DHCP Snooping lab

Topology requirements:
1. The clients obtain addresses from the 192.168.20.0/24 subnet.
2. To prevent DHCP spoofing attacks, enable DHCP snooping on the switch.

Initial configuration

SW1 configuration:
sw1(config)#vlan 2
sw1(config-vlan)#name SNOOPING
sw1(config-vlan)#exit
sw1(config)#int rang fa0/1-3
sw1(config-if-range)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
sw1(config-if-range)#switchport access vlan 2
sw1(config-if-range)#end
sw1#

DHCP_SER configuration:
DHCP_SER(config)#interface fa0/0
DHCP_SER(config-if)#ip add 192.168.20.254 255.255.255.0
DHCP_SER(config-if)#no shu
DHCP_SER(config-if)#exit
DHCP_SER(config)#ip dhcp pool CCIE
DHCP_SER(dhcp-config)#network 192.168.20.0 /24
DHCP_SER(dhcp-config)#default-router 192.168.20.254
DHCP_SER(dhcp-config)#exit
DHCP_SER(config)#ip dhcp excluded-address 192.168.20.200 192.168.20.254
DHCP_SER(config)#

DHCP snooping configuration

SW1 configuration:
sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 2          / snooping must also be enabled per VLAN
sw1(config)#interface fa0/3
sw1(config-if)#ip dhcp snooping trust        / marks the port where the DHCP server is located

Test:
Client1(config)#interface fa0/0
Client1(config-if)#no shut
Client1(config-if)#ip address dhcp
*Jan 31 03:08:13.451: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jan 31 03:08:14.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Client1(config-if)#

Client1 did not obtain an address. Enable debugging on the server to see why:
DHCP_SER#debug ip dhcp server events
DHCP server event debugging is on.
DHCP_SER#debug ip dhcp server packet
DHCP server packet debugging is on.
DHCP_SER#
*Jan 31 03:03:09.659: DHCPD: inconsistent relay information.
*Jan 31 03:03:09.659: DHCPD: relay information option exists, but giaddr is zero.

The debug output shows that the relay information option (option 82) is present in the request, but the server does not trust it. Once DHCP snooping is enabled on the Layer 3 switch, it inserts option 82 by default; the Cisco router acting as DHCP server, however, does not trust option 82 arriving with giaddr 0.0.0.0 and drops the request. There are two fixes: disable option 82 insertion on SW1, or configure trust on the DHCP server's interface.

First method, trusting the relay information on the server interface:
DHCP_SER(config)#int fa0/0
DHCP_SER(config-if)#ip dhcp relay information trusted
DHCP_SER(config-if)#end
DHCP_SER#

Client1#
*Jan 31 03:20:16.843: %SYS-5-CONFIG_I: Configured from console by console
*Jan 31 03:20:20.939: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.20.1, mask 255.255.255.0, hostname Client1
Client1#

Second method: Client2 obtains an address after option 82 insertion is turned off on SW1 (the server-side trust is removed first, so that only this change is in effect):
sw1(config)#no ip dhcp snooping information option
DHCP_SER(config)#interface fa0/0
DHCP_SER(config-if)#no ip dhcp relay information trusted
Client2(config)#interface fa0/0
Client2(config-if)#no shutdown
Client2(config-if)#ip address dhcp
*Jan 31 03:21:54.103: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.20.2, mask 255.255.255.0, hostname Client2
Client2(config-if)#

DHCP snooping extended lab

Topology: on top of the previous setup, add SW2 and Client3. Client3 also belongs to VLAN 2, and the two switches are connected by a trunk.

Requirements:
1. Client3 obtains an address from DHCP_SER.
2. Enable DHCP snooping on both SW1 and SW2.

Initial configuration

SW1 configuration:
sw1(config)#interface rang fa0/23-24
sw1(config-if-range)#switchport trunk encapsulation dot1q
sw1(config-if-range)#switchport mode trunk
sw1(config-if-range)#end
sw1#

SW2 configuration:
SW2(config)#interface rang fa0/23-24
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#exit
SW2(config)#vlan 2
SW2(config-vlan)#name SNOOPING
SW2(config-vlan)#exit
SW2(config)#int fa0/4
SW2(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
SW2(config-if)#switchport access vlan 2
SW2(config-if)#exit
SW2(config)#

DHCP snooping configuration

DHCP_SER configuration:
DHCP_SER(config)#int fa0/0
DHCP_SER(config-if)#ip dhcp relay information trusted
DHCP_SER(config-if)#end
DHCP_SER#

SW1 configuration:
sw1(config)#ip dhcp snooping
sw1(config)#ip dhcp snooping vlan 2
sw1(config)#interface fa0/3
sw1(config-if)#ip dhcp snooping trust
sw1(config)#ip dhcp snooping information option allow-untrusted    / once snooping is enabled, packets carrying option 82 are by default not accepted on untrusted interfaces; this is needed because SW2 inserts option 82 and its trunk is untrusted on SW1

SW2 configuration:
Sw2(config)#ip dhcp snooping
Sw2(config)#ip dhcp snooping vlan 2
SW2(config)#int rang fa0/23-24
SW2(config-if-range)#ip dhcp snooping trust

Test:
Client3(config)#interface fa0/1
Client3(config-if)#no shutdown
Client3(config-if)#ip address dhcp
*Jan 31 03:25:54.103: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/1 assigned DHCP address 192.168.20.3, mask 255.255.255.0, hostname Client3
Client3(config-if)#

sw1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
58:35:D9:B1:36:69   192.168.20.3     85861       dhcp-snooping  2     FastEthernet0/24
Total number of bindings: 1
sw1#

Note: if the switch connected to the server does not insert option 82 while the other switch does, the client cannot obtain an address. The better approach is therefore to configure relay information trust on the server and let every switch insert option 82.
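The two checks this lab runs into, the snooping switch's treatment of DHCP packets on untrusted ports (including the allow-untrusted behaviour) and the IOS server's "relay information option exists, but giaddr is zero" rejection, written out as an added Python model. This is example code, not part of the lab or of any Cisco software; the packet builder, the option 82 sub-option bytes and the client MAC reuse are constructed sample data, and MAC verification is included because Catalyst enables it by default.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie after the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 53, 82, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSG_TYPES = {OFFER, ACK, 6}       # 6 = NAK; only a DHCP server sends these
CLIENT_MAC = bytes.fromhex("5835d9b13669")   # constructed: the MAC shown in the binding table

def build_dhcp(msg_type, chaddr, giaddr="0.0.0.0", option82=None):
    """Build a minimal BOOTP/DHCP message (constructed sample; only checked fields matter)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2
    hdr = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", op, 1, 6, 0, b"\x12\x34\x56\x78", 0,
                      0x8000, bytes(4), bytes(4), bytes(4), bytes(map(int, giaddr.split("."))),
                      chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82 is not None:
        opts += bytes([OPT_RELAY_INFO, len(option82)]) + option82
    return hdr + MAGIC + opts + bytes([OPT_END])

def parse_options(pkt):
    """Return {code: value} for the options that follow the magic cookie (offset 240)."""
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                  # pad option: single byte, no length
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def snooping_filter(pkt, src_mac, port_trusted, allow_untrusted=False):
    """Model of the snooping switch: trusted ports forward everything; untrusted ports drop
    server messages, non-zero giaddr, chaddr/source-MAC mismatches and option 82 unless
    'ip dhcp snooping information option allow-untrusted' is configured."""
    if port_trusted:
        return "forward"
    opts = parse_options(pkt)
    if opts[OPT_MSG_TYPE][0] in SERVER_MSG_TYPES:
        return "drop: server message (OFFER/ACK/NAK) on untrusted port"
    if pkt[24:28] != bytes(4):           # giaddr sits at offset 24 of the BOOTP header
        return "drop: non-zero giaddr on untrusted port"
    if pkt[28:34] != src_mac:            # chaddr (first 6 bytes) must match the frame's source MAC
        return "drop: chaddr does not match source MAC"
    if OPT_RELAY_INFO in opts and not allow_untrusted:
        return "drop: option 82 on untrusted port"
    return "forward"

def server_accepts(pkt, relay_info_trusted=False):
    """Model of the IOS server check from the debug above: option 82 together with giaddr
    0.0.0.0 is 'inconsistent relay information' unless the receiving interface has
    'ip dhcp relay information trusted'."""
    opts = parse_options(pkt)
    return not (OPT_RELAY_INFO in opts and pkt[24:28] == bytes(4) and not relay_info_trusted)
```

Build a DISCOVER with option 82 (sub-option 1 circuit-id, sub-option 2 remote-id) and feed it to both functions to reproduce the lab: the server rejects it until `relay_info_trusted=True`, and SW1 drops it on its untrusted trunk until `allow_untrusted=True`.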