Wired Intelligent Edge (Campus Switching and Routing)

Requirement:

Methods of learning the IP address of clients connected to switch varies in old and new models.

New Models - 2540, 2920, 2930, 3810, 5400R

 IP Client Tracker

Old Models - 2530,3500,3800,4500 and 5400zl

DHCP Snooping

By default, the switch does not learn the IP address of the clients. DHCP-snooping and IP client-tracker are the two methods by which switch can learn the IP address of the connected clients. DHCP-snooping option should be enabled globally and cannot be enabled on specific ports, this is applicable for both old and new model switches. 

Old Model:

DHCP-snooping should be enabled for switch to learn the IP address of the clients. These switches do not support IP client-tracker option. DHCP-snooping should be on the Client’s VLAN. DHCP-snooping trust configuration must be done on the uplink port of the switch. If the uplink port of the switch has dhcp-snooping untrusted then the DHCP packets would be dropped by the switch.

New Model:

New model switches support both DHCP-snooping as well as IP client-tracker option. In order for switch to learn the client's IP any one method can be used. While using the option “ip client-tracker <trusted/untrusted>” should be specified where trusted represents the IP address of authenticated clients and untrusted represents the IP address of Unauthenticated clients.

Trusted ---> IP address of Authenticated clients

Untrusted ---> IP address of Unauthenticated clients

IP client-tracker configuration:

(Switch)<config># ip client-tracker trusted

(Switch)<config># ip client-tracker untrusted

DHCP-Snooping Configuration:

(Switch)<config># dhcp-snooping enable

(Switch)<config># dhcp-snooping vlan 104

(Switch)<config># show dhcp-snooping

DHCP Snooping Information

DHCP Snooping : Yes

Enabled Vlans : 104

Verify MAC : Yes

Option 82 untrusted policy : drop

Option 82 Insertion : Yes

Option 82 remote-id : mac

(Switch)<config># interface 7 

(Switch)<config># dhcp-snooping trust

In case of LACP, following commands should be used:

Interface trk1

     dhcp-snooping trust

     exit

New Model:

Clients connected on interface 6.

(Switch)<config># show port-access clients 

Port Access Client Status

  Port      Client Name       MAC Address            IP Address      User Role         Type     VLAN

 --------    --------------------    ----------------------         ------------------   ----------------      ----------   --------

   6        34e6d7149deb    34e6d7-149deb       10.27.131.176                             MAC      104   

Old Model:

Connected Clients on Interface 6 and 8, was able to see that the switch learns the IP of the client.

(Switch)<config># show port-access clients 

Port Access Client Status

  Port      Client Name       MAC Address        IP Address      User Role         Type    VLAN

 --------     ------------------      ---------------------      ---------------      -----------------      -------    --------

   6        34e6d7149deb   34e6d7-149deb    10.27.131.176                              MAC   104  

   8        34e6d7210eb6   34e6d7-210eb6    10.27.131.177                              MAC   104

(Switch)<config># show dhcp-snooping binding 

  MacAddress                         IP                        VLAN       Interface         Time Left

  -------------------                    ---------                  -----------   ---------------       --------------

  34e6d7-149deb          10.27.131.176             104                6                 86259

  34e6d7-210eb6          10.27.131.177             104                8                 86254    

DHCP bindings on switch would get listed only when dhcp-snooping is enabled.