Cisco Sg3008 Manual
IP Configuration IPv4 Management and Interfaces Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 285 17

The following describes how DHCP reply packets are handled when both DHCP Snooping and DHCP Relay are enabled:

| | DHCP Relay VLAN with IP Address: packet arrives without Option 82 | DHCP Relay VLAN with IP Address: packet arrives with Option 82 | DHCP Relay VLAN without IP Address: packet arrives without Option 82 | DHCP Relay VLAN without IP Address: packet arrives with Option 82 |
|---|---|---|---|---|
| Option 82 Insertion Disabled | Packet is sent without Option 82 | Packet is sent with the original Option 82 | Relay – discards Option 82. Bridge – Packet is sent without Option 82 | Relay – 1. If reply originates on the device, packet is sent without Option 82. 2. If reply does not originate on the device, discards the packet. Bridge – Packet is sent with the original Option 82 |
| Option 82 Insertion Enabled | Packet is sent without Option 82 | Packet is sent without Option 82 | Relay – discards Option 82. Bridge – Packet is sent without Option 82 | Packet is sent without Option 82 |

DHCP Snooping Binding Database

DHCP Snooping builds a database (known as the DHCP Snooping Binding database) derived from information taken from DHCP packets entering the device through trusted ports. The DHCP Snooping Binding database contains the following data: input port, input VLAN, MAC address of the client and IP address of the client if it exists.
The DHCP Snooping Binding database is also used by the IP Source Guard and Dynamic ARP Inspection features to determine legitimate packet sources.

DHCP Trusted Ports

Ports can be either DHCP trusted or untrusted. By default, all ports are untrusted. To designate a port as trusted, use the DHCP Snooping Interface Settings page. Packets from these ports are automatically forwarded. Packets from trusted ports are used to create the Binding database and are handled as described below. If DHCP Snooping is not enabled, all ports are trusted by default.

How the DHCP Snooping Binding Database is Built

The following describes how the device handles DHCP packets when both the DHCP client and DHCP server are trusted. The DHCP Snooping Binding database is built in this process.

DHCP Trusted Packet Handling

The actions are:

STEP 1 Device sends DHCPDISCOVER to request an IP address or DHCPREQUEST to accept an IP address and lease.
STEP 2 Device snoops packet and adds the IP-MAC information to the DHCP Snooping Binding database.
STEP 3 Device forwards DHCPDISCOVER or DHCPREQUEST packets.
STEP 4 DHCP server sends DHCPOFFER packet to offer an IP address, DHCPACK to assign one, or DHCPNAK to deny the address request.
STEP 5 Device snoops packet. If an entry exists in the DHCP Snooping Binding table that matches the packet, the device replaces it with IP-MAC binding on receipt of DHCPACK.
STEP 6 Device forwards DHCPOFFER, DHCPACK, or DHCPNAK.

The following summarizes how DHCP packets are handled from both trusted and untrusted ports. The DHCP Snooping Binding database is stored in non-volatile memory.

DHCP Snooping Packet Handling

| Packet Type | Arriving from Untrusted Ingress Interface | Arriving from Trusted Ingress Interface |
|---|---|---|
| DHCPDISCOVER | Forward to trusted interfaces only. | Forwarded to trusted interfaces only. |
| DHCPOFFER | Filter. | Forward the packet according to DHCP information. If the destination address is unknown the packet is filtered. |
| DHCPREQUEST | Forward to trusted interfaces only. | Forward to trusted interfaces only. |
| DHCPACK | Filter. | Same as DHCPOFFER and an entry is added to the DHCP Snooping Binding database. |
| DHCPNAK | Filter. | Same as DHCPOFFER. Remove entry if exists. |
| DHCPDECLINE | Check if there is information in the database. If the information exists and does not match the interface on which the message was received, the packet is filtered. Otherwise the packet is forwarded to trusted interfaces only, and the entry is removed from database. | Forward to trusted interfaces only. |
| DHCPRELEASE | Same as DHCPDECLINE. | Same as DHCPDECLINE. |
| DHCPINFORM | Forward to trusted interfaces only. | Forward to trusted interfaces only. |
| DHCPLEASEQUERY | Filtered. | Forward. |

DHCP Snooping Along With DHCP Relay

If both DHCP Snooping and DHCP Relay are globally enabled, then if DHCP Snooping is enabled on the client's VLAN, DHCP Snooping rules contained in the DHCP Snooping Binding database are applied, and the DHCP Snooping Binding database is updated in the client's and DHCP server's VLAN, for packets that are relayed.

DHCP Default Configuration

The following describes DHCP Snooping and DHCP Relay default options.

DHCP Default Options

| Option | Default State |
|---|---|
| DHCP Snooping | Enabled |
| Option 82 Insertion | Not enabled |
| Option 82 Passthrough | Not enabled |
| Verify MAC Address | Enabled |
| Backup DHCP Snooping Binding Database | Not enabled |
| DHCP Relay | Disabled |

Configuring DHCP Work Flow

To configure DHCP Relay and DHCP Snooping:
STEP 1 Enable DHCP Snooping and/or DHCP Relay in the IP Configuration > DHCP > Properties page or in the Security > DHCP Snooping > Properties page.
STEP 2 Define the interfaces on which DHCP Snooping is enabled in the IP Configuration > DHCP > Interface Settings page.
STEP 3 Configure interfaces as trusted or untrusted in the IP Configuration > DHCP > DHCP Snooping Interface page.
STEP 4 Optional. Add entries to the DHCP Snooping Binding database in the IP Configuration > DHCP > DHCP Snooping Binding Database page.

DHCP Snooping/Relay

This section describes how the DHCP Relay and Snooping features are implemented via the Web-based interface.

Properties

To configure DHCP Relay, DHCP Snooping and Option 82:

STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Snooping/Relay > Properties or Security > DHCP Snooping. Enter the following fields:
• Option 82—Select Option 82 to insert Option 82 information into packets.
• DHCP Relay—Select to enable DHCP Relay.
• DHCP Snooping Status—Select to enable DHCP Snooping. If DHCP Snooping is enabled, the following options can be enabled:
  - Option 82 Passthrough—Select to leave foreign Option 82 information when forwarding packets.
  - Verify MAC Address—Select to verify that the source MAC address of the Layer 2 header matches the client hardware address as appears in the DHCP Header (part of the payload) on DHCP untrusted ports.
  - Backup Database—Select to back up the DHCP Snooping Binding database on the device’s flash memory.
  - Backup Database Update Interval—Enter how often the DHCP Snooping Binding database is to be backed up (if Backup Database is selected).
STEP 2 Click Apply. The settings are written to the Running Configuration file.
STEP 3 To define a DHCP server, click Add.
STEP 4 Enter the IP address of the DHCP server and click Apply. The settings are written to the Running Configuration file.

Interface Settings

In Layer 2, DHCP Relay and Snooping can only be enabled on VLANs with IP addresses. In Layer 3, DHCP Relay and Snooping can be enabled on any interface with an IP address and on VLANs with or without an IP address.

To enable DHCP Snooping/Relay on specific interfaces:

STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Snooping/Relay > Interface Settings.
STEP 2 To enable DHCP Relay or DHCP Snooping on an interface, click ADD.
STEP 3 Select the interface and the features to be enabled: DHCP Relay or DHCP Snooping.
STEP 4 Click Apply. The settings are written to the Running Configuration file.

DHCP Snooping Trusted Interfaces

Packets from untrusted ports/LAGs are checked against the DHCP Snooping Binding database (see the DHCP Snooping Binding Database page). By default, interfaces are trusted.

To designate an interface as untrusted:

STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Snooping/Relay > DHCP Snooping Trusted Interfaces.
STEP 2 Select the interface and click Edit.
STEP 3 Select Trusted Interface (Yes or No).
STEP 4 Click Apply to save the settings to the Running Configuration file.
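The rules in the DHCP Snooping Packet Handling table, the Verify MAC Address option and the trusted/untrusted designation interact through the binding database, which is easier to see when they are modelled together. The Python model below is an added example, not code from Cisco or from this guide; the port names, MAC addresses and IP addresses are constructed, and recording the client's ingress port when its request is snooped is an assumption of the model.

```python
# Added illustration, not Cisco code; ports, MACs and IPs are constructed values.
CLIENT = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM"}
SERVER = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
class Snooper:
    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.db = {}  # (vlan, client MAC) -> {"port": ..., "ip": ... or None}
    def handle(self, p):
        """Return 'filter', 'forward', 'to-trusted' or 'to-port:<port>'."""
        key, kind = (p["vlan"], p["chaddr"]), p["type"]
        trusted = p["port"] in self.trusted
        # Verify MAC Address: untrusted ports only, L2 source must equal chaddr.
        if not trusted and self.verify_mac and p["src_mac"] != p["chaddr"]:
            return "filter"
        if kind in CLIENT:
            if kind != "DHCPINFORM":
                # Snoop the request; an existing entry is never moved to a new port.
                self.db.setdefault(key, {"port": p["port"], "ip": None})
            return "to-trusted"
        if kind in SERVER:
            if not trusted or key not in self.db:
                return "filter"  # reply from untrusted port, or destination unknown
            dest = self.db[key]["port"]
            if kind == "DHCPACK":
                self.db[key]["ip"] = p["yiaddr"]  # IP-MAC binding recorded on ACK
            elif kind == "DHCPNAK":
                del self.db[key]
            return "to-port:" + dest
        if kind in ("DHCPDECLINE", "DHCPRELEASE"):
            entry = self.db.get(key)
            if not trusted:
                if entry and entry["port"] != p["port"]:
                    return "filter"  # message about a binding learned on another port
                self.db.pop(key, None)
            return "to-trusted"
        if kind == "DHCPLEASEQUERY":
            return "forward" if trusted else "filter"
        return "filter"  # types outside the table: a choice of this model

def demo():
    sw, mac = Snooper({"gi1"}), "aa:aa:aa:aa:aa:01"
    c = {"vlan": 10, "chaddr": mac, "src_mac": mac}
    pkts = [dict(c, type="DHCPDISCOVER", port="gi5"),
            dict(c, type="DHCPOFFER", port="gi7", yiaddr="192.0.2.66"),
            dict(c, type="DHCPACK", port="gi1", yiaddr="192.0.2.10"),
            dict(c, type="DHCPDISCOVER", port="gi6", src_mac="aa:aa:aa:aa:aa:99"),
            dict(c, type="DHCPRELEASE", port="gi7")]
    return [sw.handle(p) for p in pkts], sw.db
```

In `demo()`, only `gi1` is trusted: the OFFER arriving on `gi7`, the DISCOVER whose Ethernet source differs from `chaddr`, and the RELEASE sent from a port other than the one the binding was learned on are all filtered, and the binding for `gi5` survives.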
DHCP Snooping Binding Database

See How the DHCP Snooping Binding Database is Built for a description of how dynamic entries are added to the DHCP Snooping Binding database.

Note the following points about maintenance of the DHCP Snooping Binding database:
• The device does not update the DHCP Snooping Binding database when a station moves to another interface.
• If a port is down, the entries for that port are not deleted.
• When DHCP Snooping is disabled for a VLAN, the binding entries that were collected for that VLAN are removed.
• If the database is full, DHCP Snooping continues to forward packets but new entries are not created. Note that if the IP Source Guard and/or ARP inspection features are active, the clients that are not written in the DHCP Snooping Binding database are not able to connect to the network.

To add entries to the DHCP Snooping Binding database:

STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Snooping/Relay > DHCP Snooping Binding Database.

To see a subset of entries in the DHCP Snooping Binding database, enter the relevant search criteria and click Go.

The fields in the DHCP Snooping Binding Database are displayed. These are described in the Add page, except for the IP Source Guard field:
• Status—
  - Active—IP Source Guard is active on the device.
  - Inactive—IP Source Guard is not active on the device.
• Reason—
  - No Problem
  - No Resource
  - No Snoop VLAN
  - Trust Port

STEP 2 To add an entry, click Add.
STEP 3 Enter the fields:
• VLAN ID—VLAN on which packet is expected.
• MAC Address—MAC address of packet.
• IP Address—IP address of packet.
• Interface—Unit/Slot/Interface on which packet is expected.
• Type—The possible field values are:
  - Dynamic—Entry has limited lease time.
  - Static—Entry was statically configured.
• Lease Time—If the entry is dynamic, enter the amount of time that the entry is to be active in the DHCP Database. (If there is no Lease Time, check Infinite.)
STEP 4 Click Apply. The settings are defined, and the device is updated.

DHCP Server

The DHCPv4 Server feature enables you to configure the device as a DHCPv4 server. A DHCPv4 server is used to assign IPv4 addresses and other information to another device (DHCP client).

The DHCPv4 server allocates IPv4 addresses from a user-defined pool of IPv4 addresses. These can be in the following modes:
• Static Allocation—The hardware address or client identifier of a host is manually mapped to an IP address. This is done in the Static Hosts page.
• Dynamic Allocation—A client obtains a leased IP address for a specified period of time (that can be infinite). If the DHCP client does not renew the allocated IP address, the IP address is revoked at the end of this period, and the client must request another IP address. This is done in the Network Pools page.
Dependencies Between Features

• It is impossible to configure DHCP server and DHCP client on the system at the same time, meaning: if one interface is DHCP client enabled, it is impossible to enable DHCP server globally.
• If DHCPv4 Relay is enabled, the device cannot be configured as a DHCP server.

Default Settings and Configurations

• The device is not configured as a DHCPv4 server by default.
• If the device is enabled to be a DHCPv4 server, there are no network pools of addresses defined by default.

Workflow for Enabling the DHCP Server Feature

To configure the device as a DHCPv4 server:

STEP 1 Enable the device as a DHCP server using the DHCP Server > Properties page.
STEP 2 If there are any IP addresses that you do not want to be assigned, configure them using the Excluded Addresses page.
STEP 3 Define up to 8 network pools of IP addresses using the Network Pools page.
STEP 4 Configure clients that will be assigned a permanent IP address, using the Static Hosts page.
STEP 5 Configure the required DHCP options in the DHCP Options page. This configures the values to be returned for every relevant DHCP option.
STEP 6 Add an IP interface in the range of one of the configured DHCP pools in the Network Pools page. The device answers DHCP queries from this IP interface. For example: if the pool's range is 1.1.1.1 - 1.1.1.254, add an IP address in this range if you want directly-connected clients to receive an IP address from the configured pool. Do this in the IP Configuration > IPv4 Interface page.
STEP 7 View the allocated IP addresses using the Address Binding page. IP addresses can be deleted in this page.
DHCPv4 Server

To configure the device as a DHCPv4 server:

STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > Properties to display the Properties page.
STEP 2 Select Enable to configure the device as a DHCP server.
STEP 3 Click Apply. The device immediately begins functioning as a DHCP server. However, it does not assign IP addresses to clients until a pool is created.

Network Pool

When the device is serving as a DHCP server, one or more pools of IP addresses must be defined, from which the device will allocate IP addresses to clients. Each network pool contains a range of addresses that belong to a specific subnetwork. These addresses are allocated to various clients within that subnet.

When a client requests an IP address, the device as DHCP server allocates an IP address according to the following:
• Directly-attached Client—The device allocates an address from the network pool whose subnet matches the subnet configured on the device’s IP interface from which the DHCP request was received.
• Remote Client—The device takes an IP address from the network pool whose first relay subnet, which is connected directly to the client, matches the subnet configured on one of the switch's IP interfaces.

Up to eight network pools can be defined.

To create a pool of IP addresses, and define their lease durations:

STEP 1 Click IP Configuration > IPv4 Management and Interfaces > DHCP Server > Network Pool to display the Network Pool page. The previously-defined network pools are displayed.
STEP 2 Click Add to define a new network pool. Note that you either enter the Subnet IP Address and the Mask, or enter the Mask, the Address Pool Start and Address Pool End.
STEP 3 Enter the fields:
• Pool Name—Enter the pool name.
• Subnet IP Address—Enter the subnet in which the network pool resides.