- Index
- Preface
- Overview
- Using the Command-Line Interface
- Assigning the Switch IP Address and Default Gateway
- Configuring Cisco IOS CNS Agents
- Clustering Switches
- Administering the Switch
- Configuring SDM Templates
- Configuring Switch-Based Authentication
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring Interface Characteristics
- Configuring Smartports Macros
- Configuring VLANs
- Configuring VTP
- Configuring Voice VLAN
- Configuring STP
- Configuring MSTP
- Configuring Optional Spanning-Tree Features
- Configuring Flex Links and the MAC Address-Table Move Update Feature
- Configuring DHCP Features
- Configuring IGMP Snooping and MVR
- Configuring Port-Based Traffic Control
- Configuring CDP
- Configuring LLDP and LLDP-MED
- Configuring UDLD
- Configuring SPAN and RSPAN
- Configuring RMON
- Configuring System Message Logging
- Configuring SNMP
- Configuring Network Security with ACLs
- Configuring Cisco IOS IP SLAs Operations
- Configuring QoS
- Configuring IPv6 Host Functions
- Configuring IPv6 MLD Snooping
- Configuring EtherChannels and Link-State Tracking
- Troubleshooting
- Supported MIBs
- Working with the Cisco IOS File System, Configuration Files, and Software Images
- Recommendations for Upgrading a Catalyst 2950 Switch to a Catalyst 2960 Switch
- Unsupported Commands in Cisco IOS Release 12.2(46)SE
Configuring DHCP Features
Note To use DHCP features, the switch must be running the LAN Base image.
This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 2960 switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the "DHCP Commands" section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
This chapter consists of these sections:
•Displaying DHCP Snooping Information
•Understanding DHCP Server Port-Based Address Allocation
•Configuring DHCP Server Port-Based Address Allocation
•Displaying DHCP Server Port-Based Address Allocation
Understanding DHCP Snooping
DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server, which significantly reduces the overhead of administration of IP addresses. DHCP also helps conserve the limited IP address space because IP addresses no longer need to be permanently assigned to hosts; only those hosts that are connected to the network consume IP addresses.
These sections contain this information:
For information about the DHCP client, see the "Configuring DHCP" section of the "IP Addressing and Services" section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator.
DHCP Relay Agent
A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams are switched transparently between networks. Relay agents receive DHCP messages and generate new DHCP messages to send on output interfaces.
DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.
Note For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.
An untrusted DHCP message is a message that is received from outside the network or firewall. When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer's switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface.
In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.
The switch drops a DHCP packet when one of these situations occurs:
•A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
•A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
•The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
•A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.
hen an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features can still be enabled on the aggregation switch while the switch receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
Option-82 Data Insertion
In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.
Note The DHCP option-82 feature is supported only when DHCP snooping is globally enabled and on the VLANs to which subscriber devices using this feature are assigned.
Figure 19-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
Figure 19-1 DHCP Relay Agent in a Metropolitan Ethernet Network
When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:
•The host (DHCP client) generates a DHCP request and broadcasts it on the network.
•When the switch receives the DHCP request, it adds the option-82 information in the packet. remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier, vlan-mod-port, from which the packet is received.
•If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
•The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
•The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.
•The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.
the described sequence of events occurs, the values in these fields in Figure 19-2 do not change:
•Circuit-ID suboption fields
–Suboption type
–Length of the suboption type
–Circuit-ID type
–Length of the circuit-ID type
•Remote-ID suboption fields
–Suboption type
–Length of the suboption type
–Remote-ID type
–Length of the remote-ID type
In the port field of the circuit-ID suboption, the port numbers start at 3. For example, on a switch with 24 10/100 ports and small form-factor pluggable (SFP) module slots, port 3 is the Fast Ethernet 0/1 port, port 4 is the Fast Ethernet 0/2 port, and so forth. Port 27 is the SFP module slot 0/1, and so forth.
Figure 19-2 shows the packet formats for the remote-ID suboption and the circuit-ID suboption. The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.
Figure 19-2 Suboption Packet Formats
192.1.168.1 3 0003.47d8.c91f 2BB6488E Fa0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB Fa0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Fa0/4 584a38f0
Configuring DHCP Snooping
These sections contain this configuration information:
•Default DHCP Snooping Configuration
•DHCP Snooping Configuration Guidelines
•Configuring the DHCP Relay Agent
•Enabling DHCP Snooping and Option 82
Default DHCP Snooping Configuration
Table 19-1 shows the default DHCP snooping configuration.
|
|
---|---|
DHCP server |
Enabled in Cisco IOS software, requires configuration1 |
DHCP relay agent |
Enabled2 |
DHCP packet forwarding address |
None configured |
Checking the relay agent information |
Enabled (invalid messages are dropped)2 |
DHCP relay agent forwarding policy |
Replace the existing relay agent information2 |
DHCP snooping enabled globally |
Disabled |
DHCP snooping information option |
Enabled |
DHCP snooping option to accept packets on untrusted input interfaces3 |
Disabled |
DHCP snooping limit rate |
None configured |
DHCP snooping trust |
Untrusted |
DHCP snooping VLAN |
Disabled |
DHCP snooping MAC address verification |
Enabled |
DHCP snooping binding database agent |
Enabled in Cisco IOS software, requires configuration. This feature is operational only when a destination is configured. |
1 The switch responds to DHCP requests only if it is configured as a DHCP server. 2 The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client. 3 Use this feature when the switch is an aggregation switch that receives packets with option-82 information from an edge switch. |
DHCP Snooping Configuration Guidelines
These are the configuration guidelines for DHCP snooping.
•You must globally enable DHCP snooping on the switch.
•DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
•Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.
•When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied.
–ip dhcp relay information check global configuration command
–ip dhcp relay information policy global configuration command
–ip dhcp relay information trust-all global configuration command
–ip dhcp relay information trusted interface configuration command
•Before configuring the DHCP snooping information option on your switch, be sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, or you must configure DHCP options for these devices.
•If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.
•If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp snooping trust interface configuration command.
•If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
•Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
•Starting with Cisco IOS Release 12.2(37)SE,you can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command, and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command.
Note Do not enable Dynamic Host Configuration Protocol (DHCP) snooping on RSPAN VLANs. If DHCP snooping is enabled on RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.
Configuring the DHCP Relay Agent
Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent on the switch:
To disable the DHCP server and relay agent, use the no service dhcp global configuration command.
See the "Configuring DHCP" section of the "IP Addressing and Services" section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides for these procedures:
•Checking (validating) the relay agent information
•Configuring the relay agent forwarding policy
Enabling DHCP Snooping and Option 82
Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch:
To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command.
This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Enabling the Cisco IOS DHCP Server Database
For procedures to enable and configure the Cisco IOS DHCP server database, see the "DHCP Configuration Task List" section in the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
Enabling the DHCP Snooping Binding Database Agent
Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch:
To stop using the database agent and binding files, use the no ip dhcp snooping database global configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command.
To clear the statistics of the DHCP snooping binding database agent, use the clear ip dhcp snooping database statistics privileged EXEC command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.
To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you want to delete.
Displaying DHCP Snooping Information
To display the DHCP snooping information, use the privileged EXEC commands in Table 19-2:
Note If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
Understanding DHCP Server Port-Based Address Allocation
DHCP server port-based address allocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address.
When Ethernet switches are deployed in the network, they offer connectivity to the directly connected devices. In some environments, such as on a factory floor, if a device fails, the replacement device must be working immediately in the existing network. With the current DHCP implementation, there is no guarantee that DHCP would offer the same IP address to the replacement device. Control, monitoring, and other software expect a stable IP address associated with each device. If a device is replaced, the address assignment should remain stable even though the DHCP client has changed.
When configured, the DHCP server port-based address allocation feature ensures that the same IP address is always offered to the same connected port even as the client identifier or client hardware address changes in the DHCP messages received on that port. The DHCP protocol recognizes DHCP clients by the client identifier option in the DHCP packet. Clients that do not include the client identifier option are identified by the client hardware address. When you configure this feature, the port name of the interface overrides the client identifier or hardware address and the actual point of connection, the switch port, becomes the client identifier.
In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device.
The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
Configuring DHCP Server Port-Based Address Allocation
This section contains this configuration information:
•Default Port-Based Address Allocation Configuration
•Port-Based Address Allocation Configuration Guidelines
•Enabling DHCP Server Port-Based Address Allocation
Default Port-Based Address Allocation Configuration
By default, DHCP server port-based address allocation is disabled.
Port-Based Address Allocation Configuration Guidelines
These are the configuration guidelines for DHCP port-based address allocation:
•Only one IP address can be assigned per port.
•Reserved addresses (preassigned) cannot be cleared by using the clear ip dhcp binding global configuration command.
•Preassigned addresses are automatically excluded from normal dynamic IP address assignment. Preassigned addresses cannot be used in host pools, but there can be multiple preassigned addresses per DHCP address pool.
Enabling DHCP Server Port-Based Address Allocation
Beginning in privileged EXEC mode, follow these steps to globally enable port-based address allocation and to automatically generate a subscriber identifier on an interface.
After enabling DHCP port-based address allocation on the switch, use the ip dhcp pool global configuration command to preassign IP addresses and to associate them to clients.
Beginning in privileged EXEC mode follow these steps to preassign an IP address and to associate it to a client identified by the interface name.
To disable DHCP port-based address allocation, use the no ip dhcp use subscriber-id client-id global configuration command. To disable the automatic generation of a subscriber identifier, use the no ip dhcp subscriber-id interface-name global configuration command. To disable the subscriber identifier on an interface, use the no ip dhcp server use subscriber-id client-id interface configuration command.
To remove an IP address reservation from a DHCP pool, use the no address ip-address client-id string DHCP pool configuration command.
In this example, a subscriber identifier is automatically generated, and the DHCP server ignores any client identifier fields in the DHCP messages and uses the subscriber identifier instead. The subscriber identifier is based on the short name of the interface and the client preassigned IP address 10.1.1.7.
switch# show running config
Building configuration...
Current configuration : 4899 bytes
!
version 12.2
!
hostname switch
!
no aaa new-model
clock timezone EST 0
ip subnet-zero
ip dhcp relay information policy removal pad
no ip dhcp use vrf connected
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 10.1.1.1 10.1.1.3
!
ip dhcp pool dhcppool
network 10.1.1.0 255.255.255.0
address 10.1.1.7 client-id "Et1/0" ascii
<output truncated>
This example shows that the preassigned address was correctly reserved in the DHCP pool:
switch# show ip dhcp pool dhcppool
Pool dhcp pool:
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Excluded addresses : 4
Pending event : none
1 subnet is currently in the pool:
Current index IP address range Leased/Excluded/Total
10.1.1.1 10.1.1.1 - 10.1.1.254 0 / 4 / 254
1 reserved address is currently in the pool
Address Client
10.1.1.7 Et1/0
For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation here:
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html
Displaying DHCP Server Port-Based Address Allocation
To display the DHCP server port-based address allocation information, use one or more of the privileged EXEC commands in Table 19-3: