and 192.168.0.6 with it's static IP.
Finally, notice here that I used only IP filtering in the above, you can use both IP and MAC filtering by issuing ip verify source port-security above, but I didn't try that yet. This can be useful to prevent IP conflicts if a user sets his static IP to be the same as one IP that is already leased by DHCP to another host.
Hope it works for you.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Cisco DHCP Server - Problem & Answer
Do i need to enable ip dhcp binding before activate IP Source Guard feature?
You only need static DHCP binding to let static IP addresses (for your servers) work. And this should answer your second question
Here is how to do it. First you have to Enable DHCP snooping and enable it on your VLAN(s):
[code:1]ip dhcp snooping
ip dhcp snooping vlan 1
[/code:1]
By default, all interfaces are Untrusted. So no need to touch that unless you want some trusted interfaces. Next step is to configure which interface(s) you want to use IP Source Guard on. Say Fa0/2:
[code:1]interface FastEthernet0/2
ip verify source[/code:1]
Now make sure that the host(s) connected to Fa0/2 renew their leased IP. You can do this by ipconfig /renew on a Windows console. You should notice now that when you set a static IP (that has not been leased) on a PC, the PC will not be able to connect to any thing.
You can show the DHCP snooping bindings using the sh ip dhcp snooping binding command.
Now, for your servers or hosts that you need manually configured static IPs, you need to manually add a binding for each one. Like this:
[code:1]ip source binding AAAA.BBBB.CCCC vlan 1 192.168.0.6 interface Fa0/2 [/code:1]
Replace AAAA.BBBB.CCCC with the MAC address of the server/host and 192.168.0.6 with it's static IP.
Finally, notice here that I used only IP filtering in the above, you can use both IP and MAC filtering by issuing ip verify source port-security above, but I didn't try that yet. This can be useful to prevent IP conflicts if a user sets his static IP to be the same as one IP that is already leased by DHCP to another host.
Hope it works for you.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Time to create page: 0.124 seconds