Step 1: Configure the DHCP servers on R1 and R2
R1(config)#int e1/0
R1(config-if)#ip add 12.0.0.1 255.255.255.0
R1(config)#ip dhcp pool R1
R1(dhcp-config)#network 12.0.0.0 /24
R1(config)#ip dhcp excluded-address 12.0.0.1
R2(config)#int e1/0
R2(config-if)#ip add 22.0.0.1 255.255.255.0
R2(config)#ip dhcp pool R2
R2(dhcp-config)#network 22.0.0.0 /24
R2(config)#ip dhcp excluded-address 22.0.0.1
Step 2: Configure R3's interface to obtain its address via DHCP
R3(config)#int e1/0
R3(config-if)#ip add dhcp
Test
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 22.0.0.2, mask 255.255.255.0
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.2, mask 255.255.255.0
// By shutting down (sh) and re-enabling (no sh) the interface we obtained the results above:
the interface received addresses from two different subnets, which shows that both DHCP servers are working normally
Step 3: Enable DHCP snooping on SW2 and SW3 and apply the related configuration
SW2(config)#ip dhcp snooping
// Enable DHCP snooping globally
SW2(config)#ip dhcp snooping vlan 1
// All interfaces in VLAN 1 become untrusted interfaces, so no DHCP server attached to VLAN 1 can answer through them
SW2(config-if)#int f0/1
SW2(config-if)#ip dhcp snooping trust
// Configure this interface as a trusted interface
SW2(config-if)#int f0/2
SW2(config-if)#ip dhcp snooping limit rate 20
// Limit the number of DHCP packets per second on this interface
SW2(config)#errdisable recovery cause ?
  all                  Enable timer to recover from all causes
  arp-inspection       Enable timer to recover from arp inspection error disable state
  bpduguard            Enable timer to recover from BPDU Guard error disable state
  channel-misconfig    Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit      Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap             Enable timer to recover from dtp-flap error disable state
  gbic-invalid         Enable timer to recover from invalid GBIC error disable state
  l2ptguard            Enable timer to recover from l2protocol-tunnel error disable state
  link-flap            Enable timer to recover from link-flap error disable state
  loopback             Enable timer to recover from loopback disable state
  pagp-flap            Enable timer to recover from pagp-flap error disable state
  psecure-violation    Enable timer to recover from psecure violation disable state
  security-violation   Enable timer to recover from 802.1x violation disable state
  sfp-config-mismatch  Enable timer to recover from SFP config mismatch error disable state
  storm-control        Enable timer to recover from storm-control error disable state
  udld                 Enable timer to recover from udld error disable state
  unicast-flood        Enable timer to recover from unicast flood disable state
  vmps                 Enable timer to recover from vmps shutdown error disable state
SW2(config)#errdisable recovery cause all
// If a port violates one of the rules above it is shut down (err-disabled); this is the default behaviour.
This command selects the causes from which a port recovers automatically; of the 17 causes listed above we configure all of them.
SW2(config)#errdisable recovery interval 30
// The time after which an err-disabled port is restored is 30 s (the minimum is 30 s)
SW2(config)#ip dhcp snooping database flash:dhcp-snooping.text
// The switch keeps a DHCP snooping binding table; each entry holds a client's MAC address and IP address
SW2#show flash:
Directory of flash:/
    2  -rwx     7134080   Jan 1 1970 03:36:03 +00:00  3550.bin
    3  -rwx        1224   Mar 1 1993 03:15:45 +00:00  vlan.dat
    4  -rwx        3244   Mar 1 1993 00:48:21 +00:00  n
    5  -rwx        2209   Mar 1 1993 00:02:52 +00:00  statr
    6  -rwx           0   Mar 1 1993 05:28:29 +00:00  system_env_vars
    7  -rwx           0   Mar 1 1993 05:28:29 +00:00  env_vars
    8  -rwx          47   Mar 1 1993 00:43:31 +00:00  dhcp-snooping.text
SW2#more flash:dhcp-snooping.text
// The file contains the clients' MAC addresses and IP addresses
SW2(config)#ip source binding 0004.2704.17b1 vlan 1 12.0.0.1 interface f0/1
// Manually add a static MAC-to-IP binding
SW3(config)#ip dhcp snooping
SW3(config)#ip dhcp snooping vlan 1
SW3(config)#int f0/23
SW3(config-if)# ip dhcp snooping trust
SW3(config)#int f0/3
SW3(config-if)#no ip dhcp snooping trust
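To make the effect of the Step 3 commands concrete, here is an added Python model (not part of the original lab, and not how IOS implements the feature) of what a DHCP snooping switch does with each packet: a server message (OFFER/ACK/NAK) arriving on an untrusted port is dropped, the chaddr in the DHCP payload must match the frame's source MAC, an untrusted port that exceeds its limit rate is err-disabled, and an ACK arriving on the trusted port for a client first seen on an untrusted port creates a dhcp-snooping binding on that client's port. The class and function names, the port f0/19 and the traffic are assumptions constructed for the example; the MAC and IP values are the ones the lab's binding table shows.

```python
"""Toy model of a DHCP snooping switch: trusted vs untrusted ports, server-message
filtering, chaddr verification, per-port rate limiting with err-disable, and the
binding table that IP Source Guard and DAI consult later. Added example for this
write-up, not the lab's code; names are invented and the behaviour is simplified."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

@dataclass
class DhcpMessage:
    msg_type: str                 # DISCOVER / OFFER / REQUEST / ACK / NAK
    src_mac: str                  # Ethernet source address of the frame
    chaddr: str                   # client hardware address inside the DHCP payload
    yiaddr: Optional[str] = None  # address offered/assigned (server messages only)
    lease: int = 0                # lease time in seconds (ACK only)

@dataclass
class Port:
    trusted: bool = False
    rate_limit: Optional[int] = None  # "ip dhcp snooping limit rate N"; None = unlimited
    err_disabled: bool = False
    packets_this_second: int = 0      # a real switch resets this counter every second

@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: Optional[int]  # None = infinite (static entry)
    kind: str             # "dhcp-snooping" or "static"

class SnoopingSwitch:
    def __init__(self, vlan: int) -> None:
        self.vlan = vlan
        self.ports: Dict[str, Port] = {}
        self.bindings: List[Binding] = []
        self.pending: Dict[str, str] = {}  # chaddr -> untrusted port that sent the REQUEST

    def add_port(self, name: str, trusted: bool = False, rate_limit: Optional[int] = None) -> None:
        self.ports[name] = Port(trusted, rate_limit)

    def add_static_binding(self, mac: str, ip: str, interface: str) -> None:
        """Equivalent of: ip source binding <mac> vlan <vlan> <ip> interface <if>."""
        self.bindings.append(Binding(mac, ip, self.vlan, interface, None, "static"))

    def process(self, port_name: str, msg: DhcpMessage) -> Tuple[str, str]:
        """Apply the snooping rules to one DHCP packet; returns (verdict, reason)."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop", "port is err-disabled"
        if port.trusted:
            # Trusted port: forward everything; an ACK for a client seen on an untrusted port creates a binding there.
            if msg.msg_type == "ACK" and msg.chaddr in self.pending:
                client_port = self.pending.pop(msg.chaddr)
                self.bindings.append(Binding(msg.chaddr, msg.yiaddr, self.vlan,
                                             client_port, msg.lease, "dhcp-snooping"))
                return "forward", f"binding {msg.chaddr} -> {msg.yiaddr} learned on {client_port}"
            return "forward", "trusted port"
        # Untrusted port: count against the rate limit first; exceeding it err-disables the port.
        if port.rate_limit is not None:
            port.packets_this_second += 1
            if port.packets_this_second > port.rate_limit:
                port.err_disabled = True
                return "drop", f"rate limit {port.rate_limit} pps exceeded, port err-disabled"
        if msg.msg_type in SERVER_MESSAGES:
            return "drop", "server message on untrusted port (rogue DHCP server)"
        if msg.chaddr != msg.src_mac:
            return "drop", "chaddr does not match source MAC (hwaddr verification)"
        if msg.msg_type == "REQUEST":
            self.pending[msg.chaddr] = port_name
        return "forward", "client message on untrusted port"

def run_lab_scenario() -> Tuple[SnoopingSwitch, List[Tuple[str, str]]]:
    """Constructed traffic on a switch set up like SW2 in Step 3: f0/1 trusted,
    f0/2 untrusted with limit rate 20, f0/19 untrusted (R3's port in the lab output)."""
    sw = SnoopingSwitch(vlan=1)
    sw.add_port("f0/1", trusted=True)
    sw.add_port("f0/2", rate_limit=20)
    sw.add_port("f0/19")
    sw.add_static_binding("0004.2704.17b1", "12.0.0.1", "f0/1")  # the lab's static entry
    client = "0007.eb79.08d1"  # R3's MAC from the lab's binding table
    verdicts = [
        # a DHCP server answering from the PC port f0/2 is dropped
        sw.process("f0/2", DhcpMessage("OFFER", "cafe.0000.0001", client, "22.0.0.2")),
        # legitimate exchange: client on f0/19, server reply arrives via trusted f0/1
        sw.process("f0/19", DhcpMessage("DISCOVER", client, client)),
        sw.process("f0/19", DhcpMessage("REQUEST", client, client)),
        sw.process("f0/1", DhcpMessage("ACK", "0004.2704.17b1", client, "12.0.0.9", 86400)),
        # a chaddr that differs from the frame's source MAC fails hwaddr verification
        sw.process("f0/19", DhcpMessage("DISCOVER", "dead.beef.0001", "dead.beef.0002")),
    ]
    for _ in range(21):  # a burst on f0/2 pushes it past 20 packets in one second
        verdicts.append(sw.process("f0/2", DhcpMessage("DISCOVER", "cafe.0000.0002", "cafe.0000.0002")))
    return sw, verdicts
```

Running run_lab_scenario() shows the OFFER from f0/2 and the spoofed-chaddr DISCOVER dropped, the ACK through f0/1 producing the 0007.eb79.08d1 / 12.0.0.9 binding on f0/19, and f0/2 going err-disabled on the 21st packet of the burst, which is the state the errdisable recovery timer configured above would clear after 30 s.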
Step 4: Configure R2 to trust DHCP relay information (option 82) from all interfaces
R2(config)#ip dhcp relay information trust-all
Step 5: Test
01:22:41: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:22:43: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.5, mask 255.255.255.0
R3(config-if)#sh
01:23:58: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:24:07: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
01:24:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.6, mask 255.255.255.0
R3(config-if)#sh
01:24:21: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:24:23: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.7, mask 255.255.255.0
// From the above we can see that snooping took effect:
we shut down and re-enabled (sh / no sh) the interface three times, and each time received an address defined on the legitimate DHCP server.
The result is as expected.
Now let's look at IP Source Guard
SW2(config-if)#ip verify source port-security
// Configure IP Source Guard on the PC-facing interface
It can be configured on interfaces where a rogue DHCP server might be connected.
Dynamic ARP inspection
SW3(config)#ip arp inspection vlan 1
SW2(config)#ip arp inspection vlan 1
SW2(config-if)#int f0/23
SW2(config-if)#ip arp inspection trust
SW3(config-if)#int f0/23
SW3(config-if)#ip arp inspection trust
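IP Source Guard and DAI both decide by looking up the DHCP snooping binding table built in Step 3. The following added Python example (not from the lab) shows those lookups: ip verify source with and without the port-security keyword, and ip arp inspection on a trusted versus an untrusted port. The binding table is constructed from the values the lab's show ip source binding output lists for SW2; the function names and the test frames are invented for the example.

```python
"""How IP Source Guard ('ip verify source [port-security]') and Dynamic ARP Inspection
consult the DHCP snooping binding table. Added example for this write-up, not from the
lab; function names are invented and the binding table is constructed from the values
the lab's SW2 'show ip source binding' output shows."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Frame:
    interface: str
    vlan: int
    src_mac: str                          # Ethernet source address
    src_ip: str                           # IP source (IPSG) or ARP sender IP (DAI)
    arp_sender_mac: Optional[str] = None  # sender MAC inside the ARP payload (DAI only)

# Constructed from the lab's SW2 table, MACs written in IOS dotted notation.
BINDINGS: List[Binding] = [
    Binding("0007.eb79.08d1", "12.0.0.9", 1, "FastEthernet0/19"),  # learned by snooping
    Binding("0004.2704.17b1", "12.0.0.1", 1, "FastEthernet0/1"),   # the lab's static entry
]

def ipsg_permits(frame: Frame, bindings: List[Binding], check_mac: bool) -> bool:
    """'ip verify source' (check_mac=False) filters on interface, VLAN and source IP;
    'ip verify source port-security' (check_mac=True) also requires the source MAC to match."""
    return any(b.interface == frame.interface and b.vlan == frame.vlan and b.ip == frame.src_ip
               and (not check_mac or b.mac == frame.src_mac)
               for b in bindings)

def dai_permits(frame: Frame, port_trusted: bool, bindings: List[Binding]) -> bool:
    """DAI forwards ARP from a trusted port unchecked ('ip arp inspection trust'); on an
    untrusted port the ARP sender IP/MAC pair must exist in the binding table for that VLAN."""
    if port_trusted:
        return True
    sender_mac = frame.arp_sender_mac or frame.src_mac
    return any(b.vlan == frame.vlan and b.ip == frame.src_ip and b.mac == sender_mac
               for b in bindings)

def evaluate() -> Dict[str, bool]:
    """Constructed frames arriving at SW2 after Step 3 and the DAI configuration."""
    r3 = Frame("FastEthernet0/19", 1, "0007.eb79.08d1", "12.0.0.9")
    claims_server_ip = Frame("FastEthernet0/19", 1, "0007.eb79.08d1", "12.0.0.1")
    wrong_mac = Frame("FastEthernet0/19", 1, "dead.beef.0001", "12.0.0.9")
    moved_port = Frame("FastEthernet0/2", 1, "0007.eb79.08d1", "12.0.0.9")
    arp_r3 = Frame("FastEthernet0/19", 1, "0007.eb79.08d1", "12.0.0.9", "0007.eb79.08d1")
    arp_claims_server = Frame("FastEthernet0/19", 1, "0007.eb79.08d1", "12.0.0.1", "0007.eb79.08d1")
    return {
        "ipsg_r3_own_address": ipsg_permits(r3, BINDINGS, True),                       # True
        "ipsg_claims_server_ip": ipsg_permits(claims_server_ip, BINDINGS, True),       # False
        "ipsg_wrong_mac_ip_only": ipsg_permits(wrong_mac, BINDINGS, False),            # True: IP-only mode is weaker
        "ipsg_wrong_mac_port_security": ipsg_permits(wrong_mac, BINDINGS, True),       # False
        "ipsg_moved_port": ipsg_permits(moved_port, BINDINGS, True),                   # False: binding is per port
        "dai_r3_untrusted": dai_permits(arp_r3, False, BINDINGS),                      # True
        "dai_claims_server_untrusted": dai_permits(arp_claims_server, False, BINDINGS), # False
        "dai_uplink_trusted": dai_permits(arp_claims_server, True, BINDINGS),          # True: trusted ports are not checked
    }
```

The ipsg_wrong_mac_ip_only case is why the lab uses the port-security keyword: without it a host that spoofs only the MAC still passes as long as the IP is bound to that port. The dai_uplink_trusted case shows the flip side of ip arp inspection trust on f0/23: ARP from a trusted port is never validated, so only inter-switch uplinks should be trusted.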
Step 7: Verification
SW2#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
FastEthernet0/1            yes        unlimited
FastEthernet0/2            no         2
FastEthernet0/23           yes        unlimited
SW2#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
00:07:EB:79:08:D1   12.0.0.9         84188       dhcp-snooping  1     FastEthernet0/19
00:04:27:04:17:B1   12.0.0.1         infinite    static         1     FastEthernet0/1
Total number of bindings: 2
SW3#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
00:07:EB:79:08:D1   12.0.0.9         85773       dhcp-snooping  1     FastEthernet0/3
Total number of bindings: 1
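In practice these two show commands are collected from every access switch and checked automatically rather than read by eye. The added Python example below (not the lab's own tooling) parses both outputs, normalises MAC addresses to the dotted form that ip source binding expects, copes with a footer glued onto the last row the way SW3's output above shows it, and reports untrusted ports that have no DHCP rate limit plus any mismatch between the rows parsed and the count the switch reports. The sample text is constructed in the shape of the lab's SW2/SW3 output; the FastEthernet0/19 row in the interface table is an assumption, since the lab's interface table does not list it.

```python
"""Parse 'show ip dhcp snooping' and 'show ip source binding' output and audit it.
Added example for this write-up, not the lab's own tooling. The sample text is
constructed in the shape of the lab's SW2/SW3 output: the FastEthernet0/19 row in the
interface table is assumed, and the footer glued onto the last binding row mirrors
what the lab's SW3 output shows."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SHOW_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
FastEthernet0/2              no          2
FastEthernet0/19             no          unlimited
FastEthernet0/23             yes         unlimited
"""

SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:07:EB:79:08:D1   12.0.0.9         84188       dhcp-snooping  1     FastEthernet0/19
00:04:27:04:17:B1   12.0.0.1         infinite    static         1     FastEthernet0/1Total number of bindings: 2
"""

@dataclass
class Binding:
    mac: str              # normalised to IOS dotted form, e.g. 0007.eb79.08d1
    ip: str
    lease: Optional[int]  # None = infinite (static entry)
    kind: str             # dhcp-snooping or static
    vlan: int
    interface: str

BINDING_RE = re.compile(r"^([0-9A-Fa-f:.]+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+|infinite)\s+(\S+)\s+(\d+)\s+(\S+)$")
PORT_RE = re.compile(r"^(\S*Ethernet\S+)\s+(yes|no)\s+(unlimited|\d+)$", re.IGNORECASE)
FOOTER_RE = re.compile(r"Total number of bindings:\s*(\d+)")

def to_dotted_mac(mac: str) -> str:
    """00:07:EB:79:08:D1 -> 0007.eb79.08d1, the form 'ip source binding' expects."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def parse_bindings(text: str) -> Tuple[List[Binding], Optional[int]]:
    """Returns the parsed rows and the count the switch itself reports in the footer."""
    # A footer pasted straight onto the last row would otherwise swallow that row.
    text = re.sub(r"(\S)(Total number of bindings:)", r"\1\n\2", text)
    rows: List[Binding] = []
    declared: Optional[int] = None
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, lease, kind, vlan, iface = m.groups()
            rows.append(Binding(to_dotted_mac(mac), ip, None if lease == "infinite" else int(lease),
                                kind, int(vlan), iface))
        else:
            f = FOOTER_RE.search(line)
            if f:
                declared = int(f.group(1))
    return rows, declared

def parse_ports(text: str) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Interface -> (trusted, rate limit in pps, or None for unlimited)."""
    ports: Dict[str, Tuple[bool, Optional[int]]] = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            name, trusted, rate = m.groups()
            ports[name] = (trusted.lower() == "yes", None if rate == "unlimited" else int(rate))
    return ports

def audit(snooping_text: str, binding_text: str) -> List[str]:
    """Findings a reviewer would raise from the two show commands."""
    findings: List[str] = []
    ports = parse_ports(snooping_text)
    rows, declared = parse_bindings(binding_text)
    if declared is not None and declared != len(rows):
        findings.append(f"binding count mismatch: parsed {len(rows)}, switch reports {declared}")
    for name, (trusted, rate) in sorted(ports.items()):
        if not trusted and rate is None:
            findings.append(f"{name}: untrusted port without a DHCP rate limit")
    for b in rows:
        if b.interface not in ports:
            findings.append(f"{b.interface}: binding on an interface absent from the snooping table")
    return findings
```

On the sample above audit() returns a single finding for FastEthernet0/19, the port R3's binding was learned on: it is untrusted but, unlike f0/2, has no ip dhcp snooping limit rate, so a DHCP flood there would not trip the dhcp-rate-limit err-disable that the lab configured recovery for.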