Configuring DHCP Binding

The DHCP (Dynamic Host Configuration Protocol) bindings database contains the IP address, MAC address, VLAN (Virtual LAN) ID, and port number of the client. You can add or delete static IP-to-MAC DHCP binding entries using the following commands:

configure ip-security dhcp-bindings add

configure ip-security dhcp-bindings delete

You can specify the storage details of the DHCP binding database. Use the following commands to specify the DHCP binding database location, filename, write-interval, and write threshold limits:

configure ip-security dhcp-bindings storage filename

configure ip-security dhcp-bindings storage location

configure ip-security dhcp-bindings storage

You can upload the DHCP binding database periodically by enabling DHCP binding restoration. The binding write interval is specified in minutes, from 5 to 1440 (24 hours). The default is 30 minutes.

Upload the latest DHCP binding database using the upload command:

enable ip-security dhcp-bindings restoration

You can also have the DHCP binding database uploaded based on the number of DHCP entries (the write-threshold range is 25 to 200).

The periodic backup of the DHCP binding database can be disabled using the following command:

disable ip-security dhcp-bindings restoration
Note

There is no command to unconfigure the DHCP binding storage server details. To disable the DHCP binding storage server details, use the preceding command.

For information about configuring option 82 at Layer 3, see Configuring the DHCP Relay Agent Option (Option 82) at Layer 3.

Note

When configuring static DHCP binding entries, DHCP binding restoration needs to be configured.

Example of Option 82 Configuration

The following example shows an Option 82 configuration for the circuit ID fields.

create vlan v1
conf v1 add ports 21
enable ip-security dhcp-snooping v1 ports all violation-action drop-packet
configure trusted-ports 21 trust-for dhcp-server
conf ip-security dhcp-snooping information option
conf ip-security dhcp-snooping information check
conf ip-security dhcp-snooping information circuit-id vlan-information ServiceProvider-1 v1
conf ip-security dhcp-snooping information circuit-id port-information cutomer-1 port 1
conf ip-security dhcp-snooping information circuit-id port-information cutomer-2 port 2
CLI display output
==================
* switch # sh ip-security dhcp-snooping v1
DHCP Snooping enabled on ports: 21
Trusted Ports: 21
Trusted DHCP Servers: None
Bindings Restoration     : Disabled
Bindings Filename        :
Bindings File Location   :
Primary Server  : None
Secondary Server: None
Bindings Write Interval  : 30 minutes
Bindings last uploaded at:
------------------------------------
Port            Violation-action
------------------------------------
21              drop-packet
* switch # show ip-security dhcp-snooping information-option
Information option insertion: Enabled
Information option checking : Enabled
Information option policy   : Replace
* switch #
* switch # sh ip-security dhcp-snooping information-option circuit-id vlan-information
Vlan            Circuit-ID vlan information string
----            ----------------------------------
Default         1 (Default i.e. vlan-id)
Mgmt            4095 (Default i.e. vlan-id)
v1              ServiceProvider-1
Note: The full Circuit ID string has the form '<Vlan Info>-<Port Info>'
* switch #
* switch # sh ip-security dhcp-snooping information-option circuit-id port-information ports all
Port            Circuit-ID Port information string
----            ----------------------------------
1               cutomer-1
2               cutomer-2
3               1003
4               1004
5               1005
6               1006
7               1007
8               1008
9               1009
10              1010
11              1011
12              1012
13              1013
14              1014
15              1015
16              1016
17              1017
18              1018
19              1019
20              1020
21              1021
22              1022
23              1023
24              1024
25              1025
26              1026
Note: The full Circuit ID string has the form '<Vlan Info>-<Port Info>'
* switch #
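
The following Python code is an added example, not part of the vendor documentation or the switch software. It builds the circuit IDs a DHCP server should expect from the configuration above and maps a received option 82 payload back to a VLAN and port. It assumes the circuit ID is carried as ASCII text in sub-option 1 and that unconfigured ports use 1000 plus the port number, as the display suggests; all function names are hypothetical.

```python
# Added example: expected Option 82 circuit IDs for the configuration shown above.
# Assumption: the circuit ID travels as ASCII text in sub-option 1 of option 82.
VLAN_INFO = {"Default": "1", "Mgmt": "4095", "v1": "ServiceProvider-1"}  # from the display
PORT_INFO = {1: "cutomer-1", 2: "cutomer-2"}  # configured strings, spelled as on the switch
PORTS = range(1, 27)                           # ports 1-26 in the display


def port_info(port):
    # Assumption from the display: unconfigured ports show 1000 + port (3 -> 1003).
    return PORT_INFO.get(port, str(1000 + port))


def circuit_id(vlan, port):
    # The full string has the form '<Vlan Info>-<Port Info>'.
    return f"{VLAN_INFO[vlan]}-{port_info(port)}"


def parse_option82(data):
    """Split an option 82 payload into {sub-option code: value} (RFC 3046 TLVs)."""
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds payload")
        subopts[code] = value
        i += 2 + length
    return subopts


def locate(data):
    """Return every (vlan, port) whose expected circuit ID equals the received one.

    The configured strings themselves contain '-', so the value is matched
    against the expected table instead of being split on the separator.
    """
    raw = parse_option82(data).get(1)  # sub-option 1 = Agent Circuit ID
    if raw is None:
        return []
    received = raw.decode("ascii", errors="replace")
    return [(v, p) for v in VLAN_INFO for p in PORTS if circuit_id(v, p) == received]


def encode(vlan, port):
    # Constructed sample payload, not a capture from a real switch.
    cid = circuit_id(vlan, port).encode("ascii")
    return bytes([1, len(cid)]) + cid
```

An empty result from locate() means the circuit ID does not correspond to any VLAN and port in the expected table, which is worth logging on the DHCP server side.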