Difference between revisions of "Cisco DHCP configuration"

Revision as of 23:08, 2 January 2015

This configuration will be applied to a Cisco 1941 with an EHWIC-3G-HSPA+7 card and a Lightweight Access Point.

Basic DHCP config

Configure Cisco router as DHCP server
configure terminal
 service dhcp
 ip dhcp pool POOL
  network 192.168.100.0 255.255.255.0
  default-router 192.168.100.254
  dns-server 192.168.100.254 8.8.8.8
  domain-name home.gateway
  lease 0 8                     ! 8 hour lease; the arguments are days hours minutes
 ip dhcp excluded-address 192.168.100.1 192.168.100.10
 ip dhcp excluded-address 192.168.100.240 192.168.100.255

The two excluded-address ranges keep the gateway/DNS address (.254) and the low addresses reserved for static hosts out of the pool. Any address in the network that is not excluded will eventually be leased to a client, so the router's own addresses on that segment must always be excluded.
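To check a pool like the one above before it goes live, here is an added Python example (not from the original page and not Cisco code) that parses the ip dhcp pool and ip dhcp excluded-address lines, lists the addresses the server will actually lease, and flags a default-router or dns-server address that sits inside the pool without being excluded. SAMPLE_CONFIG is constructed from the configuration above; BROKEN_CONFIG is the same pool with the second exclusion forgotten, the mistake that eventually hands the gateway's address to a client.

```python
import ipaddress
import re

# Constructed sample: the pool and exclusions configured above.
SAMPLE_CONFIG = """\
service dhcp
ip dhcp pool POOL
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.254
 dns-server 192.168.100.254 8.8.8.8
 domain-name home.gateway
 lease 0 8
ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.240 192.168.100.255
"""

# Same pool with the second exclusion missing, so .254 becomes leasable.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "ip dhcp excluded-address 192.168.100.240 192.168.100.255\n", "")


def parse_dhcp_config(text):
    """Parse 'ip dhcp pool' stanzas and global 'ip dhcp excluded-address' lines.

    Returns (pools, excluded): pools maps pool name -> settings dict, excluded is
    a list of (low, high) IPv4Address pairs. Only the pool sub-commands used on
    this page (network, default-router, dns-server, lease) are understood.
    """
    pools, excluded, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"ip dhcp pool (\S+)$", line):
            current = pools.setdefault(m.group(1), {"dns": [], "lease": None})
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            excluded.append((ipaddress.IPv4Address(m.group(1)),
                             ipaddress.IPv4Address(m.group(2) or m.group(1))))
        elif current is None or not raw.startswith(" "):
            current = None  # any other global command ends the pool stanza
        elif m := re.match(r"network (\S+) (\S+)$", line):
            current["network"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"default-router (\S+)$", line):
            current["gateway"] = ipaddress.IPv4Address(m.group(1))
        elif m := re.match(r"dns-server (.+)$", line):
            current["dns"] = [ipaddress.IPv4Address(a) for a in m.group(1).split()]
        elif m := re.match(r"lease (\d+)(?: (\d+))?(?: (\d+))?$", line):
            days, hours, mins = (int(x or 0) for x in m.groups())
            current["lease"] = days * 86400 + hours * 3600 + mins * 60
    return pools, excluded


def is_excluded(addr, excluded):
    return any(low <= addr <= high for low, high in excluded)


def leasable(pool, excluded):
    """Host addresses of the pool's network that the server may hand out."""
    return [h for h in pool["network"].hosts() if not is_excluded(h, excluded)]


def audit(pool, excluded):
    """Flag a gateway or DNS address inside the pool that is not excluded:
    the server would eventually lease it and create an address conflict."""
    named = [("default-router", pool.get("gateway"))]
    named += [("dns-server", a) for a in pool["dns"]]
    return [f"{label} {addr} is inside {pool['network']} but not excluded"
            for label, addr in named
            if addr is not None and addr in pool["network"]
            and not is_excluded(addr, excluded)]


def summarize(text):
    """Per pool: (first leasable, last leasable, count, list of issues)."""
    pools, excluded = parse_dhcp_config(text)
    out = {}
    for name, pool in pools.items():
        addrs = leasable(pool, excluded)
        out[name] = (str(addrs[0]), str(addrs[-1]), len(addrs), audit(pool, excluded))
    return out


if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, summarize(cfg))
```

Running it shows the good pool leasing 192.168.100.11 to 192.168.100.239 with no findings, and the broken pool reporting both the default-router and the dns-server entry for 192.168.100.254 as leasable.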
Cisco router interface configured to obtain an IP address from a DHCP server
configure terminal
r1-basic(config)#int gi 0/0
r1-basic(config-if)#ip address dhcp
r1-basic(config-if)#no shutdown
r1-basic(config-if)#end

Once an address has been assigned you will see a log message like:

*Sep  1 22:08:50.003: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address 192.168.1.66, mask 255.255.255.0, hostname r1-basic
Clearing a DHCP binding on the server removes the current assignment; resetting the client interface afterwards (shutdown / no shutdown) makes the client renegotiate its address.
R1#clear ip dhcp binding ?
 *        Clear all automatic bindings
 A.B.C.D  Clear a specific binding
 vrf      DHCP vrf bindings
Renew DHCP address on an access point
ap1#renew dhcp Gi0

DHCP IP bindings

This is an example of a manual IP binding; a separate DHCP pool must be created for each address you bind.

ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
 ! client-name did not work for me, it did not assign 'ap1' hostname to a client/AP
 client-name ap1

If you configure a Cisco router as a DHCP client, it does not use the interface MAC address as the client identifier the way most workstations do (which matters when the DHCP server keys manual bindings on the client ID). Instead it sends the ASCII string 'cisco-<dotted.mac.ascii>-<ifname>', where dotted.mac.ascii is the interface MAC address in Cisco dotted notation and ifname is the short interface name, for example Gi0/0.

+-----------+                       +-------------+
|Router     | Gi0/1/0<--------->Gi0 | Access point|
|DHCP server|                  /    +-------------+
+-----------+                 /
                       MAC address 
client-identifier 017c.69f6.e1d8.7d

The client-identifier in the AP1 pool is derived from the MAC address of the access point's Gi0 interface (7c69.f6e1.d87d) with the 01 prefix explained below. To see the client-id a client actually sends, run debug dhcp detail on the router while the client requests an address.

Note that if the client's MAC address is cc05.12bc.0000, the binding on the server must use client-id 01cc.0512.bc00.00. A 01 byte is prepended, where 01 is the hardware type for Ethernet, and because the value is then regrouped into dotted blocks of four hex digits every following digit shifts by two positions.

By default, DHCP implementations typically use the client's MAC address for this purpose, but the protocol allows other values. For DHCP to function, no other client may use the client ID we choose, and the server must accept it. In DHCP terms the client ID is simply whatever value the protocol uses to identify the client computer.

A client identifier (DHCP option 61) can be a hexadecimal or an ASCII value. On IOS the default is the ASCII form, which is what a plain ip address dhcp sends. Adding the interface keyword, ip address dhcp client-id <interface>, makes the router use the hexadecimal MAC address of the named interface as the client identifier instead.

There is also DHCP option 12, which carries the hostname to the server. By default it is sent with the router's configured hostname; ip address dhcp hostname <host-name> overrides the value.
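Getting the client-identifier wrong by a digit is the usual reason a manual binding silently never matches, so here is an added Python example (not from the original page and not Cisco code) that computes the value the IOS server expects from a MAC address, reverses it for checking an existing binding, and builds the default ASCII client-id described above. It assumes only what the text states: a 0x01 Ethernet hardware-type byte in front of the MAC for the hex form, and the string 'cisco-<dotted mac>-<ifname>' for the ASCII form. pool_stanza is a helper of this example that renders a per-host pool like the AP1 one shown earlier.

```python
import re

ETHERNET_HTYPE = 0x01  # ARP hardware type 1 (Ethernet), the prefix IOS expects


def mac_bytes(mac):
    """Accept 'cc05.12bc.0000', 'cc:05:12:bc:00:00' or 'cc-05-12-bc-00-00'."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def dotted(raw):
    """Cisco dotted notation: four hex digits per group, with a shorter last
    group when the digit count is odd (this is why the 01 prefix shifts
    every following digit of the MAC)."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def server_client_identifier(mac, htype=ETHERNET_HTYPE):
    """Value to put after 'client-identifier' in a manual 'ip dhcp pool' binding."""
    return dotted(bytes([htype]) + mac_bytes(mac))


def mac_from_client_identifier(cid):
    """Reverse the above: recover (htype, dotted MAC) from a configured value."""
    raw = bytes.fromhex(cid.replace(".", ""))
    if len(raw) != 7:
        raise ValueError("expected one hardware-type byte plus a 6-byte MAC")
    return raw[0], dotted(raw[1:])


def default_ios_client_id(mac, ifname):
    """The ASCII client-id an IOS DHCP client sends with plain 'ip address dhcp'."""
    return f"cisco-{dotted(mac_bytes(mac))}-{ifname}"


def pool_stanza(name, ip, mask, mac, client_name=None):
    """Render a per-host pool stanza, computing the identifier from the MAC."""
    lines = [f"ip dhcp pool {name}",
             f" host {ip} {mask}",
             f" client-identifier {server_client_identifier(mac)}"]
    if client_name:
        lines.append(f" client-name {client_name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(server_client_identifier("cc05.12bc.0000"))          # 01cc.0512.bc00.00
    print(mac_from_client_identifier("017c.69f6.e1d8.7d"))     # (1, '7c69.f6e1.d87d')
    print(default_ios_client_id("7c69.f6e1.d87d", "Gi0"))      # cisco-7c69.f6e1.d87d-Gi0
    print(pool_stanza("AP1", "10.0.99.1", "255.255.255.128", "7c69.f6e1.d87d", "ap1"))
```

Compare the output of mac_from_client_identifier against the Hardware address column of show ip dhcp binding: if the recovered MAC is not the client's, the binding will never match and the client will fall through to a dynamic pool or get nothing.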

The configured bindings can be displayed with:
R1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.0.99.1           017c.69f6.e1d8.7d       Infinite                Manual
10.0.99.2           017c.69f6.e1d9.18       Infinite                Manual
10.0.99.3           017c.69f6.e1d9.78       Infinite                Manual

DHCP snooping

DHCP snooping is a Cisco Catalyst feature that controls which switch ports may carry DHCP server messages. Ports are classified as trusted or untrusted.

  • trusted ports can source all DHCP messages
  • untrusted ports can source client requests only

Trusted ports connect to a DHCP server or are the uplink toward it; every port not explicitly configured as trusted is untrusted. If a rogue device on an untrusted port sends a DHCP server message (OFFER, ACK or NAK) into the network, the switch drops the packet. The port itself is put into err-disabled only when a configured rate limit (ip dhcp snooping limit rate) is exceeded, which is what stops a client flooding DISCOVERs from exhausting the pool.

The switch builds a DHCP snooping binding table from the leases handed out to clients on untrusted ports. Each entry records the client MAC address, IP address, lease time, binding type, VLAN number and port ID, learned as the client's DHCP exchange completes. The table is then used to filter subsequent DHCP traffic: a DHCPRELEASE or DHCPDECLINE arriving on a port that does not match the binding is dropped, and by default (ip dhcp snooping verify mac-address) the Ethernet source MAC of a client packet on an untrusted port must match the chaddr field inside the DHCP payload. From a DHCP snooping perspective, untrusted access ports must never send DHCP server responses.

s1(config)# ip dhcp snooping                   !enable dhcp snooping globally
s1(config)# ip dhcp snooping vlan 5,10         !enable dhcp snooping for specific VLANs
s1(config)# interface gi0/0/0
s1(config-if)# ip dhcp snooping trust          !uplink toward the dhcp server
s1(config-if)# interface gi0/0/1
s1(config-if)# ip dhcp snooping limit rate 5   !max dhcp packets per second on this untrusted port

Nothing is filtered until snooping is enabled both globally and for the VLAN. Verify with show ip dhcp snooping (global state, VLANs, trusted ports, rate limits) and show ip dhcp snooping binding (the learned table). One caveat when the DHCP server is itself an IOS router, as on this page: a Catalyst switch inserts DHCP option 82 into client packets by default (ip dhcp snooping information option), and an IOS DHCP server drops such packets unless it is configured with ip dhcp relay information trust-all, so either add that on the server or disable the insertion on the switch with no ip dhcp snooping information option.
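To make the filtering rules concrete, here is an added Python example (not Cisco code and not from the original page) that models the snooping behaviour described above over constructed DHCP traffic: trusted and untrusted ports, the per-port rate limit with err-disable, the source-MAC/chaddr check, a binding table learned from the server's ACK, and the binding check on RELEASE/DECLINE. Port names, MAC addresses, timings and the rate limiter's one-second sliding window are assumptions of this example; a real switch additionally keys bindings on VLAN and ages them by lease time.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}      # legitimate only from trusted ports


@dataclass
class Msg:
    port: str         # ingress switch port
    vlan: int
    src_mac: str      # Ethernet source address
    chaddr: str       # client hardware address inside the DHCP payload
    mtype: int
    t_ms: int         # arrival time in milliseconds
    yiaddr: str = ""  # address offered/assigned (server messages only)
    lease: int = 0


@dataclass
class Snooper:
    trusted: set                 # ports configured 'ip dhcp snooping trust'
    rate_limit: dict             # port -> 'limit rate' packets per second
    verify_mac: bool = True      # 'ip dhcp snooping verify mac-address'
    errdisabled: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # chaddr -> binding entry
    pending: dict = field(default_factory=dict)   # chaddr -> (port, vlan)
    window: dict = field(default_factory=lambda: defaultdict(deque))

    def over_rate(self, m):
        """Sliding one-second window of packets per untrusted port."""
        limit = self.rate_limit.get(m.port)
        if limit is None:
            return False
        q = self.window[m.port]
        q.append(m.t_ms)
        while q[0] <= m.t_ms - 1000:
            q.popleft()
        return len(q) > limit

    def process(self, m):
        """Apply the snooping rules to one message; return 'forward' or a drop reason."""
        if m.port in self.errdisabled:
            return "drop: port err-disabled"
        if m.port in self.trusted:
            # Server side: learn a binding when the ACK answers a request we saw
            if m.mtype == ACK and m.chaddr in self.pending:
                port, vlan = self.pending.pop(m.chaddr)
                self.bindings[m.chaddr] = {"ip": m.yiaddr, "lease": m.lease,
                                           "vlan": vlan, "port": port}
            return "forward"
        if self.over_rate(m):
            self.errdisabled.add(m.port)
            return "drop: rate limit exceeded, port err-disabled"
        if m.mtype in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if self.verify_mac and m.src_mac != m.chaddr:
            return "drop: source MAC does not match chaddr"
        if m.mtype in (RELEASE, DECLINE):
            b = self.bindings.get(m.chaddr)
            if b is None or b["port"] != m.port:
                return "drop: release/decline does not match binding table"
        if m.mtype in (DISCOVER, REQUEST):
            self.pending[m.chaddr] = (m.port, m.vlan)
        return "forward"


def scenario():
    """Constructed traffic: a legitimate client on Gi0/0/1, a rogue server and
    a release spoofer on Gi0/0/2, and a DISCOVER flood on Gi0/0/3."""
    s = Snooper(trusted={"Gi0/0/0"},
                rate_limit={"Gi0/0/1": 5, "Gi0/0/2": 5, "Gi0/0/3": 5})
    client, rogue = "aaaa.bbbb.0001", "dead.beef.0001"
    flooder, server = "aaaa.bbbb.0002", "0011.2233.4455"
    traffic = [
        Msg("Gi0/0/1", 10, client, client, DISCOVER, 0),
        Msg("Gi0/0/2", 10, rogue, client, OFFER, 100, "10.0.0.66", 3600),     # rogue offer
        Msg("Gi0/0/0", 10, server, client, OFFER, 200, "10.0.10.50", 28800),
        Msg("Gi0/0/1", 10, client, client, REQUEST, 300),
        Msg("Gi0/0/0", 10, server, client, ACK, 400, "10.0.10.50", 28800),
        Msg("Gi0/0/2", 10, rogue, client, RELEASE, 500),    # forged chaddr
        Msg("Gi0/0/2", 10, client, client, RELEASE, 600),   # forged src MAC, wrong port
    ]
    traffic += [Msg("Gi0/0/3", 10, flooder, flooder, DISCOVER, 2000 + 50 * i)
                for i in range(6)]
    verdicts = [s.process(m) for m in traffic]
    return verdicts, s.bindings, s.errdisabled


if __name__ == "__main__":
    verdicts, bindings, errdisabled = scenario()
    for i, v in enumerate(verdicts):
        print(i, v)
    print(bindings, errdisabled)
```

In the scenario the rogue OFFER, both forged RELEASEs and the sixth DISCOVER within a second are dropped, the legitimate client ends up in the binding table on Gi0/0/1, and only the flooding port Gi0/0/3 is err-disabled, matching what show ip dhcp snooping binding and show interfaces status would show on the switch.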
