RE: DHCP config

From: Scott Morris (smorris@ipexpert.com)
Date: Thu Sep 27 2007 - 13:07:10 ART


The feature appears to be closely tied to "arp authorized" which is an
interface command, so perhaps they're using the same restrictions.
 
"Restrictions for DHCP Authorized ARP
When this feature is configured on an interface, dynamic learning of ARP for
that interface is disabled. This feature is supported only on Ethernet
interfaces. "

Check out
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d2df4.html

HTH,

Scott

  _____

From: Ben [mailto:bmunyao@gmail.com]
Sent: Thursday, September 27, 2007 8:26 AM
To: swm@emanon.com
Cc: Rich Collins; Gary Duncanson; cisco2study@gmail.com;
ccielab@groupstudy.com
Subject: Re: DHCP config

Scott,

Yes, I had excluded all IPs from the /24 scope, except one IP for the dhcp
client router.

Given the description of authorised ARP in DocCD, I figured this was to be
expected.

Ben

On 9/27/07, Scott Morris <swm@emanon.com> wrote:

Were your static IPs listed as "excluded-address" for DHCP?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ben
Sent: Thursday, September 27, 2007 1:25 AM
To: Rich Collins
Cc: Gary Duncanson; cisco2study@gmail.com; ccielab@groupstudy.com
Subject: Re: DHCP config

Hi Rich,

When I labbed it up, I also couldn't positively verify it. However, I noted
that dynamic ARP was no longer possible, as documented. I could not
communicate with a node that had a static IP, until I configured a static
ARP entry for it on the DHCP server.

Ben

On 9/26/07, Rich Collins <nilsi2002@gmail.com> wrote:
>
> I just tried a quick lab-up
>
> ip dhcp pool TEST
>  network 10.20.71.0 255.255.255.0
>  update arp
> !
> interface GigabitEthernet0/0
>  ip address 10.20.71.1 255.255.255.0
>  arp authorized
>
>
>
> I don't see anything obvious that it is a secure arp entry other than
> checking the debug.
>
>
> debug ip dhcp server ...
>
> Sep 25 21:33:24.224: DHCPD: Sending DHCPACK to client
> 0063.6973.636f.2d30.3031.392e.3535.6266.2e38.6563.362d.4769.302f.3131
> (10.20.71.2).
> Sep 25 21:33:24.224: DHCPD: Creating secure ARP entry (10.20.71.2,
> 0019.55bf.8ec6).
> Sep 25 21:33:24.224: DHCPD: broadcasting BOOTREPLY to client
> 0019.55bf.8ec6.
>
>
> THIS IS THE DHCP SERVER
> Router1#sh ip dhcp binding
> Bindings from all pools not associated with VRF:
> IP address     Client-ID/              Lease expiration       Type
>                Hardware address/
>                User name
> 10.20.71.2     0063.6973.636f.2d30.    Sep 26 2007 05:33 PM   Automatic
>                3031.392e.3535.6266.
>                2e38.6563.362d.4769.
>                302f.3131
>
>
> Router1#sh arp
> Protocol  Address      Age (min)  Hardware Addr   Type  Interface
> Internet  10.20.71.1           0  0019.a986.941b  ARPA  GigabitEthernet0/11
> Internet  10.20.71.2           -  0019.55bf.8ec6  ARPA  GigabitEthernet0/11
>
>
> On 9/25/07, Ben <bmunyao@gmail.com> wrote:
> >
> >
> > Nicky
> >
> > You may find the following URL useful.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch10/hipdhcpa.htm
> >
> >
> > HTH
> >
> > Ben
> >
> >
> > On 9/25/07, Gary Duncanson <gary.duncanson@googlemail.com> wrote:
> > >
> > > Hi Rich,
> > >
> > > Other than the cisco.com link to DHCP and arp authorised..
> > >
> > > Chapter 21 Security in Odom covers features such as Dynamic ARP
> > > inspection (DAI), DHCP Snooping and IP Source Guard. Combinations
> > > of these features should offer lots of scope for secure arp.
> > >
> > > HTH
> > > Gary
> > > ----- Original Message -----
> > > From: "Rich Collins" <nilsi2002@gmail.com>
> > > To: "nicky noname" <cisco2study@gmail.com>
> > > Cc: "Cisco certification" <ccielab@groupstudy.com>
> > > Sent: Tuesday, September 25, 2007 2:25 PM
> > > Subject: Re: DHCP config
> > >
> > >
> > > > Well I believe in general if you don't specify database then all
> > > > bindings are stored locally (whether secure or not). I am interested
> > > > in hearing more about working with secure arp though.
> > > >
> > > > On 9/24/07, nicky noname <cisco2study@gmail.com> wrote:
> > > >>
> > > >> thanks rich... I haven't seen...I will try it out. I guess this is
> > > >> what would be required, if you are not explicitly told of a place to
> > > >> store the database.
> > > >>
> > > >> nic
> > > >>
> > > >> On 9/24/07, Rich Collins <nilsi2002@gmail.com> wrote:
> > > >> >
> > > >> > If you want to do it locally isn't it enough to add this under
> > > >> > the dhcp pool?
> > > >> > ip dhcp pool MYNET
> > > >> > ....
> > > >> > update arp
> > > >> > ...
> > > >> >
> > > >> > I think I read it somewhere that you need a corresponding
> > > >> > arp authorized under the 'interface'.
> > > >> >
> > > >> > Rich
> > > >> >
> > > >> >
> > > >> >
> > > >> >
> > > >> >
> > > >> > On 9/24/07, nicky noname <cisco2study@gmail.com> wrote:
> > > >> >
> > > >> > > Hello,
> > > >> > >
> > > >> > > I am playing around with the IOS DHCP settings and I want to
> > > >> > > provide DHCP services to secure arp requests only.
> > > >> > >
> > > >> > > I thought this was done by the command
> > > >> > >
> > > >> > > ip dhcp database XXXX
> > > >> > >
> > > >> > > Is this the only manner? I was hoping you could configure it
> > > >> > > locally. This command is looking for a specified URL.
> > > >> > > I have read through doc cd...it's not great for this.
> > > >> > >
> > > >> > > regards
> > > >> > > nic
> > > >> > >
> > > >> > >
> > >
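Added example (not from the thread or from Cisco): Rich noted that the only visible sign of the secure ARP entry is the "Creating secure ARP entry" line in `debug ip dhcp server`, and Ben found that hosts with static IPs on an `arp authorized` interface stay unreachable until they get a static ARP entry. The script below cross-checks constructed copies of that debug output and of `show arp` (modelled on the lines Rich posted), confirming that each DHCP-created entry is present with the matching MAC and a non-aging age of "-", and lists the remaining aging entries that would need an `arp <ip> <mac> arpa` line. That "-" marks a non-aging entry and that the column layout is whitespace-separated are assumptions drawn from the posted output; check them against your own IOS release.

```python
"""Cross-check IOS DHCP 'secure ARP' entries against the ARP table.

Added example, not code from the thread. Sample outputs are constructed
from the lines posted in the thread; formats are assumed, not verified
against a particular IOS release.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: what "debug ip dhcp server" prints on a DHCPACK.
DEBUG_OUTPUT = """\
Sep 25 21:33:24.224: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3031.392e.3535.6266.2e38.6563.362d.4769.302f.3131 (10.20.71.2).
Sep 25 21:33:24.224: DHCPD: Creating secure ARP entry (10.20.71.2, 0019.55bf.8ec6).
Sep 25 21:33:24.224: DHCPD: broadcasting BOOTREPLY to client 0019.55bf.8ec6.
"""

# Constructed sample: "show arp" on the DHCP server. 10.20.71.50 is a
# hypothetical static-IP host whose entry was learned dynamically.
SHOW_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.71.1              0   0019.a986.941b  ARPA   GigabitEthernet0/11
Internet  10.20.71.2              -   0019.55bf.8ec6  ARPA   GigabitEthernet0/11
Internet  10.20.71.50             3   0019.55bf.aaaa  ARPA   GigabitEthernet0/11
"""

SECURE_RE = re.compile(r"Creating secure ARP entry \((\S+), (\S+)\)")


@dataclass
class ArpEntry:
    address: str
    age: str          # "-" for a non-aging entry, otherwise minutes (assumption)
    mac: str
    interface: str

    @property
    def non_aging(self) -> bool:
        return self.age == "-"


def parse_secure_entries(debug_text: str) -> dict[str, str]:
    """Return {ip: mac} for every secure ARP entry the DHCP server logged."""
    return {ip: mac for ip, mac in SECURE_RE.findall(debug_text)}


def parse_show_arp(text: str) -> dict[str, ArpEntry]:
    """Parse 'show arp' rows into {ip: ArpEntry}; header and blank lines are skipped."""
    entries: dict[str, ArpEntry] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "Internet":
            continue
        _proto, addr, age, mac, _typ, iface = fields
        entries[addr] = ArpEntry(addr, age, mac, iface)
    return entries


def check_secure_arp(debug_text: str, arp_text: str) -> dict[str, str]:
    """Map each DHCP-created secure entry to a verdict.

    'secure' means the ARP table holds the same MAC the DHCP server bound
    and the entry does not age; anything else is reported as a mismatch.
    """
    table = parse_show_arp(arp_text)
    verdicts: dict[str, str] = {}
    for ip, mac in parse_secure_entries(debug_text).items():
        entry = table.get(ip)
        if entry is None:
            verdicts[ip] = "missing from ARP table"
        elif entry.mac != mac:
            verdicts[ip] = f"MAC mismatch: DHCP {mac}, ARP {entry.mac}"
        elif not entry.non_aging:
            verdicts[ip] = f"aging entry ({entry.age} min), not secure"
        else:
            verdicts[ip] = "secure"
    return verdicts


def aging_entries(arp_text: str, own_addresses: set[str] | None = None) -> list[str]:
    """IPs with aging (dynamically learned) entries, minus the router's own
    interface addresses. With 'arp authorized' on the interface, dynamic ARP
    learning is disabled, so these hosts need 'arp <ip> <mac> arpa'."""
    own = own_addresses or set()
    return [ip for ip, e in parse_show_arp(arp_text).items()
            if not e.non_aging and ip not in own]


if __name__ == "__main__":
    for ip, verdict in check_secure_arp(DEBUG_OUTPUT, SHOW_ARP_OUTPUT).items():
        print(f"{ip}: {verdict}")
    for ip in aging_entries(SHOW_ARP_OUTPUT, {"10.20.71.1"}):
        print(f"{ip}: dynamic entry; needs a static 'arp' line under authorized ARP")
```

Feed it the real `debug ip dhcp server` and `show arp` text from the DHCP server; a DHCP client whose entry comes back as "aging" or "missing" has not been installed as a secure entry, which usually means `update arp` or `arp authorized` is absent on that pool or interface.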



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART