Requirement:
The method by which a switch learns the IP addresses of its connected clients differs between old and new models.
New Models - 2540, 2920, 2930, 3810, 5400R
IP Client Tracker
Old Models - 2530, 3500, 3800, 4500 and 5400zl
DHCP Snooping
Solution:
By default, the switch does not learn the IP addresses of its clients. DHCP-snooping and IP client-tracker are the two methods by which the switch can learn the IP addresses of the connected clients. The DHCP-snooping option must be enabled globally and cannot be enabled on specific ports; this applies to both old and new model switches.
Old Model:
DHCP-snooping must be enabled for the switch to learn the IP addresses of the clients. These switches do not support the IP client-tracker option. DHCP-snooping should be enabled on the client's VLAN. The DHCP-snooping trust configuration must be applied on the uplink port of the switch. If the uplink port is left untrusted for DHCP-snooping, the switch drops the DHCP packets.
New Model:
New model switches support both DHCP-snooping and the IP client-tracker option. Either method can be used for the switch to learn the client's IP address. When using the option “ip client-tracker <trusted/untrusted>”, trusted or untrusted should be specified, where trusted represents the IP addresses of authenticated clients and untrusted represents the IP addresses of unauthenticated clients.
Trusted ---> IP address of Authenticated clients
Untrusted ---> IP address of Unauthenticated clients
Configuration:
IP client-tracker configuration:
(Switch)<config># ip client-tracker trusted
(Switch)<config># ip client-tracker untrusted
DHCP-Snooping Configuration:
(Switch)<config># dhcp-snooping enable
(Switch)<config># dhcp-snooping vlan 104
(Switch)<config># show dhcp-snooping
DHCP Snooping Information
DHCP Snooping : Yes
Enabled Vlans : 104
Verify MAC : Yes
Option 82 untrusted policy : drop
Option 82 Insertion : Yes
Option 82 remote-id : mac
(Switch)<config># interface 7
(Switch)<config># dhcp-snooping trust
In case of LACP, the following commands should be used:
Interface trk1
dhcp-snooping trust
exit
Verification:
New Model:
Clients connected on interface 6.
(Switch)<config># show port-access clients
Port Access Client Status
Port     Client Name          MAC Address            IP Address         User Role        Type       VLAN
-------- -------------------- ---------------------- ------------------ ---------------- ---------- --------
6        34e6d7149deb         34e6d7-149deb          10.27.131.176                       MAC        104
Old Model:
With clients connected on interfaces 6 and 8, the output shows that the switch learns the IP addresses of the clients.
(Switch)<config># show port-access clients
Port Access Client Status
Port     Client Name        MAC Address           IP Address      User Role         Type    VLAN
-------- ------------------ --------------------- --------------- ----------------- ------- --------
6        34e6d7149deb       34e6d7-149deb         10.27.131.176                     MAC     104
8        34e6d7210eb6       34e6d7-210eb6         10.27.131.177                     MAC     104
(Switch)<config># show dhcp-snooping binding
MacAddress IP VLAN Interface Time Left
------------------- --------- ----------- --------------- --------------
34e6d7-149deb 10.27.131.176 104 6 86259
34e6d7-210eb6 10.27.131.177 104 8 86254
DHCP bindings are listed on the switch only when dhcp-snooping is enabled.
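
Added example (not part of the original article or vendor tooling): a Python cross-check of the two verification outputs above. It flags any port-access client whose IP, port or VLAN does not agree with its DHCP-snooping binding, or that has no binding at all. The sample text is constructed in the layout shown above, and the function names and finding labels are assumptions made for this example.

```python
import re
MAC = re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}", re.I)
IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample output (not captured from a real switch).
PORT_ACCESS = """\
Port Client Name MAC Address IP Address User Role Type VLAN
6 34e6d7149deb 34e6d7-149deb 10.27.131.176 MAC 104
8 34e6d7210eb6 34e6d7-210eb6 10.27.131.199 MAC 104
9 34e6d7aaaaaa 34e6d7-aaaaaa 10.27.131.50 MAC 104
"""
BINDINGS = """\
MacAddress IP VLAN Interface Time Left
34e6d7-149deb 10.27.131.176 104 6 86259
34e6d7-210eb6 10.27.131.177 104 8 86254
"""

def parse_clients(text):
    """'show port-access clients' rows -> {mac: (port, ip or None, vlan)}."""
    clients = {}
    for tok in map(str.split, text.splitlines()):
        idx = next((i for i, t in enumerate(tok) if MAC.fullmatch(t)), None)
        if idx is None:
            continue  # header, separator or blank line
        ip = next((t for t in tok[idx + 1:idx + 2] if IP.fullmatch(t)), None)
        clients[tok[idx].lower()] = (tok[0], ip, tok[-1])
    return clients

def parse_bindings(text):
    """'show dhcp-snooping binding' rows -> {mac: (port, ip, vlan)}."""
    rows = {}
    for tok in map(str.split, text.splitlines()):
        if len(tok) >= 5 and MAC.fullmatch(tok[0]) and IP.fullmatch(tok[1]):
            rows[tok[0].lower()] = (tok[3], tok[1], tok[2])
    return rows

def audit(clients, bindings):
    """Return (mac, finding) for every client that disagrees with its lease."""
    findings = []
    for mac, (port, ip, vlan) in sorted(clients.items()):
        lease = bindings.get(mac)
        if lease is None:
            findings.append((mac, "no-binding"))  # IP not learned via DHCP
        elif ip != lease[1]:
            findings.append((mac, "ip-mismatch"))
        elif (port, vlan) != (lease[0], lease[2]):
            findings.append((mac, "port-or-vlan-mismatch"))
    return findings

print(audit(parse_clients(PORT_ACCESS), parse_bindings(BINDINGS)))
```

Run against the two rows shown in the article's own output, audit() returns an empty list because both clients match their bindings.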