Re: DHCP config

From: Ben (bmunyao@gmail.com)
Date: Thu Sep 27 2007 - 09:25:52 ART


Scott,

Yes, I had excluded all IPs from the /24 scope, except one IP for the dhcp
client router.

Given the description of authorised ARP in DocCD, I figured this was to be
expected.

Ben

On 9/27/07, Scott Morris <swm@emanon.com> wrote:
>
> Were your static IPs listed as "excluded-address" for DHCP?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ben
> Sent: Thursday, September 27, 2007 1:25 AM
> To: Rich Collins
> Cc: Gary Duncanson; cisco2study@gmail.com; ccielab@groupstudy.com
> Subject: Re: DHCP config
>
> Hi Rich,
>
> When I labbed it up, I also couldn't positively verify it. However, I
> noted that dynamic ARP was no longer possible, as documented. I could not
> communicate with a node that had a static IP, until I configured a static
> ARP entry for it on the DHCP server.
>
> Ben
>
>
> On 9/26/07, Rich Collins <nilsi2002@gmail.com> wrote:
> >
> > I just tried a quick lab-up
> >
> > ip dhcp pool TEST
> > network 10.20.71.0 255.255.255.0
> > update arp
> > !
> > !
> > !
> > !
> > !
> > !
> > interface GigabitEthernet0/0
> > ip address 10.20.71.1 255.255.255.0
> > arp authorized
> >
> >
> >
> > I don't see anything obvious that it is a secure arp entry other than
> > checking the debug.
> >
> >
> > debug ip dhcp server ...
> >
> > Sep 25 21:33:24.224: DHCPD: Sending DHCPACK to client
> > 0063.6973.636f.2d30.3031.392e.3535.6266.2e38.6563.362d.4769.302f.3131
> > ( 10.20.71.2).
> > Sep 25 21:33:24.224: DHCPD: Creating secure ARP entry (10.20.71.2,
> > 0019.55bf.8ec6).
> > Sep 25 21:33:24.224: DHCPD: broadcasting BOOTREPLY to client
> > 0019.55bf.8ec6.
> >
> >
> > THIS IS THE DHCP SERVER
> > Router1#sh ip dhcp binding
> > Bindings from all pools not associated with VRF:
> > IP address      Client-ID/              Lease expiration        Type
> >                 Hardware address/
> >                 User name
> > 10.20.71.2      0063.6973.636f.2d30.    Sep 26 2007 05:33 PM    Automatic
> >                 3031.392e.3535.6266.
> >                 2e38.6563.362d.4769.
> >                 302f.3131
> >
> >
> > Router1#sh arp
> > Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> > Internet  10.20.71.1              0   0019.a986.941b  ARPA   GigabitEthernet0/11
> > Internet  10.20.71.2              -   0019.55bf.8ec6  ARPA   GigabitEthernet0/11
> >
> >
> > On 9/25/07, Ben <bmunyao@gmail.com> wrote:
> > >
> > >
> > > Nicky
> > >
> > > You may find the following URL useful.
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch10/hipdhcpa.htm
> > >
> > >
> > > HTH
> > >
> > > Ben
> > >
> > >
> > > On 9/25/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
> > > >
> > > > Hi Rich,
> > > >
> > > > Other than the cisco.com link to DHCP and arp authorised..
> > > >
> > > > Chapter 21 Security in Odom covers features such as Dynamic ARP
> > > > inspection (DAI), DHCP Snooping and IP Source Guard. Combinations
> > > > of these features should offer lots of scope for secure arp.
> > > >
> > > > HTH
> > > > Gary
> > > > ----- Original Message -----
> > > > From: "Rich Collins" <nilsi2002@gmail.com>
> > > > To: "nicky noname" <cisco2study@gmail.com>
> > > > Cc: "Cisco certification" <ccielab@groupstudy.com>
> > > > Sent: Tuesday, September 25, 2007 2:25 PM
> > > > Subject: Re: DHCP config
> > > >
> > > >
> > > > > Well I believe in general if you don't specify database then all
> > > > > bindings are stored locally (whether secure or not). I am interested
> > > > > in hearing more about working with secure arp though.
> > > > >
> > > > > On 9/24/07, nicky noname <cisco2study@gmail.com> wrote:
> > > > >>
> > > > >> thanks rich... I haven't seen...I will try it out. I guess this
> > > > >> is what would be required, if you are not explicitly told of a
> > > > >> place to store the database.
> > > > >>
> > > > >> nic
> > > > >>
> > > > >> On 9/24/07, Rich Collins <nilsi2002@gmail.com> wrote:
> > > > >> >
> > > > >> > If you want to do it locally isn't it enough to add this under
> > > > >> > the dhcp pool?
> > > > >> > ip dhcp pool MYNET
> > > > >> > ....
> > > > >> > update arp
> > > > >> > ...
> > > > >> >
> > > > >> > I think I read it somewhere that you need a corresponding
> > > > >> > arp authorized under the 'interface'.
> > > > >> >
> > > > >> > Rich
> > > > >> >
> > > > >> >
> > > > >> >
> > > > >> >
> > > > >> >
> > > > >> > On 9/24/07, nicky noname <cisco2study@gmail.com> wrote:
> > > > >> >
> > > > >> > > Hello,
> > > > >> > >
> > > > >> > > I am playing around with the IOS DHCP settings and I want to
> > > > >> > > provide DHCP services to secure arp requests only.
> > > > >> > >
> > > > >> > > I thought this was done by the command
> > > > >> > >
> > > > >> > > ip dhcp database XXXX
> > > > >> > >
> > > > >> > > Is this the only manner? I was hoping you could configure it
> > > > >> > > locally. This command is looking for a specified URL.
> > > > >> > > I have read through doc cd...it's not great for this.
> > > > >> > >
> > > > >> > > regards
> > > > >> > > nic
> > > > >> > >
> > > > >> > >
> > > > >> > > _______________________________________________________________________
> > > > >> > > Subscription information may be found at:
> > > > >> > > http://www.groupstudy.com/list/CCIELab.html
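What Ben and Rich observed can be checked mechanically from the two show outputs: on a DHCP server running "update arp" with "arp authorized", the only ARP entries for clients are the secure ones the DHCP server creates (age "-" in "sh arp"), dynamic learning is off, and a host with a static address stays unreachable until someone adds a static ARP entry for it. The script below is an added example, not part of this thread and not Cisco tooling. The sample outputs are constructed from the values in Rich's message, and STATIC_HOSTS is a hypothetical inventory of static-address hosts in the scope.

```python
"""Cross-check 'show ip dhcp binding' against 'show arp' on an IOS DHCP
server configured with 'update arp' and 'arp authorized'.

Added example for the thread above; sample outputs are constructed from the
values Rich posted, and STATIC_HOSTS is a hypothetical inventory."""
import re

# Constructed sample of 'show ip dhcp binding' (IOS wraps long client IDs)
DHCP_BINDING_OUTPUT = """\
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.20.71.2      0063.6973.636f.2d30.    Sep 26 2007 05:33 PM    Automatic
                3031.392e.3535.6266.
                2e38.6563.362d.4769.
                302f.3131
"""

# Constructed sample of 'show arp' on the same router
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.71.1              0   0019.a986.941b  ARPA   GigabitEthernet0/11
Internet  10.20.71.2              -   0019.55bf.8ec6  ARPA   GigabitEthernet0/11
"""

# Hypothetical inventory: hosts in the /24 that use static addresses
STATIC_HOSTS = {"10.20.71.10": "0011.2233.4455"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEXDOT = re.compile(r"[0-9a-f.]+")


def parse_dhcp_bindings(text):
    """Return {ip: client_id}. A line starting with an IPv4 address opens an
    entry; a following line that is only a hex/dot token is a wrapped
    continuation of that entry's client ID."""
    bindings = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        if fields and IPV4.match(fields[0]):
            current = fields[0]
            bindings[current] = fields[1]
        elif current and len(fields) == 1 and HEXDOT.fullmatch(fields[0]):
            bindings[current] += fields[0]
    return bindings


def parse_arp(text):
    """Return {ip: {"age": str, "mac": str, "interface": str}} from the
    'Internet' rows of 'show arp'; the header row has a different shape."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0] == "Internet" and IPV4.match(fields[1]):
            entries[fields[1]] = {"age": fields[2], "mac": fields[3],
                                  "interface": fields[5]}
    return entries


def audit(bindings, arp, static_hosts, server_ip):
    """Classify every address of interest. With authorized ARP the router
    learns nothing dynamically, so each host must be covered either by a
    DHCP-created secure entry (age '-') or by a hand-configured static
    entry, which is exactly the case Ben ran into."""
    findings = {}
    for ip in bindings:
        entry = arp.get(ip)
        if entry is None:
            findings[ip] = "dhcp-bound but no ARP entry"
        elif entry["age"] == "-":
            findings[ip] = "dhcp-bound, secure ARP entry present"
        else:
            findings[ip] = "dhcp-bound but ARP entry is dynamic (aged)"
    for ip, mac in static_hosts.items():
        entry = arp.get(ip)
        if entry is None:
            # Global 'arp <ip> <mac> arpa' is the static entry Ben had to add
            findings[ip] = "static host unreachable: needs static ARP entry"
        elif entry["mac"].lower() != mac.lower():
            findings[ip] = "static host MAC mismatch in ARP table"
        else:
            findings[ip] = "static host covered by ARP entry"
    for ip in arp:
        # The server's own interface address is neither a client nor inventory
        if ip not in findings and ip != server_ip:
            findings[ip] = "ARP entry with no DHCP binding and not in inventory"
    return findings


if __name__ == "__main__":
    result = audit(parse_dhcp_bindings(DHCP_BINDING_OUTPUT), parse_arp(ARP_OUTPUT),
                   STATIC_HOSTS, server_ip="10.20.71.1")
    for ip, verdict in sorted(result.items()):
        print(ip, "-", verdict)
```

Run against the constructed samples it reports 10.20.71.2 as DHCP-bound with a secure entry and the hypothetical 10.20.71.10 as unreachable until a static ARP entry exists; the joined client ID it extracts from the binding table matches the one in the DHCPACK debug line Rich quoted.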



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART