CCNP (BCMSN) lab: DHCP snooping, IP Source Guard, DAI

Step 1: configure the DHCP servers on R1 and R2
R1(config)#int e1/0
R1(config-if)#ip add 12.0.0.1 255.255.255.0
R1(config)#ip dhcp pool R1
R1(dhcp-config)#network 12.0.0.0 /24
R1(config)#ip dhcp excluded-address 12.0.0.1
R2(config)#int e1/0
R2(config-if)#ip add 22.0.0.1 255.255.255.0
R2(config)#ip dhcp pool R2
R2(dhcp-config)#network 22.0.0.0 /24
R2(config)#ip dhcp excluded-address 22.0.0.1
Step 2: configure R3's interface to obtain its address via DHCP

R3(config)#int e1/0
R3(config-if)#ip add dhcp
Test:

R3(config-if)#Interface Ethernet1/0 assigned DHCP address 22.0.0.2, mask 255.255.255.0

R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.2, mask 255.255.255.0
// by doing sh and no sh on the interface we obtained the results above
The interface received addresses from two different subnets, which shows that both DHCP servers are working.
Step 3: enable DHCP snooping and related settings on SW2 and SW3
SW2(config)#ip dhcp snooping
// enable the DHCP snooping feature
SW2(config)#ip dhcp snooping vlan 1
// all ports in VLAN 1 become untrusted, so no DHCP server connected in VLAN 1 can answer (its replies are dropped) until a port is marked trusted
SW2(config-if)#int f0/1
SW2(config-if)#ip dhcp snooping trust
// configure this port as a trusted port
SW2(config-if)#int f0/2
SW2(config-if)#ip dhcp snooping limit rate 20
// limit the rate of DHCP packets accepted on this port to 20 per second
SW2(config)#errdisable recovery cause ?
  all                  Enable timer to recover from all causes
  arp-inspection       Enable timer to recover from arp inspection error disable state
  bpduguard            Enable timer to recover from BPDU Guard error disable state
  channel-misconfig    Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit      Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap             Enable timer to recover from dtp-flap error disable state
  gbic-invalid         Enable timer to recover from invalid GBIC error disable state
  l2ptguard            Enable timer to recover from l2protocol-tunnel error disable state
  link-flap            Enable timer to recover from link-flap error disable state
  loopback             Enable timer to recover from loopback disable state
  pagp-flap            Enable timer to recover from pagp-flap error disable state
  psecure-violation    Enable timer to recover from psecure violation disable state
  security-violation   Enable timer to recover from 802.1x violation disable state
  sfp-config-mismatch  Enable timer to recover from SFP config mismatch error disable state
  storm-control        Enable timer to recover from storm-control error disable state
  udld                 Enable timer to recover from udld error disable state
  unicast-flood        Enable timer to recover from unicast flood disable state
  vmps                 Enable timer to recover from vmps shutdown error disable state
SW2(config)#errdisable recovery cause all
// if a port violates the rule above it is put into err-disabled state, i.e. it goes down (default behaviour)
This command selects which err-disable causes recover automatically; there are 17 causes listed above, and we choose all.
SW2(config)#errdisable recovery interval 30
// the port is brought back up after 30 s (30 s is the minimum)
SW2(config)#ip dhcp snooping database flash:dhcp-snooping.text
// write the DHCP snooping binding table to flash; each entry holds a client's MAC address and IP address
SW2#show flash:

Directory of flash:/

2  -rwx     7134080   Jan 1 1970 03:36:03 +00:00  3550.bin
3  -rwx        1224   Mar 1 1993 03:15:45 +00:00  vlan.dat
4  -rwx        3244   Mar 1 1993 00:48:21 +00:00  n
5  -rwx        2209   Mar 1 1993 00:02:52 +00:00  statr
6  -rwx           0   Mar 1 1993 05:28:29 +00:00  system_env_vars
7  -rwx           0   Mar 1 1993 05:28:29 +00:00  env_vars
8  -rwx          47   Mar 1 1993 00:43:31 +00:00  dhcp-snooping.text

SW2#more flash:dhcp-snooping.text
// the file contains the clients' MAC addresses and IP addresses
SW2(config)#ip source binding 0004.2704.17b1 vlan 1 12.0.0.1 interface f0/1
// add a static MAC-address-to-IP-address binding by hand


SW3(config)#ip dhcp snooping
SW3(config)#ip dhcp snooping vlan 1
SW3(config)#int f0/23
SW3(config-if)# ip dhcp snooping trust
SW3(config)#int f0/3
SW3(config-if)#no ip dhcp snooping trust
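To make the rules configured above concrete (trusted versus untrusted ports, the per-port rate limit with err-disable recovery, hwaddr verification, and how an ACK arriving on the trusted port creates a binding for the client's port), here is a Python model of that behaviour. It is an added example written for this page, not code from the original lab and not Cisco IOS; the port names, MAC addresses, timings and the one-second rate window are constructed for the demo, and a real switch implements these checks in hardware with its own counters.

```python
# Added example (not from the original lab and not Cisco IOS code): a Python model of
# the DHCP snooping behaviour configured on SW2 in Step 3. Port names, MACs, timings and
# the one-second rate window are constructed for this demo.
from dataclasses import dataclass, field
from typing import Optional

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only legitimate when arriving on a trusted port


@dataclass
class Port:
    trusted: bool = False                       # ip dhcp snooping trust
    rate_limit: Optional[int] = None            # ip dhcp snooping limit rate <pps>; None = unlimited
    errdisabled_until: Optional[float] = None   # set when the rate limit is exceeded
    recent: list = field(default_factory=list)  # arrival times of DHCP packets in the last second


@dataclass
class Binding:                 # one row of the snooping binding table
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: Optional[int]       # seconds; None means "infinite" (static entry)


class DhcpSnoopingSwitch:
    def __init__(self, recovery_interval=30):
        self.ports = {}                      # name -> Port
        self.bindings = {}                   # (vlan, mac) -> Binding
        self.pending = {}                    # (vlan, chaddr) -> port where the client's request arrived
        self.recovery_interval = recovery_interval   # errdisable recovery interval (seconds)

    def add_port(self, name, trusted=False, rate_limit=None):
        self.ports[name] = Port(trusted, rate_limit)

    def add_static_binding(self, mac, vlan, ip, interface):
        # ip source binding <mac> vlan <vlan> <ip> interface <interface>
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, interface, None)

    def port_is_up(self, name, now):
        p = self.ports[name]
        if p.errdisabled_until is not None and now >= p.errdisabled_until:
            p.errdisabled_until = None       # recovery timer expired: port comes back up
            p.recent.clear()
        return p.errdisabled_until is None

    def process(self, port, vlan, src_mac, msg, now, chaddr=None, yiaddr=None, lease=None):
        """Return "forward" or "drop" for one DHCP message arriving on `port` at time `now`."""
        p = self.ports[port]
        if not self.port_is_up(port, now):
            return "drop"                    # an err-disabled port passes nothing
        if p.trusted:
            # server replies pass; an ACK creates a binding on the port the client asked from
            if msg == "ACK" and (vlan, chaddr) in self.pending:
                client_port = self.pending.pop((vlan, chaddr))
                self.bindings[(vlan, chaddr)] = Binding(chaddr, yiaddr, vlan, client_port, lease)
            return "forward"
        # untrusted port: rate limit first, then message-type and hwaddr checks
        if p.rate_limit is not None:
            p.recent = [t for t in p.recent if now - t < 1.0] + [now]
            if len(p.recent) > p.rate_limit:
                p.errdisabled_until = now + self.recovery_interval   # dhcp-rate-limit err-disable
                return "drop"
        if msg in SERVER_MSGS:
            return "drop"                    # a DHCP server answering on an untrusted port
        if chaddr != src_mac:
            return "drop"                    # "Verification of hwaddr field is enabled"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, chaddr)] = port
        return "forward"


def demo():
    """The lab topology: R1 on trusted f0/1, a DHCP client on untrusted f0/2 limited to 20 pps."""
    sw = DhcpSnoopingSwitch(recovery_interval=30)
    sw.add_port("f0/1", trusted=True)
    sw.add_port("f0/2", trusted=False, rate_limit=20)
    sw.add_static_binding("0004.2704.17b1", 1, "12.0.0.1", "f0/1")
    client, r1 = "0007.eb79.08d1", "0004.2704.17b1"
    r = {}
    # a server reply arriving on the untrusted port is dropped
    r["rogue_offer"] = sw.process("f0/2", 1, "00aa.bbbb.cccc", "OFFER", now=0.0)
    # a normal lease: REQUEST on f0/2, ACK from R1 on f0/1 -> binding learned on f0/2
    r["client_request"] = sw.process("f0/2", 1, client, "REQUEST", now=0.1, chaddr=client)
    r["server_ack"] = sw.process("f0/1", 1, r1, "ACK", now=0.2, chaddr=client, yiaddr="12.0.0.9", lease=86400)
    r["binding_port"] = sw.bindings[(1, client)].interface
    # a chaddr that does not match the frame's source MAC is dropped
    r["bad_chaddr"] = sw.process("f0/2", 1, client, "DISCOVER", now=0.3, chaddr="dead.beef.0000")
    # 25 DHCP packets within a second exceed the 20 pps limit: err-disable, then recovery after 30 s
    for i in range(25):
        last = sw.process("f0/2", 1, client, "DISCOVER", now=5.0 + i * 0.01, chaddr=client)
    r["flood_last"] = last
    r["port_up_at_10s"] = sw.port_is_up("f0/2", 10.0)
    r["port_up_at_40s"] = sw.port_is_up("f0/2", 40.0)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the file prints one line per check; the rate-limit part is what `errdisable recovery cause all` and `errdisable recovery interval 30` control on the real switch, and the binding learned from the ACK is the row that later ends up in `flash:dhcp-snooping.text`.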
Step 4: configure R2
R2(config)#ip dhcp relay information trust-all
// accept DHCP packets that carry the relay information option (option 82) even when giaddr is 0
Step 5: test
01:22:41: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:22:43: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.5, mask 255.255.255.0


R3(config-if)#sh
01:23:58: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh

01:24:07: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
01:24:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.6, mask 255.255.255.0

R3(config-if)#sh
01:24:21: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:24:23: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
R3(config-if)#Interface Ethernet1/0 assigned DHCP address 12.0.0.7, mask 255.255.255.0



// from the above we can see that snooping is working:
after three rounds of sh and no sh, the interface each time received an address defined on the legitimate DHCP server (R1, the 12.0.0.0/24 pool)

Result: the test succeeded.

Now let's look at IP Source Guard:
SW2(config-if)#ip verify source port-security
// enable IP Source Guard (checking both source IP and source MAC) on the PC-facing port
It can be configured on ports to which a rogue DHCP server might be attached.
Dynamic ARP Inspection:
SW3(config)#ip arp inspection vlan 1
SW2(config)#ip arp inspection vlan 1
SW2(config)#int f0/23
SW2(config-if)#ip arp inspection trust
SW3(config)#int f0/23
SW3(config-if)#ip arp inspection trust


Step 7: verify
SW2#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
FastEthernet0/2              no          2
FastEthernet0/23             yes         unlimited

SW2#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:07:EB:79:08:D1   12.0.0.9         84188       dhcp-snooping  1     FastEthernet0/19
00:04:27:04:17:B1   12.0.0.1         infinite    static         1     FastEthernet0/1
Total number of bindings: 2

SW3#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:07:EB:79:08:D1   12.0.0.9         85773       dhcp-snooping  1     FastEthernet0/3
Total number of bindings: 1
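As an added example (not part of the original lab and not Cisco IOS code), the following Python parses a `show ip source binding` table in the format shown above and applies the two checks from the IP Source Guard and DAI section that depend on it: IP Source Guard in port-security mode (source IP and source MAC must both match a binding on the ingress port) and Dynamic ARP Inspection (the ARP sender IP/MAC pair must match a binding unless the port has `ip arp inspection trust`). The table text is a constructed copy of SW2's output; the model's requirement that the binding's interface also match the ingress port is a simplification of the real lookup. It also shows why the static binding for R1 on f0/1 matters once DAI is on: in this lab only f0/23 is DAI-trusted, so R1's ARP packets on f0/1 are checked against the binding table too.

```python
# Added example (not from the original lab and not Cisco IOS code): parse the
# `show ip source binding` output and apply IP Source Guard and DAI checks to
# constructed packets. Interface-must-match is a simplification of the real lookup.
import re
from dataclasses import dataclass

# Constructed copy of SW2's binding table in the format printed by `show ip source binding`.
SHOW_IP_SOURCE_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:07:EB:79:08:D1   12.0.0.9         84188       dhcp-snooping  1     FastEthernet0/19
00:04:27:04:17:B1   12.0.0.1         infinite    static         1     FastEthernet0/1
Total number of bindings: 2
"""

BINDING_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<lease>\S+)\s+"
    r"(?P<kind>dhcp-snooping|static)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)$")


def normalize_mac(mac: str) -> str:
    """Accept 0004.2704.17b1, 00:04:27:04:17:b1 or 00-04-27-04-17-B1; return 00:04:27:04:17:B1."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> list:
    """Parse `show ip source binding` output into Binding records; header and footer lines are skipped."""
    out = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            out.append(Binding(normalize_mac(m["mac"]), m["ip"], int(m["vlan"]), m["intf"]))
    return out


class AccessSwitch:
    """Per-port checks of `ip verify source port-security` (IPSG) and `ip arp inspection` (DAI)."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = set(bindings)
        self.trusted = set(trusted_ports)   # ports configured with `ip arp inspection trust`

    def _has_binding(self, port, vlan, ip, mac):
        return Binding(normalize_mac(mac), ip, vlan, port) in self.bindings

    def ip_source_guard(self, port, vlan, src_ip, src_mac):
        """port-security mode: source IP *and* source MAC must match a binding on this port."""
        if port in self.trusted:
            return "permit"
        return "permit" if self._has_binding(port, vlan, src_ip, src_mac) else "deny"

    def arp_inspection(self, port, vlan, sender_ip, sender_mac):
        """DAI: on untrusted ports the ARP sender IP/MAC pair must be in the binding table."""
        if port in self.trusted:
            return "permit"
        return "permit" if self._has_binding(port, vlan, sender_ip, sender_mac) else "deny"


def demo():
    sw = AccessSwitch(parse_bindings(SHOW_IP_SOURCE_BINDING), trusted_ports={"FastEthernet0/23"})
    pc, r1 = "0007.eb79.08d1", "0004.2704.17b1"   # client and R1 MACs in Cisco dotted notation
    return {
        "bindings": len(sw.bindings),
        # IPSG: the client's own leased address passes; any other source from that port is dropped
        "ipsg_ok": sw.ip_source_guard("FastEthernet0/19", 1, "12.0.0.9", pc),
        "ipsg_wrong_ip": sw.ip_source_guard("FastEthernet0/19", 1, "12.0.0.50", pc),
        "ipsg_wrong_mac": sw.ip_source_guard("FastEthernet0/19", 1, "12.0.0.9", "00ff.ffff.ffff"),
        # DAI: an ARP on the client port that claims the gateway's IP is dropped
        "dai_ok": sw.arp_inspection("FastEthernet0/19", 1, "12.0.0.9", pc),
        "dai_gw_claim": sw.arp_inspection("FastEthernet0/19", 1, "12.0.0.1", pc),
        # the static binding covers R1's real port, and the link to SW3 is DAI-trusted
        "dai_gw_real": sw.arp_inspection("FastEthernet0/1", 1, "12.0.0.1", r1),
        "dai_trusted": sw.arp_inspection("FastEthernet0/23", 1, "12.0.0.1", "00ff.ffff.ffff"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MAC normaliser matters in practice because the binding table prints colon-separated addresses while `ip source binding` and most packet captures use Cisco's dotted form; comparing the raw strings would silently miss every match.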
