DHCP-Secured IP Address Assignment
Problem
You wish to synchronize the ARP entries to the DHCP bindings to prevent IP address spoofing.
Solution
To enable secured IP address assignment, use the update arp command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#update arp
Router1(dhcp-config)#end
Router1#
Discussion
Beginning with IOS Version 12.2(15)T, Cisco introduced the concept of DHCP secured IP address assignment. This feature synchronizes the ARP entry to the DHCP binding to ensure that IP addresses assigned via DHCP can’t be spoofed. By default, ARP tables dynamically map MAC addresses to IP addresses to facilitate communication. Unfortunately, it’s rather easy for someone to spoof a DHCP-assigned IP address and overwrite the router’s ARP cache with his own MAC address.
Once the DHCP-secured IP address assignment is enabled, the router adds a secured ARP entry for each DHCP binding. This ensures that the ARP entry cannot be dynamically, or even manually, erased or overwritten. In fact, the only way to clear a secured ARP entry is by releasing the DHCP lease.
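The consistency that update arp enforces can also be checked by hand on a router where the feature is not yet enabled. The following Python script is an added example, not part of the original recipe: it compares text in the layout of show ip dhcp binding and show ip arp and lists leased addresses whose ARP entry carries a different MAC address. The sample output and all function names are constructed for illustration.

```python
import re

# Constructed sample output (not from the original page), in the layout of
# "show ip dhcp binding" and "show ip arp" on IOS.
DHCP_BINDINGS = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
172.25.1.51      0100.0103.85e9.87       Apr 10 2006 08:55 PM    Automatic
172.25.1.52      0100.50da.2a5e.a2       Apr 10 2006 09:00 PM    Automatic
172.25.1.53      0100.0103.ea1b.ed       Apr 10 2006 08:58 PM    Automatic
"""
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.1.1              -   0010.4b09.5700  ARPA   FastEthernet0/0
Internet  172.25.1.51             0   0001.0385.e987  ARPA   FastEthernet0/0
Internet  172.25.1.52             3   0011.2233.4455  ARPA   FastEthernet0/0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def norm_mac(text):
    """Return 12 lowercase hex digits, dropping the 01 (Ethernet) client-ID prefix."""
    digits = text.replace(".", "").lower()
    if len(digits) == 14 and digits.startswith("01"):
        digits = digits[2:]
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def parse_bindings(text):
    """Map leased IP -> MAC taken from the binding's client ID."""
    rows = re.findall(rf"^{IP}\s+([0-9a-fA-F.]+)\s", text, re.M)
    return {ip: norm_mac(cid) for ip, cid in rows if norm_mac(cid)}

def parse_arp(text):
    """Map IP -> MAC for every ARPA entry in the ARP table."""
    rows = re.findall(rf"^Internet\s+{IP}\s+\S+\s+([0-9a-fA-F.]+)\s+ARPA", text, re.M)
    return {ip: norm_mac(mac) for ip, mac in rows}

def arp_mismatches(bindings_text, arp_text):
    """List (ip, leased_mac, arp_mac) where ARP disagrees with the DHCP binding."""
    leases, arp = parse_bindings(bindings_text), parse_arp(arp_text)
    return [(ip, mac, arp[ip]) for ip, mac in sorted(leases.items())
            if ip in arp and arp[ip] != mac]

if __name__ == "__main__":
    for ip, leased, seen in arp_mismatches(DHCP_BINDINGS, ARP_TABLE):
        print(f"{ip}: leased to {leased}, ARP cache has {seen}")
```

With update arp configured on the pool, the router itself keeps these two tables in agreement, so a mismatch like the one reported for 172.25.1.52 in the constructed data cannot arise for a leased address.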
The following is an example configuration of DHCP-secured IP address assignment:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip dhcp pool OREILLY
Router1(dhcp-config)#network 172.25.1.0 255.255.255.0
Router1(dhcp-config)#default-router 172.25.1.1