From: Ben (bmunyao@gmail.com)
Date: Thu Sep 27 2007 - 02:25:03 ART
Hi Rich,
When I labbed it up, I also couldn't positively verify it. However, I noted
that dynamic ARP was no longer possible, as documented. I could not
communicate with a node that had a static IP, until I configured a static
ARP entry for it on the DHCP server.
Ben
On 9/26/07, Rich Collins <nilsi2002@gmail.com> wrote:
>
> I just tried a quick lab-up
>
> ip dhcp pool TEST
> network 10.20.71.0 255.255.255.0
> update arp
> !
> !
> !
> !
> !
> !
> interface GigabitEthernet0/0
> ip address 10.20.71.1 255.255.255.0
> arp authorized
>
>
>
> I don't see anything obvious that shows it is a secure ARP entry, other than
> checking the debug.
>
>
> debug ip dhcp server ...
>
> Sep 25 21:33:24.224: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3031.392e.3535.6266.2e38.6563.362d.4769.302f.3131 (10.20.71.2).
> Sep 25 21:33:24.224: DHCPD: Creating secure ARP entry (10.20.71.2, 0019.55bf.8ec6).
> Sep 25 21:33:24.224: DHCPD: broadcasting BOOTREPLY to client 0019.55bf.8ec6.
>
>
> THIS IS THE DHCP SERVER
> Router1#sh ip dhcp binding
> Bindings from all pools not associated with VRF:
> IP address      Client-ID/              Lease expiration        Type
>                 Hardware address/
>                 User name
> 10.20.71.2      0063.6973.636f.2d30.    Sep 26 2007 05:33 PM    Automatic
>                 3031.392e.3535.6266.
>                 2e38.6563.362d.4769.
>                 302f.3131
>
>
> Router1#sh arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  10.20.71.1              0   0019.a986.941b  ARPA   GigabitEthernet0/11
> Internet  10.20.71.2              -   0019.55bf.8ec6  ARPA   GigabitEthernet0/11
>
>
> On 9/25/07, Ben <bmunyao@gmail.com> wrote:
> >
> >
> > Nicky
> >
> > You may find the following URL useful.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch10/hipdhcpa.htm
> >
> >
> > HTH
> >
> > Ben
> >
> >
> > On 9/25/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
> > >
> > > Hi Rich,
> > >
> > > Other than the cisco.com link to DHCP and arp authorized...
> > >
> > > Chapter 21 Security in Odom covers features such as Dynamic ARP
> > > inspection (DAI), DHCP Snooping and IP Source Guard. Combinations of
> > > these features should offer lots of scope for secure arp.
> > >
> > > HTH
> > > Gary
> > > ----- Original Message -----
> > > From: "Rich Collins" <nilsi2002@gmail.com>
> > > To: "nicky noname" <cisco2study@gmail.com>
> > > Cc: "Cisco certification" <ccielab@groupstudy.com>
> > > Sent: Tuesday, September 25, 2007 2:25 PM
> > > Subject: Re: DHCP config
> > >
> > >
> > > > Well I believe in general if you don't specify database then all
> > > > bindings are stored locally (whether secure or not). I am interested
> > > > in hearing more about working with secure arp though.
> > > >
> > > > On 9/24/07, nicky noname <cisco2study@gmail.com> wrote:
> > > >>
> > > >> thanks rich... I haven't seen... I will try it out. I guess this is
> > > >> what would be required, if you are not explicitly told of a place to
> > > >> store the database.
> > > >>
> > > >> nic
> > > >>
> > > >> On 9/24/07, Rich Collins <nilsi2002@gmail.com> wrote:
> > > >> >
> > > >> > If you want to do it locally, isn't it enough to add this under the
> > > >> > dhcp pool?
> > > >> > ip dhcp pool MYNET
> > > >> > ....
> > > >> > update arp
> > > >> > ...
> > > >> >
> > > >> > I think I read somewhere that you need a corresponding
> > > >> > arp authorized under the 'interface'.
> > > >> >
> > > >> > Rich
> > > >> >
> > > >> >
> > > >> >
> > > >> >
> > > >> >
> > > >> > On 9/24/07, nicky noname <cisco2study@gmail.com> wrote:
> > > >> >
> > > >> > > Hello,
> > > >> > >
> > > >> > > I am playing around with the IOS DHCP settings and I want to
> > > >> > > provide DHCP services to secure arp requests only.
> > > >> > >
> > > >> > > I thought this was done by the command
> > > >> > >
> > > >> > > ip dhcp database XXXX
> > > >> > >
> > > >> > > Is this the only manner? I was hoping you could configure it locally.
> > > >> > > This command is looking for a specified URL.
> > > >> > > I have read through the doc CD... it's not great for this.
> > > >> > >
> > > >> > > regards
> > > >> > > nic
> > > >> > >
> > > >> > >
> > > >> > > _______________________________________________________________________
> > > >> > >
> > > >> > > Subscription information may be found at:
> > > >> > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART
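The thread's question, how to tell whether the server actually created secure ARP entries, can be answered from the two `show` outputs Rich pasted rather than from the debug: a DHCP-installed secure ARP entry shows up in `show arp` as a non-aging entry (age "-") whose MAC matches the lease. The script below is an added example, not code from the thread or from Cisco. It cross-checks saved `show ip dhcp binding` output against saved `show arp` output and flags leases that have no entry, only a dynamic (aging) entry, or a non-aging entry for the wrong MAC. The sample text is the thread's own pasted output, realigned into columns. Two assumptions are baked in: the IOS client-ID format (a 0x00 type byte followed by the ASCII string `cisco-<mac>-<ifname>`, which is what the hex in the thread decodes to) and that an age of "-" marks a non-aging entry.

```python
import re

# Sample `show` output, copied from the outputs pasted in the thread above
# (realigned into columns); the script otherwise takes no live input.
DHCP_BINDING = """\
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.20.71.2      0063.6973.636f.2d30.    Sep 26 2007 05:33 PM    Automatic
                3031.392e.3535.6266.
                2e38.6563.362d.4769.
                302f.3131
"""

SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.71.1              0   0019.a986.941b  ARPA   GigabitEthernet0/11
Internet  10.20.71.2              -   0019.55bf.8ec6  ARPA   GigabitEthernet0/11
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# A wrapped client-ID continuation line is indented and holds only dotted hex.
HEX_CONTINUATION = re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{1,4})*\.?$")


def parse_bindings(text):
    """Map leased IP -> full dotted-hex client-ID from `show ip dhcp binding`,
    re-joining client-IDs that IOS wraps over several lines."""
    bindings = {}
    current = None
    for line in text.splitlines():
        m = re.match(rf"^({IPV4})\s+(\S+)", line)
        if m:
            current = m.group(1)
            bindings[current] = m.group(2)
            continue
        stripped = line.strip()
        if current and HEX_CONTINUATION.match(stripped):
            bindings[current] += stripped
    return bindings


def decode_client_id(client_id):
    """Decode an IOS-style client-ID (assumption: a 0x00 type byte followed by
    the ASCII string 'cisco-<mac>-<ifname>'). Returns None for other forms,
    such as a type-0x01 raw hardware address."""
    raw = bytes.fromhex(client_id.replace(".", ""))
    if not raw or raw[0] != 0x00:
        return None
    try:
        return raw[1:].decode("ascii")
    except UnicodeDecodeError:
        return None


def parse_arp(text):
    """Map IP -> (age, mac, interface) from `show arp`. An age of '-' means
    the entry never ages out: a static entry, or one the DHCP server
    installed as a secure ARP entry (assumption stated in the lead-in)."""
    entries = {}
    for line in text.splitlines():
        m = re.match(rf"^Internet\s+({IPV4})\s+(\S+)\s+({MAC})\s+\S+\s+(\S+)", line)
        if m:
            ip, age, mac, intf = m.groups()
            entries[ip] = (age, mac, intf)
    return entries


def check_secure_arp(binding_text, arp_text):
    """For every lease, classify the server's ARP entry for it:
    'ok'           non-aging entry whose MAC matches the lease's client-ID
    'aging'        only a dynamic entry exists (secure ARP not in effect)
    'mac-mismatch' non-aging entry, but for a different MAC
    'missing'      no ARP entry at all for the leased address
    Returns {ip: (status, detail)}."""
    arp = parse_arp(arp_text)
    report = {}
    for ip, client_id in parse_bindings(binding_text).items():
        decoded = decode_client_id(client_id) or ""
        m = re.search(rf"cisco-({MAC})-", decoded)
        expected_mac = m.group(1) if m else None
        if ip not in arp:
            report[ip] = ("missing", "no ARP entry for leased address")
            continue
        age, mac, intf = arp[ip]
        if age != "-":
            report[ip] = ("aging", f"dynamic entry (age {age} min) on {intf}")
        elif expected_mac and mac != expected_mac:
            report[ip] = ("mac-mismatch", f"ARP has {mac}, client-ID says {expected_mac}")
        else:
            report[ip] = ("ok", f"non-aging entry {mac} on {intf}")
    return report


if __name__ == "__main__":
    for ip, (status, detail) in check_secure_arp(DHCP_BINDING, SHOW_ARP).items():
        print(f"{ip:<15} {status:<12} {detail}")
```

On the thread's output this reports 10.20.71.2 as `ok`: the lease's client-ID decodes to `cisco-0019.55bf.8ec6-Gi0/11`, and the ARP table holds a non-aging entry for exactly that MAC, which is the entry the `Creating secure ARP entry` debug line refers to. An `aging` result for a leased address is the sign that `update arp` or `arp authorized` is not taking effect, and `mac-mismatch` is the case secure ARP exists to prevent: a different host answering for a leased address. To use it against a real router, replace the two sample strings with captured output.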