Working with a Cisco router

Maurice Massar massar at unix-ag.uni-kl.de
Fri Feb 5 19:02:59 UTC 2010


hi,

On Fri, Feb 05, 2010 at 10:33:13AM -0800, Tim Gavin wrote:
> I have just identified a problem where a small group of people are
> 'stealing' their IPs.  It appears that they're grabbing their DHCP
> assigned address and setting it in their router as a static.  This has
> the obvious consequences.
> 
> What I'm wondering is if anyone knows of a script or app that will
> work with ISC DHCP that can set a static ARP in my Cisco router based
> on the DHCP lease.  Maybe using SNMP or something. . . I know it's a
> strange request, but am hoping someone has dealt with this before.

Not strange at all, some Ciscos have built-in support for that.
It is called "DHCP Authorized ARP" on routers (IOS 12.3(4)T and up),
and "DHCP Snooping" + "Dynamic ARP Inspection" on recent Catalysts
(i.e. 2960, 3550, 3560, 3750, 4500, 6500; snooping but no DAI on 2940/2950).

But note that there was recently a thread about arp authorized and
Vista being incompatible:
https://lists.isc.org/pipermail/dhcp-hackers/2010-January/001812.html
(We only use snooping/DAI at our site. Only issue: a few clients put
a MAC from a different interface inside the DHCP packet...)

OTOH, you could do some hackery with "on commit { execute( ...) }", but
I think that would be hard to get reliable...

Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdynarp.html
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtautarp.html

cu
Maurice Massar
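
The DHCP Snooping + Dynamic ARP Inspection setup named in the reply above, sketched as a Catalyst configuration. This is an added example, not part of the original message or of Cisco's guides; VLAN 10, the interface names, the rate limit and the ARP ACL entry (name, IP, MAC) are constructed assumptions.

```cisco
! Constructed example: VLAN 10, port names and addresses are assumptions.
!
! DHCP snooping: the switch records IP/MAC/port/lease-time bindings from
! the DHCP exchanges it sees on the client VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
! Source-MAC vs. chaddr check on untrusted ports (on by default; shown
! explicitly because it is the check tripped by clients that put another
! interface's MAC inside the DHCP packet).
ip dhcp snooping verify mac-address
!
! Dynamic ARP Inspection: ARP packets on untrusted ports are dropped
! unless their sender IP/MAC matches a snooping binding, so an address
! set statically without a current lease stops resolving.
ip arp inspection vlan 10
ip arp inspection validate src-mac ip
!
! Hosts that legitimately use a static address have no binding and need
! an ARP ACL entry (or a trusted port) or DAI will drop their ARP too.
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink toward the ISC DHCP server and the router: trusted for both
! features, so server replies and the gateway's ARP are accepted.
interface GigabitEthernet0/1
 description uplink to DHCP server / router (assumed port)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client-facing ports stay untrusted (the default); rate-limit DHCP.
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 15
!
! Verification (exec mode):
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
```

Bindings are learned only from DHCP exchanges seen after snooping is enabled, so clients holding older leases have no entry until they renew; turning on snooping first and DAI after the binding table has filled avoids dropping their ARP in the meantime.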



More information about the dhcp-users mailing list