The DHCP (Dynamic Host Configuration Protocol) bindings database contains the IP address, MAC address, VLAN (Virtual LAN) ID, and port number of the client. You can add or delete static IP-to-MAC DHCP binding entries using the following commands:
configure ip-security dhcp-bindings add
configure ip-security dhcp-bindings delete
You can specify the storage details of the DHCP binding database. Use the following commands to specify the DHCP binding database location, filename, write-interval, and write threshold limits:
configure ip-security dhcp-bindings storage filename
configure ip-security dhcp-bindings storage location
configure ip-security dhcp-bindings storage
You can upload the DHCP binding database periodically by enabling DHCP binding restoration. The binding write interval is specified in minutes, from 5 to 1440 (24 hours). The default is 30 minutes.
Upload the latest DHCP binding database using the upload command:
enable ip-security dhcp-bindings restoration
You can also have the DHCP binding database uploaded based on the number of DHCP entries (the write-threshold range is 25 to 200).
The periodic backup of the DHCP binding database can be disabled using the following command:
Note
There is no command to unconfigure the DHCP binding storage server details. To disable the DHCP binding storage server details, use the preceding command.
For information about configuring option 82 at Layer 3, see Configuring the DHCP Relay Agent Option (Option 82) at Layer 3.
Note
When configuring static DHCP binding entries, DHCP binding restoration needs to be configured.
The following example describes Option 82 configuration for circuit ID fields.
create vlan v1
conf v1 add ports 21
enable ip-security dhcp-snooping v1 ports all violation-action drop-packet
configure trusted-ports 21 trust-for dhcp-server
conf ip-security dhcp-snooping information option
conf ip-security dhcp-snooping information check
conf ip-security dhcp-snooping information circuit-id vlan-information ServiceProvider-1 v1
conf ip-security dhcp-snooping information circuit-id port-information cutomer-1 port 1
conf ip-security dhcp-snooping information circuit-id port-information cutomer-2 port 2

CLI display output
==================
* switch # sh ip-security dhcp-snooping v1
DHCP Snooping enabled on ports: 21
Trusted Ports: 21
Trusted DHCP Servers: None
Bindings Restoration : Disabled
Bindings Filename :
Bindings File Location :
    Primary Server : None
    Secondary Server: None
Bindings Write Interval : 30 minutes
Bindings last uploaded at:
------------------------------------
Port    Violation-action
------------------------------------
21      drop-packet
* switch # show ip-security dhcp-snooping information-option
Information option insertion: Enabled
Information option checking : Enabled
Information option policy : Replace
* switch #
* switch # sh ip-security dhcp-snooping information-option circuit-id vlan-information
Vlan      Circuit-ID vlan information string
----      ----------------------------------
Default   1 (Default i.e. vlan-id)
Mgmt      4095 (Default i.e. vlan-id)
v1        ServiceProvider-1
Note: The full Circuit ID string has the form '<Vlan Info>-<Port Info>'
* switch
* switch # sh ip-security dhcp-snooping information-option circuit-id port-information ports all
Port   Circuit-ID Port information string
----   ----------------------------------
1      cutomer-1
2      cutomer-2
3      1003
4      1004
5      1005
6      1006
7      1007
8      1008
9      1009
10     1010
11     1011
12     1012
13     1013
14     1014
15     1015
16     1016
17     1017
18     1018
19     1019
20     1020
21     1021
22     1022
23     1023
24     1024
25     1025
26     1026
Note: The full Circuit ID string has the form '<Vlan Info>-<Port Info>'
* switch #
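A circuit ID of the form '<Vlan Info>-<Port Info>' cannot be split on a fixed hyphen, because either half may itself contain one (ServiceProvider-1, cutomer-1). The following Python code is an added example, not part of the original documentation or vendor code: it resolves a received circuit ID against the VLAN and port strings from the display output above. It assumes the string is carried as ASCII in Option 82 sub-option 1 (RFC 3046), and the function names are hypothetical.

```python
# Resolve an Option 82 circuit ID ('<Vlan Info>-<Port Info>') to (VLAN, port).
# Assumption: the circuit ID is ASCII text in sub-option 1 (RFC 3046).

# Strings taken from the display output above.
VLAN_INFO = {"1": "Default", "4095": "Mgmt", "ServiceProvider-1": "v1"}
# Ports 1 and 2 carry configured strings; ports 3-26 show the default 1000+port.
PORT_INFO = {"cutomer-1": 1, "cutomer-2": 2}
PORT_INFO.update({str(1000 + p): p for p in range(3, 27)})


def parse_option82(payload: bytes) -> dict:
    """Split an Option 82 payload into {sub-option code: value bytes}."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds payload")
        subopts[code] = value
        i += 2 + length
    return subopts


def resolve_circuit_id(circuit_id: str):
    """Return (vlan_name, port), or None if no known pair matches."""
    # Both halves may contain '-', so every hyphen is tried as the separator.
    matches = []
    for pos, ch in enumerate(circuit_id):
        if ch != "-":
            continue
        vlan, port = circuit_id[:pos], circuit_id[pos + 1:]
        if vlan in VLAN_INFO and port in PORT_INFO:
            matches.append((VLAN_INFO[vlan], PORT_INFO[port]))
    if len(matches) > 1:
        raise ValueError("ambiguous circuit ID: " + circuit_id)
    return matches[0] if matches else None


def check_relay_info(payload: bytes):
    """Resolve sub-option 1 of a received Option 82 payload."""
    raw = parse_option82(payload).get(1)
    return resolve_circuit_id(raw.decode("ascii", "replace")) if raw else None


# Constructed sample: sub-option 1 carrying the circuit ID for VLAN v1, port 2.
CID = b"ServiceProvider-1-cutomer-2"
SAMPLE = bytes([1, len(CID)]) + CID
```

A DHCP server or log collector can treat a None result as a circuit ID that does not correspond to any configured VLAN and port string on this switch.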