DHCP-Secured IP Address Assignment
Problem
You wish to synchronize the ARP entries to the DHCP bindings to prevent IP address spoofing.
Solution
To enable secured IP address assignment, use the update arp command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#update arp
Router1(dhcp-config)#end
Router1#
Discussion
Beginning with IOS Version 12.2(15)T, Cisco introduced the concept of DHCP-secured IP address assignment. This feature synchronizes the ARP entry to the DHCP binding to ensure that IP addresses assigned via DHCP can’t be spoofed. By default, ARP tables dynamically map MAC addresses to IP addresses to facilitate communication. Unfortunately, it’s rather easy for someone to spoof a DHCP-assigned IP address and overwrite the router’s ARP cache with his own MAC address.
Once the DHCP-secured IP address assignment is enabled, the router adds a secured ARP entry for each DHCP binding. This ensures that the ARP entry cannot be dynamically, or even manually, erased or overwritten. In fact, the only way to clear a secured ARP entry is by releasing the DHCP lease.
The following is an example configuration of DHCP-secured IP address assignment:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#network 172.25.1.0 255.255.255.0
Router1(dhcp-config)#default-router 172.25.1.1
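To check that the setting is actually present, the following added example (not from the book) scans a saved running-config and lists the DHCP pools that lack update arp. The sample config, the GUEST pool, the function names, and the choice to check only pools that have a network statement are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not from the book): one pool with
# "update arp" and one without it.
SAMPLE_CONFIG = """\
ip dhcp pool OREILLY
   network 172.25.1.0 255.255.255.0
   default-router 172.25.1.1
   update arp
!
ip dhcp pool GUEST
   network 172.25.2.0 255.255.255.0
   default-router 172.25.2.1
!
interface FastEthernet0/0
 ip address 172.25.1.1 255.255.255.0
!
"""

POOL_RE = re.compile(r"^ip dhcp pool (\S+)\s*$")

def parse_dhcp_pools(config_text):
    """Return {pool_name: [sub-commands]} for every 'ip dhcp pool' block."""
    pools, current = {}, None
    for line in config_text.splitlines():
        match = POOL_RE.match(line)
        if match:
            current = match.group(1)
            pools[current] = []
        elif current is not None and line[:1].isspace() and line.strip():
            # Indented lines belong to the pool being parsed.
            pools[current].append(line.strip())
        else:
            # "!" or any unindented line ends the pool block.
            current = None
    return pools

def pools_missing_update_arp(config_text):
    """Names of pools with a 'network' line (assumed scope) lacking 'update arp'."""
    missing = []
    for name, commands in parse_dhcp_pools(config_text).items():
        is_dynamic = any(c.startswith("network ") for c in commands)
        if is_dynamic and "update arp" not in commands:
            missing.append(name)
    return missing

if __name__ == "__main__":
    for pool in pools_missing_update_arp(SAMPLE_CONFIG):
        print(f"pool {pool}: 'update arp' not configured")
```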