Re: DHCP Option 82

From: Salah ElShekeil <salah.elshekeil_at_gmail.com>
Date: Wed, 28 Oct 2009 22:51:49 +0300

Very nice explanation, Karim

keep it up :-)

On Wed, Oct 28, 2009 at 2:09 PM, karim jamali <karim.jamali_at_gmail.com> wrote:

> Hi Antonio,
>
> I have summarized Configuring DHCP Features and IP Source Guard
>
> Anyone who finds a mistake in any of the concepts below, please let me know.
>
> 1) For Option 82 to operate, DHCP snooping must be activated!
> 2) DHCP snooping's goal is to validate the integrity of the DHCP messages
> (defining: server trusted, clients untrusted) and to build the DHCP
> snooping database (MAC address/IP address/binding type/VLAN number/interface
> information, etc.).
> 3) Option 82: the goal is to add information that may be useful for the DHCP
> server to implement certain policies!
> Remote-id (global): default is the switch MAC address.
> Command: ip dhcp snooping information option format remote-id [string
> ASCII-string | hostname]
>
> Circuit-id: per interface, to differentiate which interface the request to
> the relay agent came in on.
> Command: ip dhcp snooping vlan vlan information option format-type circuit-id
> [override] string ASCII-string
>
>
> IPSG: is a per-port ACL that depends on the DHCP snooping database. Packets
> that arrive with source addresses conforming to the DHCP binding database
> are allowed to pass through. Packets that do not conform will be dropped.
> You can extend IPSG by allowing it to depend on the source IP address as
> well as the MAC address (port-security), for instance stating that hosts
> which have an IP address conforming with the DHCP snooping database on one
> hand, and only 5 hosts are allowed to communicate (port-security maximum 5)
> on a certain port.
> Recently, the interdependency between IPSG and a DHCP environment was broken
> by allowing the IPSG to build a device tracking table (using ARP), thus
> validating the source addresses (hosts) allowed to communicate on the
> segment, and limiting them to a certain value (port-security maximum).
>
>
> Switch(config)# ip device tracking
> Switch(config)# interface gigabitethernet 0/3
> Switch(config-if)# switchport mode access
> Switch(config-if)# switchport access vlan 1
> Switch(config-if)# ip device tracking maximum 5
> Switch(config-if)# switchport port-security
> Switch(config-if)# switchport port-security maximum 5
> Switch(config-if)# ip verify source tracking port-security
> Switch(config-if)# end
>
> In this example, device tracking is enabled with a maximum of 5 hosts that
> can communicate (to be validated with the device tracking table). No more
> than 5 hosts can communicate on the switchport.
> Any help, comments, or explanations are appreciated!
>
> Best Regards,
> On Wed, Oct 28, 2009 at 12:42 PM, Antonio Saez <antonio.saez.jimenez_at_gmail.com> wrote:
>
> > Hi Karim,
> >
> > In the configuration guide of 3560, in the source guard section
> >
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html#wp1328446
> >
> > I can not see the relation between source guard with MAC address filtering
> > (ip verify source port-security).
> >
> > Thank you again
> >
> >
> >
> > *From:* karim jamali [mailto:karim.jamali_at_gmail.com]
> > *Sent:* Wednesday, 28 October 2009 10:36
> >
> > *To:* Antonio Saez; Cisco certification
> > *Subject:* Re: DHCP Option 82
> >
> >
> >
> > Hi Antonio,
> >
> >
> > I am not sure about this. Can you just give me the context in which you
> > read the relationship between option 82 and the port-security feature?
> >
> >
> >
> > Thanks
> >
> >
> >
> > Best Regards
> >
> > On Wed, Oct 28, 2009 at 12:30 PM, Antonio Saez <
> > antonio.saez.jimenez_at_gmail.com> wrote:
> >
> > Thanks Karim,
> >
> > OK, I understand this, but why is it needed for the source guard
> > port-security feature?
> >
> >
> >
> > Regards
> >
> >
> >
> > *From:* karim jamali [mailto:karim.jamali_at_gmail.com]
> > *Sent:* Wednesday, 28 October 2009 8:55
> > *To:* Antonio Saez; Cisco certification
> > *Subject:* Re: DHCP Option 82
> >
> >
> >
> > Hi,
> >
> >
> >
> > DHCP option 82 is an optional feature that allows the relay agent to insert
> > circuit-specific information into a request being forwarded to a DHCP
> > server. This option 82 information can be used by the DHCP server to
> > implement policies (allocation of addresses based on the requesting subnet
> > (giaddr) as well as the circuit-id information, e.g. the port on the switch
> > on which the client resides). For instance, you can have 12 clients on a
> > common VLAN, and you would like to give 6 of them addresses from a certain
> > range within the pool, and the other 6 clients from another range in the
> > pool, based on the circuit-id (tied to the switch interface).
> >
> >
> >
> > For instance:
> >
> > You can create a pool for a subnet (172.16.12.0/24), and within the pool you
> > can create classes. Each class will have a range of option 82 values, which
> > will match a range of circuit-ids of the client ports. Thus, for a client
> > connected to a certain port, the circuit-id of that port will determine
> > which class the client belongs to, and the client will be issued an IP
> > address from a certain range within that pool (172.16.12.1 -
> > 172.16.12.20).
> >
> >
> >
> > So the circuit-id matches option 82 hex value corresponding to the class
> > which in turn corresponds to a range of ip addresses within the
> > subnet(pool).
> >
> >
> >
> > Sample Configuration (Cisco's Website):
> >
> > ! Defines the DHCP classes and relay information patterns
> > ip dhcp class CLASS1
> >  relay agent information
> >   relay-information hex 01030a0b0c02050000000123
> >   relay-information hex 01030a0b0c02*
> >   relay-information hex 01030a0b0c02050000000000 bitmask 0000000000000000000000FF
> > ip dhcp class CLASS2
> >  relay agent information
> >   relay-information hex 01040102030402020102
> >   relay-information hex 01040101030402020102
> > ip dhcp class CLASS3
> >  relay agent information
> >
> > ! Associates the DHCP pool with DHCP classes
> > ip dhcp pool ABC
> >  network 10.0.20.0 255.255.255.0
> >  class CLASS1
> >   address range 10.0.20.1 10.0.20.100
> >  class CLASS2
> >   address range 10.0.20.101 10.0.20.200
> >  class CLASS3
> >   address range 10.0.20.201 10.0.20.254
> >
> >
> >
> >
> >
> > For more information on this topic check:
> >
> > http://blog.internetworkexpert.com/2009/07/22/understanding-dhcp-option-82/
> >
> > http://www.faqs.org/rfcs/rfc3046.html
> >
> >
> >
> > Best Regards,
> >
> > On Wed, Oct 28, 2009 at 10:30 AM, Antonio Saez <
> > antonio.saez.jimenez_at_gmail.com> wrote:
> >
> > Hi all,
> >
> >
> >
> > I am reading the doc about DHCP option 82 and not sure I understand it
> > completely. What is it used for? Is it needed for the DHCP snooping feature?
> >
> > Sorry for these basic questions but do not have switches to test it.
> >
> >
> >
> > Thanks all
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > KJ
> >
> --
> KJ
>

-- 
Salah
CCIE #24207
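The hex patterns in the sample configuration quoted above are raw option 82 values: sub-option 1 (Agent Circuit ID) and sub-option 2 (Agent Remote ID) from RFC 3046, each as a type byte, a length byte and the value. The following is an editor-added example, not code from any poster or from Cisco. It encodes and decodes the option, reproduces Cisco's documented default circuit-id/remote-id layout, and classifies a client against the thread's CLASS1/CLASS2/CLASS3 patterns. Two points are the editor's reading of the sample rather than anything the thread states: a trailing `*` matches any suffix and a 1 bit in `bitmask` marks a don't-care bit; and a class with no patterns (CLASS3) is treated as a catch-all. Confirm both against the IOS documentation before relying on them.

```python
"""Editor-added example: DHCP option 82 (RFC 3046) encoding, decoding and
Cisco-style DHCP class matching.  The patterns and address ranges are the
ones from the sample configuration in the thread."""
from typing import Dict, List, Optional, Tuple

CIRCUIT_ID = 1   # RFC 3046 sub-option 1: Agent Circuit ID
REMOTE_ID = 2    # RFC 3046 sub-option 2: Agent Remote ID


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the option payload as TLV sub-options (the outer option code
    0x52 and its length, which wrap this in the DHCP packet, are omitted)."""
    out = b""
    for code, val in ((CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)):
        if len(val) > 255:
            raise ValueError("sub-option value too long")
        out += bytes([code, len(val)]) + val
    return out


def parse_option82(payload: bytes) -> Dict[int, bytes]:
    """Decode sub-options.  Truncated data raises so that a malformed option
    arriving on an untrusted port is rejected rather than half-parsed."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        val = payload[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = val
        i += 2 + length
    return subs


def cisco_default_circuit_id(vlan: int, module: int, port: int) -> bytes:
    """Cisco's documented default circuit-id value: type 0x00, length 0x04,
    VLAN (2 bytes), module (1 byte), port (1 byte)."""
    return bytes([0x00, 0x04]) + vlan.to_bytes(2, "big") + bytes([module, port])


def cisco_default_remote_id(switch_mac: bytes) -> bytes:
    """Cisco's documented default remote-id value: type 0x00, length 0x06, MAC."""
    return bytes([0x00, 0x06]) + switch_mac


def matches_pattern(payload: bytes, pattern: str, bitmask: Optional[str] = None) -> bool:
    """'relay-information hex' match.  Assumption (editor's reading of the
    sample): trailing '*' matches any suffix; a 1 bit in bitmask is don't-care."""
    wildcard = pattern.endswith("*")
    pat = bytes.fromhex(pattern.rstrip("*"))
    if wildcard:
        return payload[:len(pat)] == pat
    if len(payload) != len(pat):
        return False
    mask = bytes.fromhex(bitmask) if bitmask else bytes(len(pat))
    if len(mask) != len(pat):
        raise ValueError("bitmask length must equal pattern length")
    return all(((p ^ q) & (m ^ 0xFF)) == 0 for p, q, m in zip(payload, pat, mask))


# Classes from the thread's sample configuration: (pattern, bitmask) pairs.
CLASSES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "CLASS1": [("01030a0b0c02050000000123", None),
               ("01030a0b0c02*", None),
               ("01030a0b0c02050000000000", "0000000000000000000000FF")],
    "CLASS2": [("01040102030402020102", None),
               ("01040101030402020102", None)],
    "CLASS3": [],   # assumption: a class with no patterns is a catch-all
}

# 'address range' per class from pool ABC in the sample configuration.
POOL_ABC = {"CLASS1": ("10.0.20.1", "10.0.20.100"),
            "CLASS2": ("10.0.20.101", "10.0.20.200"),
            "CLASS3": ("10.0.20.201", "10.0.20.254")}


def classify(payload: bytes) -> Optional[str]:
    """First class whose patterns match, in configured order."""
    for name, patterns in CLASSES.items():
        if not patterns or any(matches_pattern(payload, p, m) for p, m in patterns):
            return name
    return None


def address_range_for(payload: bytes) -> Optional[Tuple[str, str]]:
    """Range the server would allocate from for this relay information."""
    cls = classify(payload)
    return POOL_ABC.get(cls) if cls else None


if __name__ == "__main__":
    # Constructed clients: circuit-id 0a0b0c on port with remote-id ...0177
    for cid, rid in ((b"\x0a\x0b\x0c", bytes.fromhex("0000000177")),
                     (bytes.fromhex("01020304"), bytes.fromhex("0102")),
                     (b"\xff\xee", b"\xaa")):
        opt = build_option82(cid, rid)
        print(opt.hex(), classify(opt), address_range_for(opt))
```

The bitmask pattern in CLASS1 shows why masked matching is useful: the last byte of the remote-id is ignored, so one pattern covers a block of ports. Note that the payload length is still checked before the mask is applied, so a shorter or longer value cannot match by accident.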
Received on Wed Oct 28 2009 - 22:51:49 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:01 ART
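Antonio's question in the thread was what port-security adds to IP Source Guard. The editor-added model below (not code from any poster or from Cisco) simulates the behaviour Karim summarised: DHCP snooping drops server messages on untrusted ports and checks chaddr against the source MAC, ACKs on the trusted port populate the binding table, a per-port host limit stands in for `port-security maximum` / `ip device tracking maximum`, and IP Source Guard is checked in both `ip verify source` and `ip verify source port-security` modes. Port names, MAC and IP addresses are constructed for the example. The scenario where the two modes differ is two hosts sharing one access port (e.g. behind an unmanaged switch): with IP-only verification, host B can send from host A's leased address because that binding is on the same port; the port-security mode also requires A's MAC.

```python
"""Editor-added model of DHCP snooping, IP Source Guard (IPSG) and the
'ip verify source ... port-security' mode discussed in the thread.
All ports, MACs and addresses below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    trusted: Set[str]                                  # ports a DHCP server may answer from
    max_hosts: Dict[str, int] = field(default_factory=dict)                  # port -> host limit
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)   # (vlan, ip) -> binding
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)        # (vlan, chaddr) -> client port
    log: List[str] = field(default_factory=list)

    def dhcp_message(self, msg: str, port: str, vlan: int, chaddr: str,
                     src_mac: str, yiaddr: Optional[str] = None) -> bool:
        """DHCP snooping.  Returns True if the message is forwarded."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                self.log.append(f"DROP {msg} from untrusted {port}: rogue server")
                return False
            if msg == "ACK":
                client_port = self.pending.pop((vlan, chaddr), None)
                if client_port is None:
                    self.log.append(f"DROP ACK for {chaddr}: no matching request")
                    return False
                self._add_binding(Binding(chaddr, yiaddr, vlan, client_port))
            return True
        # Client message on an untrusted port: chaddr must equal the frame's source MAC.
        if port not in self.trusted and chaddr != src_mac:
            self.log.append(f"DROP {msg} on {port}: chaddr {chaddr} != src {src_mac}")
            return False
        self.pending[(vlan, chaddr)] = port
        return True

    def _add_binding(self, b: Binding) -> None:
        """Simplified host limit: refuse a binding for a new MAC once the port
        already has max_hosts distinct MACs bound (port-security maximum)."""
        macs_on_port = {x.mac for x in self.bindings.values() if x.port == b.port}
        limit = self.max_hosts.get(b.port)
        if limit is not None and b.mac not in macs_on_port and len(macs_on_port) >= limit:
            self.log.append(f"DROP binding {b.mac}/{b.ip} on {b.port}: max {limit} hosts")
            return
        self.bindings[(b.vlan, b.ip)] = b

    def verify_source(self, port: str, vlan: int, src_mac: str, src_ip: str,
                      port_security: bool = False) -> bool:
        """IPSG.  'ip verify source' checks the source IP against a binding on
        this port; 'ip verify source port-security' also requires the source
        MAC to match, which is what stops a host on the same port from
        borrowing a neighbour's leased address."""
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.port != port:
            return False
        return not port_security or b.mac == src_mac


def build_demo() -> Switch:
    """Constructed scenario: DHCP server on Gi0/1 (trusted); hosts A, B and C
    share untrusted port Gi0/2 (limit 2 hosts); an attacker sits on Gi0/3."""
    sw = Switch(trusted={"Gi0/1"}, max_hosts={"Gi0/2": 2})
    server_mac = "00:50:56:00:00:01"
    a, b, c = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    for mac, ip in ((a, "172.16.12.10"), (b, "172.16.12.11"), (c, "172.16.12.12")):
        sw.dhcp_message("REQUEST", "Gi0/2", 1, mac, mac)
        sw.dhcp_message("ACK", "Gi0/1", 1, mac, server_mac, yiaddr=ip)
    # Attacker on Gi0/3: rogue OFFER, then a REQUEST spoofing A's chaddr.
    sw.dhcp_message("OFFER", "Gi0/3", 1, a, "dd:dd:dd:00:00:04", yiaddr="172.16.12.99")
    sw.dhcp_message("REQUEST", "Gi0/3", 1, a, "dd:dd:dd:00:00:04")
    return sw


if __name__ == "__main__":
    sw = build_demo()
    for line in sw.log:
        print(line)
    # B sends from A's leased address with B's own MAC, from the shared port.
    print("ip verify source              :", sw.verify_source("Gi0/2", 1, "bb:bb:bb:00:00:02", "172.16.12.10"))
    print("ip verify source port-security:", sw.verify_source("Gi0/2", 1, "bb:bb:bb:00:00:02", "172.16.12.10", True))
```

The model also shows why snooping must precede IPSG: the binding table that `verify_source` consults only exists because ACKs on the trusted port created it, and the `chaddr` check on untrusted ports is what keeps an attacker from planting a binding for someone else's MAC in the first place.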