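1. Basic concepts
DHCP Snooping is a security technique that ensures DHCP clients obtain correct IP address information from a legitimate DHCP server.
A switch interface takes one of two roles:
Trusted interface: accepts server reply messages, including DHCP Offer.
Untrusted interface: does not accept server reply messages such as DHCP Offer, DHCP ACK and DHCP NAK.
2. DHCP Snooping configuration
1) Configure R1 as a DHCP server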
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R1]dhcp enable
[R1]ip pool R1pool
[R1-ip-pool-R1pool]network 192.168.1.0 mask 24
[R1-ip-pool-R1pool]gateway-list 192.168.1.254
[R1-ip-pool-R1pool]excluded-ip-address 192.168.1.253
[R1-ip-pool-R1pool]lease day 2
[R1-ip-pool-R1pool]dns-list 114.114.114.114
[R1-ip-pool-R1pool]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]dhcp select global
2) Configure R2 as a DHCP server
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.100.254 24
[R2]dhcp enable
[R2]ip pool R2pool
[R2-ip-pool-R2pool]network 192.168.100.0 mask 24
[R2-ip-pool-R2pool]gateway-list 192.168.100.254
[R2-ip-pool-R2pool]excluded-ip-address 192.168.100.253
[R2-ip-pool-R2pool]lease day 2
[R2-ip-pool-R2pool]dns-list 8.8.8.8
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]dhcp select global
3) Configure DHCP Snooping on SW1
[SW1]dhcp enable
[SW1]dhcp snooping enable
[SW1]vlan 100
[SW1-vlan100]dhcp snooping enable
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 100
[SW1]interface GigabitEthernet 0/0/22
[SW1-GigabitEthernet0/0/22]port link-type access
[SW1-GigabitEthernet0/0/22]port default vlan 100
[SW1]interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23]dhcp snooping trusted
[SW1-GigabitEthernet0/0/23]port link-type access
[SW1-GigabitEthernet0/0/23]port default vlan 100
4) Verify the DHCP Snooping configuration on PC1
PC1>ipconfig
Link local IPv6 address...........: fe80::5689:98ff:feb3:6937
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.100.252
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.100.254
Physical address..................: 54-89-98-B3-69-37
DNS server........................: 8.8.8.8
5) Swap the trust setting between ports 22 and 23, then verify the DHCP Snooping configuration on PC1
[SW1]interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23]undo dhcp snooping trusted
[SW1]interface GigabitEthernet 0/0/22
[SW1-GigabitEthernet0/0/22]dhcp snooping trusted
PC>ipconfig /release
Link local IPv6 address...........: fe80::5689:98ff:feb3:6937
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 0.0.0.0
Subnet mask.......................: 0.0.0.0
Gateway...........................: 0.0.0.0
Physical address..................: 54-89-98-B3-69-37
DNS server........................:
PC>ipconfig /renew
Link local IPv6 address...........: fe80::5689:98ff:feb3:6937
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.252
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-B3-69-37
DNS server........................: 114.114.114.114
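As an added example (not part of the original article), the following Python sketch models the trusted/untrusted rule from section 1 and replays steps 4 and 5 of the lab. The port-to-router mapping (R1 on GigabitEthernet 0/0/22, R2 on GigabitEthernet 0/0/23) is an assumption inferred from the addresses PC1 receives; the packets are constructed sample data and all function names are hypothetical.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def build_dhcp(msg_type, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload (constructed sample data)."""
    op = 2 if msg_type in SERVER_REPLIES else 1        # BOOTREPLY / BOOTREQUEST
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)
    hdr += bytes(4) + bytes(int(x) for x in yiaddr.split("."))  # ciaddr, yiaddr
    hdr += bytes(8)                                    # siaddr, giaddr
    hdr += bytes.fromhex("548998B36937") + bytes(10)   # chaddr: PC1 MAC from the page
    hdr += bytes(192)                                  # sname + file
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def dhcp_message_type(payload):
    """Return the option 53 value, or None if absent or the payload is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                                # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                # truncated option value
        if payload[i] == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(payload, ingress_port, trusted_ports):
    """Trusted/untrusted rule: server replies are forwarded only from trusted ports."""
    is_reply = dhcp_message_type(payload) in SERVER_REPLIES
    return "drop" if is_reply and ingress_port not in trusted_ports else "forward"

def offers_reaching_pc1(trusted_ports):
    """Replay the lab: assumes R1 is on port 22 and R2 on port 23 (inferred from the outputs)."""
    offers = {22: build_dhcp(2, "192.168.1.252"), 23: build_dhcp(2, "192.168.100.252")}
    return [".".join(map(str, pkt[16:20])) for port, pkt in offers.items()
            if snoop(pkt, port, trusted_ports) == "forward"]

if __name__ == "__main__":
    print(offers_reaching_pc1({23}))   # step 4: port 23 trusted
    print(offers_reaching_pc1({22}))   # step 5: trust moved to port 22
```

With no trusted port configured, the model forwards no offer at all, which is why a snooping-enabled VLAN needs a trusted port facing the legitimate server before clients can obtain a lease.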