Configuring DHCP Snooping on Huawei S27/S5700 Switches to Defend Against Attacks

Time: 2024-10-12 09:38:46

1. Prepare a Huawei switch and a computer, and connect the computer to the switch.

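2. Networking requirements: as shown in the figure, the Switch sits between the user network and the ISP's Layer 2 network. To prevent bogus DHCP server attacks, DHCP snooping must be applied on the Switch, with the user-side interface configured as Untrusted and the carrier-network-side interface configured as Trusted. The DHCP Reply packet discard alarm must also be configured.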

3. Configuration approach

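4. Configure protection against bogus DHCP server attacks as follows (assuming the DHCP server is already configured): enable DHCP snooping globally and on the interface; enable bogus DHCP server detection; set the interface connected to the DHCP server to Trusted; configure the DHCP Reply packet discard alarm.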

5. Configure DHCP snooping

6. # Enable DHCP snooping globally.
    <Quidway> system-view
    [Quidway] dhcp enable
    [Quidway] dhcp snooping enable

7. # Enable bogus DHCP server detection.
    [Quidway] dhcp server detect

8. # Enable DHCP snooping on the user-side interface.
    [Quidway] interface gigabitethernet 0/0/2
    [Quidway-GigabitEthernet0/0/2] dhcp snooping enable
    [Quidway-GigabitEthernet0/0/2] quit

9. Configure the Trusted/Untrusted mode of the interfaces

10. # Configure the DHCP server-side interface as Trusted.
    [Quidway] interface gigabitethernet 0/0/1
    [Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
    [Quidway-GigabitEthernet0/0/1] quit

11. # Configure the user-side interface as Untrusted. Once DHCP snooping is enabled on GE0/0/2, the interface mode defaults to Untrusted.

12. Configure the DHCP Reply packet discard alarm

13. # Enable the alarm for DHCP Reply packets that are received on the untrusted port and discarded, and configure the alarm threshold.
    [Quidway] interface gigabitethernet 0/0/2
    [Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply enable threshold 120
    [Quidway-GigabitEthernet0/0/2] quit

14. View the current configuration
    #
    dhcp enable
    dhcp snooping enable
    dhcp server detect
    #
    interface GigabitEthernet0/0/1
     dhcp snooping trusted
    #
    interface GigabitEthernet0/0/2
     dhcp snooping enable
     dhcp snooping alarm dhcp-reply enable threshold 120
    #
    return

15. Verify the configuration

16. Run the display dhcp snooping global command on the Switch. The output shows that DHCP snooping is enabled globally and in the interface view.
    <Quidway> display dhcp snooping global
    dhcp snooping enable
    Dhcp snooping enable is configured at vlan :NULL
    Dhcp snooping enable is configured at interface :GigabitEthernet0/0/2
    Dhcp snooping trusted is configured at interface :GigabitEthernet0/0/1
    Dhcp option82 insert is configured at interface :NULL
    Dhcp option82 rebuild is configured at interface :NULL
    Dhcp option82 insert is configured at vlan :NULL
    Dhcp option82 rebuild is configured at vlan :NULL
    dhcp packet drop count within alarm range : 0
    dhcp packet drop count total : 60
    <Quidway> display dhcp snooping interface gigabitethernet 0/0/1
    dhcp snooping trusted
    dhcp packet dropped by untrust-reply checking = 0
    <Quidway> display dhcp snooping interface gigabitethernet 0/0/2
    dhcp snooping enable
    dhcp snooping alarm dhcp-reply enable threshold 120
    dhcp packet dropped by untrust-reply checking = 10
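Added example, not part of the original article or of Huawei's tooling: a Python check that audits a saved configuration in the format shown in step 14 against the approach in step 4 (global snooping and detection enabled, only the server-side port Trusted, discard alarm on user ports). The names parse_config, audit and server_ports and the extra port GigabitEthernet0/0/3 are assumptions; only interface-level commands that appear on this page are inspected.

```python
# Step 14 config from the page plus one constructed port (GE0/0/3) left unprotected.
SAMPLE_CONFIG = """\
#
dhcp enable
dhcp snooping enable
dhcp server detect
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
#
interface GigabitEthernet0/0/3
#
return
"""
GLOBAL_REQUIRED = ("dhcp enable", "dhcp snooping enable", "dhcp server detect")

def parse_config(text):
    # Returns (global commands, {interface name: [commands]}).
    global_cmds, interfaces, current = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("#", "return", ""):      # '#' ends the current view
            current = None
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        else:
            (global_cmds if current is None else current).append(line)
    return global_cmds, interfaces

def audit(text, server_ports):
    # server_ports: interfaces facing the DHCP server (supplied by the operator).
    global_cmds, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in global_cmds]
    for name, cmds in interfaces.items():
        trusted = "dhcp snooping trusted" in cmds
        if name in server_ports:
            if not trusted:
                findings.append(f"{name}: server-side port is not trusted")
            continue
        if trusted:
            findings.append(f"{name}: user-side port is trusted")
        if "dhcp snooping enable" not in cmds:
            findings.append(f"{name}: dhcp snooping not enabled")
        if not any(c.startswith("dhcp snooping alarm dhcp-reply enable") for c in cmds):
            findings.append(f"{name}: dhcp-reply discard alarm not enabled")
    return findings
```

Calling audit(SAMPLE_CONFIG, {"GigabitEthernet0/0/1"}) reports only the constructed GigabitEthernet0/0/3; the two ports configured in the article pass.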
