6.4 DHCP Snooping

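1. Basic concepts

DHCP Snooping is a security technique that ensures DHCP clients obtain correct IP address information from a legitimate DHCP server.

A switch interface has one of two roles:

Trusted interface: allowed to receive server reply messages, including DHCP Offer messages.

Untrusted interface: does not accept server reply messages such as DHCP Offer, DHCP ACK and DHCP NAK.

2. DHCP Snooping configuration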

Figure 6-9 DHCP Snooping configuration network topology

1) Configure the DHCP server on R1

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24

[R1]dhcp enable 
[R1]ip pool R1pool 
[R1-ip-pool-R1pool]network 192.168.1.0 mask 24
[R1-ip-pool-R1pool]gateway-list 192.168.1.254
[R1-ip-pool-R1pool]excluded-ip-address 192.168.1.253
[R1-ip-pool-R1pool]lease day 2
[R1-ip-pool-R1pool]dns-list 114.114.114.114
[R1-ip-pool-R1pool]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]dhcp select global 

2) Configure the DHCP server on R2

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.100.254 24 
[R2]dhcp enable 
[R2]ip pool R2pool
[R2-ip-pool-R2pool]network 192.168.100.0 mask 24
[R2-ip-pool-R2pool]gateway-list 192.168.100.254
[R2-ip-pool-R2pool]excluded-ip-address 192.168.100.253
[R2-ip-pool-R2pool]lease day 2
[R2-ip-pool-R2pool]dns-list 8.8.8.8
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]dhcp select global

3) Configure DHCP Snooping on SW1

[SW1]dhcp enable 
[SW1]dhcp snooping enable 
[SW1]vlan 100
[SW1-vlan100]dhcp snooping enable 
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access 
[SW1-GigabitEthernet0/0/1]port default vlan 100

[SW1]interface GigabitEthernet 0/0/22
[SW1-GigabitEthernet0/0/22]port link-type access 
[SW1-GigabitEthernet0/0/22]port default vlan 100

[SW1]interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23]dhcp snooping trusted 
[SW1-GigabitEthernet0/0/23]port link-type access 
[SW1-GigabitEthernet0/0/23]port default vlan 100

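4) Verify the DHCP Snooping configuration on PC1

With GigabitEthernet 0/0/23 as the only trusted port, PC1 receives its lease from R2pool (192.168.100.0/24).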

PC1>ipconfig 
Link local IPv6 address...........: fe80::5689:98ff:feb3:6937
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.100.252
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.100.254
Physical address..................: 54-89-98-B3-69-37
DNS server........................: 8.8.8.8

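5) Swap the trust setting of ports 22 and 23 and verify the DHCP Snooping configuration on PC1

After the swap only GigabitEthernet 0/0/22 is trusted, so when PC1 releases and renews its lease the address comes from R1pool (192.168.1.0/24).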

[SW1]interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23]undo dhcp snooping trusted
[SW1]interface GigabitEthernet 0/0/22
[SW1-GigabitEthernet0/0/22]dhcp snooping trusted

PC>ipconfig /release
Link local IPv6 address...........: fe80::5689:98ff:feb3:6937
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 0.0.0.0
Subnet mask.......................: 0.0.0.0
Gateway...........................: 0.0.0.0
Physical address..................: 54-89-98-B3-69-37
DNS server........................:

PC>ipconfig /renew
Link local IPv6 address...........: fe80::5689:98ff:feb3:6937
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.252
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-B3-69-37
DNS server........................: 114.114.114.114
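
The forwarding rule from section 1, applied to the port roles used in steps 3) and 5), as an added Python example (not part of the original page and not Huawei's implementation). The function names, the minimal constructed DHCP payload, and the choice to drop unparsable payloads on untrusted ports are assumptions of this model.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                 # start of the DHCP options field (RFC 2131)
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values sent by servers

def build_dhcp(op, msg_type):
    """Constructed sample payload: 236-byte BOOTP header, cookie, option 53, end option."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def dhcp_message_type(payload):
    """Return the option 53 (message type) value, or None if it cannot be parsed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                             # length byte missing
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                             # truncated option
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(port, payload, trusted_ports):
    """Return 'forward' or 'drop' for a DHCP payload received on `port`."""
    if port in trusted_ports:
        return "forward"
    msg_type = dhcp_message_type(payload)
    if msg_type is None or msg_type in SERVER_REPLIES:
        return "drop"      # model assumption: unparsable payloads are dropped too
    return "forward"       # client messages (Discover, Request, ...) pass

def lab(trusted_ports):
    """Fate of a DHCP Offer arriving on each of the two server-facing ports of SW1."""
    offer = build_dhcp(op=2, msg_type=2)
    ports = ("GigabitEthernet0/0/22", "GigabitEthernet0/0/23")
    return {port: snoop(port, offer, trusted_ports) for port in ports}

if __name__ == "__main__":
    print("step 3:", lab({"GigabitEthernet0/0/23"}))
    print("step 5:", lab({"GigabitEthernet0/0/22"}))
```
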