Technical Manual

Rogue DHCP servers can be mitigated by the DHCP snooping feature. The ip dhcp snooping command is
issued in order to enable DHCP snooping globally on the switch. When DHCP snooping is configured, all ports in
the VLAN are untrusted for DHCP replies by default. Here, only FastEthernet interface 1/0/3, which connects to the DHCP
server, is configured as trusted.
DHCP Snooping
Cat3750#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cat3750(config)#ip dhcp snooping
!--- Enables DHCP snooping on the switch.
Cat3750(config)#ip dhcp snooping vlan 1
!--- DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
Cat3750(config)#no ip dhcp snooping information option
!--- Disables the insertion and removal of the option-82 field, if the
!--- DHCP clients and the DHCP server reside on the same IP network or subnet.
Cat3750(config)#interface fastEthernet 1/0/3
Cat3750(config-if)#ip dhcp snooping trust
!--- Configures the interface connected to the DHCP server as trusted.
Cat3750#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)
------------------------   -------     ----------------
FastEthernet1/0/3          yes         unlimited
!--- Displays the DHCP snooping configuration for the switch.
Cat3750#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:85:A5:7B:F5   10.0.0.2         86391       dhcp-snooping  1     FastEthernet1/0/1
00:11:85:8D:9A:F9   10.0.0.3         86313       dhcp-snooping  1     FastEthernet1/0/2
Total number of bindings: 2
!--- Displays the DHCP snooping binding entries for the switch.
Cat3750#
!--- DHCP server(s) connected to the untrusted port will not be able
!--- to assign IP addresses to the clients.
Refer to Configuring DHCP Features for more information.
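As an added example that is not part of this manual, the following Python audit parses the show ip dhcp snooping output shown above and flags the three things an operator verifies after applying the configuration: the feature is enabled, every required VLAN is covered, and no port other than the one facing the DHCP server is trusted. The parser, the VLAN-list expansion and the sample output are assumptions modelled on the output above, not a Cisco API.

```python
import re

# Constructed sample, modelled on the "show ip dhcp snooping" output above.
SHOW_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)
------------------------   -------     ----------------
FastEthernet1/0/3          yes         unlimited
"""

def expand_vlans(spec):
    """Expand an IOS-style VLAN list such as '1,10-12' into {1, 10, 11, 12} (assumed format)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_snooping(text):
    """Parse show output into {enabled, vlans, trusted: {ifname: (is_trusted, rate)}}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    state = {"enabled": False, "vlans": set(), "trusted": {}}
    for i, line in enumerate(lines):
        if line.startswith("Switch DHCP snooping is"):
            state["enabled"] = line.endswith(" enabled")
        elif line.endswith("following VLANs:") and i + 1 < len(lines):
            state["vlans"] = expand_vlans(lines[i + 1])  # VLAN list is on the next line
        else:
            m = re.fullmatch(r"(\S+)\s+(yes|no)\s+(\S+)", line)
            if m:  # per-interface row: name, trust state, rate limit
                state["trusted"][m.group(1)] = (m.group(2) == "yes", m.group(3))
    return state

def audit(state, required_vlans, allowed_trusted):
    """Return findings: snooping off, an uncovered VLAN, or trust on a port outside the allow list."""
    findings = []
    if not state["enabled"]:
        findings.append("global DHCP snooping is disabled")
    for v in sorted(required_vlans - state["vlans"]):
        findings.append(f"VLAN {v} not covered by DHCP snooping")
    for name, (trusted, _rate) in sorted(state["trusted"].items()):
        if trusted and name not in allowed_trusted:
            findings.append(f"unexpected trusted port {name}")
    return findings
```

Running audit(parse_snooping(SHOW_SNOOPING), {1}, {"FastEthernet1/0/3"}) returns an empty list for the configuration above; adding VLAN 10 to the required set, or removing the server port from the allow list, produces a finding for each.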
Dynamic ARP Inspection
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and
discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from