dhcp snooping

《dhcp snooping》由会员分享，可在线阅读，更多相关《dhcp snooping（5页珍藏版）》请在金锄头文库上搜索。

1、DHCP Snooping实验拓扑需求：1， client 获取 192.168.20.0/24 网段前面地址。2， 为了防止 DHCP 欺骗攻击，在交换机开启 DHCP snooping。初始化配置：SW1 配置：sw1(config)#vlan 2 sw1(config-vlan)#namesw1(config-vlan)#name SNOOPINGsw1(config-vlan)#exitsw1(config)#int rang fa0/1-3sw1(config-if-range)#switchport host switchport mode will be set to acces

2、sspanning-tree portfast will be enabledchannel group will be disabledsw1(config-if-range)#switchport access vlan 2sw1(config-if-range)#endsw1#DHCP_SER 配置：DHCP_SER(config)#interface fa0/0DHCP_SER(config-if)#ip add 192.168.20.254 255.255.255.0DHCP_SER(config-if)#no shuDHCP_SER(config-if)#exitDHCP_SER(

3、config)#ip dhcp pool CCIEDHCP_SER(dhcp-config)#network 192.168.20.0 /24DHCP_SER(dhcp-config)#default-router 192.168.20.254DHCP_SER(dhcp-config)#exitDHCP_SER(config)#ip dhcp excluded-address 192.168.20.200 192.168.20.254DHCP_SER(config)#DHCP snooping 配置：SW1 配置：sw1(config)#ip dhcp snooping sw1(config)

4、#ip dhcp snooping vlan 2 /还须在 vlan 开启sw1(config)#interface fa0/3sw1(config-if)#ip dhcp snooping trust /定义 dhcp 服务器位置测试：Client1(config)#interface fa0/0Client1(config-if)#no shutClient1(config-if)#ip address dhcp *Jan 31 03:08:13.451: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up*Jan

5、31 03:08:14.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upClient1(config-if)#可知 Client 没有拿到地址，在服务器上开启 debug 查看原因。DHCP_SER#debug ip dhcp server events DHCP server event debugging is on.DHCP_SER#debug ip dhcp server packet DHCP server packet debugging is on.D

6、HCP_SER#*Jan 31 03:03:09.659: DHCPD: inconsistent relay information.*Jan 31 03:03:09.659: DHCPD: relay information option exists, but giaddr is zero.根据如上所示为 relay information 存在，但是自己却不 trust。在三层交换机开启 DHCP snooping 后，默认会插入 82 option，但是思科路由器却不 trust，有两个解决办法，在 SW1 关闭 option 或者 DHCP server 接口下 trust。DHC

7、P_SER(config)#int fa0/0DHCP_SER(config-if)#ip dhcp relay information trustedDHCP_SER(config-if)#endDHCP_SER#Client1#*Jan 31 03:20:16.843: %SYS-5-CONFIG_I: Configured from console by console*Jan 31 03:20:20.939: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.20.1, mas

8、k 255.255.255.0, hostname Client1Client1#Client2 通过关掉 SW1 option 后拿地址：sw1(config)#no ip dhcp snooping information optionDHCP_SER(config)#interface fa0/0DHCP_SER(config-if)#no ip dhcp relay information trustedClient2(config)#interface fa0/0Client2(config-if)#no shutdown Client2(config-if)#ip address

9、dhcp *Jan 31 03:21:54.103: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.20.2, mask 255.255.255.0, hostname Client2Client2(config-if)#DHCP snooping 扩展实验拓扑在原来基础上添加 SW2、client3，client3 同样属于 vlan 2；交换机间起 trunk。需求：1， client3 通过 DHCP_SER 拿地址。2， 在 SW1、 SW2 启用 DHCP snoopin

10、g。初始化配置：SW1 配置：sw1(config)#interface rang fa0/23-24sw1(config-if-range)#switchport trunk encapsulation dot1q sw1(config-if-range)#switchport mode trunk sw1(config-if-range)#endsw1#SW2 配置：SW2(config)#interface rang fa0/23-24SW2(config-if-range)#switchport trunk encapsulation dot1q SW2(config-if-range

11、)#switchport mode trunk SW2(config-if-range)#exitSW2(config)#vlan 2SW2(config-vlan)#name SNOOPINGSW2(config-vlan)#exitSW2(config)#int fa0/4SW2(config-if)#switchport host switchport mode will be set to accessspanning-tree portfast will be enabledchannel group will be disabledSW2(config-if)#switchport

12、 access vlan 2SW2(config-if)#exitSW2(config)#DHCP snooping 配置：DHCP_SER 配置：DHCP_SER(config)#int fa0/0DHCP_SER(config-if)#ip dhcp relay information trustedDHCP_SER(config-if)#endDHCP_SER#SW1 配置：sw1(config)#ip dhcp snooping sw1(config)#ip dhcp snooping vlan 2 sw1(config)#interface fa0/3sw1(config-if)#i

13、p dhcp snooping trust sw1(config)#ip dhcp snooping information option allow-untrusted /启用 snooping后，默认在 untrusted 接口上不允许收到 82 option。SW2 配置：Sw2(config)#ip dhcp snooping Sw2(config)#ip dhcp snooping vlan 2 SW2(config)#int rang fa0/23-24SW2(config-if-range)#ip dhcp snooping trust测试：Client3(config)#int

14、erface fa0/1Client3(config-if)#no shutdown Client3(config-if)#ip address dhcp *Jan 31 03:25:54.103: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/1 assigned DHCP address 192.168.20.3, mask 255.255.255.0, hostname Client3Client2(config-if)#sw1#show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface- - - - - -58:35:D9:B1:36:69 192.168.20.3 85861 dhcp-snooping 2 FastEthernet0/24Total number of bindings: 1sw1#Note:当连接服务器的交换机不插入 82 option，另一台插入 option 后，不能拿地址；所以比较好的办法为在服务器上定义 relay trust option，交换机全部插入option。